Post Exploitation

This page covers post-exploitation steps for moving around an Active Directory (AD) environment.

Approach the first machine you reach in AD as you would a regular standalone Windows machine; the same goes for lateral movement and privilege escalation. Movement itself is not that hard, but it depends on doing post-exploitation thoroughly.

You can do post exploitation steps as follows:

Check which groups the user belongs to, and whether any of them is a privileged group.

Check the other users in the domain.
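The two checks above, written as an audit script rather than an attacker's one-liner. This is an added example, not code from the original page: it reports which high-value groups an account belongs to (including nested membership, which Get-ADPrincipalGroupMembership does not resolve) and which user accounts sit in those groups. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and the caller can read the domain; the list of privileged group names is my own starting point and the function names are my own.

```powershell
# Added example (not from the original page): audit privileged group membership in AD.
# Assumes the ActiveDirectory module is available. Group names below are a constructed
# starting list of well-known high-value groups; extend it for your own environment.

Import-Module ActiveDirectory

$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins',
    'Group Policy Creator Owners'
)

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape characters that have meaning inside an LDAP filter (RFC 4515),
    # otherwise a DN such as "CN=Smith\, John,..." breaks the query.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Get-PrivilegedGroupMembership {
    # Which privileged groups does one account belong to, directly or through nesting?
    param([string]$SamAccountName = $env:USERNAME)

    $user = Get-ADUser -Identity $SamAccountName
    $dn   = ConvertTo-LdapFilterValue $user.DistinguishedName

    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership on the server side.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                Select-Object -ExpandProperty Name)
    $hits   = @($groups | Where-Object { $PrivilegedGroups -contains $_ })

    [pscustomobject]@{
        Account          = $user.SamAccountName
        GroupCount       = $groups.Count
        PrivilegedGroups = ($hits -join ', ')
        IsPrivileged     = ($hits.Count -gt 0)
    }
}

function Get-PrivilegedGroupMembers {
    # The reverse view: every user account that ends up in a privileged group.
    foreach ($g in $PrivilegedGroups) {
        try {
            $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                         Where-Object objectClass -eq 'user')
        } catch {
            continue   # group does not exist in this domain, or cannot be read
        }
        foreach ($m in $members) {
            [pscustomobject]@{ Group = $g; Member = $m.SamAccountName }
        }
    }
}

# Usage: the current account first, then the domain-wide picture.
Get-PrivilegedGroupMembership | Format-List
Get-PrivilegedGroupMembers | Sort-Object Group, Member | Format-Table -AutoSize
```

The second function is the one worth scheduling: an account that turns up in the output without a change ticket behind it is the finding, whichever side of the engagement you are on.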

Search the file system for passwords, important notes, mail, and other useful information.

Check the services on the system.

Some services keep cleartext passwords or hashes in their configuration files.

Extract hashes, secrets and Kerberos tickets with mimikatz etc. (requires a SYSTEM shell).

See: Password Extraction

Try pass-the-hash methods using psexec or crackmapexec from impacket, evil-winrm, xfreerdp etc. (If the target user does not have Administrator rights, you cannot get a shell with impacket.)

Try cracking the extracted hashes.

See: Password Cracking

Check SPNs. If there is an account with an SPN in the domain, try to extract and crack it.

See: GetUserSPNs.ps1

Check gMSA. If there is a gMSA account in the domain, try to extract and crack it.

See: GMSA
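A gMSA is only as exposed as the set of principals allowed to read its managed password, so the defensive counterpart of the check above is to review that set. The following is an added example, not code from the original page or the linked GMSA page: it lists every gMSA in the domain with the principals granted PrincipalsAllowedToRetrieveManagedPassword and flags grants to broad groups. It assumes the ActiveDirectory module and read access to the domain; the list of "broad" group names is my own.

```powershell
# Added example (not from the original page): review who may retrieve each gMSA password.
# Assumes the ActiveDirectory module is available. The BroadGroups list is constructed;
# any of these being able to read a gMSA password means every member can use the account.

Import-Module ActiveDirectory

$BroadGroups = @('Domain Users', 'Domain Computers', 'Authenticated Users', 'Everyone', 'Users')

function Get-GmsaPasswordReaders {
    Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToRetrieveManagedPassword, ServicePrincipalNames |
        ForEach-Object {
            $allowed = @()
            foreach ($dn in $_.PrincipalsAllowedToRetrieveManagedPassword) {
                # The attribute holds distinguished names; resolve each to a readable name,
                # falling back to the raw DN if the object cannot be looked up.
                try   { $allowed += (Get-ADObject -Identity $dn -ErrorAction Stop).Name }
                catch { $allowed += $dn }
            }
            $broad = @($allowed | Where-Object { $BroadGroups -contains $_ })
            [pscustomobject]@{
                Name          = $_.Name
                HasSPN        = ($_.ServicePrincipalNames.Count -gt 0)
                AllowedToRead = ($allowed -join ', ')
                BroadGrant    = ($broad.Count -gt 0)
            }
        }
}

# Usage: broad grants first, since those are the ones to fix.
Get-GmsaPasswordReaders | Sort-Object BroadGrant -Descending | Format-Table -AutoSize
```

An empty AllowedToRead column is also worth a look: nobody can use the account as intended, which usually means the deployment was never finished.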

If you have a cleartext password, you can use Spray-Passwords.ps1 to find out whether another user is using the same password.

See: Spray-Passwords.ps1
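Spraying has a distinctive footprint in the Security log: one source producing failed logons (event 4625) against many different accounts, a few attempts each, inside a short window. The script below is an added example, not code from the original page or from Spray-Passwords.ps1: it groups failed logons by source address, slides a time window over them, and reports any source that touched more distinct accounts than a threshold. The function names, window size and threshold are my own choices, and the sample events at the bottom are constructed so the script runs without a real log.

```powershell
# Added example (not from the original page): detect a password spray pattern in 4625 events.
# Find-PasswordSpray works on plain objects (Time, Account, Source) so it can be fed either
# from Get-FailedLogons below or from exported log data. Thresholds are constructed defaults.

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]]$FailedLogons,
        [int]$WindowMinutes      = 10,
        [int]$MinDistinctAccounts = 5
    )
    $results = @()
    foreach ($group in ($FailedLogons | Group-Object Source)) {
        $events = @($group.Group | Sort-Object Time)
        # Slide a window starting at each event for this source.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start    = $events[$i].Time
            $end      = $start.AddMinutes($WindowMinutes)
            $inWindow = @($events | Where-Object { $_.Time -ge $start -and $_.Time -lt $end })
            $accounts = @($inWindow | Select-Object -ExpandProperty Account | Sort-Object -Unique)
            if ($accounts.Count -ge $MinDistinctAccounts) {
                $results += [pscustomobject]@{
                    Source           = $group.Name
                    WindowStart      = $start
                    DistinctAccounts = $accounts.Count
                    Attempts         = $inWindow.Count
                }
                break   # one alert per source is enough for the report
            }
        }
    }
    return $results
}

function Get-FailedLogons {
    # Read 4625 events from the local Security log (needs an elevated shell).
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            # The useful fields live in EventData; pull them out of the event XML by name.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; Source = $d['IpAddress'] }
        }
}

# Constructed sample: one source cycling through eight accounts within three minutes,
# plus one user mistyping their own password twice from another host.
$base   = [datetime]'2024-01-01T09:00:00'
$sample = @()
$i = 0
foreach ($acct in 'alice', 'bob', 'carol', 'dave', 'erin', 'frank', 'grace', 'heidi') {
    $sample += [pscustomobject]@{ Time = $base.AddSeconds(20 * $i); Account = $acct; Source = '10.0.0.50' }
    $i++
}
$sample += [pscustomobject]@{ Time = $base.AddMinutes(30); Account = 'bob'; Source = '10.0.0.7' }
$sample += [pscustomobject]@{ Time = $base.AddMinutes(31); Account = 'bob'; Source = '10.0.0.7' }

Find-PasswordSpray -FailedLogons $sample | Format-Table -AutoSize
# Against the live log: Find-PasswordSpray -FailedLogons (Get-FailedLogons -Hours 6)
```

Sprays that stay under the lockout threshold per account still cross the distinct-account threshold here, which is the point of keying on the source rather than on the target user. Note that 4625 events show the source address only for network logons; a spray through a proxy or against a federation endpoint needs that system's own logs.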

Check whether the user has rights over an exploitable GPO.

See: Abuse GPO

You can try recent AD exploits to get Domain Admin privileges.

There are excellent tools for working in AD; these can be helpful.

You will find a way: systems are built by people, so there is always a weakness.

Never give up!
