🤖
hacktricks
  • 👾Welcome!
    • HackTricks
    • HackTricks Values & FAQ
    • About the author
  • 🤩Generic Methodologies & Resources
    • Pentesting Methodology
    • External Recon Methodology
      • Wide Source Code Search
      • Github Dorks & Leaks
    • Pentesting Network
      • DHCPv6
      • EIGRP Attacks
      • GLBP & HSRP Attacks
      • IDS and IPS Evasion
      • Lateral VLAN Segmentation Bypass
      • Network Protocols Explained (ESP)
      • Nmap Summary (ESP)
      • Pentesting IPv6
      • WebRTC DoS
      • Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
      • Spoofing SSDP and UPnP Devices with EvilSSDP
    • Pentesting Wifi
      • Evil Twin EAP-TLS
    • Phishing Methodology
      • Clone a Website
      • Detecting Phishing
      • Phishing Files & Documents
    • Basic Forensic Methodology
      • Baseline Monitoring
      • Anti-Forensic Techniques
      • Docker Forensics
      • Image Acquisition & Mount
      • Linux Forensics
      • Malware Analysis
      • Memory dump analysis
        • Volatility - CheatSheet
      • Partitions/File Systems/Carving
        • File/Data Carving & Recovery Tools
      • Pcap Inspection
        • DNSCat pcap analysis
        • Suricata & Iptables cheatsheet
        • USB Keystrokes
        • Wifi Pcap Analysis
        • Wireshark tricks
      • Specific Software/File-Type Tricks
        • Decompile compiled python binaries (exe, elf) - Retreive from .pyc
        • Browser Artifacts
        • Deofuscation vbs (cscript.exe)
        • Local Cloud Storage
        • Office file analysis
        • PDF File analysis
        • PNG tricks
        • Video and Audio file analysis
        • ZIPs tricks
      • Windows Artifacts
        • Interesting Windows Registry Keys
    • Brute Force - CheatSheet
    • Python Sandbox Escape & Pyscript
      • Bypass Python sandboxes
        • LOAD_NAME / LOAD_CONST opcode OOB Read
      • Class Pollution (Python's Prototype Pollution)
      • Python Internal Read Gadgets
      • Pyscript
      • venv
      • Web Requests
      • Bruteforce hash (few chars)
      • Basic Python
    • Exfiltration
    • Tunneling and Port Forwarding
    • Threat Modeling
    • Search Exploits
    • Reverse Shells (Linux, Windows, MSFVenom)
      • MSFVenom - CheatSheet
      • Reverse Shells - Windows
      • Reverse Shells - Linux
      • Full TTYs
  • 🐧Linux Hardening
    • Checklist - Linux Privilege Escalation
    • Linux Privilege Escalation
      • Arbitrary File Write to Root
      • Cisco - vmanage
      • Containerd (ctr) Privilege Escalation
      • D-Bus Enumeration & Command Injection Privilege Escalation
      • Docker Security
        • Abusing Docker Socket for Privilege Escalation
        • AppArmor
        • AuthZ& AuthN - Docker Access Authorization Plugin
        • CGroups
        • Docker --privileged
        • Docker Breakout / Privilege Escalation
          • release_agent exploit - Relative Paths to PIDs
          • Docker release_agent cgroups escape
          • Sensitive Mounts
        • Namespaces
          • CGroup Namespace
          • IPC Namespace
          • PID Namespace
          • Mount Namespace
          • Network Namespace
          • Time Namespace
          • User Namespace
          • UTS Namespace
        • Seccomp
        • Weaponizing Distroless
      • Escaping from Jails
      • euid, ruid, suid
      • Interesting Groups - Linux Privesc
        • lxd/lxc Group - Privilege escalation
      • Logstash
      • ld.so privesc exploit example
      • Linux Active Directory
      • Linux Capabilities
      • NFS no_root_squash/no_all_squash misconfiguration PE
      • Node inspector/CEF debug abuse
      • Payloads to execute
      • RunC Privilege Escalation
      • SELinux
      • Socket Command Injection
      • Splunk LPE and Persistence
      • SSH Forward Agent exploitation
      • Wildcards Spare tricks
    • Useful Linux Commands
    • Bypass Linux Restrictions
      • Bypass FS protections: read-only / no-exec / Distroless
        • DDexec / EverythingExec
    • Linux Environment Variables
    • Linux Post-Exploitation
      • PAM - Pluggable Authentication Modules
    • FreeIPA Pentesting
  • 🍏MacOS Hardening
    • macOS Security & Privilege Escalation
      • macOS Apps - Inspecting, debugging and Fuzzing
        • Objects in memory
        • Introduction to x64
        • Introduction to ARM64v8
      • macOS AppleFS
      • macOS Bypassing Firewalls
      • macOS Defensive Apps
      • macOS GCD - Grand Central Dispatch
      • macOS Kernel & System Extensions
        • macOS IOKit
        • macOS Kernel Extensions & Debugging
        • macOS Kernel Vulnerabilities
        • macOS System Extensions
      • macOS Network Services & Protocols
      • macOS File Extension & URL scheme app handlers
      • macOS Files, Folders, Binaries & Memory
        • macOS Bundles
        • macOS Installers Abuse
        • macOS Memory Dumping
        • macOS Sensitive Locations & Interesting Daemons
        • macOS Universal binaries & Mach-O Format
      • macOS Objective-C
      • macOS Privilege Escalation
      • macOS Process Abuse
        • macOS Dirty NIB
        • macOS Chromium Injection
        • macOS Electron Applications Injection
        • macOS Function Hooking
        • macOS IPC - Inter Process Communication
          • macOS MIG - Mach Interface Generator
          • macOS XPC
            • macOS XPC Authorization
            • macOS XPC Connecting Process Check
              • macOS PID Reuse
              • macOS xpc_connection_get_audit_token Attack
          • macOS Thread Injection via Task port
        • macOS Java Applications Injection
        • macOS Library Injection
          • macOS Dyld Hijacking & DYLD_INSERT_LIBRARIES
          • macOS Dyld Process
        • macOS Perl Applications Injection
        • macOS Python Applications Injection
        • macOS Ruby Applications Injection
        • macOS .Net Applications Injection
      • macOS Security Protections
        • macOS Gatekeeper / Quarantine / XProtect
        • macOS Launch/Environment Constraints & Trust Cache
        • macOS Sandbox
          • macOS Default Sandbox Debug
          • macOS Sandbox Debug & Bypass
            • macOS Office Sandbox Bypasses
        • macOS Authorizations DB & Authd
        • macOS SIP
        • macOS TCC
          • macOS Apple Events
          • macOS TCC Bypasses
            • macOS Apple Scripts
          • macOS TCC Payloads
        • macOS Dangerous Entitlements & TCC perms
        • macOS - AMFI - AppleMobileFileIntegrity
        • macOS MACF - Mandatory Access Control Framework
        • macOS Code Signing
        • macOS FS Tricks
          • macOS xattr-acls extra stuff
      • macOS Users & External Accounts
    • macOS Red Teaming
      • macOS MDM
        • Enrolling Devices in Other Organisations
        • macOS Serial Number
      • macOS Keychain
    • macOS Useful Commands
    • macOS Auto Start
  • 🪟Windows Hardening
    • Checklist - Local Windows Privilege Escalation
    • Windows Local Privilege Escalation
      • Abusing Tokens
      • Access Tokens
      • ACLs - DACLs/SACLs/ACEs
      • AppendData/AddSubdirectory permission over service registry
      • Create MSI with WIX
      • COM Hijacking
      • Dll Hijacking
        • Writable Sys Path +Dll Hijacking Privesc
      • DPAPI - Extracting Passwords
