LEARNING OSCP: Day #7
Rooted a whole AD domain.
I will share my methodology. There are multiple paths and ways to gain access and move laterally; multiple tools and techniques will work.
I must say the AD in OSCP is pretty easy and straightforward.
#oscp #infosec
For initial access:
1. Start with the box having a web server, it is the most common path.
2. Use revshells.com for PowerShell payloads, I prefer the base64 one.
3. Just remember Windows prefers '\' rather than '/', don't mess up the syntax (C:\Users and not C:/Users).
For AD enumeration:
1. Use adPEAS, just like linpeas and winpeas; it is a PowerShell script for automating domain info gathering and lateral movement vectors: github.com/61106960/adPEAS
2. I would recommend performing the enumeration manually before using this, to understand it better.
For password dumps:
1. I use mimikatz, github.com/ParrotSec/mimi…
2. Sometimes you'll get a KeyError, use the older version: github.com/allandev5959/m…
3. lsadump::sam (dump from SAM)
4. sekurlsa::logonPasswords (dump from memory)
5. For access issues, use token::elevate to get SYSTEM
For ticket enumeration:
1. adPEAS can dump SPNs for domain and service accounts.
2. In mimikatz, kerberos::list to get in-memory tickets (and /export to get kirbi files).
3. In PowerShell, you can use PowerView: github.com/PowerShellMafi… (it's a really powerful AD enumerator, like adPEAS).
For password cracking:
1. Use john or hashcat, and even crackstation with the NTLM format.
2. You can crack kirbi files with kirbi2john and then --format=krb5tgs.
3. Hashcat is pretty easy and faster for cracking SPN tickets.
4. This is not actually required for hashes; you should use PtH.
For Pass the Hash:
1. Use impacket psexec or pth-winexe.
2. CrackMapExec is a neat choice, it can even spray the hashes across all the servers: github.com/Porchetta-Indu…
3. I don't prefer Metasploit, but smb/psexec is an easy choice if you have no options.
4. Use only the NT part!!
For Pass the Ticket:
1. PowerView to get domain account details (username, SID, FQDN, SPN, etc.).
2. Impacket ticketer.py
3. Mimikatz kerberos::golden /ptt (/spn for a silver ticket).
4. Once the tickets are in memory, use impacket psexec (or SysInternals on Windows).
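The defender's counterpart to the Pass the Hash and Pass the Ticket sections above, as an added example that is not part of the original thread: two widely used heuristics run over Windows Security event records. A 4624 network logon (type 3) authenticated by NTLM through NtLmSsp with KeyLength 0 is the classic pass-the-hash shape, and a 4769 service-ticket request encrypted with RC4-HMAC (0x17) for an account configured for AES is the classic Kerberoasting / forged-ticket shape. The field names are those of the real event XML; the records, the 10.0.0.x addresses, the account names and the AES_ONLY_SERVICES list are all constructed assumptions for this example.

```python
"""Detection heuristics for NTLM pass-the-hash logons and RC4 service
ticket requests, run over constructed Windows Security event records.
Added example, not code from the thread author."""

# RC4-HMAC as it appears in the TicketEncryptionType field of event 4769.
RC4_HMAC = "0x17"

# Assumption for the example: service accounts known to be AES-only, so an
# RC4 ticket request for them is unexpected.
AES_ONLY_SERVICES = {"svc_sql", "svc_web"}

# Constructed sample records (assumption: events exported with the EventData
# fields flattened to top-level keys). Not logs from any real host.
SAMPLE_EVENTS = [
    # NTLM network logon, key length 0: pass-the-hash shape
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 0,
     "TargetUserName": "svc_backup", "IpAddress": "10.0.0.25"},
    # Ordinary NTLM network logon with session key negotiated
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "LogonProcessName": "NtLmSsp", "KeyLength": 128,
     "TargetUserName": "alice", "IpAddress": "10.0.0.40"},
    # Kerberos network logon; KeyLength is 0 for Kerberos, which is normal
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "LogonProcessName": "Kerberos", "KeyLength": 0,
     "TargetUserName": "bob", "IpAddress": "10.0.0.41"},
    # RC4 service ticket for an AES-only service account: suspicious
    {"EventID": 4769, "TicketEncryptionType": "0x17",
     "ServiceName": "svc_sql", "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "10.0.0.25"},
    # AES256 service ticket for the same service: expected
    {"EventID": 4769, "TicketEncryptionType": "0x12",
     "ServiceName": "svc_sql", "TargetUserName": "bob@CORP.LOCAL",
     "IpAddress": "10.0.0.41"},
]


def is_pass_the_hash_candidate(ev):
    """4624, network logon, NTLM via NtLmSsp, no session key negotiated."""
    return (ev.get("EventID") == 4624
            and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("LogonProcessName") == "NtLmSsp"
            and ev.get("KeyLength") == 0)


def is_rc4_tgs_candidate(ev):
    """4769 with RC4-HMAC for a service account that should be using AES."""
    return (ev.get("EventID") == 4769
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and ev.get("ServiceName") in AES_ONLY_SERVICES)


def find_suspicious(events):
    """Return (rule, principal, source_ip) tuples for every matching event."""
    alerts = []
    for ev in events:
        if is_pass_the_hash_candidate(ev):
            alerts.append(("pass-the-hash", ev["TargetUserName"], ev["IpAddress"]))
        if is_rc4_tgs_candidate(ev):
            alerts.append(("rc4-tgs", ev["ServiceName"], ev["IpAddress"]))
    return alerts


def sources_hitting_both(alerts):
    """Source IPs that triggered both rules: a stronger signal than either alone."""
    by_rule = {}
    for rule, _principal, ip in alerts:
        by_rule.setdefault(rule, set()).add(ip)
    return by_rule.get("pass-the-hash", set()) & by_rule.get("rc4-tgs", set())


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_EVENTS)
    for rule, principal, ip in found:
        print(f"{rule:14s} principal={principal} source={ip}")
    print("sources hitting both rules:", sorted(sources_hitting_both(found)))
```

Both rules are heuristics, not proofs: some legitimate tooling also produces KeyLength 0 NTLM logons, and RC4 tickets are normal for accounts that never had AES keys set. They are most useful correlated by source address, which is what sources_hitting_both does.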
Will add more resources in the future.
The only reason people fear AD is the complex suite of tools and enumeration techniques required.
Once you start doing the labs, you'll get used to it. Keep making your notes and just remember:
ENUMERATION IS THE KEY!
