AD Testing Checklist (Windows)

Below are the things you should check on every Active Directory assessment from a Windows machine

Shortlist

Short bullet point to jog your memory. If this is not enough, click on the check to get full notes.

Confirm AD Access
Search for abusable ACLs (Bloodhound)
Search for passwords in user descriptions
Search for Kerberoastable accounts
Search for As-Rep Roastable accounts
Perform Timeroasting attack
Check for default Machine Account Quota
Check password policy
Check for active WebDAV clients
Check for missing SMB signing
Check for SMBv1 Support
Check for writable shares
Check for sensitive data in shares
Check for anonymous access
Check LDAP Configuration
Check MsSQL Configuration
Check ADCS Configuration
Check SCCM Configuration

Extra Attacks

Coercion Attacks
1. Local Network Poisoning
2. IPv6 MITM
3. Stale Half-Duplex ARP
4. WPAD
5. WebDAV
6. LNK file drop
Password Spraying
ADIDNS Wildcard Attack (Dangerous and not well understood)

Confirm AD Access (Windows)

This page assumes you have followed Tunneling Windows VM to Target Environment and Configuring Windows 11 for AD Testing to have a Windows Machine configured testing AD

Start Runas session as Domain User

runas /netonly /user:<ADDOMAIN>\<ADUSER> powershell.exe

Define Shell Variables (PowerShell)

$ADUSER = Read-Host "Input AD Username"
$ADDOMAIN = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
$ADCONTROLLER = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name
$ADCONTROLLER_IP = (Resolve-DnsName $ADCONTROLLER | Where-Object { $_.Type -eq "A" }).IPAddress

Check Access

net view \\$ADDOMAIN\

Search for abusable ACLs (Bloodhound)

SharpHound -d $ADDOMAIN --zipfilename bloodhound_$ADDOMAIN.zip --recursedomains --trackcomputercalls

Get SharpHound.exe from your local Bloodhound CE install web dashboard

Search for passwords in user descriptions

COMING SOON

Search for Kerberoastable accounts

# Regular
Rubeus kerberoast /stats /domain:$ADDOMAIN

# AES
Rubeus kerberoast /aes /domain:$ADDOMAIN

Search for As-Rep Roastable accounts

Rubeus asreproast /stats

Check for default Machine Account Quota

Automated

Invoke-adPEAS -Domain $ADDOMAIN -Module Rights -Outputfile 'Rights_Info-adPeas.txt'

Manual

$domain = [ADSI]"LDAP://RootDSE"
$configNC = $domain.Get("defaultNamingContext")
$domainObject = [ADSI]"LDAP://$configNC"
$domainObject."ms-DS-MachineAccountQuota"

Check password policy

Invoke-adPEAS -Domain $ADDOMAIN -Module Domain -Outputfile 'Domain_Info-adPeas.txt'

Check for active WebDAV clients

COMING SOON

Check for missing SMB signing

COMING SOON

Check for SMBv1 Support

COMING SOON

Check for writable shares

COMING SOON

Check for sensitive data in shares

Snaffler --domain $ADDOMAIN --domainusers --domaincontroller $ADCONTROLLER --stdout -o SMB_Search.txt | Tee-Object -FilePath "Snaffler-Output.txt"

The above checks all shares in the domain... make sure that's in scope!

Check for anonymous access

COMING SOON

Check LDAP Configuration

wget https://github.com/cube0x0/LdapSignCheck/raw/refs/heads/main/LdapSignCheck/bin/Release/LdapSignCheck.exe -o LdapSignCheck.exe
.\LdapSignCheck.exe -domain $ADDOMAIN -user $ADUSER -password (Read-Host "Input Password") -dc-ip $ADCONTROLLER_IP

Check MsSQL Configuration

Get-SQLInstanceDomain | select ComputerName

COMING SOON

Check ADCS Configuration

COMING SOON

Check SCCM Configuration

COMING SOON

PreviousAD Testing Checklist (Linux)NextConfiguring Windows 11 for AD Testing

Last updated 3 months ago

hashtagShortlist

hashtagExtra Attacks

hashtagConfirm AD Access (Windows)

hashtagSearch for abusable ACLs (Bloodhound)

hashtagSearch for passwords in user descriptions

hashtagSearch for Kerberoastable accounts

hashtagSearch for As-Rep Roastable accounts

hashtagCheck for default Machine Account Quota

hashtagCheck password policy

hashtagCheck for active WebDAV clients

hashtagCheck for missing SMB signing

hashtagCheck for SMBv1 Support

hashtagCheck for writable shares

hashtagCheck for sensitive data in shares

hashtagCheck for anonymous access

hashtagCheck LDAP Configuration

hashtagCheck MsSQL Configuration

hashtagCheck ADCS Configuration

hashtagCheck SCCM Configuration

Shortlist

Extra Attacks

Confirm AD Access (Windows)

Search for abusable ACLs (Bloodhound)

Search for passwords in user descriptions

Search for Kerberoastable accounts

Search for As-Rep Roastable accounts

Check for default Machine Account Quota

Check password policy

Check for active WebDAV clients

Check for missing SMB signing

Check for SMBv1 Support

Check for writable shares

Check for sensitive data in shares

Check for anonymous access

Check LDAP Configuration

Check MsSQL Configuration

Check ADCS Configuration

Check SCCM Configuration