Technical notes, AD pentest methodology, list of tools, scripts and Windows commands that I find useful during internal penetration tests and assumed breach exercises (red teaming).
The output files included here are the results of tools, scripts and Windows commands that I ran against a vulnerable Windows AD lab that I created to test attacks/exploits and deliver hands-on penetration testing training sessions to security auditors at my job.
- Step 1. Bypassing Network Access Control (NAC) - if any
- Step 2. Reconnaissance
- Step 3. Gaining access
- Step 4. Post-exploitation and local privilege escalation
- Step 5. Network lateral movement and privileged accounts hunting
- Step 6. Windows domain compromise (Privilege escalation to become 'Domain Admin' + Persistence)
- Step 7. Forest root domain compromise (Privilege escalation to become 'Enterprise Admin')
- Others
If a NAC solution is implemented, the purpose of this phase will be to bypass it to get access to the internal network and start the internal penetration test.
1. Pre-connect scenario => NAC checks are made before granting any access to the internal network
-------------------------------------------------------------------------------------------------
➤ MAC address spoofing technique
- Bypass MAC address filtering solution by spoofing the MAC address of a whitelisted device (e.g. printer, smart TV in meeting room, VOIP phone)
➤ Pre-authenticated device technique
- Bypass wired network 802.1x protection (NAC) by placing a rogue device (with 2 network adapters) between a pre-authenticated device and the network switch.
Using scripts like 'fenrir-ocd' or 'nac_bypass-setup.sh', the traffic will then flow through the rogue device which will be able to log into the network and smuggle network packets.
➤ Captive portal bypass technique
- Hack the captive authentication portal used to control network access
➤ VOIP hopping and VLAN hopping techniques
➤ ...
2. Post-connect scenario => Network access is temporarily granted while NAC checks are ran against your laptop
--------------------------------------------------------------------------------------------------------------
➤ MAC address randomization technique
- Change your MAC address automatically (e.g. every minute) with a script to obtain a new IP address prior getting blocked
and keep accessing the network resources.
➤ ...
The purpose of the reconnaissance phase is to gather as much as possible information about the targets (Windows domains and internal network). It includes Windows domain(s) enumeration, DNS enumeration, targeted network scans...
1. Black-box penetration test (we start with no account)
--------------------------------------------------------
➤ On our laptop connected to the LAN or Wifi, we run commands like 'ipconfig /all', 'ip a' and 'nslookup' to identify:
- the IP address range of the user network (our laptop IP address is part of it)
- the IP address range of a production (server) network/VLAN (thanks to the IP address of the DNS server which is usually also the IP address of a Domain Controller)
➤ Network sniffing
➤ Reconnaissance using DNS queries (e.g. reverse IP lookup, DNS zone transfer) and the naming convention of the hostnames
Examples:
- Domain Controllers have often a hostname like 'pr<bla>dc1', 'dv<bla>ad2', 'usdc02', 'prodfrdc3', etc.
- Web servers have often a hostname like 'prweb01', 'wwwserver02', 'win2k16iis03', 'devJBOSS04', etc.
- Database servers have often a hostname like 'sqlsrv01', 'prdbserver02', 'prodorasrv08', 'devmongodb14', etc.
- Citrix servers have often a hostname like 'prctxsrv1', 'printctx02', 'citrixsrv02', etc.
➤ Targeted network scans (e.g. Nmap and NSE scripts)
2. Grey-box penetration test (we start with 1 low-privileged Windows account)
-----------------------------------------------------------------------------
➤ AD and Windows domain information gathering (enumerate accounts, groups, computers, ACLs, password policies, GPOs, Kerberos delegation, ...)
➤ Numerous tools and scripts can be used to enumerate a Windows domain
Examples:
- Windows native DOS and Powershell commands (e.g. 'net' commands, PowerShell ActiveDirectory module)
- Sysinternals tools (e.g. ADexplorer.exe)
- PowerView framework / SharpView
- Powershell scripts like ADrecon.ps1
- SharpHound/RustHound + BloodHound
- PingCastle
- Purple Knight
- ADCollector
- ADFind
The purpose of this phase is to gain (unauthorized) access to several internal systems (e.g. servers, file shares, databases) by exploiting common security issues such as: default/weak passwords, OS security misconfiguration, insecure network protocols and unpatched known vulnerabilities.
