AD OFFENSIVE CHECKLIST

PRIMARY CATEGORY → CHECKLISTS

Mindmap

AD Mindmap

Zoom in

---

Non-Credentialed Enumeration

W/O Knowing Users

External Network ( OSINT )

Check this out

Corporate Website

• Hunting for Files ( e.g. Google dork → inurl:www.domain.tld filetype:pdf ) → Look for sensitive information on the file’s Metadata Properties ( e.g. Domain User Account → User Accounts’ Naming Convention )

• Hunting Email Addresses

About us or Contact pages ( e.g. https://www.domain.tld/about-us )

Google Dorks ( e.g. inurl:www.domain.tld intext:@domain.tld )

Social Media

• Username Harvesting through Linkedin

Linkedin2Username

Internal Network

Internal Host Discovery

• Passive

   TCPDump ↔ Wireshark

• Active

   FPing ↔ Nmap

• SMB - Null | Guest | Random Authentication

   Netexec

• RPC - SAMR - Null | Guest | Random Authentication

   RPCClient ↔ Impacket’s SAMRDump.py

• RPC - LSARPC - Null | Guest | Random Authentication

   RPCClient

• LDAP - Anonymous Bind

   LDAPSearch ↔ Go-Windapsearch

• DNS - Zone Transfer

   DIG

• Kerberos - AD Naming Convention Discovery

   OSINT ( Linkedin2Username, Social Media, Corporate Website… ) + Username-Anarchy + Kerbrute

   Kerbrute + Statistically-likely-Usernames

   MDNS Poisoning ( e.g. Responder )

• Kerberos - User Accounts Enumeration

   ( OSINT ↔ Statistically-Likely-Usernames ) + Kerbrute

• NTLM Capture + Cracking

LLMNR/NBT-NS Poisoning

   ( Responder ↔ Inveigh ) + ( Hashcat + John )

• Unauthenticated Coercion + NTLM Relay

   PetitPotam.py + Impacket’s NTLMRelayx.py

Knowing Users

• Kerberos - ASREPRoast

   Kerbrute ↔ Impacket’s GetNPUsers.py ↔ Rubeus

• Password Spraying

If any of the above Authentication Methods work or are enabled, first check the Domain Password Policy before spraying

   Netexec ↔ THC-Hydra ↔ Medusa

---

Credentialed Enumeration

Reminder → Always keep in mind that users may reuse passwords! ( e.g. Password Spray all user accounts using the collected password )

• SMB - Shares Listing

If the user account has write permissions on a given share, just try an NTMLv2 Capture via File Coercion

   Netexec ↔ SMBMap ↔ SMBClient ↔ Mount

• SMB - ADS (Alternative Data Stream) on Shares with Read Permission

SMBClient

• SMB - User Accounts Enumeration

   Netexec

• SMB - GPP Credentials on SYSVOL

   Netexec ↔ Mount ↔ Impacket’s GetGPPPassword.py

• SMB - Autologon Credentials

   Netexec

• RPC - SAMR - User Accounts Enumeration

   RPCClient ↔ Impacket’s SAMRDump.py

• RPC - LSARPC - User Accounts Enumeration

   RPCClient

• RPC - LSARPC - User Accounts’ Description Listing

   RPCClient

• LDAP - User Accounts Enumeration

   LDAPSearch ↔ Impacket’s GetADUsers.py ↔ Go-Windapsearch

• LDAP - User Accounts’ Description Listing

   LDAPSearch ↔ Go-Windapsearch

• LDAP - Sensitive Information in LDAP Object Attributes

   LDAPSearch ↔ Go-Windapsearch

• LDAP - Comprehensive Domain Enumeration

   LDAPDomainDump.py ↔ ( BloodHound.py + BH CE )

• MSSQL Remote Access ( e.g. via Impacket’s MSSQLclient.py ) → Domain User Accounts Enumeration

Check this out ( and this too )

• DNS - DNS Records Dump

   ADIDNSDump

• Logged on Users

Check this out as well

• Kerberos - Kerberoasting

   Impacket’s GetUserSPNs.py ↔ Rubeus ↔ Powerview

• DACL Enumeration

   BloodyAD ↔ Impacket’s DACLEdit.py ↔ Powerview ↔ ( BloodHound.py + BH CE )

• NTLM Capture on each compromised host

• Principals with PASSWD_NOTREQD enabled

• Password Spraying - Domain and Local

First check the Domain Password Policy

   Netexec ↔ THC-Hydra ↔ Medusa

• Password Reuse - Domain and Local ( e.g. RID-500 of each domain-joined machine )

Using previously obtained Credentials

   Netexec ↔ THC-Hydra ↔ Medusa

• LDAP - Domain Computers Enumeration

   Impacket’s GetADComputers.py

• A compromised user account can connect remotely to a domain-joined host via RDP, WinRM or MSSQL

   Netexec ↔ Powerview ↔ ( BloodHound.py + BH CE )

• A compromised user account is privileged on a domain-joined computer

   Netexec

• GPO Enumeration

   Powerview ↔ LDAPDomainDump.py ↔ ( BloodHound.py + BH CE ) ↔ Group3r

• Enumerate existing Windows Trusts

• If any Windows Trust exists → ExtraSIDs Attack, ASRepRoasting, Kerberoasting…

• NoPAC

   NoPAC.py

• PrintNightmare - Remote Code Execution

   CVE-2021-1675

• NTLM Capture + Cracking

   ( Responder ↔ Inveigh ) + ( Hashcat + John )

• Authenticated Coercion + NTLM Relay

   ( PetitPotam.py ↔ Dementor.py ) + Impacket’s NTLMRelayx.py

• ADCS - CA Enumeration

Look for know vulnerabilities e.g ESC8, ESC15, ESC16 and so on

   Netexec ↔ Certipy

• Certipy Recon → ESC8 → Self Reflection or NTLM Auth. Disabled → ESC8 via Kerberos Relay over SMB

• Tombstoned | Deleted Objects 🪦

   BloodyAD

• LAPS and gMSA

   Impacket’s GetLAPSpassword.py ↔ LDAPsearch ↔ BloodyAD

• Remote Access to any domain-jonined machine → DPAPI Secrets Extraction

---

Privesc and Lateral Movement

See Windows Privesc Checklist