s1ckb0y1337 / active-directory-exploitation-cheat-sheet Goto Github PK

cool stuff

o alh8inos egw

Integrating a mindmap like this could also be really helpful :)
https://www.xmind.net/m/5dypm8/
https://github.com/Orange-Cyberdefense/arsenal/tree/master/mindmap

Like
CVE-2020-0932
CVE-2019-1257
CVE-2019-0604
When you pwned the SharePoint, you get more domain accounts
ref https://www.zerodayinitiative.com/blog?tag=SharePoint

Noticed you went for title case, however some sections, do not respect this (OCD alert).

Could you please address this or would you prefer me opening a PR?

hi @S1ckB0y1337 , I'm trying to conduct RBCD, and really confused with this note:

In Constrain and Resource-Based Constrained Delegation if we don't have the password/hash of the account with TRUSTED_TO_AUTH_FOR_DELEGATION that we try to abuse, we can use the very nice trick "tgt::deleg" from kekeo or "tgtdeleg" from rubeus and fool Kerberos to give us a valid TGT for that account. Then we just use the ticket instead of the hash of the account to perform the attack.

suppose I have machine acc MACHINE$ which has RBCD over DC
userAccountControl : WORKSTATION_TRUST_ACCOUNT, TRUSTED_TO_AUTH_FOR_DELEGATION
msDS-AllowedToDelegateTo : cifs/DC01.domain.local

but I dont know MACHINE$'s pass/rc4, how exctly I can request TGT for it? Rubeus.exe tgtdeleg will return TGT for my current user, and I cannot run it under machnie's context since I dont now its passwd

These notes could be compiled into an Obsidian-compatible ultimate cheat sheet for Red Teaming, this would allow leveraging the features of Obsidian, e.g. search and tagging features.

All that would be needed would be a refactoring of this large Readme.md into smaller chunks logically organised within folders.

In case you might be interested in adding an Active Directory Recon Tool to the documentation under Tools:

ADDS_Tool (An Active Directory Recon Tool)