Offensive

Exploit Workflow

Password Attacks

Microsoft Windows Exploits

Privilege Escalation

Active Directory

Priv Escalation

Post Exploitation

Defensive

Defensive Notes

Windows Forensics

Linux Forensics

Network Forensics

Malware Analysis

Programming

Programming Notes

Examples and Quick Scripts

Powered by GitBook

Active Directory

Attack Workflow
Determine what ports are open
Enumerate with 
Determine open ports
Scan ports with Nmap to fingerprint
Enumerate AD information
Domain info
rpcclient
enum4linux
Get list of users
If list not available, bruteforce usernames
Determine if kerberos pre-auth exists
Determine which users have SPNs (Service Principle Names)
enum4linux
Used to enumerate a huge amount of AD information from the command line.
enum4linux -a 10.1.1.10        # Attempts to enumerate everything at target
enum4linux -u administrator -p password -U 10.1.1.10    # Use stolen creds to enumerate all users
enum4linux -S 10.1.1.10        # Attempt to gather SMB shares
rpcclient
Used to enumerate information about system over RPC
Kerberos
Kerbrute, used to run various kerberos attacks. Written in Go. https://github.com/ropnop/kerbrute​
./kerbrute_linux_amd64 userenum --dc 10.10.107.154 -d spookysec.local ../userlist.txt
Kerberoasting
Using a valid account on a pwned box, we can gather tickets for service accounts and extract the hash to crack. We must find all accounts in AD which have a SPN (Service Principle Name), then request RC4 tickets from the DC.
secretsdump
Used to extract hashes from a server. Below command will get NTDS.dit, assuming that you have an account with those permissions.
impacket-secretsdump -just-dc backup:[email protected]

Privilege Escalation

Last updated 5 months ago

Contents

Attack Workflow