Active Directory
Table of contents
This section assumes that you have at least a network access to the Active Directory domain.
Recon
Before starting to play with following exploits, it is a good idea to recover information about the domain you are going to attack as an unauthenticated user.
Without an account
First thing you want to achieve to compromise a domain is to get an initial foothold. To do so, following attacks can be used to gain a domain joined account, either a user or computer one.
- Brute-force
- Email Password Spraying
- NTLM Relay
- Password Spraying
- PetitPotam [CVE-2022-26925]
- Pre Windows 2000 Compatibility Abuse
- Printer Abuse
- User Spraying
- Zerologon [CVE-2020-1472]
You also should take a look at Windows Initial Foothold methods.
Privilege escalation
Once you get either a low privileged domain account or an access to a domain joined computer, you can perform following attacks to escalate your privileges locally on domain computers or on the domain itself. You should perform Active Directory Enumeration to get as much information as possible before starting to exploit.
- AppLocker Bypass
- AS-REP Roasting
- Certificate Services
- Constrained Delegation
- DCSync Attack
- Forged Certificates
- GPO Abuse
- Kerberoasting
- LAPS Abuse
- NoPac [CVE-2021-42278] & [CVE-2021-42287]
- PetitPotam [CVE-2022-26925]
- Pre Windows 2000 Compatibility Abuse
- PrintNightmare [CVE-2021-1675]
- Role-Based Constrained Delegation
- SCCM Abuse
- S4U2Self Abuse
- Shadow Credentials
- SYSVOL Enumeration
- Unconstrained Delegation
You also should take a look at Windows Privilege Escalation methods.
Lateralization
- Net-NTLMv2 Relay
- Overpass the Hash
- Pass the Hash
- Pass the Ticket
- Service Name Abuse
- Silver Tickets
- Trust Relationship Abuse
You also should take a look at Windows Lateralization methods.
Persistance
Useful links
- ODC Mind Map for the Orange Cyberdefense Active Directory mind map.