      • From High Integrity to SYSTEM with Name Pipes
      • Integrity Levels
      • JuicyPotato
      • Leaked Handle Exploitation
      • MSI Wrapper
      • Named Pipe Client Impersonation
      • Privilege Escalation with Autoruns
      • RoguePotato, PrintSpoofer, SharpEfsPotato, GodPotato
      • SeDebug + SeImpersonate copy token
      • SeImpersonate from High To System
      • Windows C Payloads
    • Active Directory Methodology
      • Abusing Active Directory ACLs/ACEs
        • Shadow Credentials
      • AD Certificates
        • AD CS Account Persistence
        • AD CS Domain Escalation
        • AD CS Domain Persistence
        • AD CS Certificate Theft
      • AD information in printers
      • AD DNS Records
      • ASREPRoast
      • BloodHound & Other AD Enum Tools
      • Constrained Delegation
      • Custom SSP
      • DCShadow
      • DCSync
      • Diamond Ticket
      • DSRM Credentials
      • External Forest Domain - OneWay (Inbound) or bidirectional
      • External Forest Domain - One-Way (Outbound)
      • Golden Ticket
      • Kerberoast
      • Kerberos Authentication
      • Kerberos Double Hop Problem
      • LAPS
      • MSSQL AD Abuse
      • Over Pass the Hash/Pass the Key
      • Pass the Ticket
      • Password Spraying / Brute Force
      • PrintNightmare
      • Force NTLM Privileged Authentication
      • Privileged Groups
      • RDP Sessions Abuse
      • Resource-based Constrained Delegation
      • Security Descriptors
      • SID-History Injection
      • Silver Ticket
      • Skeleton Key
      • Unconstrained Delegation
    • Windows Security Controls
      • UAC - User Account Control
    • NTLM
      • Places to steal NTLM creds
    • Lateral Movement
      • AtExec / SchtasksExec
      • DCOM Exec
      • PsExec/Winexec/ScExec
      • SmbExec/ScExec
      • WinRM
      • WmiExec
    • Pivoting to the Cloud
    • Stealing Windows Credentials
      • Windows Credentials Protections
      • Mimikatz
      • WTS Impersonator
    • Basic Win CMD for Pentesters
    • Basic PowerShell for Pentesters
      • PowerView/SharpView
    • Antivirus (AV) Bypass
  • 📱Mobile Pentesting
    • Android APK Checklist
    • Android Applications Pentesting
      • Android Applications Basics
      • Android Task Hijacking
      • ADB Commands
      • APK decompilers
      • AVD - Android Virtual Device
      • Bypass Biometric Authentication (Android)
      • content:// protocol
      • Drozer Tutorial
        • Exploiting Content Providers
      • Exploiting a debuggeable application
      • Frida Tutorial
        • Frida Tutorial 1
        • Frida Tutorial 2
        • Frida Tutorial 3
        • Objection Tutorial
      • Google CTF 2018 - Shall We Play a Game?
      • Install Burp Certificate
      • Intent Injection
      • Make APK Accept CA Certificate
      • Manual DeObfuscation
      • React Native Application
      • Reversing Native Libraries
      • Smali - Decompiling/[Modifying]/Compiling
      • Spoofing your location in Play Store
      • Tapjacking
      • Webview Attacks
    • iOS Pentesting Checklist
    • iOS Pentesting
      • iOS App Extensions
      • iOS Basics
      • iOS Basic Testing Operations
      • iOS Burp Suite Configuration
      • iOS Custom URI Handlers / Deeplinks / Custom Schemes
      • iOS Extracting Entitlements From Compiled Application
      • iOS Frida Configuration
      • iOS Hooking With Objection
      • iOS Protocol Handlers
      • iOS Serialisation and Encoding
      • iOS Testing Environment
      • iOS UIActivity Sharing
      • iOS Universal Links
      • iOS UIPasteboard
      • iOS WebViews
    • Cordova Apps
    • Xamarin Apps
  • 👽Network Services Pentesting
    • Pentesting JDWP - Java Debug Wire Protocol
    • Pentesting Printers
    • Pentesting SAP
    • Pentesting VoIP
      • Basic VoIP Protocols
        • SIP (Session Initiation Protocol)
    • Pentesting Remote GdbServer
    • 7/tcp/udp - Pentesting Echo
    • 21 - Pentesting FTP
      • FTP Bounce attack - Scan
      • FTP Bounce - Download 2ºFTP file
    • 22 - Pentesting SSH/SFTP
    • 23 - Pentesting Telnet
    • 25,465,587 - Pentesting SMTP/s
      • SMTP Smuggling
      • SMTP - Commands
    • 43 - Pentesting WHOIS
    • 49 - Pentesting TACACS+
    • 53 - Pentesting DNS
    • 69/UDP TFTP/Bittorrent-tracker
    • 79 - Pentesting Finger
    • 80,443 - Pentesting Web Methodology
      • 403 & 401 Bypasses
      • AEM - Adobe Experience Cloud
      • Angular
      • Apache
      • Artifactory Hacking guide
      • Bolt CMS
      • Buckets
        • Firebase Database
      • CGI
      • DotNetNuke (DNN)
      • Drupal
        • Drupal RCE
      • Electron Desktop Apps
        • Electron contextIsolation RCE via preload code
        • Electron contextIsolation RCE via Electron internal code
        • Electron contextIsolation RCE via IPC
      • Flask
      • NodeJS Express
      • Git
      • Golang
      • GWT - Google Web Toolkit
      • Grafana
      • GraphQL
      • H2 - Java SQL database
      • IIS - Internet Information Services
      • ImageMagick Security
      • JBOSS
      • Jira & Confluence
      • Joomla
      • JSP
      • Laravel
      • Moodle
      • Nginx
      • NextJS
      • PHP Tricks
        • PHP - Useful Functions & disable_functions/open_basedir bypass
          • disable_functions bypass - php-fpm/FastCGI
          • disable_functions bypass - dl function
          • disable_functions bypass - PHP 7.0-7.4 (*nix only)
          • disable_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit
          • disable_functions - PHP 5.x Shellshock Exploit
          • disable_functions - PHP 5.2.4 ionCube extension Exploit
          • disable_functions bypass - PHP <= 5.2.9 on windows
          • disable_functions bypass - PHP 5.2.4 and 5.2.5 PHP cURL
          • disable_functions bypass - PHP safe_mode bypass via proc_open() and custom environment Exploit
          • disable_functions bypass - PHP Perl Extension Safe_mode Bypass Exploit
          • disable_functions bypass - PHP 5.2.3 - Win32std ext Protections Bypass
          • disable_functions bypass - PHP 5.2 - FOpen Exploit
          • disable_functions bypass - via mem
          • disable_functions bypass - mod_cgi
          • disable_functions bypass - PHP 4 >= 4.2.0, PHP 5 pcntl_exec
        • PHP - RCE abusing object creation: new $_GET["a"]($_GET["b"])
        • PHP SSRF
      • PrestaShop
      • Python
      • Rocket Chat
      • Special HTTP headers
      • Source code Review / SAST Tools
      • Spring Actuators
      • Symfony
      • Tomcat
        • Basic Tomcat Info
      • Uncovering CloudFlare
      • VMWare (ESX, VCenter...)
      • Web API Pentesting
      • WebDav
      • Werkzeug / Flask Debug
      • Wordpress
    • 88tcp/udp - Pentesting Kerberos
      • Harvesting tickets from Windows
      • Harvesting tickets from Linux
    • 110,995 - Pentesting POP
    • 111/TCP/UDP - Pentesting Portmapper
    • 113 - Pentesting Ident
    • 123/udp - Pentesting NTP
    • 135, 593 - Pentesting MSRPC
    • 137,138,139 - Pentesting NetBios
    • 139,445 - Pentesting SMB
      • rpcclient enumeration
    • 143,993 - Pentesting IMAP
    • 161,162,10161,10162/udp - Pentesting SNMP
      • Cisco SNMP
      • SNMP RCE
    • 194,6667,6660-7000 - Pentesting IRC
    • 264 - Pentesting Check Point FireWall-1
    • 389, 636, 3268, 3269 - Pentesting LDAP
