search
LinkedInGitHub

Misc

hashtag
Enum4linux

Pull a lot of information out of the Domain Controller using enum4linux

enum4linux 10.10.10.161

hashtag
Password Policy enumeration

crackmapexec smb 10.10.10.161 -u '' -p '' --pass-pol
circle-info

Put in the report that null authentication allows for domain enumeration

hashtag
RPCClient

hashtag
GetNPUsers

Queries target domain for users with 'Do not require Kerberos preauthentication' set and export their TGTs for cracking

hashtag
Credentials inside SYSVOL

Credentials may be stored inside of a script in the SYSVOL of the domain controller. Can happen on old AD environments.

Anyone with domain credentials can access the SYSVOL. To assign default local admin credentials LAPS is now used instead of scripts via Group Policy

Example path: \\conda.local\SYSVOL\conda.local\Policies{EA3B53C1-DDB1-4E62-818F-B7E7933A4E44}\Machine\Scripts\Startup\Set-Password.ps1

hashtag
SMB and RPC Null Authentication

hashtag
Notes

circle-info

If the SID of a group is more than 500 or above 1000 then it is not a default Windows group and was created

PreviousPassback AttackNextPost-Compromise Enumeration