Active Directory Pentesting Techniques

I wanted to share some easy wins to perform during pentesting. These are best with credentials.
NoPac
crackmapexec smb <target> -u 'user' -p 'pass' -M nopac

Printer Bug
crackmapexec smb <target> -u 'user' -p 'pass' -M spooler

GPP Autologin
crackmapexec smb <target> -u 'username' -p 'pass' -M gpp_autologin

PetitPotam
crackmapexec smb <target> -u Administrator -p 'Password123!' -M petitpotam

DFSCoerce
crackmapexec smb <target> -u Administrator -p 'Password123!' -M dfscoerce

ShadowCoerce
crackmapexec smb <target> -u Administrator -p 'Password123!' -M shadowcoerce

ldap-checker
crackmapexec ldap <target> -u Administrator -p 'Password123!' -M ldap-checker --kdcHost example.local

ldap-signing
crackmapexec ldap <target> -u Administrator -p 'Password123!' -M ldap-signing
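The gpp_autologin module above finds autologon passwords that Group Policy Preferences left in SYSVOL. The script below is the matching defender-side check, added here as an example; it is not part of the post and not CrackMapExec code. It walks a copy of SYSVOL (the path is an assumption), flags every GPP XML element that still carries a cpassword attribute (the MS14-025 issue) and every Registry.xml entry that writes a Winlogon DefaultPassword or AutoAdminLogon value, and reports where the credential sits without printing the secret. All sample XML is constructed for the demo.

```python
"""Defender-side audit for credentials left in Group Policy Preferences (SYSVOL)."""
import os
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# GPP files that can carry a cpassword, plus Registry.xml for autologon values.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml", "Registry.xml"}
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")
WINLOGON_SUFFIX = r"windows nt\currentversion\winlogon"
AUTOLOGON_VALUES = {"defaultpassword", "autoadminlogon"}


@dataclass
class Finding:
    path: str    # file that holds the credential
    kind: str    # "cpassword" or "autologon"
    detail: str  # account or value name, never the secret itself


def scan_file(path: str) -> List[Finding]:
    """Parse one GPP XML file and return the credential findings in it."""
    findings: List[Finding] = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return findings  # malformed file: nothing to report from it
    for el in root.iter():
        # cpassword is AES-encrypted with a key Microsoft published, so any
        # non-empty value must be treated as a plaintext password.
        if el.attrib.get("cpassword"):
            who = next((el.attrib[a] for a in ACCOUNT_ATTRS if el.attrib.get(a)), el.tag)
            findings.append(Finding(path, "cpassword", who))
        # Registry.xml: a Properties element writing a Winlogon autologon value.
        key = el.attrib.get("key", "").lower().replace("/", "\\")
        if (el.tag == "Properties" and key.endswith(WINLOGON_SUFFIX)
                and el.attrib.get("name", "").lower() in AUTOLOGON_VALUES):
            findings.append(Finding(path, "autologon", el.attrib["name"]))
    return findings


def scan_sysvol(sysvol_root: str) -> List[Finding]:
    """Walk a SYSVOL copy and scan every GPP file found under it."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name in GPP_FILES:
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


# Constructed samples: a local account with cpassword, a Registry.xml with an
# autologon password next to a harmless value, and a clean Drives.xml.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" image="2">
    <Properties action="U" cpassword="CONSTRUCTED-CIPHERTEXT" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
"""
SAMPLE_REGISTRY_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<RegistrySettings>
  <Registry name="AUOptions">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE"
                key="SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
                name="AUOptions" type="REG_DWORD" value="00000004"/>
  </Registry>
  <Registry name="DefaultPassword">
    <Properties action="U" hive="HKEY_LOCAL_MACHINE"
                key="SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
                name="DefaultPassword" type="REG_SZ" value="CONSTRUCTED-PASSWORD"/>
  </Registry>
</RegistrySettings>
"""
SAMPLE_DRIVES_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="H:"><Properties action="U" path="\\fileserver\home" userName=""/></Drive>
</Drives>
"""


def build_sample_sysvol() -> str:
    """Write the constructed SYSVOL fragment to a temp dir and return its path."""
    base = tempfile.mkdtemp(prefix="sysvol_")
    layout = {  # GPO GUIDs are placeholders, not real policy ids
        "Policies/{CONSTRUCTED-GPO-1}/Machine/Preferences/Groups/Groups.xml": SAMPLE_GROUPS_XML,
        "Policies/{CONSTRUCTED-GPO-1}/Machine/Preferences/Registry/Registry.xml": SAMPLE_REGISTRY_XML,
        "Policies/{CONSTRUCTED-GPO-2}/User/Preferences/Drives/Drives.xml": SAMPLE_DRIVES_XML,
    }
    for rel, content in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed SYSVOL copy."""
    return scan_sysvol(build_sample_sysvol())


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.kind}] {f.path}: {f.detail}")
```

Against a real domain, point scan_sysvol at a mounted or copied \\<domain>\SYSVOL tree; the fix for each hit is to delete the preference item (or the whole cpassword attribute) and rotate the affected account, since the ciphertext is reversible by anyone who can read SYSVOL.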

neat!

There are a whole bunch of things you can do with Active Directory Certificate Services (ADCS) as well. Most companies barely understand ADCS, so they often have configuration issues that can be exploited.

Two great tools for this are Certify and Certipy (yes, the second one is spelled correctly). I like Certipy because you can run it from Linux, so if you can get a foothold or a rogue device or VM on their network, you can run it without being caught by EDR.