OSCP Active Directory Cheat Sheet: Your Ultimate Guide

Hey there, future OSCP holders! If you’re diving into the world of penetration testing and specifically focusing on Active Directory (AD) environments for your OSCP exam, you’ve landed in the right spot. This OSCP Active Directory cheat sheet is designed to be your go-to resource, packed with essential commands, techniques, and tips to help you conquer those AD labs. We’re going to break down the crucial steps, from enumeration to privilege escalation, so you can navigate complex AD infrastructures with confidence. Remember, guys, AD is a massive attack surface, and understanding its nuances is key to acing the OSCP. Let’s get this knowledge party started!

Mastering Active Directory Enumeration: The First Step to Dominance

Alright team, the very first thing you need to nail when you’re staring down an Active Directory environment is enumeration . This is where you gather as much intel as possible about the domain, its users, groups, computers, and any potential misconfigurations. Think of it like being a detective – you need to find all the clues before you can crack the case. For the OSCP, especially when dealing with Active Directory, getting a solid enumeration baseline is absolutely critical . Without it, you’re essentially flying blind, and nobody wants that on exam day, right? So, what are our go-to tools and techniques for AD enumeration? We’ve got a few heavy hitters. First off, nmap is your best friend for initial port scanning. You’ll want to look for common AD-related ports like 53 (DNS), 88 (Kerberos), 135 (MSRPC), ¹³⁹ ⁄ ₄₄₅ (SMB), 389 (LDAP), 636 (LDAPS), and 464 (Kerberos Change Password). Once you’ve identified these, you can start digging deeper. PowerView and BloodHound are absolute game-changers for AD enumeration. If you can get your hands on these tools (or their command-line equivalents like Get-DomainUser , Get-DomainGroup , Get-NetSession , etc.), your life will be so much easier. PowerView shines for scripting and querying AD objects directly, while BloodHound, with its fancy graph visualization, helps you spot attack paths and relationships you might otherwise miss. Seriously, spend time playing with BloodHound in your labs; it’s a revelation. Don’t forget about good old LDAP enumeration using tools like ldapsearch or just scripting it yourself. You can pull tons of information about users, groups, organizational units (OUs), and machine accounts. Another key aspect is identifying unpatched systems or systems with weak configurations . This often involves scanning for vulnerable services or looking for default credentials. SMB enumeration using smbclient or enum4linux can reveal shares, users, and group information. Remember, every piece of information you gather is a potential stepping stone towards gaining a foothold or escalating privileges. So, dedicate ample time to thorough enumeration – it’s the bedrock of your entire AD penetration test. The more you know, the more opportunities you’ll uncover. Don’t rush this phase, guys; it’s worth every minute.

Exploiting Active Directory Vulnerabilities: Cracking the Domain

Once you’ve completed your thorough enumeration, the next logical step in our OSCP Active Directory cheat sheet is to start exploiting the vulnerabilities you’ve uncovered. This is where the real fun begins, right? We’re talking about moving from just seeing the environment to actually compromising it. The OSCP exam often features Active Directory environments with classic misconfigurations and known vulnerabilities that are ripe for exploitation. One of the most common attack vectors in AD is leveraging Kerberos . This authentication protocol, while powerful, has several weaknesses that can be exploited. For instance, Kerberoasting is a technique where you can request service tickets for services running under user accounts and then crack the hashes offline to reveal user passwords. Tools like GetUserSPNs.py from the Impacket suite are your best bet here. You’ll need a good wordlist for offline cracking, so make sure you have one ready. Another Kerberos-related attack is AS-REP Roasting . This targets user accounts that have the ‘Do not require Kerberos preauthentication’ flag set. You can request TGS tickets for these users without needing their password, and then crack the hash. GetNPUsers.py is your tool of choice for this. Beyond Kerberos, SMB exploits are also prevalent. Think about exploiting weak SMB configurations, like NULL sessions or anonymous access to shares. You might find sensitive files, password hashes, or even configuration information that can lead to further compromise. Exploiting unpatched systems is another major theme. If enumeration revealed a server running an old, vulnerable version of software (like an outdated web server or an old RDP client), you might be able to use known exploits to gain initial access. Credential stuffing or pass-the-hash (PtH) attacks are also common. If you manage to snag some valid credentials or hashes through other means (like Kerberoasting or finding them in a leaked file), you can use tools like psexec or Impacket’s wmiexec.py or psexec.py to execute commands remotely on other machines. This is a fantastic way to pivot deeper into the network. Don’t forget about GPO (Group Policy Object) abuse . Misconfigured GPOs can sometimes be leveraged to deploy malicious scripts or executables to user machines. Finally, exploring trusts between domains can open up entirely new avenues for attack if misconfigured. The key here, guys, is to be systematic. Don’t just randomly try exploits. Use the information from your enumeration phase to guide your exploitation efforts. If you found a service running under a specific user account, target that account with Kerberoasting. If you found a vulnerable SMB share, dive into that. Each successful exploit should lead you to more information and opportunities. Keep a detailed log of what you try and what the results are – it’s crucial for staying organized.

