Hacking Notes
Searchβ¦
β
Offensive
π‘
Defensive
β¨
Programming
Active Directory
Attack Workflow
Determine what ports are open
Enumerate with
- Determine open ports
- Scan ports with Nmap to fingerprint
- Enumerate AD information
- Domain info
- rpcclient
- enum4linux
- Get list of users
- If list not available, bruteforce usernames
- Determine if kerberos pre-auth exists
- Determine which users have SPNs (Service Principle Names)
enum4linux
Used to enumerate a huge amount of AD information from the command line.
1
enum4linux -a 10.1.1.10 # Attempts to enumerate everything at target
2
enum4linux -u administrator -p password -U 10.1.1.10 # Use stolen creds to enumerate all users
3
enum4linux -S 10.1.1.10 # Attempt to gather SMB shares
Copied!
rpcclient
Used to enumerate information about system over RPC
Kerberos
Kerbrute, used to run various kerberos attacks. Written in Go. https://github.com/ropnop/kerbruteβ
1
./kerbrute_linux_amd64 userenum --dc 10.10.107.154 -d spookysec.local ../userlist.txt
Copied!
Kerberoasting
Using a valid account on a pwned box, we can gather tickets for service accounts and extract the hash to crack. We must find all accounts in AD which have a SPN (Service Principle Name), then request RC4 tickets from the DC.
secretsdump
Used to extract hashes from a server. Below command will get NTDS.dit, assuming that you have an account with those permissions.
1
impacket-secretsdump -just-dc backup:[email protected]
Copied!
AD Detailed Mind Map
Last modified 4mo ago
Copy link