Skip to content

Half-Pwned

Domain Enum

Half-Pwned

Home
ActiveDirectory
ActiveDirectory
- ActiveDirectory 101
  ActiveDirectory 101
- ActiveDirectory Hacking
  ActiveDirectory Hacking
  - 101
  - PrivEsc
  - Tools of the Trade
  - 1. Initial Enum
    1. Initial Enum
    
    Domain Enum Domain Enum
    Table of contents
    
    TTPs
    
    Identifying Hosts
    
    Network Sniffing
    
    Responder
    
    NMAP Scanning
    
    Identifying Users
    
    Kerbrute - Internal AD Username enum
    
    Identifying Potential Vulnerabilities
    
    External Recon and Enum
  - 2. LLMNR+NBT NS Poisoning
    2. LLMNR+NBT NS Poisoning
    
    LLMNR+NBT NS Linux
    
    LLMNR+NBT NS Windows
  - 3. Password Spraying
    3. Password Spraying
    
    Enumerating Password Policy
    
    Internal Password Spraying Linux
    
    Internal Password Spraying Windows
    
    Making a target user list
    
    Password Spraying 101
  - 4. Credentialed Enum
    4. Credentialed Enum
    
    Credentialed Enum LINUX
    
    Credentialed Enum Windows
    
    Enumerating Security Controls
    
    Living Off the Land
    
    Mimikatz
  - 5. Kerberoasting
    5. Kerberoasting
    
    Kerberoasting Linux
    
    Manual Method
  - 6. ACL
    6. ACL
    
    ACL Abuse Primer
    
    ACL Abuse Tactis
    
    PowerView
    
    BloodyAD
    
    DCSync
  - 7. Lateral Movement
    7. Lateral Movement
    
    ADCS
    
    ASREPRoasting DU
    
    Bleeding Edge Vulnerabilities
    
    GPO Abuse for Windows Privilege Escalation
    
    Kerberos 'Double Hop' Problem
    
    Miscellaneous Misconfigurations
    
    Privileged Access
    
    Kerberos Delegation
    Kerberos Delegation
    
    Delegation Types
    
    Resource Based Constraint Delegation
  - 8. Domain Trusts
    8. Domain Trusts
    
    Domain Trusts Primer
    
    Cross Forest
    Cross Forest
    
    Attacking CF Trusts Linux
    
    Attacking CF Trusts Windows
    
    Parent Child
    Parent Child
    
    Attacking Domain Trusts Linux
    
    Attacking Domain Trusts Windows
  - 9. Defense
    9. Defense
    
    AD Auditing
    
    Harden AD
  - BloodHound
    BloodHound
    
    GenericAll
Google RedTeaming
Google RedTeaming
- Resources
- Part 1
  Part 1
Network PenTesting
Network PenTesting
- Buffer Overflow
  Buffer Overflow
  - Linux
    Linux
    
    GDB Commands
    
    Prevention
    
    Exploit
    Exploit
    
    Find the Length of the Shellcode
    
    New shellcode & Return Address
    
    Take control of EIP
    
    Intro
    Intro
    
    CPU 101
    
    CPU Registers
    
    Stack Based BOF 101
- Common Services & Ports
  Common Services & Ports
  - Common Services 1
    Common Services 1
    
    Enum
    
    Infrastructure Enum
    
    Host Based Services
    Host Based Services
    
    DNS - 53
    
    FTP - 21
    
    IMAP POP3
    
    IPMI - 623
    
    LDAP - 389, 636,
    
    MSSql - 1433
    
    MySQL - 3306
    
    NFS - 111 or 2049
    
    Oracle TNS - 1521
    
    SMB - 139 or 445
    
    SMTP - 25, 587, 465
    
    SNMP - 161
    
    Remote Management
    Remote Management
    
    Linux Remote Management
    
    Windows Remote Management Protocol
  - Common Services 2
    Common Services 2
    
    101
    
    Attacking AD
    
    Attacking DNS
    
    Attacking FTP
    
    Attacking RDP
    
    Attacking SMB
    
    Attacking SMTP
    
    Attacking SQL DBs
    
    Protocol Specific Attacks
    Protocol Specific Attacks
    
    Concept of attacks
    
    Finding Sensitive Information
    
    Service Misconfig
- File Transfers
  File Transfers
- Linux Privesc
  Linux Privesc
  - Assessment
  - Hardening
  - PreText
  - 1. Information Gathering
    1. Information Gathering
    