1. Black-box penetration test (we start with no account)
--------------------------------------------------------
➤ LLMNR & NBT-NS poisonning attacks (tool: Responder) to collect NTLMv2 password hashes from the network + Offline password cracking (tools: John, hashcat)
➤ DNS poisoning attacks via IPv6 DHCP requests (tool: MITM6) to collect NTLMv2 password hashes from the network + Offline password cracking (tools: John, hashcat)
➤ NTLM relay attacks (tool: Ntlmrelayx) by exploiting vulnerabilities like PetitPotam and PrinterBug or poisonning attacks (LLMNR / NBT-NS / DNS & IPV6)
➤ Default/weak admin credentials for a software installed on a Windows server that will lead to a RCE
Examples:
- Web servers (e.g. Tomcat, WebLogic, JBoss) => Webshell upload
- Jenkins, JIRA => OS command execution
- CMS (e.g. WordPress, DNN, Kentico, Drupal) => Webshell upload
- Databases (e.g. MSSQL, Oracle, PostgreSQL, Sybase) => OS command execution
- PhpMyAdmin => Webshell upload
- SAP => OS command execution
➤ Windows password spray attacks (goal: find accounts protected by an easy guessable password or even a blank password / be careful not to lock accounts)
➤ Anonymous access to data storage spaces (e.g. FTP/TFTP/NFS) + Windows clear-text credentials hardcoded in scripts, logs and configuration files
➤ Upload of malicious SCF or URL files to anonymously writable Windows network shares + collect NTLMv2 password hashes + Offline password cracking (tools: John, hashcat)
➤ Enumerate PXE boot media potentially provided from an SCCM server and then try to retrieve Windows credentials via PXE boot media (tools: pxethiefy, PXEthief)
➤ Unpatched/obsolete systems prone to an unauthenticated Remote Code Execution (RCE) vulnerability with a public exploit available
Examples:
- Windows: MS17-010 (EternalBlue), CVE-2020-1472 (Zerologon, risky to run in a production environment), old MS08-067, ...
- Web servers: WebLogic RCE (CVE-2023-21839, CVE-2022-21371, CVE-2020-14882, CVE-2019-2725), Apache Struts RCE (CVE-2017-9805), JBoss RCE (CVE-2017-12149), Java RMI RCE, ...
- CMS: Telerik (CVE 2019-18935, CVE-2017-9248), Kentico (CVE-2019-10068), Drupal (DrupalGeddon2/CVE-2018-7600), DotNetNuke (CVE-2017-9822), ...
- Citrix (ADC & Gateway): CVE-2023-3519, CVE-2020-8193, CVE-2019-19781
- Atlassian software: Jira (CVE-2019-11581), Confluence (CVE-2022-26134)
- Applications using the Java library Log4j: CVE-2021-44228 (Log4shell)
- Outlook: ProxyLogon (CVE-2021-26855), ProxyNotShell (CVE-2022-41040, CVE-2022-41082)
2. Grey-box penetration test (we start with 1 low-privileged Windows account)
-----------------------------------------------------------------------------
➤ All the attacks listed above in the 'black-box pentest' section
➤ Kerberoasting attack (request Kerberos TGS for services with an SPN and retrieve crackable hashes) + Offline password cracking (tools: John, hashcat)
➤ AS-REP Roasting attack (retrieve crackable hashes/encrypted TGT for users without kerberoast pre-authentication enabled) + Offline password cracking (tools: John, hashcat)
➤ Find clear-text passwords in files shared on Domain Shares, NAS, SharePoint sites, internal github accessible to all Domain users
➤ Find a Windows server that is insecurely sharing configuration files, cron job scripts and executable files with write permissions granted to all Domain users
+ Privesc by adding a backdoor in a cron job script or modifying a configuration file, ...
➤ Upload of malicious SCF or URL files to Windows network shares (writable by any authenticated users) + collect NTLMv2 password hashes + Offline password cracking (tools: John, hashcat)
➤ Clear-text passwords stored in AD fields (e.g. account description, comments)
➤ Citrix servers accessible to all Domain users + Citrix jailbreak to get a Windows CMD or PowerShell console + Local privesc
➤ WsuXploit attack – Compromising Windows machines via malicious Windows Update (i.e. tru to inject 'fake' updates into non-SSL WSUS traffic)
➤ Find and exploit ADCS misconfiguration (very often ADCS misconfiguration can lead to a Domain Admin account compromise)
➤ NLTM Relay techniques + ADCS attacks (i.e. ESC8 - NTLM Relay to AD CS HTTP Endpoints)
➤ Unpatched/obsolete systems prone to an authenticated Remote Code Execution vulnerability with a public exploit available
Examples:
- Windows:
- Certifried vulnerability (CVE-2022-26923)
- noPAC / SamAccountName impersonation vulnerability (CVE-2021-42278/CVE-2021-42287)
- PrintNightmare vulnerability (CVE-2021-1675 & CVE-2021-34527)
- Drop-the-MIC vulnerabilities (CVE-2019-1040 & CVE-2019-1166)
- KrbRelayUp local privesc technique
- ...