    • 500/udp - Pentesting IPsec/IKE VPN
    • 502 - Pentesting Modbus
    • 512 - Pentesting Rexec
    • 513 - Pentesting Rlogin
    • 514 - Pentesting Rsh
    • 515 - Pentesting Line Printer Daemon (LPD)
    • 548 - Pentesting Apple Filing Protocol (AFP)
    • 554,8554 - Pentesting RTSP
    • 623/UDP/TCP - IPMI
    • 631 - Internet Printing Protocol(IPP)
    • 700 - Pentesting EPP
    • 873 - Pentesting Rsync
    • 1026 - Pentesting Rusersd
    • 1080 - Pentesting Socks
    • 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP
    • 1414 - Pentesting IBM MQ
    • 1433 - Pentesting MSSQL - Microsoft SQL Server
      • Types of MSSQL Users
    • 1521,1522-1529 - Pentesting Oracle TNS Listener
    • 1723 - Pentesting PPTP
    • 1883 - Pentesting MQTT (Mosquitto)
    • 2049 - Pentesting NFS Service
    • 2301,2381 - Pentesting Compaq/HP Insight Manager
    • 2375, 2376 Pentesting Docker
    • 3128 - Pentesting Squid
    • 3260 - Pentesting ISCSI
    • 3299 - Pentesting SAPRouter
    • 3306 - Pentesting Mysql
    • 3389 - Pentesting RDP
    • 3632 - Pentesting distcc
    • 3690 - Pentesting Subversion (svn server)
    • 3702/UDP - Pentesting WS-Discovery
    • 4369 - Pentesting Erlang Port Mapper Daemon (epmd)
    • 4786 - Cisco Smart Install
    • 4840 - OPC Unified Architecture
    • 5000 - Pentesting Docker Registry
    • 5353/UDP Multicast DNS (mDNS) and DNS-SD
    • 5432,5433 - Pentesting Postgresql
    • 5439 - Pentesting Redshift
    • 5555 - Android Debug Bridge
    • 5601 - Pentesting Kibana
    • 5671,5672 - Pentesting AMQP
    • 5800,5801,5900,5901 - Pentesting VNC
    • 5984,6984 - Pentesting CouchDB
    • 5985,5986 - Pentesting WinRM
    • 5985,5986 - Pentesting OMI
    • 6000 - Pentesting X11
    • 6379 - Pentesting Redis
    • 8009 - Pentesting Apache JServ Protocol (AJP)
    • 8086 - Pentesting InfluxDB
    • 8089 - Pentesting Splunkd
    • 8333,18333,38333,18444 - Pentesting Bitcoin
    • 9000 - Pentesting FastCGI
    • 9001 - Pentesting HSQLDB
    • 9042/9160 - Pentesting Cassandra
    • 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream)
    • 9200 - Pentesting Elasticsearch
    • 10000 - Pentesting Network Data Management Protocol (ndmp)
    • 11211 - Pentesting Memcache
      • Memcache Commands
    • 15672 - Pentesting RabbitMQ Management
    • 24007,24008,24009,49152 - Pentesting GlusterFS
    • 27017,27018 - Pentesting MongoDB
    • 44134 - Pentesting Tiller (Helm)
    • 44818/UDP/TCP - Pentesting EthernetIP
    • 47808/udp - Pentesting BACNet
    • 50030,50060,50070,50075,50090 - Pentesting Hadoop
  • 🕸️Pentesting Web
    • Web Vulnerabilities Methodology
    • Reflecting Techniques - PoCs and Polygloths CheatSheet
      • Web Vulns List
    • 2FA/MFA/OTP Bypass
    • Account Takeover
    • Browser Extension Pentesting Methodology
      • BrowExt - ClickJacking
      • BrowExt - permissions & host_permissions
      • BrowExt - XSS Example
    • Bypass Payment Process
    • Captcha Bypass
    • Cache Poisoning and Cache Deception
      • Cache Poisoning via URL discrepancies
      • Cache Poisoning to DoS
    • Clickjacking
    • Client Side Template Injection (CSTI)
    • Client Side Path Traversal
    • Command Injection
    • Content Security Policy (CSP) Bypass
      • CSP bypass: self + 'unsafe-inline' with Iframes
    • Cookies Hacking
      • Cookie Tossing
      • Cookie Jar Overflow
      • Cookie Bomb
    • CORS - Misconfigurations & Bypass
    • CRLF (%0D%0A) Injection
    • CSRF (Cross Site Request Forgery)
    • Dangling Markup - HTML scriptless injection
      • SS-Leaks
    • Dependency Confusion
    • Deserialization
      • NodeJS - __proto__ & prototype Pollution
        • Client Side Prototype Pollution
        • Express Prototype Pollution Gadgets
        • Prototype Pollution to RCE
      • Java JSF ViewState (.faces) Deserialization
      • Java DNS Deserialization, GadgetProbe and Java Deserialization Scanner
      • Basic Java Deserialization (ObjectInputStream, readObject)
      • PHP - Deserialization + Autoload Classes
      • CommonsCollection1 Payload - Java Transformers to Rutime exec() and Thread Sleep
      • Basic .Net deserialization (ObjectDataProvider gadget, ExpandedWrapper, and Json.Net)
      • Exploiting __VIEWSTATE knowing the secrets
      • Exploiting __VIEWSTATE without knowing the secrets
      • Python Yaml Deserialization
      • JNDI - Java Naming and Directory Interface & Log4Shell
      • Ruby Class Pollution
    • Domain/Subdomain takeover
    • Email Injections
    • File Inclusion/Path traversal
      • phar:// deserialization
      • LFI2RCE via PHP Filters
      • LFI2RCE via Nginx temp files
      • LFI2RCE via PHP_SESSION_UPLOAD_PROGRESS
      • LFI2RCE via Segmentation Fault
      • LFI2RCE via phpinfo()
      • LFI2RCE Via temp file uploads
      • LFI2RCE via Eternal waiting
      • LFI2RCE Via compress.zlib + PHP_STREAM_PREFER_STUDIO + Path Disclosure
    • File Upload
      • PDF Upload - XXE and CORS bypass
    • Formula/CSV/Doc/LaTeX/GhostScript Injection
    • gRPC-Web Pentest
    • HTTP Connection Contamination
    • HTTP Connection Request Smuggling
    • HTTP Request Smuggling / HTTP Desync Attack
      • Browser HTTP Request Smuggling
      • Request Smuggling in HTTP/2 Downgrades
    • HTTP Response Smuggling / Desync
    • Upgrade Header Smuggling
    • hop-by-hop headers
    • IDOR
    • JWT Vulnerabilities (Json Web Tokens)
    • LDAP Injection
    • Login Bypass
      • Login bypass List
    • NoSQL injection
    • OAuth to Account takeover
    • Open Redirect
    • ORM Injection
    • Parameter Pollution
    • Phone Number Injections
    • PostMessage Vulnerabilities
      • Blocking main page to steal postmessage
      • Bypassing SOP with Iframes - 1
      • Bypassing SOP with Iframes - 2
      • Steal postmessage modifying iframe location
    • Proxy / WAF Protections Bypass
    • Race Condition
    • Rate Limit Bypass
    • Registration & Takeover Vulnerabilities
    • Regular expression Denial of Service - ReDoS
    • Reset/Forgotten Password Bypass
    • Reverse Tab Nabbing
    • SAML Attacks
      • SAML Basics
    • Server Side Inclusion/Edge Side Inclusion Injection
    • SQL Injection
      • MS Access SQL Injection
      • MSSQL Injection
      • MySQL injection
        • MySQL File priv to SSRF/RCE
      • Oracle injection
      • Cypher Injection (neo4j)
      • PostgreSQL injection
        • dblink/lo_import data exfiltration
        • PL/pgSQL Password Bruteforce
        • Network - Privesc, Port Scanner and NTLM chanllenge response disclosure
        • Big Binary Files Upload (PostgreSQL)
        • RCE with PostgreSQL Languages
        • RCE with PostgreSQL Extensions
      • SQLMap - CheatSheet
        • Second Order Injection - SQLMap
    • SSRF (Server Side Request Forgery)
      • URL Format Bypass
      • SSRF Vulnerable Platforms
      • Cloud SSRF
    • SSTI (Server Side Template Injection)
      • EL - Expression Language
      • Jinja2 SSTI
    • Timing Attacks
    • Unicode Injection
      • Unicode Normalization
    • UUID Insecurities
    • WebSocket Attacks
    • Web Tool - WFuzz
    • XPATH injection
    • XSLT Server Side Injection (Extensible Stylesheet Language Transformations)
    • XXE - XEE - XML External Entity
    • XSS (Cross Site Scripting)
      • Abusing Service Workers
      • Chrome Cache to XSS
      • Debugging Client Side JS
      • Dom Clobbering