Privilege Escalation in Active Directory: The Path to Domain Admin

So, you’ve gained initial access, maybe as a low-privileged user. Now what? The next critical phase in any Active Directory penetration test, and a huge focus for the OSCP, is privilege escalation . This is where you move from having limited access to becoming a Domain Administrator or achieving the highest level of privilege possible. It’s the ultimate goal, right? Getting that sweet, sweet NT AUTHORITY\SYSTEM or Domain Admin access. Active Directory offers a multitude of pathways for privilege escalation, and knowing them inside out is what separates the rookies from the pros. Let’s dive into some of the most common and effective methods. A foundational technique is local privilege escalation on individual machines. This could involve exploiting kernel vulnerabilities, misconfigured services running as SYSTEM, insecure file permissions (like AlwaysInstallElevated in the registry), or finding sensitive information in unquoted service paths. Tools like WinPEAS (Windows Privilege Escalation Awesome Script) and PowerUp are invaluable here. Running these scripts can quickly highlight potential local privilege escalation vectors. Once you escalate locally, you might gain access to credentials or hashes that allow you to move laterally. Speaking of lateral movement, Pass-the-Hash (PtH) and Pass-the-Ticket (PtT) are your best friends. If you’ve obtained NTLM hashes or Kerberos tickets from a compromised machine or user, you can use them with tools like psexec , wmiexec , or Mimikatz to authenticate as that user on other machines without knowing their actual password. This is a massive shortcut to escalating privileges across the domain. Kerberoasting and AS-REP Roasting , which we touched upon earlier, can also be considered privilege escalation vectors if they lead you to credentials that grant you higher access, or if they allow you to reset passwords for privileged accounts. Another significant area is abuse of Active Directory permissions . This can include finding users with excessive permissions on specific objects (like Organizational Units or Group Policy Objects), or exploiting group memberships. For example, if a user is a member of a group that has administrative rights on critical servers, gaining access to that user’s account can lead to domain-level compromise. Unconstrained Delegation and Constrained Delegation misconfigurations are goldmines for privilege escalation. If a service account is configured with unconstrained delegation, an attacker who compromises that service account can request Kerberos tickets for any service on behalf of any user. This is a direct path to Domain Admin. Similarly, misconfigurations in constrained delegation can also be exploited. Exploiting GPOs again comes into play. If you can modify a GPO that is applied to privileged users or computers, you can use it to execute code with elevated privileges. DCSync is a powerful technique that allows an attacker to request password hashes from a Domain Controller, effectively mimicking the replication process. If you have an account with the right permissions (like a Domain Admin or a replicated account), you can use tools like Mimikatz ( lsadump::dcsync ) to dump all domain password hashes. This is a direct route to compromising the entire domain. Remember, guys, privilege escalation is an iterative process. You might need to perform local escalation on one machine, then use those credentials for lateral movement, then perform another escalation on a different machine, and so on. Always keep enumerating, even after gaining initial access. Look for new opportunities, new user accounts, and new group memberships. Persistence and a methodical approach are key. Don’t get discouraged if the first few attempts don’t work; keep digging!

