# Active Directory Attacks

- [Password spraying](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/password-spraying.md): People don't always choose strong passwords, neither do IT people for temporary accounts. Spraying passwords against all user accounts is effective for moving laterally and escalating privileges.
- [AS-REP Roasting](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3.md)
- [Empty password](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3-1.md): It is possible that accounts have an empty password if the useraccountcontrol attribute contains the value PASSWD\_NOT\_REQ.
- [Password in description](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3-2.md): A old habit from IT people was to write down the password for shared user accounts in the description field, which every user with a bit of knowledge can read from all users!
- [Kerberoasting](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3-3.md)
- [Delegation Attacks](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks.md)
- [Unconstrained Delegation](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/unconstrained-delegation.md)
- [Printerbug](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/unconstrained-delegation/page-3.md): Abusing unconstrained delegation and the printspooler service.
- [Constrained Delegation](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/page-3.md): If a user or computer has constrained delegation configured, it's possible to impersonate any domain user and authenticate to a service that the user account is trusted to delegate to. It is also poss
- [Resource Based Constrained Delegation](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation.md)
- [Computeraccount Takeover](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation/computeraccount-takeover.md): If you have GenericAll or GenericWrite rights to a computer object you can write to the attribute msds-AllowedToActOnBehalfOfOtherIdentity and the abuse the delegation to take over the system
- [Change-LockScreen](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation/resource-based-constrained-delegation.md): Abuse the lockscreen image changing functionality to achieve a webdav network authentication as SYSTEM from the given computer. Then relay the authentication to the Active Directory LDAP service in or
- [Webclient Attack (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation/webclient-attack-todo.md)
- [DACL-Abuses](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses.md)
- [Write Owner](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/page-2.md)
- [Owns](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/owns.md): If you are "Owner" of a object, you can change the DACL of the object.
- [WriteDacl](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/writedacl.md)
- [GenericAll](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/genericall.md)
- [GenericWrite (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/genericwrite-todo.md)
- [ForceChangePassword](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/forcechangepassword.md)
- [Add user to group (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/add-user-to-group-todo.md)
- [Targeted Kerberoast (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/targeted-kerberoast-todo.md)
- [Get-Changes](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/get-changes.md)
- [Reused local administrator (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/reused-local-administrator-todo.md)
- [SQL Server Attacks (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks.md)
- [Initial Access](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/initial-access.md)
- [SQL Server default login](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/initial-access/sql-server-default-login.md)
- [Normal domain user access](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/initial-access/normal-domain-user-access.md)
- [Privilege Escalation](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation.md)
- [Impersonation](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/impersonation.md): SQL Server has a special permission, named impersonate, this enables one user to operate with the permissions of another user as well as their own permissions.
- [DB-Owner](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/db-owner.md)
- [Enumerate Logins](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/enumerate-logins.md)
- [Weak passwords](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/enumerate-logins/weak-passwords.md)
- [Executing Commands](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/executing-commands.md): xp\_cmdshell could be used to execute commands on the SQL Server.
- [Database-Links](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/database-links.md): SQL Servers can be configured to link to other SQL Servers.
- [Capturing hashes & Relaying](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/capturing-hashes-and-relaying.md): SQL servers by default run as a service with a local account, but might run under a domain user account. These are normally local admin on a server and might be on multiple SQL Servers.
- [Reading LAPS passwords (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/laps.md)
- [Priviliged Groups (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups.md)
- [DNS-Admins (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/dns-admins.md)
- [Account Operators (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/account-operators.md)
- [Backup Operators](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/backup-operators.md)
- [Server Operators (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/server-operators-todo.md)
- [Hopping domains and forests](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests.md)
- [Child to parent domain](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain.md)
- [Krbtgt hash](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain/page-3.md)
- [Trust key](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain/page-3-1.md)
- [Cross forest Attacks (todo)](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/cross-forest-attacks-todo.md)
- [Foreign user](/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/cross-forest-attacks-todo/page-3.md)