      • DOM Invader
      • DOM XSS
      • Iframes in XSS, CSP and SOP
      • Integer Overflow
      • JS Hoisting
      • Misc JS Tricks & Relevant Info
      • PDF Injection
      • Server Side XSS (Dynamic PDF)
      • Shadow DOM
      • SOME - Same Origin Method Execution
      • Sniff Leak
      • Steal Info JS
      • XSS in Markdown
    • XSSI (Cross-Site Script Inclusion)
    • XS-Search/XS-Leaks
      • Connection Pool Examples
      • Connection Pool by Destination Example
      • Cookie Bomb + Onerror XS Leak
      • URL Max Length - Client Side
      • performance.now example
      • performance.now + Force heavy task
      • Event Loop Blocking + Lazy images
      • JavaScript Execution XS Leak
      • CSS Injection
        • CSS Injection Code
    • Iframe Traps
  • ⛈️Cloud Security
    • Pentesting Kubernetes
    • Pentesting Cloud (AWS, GCP, Az...)
    • Pentesting CI/CD (Github, Jenkins, Terraform...)
  • 😎Hardware/Physical Access
    • Physical Attacks
    • Escaping from KIOSKs
    • Firmware Analysis
      • Bootloader testing
      • Firmware Integrity
  • 🎯Binary Exploitation
    • Basic Stack Binary Exploitation Methodology
      • ELF Basic Information
      • Exploiting Tools
        • PwnTools
    • Stack Overflow
      • Pointer Redirecting
      • Ret2win
        • Ret2win - arm64
      • Stack Shellcode
        • Stack Shellcode - arm64
      • Stack Pivoting - EBP2Ret - EBP chaining
      • Uninitialized Variables
    • ROP - Return Oriented Programing
      • BROP - Blind Return Oriented Programming
      • Ret2csu
      • Ret2dlresolve
      • Ret2esp / Ret2reg
      • Ret2lib
        • Leaking libc address with ROP
          • Leaking libc - template
        • One Gadget
        • Ret2lib + Printf leak - arm64
      • Ret2syscall
        • Ret2syscall - ARM64
      • Ret2vDSO
      • SROP - Sigreturn-Oriented Programming
        • SROP - ARM64
    • Array Indexing
    • Integer Overflow
    • Format Strings
      • Format Strings - Arbitrary Read Example
      • Format Strings Template
    • Libc Heap
      • Bins & Memory Allocations
      • Heap Memory Functions
        • free
        • malloc & sysmalloc
        • unlink
        • Heap Functions Security Checks
      • Use After Free
        • First Fit
      • Double Free
      • Overwriting a freed chunk
      • Heap Overflow
      • Unlink Attack
      • Fast Bin Attack
      • Unsorted Bin Attack
      • Large Bin Attack
      • Tcache Bin Attack
      • Off by one overflow
      • House of Spirit
      • House of Lore | Small bin Attack
      • House of Einherjar
      • House of Force
      • House of Orange
      • House of Rabbit
      • House of Roman
    • Common Binary Exploitation Protections & Bypasses
      • ASLR
        • Ret2plt
        • Ret2ret & Reo2pop
      • CET & Shadow Stack
      • Libc Protections
      • Memory Tagging Extension (MTE)
      • No-exec / NX
      • PIE
        • BF Addresses in the Stack
      • Relro
      • Stack Canaries
        • BF Forked & Threaded Stack Canaries
        • Print Stack Canary
    • Write What Where 2 Exec
      • WWW2Exec - atexit()
      • WWW2Exec - .dtors & .fini_array
      • WWW2Exec - GOT/PLT
      • WWW2Exec - __malloc_hook & __free_hook
    • Common Exploiting Problems
    • Windows Exploiting (Basic Guide - OSCP lvl)
    • iOS Exploiting
  • 🔩Reversing
    • Reversing Tools & Basic Methods
      • Angr
        • Angr - Examples
      • Z3 - Satisfiability Modulo Theories (SMT)
      • Cheat Engine
      • Blobrunner
    • Common API used in Malware
    • Word Macros
  • 🔮Crypto & Stego
    • Cryptographic/Compression Algorithms
      • Unpacking binaries
    • Certificates
    • Cipher Block Chaining CBC-MAC
    • Crypto CTFs Tricks
    • Electronic Code Book (ECB)
    • Hash Length Extension Attack
    • Padding Oracle
    • RC4 - Encrypt&Decrypt
    • Stego Tricks
    • Esoteric languages
    • Blockchain & Crypto Currencies
  • 🦂C2
    • Salseo
    • ICMPsh
    • Cobalt Strike
  • ✍️TODO
    • Other Big References
    • Rust Basics
    • More Tools
    • MISC
    • Pentesting DNS
    • Hardware Hacking
      • I2C
      • UART
      • Radio
      • JTAG
      • SPI
    • Industrial Control Systems Hacking
      • Modbus Protocol
    • Radio Hacking
      • Pentesting RFID
      • Infrared
      • Sub-GHz RF
      • iButton
      • Flipper Zero
        • FZ - NFC
        • FZ - Sub-GHz
        • FZ - Infrared
        • FZ - iButton
        • FZ - 125kHz RFID
      • Proxmark 3
      • FISSURE - The RF Framework
      • Low-Power Wide Area Network
      • Pentesting BLE - Bluetooth Low Energy
    • Industrial Control Systems Hacking
    • Test LLMs
    • LLM Training
      • 0. Basic LLM Concepts
      • 1. Tokenizing
      • 2. Data Sampling
      • 3. Token Embeddings
      • 4. Attention Mechanisms
      • 5. LLM Architecture
      • 6. Pre-training & Loading models
      • 7.0. LoRA Improvements in fine-tuning
      • 7.1. Fine-Tuning for Classification
      • 7.2. Fine-Tuning to follow instructions
    • Burp Suite
    • Other Web Tricks
    • Interesting HTTP
    • Android Forensics
    • TR-069
    • 6881/udp - Pentesting BitTorrent
    • Online Platforms with API
    • Stealing Sensitive Information Disclosure from a Web
    • Post Exploitation
    • Investment Terms
    • Cookies Policy
Powered by GitBook
On this page
  • Basic overview
  • Kerberos Authentication
  • Cheat Sheet
  • Recon Active Directory (No creds/sessions)
  • User enumeration
  • Knowing one or several usernames
  • LLMNR/NBT-NS Poisoning
  • NTML Relay
  • Steal NTLM Creds
  • Enumerating Active Directory WITH credentials/session
  • Enumeration
  • Kerberoast
  • Remote connexion (RDP, SSH, FTP, Win-RM, etc)
  • Local Privilege Escalation
  • Current Session Tickets
  • NTML Relay
  • Looks for Creds in Computer Shares
  • Steal NTLM Creds
  • CVE-2021-1675/CVE-2021-34527 PrintNightmare
  • Privilege escalation on Active Directory WITH privileged credentials/session
  • Hash extraction
  • Pass the Hash
  • Over Pass the Hash/Pass the Key
  • Pass the Ticket
  • Credentials Reuse
  • MSSQL Abuse & Trusted Links
  • Unconstrained Delegation
  • Constrained Delegation
  • Resourced-based Constrain Delegation
  • ACLs Abuse
  • Printer Spooler service abuse
  • Third party sessions abuse
  • LAPS
  • Certificate Theft
  • Certificate Templates Abuse
  • Post-exploitation with high privilege account
  • Dumping Domain Credentials
  • Privesc as Persistence
  • Silver Ticket
  • Golden Ticket
  • Diamond Ticket
  • Certificates Account Persistence
  • Certificates Domain Persistence
  • AdminSDHolder Group
  • DSRM Credentials
  • ACL Persistence
  • Security Descriptors
  • Skeleton Key
  • Custom SSP
  • DCShadow
  • LAPS Persistence
  • Forest Privilege Escalation - Domain Trusts
  • Basic Information
  • Different trusts
  • Attack Path
  • Child-to-Parent forest privilege escalation
  • External Forest Domain - One-Way (Inbound) or bidirectional
  • External Forest Domain - One-Way (Outbound)
  • Domain trust abuse mitigation
  • SID Filtering:
  • Selective Authentication:
  • AD -> Azure & Azure -> AD
  • Some General Defenses
  • Defensive Measures for Credential Protection
  • Implementing Deception Techniques
  • Identifying Deception
  • Bypassing Detection Systems
  • References
Edit on GitHub
  1. Windows Hardening

