AD — From Kali / Linux on MrAzoth

Enumeration & Discovery — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Comprehensive Active Directory enumeration from a Kali/Linux attacker host: port scanning, DNS, LDAP, BloodHound, Kerbrute, NetExec, rpcclient, windapsearch, and more.

Kerberos Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Hashcat Mode	Requirement
AS-REP Roasting	GetNPUsers.py / kerbrute	-m 18200	DONT_REQ_PREAUTH flag set
Kerberoasting	GetUserSPNs.py	-m 13100 (RC4) / -m 19700 (AES)	Valid domain user + SPN exists
Pass-the-Ticket	getTGT.py + impacket	N/A	Valid credentials or hash
Overpass-the-Hash	getTGT.py -aesKey	N/A	AES256 key for user
Kerbrute userenum	kerbrute	N/A	Network access to DC on port 88
Ticket conversion	ticket_converter.py	N/A	Existing .kirbi or .ccache

AS-REP Roasting

AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH flag set in userAccountControl). The KDC returns an AS-REP containing a portion encrypted with the user’s hash — no prior authentication required, making it requestable by anyone.

Credential Attacks & Relay — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Prerequisite	Output
LLMNR/NBT-NS Poisoning	Responder	Network access, no SMB signing required	NTLMv1/v2 hashes
SMB Relay	ntlmrelayx.py	SMB signing disabled on target	SAM dump / shell
LDAP Relay	ntlmrelayx.py	LDAP on DC accessible	Computer accounts / RBCD
IPv6 Poisoning	mitm6 + ntlmrelayx	IPv6 not disabled on network	LDAP relay → DA
Coercion + Relay	PetitPotam / printerbug	Auth path to coerced machine	NTLM relay or TGT
DCSync	secretsdump.py	Domain Admin or replication rights	All NTLM hashes + AES keys
LSASS Dump	lsassy	Local admin on target	Plaintext / hashes
GPP Passwords	nxc -M gpp_password	Domain user	Cleartext credential
Password Spraying	nxc smb/ldap	Valid username list	Valid credentials

LLMNR/NBT-NS Poisoning with Responder

LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) are fallback name resolution protocols used by Windows when DNS fails. When a host cannot resolve a name, it broadcasts an LLMNR/NBT-NS query to the local subnet. Responder answers these queries with the attacker’s IP, forcing the victim to authenticate — capturing NTLMv1 or NTLMv2 hashes.

Delegation Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Required Privileges
Unconstrained Delegation Abuse	impacket, Responder, coercion tools	Compromise of delegated host
Constrained Delegation (KCD)	getST.py	Control of account with KCD configured
RBCD Setup + Abuse	addcomputer.py, rbcd.py, getST.py	GenericWrite or WriteDACL on target computer
Shadow Credentials	pywhisker.py, getnthash.py	WriteProperty on msDS-KeyCredentialLink
Coerce Authentication (PetitPotam)	PetitPotam.py	Valid domain credentials
Coerce Authentication (PrinterBug)	printerbug.py	Valid domain credentials

Delegation Overview

Kerberos delegation allows a service to impersonate users when accessing other services on their behalf. There are three types, each with different risk profiles and abuse paths.

Lateral Movement — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Auth Type	Notes
Pass-the-Hash	psexec.py, wmiexec.py, nxc	NTLM hash	No plaintext needed
Pass-the-Ticket	psexec.py -k, wmiexec.py -k	Kerberos ccache	Set KRB5CCNAME first
Evil-WinRM	evil-winrm	Password / Hash / Ticket	WinRM port 5985/5986
WMI Execution	wmiexec.py	Password / Hash	Output shown, less noisy
DCOM Execution	dcomexec.py	Password / Hash	Multiple COM objects
RDP PtH	xfreerdp /pth	NTLM hash	Requires Restricted Admin mode
SMB Exec	psexec.py, smbexec.py	Password / Hash	Different noise levels
Proxychains	proxychains + any tool	Any	Internal network pivoting

Pass-the-Hash (PtH) from Linux

Concept

NTLM authentication does not require knowledge of the plaintext password — it only requires the NT hash. The NT hash is the MD4 hash of the Unicode password, and it is used directly in the NTLM challenge-response exchange. A valid NT hash is sufficient to authenticate against any service using NTLM.

