Initial Enumeration of the Domain
Key Data Points
Data Point
Description
AD Users
We are trying to enumerate valid user accounts we can target for password spraying.
AD Joined Computers
Key Computers include Domain Controllers, file servers, SQL servers, web servers, Exchange mail servers, database servers, etc.
Key Services
Kerberos, NetBIOS, LDAP, DNS
Vulnerable Hosts and Services
Anything that can be a quick win. ( a.k.a an easy host to exploit and gain a foothold)
Passive and Active Enumeration on the Network
Wireshark
#TCPDUMP
sudo tcpdump -i ens224
#responder
sudo responder -I ens224 -A
#fping
fping -asgq 172.16.5.0/23
#nmap
sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum
nmap -A 172.16.5.100
#kerbrute to find valid usernames
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_usersThere are several ways to gain SYSTEM-level access on a host, including but not limited to:
Remote Windows exploits such as MS08-067, EternalBlue, or BlueKeep.
Abusing a service running in the context of the
SYSTEM account, or abusing the service accountSeImpersonateprivileges using Juicy Potato. This type of attack is possible on older Windows OS' but not always possible with Windows Server 2019.Local privilege escalation flaws in Windows operating systems such as the Windows 10 Task Scheduler 0-day.
Gaining admin access on a domain-joined host with a local account and using Psexec to launch a SYSTEM cmd window
By gaining SYSTEM-level access on a domain-joined host, you will be able to perform actions such as, but not limited to:
Enumerate the domain using built-in tools or offensive tools such as BloodHound and PowerView.
Perform Kerberoasting / ASREPRoasting attacks within the same domain.
Run tools such as Inveigh to gather Net-NTLMv2 hashes or perform SMB relay attacks.
Perform token impersonation to hijack a privileged domain user account.
Carry out ACL attacks.
Let's find a user!
Responder retrieved
Cracked with hashcat
Last updated