- Ports: ldap 389/tcp, ldaps 636/tcp, globalldap/globalcatldap 3268/tcp, globalldaps/globalcatldapssl 3269/tcp. Enumerate without credentials. Nmap enumeration scans: nmap -n -sV --script "ldap* and not brute" $target ; Ldapsearch scan: ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local" ; Connect to LDAPs/GlobalLDAPs: openssl s_client -connect $target:636 </dev/null ; openssl s_client -connect $target:3269 </dev/null ; Search in the directory: ldapsearch -x -b…
- PowerShell Cmdlets consist of Verb-Method. To search for a method, type Get-Command New-U* ; To see all attributes for a Cmdlet, type Get-LocalUser | Get-Member ; To see specific or non-default attributes, type Get-LocalUser | Select-Object -Property Name,PasswordRequired ; Examples: Directories and files. Get all files in the current directory: Get-ChildItem ; Get all files in the current directory and below:…
- Windows Remote Management (WinRM / wsman) is a service which runs on ports 5985 and 5986. Evil-WinRM (GitHub) | Opens a shell for a user: root@kali:~# evil-winrm -i $victim -u melanie -p 'Welcome123!' ; For many users: for cred in $(cat user_pass.txt); do username=$(echo $cred | cut -d ',' -f 1) password=$(echo $cred | cut -d ',' -f…
- Basics. Authentication sequence for a user to log in on a domain (controller): Authentication sequence for an authenticated user on a local system: Terminology. Kerberoasting means offline cracking of the password from the NTLM hash. Useless if the service runs as a service user. Then, the password will be replaced by a 128 character long…
- Like OSXcollector, but for Windows. Collects information on a host for later analysis. https://www.fireeye.com/services/freeware/redline.html