Domain & Forest Trusts — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Requirement	Tool
Cross-domain Kerberoasting	Valid low-priv creds in child domain	GetUserSPNs.py
Cross-domain AS-REP Roasting	Valid low-priv creds in child domain	GetNPUsers.py
SID History Injection (parent-child)	Domain Admin in child domain, child krbtgt hash	ticketer.py
Cross-domain DCSync	Replication rights or DA in target domain	secretsdump.py
One-way inbound trust abuse	DA in trusted domain, inter-realm key	ticketer.py (silver), getST.py
One-way outbound trust abuse	DA in trusting domain, TDO GUID	secretsdump.py, getTGT.py
Cross-forest Kerberoasting	Bidirectional forest trust, valid creds	GetUserSPNs.py
Golden ticket cross-domain	Child krbtgt hash + parent domain SID	ticketer.py
BloodHound trust mapping	Valid creds, network access to DC	bloodhound-python

Trust Concepts

Trust Types

A Trust is a relationship between two domains that allows security principals in one domain to authenticate to resources in another. Trust information is stored in Active Directory as Trusted Domain Objects (TDOs) under CN=System.

Persistence — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Requirement	Detection Risk
DCSync	Domain Admin or explicit replication rights	High — replication request from non-DC
Golden Ticket	krbtgt NTLM + AES256 hash, domain SID	Medium — no TGT event (4768) on DC
Silver Ticket	Service account NTLM hash, domain SID, SPN	Low — no DC contact at all
Diamond Ticket	krbtgt AES256, valid user credentials	Low — based on a real TGT
NTDS.dit VSS	Shell on DC, local admin	High — shadow copy creation event
DPAPI Backup Key	Domain Admin, DC access	Medium — LDAP/RPC request to DC
ACL-based (DCSync rights)	WriteDACL or GenericAll on domain root	Low — ACL change may not alert
Machine Account creation	Any user with MachineAccountQuota > 0	Low
Pass-the-Hash persistence	Local admin hash, no domain rights needed	Low — appears as normal auth

DCSync

What It Is

DCSync abuses the Directory Replication Service (DRS) protocol. Domain controllers use DRS to replicate directory data between themselves. The GetNCChanges function is the core RPC call used. Any account with the following rights on the domain root object can invoke this:

AD CS Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Active Directory Certificate Services exploitation from Kali: ESC1-ESC8, Certipy enumeration, certificate request abuse, NTLM relay to CA, and Pass-the-Certificate.

Azure AD Hybrid Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Requirement	Impact
MSOL Account DCSync	Local admin on AAD Connect server	Full domain + cloud compromise
AZUREADSSOACC$ Abuse	DCSync rights or DA	Forge Azure AD tokens
PHS Hash Extraction	MSOL DCSync rights	Cloud account takeover
PTA Abuse	On-prem DC compromise	Transparent cloud auth bypass
Golden SAML	ADFS signing cert theft	Persistent cloud access

Azure AD Connect Abuse (MSOL Account)

Azure AD Connect synchronizes on-premises Active Directory to Azure AD. During setup, it creates a service account named MSOL_xxxxxxxx in the on-premises domain. This account is granted DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain root — the exact permissions required for DCSync. Its password is stored encrypted in a SQL LocalDB instance on the AAD Connect server.

Advanced Techniques — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Requirement	Impact
WebDAV Coercion → LDAP relay	ntlmrelayx + PetitPotam	WebClient running on target	RBCD, shadow creds, DA
gMSA password read	gMSADumper / nxc	Authorized principal	Lateral movement
Zerologon	cve-2020-1472	Network access to DC (pre-patch)	Instant DA
noPac (CVE-2021-42278/42287)	noPac.py	Domain user	DA via KDC spoofing
LAPS read	nxc / ldapsearch	Read perm on ms-Mcs-AdmPwd	Local admin on target
LSASS dump (offline parse)	pypykatz	LSASS dump file	Credential extraction
KrbRelayUp pre-check	nxc ldap	Network access	Identify LDAP signing state

WebDAV Coercion — Bypass SMB Signing for NTLM Relay

Why WebDAV Coercion Works

Standard NTLM relay from SMB to LDAP is blocked when SMB signing is required (which is enforced on DCs by default). WebDAV coercion forces the target to authenticate over HTTP instead of SMB. HTTP authentication does not enforce signing, so it can be relayed to LDAP even when the target has SMB signing enabled.