AD Testing Checklist (Windows)

Below are the things you should check on every Active Directory assessment from a Windows machine

Shortlist

Short bullet point to jog your memory. If this is not enough, click on the check to get full notes.

  1. Confirm AD Access

  2. Search for abusable ACLs (Bloodhound)

  3. Search for passwords in user descriptions

  4. Search for Kerberoastable accounts

  5. Search for As-Rep Roastable accounts

  6. Perform Timeroasting attack

  7. Check for default Machine Account Quota

  8. Check password policy

  9. Check for active WebDAV clients

  10. Check for missing SMB signing

  11. Check for SMBv1 Support

  12. Check for writable shares

  13. Check for sensitive data in shares

  14. Check for anonymous access

  15. Check LDAP Configuration

  16. Check MsSQL Configuration

  17. Check ADCS Configuration

  18. Check SCCM Configuration

Extra Attacks

  1. Coercion Attacks

    1. Local Network Poisoning

    2. IPv6 MITM

    3. Stale Half-Duplex ARP

    4. WPAD

    5. WebDAV

    6. LNK file drop

  2. Password Spraying

  3. ADIDNS Wildcard Attack (Dangerous and not well understood)

Confirm AD Access (Windows)

This page assumes you have followed Tunneling Windows VM to Target Environment and Configuring Windows 11 for AD Testing to have a Windows Machine configured testing AD

Start Runas session as Domain User

runas /netonly /user:<ADDOMAIN>\<ADUSER> powershell.exe

Define Shell Variables (PowerShell)

$ADUSER = Read-Host "Input AD Username"
$ADDOMAIN = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
$ADCONTROLLER = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name
$ADCONTROLLER_IP = (Resolve-DnsName $ADCONTROLLER | Where-Object { $_.Type -eq "A" }).IPAddress

Check Access

net view \\$ADDOMAIN\

Search for abusable ACLs (Bloodhound)

SharpHound -d $ADDOMAIN --zipfilename bloodhound_$ADDOMAIN.zip --recursedomains --trackcomputercalls

Get SharpHound.exe from your local Bloodhound CE install web dashboard

Search for passwords in user descriptions

COMING SOON

Search for Kerberoastable accounts

# Regular
Rubeus kerberoast /stats /domain:$ADDOMAIN

# AES
Rubeus kerberoast /aes /domain:$ADDOMAIN

Search for As-Rep Roastable accounts

Rubeus asreproast /stats

Check for default Machine Account Quota

Automated

Invoke-adPEAS -Domain $ADDOMAIN -Module Rights -Outputfile 'Rights_Info-adPeas.txt'

Manual

$domain = [ADSI]"LDAP://RootDSE"
$configNC = $domain.Get("defaultNamingContext")
$domainObject = [ADSI]"LDAP://$configNC"
$domainObject."ms-DS-MachineAccountQuota"

Check password policy

Invoke-adPEAS -Domain $ADDOMAIN -Module Domain -Outputfile 'Domain_Info-adPeas.txt'

Check for active WebDAV clients

COMING SOON

Check for missing SMB signing

COMING SOON

Check for SMBv1 Support

COMING SOON

Check for writable shares

COMING SOON

Check for sensitive data in shares

Snaffler --domain $ADDOMAIN --domainusers --domaincontroller $ADCONTROLLER --stdout -o SMB_Search.txt | Tee-Object -FilePath "Snaffler-Output.txt"

The above checks all shares in the domain... make sure that's in scope!

Check for anonymous access

COMING SOON

Check LDAP Configuration

wget https://github.com/cube0x0/LdapSignCheck/raw/refs/heads/main/LdapSignCheck/bin/Release/LdapSignCheck.exe -o LdapSignCheck.exe
.\LdapSignCheck.exe -domain $ADDOMAIN -user $ADUSER -password (Read-Host "Input Password") -dc-ip $ADCONTROLLER_IP

Check MsSQL Configuration

Get-SQLInstanceDomain | select ComputerName

COMING SOON

Check ADCS Configuration

COMING SOON

Check SCCM Configuration

COMING SOON

PreviousAD Testing Checklist (Linux)NextConfiguring Windows 11 for AD Testing

Last updated