Active Directory Methodology

PreviousWindows C PayloadsNextAbusing Active Directory ACLs/ACEs

Last updated 8 months ago

Learn & practice AWS Hacking: Learn & practice GCP Hacking:

Support HackTricks
  • Check the !

  • Join the 💬 or the or follow us on Twitter 🐦 .

  • Share hacking tricks by submitting PRs to the and github repos.

Basic overview

Active Directory serves as a foundational technology, enabling network administrators to efficiently create and manage domains, users, and objects within a network. It is engineered to scale, facilitating the organization of an extensive number of users into manageable groups and subgroups, while controlling access rights at various levels.

The structure of Active Directory is comprised of three primary layers: domains, trees, and forests. A domain encompasses a collection of objects, such as users or devices, sharing a common database. Trees are groups of these domains linked by a shared structure, and a forest represents the collection of multiple trees, interconnected through trust relationships, forming the uppermost layer of the organizational structure. Specific access and communication rights can be designated at each of these levels.

Key concepts within Active Directory include:

  1. Directory – Houses all information pertaining to Active Directory objects.

  2. Object – Denotes entities within the directory, including users, groups, or shared folders.

  3. Domain – Serves as a container for directory objects, with the capability for multiple domains to coexist within a forest, each maintaining its own object collection.

  4. Tree – A grouping of domains that share a common root domain.

  5. Forest – The pinnacle of organizational structure in Active Directory, composed of several trees with trust relationships among them.

Active Directory Domain Services (AD DS) encompasses a range of services critical for the centralized management and communication within a network. These services comprise:

  1. Domain Services – Centralizes data storage and manages interactions between users and domains, including authentication and search functionalities.

  2. Certificate Services – Oversees the creation, distribution, and management of secure digital certificates.

  3. Lightweight Directory Services – Supports directory-enabled applications through the LDAP protocol.

  4. Directory Federation Services – Provides single-sign-on capabilities to authenticate users across multiple web applications in a single session.

  5. Rights Management – Assists in safeguarding copyright material by regulating its unauthorized distribution and use.

  6. DNS Service – Crucial for the resolution of domain names.

Kerberos Authentication

Cheat Sheet

Recon Active Directory (No creds/sessions)

If you just have access to an AD environment but you don't have any credentials/sessions you could:

  • Pentest the network:

    • Enumerating DNS could give information about key servers in the domain as web, printers, shares, vpn, media, etc.

      • gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt

  • Check for null and Guest access on smb services (this won't work on modern Windows versions):

    • enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>

    • smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>

    • smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //

    • A more detailed guide on how to enumerate a SMB server can be found here:

  • Enumerate Ldap

    • nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>

    • A more detailed guide on how to enumerate LDAP can be found here (pay special attention to the anonymous access):

  • Poison the network

    • Extract usernames/names from internal documents, social media, services (mainly web) inside the domain environments and also from the publicly available.

    • Tools:

User enumeration

  • Kerbrute enum: When an invalid username is requested the server will respond using the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, allowing us to determine that the username was invalid. Valid usernames will illicit either the TGT in a AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, indicating that the user is required to perform pre-authentication.

./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt #From https://github.com/ropnop/kerbrute/releases

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>

msf> use auxiliary/gather/kerberos_enumusers

crackmapexec smb dominio.es  -u '' -p '' --users | awk '{print $4}' | uniq
  • OWA (Outlook Web Access) Server

ipmo C:\Tools\MailSniper\MailSniper.ps1
# Get info about the domain
Invoke-DomainHarvestOWA -ExchHostname [ip]
# Enumerate valid users from a list of potential usernames
Invoke-UsernameHarvestOWA -ExchHostname [ip] -Domain [domain] -UserList .\possible-usernames.txt -OutFile valid.txt
# Password spraying
Invoke-PasswordSprayOWA -ExchHostname [ip] -UserList .\valid.txt -Password Summer2021
# Get addresses list from the compromised mail
Get-GlobalAddressList -ExchHostname [ip] -UserName [domain]\[username] -Password Summer2021 -OutFile gal.txt

Knowing one or several usernames

Ok, so you know you have already a valid username but no passwords... Then try:

    • Note that you can also spray OWA servers to try to get access to the users mail servers.

LLMNR/NBT-NS Poisoning

You might be able to obtain some challenge hashes to crack poisoning some protocols of the network:

NTML Relay

Steal NTLM Creds

If you can access other PCs or shares with the null or guest user you could place files (like a SCF file) that if somehow accessed will trigger an NTML authentication against you so you can steal the NTLM challenge to crack it:

Enumerating Active Directory WITH credentials/session

For this phase you need to have compromised the credentials or a session of a valid domain account. If you have some valid credentials or a shell as a domain user, you should remember that the options given before are still options to compromise other users.

Before start the authenticated enumeration you should know what is the Kerberos double hop problem.

Enumeration

Having compromised an account is a big step to start compromising the whole domain, because you are going to be able to start the Active Directory Enumeration:

  • A tool with GUI that you can use to enumerate the directory is AdExplorer.exe from SysInternal Suite.

  • You could also try automated tools as:

  • Extracting all domain users

    It's very easy to obtain all the domain usernames from Windows (net user /domain ,Get-DomainUser or wmic useraccount get name,sid). In Linux, you can use: GetADUsers.py -all -dc-ip 10.10.10.110 domain.com/username or enum4linux -a -u "user" -p "password" <DC IP>

Even if this Enumeration section looks small this is the most important part of all. Access the links (mainly the one of cmd, powershell, powerview and BloodHound), learn how to enumerate a domain and practice until you feel comfortable. During an assessment, this will be the key moment to find your way to DA or to decide that nothing can be done.

Kerberoast

Kerberoasting involves obtaining TGS tickets used by services tied to user accounts and cracking their encryption—which is based on user passwords—offline.

More about this in:

Remote connexion (RDP, SSH, FTP, Win-RM, etc)

Once you have obtained some credentials you could check if you have access to any machine. For that matter, you could use CrackMapExec to attempt connecting on several servers with different protocols, accordingly to your ports scans.

Local Privilege Escalation

If you have compromised credentials or a session as a regular domain user and you have access with this user to any machine in the domain you should try to find your way to escalate privileges locally and looting for credentials. This is because only with local administrator privileges you will be able to dump hashes of other users in memory (LSASS) and locally (SAM).

Current Session Tickets

It's very unlikely that you will find tickets in the current user giving you permission to access unexpected resources, but you could check:

## List all tickets (if not admin, only current user tickets)
.\Rubeus.exe triage
## Dump the interesting one by luid
.\Rubeus.exe dump /service:krbtgt /luid:<luid> /nowrap
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<BASE64_TICKET>"))

NTML Relay

Looks for Creds in Computer Shares

Now that you have some basic credentials you should check if you can find any interesting files being shared inside the AD. You could do that manually but it's a very boring repetitive task (and more if you find hundreds of docs you need to check).

Steal NTLM Creds

If you can access other PCs or shares you could place files (like a SCF file) that if somehow accessed will trigger an NTML authentication against you so you can steal the NTLM challenge to crack it:

CVE-2021-1675/CVE-2021-34527 PrintNightmare

This vulnerability allowed any authenticated user to compromise the domain controller.

