
Active Directory Lab Setup [ AD Enumeration ] - 103

A step-by-step guide for building your very own Cybersecurity Home Lab using VMware Workstation

BRUTEFORCING DOMAIN PASSWORDS

For brute-forcing domain passwords we need our own Kali Linux.

Please install Kali Linux for VMware by following a YouTube video or other documentation. My suggestions:

Let's start brute-forcing 👍

We need the usernames for the brute force. Let's copy all the users from DC01 to our Kali.

Kali tips: I have my own Kali repository on my GitHub, so you can build a zsh shell very quickly and set up tmux nicely. I always use tmux. I love tmux 😘

Preinstallations: Sublime Text

After copying the usernames from DC01, create a file for them in our Kali Linux.

  • Open the file in Vim:

  • Enter Normal Mode: Press Esc to ensure you are in Normal mode.

  • Remove spaces and put each word on a new line: You can use the following Vim command in Normal mode:

By following these steps, all spaces between words will be removed, and each word will be placed on a new line.

Then remove the 'Administrator', 'Guest' and 'krbtgt' accounts from the list. We are only going to work with normal user accounts for now.

Customize Rockyou.txt

Let's first unzip the rockyou.txt.gz file in our /usr/share/wordlists directory:

rockyou.txt is big: almost 14 million lines (the wc -l command shows how many lines the file has). So I just cut the first 1000 passwords out of it with the head command.
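The username cleanup and the wordlist trimming above are one preparation step, so here they are together as a small POSIX shell script. This is an added example, not code from the original guide: it does with tr/grep/sort what the Vim substitution does, drops the built-in accounts, and takes the first N entries of the wordlist (gunzipping it on the fly if it is still rockyou.txt.gz). The file names raw.txt, users.txt and passwords.txt are assumptions, and the demo input at the bottom is constructed, not real DC01 output.

```shell
#!/bin/sh
# Added example (not from the original guide): build users.txt from the names
# pasted from DC01 and cut the wordlist down to its first N passwords.
# File names are assumptions; adjust them to your lab.

# make_userlist RAW OUT
#   RAW holds the usernames as copied from DC01 (any mix of spaces, tabs,
#   CRLF line endings, mixed case). Writes one lower-cased name per line to
#   OUT, without Administrator/Guest/krbtgt and without duplicates.
make_userlist() {
    tr -s ' \t\r\n' '\n' < "$1" \
      | tr 'A-Z' 'a-z' \
      | grep -v '^$' \
      | grep -v -E '^(administrator|guest|krbtgt)$' \
      | sort -u > "$2"
}

# make_wordlist SRC N OUT
#   Copies the first N lines of SRC to OUT. SRC may be the gzipped wordlist
#   (e.g. /usr/share/wordlists/rockyou.txt.gz), in which case it is
#   decompressed on the fly and the original file is left untouched.
make_wordlist() {
    case "$1" in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac | head -n "$2" > "$3"
}

# --- demo with constructed input (not real DC01 output) ---
demo_dir=$(mktemp -d)
printf 'Administrator Guest krbtgt abutler\tjsmith\r\nAButler mkhan\n' > "$demo_dir/raw.txt"
printf 'password\n123456\nsoftball\nqwerty\n' > "$demo_dir/rockyou-sample.txt"
make_userlist "$demo_dir/raw.txt" "$demo_dir/users.txt"
make_wordlist "$demo_dir/rockyou-sample.txt" 3 "$demo_dir/passwords.txt"
echo "users:";     cat "$demo_dir/users.txt"       # abutler jsmith mkhan, one per line
echo "passwords:"; cat "$demo_dir/passwords.txt"   # first three lines only
rm -r "$demo_dir"
```

For the real wordlist, call make_wordlist /usr/share/wordlists/rockyou.txt.gz 1000 passwords.txt; reading with gzip -dc avoids needing sudo to unpack the file in place. Keep the wordlist short on purpose: a domain with a lockout policy will lock every account in users.txt long before 1000 attempts each.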

Let's confirm that we can ping our DC01 (we can).

Enumeration

nmap scan

After running the nmap scan we can see that several ports are open. These are the default ports Active Directory services listen on on a Windows domain controller, so try to remember them: 53 (DNS), 88 (Kerberos), 135 (RPC), 139/445 (SMB), 389/636 (LDAP/LDAPS) and 3268/3269 (Global Catalog).

Next, let's log in with a user on our WS01 and note its IP address. Then run an nmap scan against it:

We can see that SMB is not showing up as open on WS01. Let's use another tool for this enumeration; using multiple tools is best practice for enumeration.

Lets Use Crackmapexec

DC01 is a valid target, but let's first try with fake login credentials.

STATUS_LOGON_FAILURE means the credentials are not valid for DC01. Let's make some changes.

After running this command we get a valid hit.

If you run it, I think you will get the same user every time: by default CrackMapExec stops trying once it gets a successful login on a host. So the question is how we can brute-force the other users as well.

It's going to take some time, so sit back, relax and enjoy 😁

We can do a lot of things with CrackMapExec. For enumeration:

CrackMapExec Enumeration Keywords and Commands

  1. Enumerate Users

  2. Enumerate Groups

  3. Enumerate Shares

  4. Enumerate Sessions

  5. Enumerate Logged On Users

  6. Enumerate Domain Info

  7. Enumerate Password Policy

  8. Enumerate LAPS Passwords

  9. Enumerate Active Directory Information

  10. Enumerate Domain Controllers

  11. Enumerate Domain Trusts

  12. Enumerate ACLs

  13. Enumerate Group Policy Objects (GPOs)

  14. Enumerate Delegations

  15. Enumerate Computers

BLOODHOUND Domain Enumeration

Another great tool for enumerating AD is BloodHound. There is really no alternative to BloodHound 😁

Let's download BloodHound.

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory or Azure environment.

BloodHound has its own documentation (feel free to read it).

Let's download BloodHound from their docs.

running Bloodhound

I set up BloodHound in my /opt directory.

Setup a password for Bloodhound:

After opening BloodHound we give the neo4j default credentials 'neo4j:neo4j', and it will ask us to set a new password.

requesting for password setup

Visit localhost:7474, enter the default credentials neo4j:neo4j, and a prompt to set a new password will open; set it there. Keep neo4j bound to localhost (the default): anything that can reach port 7474 or 7687 with those credentials can read the whole collected domain.

Reset Bloodhound Credentials

You can reset the password via:

After opening BloodHound it asks us for data, so we have to collect some.

In the brute-forcing section we got some SMB credential hits, right?

I just copied everything into creds.txt. Let's extract our credentials from it.

  • Open the file in Vim:

  • Enter Normal Mode: Press Esc to ensure you are in Normal mode.

  • Run the substitution command: Use the following command to transform each line:

By following these steps, each line is transformed from the format "SMB 10.10.0.100 445 DC1 [+] xyz.com\abutler:softball" into the username:password format, e.g. abutler:softball.

We have the credentials. Now we have to upload some data into the BloodHound GUI application.

BloodHound has a Python collector, bloodhound-python.

We can install it simply by running pip install bloodhound.

Let's make some changes first. Let's add 10.10.0.100 dc1.xyz.com to our /etc/hosts

and then change the nameserver in /etc/resolv.conf to 10.10.0.100, so that Kali resolves the lab domain through the DC (bloodhound-python can also be pointed at the DC's resolver directly with -ns 10.10.0.100).
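The same extraction as a shell function, so it can run in a pipeline straight from the spray output. This is an added example, not the guide's Vim command: it keeps only the [+] lines that carry a domain\user:password, drops everything up to and including the backslash, and removes the " (Pwn3d!)" marker CrackMapExec appends when the user is a local admin. The sample lines in the usage note are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original guide): turn CrackMapExec [+] lines
# into user:password pairs.

# extract_creds IN_FILE
#   Reads lines such as
#     SMB  10.10.0.100  445  DC1  [+] xyz.com\abutler:softball
#     SMB  10.10.0.100  445  DC1  [+] xyz.com\jsmith:Winter 2024 (Pwn3d!)
#   and prints abutler:softball and jsmith:Winter 2024, one per line,
#   deduplicated. [-] lines (STATUS_LOGON_FAILURE etc.) are ignored.
extract_creds() {
    grep '\[+\] [^\\]*\\[^:]*:' "$1" \
      | sed -e 's/.*\[+\] //' \
            -e 's/^[^\\]*\\//' \
            -e 's/ (Pwn3d!)$//' \
      | sort -u
}

# Usage:  extract_creds creds.txt > userpass.txt
```

Passwords are taken verbatim after the first colon, so a password containing spaces or colons survives; only a literal trailing " (Pwn3d!)" is stripped.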
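The two resolver changes above, scripted so they are idempotent (a second run does not add a duplicate hosts line). This is an added example, not from the original guide; the file paths are parameters so you can try it on scratch copies, as the demo at the bottom does, before running it as root against /etc/hosts and /etc/resolv.conf. The IP 10.10.0.100, the hostname dc1.xyz.com and the domain xyz.com are the lab values from this page.

```shell
#!/bin/sh
# Added example (not from the original guide): point Kali at the lab DC for
# name resolution without duplicating /etc/hosts entries.

# ensure_hosts_entry HOSTS_FILE IP NAME
#   Appends "IP NAME" unless an uncommented line already lists NAME as a
#   whole hostname. Safe to run repeatedly.
ensure_hosts_entry() {
    hosts=$1; ip=$2; name=$3
    name_re=$(printf '%s' "$name" | sed 's/\./\\./g')   # escape dots for grep
    if grep -q -E "^[^#]*[[:space:]]$name_re([[:space:]]|\$)" "$hosts"; then
        return 0
    fi
    printf '%s %s\n' "$ip" "$name" >> "$hosts"
}

# set_resolver RESOLV_FILE IP DOMAIN
#   Rewrites RESOLV_FILE so DOMAIN is the search suffix and IP the only
#   nameserver (here: the DC, which serves the lab's DNS).
set_resolver() {
    resolv=$1; ip=$2; domain=$3
    printf 'search %s\nnameserver %s\n' "$domain" "$ip" > "$resolv"
}

# --- demo on scratch copies (constructed) ---
# Use /etc/hosts and /etc/resolv.conf instead, as root, to apply for real.
demo=$(mktemp -d)
printf '127.0.0.1 localhost\n' > "$demo/hosts"
ensure_hosts_entry "$demo/hosts" 10.10.0.100 dc1.xyz.com
ensure_hosts_entry "$demo/hosts" 10.10.0.100 dc1.xyz.com   # second call adds nothing
set_resolver "$demo/resolv.conf" 10.10.0.100 xyz.com
cat "$demo/hosts" "$demo/resolv.conf"
rm -r "$demo"
```

After applying it, check with getent hosts dc1.xyz.com and nslookup dc1.xyz.com. Note that NetworkManager and DHCP clients rewrite /etc/resolv.conf on reconnect, so on a long-lived Kali VM either configure the DNS server in NetworkManager for that interface or expect to rerun set_resolver.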

Lets run Bloodhound-python

  • bloodhound-python: the collector that gathers AD data for BloodHound.

  • -u abutler: username to authenticate as.

  • -p softball: password for that user.

  • -dc dc1.xyz.com: domain controller to query.

  • --disable-autogc: do not automatically pick a Global Catalog server; query only the DC given with -dc (useful in a lab where DNS may not advertise one).

  • -d xyz.com: the AD domain.

Running ls afterwards shows the JSON files the collector wrote (one per object type: users, groups, computers, domains and so on). These are the files we upload into the BloodHound GUI.
