WADComs - WADComs is an interactive cheat sheet containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.
Queries and Commands for Active Directory
Get more information about users in AD
Manual Queries - Traditional
>net user - enumerates all local accounts
>net user /domain - enumerates all accounts in the domain
>net user bob_admin - shows account details for the user, including the groups the user belongs to
Manual Queries - PowerShell
Script that will enumerate AD users and the properties of their accounts
BloodHound - The Active Directory mapping tool. Used by red and blue teamers to map out their Active Directory environment and look for the shortest path to compromise Domain Admin.
Uses graph theory to reveal the hidden and unintended relationships in an AD environment.
Easily identify highly complex attack paths - can be used by defenders as well.
BloodHound works by running an ingestor that queries AD for users, groups and hosts. It will then connect to each system to enumerate logged-in user sessions and permissions. ***WARNING: VERY LOUD*** There is a stealth option but it is limited.
Two Versions
BloodHound - PowerShell-based older module
SharpHound - C# version that is much faster and more stable. Standalone binary or imported as a PowerShell script.
The script version will use reflection and Assembly.Load to load the compiled ingestor into memory.
GoodHound - Uses SharpHound, BloodHound and Neo4j to produce an actionable list of attack paths for targeted remediation.
BadBlood - BadBlood by Secframe fills a Microsoft Active Directory domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. Used for testing BloodHound.
aclpwn.py - Active Directory ACL exploitation with BloodHound
CrackHound - CrackHound is a way to introduce plain-text passwords into BloodHound. This allows you to upload all your cracked hashes to the Neo4j database and use them for reporting purposes (CSV exports) or path finding in BloodHound using custom queries.
ADExplorer by Sysinternals - An advanced Active Directory (AD) viewer and editor. You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute.
ADRecon - ADRecon is a tool which extracts and combines various artifacts (as highlighted below) out of an AD environment.
ACLight - A tool for advanced discovery of privileged accounts, including Shadow Admins.
TruffleSnout - Iterative AD discovery toolkit for offensive operators. Situational awareness and targeted low noise enumeration.
Snaffler - It gets a list of Windows computers from Active Directory, then spreads out its snaffly appendages to them all to figure out which ones have file shares, and whether you can read them.
RedSnarf - RedSnarf is a pen-testing / red-teaming tool by Ed Williams for retrieving hashes and credentials from Windows workstations, servers and domain controllers using OpSec-safe techniques.
CrackMapExec - CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
GetTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.
GetST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges, you will be able to use the -impersonate switch to request the ticket on behalf of another user.
GetPac.py: This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user using only the credentials of a normal authenticated user. It does so by using a mix of [MS-SFU]'s S4U2Self + User-to-User Kerberos authentication.
GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat.
GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR.
ticketConverter.py: This script will convert kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa.
ticketer.py: This script will create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, ExtraSids, duration, etc.
raiseChild.py: This script implements a child-domain to forest privilege escalation.
Start by writing all tickets to the folder from which mimikatz was executed.
>privilege::debug
>sekurlsa::tickets /export
Now we import one of those tickets and drop back into mimikatz
>kerberos::ptt [0,ab9bf] [ticket info]
Overpass the Hash
Abuses an NTLM user hash to obtain a full Kerberos TGT
The essence of the overpass-the-hash technique is to turn the NTLM hash into a Kerberos ticket and avoid the use of NTLM authentication. A simple way to do this is again with the sekurlsa::pth command from Mimikatz.
aclpwn.py - Active Directory ACL exploitation with BloodHound
ADACLScanner - A tool with a GUI or command line used to create reports of discretionary access control lists (DACLs) and system access control lists (SACLs) in Active Directory
RACE - RACE is a PowerShell module for executing ACL attacks against Windows targets.