- Outlook: CVE-2020-0688
➤ ...
The purpose of the post-exploitation phase is to determine the value of the systems compromised during the previous phase (e.g. sensitivity of the data stored on it, usefulness in further compromising the network) and to escalate privileges to harvest credentials (e.g. to steal the password of a privileged account from the memory of a Windows server/laptop). During this phase, the system(s) compromised can be set-up as a pivot to reach machines that are located in other networks.
1. Windows local privilege escalation to become local administrator and/or "NT AUTHORITY\SYSTEM"
------------------------------------------------------------------------------------------------
➤ Exploiting OS security misconfiguration
Examples:
- weak service permissions (file & binpath)
- service unquoted path
- autorun and weak file permissions
- privileged scheduled tasks and weak file permissions
- weak registry permissions
- dll hijacking
- weak passwords and password re-use
- clear-text passwords stored in scripts, unattended install files, configuration files (e.g. Web.config), ...
- AlwaysInstallElevated trick
- bring your own vulnerable driver
➤ Exploiting an unpatched local Windows vulnerability
(e.g. KrbrelayUp, LocalPotato, PrintNightmare, SeriousSam/HiveNightmare, Windows Installer LPE, Juicy/Rotten/Hot Potato exploits,...)
➤ Exploiting an unpatched vulnerability affecting a third party software running with high privileges
2. Dumping Windows credentials from memory and registry hives (requires local admin priv)
-----------------------------------------------------------------------------------------
➤ Dumping the registry hives (SAM, SYSTEM, SECURITY)
Examples:
- Reg save
- Esentutl.exe
- Volume Shadow Copy (VSSadmin)
- SecretsDump (Impacket)
- SharpSecDump
- OLD/Legacy - pwdumpX
➤ Memory dumping of the LSASS process
Examples:
- Mimikatz / invoke-mimikatz.ps1
- NanoDump / invoke-nanodump.ps1
- SafetyDump
- PPLBlade
- SharpKatz
- Lsassy
- EDRSandblast
- OLD/Legacy techniques
- ProcDump (Sysinternals tool)
- Task manager + "Create dump file" of lsass.exe
- Process Explorer (Sysinternals tool) + "Create dump" of lsass.exe
- Process Hacker + "Create dump file" of lsass.exe
- Dumping lsass with rundll32 and comsvcs.dll
- Dumpert
- SQLDumper (included with Microsoft SQL)
- WCE (Windows Credentials Editor)
- ...
3. Dumping other credentials
----------------------------
- The LaZagne application can be used to retrieve passwords stored in browsers, DBA tools (e.g. dbvis, SQLdevelopper) and Sysadmin tools (e.g. WinSCP, PuttyCM, OpenSSH, VNC, OpenVPN)
- The script SessionGopher.ps1 can be used to find and decrypt saved session information for remote access tools (PuTTY, WinSCP, FileZilla, SuperPuTTY, RDP)
- Dumping KeePass master password from memory using tools like 'Keethief', 'KeePassHax' or 'KeePwn'
- Clear-text passwords hardcoded in scripts, configuration files (e.g. Web.config, tomcat-users.xml), backup files, log files, ...
The purpose of the lateral movement phase is to identify Windows servers and laptops on which high privileged user and service accounts are logged (e.g. administrator of all servers, administrator of all workstations/laptops, Domain Admin account). Then try to log into these Windows servers and laptops (for example by re-using the credentials harvested during the previous phase) and take over the high privileged accounts using various hacking techniques (e.g., dumping credentials from memory, token impersonation).
1. Network lateral movement techniques
--------------------------------------
➤ Use native Windows commands and protocols such as: RDP, PowerShell Remoting (WinRM), WMIC, PsExec, Windows built-in SSH client & server, etc.
➤ Use hacking tools such as: Evil-WinRM, NetExec, Impacket framework (e.g., WMIexec, SMBexec), etc.
➤ Use hacking techniques such as: Pass-The-Hash, Pass-The-Ticket, Over-Pass-The-Hash and Pass-The-Certificate
2. Network pivoting techniques
------------------------------
➤ Use a C2 post-exploitation agent (e.g. Meterpreter, Cobalt Strike, Sliver) + SOCKS proxy + proxychains
➤ SSH tunnelling using Putty.exe or Plink.exe (e.g. local/remote port forwarding)
➤ Remote access tools (RAT) such as TeamViewer and AnyDesk portable software, Chrome Remote Desktop, VNC, ...
➤ Tunneling/pivoting tools such as Ligolo-ng, Rpivot, Socat, Chisel, ...
