AD-Attack-Roadmap

We are trying to cover different authentication mechanism and why AD uses these methods under what circumstance and the attacks that can be performed over different mode of authentication. Covering the roadmap of the attacks.

---

Attack Mind MAP

---

High Level Attack info

Attack	Minimum Requirements	How to Check Requirements
Kerberoasting	Authenticated domain user; SPNs assigned to accounts	GetUserSPNs.py (Impacket); setspn -T <domain> -Q */*
AS-REP Roasting	User with "Do not require Kerberos preauthentication"	GetNPUsers.py; Get-DomainUser -PreauthNotRequired (PowerView)
Pass-the-Ticket (PtT)	Valid TGT or TGS ticket; token injection access	mimikatz kerberos::list; klist
Golden Ticket	KRBTGT hash; domain SID; Domain Admin or SYSTEM access	mimikatz lsadump::lsa /patch
Silver Ticket	NTLM hash of service account; SPN; hostname of service	Extract hash via mimikatz or secretsdump.py
DCSync	Replication privileges (Domain Admin or equivalent)	Get-ObjectAcl -SamAccountName 'krbtgt' (PowerView)
Pass-the-Hash (PtH)	NTLM hash; optional admin rights on target	secretsdump.py; mimikatz
LLMNR/NBT-NS Poisoning	No protection; broadcast name resolution used	Use Responder; monitor with Wireshark
SMB Relay	SMB signing disabled; network access	nmap --script smb-security-mode; crackmapexec smb
ACL Abuse	Write or modify permissions on target object	Get-ACL, Get-ObjectAcl (PowerView)
Unconstrained Delegation	Machine with delegation enabled; victim logs into it	Get-DomainComputer -Unconstrained
Constrained Delegation	Access to object with msDS-AllowedToDelegateTo	Get-DomainUser -TrustedToAuth
Shadow Credentials	Write access to msDS-KeyCredentialLink	Use Whisker; ForgeCert; check with Get-DomainObjectAcl
Printer Bug	Spooler service running on victim machine	Use rpcdump.py; check spooler ports
NTLMv1 Relay/Downgrade	NTLMv1 enabled; no SMB signing; broadcast traffic	Check registry; use Responder, Inveigh, or Wireshark

---

expand more

adding initial access

adding enumeartion section

AD attacks

refining

AD attacks