- [ ] Scan all TCP ports
	- `nmap $IP -Pn -n --open --min-rate 3000 -p-`
	- `nmap $IP -sC -sV -p $PORTS`
- [ ] Check UDP ports
	- `nmap $IP -sU --top-ports 10`
- [ ] For unknown ports, interact with them using
	- `telnet $IP $PORT`
	- `nc -nv $IP $PORT`
- [ ] Check `ldap`, `rpc`, `smb` with anonymous access. Check for public shares
	- [[NetExec]]
		- In an AD set, when testing multiple users and passwords with `nxc`, avoid putting all usernames and passwords in one file. These tools may stop after the first error. **Always test one username at a time**.
	- [[smbclient]]
	- Mount
		- `sudo mount -t cifs -o 'user=Wook' //$IP/$Share /mnt/wook`
		- `sudo umount /mnt/wook`
	- [[ldapsearch]]
	- [[rpcclient]]
- [ ] [[LLMNR&NBT-NS Poisoning]] with [[Responder]] (Linux) and `Inveigh` (Windows)
	- [ ] If you cannot crack the hash, [[NTLM Relay Attack]]
- [ ] Find **usernames**: if you get access, look for usernames with [[NetExec]] or [[rpcclient]]
	- `nxc smb $IP -u $USER -p $PWD --rid-brute`
	- `nxc smb $IP -u $USER -p $PWD --users`
	- `enumdomusers`
- [ ] Confirm usernames with [[Kerbrute]]
- [ ] Test for `asreproasting` after you have collected usernames. If successful, try cracking
	- [[GetNPUsers.py]]
	- [[Rubeus]]
	- [[NetExec]]
- [ ] Check for `kerberoasting` after you have a username and password
	- [[GetUserSPNS.py]]
	- [[Rubeus]]
	- [[targetedKerberoast]]
	- Fix clock skew errors for AD attacks (`$DC_IP` is the domain controller's address)
		- `sudo ntpdate $DC_IP` - Quick
		- `sudo rdate -s $DC_IP` - Alternative
		- [[Kerberoasting Error (KRB_AP_ERR_SKEW)]] - Final
- [ ] Try authenticating with every possible protocol using that set of credentials
	- `winrm`, `rdp`, `mssql`, `rpc`, `ldap`, etc.
- [ ] Enumerate shares for every user you get access to. Every new user means you should recheck their shares.
- [ ] If you get a shell as a user, check for PrivEsc, then dump all hashes and collect them in a file for possible brute-forcing and lateral movement.
- [ ] Run [[sec/OSCP Notes/07 Active Directory/tools & concepts/BloodHound|BloodHound]] and check for attack paths, roasting, and [[sec/OSCP Notes/07 Active Directory/tools & concepts/DCSync|DCSync]]
- [ ] Check for certificate-based attacks with [[Certipy]] or [[Certify.exe]]
- [ ] Check if writeable shares could be a path to steal hashes with [[Responder]]
- [ ] In an AD chain, check for additional network adapters in case `pivoting` is needed
	- [[ligolo-ng]]
		- `LigoloNG` - Traffic from the pivot host cannot reach my Kali directly; a new listener must be created.
- [ ] For `Post-Exploitation`, dump all hashes
	- [[Hashdump overview]]
	- [[Attacking SAM, SYSTEM, and SECURITY]]
	- [[Attacking LSASS]]
	- [[Attacking NTDS.dit]]
	- [[Mimikatz]]
		- `Mimikatz` does not work with `evil-winrm`; use `psexec.py` instead
- [ ] If you're stuck, remember to `ENUMERATE` again.