AD Enumeration

Port scanning

• nmap -A -p- -T3 --open -vvv -Pn <IP> -oN <output_file>

• Important ports are 88, 445 and 139.

SMB Enumeration

smbclient

smbclient //<IP>/interesting-directory -c 'recursive ; ls' - Fast smb directory enumeration

smbmap

smbmap -H <IP> -U ''"

RPC Enumeration

Authenticating

rpcclient -U '' -N <IP> - Without password

rpcclient -U '' -P '' <IP> - Using a password

Enumerating RPC

enumdomusers - Enumerate all domain users

querygroupmem 0x200 - Enumerate all the admin users of the domain.

queryuser 0x1f4 - Enumerate user information using the rid.

LDAP Enumeration

Using ldapsearch and ldapdomaindump

ldapsearch

ldapsearch -H ldap://<IP> -x -s base namingcontext

ldapsearch -H ldap://<IP> -x -s -b 'DC=tld,DC=local' '(objectClass=User)' 'sAMAccountName' | grep sAMAccountname

ldapdomaindump

ldapdomaindump.py -u 'domain.local\user' -p 'password123' <IP>

Kerberos

User enumeration

kerbrute userenum --dc <domain.local> -d <domain> <path-to-user-wordlist>

Brute-Forcing Users

kerbrute bruteuser --dc <domain-ip> --domain <domain> rockyou.txt sqlservice

Kerberoasting

pageKerberoasting

Crackmapexec

Brute-Force

crackmapexec smb targets.txt -u users.txt -p passwords.txt

crackmapexec smb targets.txt -u users.txt -p passwords.txt --continue-on-success

Get Domain Password Policy

crackmapexec smb 192.168.1.0/24 -u username -p 'password' --pass-pol

Password / Username Spraying

crackmapexec smb 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

Scan for vulnerabilities

crackmapexec smb <ip> -u '' -p '' -M zerologo - Zerologon

crackmapexec smb <ip> -u '' -p '' -M petitpotam - petitpotam

crackmapexec smb <ip> -u 'user' -p 'pass' -M nopac - NoPac >> You need credentials dor this one.

IntroductionCrackMapExec ~ CME WIKI

Evil-Winrm

Connecting through winrm

evil-winrm -i <IP> -u 'user' -p 'password'