AD Enumeration

Port scanning

• nmap -A -p- -T3 --open -vvv -Pn <IP> -oN <output_file>

• Important ports are 88, 445 and 139.

SMB Enumeration

smbclient

smbclient //<IP>/interesting-directory -c 'recursive ; ls' - Fast smb directory enumeration

smbmap

RPC Enumeration

Authenticating

rpcclient -U '' -N <IP> - Without password

rpcclient -U '' -P '' <IP> - Using a password

Enumerating RPC

LDAP Enumeration

Using ldapsearch and ldapdomaindump

ldapsearch

ldapsearch -H ldap://<IP> -x -s base namingcontext

ldapsearch -H ldap://<IP> -x -s -b 'DC=tld,DC=local' '(objectClass=User)' 'sAMAccountName' | grep sAMAccountname

ldapdomaindump

Kerberos

User enumeration

kerbrute userenum --dc <domain.local> -d <domain> <path-to-user-wordlist>

Brute-Forcing Users

Kerberoasting

Kerberoasting

Crackmapexec

Brute-Force

crackmapexec smb targets.txt -u users.txt -p passwords.txt

crackmapexec smb targets.txt -u users.txt -p passwords.txt --continue-on-success

Get Domain Password Policy

Password / Username Spraying

Scan for vulnerabilities

https://wiki.porchetta.industries/wiki.porchetta.industries

Evil-Winrm

Connecting through winrm

evil-winrm -i <IP> -u 'user' -p 'password'