Reconnaissance

When attacking an Active Directory, or in fact any system, it is essential to gather useful information that will help define who, what, when and where. Here are some examples of what information to look for.

The location of the domain controllers (and other major AD services like KDC, DNS and so on). This can be achieved by resolving standard names, by scanning the network and with standard LDAP queries
The domain name. It can be found with standard LDAP queries, recon through MS-RPC named pipes, by combining different recon techniques with enum4linux, by inspecting multicast and broadcast name resolution queries, ...
Domain objects and relations between them with BloodHound, with MS-RPC named pipes and with enum4linux.

Reconnaissance

Movement

Credentials

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Netlogon

Certificate Services (AD-CS)

SCCM / MECM

Exchange services

Print Spooler Service

Schannel

Built-ins & settings

Kerberos

Certificate Services (AD-CS)

HTTP security headers

Identity and Access Management

File inclusion

LFI to RCE

Initial access (protocols)

Windows

UNIX-like

(AV) Anti-Virus

Mifare Classic

Android

Reconnaissance

Dumping

Bruteforcing

MITM and coerced auths

NTLM

Kerberos

Forged tickets

Delegations

DACL abuse

Certificate Services (AD-CS)

SCCM / MECM

Certificate Services (AD-CS)

HTTP security headers

File inclusion

LFI to RCE

Windows

UNIX-like

Mifare Classic

Reconnaissance ​

Reconnaissance