➤ Pivoting with TCP tunnelling over HTTP via Webshells (e.g. Neo-reGeorg, Pivotnacci, Tunna, Fulcrom webshells/clients)
3. Privileged accounts hunting
------------------------------
➤ Windows native commands (e.g. 'qwinsta /server:hostname' OR 'query user /server:hostname')
➤ PowerView and various PowerShell scripts (e.g. Invoke-UserHunter, Get-NetLoggedon, ADrecon)
➤ Windows Sysinternals command-line tool 'PsLoggedOn' (i.e. psloggedon.exe \\computername username)
➤ BloodHound
4. Take over privileged accounts (requires local admin priv)
------------------------------------------------------------
➤ Dump Windows credentials of privileged accounts from memory and registry hives + Pass-The-Hash technique
➤ Use Windows Token impersonation technique to execute arbirary OS commands as another privileged account (victim) also logged on the same Windows server
➤ RDP session hijacking technique (e.g., using the native Windows command "c:\windows\system32\tscon.exe")
➤ Add a malicious script or a malware in the Windows start-up folder of a server to force any privileged users (victims) to run it when they logon
(e.g., "\\REMOTE-COMPUTER-NAME\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\malware.exe")
➤ Create a malicious scheduled task that is triggered at log on of any user and that executes a malicious script with the victim user's privileges
➤ Modify the registry RUN keys so every time a user logs on the Windows server a malware or a malicious script is run with its privileges
➤ ...
STEP 6. WINDOWS DOMAIN COMPROMISE (Privilege escalation to become "Domain Admin" + Persistence) 🔥🧑🏼💻
The purpose of this phase is to take full control over the target Windows domain.
1. Privilege escalation to become "Domain Admin"
------------------------------------------------
➤ Dumping from a Windows server's memory the clear-text password (or hash) of an account member of the group 'Domain Admins' or 'Administrators' of the Domain Controller
➤ Exploiting AD / Windows domain security misconfiguration
Examples:
- abusing weak ACL or GPO permissions
- abusing LAPS misconfiguration
- exploiting password reuse issues
> the same password is used to protect multiple high privileged accounts and low-privileged accounts
> the same password is used to protect the default local administrator account of the Windows servers and the Domain Controllers (i.e. no hardening, no LAPS)
➤ Exploiting Active Directory Certificate Services (ADCS) misconfiguration
Examples:
- abusing misconfigured Certificate Templates - ESC1 & ESC2
- abusing misconfigured Enrolment Agent Templates - ESC3
- abusing vulnerable Certificate Template Access Control - ESC4
- abusing vulnerable PKI Object Access Control - ESC5
- abusing "EDITF_ATTRIBUTESUBJECTALTNAME2" flag issue - ESC6
- abusing vulnerable Certificate Authority Access Control - ESC7
- abusing NTLM Relay to AD CS HTTP Endpoints – ESC8
- abusing "no Security Extension" issue - ESC9
- abusing weak Certificate Mappings - ESC10
- abusing NTLM relay to ICPR - ESC11
- abusing ADCS CA on YubiHSM - ESC12
- abusing Issuance Policy - ESC13
- abusing EKUwu Application Policies (CVE-2024-49019) - ESC15
➤ Compromise an account member of the default security group 'DNSAdmins' and take over the Windows domain by executing a DLL as 'NT AUTHORITY\SYSTEM' on the Domain Controller (known privesc)
➤ Compromise an account member of the default security groups 'Backup Operators' or 'Server Operators' and take over the Windows domain by backuping the NTDS.dit file and HKLM\SYSTEM and then extracting the password hash of 'Domain admins' accounts (known privesc)
➤ Compromise an account member of the default security group 'Account Operators' that can be used to privesc and take over the Windows domain (known privesc)
➤ Find a backup/snapshot of a Windows Domain Controller on a NAS/FTP/Share and extract the password hashes (NTDS.DIT + SYSTEM) of high privileged acccounts (e.g. Domain Admins, Enterprise Admins, krbtgt account)
➤ Abusing Microsoft Exchange for privilege escalation ('PrivExchange' vulnerability)
➤ Exploiting an unpatched vulnerability on a DC with a public exploit available (e.g. CVE-2020-1472 Zerologon, risky to run in a production environment)
➤ Hack the Hypervisor (e.g. vCenter) on which the Domain Controllers are running, then perform a snapshot of the DCs, copy/download their memory dump files (.vmsn & .vmem) and finally extract the password hashes of high privileged acccounts (e.g. Domain Admins, Administrators of DC, krbtgt account)
➤ Kerberos Unconstrained Delegation attack (+ Printer Bug or PetitPotam)
➤ Kerberos Constrained Delegation attack
➤ Kerberos Resource-based Constrained Delegation attack
➤ ...
