AD OFFENSIVE CHECKLIST

PRIMARY CATEGORY → CHECKLISTS

Mindmap

AD Mindmap

---

Non-Credentialed Enumeration

W/O Knowing Users

• Internal Host Discovery

   TCPDump ↔ Wireshark ↔ FPing ↔ Nmap

• SMB - Null | Guest | Random Authentication

   Netexec

• RPC - SAMR - Null | Guest | Random Authentication

   RPCClient ↔ Impacket’s SAMRDump.py

• RPC - LSARPC - Null | Guest | Random Authentication

   RPCClient

• LDAP - Anonymous Bind

   LDAPSearch

• DNS - Zone Transfer

   DIG

• Kerberos - AD Naming Convention Discovery

   OSINT ( Linkedin2Username, Social Media, Corporate Website… ) + Username-Anarchy + Kerbrute

• Kerberos - User Accounts Enumeration

   ( OSINT ↔ Statistically-Likely-Usernames ) + Kerbrute

• NTLM Capture + Cracking

   ( Responder ↔ Inveigh ) + ( Hashcat + John )

• Unauthenticated Coercion + NTLM Relay

   PetitPotam.py + Impacket’s NTLMRelayx.py

Knowing Users

• Kerberos - ASREPRoast

   Kerbrute ↔ Impacket’s GetNPUsers.py ↔ Rubeus

• Password Spraying

If any of the above Authentication Methods work or are enabled, first check the Domain Password Policy before spraying

   Netexec ↔ THC-Hydra ↔ Medusa

---

Credentialed Enumeration

• SMB - Shares Listing

   Netexec ↔ SMBMap ↔ SMBClient ↔ Mount

• SMB - User Accounts Enumeration

   Netexec

• SMB - GPP Credentials on SYSVOL

   Netexec ↔ Mount ↔ Impacket’s GetGPPPassword.py

• SMB - Autologon Credentials

   Netexec

• RPC - SAMR - User Accounts Enumeration

   RPCClient ↔ Impacket’s SAMRDump.py

• [[135 - RPC#RPCClient#LSARPC|RPC - LSARPC]] - User Accounts Enumeration

   RPCClient

• RPC - LSARPC - User Accounts’ Description Listing

   RPCClient

• LDAP - User Accounts Enumeration

   LDAPSearch ↔ Impacket’s GetADUsers.py ↔ Go-Windapsearch

• LDAP - User Accounts’ Description Listing

   LDAPSearch ↔ Go-Windapsearch

• LDAP - Sensitive Information in LDAP Object Attributes

   LDAPSearch ↔ Go-Windapsearch

• LDAP - Comprehensive Domain Enumeration

   LDAPDomainDump.py ↔ ( BloodHound.py + BH CE )

• DNS - DNS Records Dump

   ADIDNSDump

• Kerberos - Kerberoasting

   Impacket’s GetUserSPNs.py ↔ Rubeus ↔ Powerview

• DACL Enumeration

   Impacket’s DACLEdit.py ↔ Powerview ↔ ( BloodHound.py + BH CE )

• Password Spraying - Domain and Local

First check the Domain Password Policy

   Netexec ↔ THC-Hydra ↔ Medusa

• Password Reuse - Domain and Local

Using previously obtained Credentials

   Netexec ↔ THC-Hydra ↔ Medusa

• LDAP - Domain Computers Enumeration

   Impacket’s GetADComputers.py

• A compromised user account can connect remotely to a domain-joined host via RDP, WinRM or MSSQL

   Netexec ↔ Powerview ↔ ( BloodHound.py + BH CE )

• A compromised user account is privileged on a domain-joined computer

   Netexec

• GPO Enumeration

   Powerview ↔ LDAPDomainDump.py ↔ ( BloodHound.py + BH CE ) ↔ Group3r

• NoPAC

   NoPAC.py

• PrintNightmare - Remote Code Execution

   CVE-2021-1675

• NTLM Capture + Cracking

   ( Responder ↔ Inveigh ) + ( Hashcat + John )

• Authenticated Coercion + NTLM Relay

   ( PetitPotam.py ↔ Dementor.py ) + Impacket’s NTLMRelayx.py

---

PE and Lateral Movement

Non-Privileged

• SeImpersonate and SeAssignPrimaryToken Privileges

From LOCAL SERVICE or NETWORK SERVICE to LOCAL SYSTEM

   RoguePotato ↔ JuicyPotato ↔ PrintSpoofer

• Other Sensitive Windows Privileges related to the Current Access Token

• Local and Domain Groups to which the Current User belongs

Nested Group Membership

• Autologon

   Netexec ↔ Impacket’s REG.py ↔ Get-GPPAutologon

• Directory Content Checking → C: | Program Files | Program Files (x86) | Users

Privileged

• Windows Credential Dump - NTDS | SAM | SYSTEM | SECURITY | LSASS

   Impacket’s Secretsdump.py ↔ Mimikatz ↔ Netexec

• NT Hash Cracking

   Impacket’s Secretsdump.py + ( Hashcat + John )