Privilege escalation on Active Directory WITH privileged credentials/session

For the following techniques a regular domain user is not enough, you need some special privileges/credentials to perform these attacks.

Hash extraction

Pass the Hash

Over Pass the Hash/Pass the Key

This attack aims to use the user NTLM hash to request Kerberos tickets, as an alternative to the common Pass The Hash over NTLM protocol. Therefore, this could be especially useful in networks where NTLM protocol is disabled and only Kerberos is allowed as authentication protocol.

Pass the Ticket

In the Pass The Ticket (PTT) attack method, attackers steal a user's authentication ticket instead of their password or hash values. This stolen ticket is then used to impersonate the user, gaining unauthorized access to resources and services within a network.

Credentials Reuse

If you have the hash or password of a local administrator you should try to login locally to other PCs with it.

# Local Auth Spray (once you found some local admin pass or hash)
## --local-auth flag indicate to only try 1 time per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +

Note that this is quite noisy and LAPS would mitigate it.

MSSQL Abuse & Trusted Links

If a user has privileges to access MSSQL instances, he could be able to use it to execute commands in the MSSQL host (if running as SA), steal the NetNTLM hash or even perform a relay attack. Also, if a MSSQL instance is trusted (database link) by a different MSSQL instance. If the user has privileges over the trusted database, he is going to be able to use the trust relationship to execute queries also in the other instance. These trusts can be chained and at some point the user might be able to find a misconfigured database where he can execute commands. The links between databases work even across forest trusts.

Unconstrained Delegation

Constrained Delegation

If a user or computer is allowed for "Constrained Delegation" it will be able to impersonate any user to access some services in a computer. Then, if you compromise the hash of this user/computer you will be able to impersonate any user (even domain admins) to access some services.

Resourced-based Constrain Delegation

Having WRITE privilege on an Active Directory object of a remote computer enables the attainment of code execution with elevated privileges:

ACLs Abuse

The compromised user could have some interesting privileges over some domain objects that could let you move laterally/escalate privileges.

Printer Spooler service abuse

Discovering a Spool service listening within the domain can be abused to acquire new credentials and escalate privileges.

Third party sessions abuse

If other users access the compromised machine, it's possible to gather credentials from memory and even inject beacons in their processes to impersonate them. Usually users will access the system via RDP, so here you have how to performa couple of attacks over third party RDP sessions:

LAPS

LAPS provides a system for managing the local Administrator password on domain-joined computers, ensuring it's randomized, unique, and frequently changed. These passwords are stored in Active Directory and access is controlled through ACLs to authorized users only. With sufficient permissions to access these passwords, pivoting to other computers becomes possible.

Certificate Theft

Gathering certificates from the compromised machine could be a way to escalate privileges inside the environment:

Certificate Templates Abuse

If vulnerable templates are configured it's possible to abuse them to escalate privileges:

Post-exploitation with high privilege account

Dumping Domain Credentials

Once you get Domain Admin or even better Enterprise Admin privileges, you can dump the domain database: ntds.dit.

Privesc as Persistence

Some of the techniques discussed before can be used for persistence. For example you could:

  • Set-DomainObject -Identity <username> -Set @{serviceprincipalname="fake/NOTHING"}r
  • Set-DomainObject -Identity <username> -XOR @{UserAccountControl=4194304}
  • Add-DomainObjectAcl -TargetIdentity "DC=SUB,DC=DOMAIN,DC=LOCAL" -PrincipalIdentity bfarmer -Rights DCSync

Silver Ticket

The Silver Ticket attack creates a legitimate Ticket Granting Service (TGS) ticket for a specific service by using the NTLM hash (for instance, the hash of the PC account). This method is employed to access the service privileges.

Golden Ticket

A Golden Ticket attack involves an attacker gaining access to the NTLM hash of the krbtgt account in an Active Directory (AD) environment. This account is special because it's used to sign all Ticket Granting Tickets (TGTs), which are essential for authenticating within the AD network.

Once the attacker obtains this hash, they can create TGTs for any account they choose (Silver ticket attack).

Diamond Ticket

These are like golden tickets forged in a way that bypasses common golden tickets detection mechanisms.

Certificates Account Persistence

Having certificates of an account or being able to request them is a very good way to be able to persist in the users account (even if he changes the password):

Certificates Domain Persistence

Using certificates is also possible to persist with high privileges inside the domain:

AdminSDHolder Group

The AdminSDHolder object in Active Directory ensures the security of privileged groups (like Domain Admins and Enterprise Admins) by applying a standard Access Control List (ACL) across these groups to prevent unauthorized changes. However, this feature can be exploited; if an attacker modifies the AdminSDHolder's ACL to give full access to a regular user, that user gains extensive control over all privileged groups. This security measure, meant to protect, can thus backfire, allowing unwarranted access unless closely monitored.

DSRM Credentials

Inside every Domain Controller (DC), a local administrator account exists. By obtaining admin rights on such a machine, the local Administrator hash can be extracted using mimikatz. Following this, a registry modification is necessary to enable the use of this password, allowing for remote access to the local Administrator account.

ACL Persistence

You could give some special permissions to a user over some specific domain objects that will let the user escalate privileges in the future.

Security Descriptors

The security descriptors are used to store the permissions an object have over an object. If you can just make a little change in the security descriptor of an object, you can obtain very interesting privileges over that object without needing to be member of a privileged group.

Skeleton Key

Alter LSASS in memory to establish a universal password, granting access to all domain accounts.

Custom SSP

DCShadow

It registers a new Domain Controller in the AD and uses it to push attributes (SIDHistory, SPNs...) on specified objects without leaving any logs regarding the modifications. You need DA privileges and be inside the root domain. Note that if you use wrong data, pretty ugly logs will appear.

LAPS Persistence

Previously we have discussed about how to escalate privileges if you have enough permission to read LAPS passwords. However, these passwords can also be used to maintain persistence. Check:

Forest Privilege Escalation - Domain Trusts

Microsoft views the Forest as the security boundary. This implies that compromising a single domain could potentially lead to the entire Forest being compromised.

Basic Information

In a typical scenario, if a user intends to access a service in a trusted domain, they must first request a special ticket known as an inter-realm TGT from their own domain's DC. This TGT is encrypted with a shared key that both domains have agreed upon. The user then presents this TGT to the DC of the trusted domain to get a service ticket (TGS). Upon successful validation of the inter-realm TGT by the trusted domain's DC, it issues a TGS, granting the user access to the service.

Steps:

  1. A client computer in Domain 1 starts the process by using its NTLM hash to request a Ticket Granting Ticket (TGT) from its Domain Controller (DC1).

  2. DC1 issues a new TGT if the client is authenticated successfully.

  3. The client then requests an inter-realm TGT from DC1, which is needed to access resources in Domain 2.

  4. The inter-realm TGT is encrypted with a trust key shared between DC1 and DC2 as part of the two-way domain trust.

  5. The client takes the inter-realm TGT to Domain 2's Domain Controller (DC2).

  6. DC2 verifies the inter-realm TGT using its shared trust key and, if valid, issues a Ticket Granting Service (TGS) for the server in Domain 2 the client wants to access.

  7. Finally, the client presents this TGS to the server, which is encrypted with the server’s account hash, to get access to the service in Domain 2.

Different trusts

It's important to notice that a trust can be 1 way or 2 ways. In the 2 ways options, both domains will trust each other, but in the 1 way trust relation one of the domains will be the trusted and the other the trusting domain. In the last case, you will only be able to access resources inside the trusting domain from the trusted one.

If Domain A trusts Domain B, A is the trusting domain and B ins the trusted one. Moreover, in Domain A, this would be an Outbound trust; and in Domain B, this would be an Inbound trust.

Different trusting relationships

  • Parent-Child Trusts: This is a common setup within the same forest, where a child domain automatically has a two-way transitive trust with its parent domain. Essentially, this means that authentication requests can flow seamlessly between the parent and the child.

  • Cross-link Trusts: Referred to as "shortcut trusts," these are established between child domains to expedite referral processes. In complex forests, authentication referrals typically have to travel up to the forest root and then down to the target domain. By creating cross-links, the journey is shortened, which is especially beneficial in geographically dispersed environments.