2. AD password dumping & cracking (NTDS)
----------------------------------------
➤ Dump and extract the password hashes of all the Windows domain accounts (file 'NTDS.DIT' + SYSTEM registry hive)
Examples:
- Ntdsutil + Secretsdump
- Wbadmin + Secretsdump
- Diskshadow + Secretsdump
- VSSadmin + Secretsdump
- Secretsdump
- NetExec / CrackMapExec (legacy)
- Mimikatz (dcsync technique)
- ...
➤ Crack (with John or Hashcat) the password hashes of all the Windows domain accounts
3. Creating persistence (examples)
----------------------------------
➤ Use the KRBTGT account’s password hash to forge of a Kerberos Golden ticket with Domain Administrator privileges
➤ Keep temporarily the password hash of a highly-privileged service account (e.g. Domain Admin) with a password set to never expire
➤ Modify temporarily the ACLs to allow an account that you control to perform DCsync attack
➤ Request a certificate (ADCS) for a highly-privileged account (e.g. Domain Admin)
➤ Add temporarily an account in a default AD security group such as 'Domain Admins', 'BUILTIN\Administrators' or 'Account Operators'
➤ ...
The purpose of this phase is to take full control over the Forest root domain and all the other domains in the target network.
➤ Forge a Kerberos Golden Ticket (TGT) with a 'SID History' for the Forest 'Enterprise Admins' group
➤ Forge an inter-realm trust ticket (cross-domain trust kerberos ticket) and then create TGS for the services LDAP/CIFS/HOST/... in the parent domain
➤ Take over other Windows domains due to password re-use across domains for high privileged accounts
➤ Take over other Windows domains thanks to AD Forest Trusts and/or misconfiguration (e.g. the group 'Domain Admins' of the domain A is member of the group 'Domain Admins' of the domain B)
➤ ...
During penetration tests, it is important to know how to bypass antivirus solutions to be able to identify and exploit vulnerabilities without being blocked.
During Red Team exercises (unlike in a penetration test) it is important to be stealthy and thus to know how to bypass EDR products. In Red teaming, avoid at all costs using "noisy & easy to detect" pentest tools (e.g. Mimikatz, Metasploit C2) and techniques (e.g. aggressive and wide network port and vulnerability scans).
1. Common antivirus bypass techniques - With a low privilege account
--------------------------------------------------------------------
➤ Use living-off-the-land and fileless techniques
- Download & execute malicious PowerShell scripts (with AMSI bypass), PE files and shellcodes directly into memory such as encrypted/obfuscated C2 agents (e.g. Cobalt Strike, Sliver, Metasploit, Havoc)
- Use 'Living Off The Land' binaries, scripts and libraries (https://lolbas-project.github.io) to perform arbitrary code execution, file operations, UAC bypass, persistence, ...
➤ Regularly obfuscate and recompile your favorite (open source) hacking tools and scripts
➤ Write your own hacking tools and scripts
➤ Use PE/Dll packers and shellcode loaders that implement defense evasion techniques such as:
- Code obfuscation & payload encryption
- AMSI & ETW bypass
- Anti-Debugging techniques
- Sandbox evasion techniques
➤ Abuse potential AV exclusions set for files, folders, processes, and process-opened files
➤ Use portable legitimate SysAdmin tools and native OS commands/binaries which are less likely to be blocked by AV solutions than hacking tools
For examples:
- Portable SysAdmin tools: putty & plink, sysinternals tools, teamviewer, anydesk, mobaxterm, dbvisualizer, ...
- Native OS commands/binaries: REG SAVE to extract the registry keys, WinRM for lateral movement, TSCON for RDP session hijacking, ...
➤ If you can read the Bitlocker recovery key of your Windows laptop in Microsoft Intune (or in the AD) then you can use it to decrypt your laptop's hard drive and delete the AV files
➤ ...
2. Common antivirus bypass techniques - With local admin privileges
-------------------------------------------------------------------
➤ All the AV bypass techniques listed in the previous section
➤ Kill the anti-malware (AV) protected processes using "Bring Your Own Vulnerable Driver" (BYOVD) techniques
➤ Temporarily disable or uninstall the AV software if it is not protected by a password
➤ Install VirtualBox or VMware Workstation on a compromised Windows laptop/workstation and run hacking tools and scripts inside a VM to avoid detection
➤ Modify the registry keys or rename the AV executable files on a compromised Windows machine and then restart it to disable the AV software
➤ ...
