Enumeration & Discovery — From Kali

Quick Reference

| Technique | Tool | Requires Creds |
|---|---|---|
| AD port scan | nmap | No |
| DNS SRV enumeration | dig / nslookup | No |
| LDAP anonymous bind | ldapsearch | No |
| Full LDAP dump | ldapdomaindump | No / Yes |
| SMB/User enumeration | enum4linux-ng | No / Yes |
| AD enumeration swiss-knife | NetExec (nxc) | No / Yes |
| Attack path mapping | bloodhound-python | Yes |
| Kerberos user enum | Kerbrute | No |
| User / SID enumeration | lookupsid.py, GetADUsers.py | No / Yes |
| RPC enumeration | rpcclient | No / Yes |
| LDAP attribute queries | windapsearch | Yes |
| Share content discovery | nxc spider_plus | Yes |
| adminCount / SPN / UAC flags | ldapsearch | Yes |

Environment Setup

Before attacking an AD environment from Kali, configure your local resolver and Kerberos client so tools resolve domain names correctly. ...

11 min · MrAzoth

Kerberos Attacks — From Kali

Quick Reference

| Attack | Tool | Hashcat Mode | Requirement |
|---|---|---|---|
| AS-REP Roasting | GetNPUsers.py / kerbrute | -m 18200 | DONT_REQ_PREAUTH flag set |
| Kerberoasting | GetUserSPNs.py | -m 13100 (RC4) / -m 19700 (AES) | Valid domain user + SPN exists |
| Pass-the-Ticket | getTGT.py + impacket | N/A | Valid credentials or hash |
| Overpass-the-Hash | getTGT.py -aesKey | N/A | AES256 key for user |
| Kerbrute userenum | kerbrute | N/A | Network access to DC on port 88 |
| Ticket conversion | ticket_converter.py | N/A | Existing .kirbi or .ccache |

AS-REP Roasting

AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH flag set in userAccountControl). The KDC returns an AS-REP containing a portion encrypted with the user's hash — no prior authentication required, making it requestable by anyone. ...

11 min · MrAzoth

Delegation Attacks — From Kali

Quick Reference

| Attack | Tool | Required Privileges |
|---|---|---|
| Unconstrained Delegation Abuse | impacket, Responder, coercion tools | Compromise of delegated host |
| Constrained Delegation (KCD) | getST.py | Control of account with KCD configured |
| RBCD Setup + Abuse | addcomputer.py, rbcd.py, getST.py | GenericWrite or WriteDACL on target computer |
| Shadow Credentials | pywhisker.py, getnthash.py | WriteProperty on msDS-KeyCredentialLink |
| Coerce Authentication (PetitPotam) | PetitPotam.py | Valid domain credentials |
| Coerce Authentication (PrinterBug) | printerbug.py | Valid domain credentials |

Delegation Overview

Kerberos delegation allows a service to impersonate users when accessing other services on their behalf. There are three types, each with different risk profiles and abuse paths. ...

11 min · MrAzoth

Lateral Movement — From Kali

Quick Reference

| Technique | Tool | Auth Type | Notes |
|---|---|---|---|
| Pass-the-Hash | psexec.py, wmiexec.py, nxc | NTLM hash | No plaintext needed |
| Pass-the-Ticket | psexec.py -k, wmiexec.py -k | Kerberos ccache | Set KRB5CCNAME first |
| Evil-WinRM | evil-winrm | Password / Hash / Ticket | WinRM port 5985/5986 |
| WMI Execution | wmiexec.py | Password / Hash | Output shown, less noisy |
| DCOM Execution | dcomexec.py | Password / Hash | Multiple COM objects |
| RDP PtH | xfreerdp /pth | NTLM hash | Requires Restricted Admin mode |
| SMB Exec | psexec.py, smbexec.py | Password / Hash | Different noise levels |
| Proxychains | proxychains + any tool | Any | Internal network pivoting |

Pass-the-Hash (PtH) from Linux

Concept

NTLM authentication does not require knowledge of the plaintext password — it only requires the NT hash. The NT hash is the MD4 hash of the Unicode password, and it is used directly in the NTLM challenge-response exchange. A valid NT hash is sufficient to authenticate against any service using NTLM. ...

13 min · MrAzoth

Domain & Forest Trusts — From Kali

Quick Reference

| Attack | Requirement | Tool |
|---|---|---|
| Cross-domain Kerberoasting | Valid low-priv creds in child domain | GetUserSPNs.py |
| Cross-domain AS-REP Roasting | Valid low-priv creds in child domain | GetNPUsers.py |
| SID History Injection (parent-child) | Domain Admin in child domain, child krbtgt hash | ticketer.py |
| Cross-domain DCSync | Replication rights or DA in target domain | secretsdump.py |
| One-way inbound trust abuse | DA in trusted domain, inter-realm key | ticketer.py (silver), getST.py |
| One-way outbound trust abuse | DA in trusting domain, TDO GUID | secretsdump.py, getTGT.py |
| Cross-forest Kerberoasting | Bidirectional forest trust, valid creds | GetUserSPNs.py |
| Golden ticket cross-domain | Child krbtgt hash + parent domain SID | ticketer.py |
| BloodHound trust mapping | Valid creds, network access to DC | bloodhound-python |

Trust Concepts

Trust Types

A Trust is a relationship between two domains that allows security principals in one domain to authenticate to resources in another. Trust information is stored in Active Directory as Trusted Domain Objects (TDOs) under CN=System. ...

14 min · MrAzoth

Persistence — From Kali

Quick Reference

| Technique | Requirement | Detection Risk |
|---|---|---|
| DCSync | Domain Admin or explicit replication rights | High — replication request from non-DC |
| Golden Ticket | krbtgt NTLM + AES256 hash, domain SID | Medium — no TGT event (4768) on DC |
| Silver Ticket | Service account NTLM hash, domain SID, SPN | Low — no DC contact at all |
| Diamond Ticket | krbtgt AES256, valid user credentials | Low — based on a real TGT |
| NTDS.dit VSS | Shell on DC, local admin | High — shadow copy creation event |
| DPAPI Backup Key | Domain Admin, DC access | Medium — LDAP/RPC request to DC |
| ACL-based (DCSync rights) | WriteDACL or GenericAll on domain root | Low — ACL change may not alert |
| Machine Account creation | Any user with MachineAccountQuota > 0 | Low |
| Pass-the-Hash persistence | Local admin hash, no domain rights needed | Low — appears as normal auth |

DCSync

What It Is

DCSync abuses the Directory Replication Service (DRS) protocol. Domain controllers use DRS to replicate directory data between themselves. The GetNCChanges function is the core RPC call used. Any account with the following rights on the domain root object can invoke this: ...

14 min · MrAzoth