Active Directory Security

PRACTICE ! PRACTICE ! PRACTICE !

Enumerating the Usernames first !

If anonymous user has READ permissions over the $IPC share, then 

$ impacket-lookupsid anonymous@10.10.117.62 | tee users.txt

Meanwhile, run the enum4linux in the background

$ enum4linux -a 10.10.10.x | tee enum4linux.log

If rpcclient has anonymous login then

rpcclient $> enumdomusers
rpcclient $> enumdomgroups
The last GO-TO option !

AS-REP Roasting

After finding valid usernames, try to check if there is any way to AS-REP roast 

$ impacket-GetNPUsers spooky.local/ -no-pass -usersfile users.txt -dc-ip <target ip>

After Having Creds

  • Enumerate Shares with those creds - cme

  • Try dumping the secrets with it - impacket-secretsdump

  • Try dumping the sam and lass - crackmapexec

  • Check for winrm, smb and other services till it gets Pwn3d

PreviousPOP3 EnumerationNextOS Command Injection

Last updated