3. Common Endpoint Detection & Response (EDR) bypass techniques - With a low privilege account
----------------------------------------------------------------------------------------------
➤ Use as much as possible the Sysadmin tools already installed on the compromised systems to "blend in" among the legitimate system administrators
➤ Abuse potential EDR exclusions (whitelist) set for files, folders, processes, and process-opened files
➤ Find server(s) in the network that have not been yet onboarded in the EDR solution & use them as a pivot (e.g. obfuscated/encrypted C2 implant + socks proxy)
➤ Write your own hacking tools/exploits when possible or carefully modify, obfuscate and test open-source ones before using them
➤ Use living-off-the-land and fileless techniques
➤ Use PE/Dll packers and shellcode loaders that implement defense evasion techniques such as:
- Code obfuscation & payload encryption
- AMSI & ETW bypass
- Anti-Debugging techniques
- Sandbox evasion techniques
- Import Address Table (IAT) obfuscation
- NTDLL unhooking techniques
- use of direct syscalls
- use of indirect syscalls
- module stomping technique
- suspended process method
- ...
➤ If you can read the Bitlocker recovery key of your Windows laptop in Microsoft Intune (or in the AD) then you can use it to decrypt your laptop's hard drive and delete the EDR files
➤ ...
4. Common Endpoint Detection & Response (EDR) bypass techniques - With local admin privileges
---------------------------------------------------------------------------------------------
➤ All the EDR bypass techniques listed in the previous section
➤ Kill the anti-malware (EDR) protected processes using "Bring Your Own Vulnerable Driver" (BYOVD) techniques
➤ Disable or uninstall the EDR agent if it is not protected by a password
➤ Add a rule in the local Windows firewall that will prevent the EDR agent to send alerts to the EDR appliance/server
➤ Add a wrong IP address for the EDR appliance/server in the '/etc/hosts' file to prevent the EDR agent to send alerts to the EDR appliance/server
➤ Install VirtualBox or VMware Workstation on a compromised Windows laptop/workstation and run hacking tools and scripts inside a VM to avoid detection
➤ Modify the registry keys or rename the EDR executable files on a compromised Windows machine and then restart it to disable the EDR software
➤ ...
TOPIC | TOOL | URL | DESCRIPTION |
---|---|---|---|
Recon, Audit, Post-Exploitation | Windows Sysinternals | https://docs.microsoft.com/en-us/sysinternals/ |
Adexplorer, procdump, procmon, autorun, ... |
Recon, Audit, Post-Exploitation | Windows native commands | - | Windows native DOS commands (e.g. net commands, nltest) and PowerShell commands (including AD module) |
Recon, Audit | ADRecon | https://github.com/adrecon/ADRecon |
Active Directory gathering information tool |
Recon, Audit | ADCollector | https://github.com/dev-2null/ADCollector |
Tool to quickly extract valuable information from the AD environment for both attacking and defending |
Recon, Audit | NMAP | https://nmap.org |
Network port scanner and (NSE) scripts |
Recon, Audit | PingCastle | https://www.pingcastle.com |
Active Directory security audit tool |
Recon, Audit | BloodHound | https://github.com/BloodHoundAD/BloodHound |
Tool to easily identify complex Windows domain attack paths |
Recon, Audit | ACLight | https://github.com/cyberark/ACLight |
A tool for advanced discovery of privileged accounts including Shadow Admins |
Recon, Audit | ADACLScanner | https://github.com/canix1/ADACLScanner |
A tool with GUI used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory |
Recon, Audit | Liza | http://www.ldapexplorer.com/en/liza.htm |
Active Directory Security, Permission and ACL Analysis |
Recon, Audit | LAPSToolkit | https://github.com/leoloobeek/LAPSToolkit |
LAPS auditing for pentesters |
Gaining Access | Rubeus | https://github.com/GhostPack/Rubeus |
Toolset for raw Kerberos interaction and abuses |
Audit, Privesc | Certify | https://github.com/GhostPack/Certify |
C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS) |
Audit, Privesc | Certipy | https://github.com/ly4k/Certipy |
Python tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS) |
Audit, Privesc | PassTheCert | https://github.com/AlmondOffSec/PassTheCert |
Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel |
Gaining Access, MITM | Responder | https://github.com/lgandx/Responder |
LLMNR/NBTNS/mDNS poisoner and NTLMv1/2 relay |
Gaining Access, MITM | Inveigh | https://github.com/Kevin-Robertson/Inveigh |
.NET IPv4/IPv6 machine-in-the-middle tool for penetration testers |
Gaining Access, MITM | Smbrelayx & Ntlmrelayx | https://github.com/fortra/impacket/tree/master/examples |
