101

  • AD is based on the X.500 and LDAP protocols

If you do NOT HAVE DOMAIN creds:

  • Kerbrute to find valid usernames
  • Kerbrute to find usernames that do not require Kerberos pre-authentication
  • ASREPRoasting
  • LLMNR Poisoning
  • Password policy and spraying
  • GPP policies containing encrypted passwords
  • GPO Abuse
  • Check for passwords in the description field and for the "Password not required" option

If you HAVE DOMAIN creds:

  • Enumerate security controls
    • LAPS
    • check Defender status
  • DomainPasswordSpray
  • Credentialed Enum using Linux
    • domain enum
    • user enum
    • share enum
    • logged-on users
    • rpcclient
    • winrm/rdp/psexec/wmiexec
    • windapsearch
    • bloodhound
  • Credentialed Enum using Windows
    • PowerShell
    • PowerView
    • Domain enum
    • Trust enum
    • local admin access
    • SPN enum (kerberoasting)
    • SharpView if no PowerView
    • Snaffler, LaZagne to get creds saved on machine
    • mimikatz
    • BloodHound
  • LOTL
  • Kerberoasting (getting a user's SPN)
  • TargetedKerberoasting
  • Shadow Credentials
    • pywhisker
  • ACL Enum and Abuse (using bloodyAD or PowerView)
    • DCSync (replication privileges)
  • CVEs
  • Other:
    • password not required fields
  • Domain Trusts
    • Cross Forest
    • Parent child

Notable

  • Bleeding-edge vulns include:
    • cert to TGT using PKINIT
    • DC TGT to DCSync
  • AD CS