    Check What's Running on a Port (Linux)
    
    Credential Hunting
    
    Environment Enumeration
    
    Linux Services & Internal Enum
    
    OTHER
    
    Tcpdump
  - 2. Env based privesc
    2. Env based privesc
    
    Escaping Restricted Shells
    
    Path Abuse
    
    Wildcard Abuse
  - 3. Permission based privesc
    3. Permission based privesc
    
    Capabilities
    
    Privileged Groups
    
    SUDO Right Abuse
    
    Special Permissions
  - 4. Service based privesc
    4. Service based privesc
    
    Docker Escape
    
    Docker
    
    Linux Containers
    
    Logrotate
    
    Passpie Exploitation
    
    Screen & Cron Jobs
    
    Tcpdump NFS tmux
  - 5. Internal based privesc
    5. Internal based privesc
    
    Kernel Exploits
    
    Python Library Hijacking
    
    Shared Libraries
    
    Shared Object Hijacking
  - 6. 0 days
    6. 0 days
    
    Dirty Pipe
    
    Netfilter
    
    Polkit
    
    Sudo
- Password Attacks
  Password Attacks
  - 101
  - Password Mutations
  - Remediation
  - Remote Password Attacks
  - Cracking Files
    Cracking Files
    
    Protected Archives
    
    Protected Files
  - Linux Local PA
    Linux Local PA
    
    Creds Hunting in Linux
    
    Passwd, Shadow, Opasswd
  - Passwords
    Passwords
    
    Password Mutations
    
    Remote Password Attacks
  - Windows Lateral Movement
    Windows Lateral Movement
    
    Kerberos
    
    Pass the Hash (PtH)
    
    Pass the Ticket (PtT) Linux
    
    Pass the Ticket (PtT) Windows
  - Windows Local PA
    Windows Local PA
    
    Attacking AD and NTDS.dit
    
    Attacking LSASS
    
    Attacking SAM SYSTEM NTDS SECURITY
    
    Attacking SAM
    
    Creds Hunting Windows
    
    DPAPI Decryption
- PenTesting Process
  PenTesting Process
  - Basics
  - Intro
  - My Process
  - Service Enum Links
  - Steps
  - Methodology
    Methodology
    
    Penetration Testing Foothold Checklist
    
    Linux
    
    My Process
    
    Windows AD
    
    Windows
- Pivoting
  Pivoting
  - 101
  - RDP and SOCKS Tunneling with SocksOverRDP
  - Ligolo
  - Ping Sweep
  - 1. Starting Tunnels
    1. Starting Tunnels
    
    Dynamic SSH PFW and SOCKS tunneling
    
    Local Port Fwding
    
    Meterpreter Tunneling & Port Forwarding
    
    Remote Port FWDing
  - 2. Socat
    2. Socat
    
    Socat Redirection
  - 3. Pivot Obstacles
    3. Pivot Obstacles
    
    SSH for Windows plink.exe
    
    Sshuttle
  - 4. Branching out Tunnels
    4. Branching out Tunnels
    
    DNS Tunneling with Dnscat2
    
    ICMP Tunneling
    
    SOCKS5 with Chisel
  - Ligolo
    Ligolo
    
    Ligolo Reverse tunnel
    
    Ligolo
- Reporting
  Reporting
- Windows Privesc
  Windows Privesc
  - Assessments
  - Intro
  - 1. Getting a Lay of the Land
    1. Getting a Lay of the Land
    