SMB and NTLM relay tools which are part of the Python offensive security framework 'Impackets' |
Recon, Gaining Access | Vulnerability scanners | (https://github.com/greenbone/openvas-scanner/releases) (https://www.tenable.com/) (https://www.qualys.com/) (https://www.rapid7.com/products/nexpose/) |
e.g. OpenVAS, Nessus, Qualys, Nexpose, ... |
Gaining Access | Hydra | https://github.com/vanhauser-thc/thc-hydra |
Online password bruteforce tool |
Post-Exploitation, Privesc | Mimikatz | https://github.com/gentilkiwi/mimikatz |
Extract plaintexts passwords, hash, PIN code and kerberos tickets from memory |
Post-Exploitation, Creds dumping | SharpKatz | https://github.com/b4rtik/SharpKatz |
Porting in C# of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands |
Post-Exploitation, Creds dumping | Nanodump | https://github.com/helpsystems/nanodump |
The swiss army knife of LSASS dumping |
Password cracking | Hashcat | https://github.com/hashcat/hashcat/ |
World's fastest and most advanced password recovery utility |
Password cracking | John the Ripper | https://www.openwall.com/john/ |
Offline password cracker |
Post-Exploitation, Privesc | PowerSploit (incl. PowerView & PowerUp) | https://github.com/PowerShellMafia/PowerSploit |
PowerShell offensive security framework |
Recon, Audit, Post-Exploitation, Privesc | PowerSharpPack | https://github.com/S3cur3Th1sSh1t/PowerSharpPack/ |
Many usefull offensive CSharp Projects wraped into Powershell for easy usage |
Post-Exploitation, Privesc | PrivescCheck | https://github.com/itm4n/PrivescCheck |
This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation |
Post-Exploitation, Privesc | Seatbelt | https://github.com/GhostPack/Seatbelt |
C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive & defensive security perspectives |
Post-Exploitation, Privesc | KrbRelayUp | https://github.com/Dec0ne/KrbRelayUp |
KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings) |
Privesc | Juicy potato exploit | https://github.com/ohpe/juicy-potato |
Local privesc tool |
Privesc | Rotten potato exploit | https://github.com/breenmachine/RottenPotatoNG |
Local privesc tool |
Post-Exploitation, Privesc | Nightly builds of common C# offensive tools | https://github.com/Flangvik/SharpCollection |
Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines |
Post-Exploitation, Privesc | SharpImpersonation | https://github.com/S3cur3Th1sSh1t/SharpImpersonation |
A user impersonation tool via Token or Shellcode injection |
Post-Exploitation, Privesc | Tokenvator | https://github.com/0xbadjuju/Tokenvator |
Windows Tokens impersonation tool |
AD Privesc | BloodyAD | https://github.com/CravateRouge/bloodyAD |
BloodyAD is an Active Directory Privilege Escalation Framework |
Post-Exploitation, Defense evasion | AMSI.fail | https://amsi.fail |
It generates obfuscated PowerShell snippets that break or disable AMSI for the current process |
Post-Exploitation, Defense evasion | Nimcrypt2 | https://github.com/icyguider/Nimcrypt2 |
.NET, PE and raw shellcode packer/loader designed to bypass AV/EDR |
Post-Exploitation, Defense evasion | ProtectMyTooling | https://github.com/mgeeky/ProtectMyTooling |
Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry. |
Post-Exploitation, Defense evasion | FilelessRemotePE | https://github.com/D1rkMtr/FilelessRemotePE |
Loading Fileless Remote PE from URI to memory with argument passing and ETW patching and NTDLL unhooking and no new thread technique |
Post-Exploitation, Defense evasion | Invoke-Obfuscation | https://github.com/danielbohannon/Invoke-Obfuscation |
PowerShell scripts obfuscator |
Post-Exploitation, Defense evasion | Chameleon | https://github.com/klezVirus/chameleon |
PowerShell scripts obfuscator |
Post-Exploitation C2, Network Lateral Movement, Pivoting | Cobalt Strike | https://www.cobaltstrike.com |
Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer's network |
Post-Exploitation C2, Network Lateral Movement, Pivoting | Metasploit | https://www.metasploit.com |
Penetration testing framework and post-exploitation C2 |
Post-Exploitation C2, Network Lateral Movement, Pivoting | Sliver | https://github.com/BishopFox/sliver |
Open source cross-platform adversary emulation/red team framework |
Post-Exploitation C2, Network Lateral Movement, Pivoting | Havoc | https://github.com/HavocFramework/Havoc |
Havoc is a modern and malleable post-exploitation command and control framework |
Post-Exploitation C2, Network Lateral Movement, Pivoting | Covenant | https://github.com/cobbr/Covenant |
Covenant is a collaborative .NET C2 framework for red teamers |
Network Lateral Movement, Pivoting | Impacket Framework | https://github.com/SecureAuthCorp/impacket |
Python offensive security framework (e.g. WMIexec.py, SMBexec.py, Secretsdump.py) |