  • Forest Trusts: This type of trust is a two-way transitive trust between two forest root domains, also enforcing SID filtering to enhance security measures.

Other differences in trusting relationships

  • A trust relationship can also be transitive (A trust B, B trust C, then A trust C) or non-transitive.

  • A trust relationship can be set up as bidirectional trust (both trust each other) or as one-way trust (only one of them trust the other).

Attack Path

  1. Enumerate the trusting relationships

  2. Check if any security principal (user/group/computer) has access to resources of the other domain, maybe by ACE entries or by being in groups of the other domain. Look for relationships across domains (the trust was created for this probably).

    1. kerberoast in this case could be another option.

  3. Compromise the accounts which can pivot through domains.

Attackers with could access to resources in another domain through three primary mechanisms:

  • Local Group Membership: Principals might be added to local groups on machines, such as the “Administrators” group on a server, granting them significant control over that machine.

  • Foreign Domain Group Membership: Principals can also be members of groups within the foreign domain. However, the effectiveness of this method depends on the nature of the trust and the scope of the group.

Child-to-Parent forest privilege escalation

Get-DomainTrust

SourceName      : sub.domain.local    --> current domain
TargetName      : domain.local        --> foreign domain
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST       --> WITHIN_FOREST: Both in the same forest
TrustDirection  : Bidirectional       --> Trust direction (2ways in this case)
WhenCreated     : 2/19/2021 1:28:00 PM
WhenChanged     : 2/19/2021 1:28:00 PM

There are 2 trusted keys, one for Child --> Parent and another one for Parent --> Child. You can the one used by the current domain them with:

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc.my.domain.local
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'

SID-History Injection

Escalate as Enterprise admin to the child/parent domain abusing the trust with SID-History injection:

Exploit writeable Configuration NC

Understanding how the Configuration Naming Context (NC) can be exploited is crucial. The Configuration NC serves as a central repository for configuration data across a forest in Active Directory (AD) environments. This data is replicated to every Domain Controller (DC) within the forest, with writable DCs maintaining a writable copy of the Configuration NC. To exploit this, one must have SYSTEM privileges on a DC, preferably a child DC.

Link GPO to root DC site

The Configuration NC's Sites container includes information about all domain-joined computers' sites within the AD forest. By operating with SYSTEM privileges on any DC, attackers can link GPOs to the root DC sites. This action potentially compromises the root domain by manipulating policies applied to these sites.

Compromise any gMSA in the forest

An attack vector involves targeting privileged gMSAs within the domain. The KDS Root key, essential for calculating gMSAs' passwords, is stored within the Configuration NC. With SYSTEM privileges on any DC, it's possible to access the KDS Root key and compute the passwords for any gMSA across the forest.

Schema change attack

This method requires patience, waiting for the creation of new privileged AD objects. With SYSTEM privileges, an attacker can modify the AD Schema to grant any user complete control over all classes. This could lead to unauthorized access and control over newly created AD objects.

From DA to EA with ADCS ESC5

The ADCS ESC5 vulnerability targets control over Public Key Infrastructure (PKI) objects to create a certificate template that enables authentication as any user within the forest. As PKI objects reside in the Configuration NC, compromising a writable child DC enables the execution of ESC5 attacks.

External Forest Domain - One-Way (Inbound) or bidirectional

Get-DomainTrust
SourceName      : a.domain.local   --> Current domain
TargetName      : domain.external  --> Destination domain
TrustType       : WINDOWS-ACTIVE_DIRECTORY
TrustAttributes : 
TrustDirection  : Inbound          --> Inboud trust
WhenCreated     : 2/19/2021 10:50:56 PM
WhenChanged     : 2/19/2021 10:50:56 PM

In this scenario your domain is trusted by an external one giving you undetermined permissions over it. You will need to find which principals of your domain have which access over the external domain and then try to exploit it:

External Forest Domain - One-Way (Outbound)

Get-DomainTrust -Domain current.local

SourceName      : current.local   --> Current domain
TargetName      : external.local  --> Destination domain
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection  : Outbound        --> Outbound trust
WhenCreated     : 2/19/2021 10:15:24 PM
WhenChanged     : 2/19/2021 10:15:24 PM

In this scenario your domain is trusting some privileges to principal from a different domains.

However, when a domain is trusted by the trusting domain, the trusted domain creates a user with a predictable name that uses as password the trusted password. Which means that it's possible to access a user from the trusting domain to get inside the trusted one to enumerate it and try to escalate more privileges:

Another way to compromise the trusted domain is to wait in a machine where a user from the trusted domain can access to login via RDP. Then, the attacker could inject code in the RDP session process and access the origin domain of the victim from there. Moreover, if the victim mounted his hard drive, from the RDP session process the attacker could store backdoors in the startup folder of the hard drive. This technique is called RDPInception.

Domain trust abuse mitigation

SID Filtering:

  • The risk of attacks leveraging the SID history attribute across forest trusts is mitigated by SID Filtering, which is activated by default on all inter-forest trusts. This is underpinned by the assumption that intra-forest trusts are secure, considering the forest, rather than the domain, as the security boundary as per Microsoft's stance.

  • However, there's a catch: SID filtering might disrupt applications and user access, leading to its occasional deactivation.

Selective Authentication:

  • For inter-forest trusts, employing Selective Authentication ensures that users from the two forests are not automatically authenticated. Instead, explicit permissions are required for users to access domains and servers within the trusting domain or forest.

  • It's important to note that these measures do not safeguard against the exploitation of the writable Configuration Naming Context (NC) or attacks on the trust account.

AD -> Azure & Azure -> AD

Some General Defenses

Defensive Measures for Credential Protection

  • Domain Admins Restrictions: It is recommended that Domain Admins should only be allowed to login to Domain Controllers, avoiding their use on other hosts.

  • Service Account Privileges: Services should not be run with Domain Admin (DA) privileges to maintain security.

  • Temporal Privilege Limitation: For tasks requiring DA privileges, their duration should be limited. This can be achieved by: Add-ADGroupMember -Identity ‘Domain Admins’ -Members newDA -MemberTimeToLive (New-TimeSpan -Minutes 20)

Implementing Deception Techniques

  • Implementing deception involves setting traps, like decoy users or computers, with features such as passwords that do not expire or are marked as Trusted for Delegation. A detailed approach includes creating users with specific rights or adding them to high privilege groups.

  • A practical example involves using tools like: Create-DecoyUser -UserFirstName user -UserLastName manager-uncommon -Password Pass@123 | DeployUserDeception -UserFlag PasswordNeverExpires -GUID d07da11f-8a3d-42b6-b0aa-76c962be719a -Verbose

Identifying Deception

  • For User Objects: Suspicious indicators include atypical ObjectSID, infrequent logons, creation dates, and low bad password counts.

Bypassing Detection Systems

  • Microsoft ATA Detection Bypass:

    • User Enumeration: Avoiding session enumeration on Domain Controllers to prevent ATA detection.

    • Ticket Impersonation: Utilizing aes keys for ticket creation helps evade detection by not downgrading to NTLM.

    • DCSync Attacks: Executing from a non-Domain Controller to avoid ATA detection is advised, as direct execution from a Domain Controller will trigger alerts.

References

Support HackTricks

For a more detailed explanation check:

To learn how to attack an AD you need to understand really good the Kerberos authentication process.

You can take a lot to to have a quick view of which commands you can run to enumerate/exploit an AD.

Scan the network, find machines and open ports and try to exploit vulnerabilities or extract credentials from them (for example, .

Take a look to the General to find more information about how to do this.

Gather credentials

Access host by

Gather credentials exposing

:

If you find the complete names of company workers, you could try different AD username conventions (). The most common conventions are: NameSurname, Name.Surname, NamSur (3letters of each), Nam.Sur, NSurname, N.Surname, SurnameName, Surname.Name, SurnameN, Surname.N, 3 random letters and 3 random numbers (abc123).

Anonymous SMB/LDAP enum: Check the and pages.