    Communication with Processes
    
    Initial Enum
    
    NEEDED COMMANDS
    
    Situational Awareness
  - 2. User Privileges
    2. User Privileges
    
    Enable Privileges
    
    Privileges 101
    
    SeDebugPrivilege
    
    SeImpersonate and SeAssignPrimaryToken
    
    SeTakeOwnershipPrivilege
  - 3. Group Privileges
    3. Group Privileges
    
    Backup Operators
    
    DnsAdmins
    
    Event Log Readers
    
    Hyper V Administrators
    
    Print Operators
    
    Server Operators
  - 4. Attacking the OS
    4. Attacking the OS
    
    Kernel Exploits
    
    User Account Control
    
    Vulnerable Services
    
    Weak Permissions
  - 5. Credential Theft
    5. Credential Theft
    
    Creds Hunting
    
    Further Credential Theft
    
    Hunting other Files
  - 6. Restricted Envs
    6. Restricted Envs
    
    Citrix Breakout
  - 7. Additional Techniques
    7. Additional Techniques
    
    Interacting with Users
    
    Misc
    
    Pillaging
  - 8. End of Life Systems
    8. End of Life Systems
    
    Legacy Operating Systems
    
    Windows Desktop
    
    Windows Server
Web Application Pentesting
Web Application Pentesting
- Attacking Common Applications
  Attacking Common Applications
  - 101 common Applications
  - Application Discovery & Enumeration
  - Hardening
  - ASSESSMENTS
    ASSESSMENTS
    
    Assessment 2
  - CMS
    CMS
    
    DNN
    
    Drupal
    Drupal
    
    Attacking Drupal
    
    Discovery & Enum
    
    Joomla
    Joomla
    
    Attacking Joomla
    
    Discovery and Enum
    
    Wordpress
    Wordpress
    
    Attacking Wordpress
    
    Discovery & Enum
  - Common Gateway Interfaces
    Common Gateway Interfaces
    
    Attacking CGI Apps Shellshock
    
    Attacking Tomcat CGI
  - Infra Network Tools
    Infra Network Tools
    
    PRTG Network Monitor
    
    Splunk
  - Other
    Other
    
    Apps connecting to Services
    
    Attacking LDAP
    
    ColdFusion
    
    IIS Tilde
    
    IIS machineKey RCE
    
    Web Mass Assignment
  - Servlet Containers
    Servlet Containers
    
    Jenkins
    Jenkins
    
    Attacking Jenkins
    
    Discovery & Enum
    
    Tomcat
    Tomcat
    
    Attacking Tomcat
    
    Discovery & Enum
  - Thick Client
    Thick Client
    
    PT Steps
    
    Exploiting Web vulns in Thick Client
    
    Thick Client 101
  - osTicket & GitLab
    osTicket & GitLab
    
    GitLab
    
    osTicket
- Attacking Web Apps
  Attacking Web Apps
  - Proxying
  - Brute Forcing Login
    Brute Forcing Login
    
    101
    
    Custom Wordlists Username anarchy, CUPP
    
    Hydra
    
    Medusa
  - Command Injection
    Command Injection
    
    101
    
    Prevention
    
    Filter Evasion
    Filter Evasion
    
    Basic
    
    Bypass Space and slashes
    
    Bypass blacklisted commands
    
    Evasion Tools
    
    Identifying filters
  - File Inclusion
    File Inclusion
    
    Basic Bypasses
    
    LFI 101
    
    LFI
    
    PHP Filters
    
    To do List
    
    What to look for
    
    Automation and Prevention
    Automation and Prevention
    
    Automated Scanning
    
    Prevention
    
    Remote code execution
    Remote code execution
    
    LFI and File Uploads
    
    Log Poisoning
    
    PHP Wrappers
    
    RFI
  - File Uploads
    File Uploads
    
    Prevention
    
    Bypassing Filters
    Bypassing Filters
    
    Basic Exploitation
    
    Limited File Uploads
    
    Main Techniques
    
    Other techniques
  - Fuzzing
    Fuzzing
    
    Domain + VHost Fuzzing
    
    Parameter Fuzzing
    
    Web Fuzzing
  - IDOR
    IDOR
    
    101 IDOR
    
    Bypassing IDOR
    
    IDOR Prevention
  - SQL Injection
    SQL Injection
    
    DB Enumeration
    
    Reading Files
    
    SQL 101
    
    SQL Injections
    
    Writing Files
  - SQLMap
    SQLMap
    
    SQLMap 101
    
    SQLMap outputs
    
    Building attacks
    Building attacks
    
    Handling SQLMap errors + Attack Tuning
    
    SQLMap on HTTP Request
    
    DB Enum
    DB Enum
    
    Advanced DB Enum
    
    DB Enum
    
    Webapps +OS
    Webapps +OS
    
    Bypassing Web Application Protections
    
    OS Exploitation
  - Verb Tampering
    Verb Tampering
    
    101
    
    Bypass
  - XSS
    XSS
    
    DOM XSS
    
    XSS (Stored, Reflected)
    