Network Lateral Movement, Pivoting | NetExec | https://github.com/Pennyw0rth/NetExec |
Swiss army knife for pentesting Windows networks |
Network Lateral Movement, Pivoting | CrackMapExec (legacy) | https://github.com/byt3bl33d3r/CrackMapExec |
Swiss army knife for pentesting Windows networks |
Network Lateral Movement, Pivoting | SharpMapExec | https://github.com/cube0x0/SharpMapExec |
Swiss army knife for pentesting Windows networks |
Network Lateral Movement, Pivoting | Powercat | https://github.com/besimorhino/powercat |
PowerShell TCP/IP swiss army knife like netcat |
Network Lateral Movement, Pivoting | Invoke-TheHash | https://github.com/Kevin-Robertson/Invoke-TheHash |
It contains PowerShell functions for performing pass-the-hash WMI and SMB tasks |
Network Lateral Movement, Pivoting | Chisel | https://github.com/jpillora/chisel https://github.com/shantanu561993/SharpChisel |
Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH |
Network Lateral Movement, Pivoting | Rpivot | https://github.com/klsecservices/rpivot |
Socks4 reverse proxy for penetration testing |
Network Lateral Movement, Pivoting | Ligolo | https://github.com/sysdream/ligolo |
Reverse Tunneling made easy for pentesters, by pentesters |
Network Lateral Movement, Pivoting | Ligolo-ng | https://github.com/nicocha30/ligolo-ng |
A simple, lightweight and fast tool that allows to establish tunnels from a reverse TCP/TLS connection using a tun interface |
NAC bypass | Fenrir | https://github.com/Orange-Cyberdefense/fenrir-ocd |
Tool/script designed to bypass wired network 802.1x protection (NAC) |
Miscellaneous - Windows Penetration Testing & Red Teaming
---------------------------------------------------------
➤ Active Directory and Internal Pentest Cheatsheets
+ https://swisskyrepo.github.io/InternalAllTheThings/
+ https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md
➤ Active Directory Kill Chain Attack & Defense
+ https://github.com/infosecn1nja/AD-Attack-Defense
➤ Red Teaming Tactics and Techniques
+ https://www.ired.team
+ https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse
+ https://github.com/mantvydasb/RedTeaming-Tactics-and-Techniques
➤ MITRE ATT&CK® - A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations
+ https://attack.mitre.org/tactics/enterprise/;
+ https://attack.mitre.org/mitigations/M1015/ (Active Directory Configuration)
➤ Evaluation matrix of Command and Control (C2) frameworks
+ https://www.thec2matrix.com/matrix
Microsoft Security Guidelines
-----------------------------
➤ Best Practices for Securing Active Directory - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory)
➤ Reducing the Active Directory Attack Surface - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/reducing-the-active-directory-attack-surface
➤ Securing Domain Controllers Against Attack - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack
➤ Implementing Least-Privilege Administrative Models - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/implementing-least-privilege-administrative-models
➤ Planning a bastion environment - https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/planning-bastion-environment
➤ Monitoring Active Directory for Signs of Compromise - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/monitoring-active-directory-for-signs-of-compromise
➤ Attractive Accounts for Credential Theft - https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/attractive-accounts-for-credential-theft
➤ Evolution from the legacy AD tier model / Enterprise access model - https://learn.microsoft.com/en-us/security/privileged-access-workstations/privileged-access-access-model
➤ Tier model for partitioning administrative privileges - https://learn.microsoft.com/en-us/microsoft-identity-manager/pam/tier-model-for-partitioning-administrative-privileges
+ Tier 0: Domain Controllers, PKI servers (ADCS), SCCM servers, Hypervisors (e.g., vCenter/ESXi), ...
+ Tier 1: Windows Servers
+ Tier 2: Laptops and Workstations
➤ ACSC Essential Eight - https://learn.microsoft.com/en-us/compliance/essential-eight/e8-overview#what-are-the-essential-eight-pillars
+ Application Control
+ Patch Applications
+ Configure Microsoft Office Macro Settings
+ User Application Hardening
+ Restrict Administrative Privileges
+ Patch Operating Systems
+ Multifactor authentication
+ Regular Backups
➤ ...
CIS benchmarks - Windows Secure Configuration Guidelines
--------------------------------------------------------
➤ Windows servers - https://www.cisecurity.org/benchmark/microsoft_windows_server/
➤ Windows laptops/workstations - https://www.cisecurity.org/benchmark/microsoft_windows_desktop
➤ Windows SQL database servers - https://www.cisecurity.org/benchmark/microsoft_sql_server