
AD Enumeration TOOL
Tools
Ldapsearch
(https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/) (https://devconnected.com/how-to-setup-openldap-server-on-debian-10/)
HackTricks Offensive WMI - Active Directory Enumeration (Part 5)
-LLL -> compact LDIF output: no comments and no LDIF version line
-x   -> simple authentication (plain bind with a password; anonymous bind if -D/-w are omitted)
-H   -> LDAP URI including the protocol, e.g. ldap://host or ldaps://host
-h   -> hostname or IP only (deprecated, prefer -H)
-D   -> Bind DN. Against AD a Windows userPrincipalName (user@domain) is accepted here as well.
-w   -> password (-W prompts for it instead of leaving it in shell history)
-b   -> search base (the DN to search from)
-s   -> scope: base, one or sub
nmap scripts for LDAP
locate -r 'nse$' | grep ldap
/usr/share/nmap/scripts/ldap-brute.nse
/usr/share/nmap/scripts/ldap-novell-getpass.nse
/usr/share/nmap/scripts/ldap-rootdse.nse
/usr/share/nmap/scripts/ldap-search.nse
ldapsearch examples
Anonymous bind, read the rootDSE for the naming contexts (these are the search bases):
ldapsearch -x -H ldap://sizzle.htb.local -s base namingcontexts
Anonymous dump of the whole domain partition (only works if the DC allows anonymous reads):
ldapsearch -x -H ldap://sizzle.htb.local -s sub -b 'DC=HTB,DC=LOCAL'
Authenticated bind, dump only the users that are direct members of Domain Admins (memberOf does not show nested or primary-group membership):
ldapsearch -x -H ldap://sizzle.htb.local -D 'amanda@htb.local' -w 'Ashare1972' -b 'dc=htb,dc=local' \
'(&(objectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=htb,DC=local))'
rootDSE of another DC, all attributes, compact LDIF:
ldapsearch -LLL -x -H ldap://pdc01.lab.ropnop.com -b '' -s base '(objectclass=*)'
kerbrute
Username enumeration (no credentials needed; the KDC answers differently for existing and non-existing principals):
kerbrute userenum -d licordebellota.htb --dc 10.10.10.240 --downgrade user.txt
Downgrade
--downgrade makes kerbrute request RC4-HMAC (encryption type 23) instead of the AES types (17/18) it would otherwise negotiate. This matters for the AS-REP hashes kerbrute prints for accounts without pre-authentication: an etype 23 AS-REP is keyed with the user's NT hash and cracks in hashcat (mode 18200; 13100 for etype 23 TGS-REP) orders of magnitude faster than an AES one, whose key is derived with PBKDF2. hashcat can crack the AES etypes too, just far more slowly.
Why RC4 is usually still there: AD environments rarely disable etype 23 outright, because legacy applications and older clients only speak RC4. The usual group policy is to prefer AES and fall back to RC4 only for clients and services that cannot do better. Defenders therefore monitor the fallback instead of blocking it: tickets and AS-REPs issued with encryption type 0x17 are visible in Security events 4768/4769 (TicketEncryptionType field), and a burst of them from one host is the signature of a downgrade or Kerberoasting attempt.
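The monitoring side of the paragraph above, as an added example that is not part of the original page: it takes Security events 4768/4769 exported as key=value lines (the log lines and the field names are constructed here to resemble such an export, not a real SIEM schema) and flags RC4 (0x17) ticket requests, the Kerberoasting pattern (RC4 service tickets for non-computer SPNs) and the userenum pattern (4768 failures with status 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN, from one source).

```python
"""Flag Kerberos requests that fell back to RC4 (etype 0x17) and the
kerbrute userenum pattern, from exported 4768/4769 events.

Added example, not from the original page. SAMPLE_EVENTS is constructed;
the key=value export format and field names are assumptions.
"""
import re
from collections import Counter

RC4 = 0x17  # TicketEncryptionType value for RC4-HMAC

# Constructed sample events (not real log data). Failed requests log an
# encryption type of 0xffffffff, as Windows does.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=d.klay ServiceName=krbtgt IpAddress=10.10.14.5 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=amanda ServiceName=krbtgt IpAddress=10.10.14.5 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=nobody ServiceName=krbtgt IpAddress=10.10.14.9 TicketEncryptionType=0xffffffff Status=0x6
EventID=4768 TargetUserName=jdoe ServiceName=krbtgt IpAddress=10.10.14.9 TicketEncryptionType=0xffffffff Status=0x6
EventID=4769 TargetUserName=amanda@HTB.LOCAL ServiceName=DC01$ IpAddress=10.10.14.5 TicketEncryptionType=0x12 Status=0x0
EventID=4769 TargetUserName=amanda@HTB.LOCAL ServiceName=svc_sql IpAddress=10.10.14.5 TicketEncryptionType=0x17 Status=0x0
EventID=4769 TargetUserName=amanda@HTB.LOCAL ServiceName=svc_web IpAddress=10.10.14.5 TicketEncryptionType=0x17 Status=0x0
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """Turn key=value lines into dicts, adding an integer 'etype' field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(FIELD_RE.findall(line))
        ev["etype"] = int(ev.get("TicketEncryptionType", "0x0"), 16)
        events.append(ev)
    return events


def rc4_requests(events):
    """Every event (TGT or service ticket) that used RC4."""
    return [ev for ev in events if ev["etype"] == RC4]


def kerberoast_candidates(events):
    """Issued (Status 0x0) RC4 service tickets for SPNs that are neither
    computer accounts (name ends in $) nor krbtgt: the Kerberoasting /
    downgrade pattern. Returns (requesting user, service) pairs."""
    out = []
    for ev in events:
        if ev.get("EventID") != "4769" or ev["etype"] != RC4:
            continue
        if ev.get("Status") != "0x0":
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        out.append((ev["TargetUserName"], svc))
    return out


def rc4_requesters(events):
    """RC4 requests per source address; one host doing many stands out."""
    return Counter(ev["IpAddress"] for ev in rc4_requests(events))


def userenum_sources(events):
    """4768 failures with Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) per
    source: a burst from one address is a tool guessing usernames."""
    return Counter(ev["IpAddress"] for ev in events
                   if ev.get("EventID") == "4768" and ev.get("Status") == "0x6")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for user, svc in kerberoast_candidates(evs):
        print(f"RC4 service ticket: {user} -> {svc}")
    print("RC4 by source:", dict(rc4_requesters(evs)))
    print("userenum by source:", dict(userenum_sources(evs)))
```

Thresholds are left out on purpose: what counts as a burst depends on the environment, and a handful of legitimate RC4 tickets from a legacy application host is normal, which is exactly why the per-source counts and the SPN filter matter more than a single 0x17 hit.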
Bloodhound.py
Get a TGT first (written to d.klay.ccache), then point bloodhound-python at it with -k; -ns sends DNS lookups to the DC and -dc must be the DC's FQDN so the Kerberos SPN matches:
impacket-getTGT 'absolute.htb/d.klay:Darkmoonsky248girl' -dc-ip 10.10.11.181
KRB5CCNAME=d.klay.ccache bloodhound-python -u d.klay -p 'Darkmoonsky248girl' -k -ns 10.10.11.181 -d absolute.htb -dc dc.absolute.htb -c ALL --zip
To start from a clean graph, wipe the neo4j database with this Cypher query and restart BloodHound:
MATCH (n) OPTIONAL MATCH (n)-[r]-() DELETE n,r
Get a ticket
kinit takes user@REALM (the realm must be configured in /etc/krb5.conf):
kinit d.klay@ABSOLUTE.HTB
klist
Kerberos only cares about two things: time and credentials. If getting a ticket fails with a clock skew error (KRB_AP_ERR_SKEW), sync the clock with the DC first:
ntpdate -s <dc name or ip>
Impacket getST with credentials
Request a service ticket for one SPN (here CIFS on hope.windcorp.htb); it is saved as a .ccache you can export via KRB5CCNAME:
impacket-getST -spn cifs/hope.windcorp.htb -dc-ip 192.168.0.2 -debug 'windcorp.htb/ray.duncan:pantera'
Topics
DNS
AD DS relies heavily on DNS, especially SRV records for service discovery. The most useful and common ones:
dig -t SRV _gc._tcp.lab.ropnop.com        (Global Catalog)
dig -t SRV _ldap._tcp.lab.ropnop.com      (LDAP, i.e. the domain controllers)
dig -t SRV _kerberos._tcp.lab.ropnop.com  (KDC)
dig -t SRV _kpasswd._tcp.lab.ropnop.com   (password change service)
nmap --script dns-srv-enum --script-args "dns-srv-enum.domain='lab.ropnop.com'"
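What to do with the SRV answers, as an added example that is not part of the original page: parse the records dig returns (both the full answer section and the +short form) and order the targets the way a client would, lowest priority first and heavier weight first within a priority, so enumeration hits the DC the domain itself prefers. The dig output below is constructed; the extra hostnames are invented for the lab.ropnop.com example.

```python
"""Parse AD SRV records from dig output and order the targets.

Added example, not from the original page. SAMPLE_FULL and SAMPLE_SHORT
are constructed dig output; the hostnames are made up.
"""

# Constructed: full answer section as printed by `dig -t SRV`.
SAMPLE_FULL = """\
;; ANSWER SECTION:
_ldap._tcp.lab.ropnop.com. 600 IN SRV 0 100 389 pdc01.lab.ropnop.com.
_ldap._tcp.lab.ropnop.com. 600 IN SRV 0 50 389 dc02.lab.ropnop.com.
_ldap._tcp.lab.ropnop.com. 600 IN SRV 10 100 389 branchdc.lab.ropnop.com.
"""

# Constructed: the same kind of data from `dig +short -t SRV _kerberos._tcp...`.
SAMPLE_SHORT = """\
0 100 88 pdc01.lab.ropnop.com.
0 50 88 dc02.lab.ropnop.com.
"""


def parse_srv(text):
    """Return (priority, weight, port, target) tuples from dig output.

    Accepts the full answer section (8 fields per record) and +short
    (4 fields); anything else, such as ';;' comment lines, is skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 8 and parts[3] == "SRV":
            parts = parts[4:]
        if len(parts) != 4:
            continue
        try:
            prio, weight, port = (int(x) for x in parts[:3])
        except ValueError:
            continue
        records.append((prio, weight, port, parts[3].rstrip(".")))
    return records


def order_targets(records):
    """Deterministic RFC 2782 ordering: lowest priority first, and within a
    priority the larger weight first. A real client picks randomly in
    proportion to weight; for enumeration a stable list is what we want.
    Returns (host, port) pairs with duplicates removed."""
    seen, ordered = set(), []
    for prio, weight, port, host in sorted(records, key=lambda r: (r[0], -r[1], r[3])):
        if (host, port) not in seen:
            seen.add((host, port))
            ordered.append((host, port))
    return ordered


if __name__ == "__main__":
    for host, port in order_targets(parse_srv(SAMPLE_FULL)):
        print(f"{host}:{port}")
```

A branch-office DC with a higher priority number (branchdc above) is only used when every priority-0 DC is unreachable, so it is the one least likely to be where the interesting accounts log on, and the one most likely to be forgotten when patching.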
Domain metadata through LDAP
The rootDSE (empty base DN) is readable without authentication and carries three attributes that give away the OS generation of the domain, the forest and the DC you are talking to:
domainFunctionality
forestFunctionality
domainControllerFunctionality
Value  Forest        Domain              Domain Controller
0      2000          2000 Mixed/Native   2000
1      2003 Interim  2003 Interim        N/A
2      2003          2003                2003
3      2008          2008                2008
4      2008 R2       2008 R2             2008 R2
5      2012          2012                2012
6      2012 R2       2012 R2             2012 R2
7      2016          2016                2016
ldapsearch -LLL -x -H ldap://pdc01.lab.ropnop.com -b '' -s base '(objectclass=*)'
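Turning the raw LDIF from the commands above into something a script can use, as an added example that is not part of the original page. It serves both the rootDSE query in this section and the Domain Admins filter in the ldapsearch examples earlier: it unfolds LDIF continuation lines (ldapsearch wraps long values onto lines starting with a space), decodes `attr:: base64` values (emitted for non-ASCII or unsafe strings), maps the functional levels with the table above, and lists direct members of a group and SPN-bearing accounts. The LDIF below is constructed; every DN and value in it is made up.

```python
"""Parse ldapsearch -LLL (LDIF) output: rootDSE metadata, group members
and SPN accounts.

Added example, not from the original page. SAMPLE_LDIF is constructed to
look like ldapsearch output against a lab domain; nothing in it is real.
"""
import base64

# Functional level -> OS generation (the table on this page).
FUNCTIONAL_LEVELS = {
    0: "2000", 1: "2003 Interim", 2: "2003", 3: "2008",
    4: "2008 R2", 5: "2012", 6: "2012 R2", 7: "2016",
}

# Constructed sample. Note the empty rootDSE dn, the folded memberOf value
# (continuation line starts with a space) and the base64 description
# ("Zürich", base64-encoded because of the non-ASCII character).
SAMPLE_LDIF = """\
dn:
namingContexts: DC=htb,DC=local
namingContexts: CN=Configuration,DC=htb,DC=local
namingContexts: CN=Schema,CN=Configuration,DC=htb,DC=local
domainFunctionality: 7
forestFunctionality: 7
domainControllerFunctionality: 7

dn: CN=amanda,CN=Users,DC=htb,DC=local
objectClass: user
sAMAccountName: amanda
memberOf: CN=Domain Admins,CN=Users,DC=htb,DC=local
memberOf: CN=Remote Management Users,CN=Builtin,DC=htb,DC=local
description:: WsO8cmljaA==

dn: CN=svc_sql,CN=Users,DC=htb,DC=local
objectClass: user
sAMAccountName: svc_sql
servicePrincipalName: MSSQLSvc/sql01.htb.local:1433
memberOf: CN=Remote Management Users,CN=Builtin,DC=htb,DC=lo
 cal
"""


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each {attribute_lowercased: [values...]}.
    Attribute names are lowercased because LDAP treats them case-insensitively."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):      # comments (not present with -LLL)
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def root_dse(entries):
    """Naming contexts and decoded functional levels from the rootDSE (empty DN)."""
    for e in entries:
        if e.get("dn") != [""]:
            continue
        info = {"namingContexts": e.get("namingcontexts", [])}
        for attr in ("domainfunctionality", "forestfunctionality",
                     "domaincontrollerfunctionality"):
            if attr in e:
                raw = e[attr][0]
                info[attr] = FUNCTIONAL_LEVELS.get(int(raw), f"unknown level {raw}")
        return info
    return None


def members_of(entries, group_dn):
    """sAMAccountNames whose memberOf lists group_dn (DNs compare case-insensitively).
    Direct membership only: nested groups and the primary group are not in memberOf."""
    want = group_dn.lower()
    return sorted(e["samaccountname"][0] for e in entries
                  if "samaccountname" in e
                  and any(m.lower() == want for m in e.get("memberof", [])))


def with_spn(entries):
    """Accounts carrying a servicePrincipalName, i.e. Kerberoasting candidates."""
    return [(e["samaccountname"][0], e["serviceprincipalname"])
            for e in entries if "serviceprincipalname" in e]


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    print(root_dse(ents))
    print("Domain Admins:", members_of(ents, "CN=Domain Admins,CN=Users,DC=htb,DC=local"))
    print("SPN accounts:", with_spn(ents))
```

Because memberOf only records direct membership, a user who is a Domain Admin through a nested group will not show up in `members_of`; to catch those from the server side, query with the transitive matching rule instead of a plain memberOf filter: `(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=htb,DC=local)`.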
MS-RPC
samba
rpcclient
smbclient
net
Impacket (ropnop's statically compiled impacket binaries are handy on hosts without a working Python)
LDAP
389 LDAP, 636 LDAPS (TLS), 3268 Global Catalog, 3269 Global Catalog over TLS
Start with an nmap scan of these ports. The Global Catalog ports answer with a partial attribute set for every domain in the forest, not just the local domain, which makes them the better place for forest-wide user and group enumeration.