If you found one of these servers in the network you can also perform user enumeration against it. For example, you could use the tool :

You can find lists of usernames in **** and this one ().

However, you should have the name of the people working on the company from the recon step you should have performed before this. With the name and surname you could used the script to generate potential valid usernames.

: If a user doesn't have the attribute DONT_REQ_PREAUTH you can request a AS_REP message for that user that will contain some data encrypted by a derivation of the password of the user.

: Let's try the most common passwords with each of the discovered users, maybe some user is using a bad password (keep in mind the password policy!).

If you have managed to enumerate the active directory you will have more emails and a better understanding of the network. You might be able to to force NTML **** to get access to the AD env.

Regarding you can now find every possible vulnerable user, and regarding you can get a list of all the usernames and try the password of the compromised account, empty passwords and new promising passwords.

You could use the

You can also use which will be stealthier

You ca also to extract more detailed information

Another amazing tool for recon in an active directory is . It is not very stealthy (depending on the collection methods you use), but if you don't care about that, you should totally give it a try. Find where users can RDP, find path to other groups, etc.

Other automated AD enumeration tools are: , , , .

as they might contain interesting information.

You can also search in the LDAP database with ldapsearch to look for credentials in fields userPassword & unixUserPassword, or even for Description. cf. for other methods.

If you are using Linux, you could also enumerate the domain using .

There is a complete page in this book about and a . Also, don't forget to use .

If you have managed to enumerate the active directory you will have more emails and a better understanding of the network. You might be able to to force NTML .

Hopefully you have managed to compromise some local admin account using , , , including relaying, , . Then, its time to dump all the hashes in memory and locally.

Once you have the hash of a user, you can use it to impersonate it. You need to use some tool that will perform the NTLM authentication using that hash, or you could create a new sessionlogon and inject that hash inside the LSASS, so when any NTLM authentication is performed, that hash will be used. The last option is what mimikatz does.

If you find any Computer object with the attribute and you have domain privileges in the computer, you will be able to dump TGTs from memory of every users that logins onto the computer. So, if a Domain Admin logins onto the computer, you will be able to dump his TGT and impersonate him using . Thanks to constrained delegation you could even automatically compromise a Print Server (hopefully it will be a DC).

.

Make users vulnerable to

Make users vulnerable to

Grant privileges to a user

You can create you own SSP to capture in clear text the credentials used to access the machine.\

A is a security mechanism that enables a user from one domain to access resources in another domain. It essentially creates a linkage between the authentication systems of the two domains, allowing authentication verifications to flow seamlessly. When domains set up a trust, they exchange and retain specific keys within their Domain Controllers (DCs), which are crucial to the trust's integrity.

External Trusts: These are set up between different, unrelated domains and are non-transitive by nature. According to , external trusts are useful for accessing resources in a domain outside of the current forest that isn't connected by a forest trust. Security is bolstered through SID filtering with external trusts.

Tree-root Trusts: These trusts are automatically established between the forest root domain and a newly added tree root. While not commonly encountered, tree-root trusts are important for adding new domain trees to a forest, enabling them to maintain a unique domain name and ensuring two-way transitivity. More information can be found in .

MIT Trusts: These trusts are established with non-Windows, Kerberos domains. MIT trusts are a bit more specialized and cater to environments requiring integration with Kerberos-based systems outside the Windows ecosystem.

Access Control Lists (ACLs): Principals might be specified in an ACL, particularly as entities in ACEs within a DACL, providing them access to specific resources. For those looking to dive deeper into the mechanics of ACLs, DACLs, and ACEs, the whitepaper titled “” is an invaluable resource.

For in-depth information, one might explore research on .

Detailed analysis can be found in the discussion on .

Further reading is available on .

More details on this can be read in . In scenarios lacking ADCS, the attacker has the capability to set up the necessary components, as discussed in .

Another way to compromise the trusted domain is to find a created in the opposite direction of the domain trust (which isn't very common).

\

More on deploying deception techniques can be found at .

General Indicators: Comparing attributes of potential decoy objects with those of genuine ones can reveal inconsistencies. Tools like can assist in identifying such deceptions.

Learn & practice AWS Hacking: Learn & practice GCP Hacking:

Check the !

Join the 💬 or the or follow us on Twitter 🐦 .

Share hacking tricks by submitting PRs to the and github repos.

🪟
TechTerms - Active Directory Definition
Read this page if you still don't know how it works.
https://wadcoms.github.io/
printers could be very interesting targets
Pentesting Methodology
139,445 - Pentesting SMB
389, 636, 3268, 3269 - Pentesting LDAP
impersonating services with Responder
fake UPnP services with evil-S
SDP
OSINT
read this
w0Tx/generate-ad-username
urbanadventurer/username-anarchy
pentesting SMB
pentesting LDAP
MailSniper
this github repo
statistically-likely-usernames
namemash.py
ASREPRoast
Password Spraying
Password Spraying / Brute Force
Spoofing LLMNR, NBT-NS, mDNS/DNS and WPAD and Relay Attacks
Places to steal NTLM creds
Kerberos Double Hop Problem
ASREPRoast
Password Spraying
powershell for recon
use powerview
BloodHound
DNS records of the AD
Password in AD User comment on PayloadsAllTheThings
pywerview
tomcarver16/ADSearch
61106960/adPEAS
Kerberoast
local privilege escalation in Windows
checklist
WinPEAS
Places to steal NTLM creds
PrintNightmare
AsRepRoast
Password Spraying
Kerberoast
Responder
EvilSSDP
escalating privileges locally
Read this page about different ways to obtain the hashes.
Over Pass the Hash/Pass the Key
Pass the Ticket
MSSQL AD Abuse
ADS_UF_TRUSTED_FOR_DELEGATION
Pass the Ticket
Unconstrained Delegation
Constrained Delegation
Resource-based Constrained Delegation
Abusing Active Directory ACLs/ACEs
Force NTLM Privileged Authentication
RDP Sessions Abuse
LAPS
AD CS Certificate Theft
AD CS Domain Escalation
More information about DCSync attack can be found here
More information about how to steal the NTDS.dit can be found here
Kerberoast
ASREPRoast
Silver Ticket
Golden Ticket
Diamond Ticket
AD CS Account Persistence
AD CS Domain Persistence
DSRM Credentials
Abusing Active Directory ACLs/ACEs
Security Descriptors
Skeleton Key
Custom SSP
DCShadow
LAPS
domain trust
Microsoft's documentation
Microsoft's guide
RFC4120-compliant
An ACE Up The Sleeve
SID-History Injection
Bypassing SID Filtering
Golden gMSA Trust Attacks
Schema Change Trust Attacks
From DA to EA with ESC5
Escalating from Child Domain Admins to Enterprise Admins
External Forest Domain - OneWay (Inbound) or bidirectional
External Forest Domain - One-Way (Outbound)
RDP Sessions Abuse
More information about domain trusts in ired.team.
Learn more about how to protect credentials here.
Deploy-Deception on GitHub
HoneypotBuster
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
https://www.labofapenetrationtester.com/2018/10/deploy-deception.html
https://ired.team/offensive-security-experiments/active-directory-kerberos-abuse/child-domain-da-to-ea-in-parent-domain
subscription plans
Discord group
telegram group
@hacktricks_live
HackTricks
HackTricks Cloud
DCSync
HackTricks Training AWS Red Team Expert (ARTE)
HackTricks Training GCP Red Team Expert (GRTE)
subscription plans
Discord group
telegram group
@hacktricks_live
HackTricks
HackTricks Cloud
HackTricks Training AWS Red Team Expert (ARTE)
HackTricks Training GCP Red Team Expert (GRTE)
More information about AdminDSHolder Group here.
Follow this link to learn about tools you could use.
AD Explorer
ADRecon
Group3r
PingCastle
Read this page for more information.
CMD to perform a basic recon
Azure AD Connect - Hybrid IdentityHackTricks Cloud
Logo
SQL trusted link
abusing the relay attack
relay attacks
relay attacks
Learn what is a SSP (Security Support Provider) here.