    XSS Discovery
    
    Xss 101
    
    XSS Attacks
    XSS Attacks
    
    Defacing
    
    Phishing & Session Hijacking
  - XXE
    XXE
    
    Advanced File Disclosure
    
    Blind Data Exfiltration
    
    Bypass XXE
    
    Prevention
    
    XXE 101
- Information Gathering
  Information Gathering
Blog
Blog
- Blog
- GCP
  GCP
  - GCRTP
    GCRTP
    
    Initial Access - Password Spray
    
    GCP-Phishing
    
    Metadata in GCP Instances
    
    Reveal Files Hidden in Google Storage
- Linux
  Linux
  - Agile
  - Alert
  - Builder
  - Chemistry
  - Conversor
  - Crafty
  - Delivery
  - Expressway
  - Giveback
  - Logforge
  - Metatwo
  - Pandora
  - Planning
  - Postman
  - Remote
  - Shoppy
  - Snoopy
  - Soccer
  - Soulmate
  - Trick
  - Underpass
  - Union
- Pro Labs
  Pro Labs
  - AEN
    AEN
    
    10.129.229.147
    
    10.129.229.147
  - POO
    POO
    
    10.13.38.11 - Entrypoint
- Windows
  Windows
  - Active
  - Authority
  - Cicada
  - Driver
  - Escapetwo
  - Fluffy
  - Forest
  - Hospital
  - Jeeves
  - Mailing
  - Manager
  - Media
  - Monitorfour
  - Nanocorp
  - Outdated
  - Pov
  - Redelegate
  - Return
  - Sauna
  - Servmon
  - Streamio
  - Support
  - Timelapse
  - Tombwatcher
  - Voleur
  - Vulncicada
- Archive
  Archive
  - 2023

Domain Enum

Jot down Key Data Points

TTPs

AD is HUGE
create a game plan to enumerate AD in a progressive way
passive identification of any host in the network
active validation to find more about the host (services, names, vulns)
- probe the host after validation

Identifying Hosts

Network Sniffing

"put your ear to the wire" - WIRESHARE or TCPDump
If no wiresharm
- tcpdump, net-creds, and NetMiner,
pktmon.exe - windows 10 network monitoring tool
Save PCAP files to analyze them later

Responder

listen, analyze, poison LLMNR, NBT-NS, MDNS requests and responses.
Analyze Mode
- sudo responder -I ens224 -A
We might find new hosts not found already using wireshark
With a few hosts in our bank, we can perform ICMP sweep of the subnet using fping - https://fping.org/
can script using fping and uses round-robin to cycle between hosts.
Ping sweep a network using fping
- fping -asgq 172.16.5.0/23
We get a list of IPs that are up.

NMAP Scanning

protocols with AD - DNS, SMB, LDAP, Kerberos
Save the above found ips to hosts.txt
NMAP to enumerate hosts
- sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum

Identifying Users

If the pentest starts without any creds, we need to find a cleartext password or use an NTLM hash for a user account.
Some foothold is great to open up opps to perform enum and even attacks

Kerbrute - Internal AD Username enum

https://github.com/ropnop/kerbrute/releases/latest - get a binary
Kerbrute is silent. Kerberos pre-auth failure is not logged. Used by Kerbrute

Use kerbrute with the likely usernames jsmith.txt & jsmith2.txt - https://github.com/insidetrust/statistically-likely-usernames

# Installing Kerbrute
sudo git clone https://github.com/ropnop/kerbrute.git
make help
# Get All Binaries (Linux, Win, Mac)
sudo make all
# Binaries present here
cd dist/ 

# Add to our PATH
echo $PATH
sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute

Enumerate users using Kerbrute
- kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
This will output a list of valid usernames
We can use this list for password spraying

Identifying Potential Vulnerabilities

NT AUTHORITY\SYSTEM - local system account : has highest access in the OS which is used to run most Windows services
A SYSTEM account on a domain-joined host will be able to enumerate AD by impersonating the computer account (another user account).
SYSTEM is like domain user account
GAIN SYSTEM
USE SYSTEM