📂 Active Directory

Active Directory Basics

Active Directory (AD) is a directory service for Windows network environments. AD provides authentication and authorization functions within a Windows domain environment. It's a hierarchical structure that allows for centralized management of an organization's resources.

Resources in AD can be users, computers, groups, network devices, file shares, group policies, and trusts. Any user in AD, regardless of their privileges, can be used to enumerate most objects within the AD environment.

Many features in AD are not secure by default and can be easily misconfigured. These weaknesses can be leveraged to move laterally and vertically within a network and gain unauthorized access.


Useful Resources

Learning Resources

Other Useful Resources & Cheatsheets

Active Directory Helper Tools

Tool | Description

Repository containing pre-compiled binaries of some of the following tools.

PowerView is one of the main PowerShell tools for network and Windows domain enumeration and exploitation. It is useful for checking access and permissions, and for enumerating potential users for Kerberoasting/ASREPRoasting attacks.

Performs many functions, notably pass-the-hash attacks, extracting plaintext passwords, and Kerberos ticket extraction from memory on a host.

Built-in cmdlets to manage Active Directory domains; a useful tool for enumeration.

SharpView is the C# version of PowerView.

Visually map out AD relationships and help plan attack paths that may otherwise go unnoticed.

Data collector to gather information from Active Directory about varying AD objects such as users, groups, computers, ACLs, GPOs, user and computer attributes, user sessions, and more. The tool produces JSON files which can then be ingested into the BloodHound GUI tool for analysis.

A Python-based BloodHound ingestor based on the Impacket toolkit. It supports most BloodHound collection methods and can be run from a non-domain-joined attacker host. The output can be ingested into the BloodHound GUI for analysis.

A tool written in Go that uses Kerberos Pre-Authentication to enumerate Active Directory accounts and perform password spraying and brute forcing.

A collection of tools written in Python for interacting with network protocols. The suite of tools contains various scripts for enumerating and attacking Active Directory.

Tool to poison LLMNR, NBT-NS and mDNS, with many different functions.

Similar to Responder, a PowerShell tool for performing various network spoofing and poisoning attacks.

C# version of Inveigh with a semi-interactive console for interacting with captured data such as usernames and password hashes.

Tool that can be used to perform a variety of Active Directory enumeration tasks via the remote RPC service.

CME is an enumeration, attack, and post-exploitation toolkit. CME attempts to "live off the land" and abuse built-in AD features and protocols such as SMB, WMI, WinRM, and MSSQL.

C# tool built for Kerberos abuse.

Impacket module geared towards finding Service Principal Names (SPNs) tied to normal users. Useful for Kerberoasting attacks.

Tool for enumerating information from Windows and Samba systems.

Built-in interface for interacting with the LDAP protocol.

A Python script used to enumerate AD users, groups, and computers using LDAP queries. Useful for automating custom LDAP queries.

DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain.

Tool to leverage PowerView to audit and attack Active Directory environments that have deployed Microsoft's Local Administrator Password Solution (LAPS).

Tool for finding useful information and credentials in Active Directory on computers with accessible file shares.

Reads, modifies, and deletes the Service Principal Names (SPN) directory property for an Active Directory service account. Useful for a targeted Kerberoasting attack.

Remotely dumps SAM and LSA secrets from a host.

Provides an interactive shell on a host over the WinRM protocol.

Part of the Impacket toolset, it provides the ability to interact with MSSQL databases.

Exploit combo using CVE-2021-42278 and CVE-2021-42287 to impersonate a Domain Admin from a standard domain user.

Part of the Impacket toolset, it performs SMB relay attacks.

Tool for manipulating certificates and TGTs.

A tool for enumeration and dumping of DNS records from a domain. Similar to performing a DNS Zone transfer.

Extracts usernames and passwords from Group Policy preferences.

Attempts to list and get TGTs for users that have the property 'Do not require Kerberos preauthentication' set.

SID bruteforcing tool.

A tool for creation and customization of TGT/TGS tickets.

Part of the Impacket toolset, it is a tool for child-to-parent domain privilege escalation.

AD viewer and editor that can be used to navigate an AD database and view object properties and attributes. It can also be used to save a snapshot of an AD database for offline analysis.

Used for auditing the security level of an AD environment.

Group3r is useful for auditing and finding security misconfigurations in AD Group Policy Objects (GPO).

A tool used to extract various data from a target AD environment.
