Impacket on MrAzoth

Enumeration & Discovery — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Comprehensive Active Directory enumeration from a Kali/Linux attacker host: port scanning, DNS, LDAP, BloodHound, Kerbrute, NetExec, rpcclient, windapsearch, and more.

Kerberos Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Hashcat Mode	Requirement
AS-REP Roasting	GetNPUsers.py / kerbrute	-m 18200	DONT_REQ_PREAUTH flag set
Kerberoasting	GetUserSPNs.py	-m 13100 (RC4) / -m 19700 (AES)	Valid domain user + SPN exists
Pass-the-Ticket	getTGT.py + impacket	N/A	Valid credentials or hash
Overpass-the-Hash	getTGT.py -aesKey	N/A	AES256 key for user
Kerbrute userenum	kerbrute	N/A	Network access to DC on port 88
Ticket conversion	ticket_converter.py	N/A	Existing .kirbi or .ccache

AS-REP Roasting

AS-REP Roasting targets accounts that have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH flag set in userAccountControl). The KDC returns an AS-REP containing a portion encrypted with the user’s hash — no prior authentication required, making it requestable by anyone.

Delegation Attacks — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Tool	Required Privileges
Unconstrained Delegation Abuse	impacket, Responder, coercion tools	Compromise of delegated host
Constrained Delegation (KCD)	getST.py	Control of account with KCD configured
RBCD Setup + Abuse	addcomputer.py, rbcd.py, getST.py	GenericWrite or WriteDACL on target computer
Shadow Credentials	pywhisker.py, getnthash.py	WriteProperty on msDS-KeyCredentialLink
Coerce Authentication (PetitPotam)	PetitPotam.py	Valid domain credentials
Coerce Authentication (PrinterBug)	printerbug.py	Valid domain credentials

Delegation Overview

Kerberos delegation allows a service to impersonate users when accessing other services on their behalf. There are three types, each with different risk profiles and abuse paths.

Lateral Movement — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Tool	Auth Type	Notes
Pass-the-Hash	psexec.py, wmiexec.py, nxc	NTLM hash	No plaintext needed
Pass-the-Ticket	psexec.py -k, wmiexec.py -k	Kerberos ccache	Set KRB5CCNAME first
Evil-WinRM	evil-winrm	Password / Hash / Ticket	WinRM port 5985/5986
WMI Execution	wmiexec.py	Password / Hash	Output shown, less noisy
DCOM Execution	dcomexec.py	Password / Hash	Multiple COM objects
RDP PtH	xfreerdp /pth	NTLM hash	Requires Restricted Admin mode
SMB Exec	psexec.py, smbexec.py	Password / Hash	Different noise levels
Proxychains	proxychains + any tool	Any	Internal network pivoting

Pass-the-Hash (PtH) from Linux

Concept

NTLM authentication does not require knowledge of the plaintext password — it only requires the NT hash. The NT hash is the MD4 hash of the Unicode password, and it is used directly in the NTLM challenge-response exchange. A valid NT hash is sufficient to authenticate against any service using NTLM.

Domain & Forest Trusts — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Attack	Requirement	Tool
Cross-domain Kerberoasting	Valid low-priv creds in child domain	GetUserSPNs.py
Cross-domain AS-REP Roasting	Valid low-priv creds in child domain	GetNPUsers.py
SID History Injection (parent-child)	Domain Admin in child domain, child krbtgt hash	ticketer.py
Cross-domain DCSync	Replication rights or DA in target domain	secretsdump.py
One-way inbound trust abuse	DA in trusted domain, inter-realm key	ticketer.py (silver), getST.py
One-way outbound trust abuse	DA in trusting domain, TDO GUID	secretsdump.py, getTGT.py
Cross-forest Kerberoasting	Bidirectional forest trust, valid creds	GetUserSPNs.py
Golden ticket cross-domain	Child krbtgt hash + parent domain SID	ticketer.py
BloodHound trust mapping	Valid creds, network access to DC	bloodhound-python

Trust Concepts

Trust Types

A Trust is a relationship between two domains that allows security principals in one domain to authenticate to resources in another. Trust information is stored in Active Directory as Trusted Domain Objects (TDOs) under CN=System.

Persistence — From Kali

Mon, 01 Jan 0001 00:00:00 +0000

Quick Reference

Technique	Requirement	Detection Risk
DCSync	Domain Admin or explicit replication rights	High — replication request from non-DC
Golden Ticket	krbtgt NTLM + AES256 hash, domain SID	Medium — no TGT event (4768) on DC
Silver Ticket	Service account NTLM hash, domain SID, SPN	Low — no DC contact at all
Diamond Ticket	krbtgt AES256, valid user credentials	Low — based on a real TGT
NTDS.dit VSS	Shell on DC, local admin	High — shadow copy creation event
DPAPI Backup Key	Domain Admin, DC access	Medium — LDAP/RPC request to DC
ACL-based (DCSync rights)	WriteDACL or GenericAll on domain root	Low — ACL change may not alert
Machine Account creation	Any user with MachineAccountQuota > 0	Low
Pass-the-Hash persistence	Local admin hash, no domain rights needed	Low — appears as normal auth

DCSync

What It Is

DCSync abuses the Directory Replication Service (DRS) protocol. Domain controllers use DRS to replicate directory data between themselves. The GetNCChanges function is the core RPC call used. Any account with the following rights on the domain root object can invoke this: