AKUMA
  • README 🥷🏽
  • Red Teaming 👹
    • Loading 50% 😒
  • 👿BLUE TEAM
    • YARA rules
  • 📦Containers
    • DOCKER
      • Docker Security & Pentesting
        • Commond Docker error
      • 8 Best Practices for Docker Host Security
  • Windows Hardening 🛡️
    • Windows Active Directory Pentesting
      • Dll Hijacking
      • MSDT - Microsoft Support Diagnostic Tool Vulnerability
      • AD Enumeration TOOL
      • AD Certificate Templates
      • Kerberos Delegation
    • Windows Security Controls
      • Applocker Basics
    • Powershell Cheat sheet
    • AMSI Bypass
  • Linux Hardening 🛡️
    • Page 1
  • Network Services Pentesting
    • Footprinting Cheat sheet
      • 21-FTP
      • 161-SNMP
      • 445-SMB-139
      • 2049-NFS
      • 53-DNS
      • 587-SMTP
      • 143-IMAP/POP3
    • Juicy Curl
  • Pentesting Web
    • 100 Web Vulnerabilities, categorized into various types
    • Deserialization
      • Node.js Deserialization
    • SHODAN DORK
    • Vulnerabilities PAYLOADS
      • Directory Traversal Payload
      • Html-Injection-Read-FIle
      • Html-Injection
      • OS-Command-Injection
      • SQL-Injection-Auth-Bypass
      • PHP-Code-Injection
      • SQL-Injection
      • SSRF Basic
      • SSRF
      • XML-External-Entity
      • XSLT (eXtensible Stylesheet Language Transformations)
      • XSS Cheat Sheet
        • XSS
        • XSS -
        • XSS-polyglots
        • Cloudflare's XSS protection
    • Base Information
      • File-Extension-Inclusion
        • File-Inclusion-Windows
        • File-Inclusion-Linux
        • File-Extension
      • Media-Type-(MIME)
      • Windows-Sensitive-Files
      • Linux-Sensitive-Files
      • Linux-Log-Files
  • Blogs
    • How I Passed HTB Certified Penetration Testing Specialist
    • A comparative analysis of Open Source Web Application vulnerability scanners (Rana Khalil)
    • Sean Metcalfe Path for AD
    • Secure Docker - HackerSploit
  • Projects
    • HOME LAB
      • HOME LAB Blogs | Active Directory
        • Active Directory Lab Setup - 101
        • Active Directory Lab Setup - 102
        • Active Directory Lab Setup [ AD Enumeration ] - 103
        • Active Directory Lab Setup [AD Attacks ] - 104
      • Home Lab | Splunk Setup & Configuration
    • HOSTING A WEBSITE AND HARDENING ITS SECURITY
  • CTF- Writeups/ Solutions
    • HTB - Advanced Labs
      • Fortress
        • Jet
        • Akerva
        • Context
        • Synacktv
        • Faraday
        • AWS
      • Endgames
        • Ascension
        • RPG
        • Hades
        • Xen
        • P.O.O.
    • idekCTF 2024 🚩
    • TFC CTF 2024 🏳
    • DeadSec CTF 2024 🏴
      • Bing2 (web)
      • Mic_check (misc)
      • Windows Server (OSINT)
    • ImaginaryCTF 2024 🚩
      • cartesian-1 [Forensics]
      • packed [FORENSICS]
      • bom [FORENSICS]
      • BANK [MISC]
    • NahamCon CTF 2024 🏳
      • all WARMUPs
      • Base3200
      • The Hacker Webstore
      • iDoor
      • All About Robots
      • Thomas DEVerson
      • Helpful Desk
      • Curly Fries
    • Cyber Apocalypse 2024: Hacker Royale 🏴
      • Unbreakable [MISC]
      • StopDropAndRoll [MISC]
      • Character [MISC]
      • Delulu [pwn]
      • Tutorial [pwn]
      • Maze [Hardware]
      • TimeKORP [web]
  • Tools
    • Content Discovery & Form Manipulation
      • ffuf
      • RustScan
      • Feroxbuster
      • Dirsearch
      • Gobuster
      • Wfuzz
      • Webshell
      • websocket
Powered by GitBook
On this page
  • Tools
  • Ldapsearch
  • kerbrute
  • Bloodhound.py
  • Impacket-getST-Creds
  • Topics
  • DNS
  • MS-RPC
  • Ldap

AD Enumeration TOOL

Tools

Ldapsearch

(https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/) (https://devconnected.com/how-to-setup-openldap-server-on-debian-10/)

HackTricks Offensive WMI - Active Directory Enumeration (Part 5)

  • LLL-> shorten output, remove componets and version

  • x- simple authentication (password)

  • H - hostname with protocol

    • h- Ip addr

  • D - Bind DN

    • Windows userPrincipalName are acceptable.

