# Active Directory Attacks - [Password spraying](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/password-spraying.md): People don't always choose strong passwords, neither do IT people for temporary accounts. Spraying passwords against all user accounts is effective for moving laterally and escalating privileges. - [AS-REP Roasting](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3.md) - [Empty password](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3-1.md): It is possible that accounts have an empty password if the useraccountcontrol attribute contains the value PASSWD\_NOT\_REQ. - [Password in description](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3-2.md): A old habit from IT people was to write down the password for shared user accounts in the description field, which every user with a bit of knowledge can read from all users! - [Kerberoasting](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/page-3-3.md) - [Delegation Attacks](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks.md) - [Unconstrained Delegation](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/unconstrained-delegation.md) - [Printerbug](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/unconstrained-delegation/page-3.md): Abusing unconstrained delegation and the printspooler service. - [Constrained Delegation](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/page-3.md): If a user or computer has constrained delegation configured, it's possible to impersonate any domain user and authenticate to a service that the user account is trusted to delegate to. It is also poss - [Resource Based Constrained Delegation](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation.md) - [Computeraccount Takeover](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation/computeraccount-takeover.md): If you have GenericAll or GenericWrite rights to a computer object you can write to the attribute msds-AllowedToActOnBehalfOfOtherIdentity and the abuse the delegation to take over the system - [Change-LockScreen](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation/resource-based-constrained-delegation.md): Abuse the lockscreen image changing functionality to achieve a webdav network authentication as SYSTEM from the given computer. Then relay the authentication to the Active Directory LDAP service in or - [Webclient Attack (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/delegation-attacks/resource-based-constrained-delegation/webclient-attack-todo.md) - [DACL-Abuses](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses.md) - [Write Owner](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/page-2.md) - [Owns](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/owns.md): If you are "Owner" of a object, you can change the DACL of the object. - [WriteDacl](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/writedacl.md) - [GenericAll](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/genericall.md) - [GenericWrite (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/genericwrite-todo.md) - [ForceChangePassword](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/forcechangepassword.md) - [Add user to group (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/add-user-to-group-todo.md) - [Targeted Kerberoast (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/targeted-kerberoast-todo.md) - [Get-Changes](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/acl-abuses/get-changes.md) - [Reused local administrator (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/reused-local-administrator-todo.md) - [SQL Server Attacks (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks.md) - [Initial Access](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/initial-access.md) - [SQL Server default login](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/initial-access/sql-server-default-login.md) - [Normal domain user access](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/initial-access/normal-domain-user-access.md) - [Privilege Escalation](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation.md) - [Impersonation](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/impersonation.md): SQL Server has a special permission, named impersonate, this enables one user to operate with the permissions of another user as well as their own permissions. - [DB-Owner](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/db-owner.md) - [Enumerate Logins](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/enumerate-logins.md) - [Weak passwords](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/privilege-escalation/enumerate-logins/weak-passwords.md) - [Executing Commands](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/executing-commands.md): xp\_cmdshell could be used to execute commands on the SQL Server. - [Database-Links](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/database-links.md): SQL Servers can be configured to link to other SQL Servers. - [Capturing hashes & Relaying](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/sql-server-attacks/capturing-hashes-and-relaying.md): SQL servers by default run as a service with a local account, but might run under a domain user account. These are normally local admin on a server and might be on multiple SQL Servers. - [Reading LAPS passwords (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/laps.md) - [Priviliged Groups (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups.md) - [DNS-Admins (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/dns-admins.md) - [Account Operators (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/account-operators.md) - [Backup Operators](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/backup-operators.md) - [Server Operators (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/priviliged-groups/server-operators-todo.md) - [Hopping domains and forests](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests.md) - [Child to parent domain](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain.md) - [Krbtgt hash](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain/page-3.md) - [Trust key](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/child-to-parent-domain/page-3-1.md) - [Cross forest Attacks (todo)](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/cross-forest-attacks-todo.md) - [Foreign user](https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks/hopping-domains-and-forests/cross-forest-attacks-todo/page-3.md) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ad-lab.gitbook.io/building-a-windows-ad-lab/vulnerabilities-and-misconfigurations-and-attacks/active-directory-attacks.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.