6️
SixthCyber
  • Introduction
  • Favorite Pages
  • 🌐Active Directory
    • AD Testing Checklist (Windows)
    • Create Machine Account
    • Searching SMB Shares
    • Active Directory Password Spraying
    • AD Testing Checklist (Linux)
    • Tunneling Windows VM to Target Environment (WireGuard)
    • 🕐Analyzing Data with Bloodhound
    • 🕐Kerberoasting
    • Configuring Windows 11 for AD Testing
  • 🕐As-Rep Roasting
  • ADCS Exploitation
  • NTLM Coercion
  • Building Custom Wordlists
Powered by GitBook
On this page
  • Shortlist
  • Extra Attacks
  • Confirm AD Access (Windows)
  • Search for abusable ACLs (Bloodhound)
  • Search for passwords in user descriptions
  • Search for Kerberoastable accounts
  • Search for As-Rep Roastable accounts
  • Check for default Machine Account Quota
  • Check password policy
  • Check for active WebDAV clients
  • Check for missing SMB signing
  • Check for SMBv1 Support
  • Check for writable shares
  • Check for sensitive data in shares
  • Check for anonymous access
  • Check LDAP Configuration
  • Check MsSQL Configuration
  • Check ADCS Configuration
  • Check SCCM Configuration
  1. Active Directory

AD Testing Checklist (Windows)

Below are the things you should check on every Active Directory assessment from a Windows machine

Shortlist

Short bullet point to jog your memory. If this is not enough, click on the check to get full notes.

  1. Confirm AD Access

  2. Search for abusable ACLs (Bloodhound)

  3. Search for passwords in user descriptions

  4. Search for Kerberoastable accounts

  5. Search for As-Rep Roastable accounts

  6. Check for default Machine Account Quota

  7. Check password policy

  8. Check for active WebDAV clients

  9. Check for missing SMB signing

  10. Check for SMBv1 Support

  11. Check for writable shares

  12. Check for sensitive data in shares

  13. Check for anonymous access

  14. Check LDAP Configuration

  15. Check MsSQL Configuration

  16. Check ADCS Configuration

  17. Check SCCM Configuration

Extra Attacks

  1. Coercion Attacks

    1. Local Network Poising

    2. IPv6 MITM

    3. Stale Half-Duplex ARP

    4. WPAD

    5. WebDAV

    6. LNK file drop

  2. Password Spraying

  3. ADIDNS Wildcard Attack (Dangerous and not well understood)

Confirm AD Access (Windows)

This page assumes you have followed Tunneling Windows VM to Target Environment and Configuring Windows 11 for AD Testing to have a Windows Machine configured testing AD

Start Runas session as Domain User

runas /netonly /user:<ADDOMAIN>\<ADUSER> powershell.exe

Define Shell Variables (PowerShell)

$ADUSER = Read-Host "Input AD Username"
$ADDOMAIN = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).Name
$ADCONTROLLER = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name

Check Access

net view \\$ADDOMAIN\

Search for abusable ACLs (Bloodhound)

SharpHound -d $ADDOMAIN --zipfilename bloodhound_$ADDOMAIN.zip --recursedomains --trackcomputercalls

Get SharpHound.exe from your local Bloodhound CE install web dashboard

Search for passwords in user descriptions

COMING SOON

Search for Kerberoastable accounts

# Regular
Rubeus kerberoast /stats /domain:$ADDOMAIN

# AES
Rubeus kerberoast /aes /domain:$ADDOMAIN

Search for As-Rep Roastable accounts

Rubeus asreproast /stats

Check for default Machine Account Quota

 Invoke-adPEAS -Domain $ADDOMAIN -Module Rights -Outputfile 'Rights_Info-adPeas.txt'

Check password policy

 Invoke-adPEAS -Domain $ADDOMAIN -Module Domain -Outputfile 'Domain_Info-adPeas.txt'

Check for active WebDAV clients

COMING SOON

Check for missing SMB signing

COMING SOON

Check for SMBv1 Support

COMING SOON

Check for writable shares

COMING SOON

Check for sensitive data in shares

Snaffler --domain $ADDOMAIN --domainusers --domaincontroller $ADCONTROLLER --stdout -o SMB_Search.txt

The above checks all shares in the domain... make sure that's in scope!

Check for anonymous access

COMING SOON

Check LDAP Configuration

COMING SOON

Check MsSQL Configuration

Get-SQLInstanceDomain | select ComputerName

COMING SOON

Check ADCS Configuration

COMING SOON

Check SCCM Configuration

COMING SOON

PreviousFavorite PagesNextCreate Machine Account

Last updated 8 days ago

🌐