  • w - password

  • b - base to search from


fold title='nmap Script for ldap'
 locate -r nse$|grep ldap
/usr/share/nmap/scripts/ldap-brute.nse
/usr/share/nmap/scripts/ldap-novell-getpass.nse
/usr/share/nmap/scripts/ldap-rootdse.nse
/usr/share/nmap/scripts/ldap-search.nse

ldap example

ldapsearch -x -H ldap://sizzle.htb.local -s base namingcontexts
ldapsearch -x -H ldap://sizzle.htb.local -s sub -b 'DC=HTB,DC=LOCAL'

Dumping only admin or users.

ldapsearch -x -H ldap://sizzle.htb.local -D 'amanda@htb.local' -w 'Ashare1972' -b 'dc=htb,dc=local' \
'(&(ObjectClass=user)(memberOf=CN=Domain Admins,CN=Users,DC=htb,DC=local))'
ldapsearch -LLL -x -H ldap://pdc01.lab.ropnop.com -b '' -s base '(objectclass=*)'

kerbrute

username Enum

kerbrute --dc 10.10.10.240 -d licordebellota.htb userenum user.txt --downgrade

Downgrade - its means downgrade the hash type. when kerberos choose their hash type the default is 23 often times they choose 18 which is more upgraded hash hashcat unable to crack it.

on the AD env. kerberos hash type cannot be changed 23 to 18 because of not all application are support 18 hash type. so they are gonna set the group policy to choose 18 hash type first for any application. then choose 23 is that application does not have 18. often times they are gonna set a group policy to monitor 23 hash type like who are gonna use it. for prevent malicious purpose.

Bloodhound.py

KRB5CCNAME=d.klay.ccache bloodhound-python -u d.klay -p 'Darkmoonsky248girl' -k -ns 10.10.11.181 -d absolute.htb -dc dc.absolute.
htb -c ALL --zip

impacket-getTGT 'absolute.htb/d.klay:Darkmoonsky248girl' -dc-ip 10.10.11.181

delete the DB MATCH (n) OPTIONAL MATCH (n)-[r]-() DELETE n,r and restart bloodhound.

Get a ticket

kinit absolut.htb/d.klay
klist

Sometime its hard to get a ticket [kerberos only care about 2 thing time and auth creds]:

ntupdate -s dcname/ip

Impacket-getST-Creds

impacket-getST -spn cifs/hope.windcorp.htb -dc-ip 192.168.0.2 -debug 'windcorp.htb/ray.duncan:pantera'

Topics

DNS

  • AD-DS relies heavily on DNS, especially SRV records for service discovery. most usefull & common ones:

dig -t SRV _gc._tcp.lab.ropnop.com         //Global Catalog
dig -t SRV _ldap._tcp.lab.ropnop.com
dig -t SRV _kerberos._tcp.lab.ropnop.com
dig -t SRV _kpasswd._tcp.lab.ropnop.com
nmap --script dns-svr-enum --script-args "dns-srv-enum.domain-'lab.ropnop.com'"

Domain Meta-data Trough Ldap

  • domainFunctionality

  • forestFunctionality

  • DomainControlerFunctionality

Value  Forest        Domain             Domain Controller
0      2000          2000 Mixed/Native  2000
1      2003 Interim  2003 Interim       N/A
2      2003          2003               2003
3      2008          2008               2008
4      2008 R2       2008 R2            2008 R2
5      2012          2012               2012
6      2012 R2       2012 R2            2012 R2
7      2016          2016               2016
ldapsearch -LLL -x -H ldap://pdc01.lab.ropnop.com -b '' -s base '(objectclass=*)'

MS-RPC

samba

  • rpcclient

  • smbclient

  • net

  • Impacket [ropnop binaries are also good]

Ldap

389-LDAP,636-LDAPS(SSL),3269-LDAP Global Catalog best is do nmap.

PreviousMSDT - Microsoft Support Diagnostic Tool VulnerabilityNextAD Certificate Templates

Last updated 3 months ago

Logoimpacket getst creds | WADComs
LogoNo Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DA
Page cover image