Essential Tools and Commands for OSCP Active Directory Mastery

To truly excel in Active Directory penetration testing for your OSCP, you need a solid arsenal of tools and commands at your disposal. This section of our OSCP Active Directory cheat sheet focuses on the must-haves that will streamline your efforts and boost your efficiency. Think of these as your trusty sidekicks in the AD jungle. First up, we have the essentials for enumeration and information gathering . nmap is indispensable for initial reconnaissance, identifying open ports and services. Remember those key AD ports: 53, 88, 135, ¹³⁹ ⁄ ₄₄₅ , 389, 636, 464. PowerView (or its PowerShell cmdlets like Get-DomainUser , Get-DomainGroup , Get-NetSession ) is phenomenal for querying Active Directory objects. It’s incredibly versatile for finding users, groups, computers, and relationships. BloodHound is arguably the most powerful tool for visualizing AD attack paths. Its GUI allows you to see complex relationships and identify the shortest routes to Domain Admin. Make sure you know how to ingest data into it using the SharpHound collector. For Kerberos attacks , GetUserSPNs.py (from Impacket) is your go-to for Kerberoasting, while GetNPUsers.py is used for AS-REP Roasting. kerberoast is another useful tool if you’re using the Rubeus utility. Responder is crucial for capturing hashes via LLMNR/NBT-NS poisoning, especially in lab environments where these protocols might be enabled. For SMB enumeration , smbclient and enum4linux are your allies for listing shares, users, and system information. When it comes to exploitation and lateral movement , psexec (from Sysinternals Suite) is a classic for remote command execution. Impacket suite, with tools like wmiexec.py , psexec.py , and evil-winrm.py , offers more advanced and often stealthier ways to achieve the same. Mimikatz is the king of credential dumping and token manipulation. You’ll use it for sekurlsa::logonpasswords , lsadump::sam , lsadump::secrets , and crucially, lsadump::dcsync for dumping domain hashes. Remember that Mimikatz often requires elevated privileges. For privilege escalation , WinPEAS and PowerUp are essential scripts that automate the discovery of local privilege escalation vectors. JuiceSSH (on Android) can be surprisingly useful for quick remote access if you have a shell. Don’t underestimate the power of built-in Windows commands too! whoami /all , net user /domain , net group /domain , gpresult /r , quser , qwinsta , tasklist /svc , and systeminfo can provide a wealth of information without needing external tools. Learning to effectively use PowerShell within Windows environments is also non-negotiable. Mastering cmdlets like Get-ADUser , Get-ADGroup , Get-ADComputer , and their filtering capabilities will significantly speed up your enumeration. Finally, for password cracking , Hashcat is the industry standard. Make sure you know how to prepare your hash files and use different rule sets. Guys, the key is to practice these tools extensively in lab environments. Understand why they work and what information they provide. Knowing your tools is just as important as knowing the techniques themselves. Keep this list handy, and good luck!

Final Thoughts and OSCP Exam Tips for Active Directory

As we wrap up this comprehensive OSCP Active Directory cheat sheet , let’s focus on some final, crucial tips for the exam itself. You’ve got the tools, you’ve got the techniques, now you need the mindset and strategy to succeed. First and foremost, stay calm and methodical . The OSCP AD environment can seem daunting, but panic is your worst enemy. Take a deep breath, refer to your notes (this cheat sheet included!), and approach the problem systematically. Prioritize enumeration . Seriously, guys, I cannot stress this enough. The more you know about the environment from the get-go, the clearer your path will be. Don’t just run one tool and move on; run multiple enumeration techniques from different angles. Look for the low-hanging fruit first – often, it’s a simple misconfiguration or a weak password that can give you initial access. Document everything . Keep a running log of what you’ve scanned, what you’ve found, what commands you’ve run, and what the results were. This is vital for tracking your progress, avoiding repetitive work, and providing clear write-ups later. Your notes are your lifeline during the exam. Understand the attack lifecycle . Remember the flow: Enumeration -> Gaining Initial Access -> Lateral Movement -> Privilege Escalation -> Domain Compromise. Each stage builds on the previous one. Don’t get stuck trying to find a complex exploit if a simpler method is available. Leverage your lab time . The best way to internalize these techniques is through practice. The more time you spend in Active Directory labs (like those provided by Offensive Security or other platforms), the more comfortable you’ll become with the tools and common AD pitfalls. Identify common AD misconfigurations and practice exploiting them until it becomes second nature. Don’t be afraid to pivot . Once you gain access to one machine, think about how you can use that access to explore other parts of the network. Look for shared drives, administrative shares, or network connections that might lead you to more valuable targets. Read the prompts carefully . Sometimes the exam environment or specific machines will give you hints or point you in a general direction. Pay attention to usernames, machine names, and any other details that might be relevant. Finally, manage your time effectively . The OSCP exam is a race against the clock. Allocate your time wisely across different machines and objectives. If you’re stuck on one thing for too long, consider moving on to another objective and coming back later with a fresh perspective. Remember, the goal is to get as many points as possible. This OSCP Active Directory cheat sheet is designed to be a powerful resource, but it’s your dedication to practice and your problem-solving skills that will ultimately lead you to victory. You’ve got this, team! Go out there and conquer those domains!