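# Host Discovery

```bash
# fping example
# -a: shows hosts that are alive
# -g: generates a target list from a supplied IP/netmask
# -q: quiet mode (per-probe errors are suppressed, only the results are printed)
fping -agq 10.211.11.0/24

# Nmap ping scan (host discovery only, no port scan). Hosts that drop the
# ICMP/ARP probes are missed, so re-check suspicious gaps with -Pn later.
nmap -sn 10.211.11.0/24

# Manual ping sweep. Each probe is backgrounded; `wait` collects them before
# the loop returns so nothing is still printing after the prompt comes back.
for i in {1..255}; do ping -c 1 192.168.1.${i} | grep "bytes from" & done; wait

# Manual TCP connect sweep of one host using bash's /dev/tcp (bash-only, not
# POSIX sh). A filtered port can leave the connect hanging, so every attempt
# is bounded with `timeout`.
for i in {1..65535}; do timeout 1 bash -c "echo > /dev/tcp/192.168.1.1/$i" >/dev/null 2>&1 && echo "$i is open"; done
```

# Port Scanning

Once we’ve discovered live hosts, we must identify which one is the DC (Domain Controller). A host answering on 88 (Kerberos) and 389 (LDAP) is almost certainly a DC; 53 on the same host is the usual AD-integrated DNS.

```bash
# Common AD ports and protocols
53        DNS
88        Kerberos
135       MS-RPC (endpoint mapper)
139       SMB/NetBIOS
389       LDAP
445       SMB
464       Kerberos (kpasswd)
636       LDAPS
3268/3269 Global Catalog (LDAP / LDAPS)

# Targeted scan of the AD ports with default scripts and version detection
# (-sCV is shorthand for -sC -sV). Good enough to pick out the DC.
nmap -p 53,88,135,139,389,445,464,636,3268 -sCV -iL hosts.txt -oN ad_ports.txt

# Full TCP port scan. -sS needs raw sockets, hence sudo. -Pn skips host
# discovery, -n skips reverse DNS, --open prints only open ports. Without
# -p- nmap only covers its top 1000 ports, so the output would not be a
# "full" scan. --min-rate 3000 is fast but noisy and can drop answers on
# rate-limited links; lower it if results look incomplete.
sudo nmap -sS -Pn -n -p- --open --min-rate 3000 -iL hosts.txt -oN full_port_scan.txt
```

# Network Enumeration - SMB

```bash
# Share listing over a guest / null session. `guest` with an empty password only
# works when the guest account is enabled; try -u '' -p '' for a true null
# session as well.
nxc smb <domain> -u guest -p '' --shares
smbclient -N -L //$IP
smbmap -H $IP
# Anonymous access to IPC$ is common and harmless on its own; readable SYSVOL or
# NETLOGON is worth a closer look, since logon scripts stored there can carry
# credentials.
```

# User Enumeration

nxc

```bash
# RID cycling over SMB (SAMR): resolves a RID range into account names.
nxc smb <domain> -u guest -p '' --rid-brute
# Keep only user objects (groups and computers are reported with other SID types).
nxc smb <domain> -u guest -p '' --rid-brute | grep SidTypeUser
```

LDAP

```bash
# LDAP Enumeration (Anonymous Bind)
# -x: simple authentication (with no -D/-w this is an anonymous bind)
# -H: specifies the LDAP server
# -s: limits the query only to the base object and does not search subtrees or children
# With no -b the base is the rootDSE, which every DC answers without credentials;
# its namingContexts / defaultNamingContext attributes give the BASE_DN used below.
ldapsearch -x -H ldap://$IP -s base
# If anonymous reads of the directory are enabled
ldapsearch -x -H ldap://$IP -b "<BASE_DN>" "<SEARCH_FILTER>"
ldapsearch -x -H ldap://$IP -b "dc=<domain>,dc=<tld>" "(objectClass=person)"
```

RPC

```bash
# RPC Enumeration (Null Session): -U "" gives an empty username, -N skips the password prompt
rpcclient -U "" -N $IP
# If enabled
enumdomusers
```

Enum4linux-ng

```bash
# -A: Performs all available enumeration functions
# -oA: Writes output to YAML and JSON files. It takes a filename *prefix*; the
#      extensions are added automatically (results.yaml / results.json), so do
#      not pass a name that already ends in .txt.
enum4linux-ng -A $IP -oA results
```

RID Cycling

```bash
# RID ranges are used to assign unique IDs to user and group objects.
# The RID is the last component of a SID (domain SID + RID).
# 500 is the Administrator account (renaming the account does not change the RID)
# 501 is the Guest account
# 512-514 are Domain Admins, Domain Users and Domain Guests
# 1000+ are handed out to objects created after the domain was built (users, groups, computers)
for i in {500..2000}; do echo "queryuser $i" | rpcclient -U "" -N $IP 2>/dev/null | grep -i "User Name"; done

# Same thing over ONE connection instead of 1500: rpcclient -c takes
# semicolon-separated commands, which is both faster and far less noisy.
rpcclient -U "" -N $IP -c "$(for i in {500..2000}; do printf 'queryuser %s;' "$i"; done)" 2>/dev/null | grep -i "User Name"
```

Kerbrute

```bash
# Unlike NTLM, which relies on a challenge-response mechanism,
# Kerberos uses a ticket-based system managed by a trusted 3rd party, the KDC.
# Tools like enum4linux or rpcclient may return some usernames but they could be invalid;
# Kerbrute lets us confirm which ones are real and valid. It sends an AS-REQ per
# name with no password attempt: an existing account gets KDC_ERR_PREAUTH_REQUIRED,
# an unknown one KDC_ERR_C_PRINCIPAL_UNKNOWN, so it does not touch the lockout
# counter. It is not silent, though - each miss is a Kerberos event on the DC
# (typically 4768 with an unknown-principal failure code), so a big wordlist
# stands out in logs.
# If our user enumeration tool choice was only Kerbrute, we can use the following wordlist
# <https://github.com/danielmiessler/SecLists/blob/master/Usernames/Names/names.txt>
kerbrute userenum --dc $IP -d domain.tld users.txt
```

# Password Policy

Always read the policy before spraying: the lockout threshold and the lockout-counter reset window decide how many attempts per user are safe.

rpcclient

```bash
rpcclient -U "" -N <IP>   # Null session
getdompwinfo              # query the DC for the password policy
# example output
password_properties: 0x00000001   # bit 0 = DOMAIN_PASSWORD_COMPLEX: complexity is enforced
```

crackmapexec

```bash
crackmapexec smb <IP> --pass-pol
# example output
Password Complexity Flags: 000001
# The same output also lists the Account Lockout Threshold, the lockout duration
# and the reset window for the lockout counter. A threshold of 0 means no
# lockout; otherwise stay below it per user within one reset window.
# crackmapexec itself is no longer maintained; nxc (NetExec, used above) is the
# maintained fork and accepts the same flags.
```

# Password Spraying

```bash
# A spray is ONE password tried against MANY users. The naive form below tries
# every user/password combination (a brute force) and will lock accounts out as
# soon as the lockout threshold is reached - do not run it as-is against a
# domain with a non-zero threshold.
crackmapexec smb <IP> -u users.txt -p passwords.txt

# Correct spray: a single password across the user list. --continue-on-success
# keeps going after the first hit instead of stopping at it. Run one password
# per pass and wait out the lockout-counter reset window between passes.
crackmapexec smb <IP> -u users.txt -p '<password>' --continue-on-success

# If you do pass two files, --no-bruteforce pairs them line by line
# (user1 => password1, user2 => password2) instead of trying all combinations.
crackmapexec smb <IP> -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
```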