1. Initial Enumeration of the Domain

Network Discovery and Traffic Analysis

Capture traffic using Wireshark

sudo wireshark

Capture packets on interface ens224 using tcpdump

sudo tcpdump -i ens224

Run Responder for LLMNR, NBT-NS, and MDNS poisoning

sudo responder -I ens224 -A

Ping sweep using fping

fping -asgq 172.16.5.0/23

Responder

sudo responder -I <interface> -A

Host and Service Enumeration

Perform aggressive scan on hosts listed in hosts.txt

sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum

Aggressive scan on a specific host

sudo nmap -A 172.16.5.100

User Enumeration

Clone kerbrute repository

sudo git clone https://github.com/ropnop/kerbrute.git

View make options

make help

Build kerbrute

sudo make all

Run kerbrute binary

./kerbrute_linux_amd64

Check current PATH

echo $PATH

Move kerbrute to a directory in PATH

sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute

Enumerate valid Active Directory users

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
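A kerbrute userenum run like the one above produces a burst of Kerberos AS-REQs for non-existent accounts, which a domain controller with Kerberos Authentication Service auditing enabled records as event 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The following detection script is an added example, not part of these notes or of kerbrute; it assumes a simplified, constructed key=value rendering of the 4768 fields (TargetUserName, IpAddress, Status) rather than raw EVTX, and the client addresses in the sample are made up.

```python
"""Flag Kerberos user-enumeration bursts (e.g. kerbrute userenum) from
Windows Security event 4768 records. Added example; the record format is a
constructed key=value simplification of the 4768 fields, not raw EVTX."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one client asks the DC for many unknown principals in
# a few seconds; a second client has two isolated typos an hour apart.
SAMPLE_LOG = """\
2024-05-01T10:00:01 EventID=4768 TargetUserName=jsmith IpAddress=::ffff:172.16.5.225 Status=0x0
2024-05-01T10:00:02 EventID=4768 TargetUserName=aaron IpAddress=::ffff:172.16.5.225 Status=0x6
2024-05-01T10:00:02 EventID=4768 TargetUserName=abby IpAddress=::ffff:172.16.5.225 Status=0x6
2024-05-01T10:00:03 EventID=4768 TargetUserName=adam IpAddress=::ffff:172.16.5.225 Status=0x6
2024-05-01T10:00:03 EventID=4768 TargetUserName=alice IpAddress=::ffff:172.16.5.225 Status=0x6
2024-05-01T10:00:04 EventID=4768 TargetUserName=amy IpAddress=::ffff:172.16.5.225 Status=0x6
2024-05-01T10:00:04 EventID=4768 TargetUserName=bob IpAddress=::ffff:172.16.5.225 Status=0x6
2024-05-01T10:05:00 EventID=4768 TargetUserName=typo1 IpAddress=::ffff:172.16.5.60 Status=0x6
2024-05-01T11:00:00 EventID=4768 TargetUserName=typo2 IpAddress=::ffff:172.16.5.60 Status=0x6
"""

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: account does not exist

def parse(line):
    """Turn one record into (timestamp, dict of fields)."""
    ts, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return datetime.fromisoformat(ts), fields

def find_enumeration(log, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: sorted distinct unknown names} for every source
    that requested >= threshold distinct non-existent accounts inside any
    sliding window of the given length. Successful TGTs (0x0) are ignored."""
    per_source = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, f = parse(line)
        if f.get("EventID") == "4768" and f.get("Status") == UNKNOWN_PRINCIPAL:
            per_source[f["IpAddress"]].append((ts, f["TargetUserName"]))
    hits = {}
    for src, events in per_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - start <= window}
            if len(names) >= threshold:
                hits[src] = sorted(names)
                break
    return hits

if __name__ == "__main__":
    for src, names in find_enumeration(SAMPLE_LOG).items():
        print(f"possible user enumeration from {src}: {names}")
```

Counting distinct unknown names per source, rather than raw failures, keeps a user who mistypes one name several times from tripping the rule.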

1. Penetration Testing Setup Variations:

  • Clients have diverse ways to set up penetration tests, ranging from fully external to deeply embedded within their network.

  • This includes:

    • Virtual machines, physical devices, or on-site laptops.

    • VPN access.

    • Managed workstations or VDIs.

    • Cloud-based attack platforms.

  • "Grey box" (partial knowledge) and "black box" (no knowledge) testing approaches.

  • Evasive, non-evasive, or hybrid testing styles.

  • Starting with or without credentials.

2. Initial Enumeration Goals:

  • Identify active hosts and network services.

  • Discover potential avenues for gaining a foothold.

  • Enumerate users, computers, and services within the Active Directory (AD) environment.

  • Find vulnerable hosts and services for exploitation.

  • Document all findings meticulously.

3. Key Data Points:

  • AD users.

  • AD-joined computers (especially critical servers like Domain Controllers).

  • Key services (Kerberos, NetBIOS, LDAP, DNS).

  • Vulnerable hosts and services.

4. Enumeration Techniques:

  • Passive Reconnaissance:

    • Network traffic monitoring (Wireshark, TCPDump).

    • LLMNR/NBT-NS analysis (Responder).

  • Active Reconnaissance:

    • ICMP sweeps (FPing).

    • Port scanning and service identification (Nmap).

    • Kerberos user enumeration (Kerbrute).

5. Tools and Their Purpose:

  • Wireshark/TCPDump: Network traffic capture and analysis.

  • Responder: LLMNR/NBT-NS poisoning and analysis.

  • FPing: Fast ICMP host discovery.

  • Nmap: Port scanning, service identification, OS detection.

  • Kerbrute: Kerberos-based user enumeration.

6. Importance of the SYSTEM Account:

  • The NT AUTHORITY\SYSTEM account has the highest privileges on a Windows system.

  • Compromising a SYSTEM account on a domain-joined host provides significant access to the AD environment.

  • Allows further enumeration and attacks.

7. Ethical Considerations:

  • Staying within the agreed-upon scope.

  • Obtaining client approval before performing potentially disruptive actions.

  • Understanding the potential impact of scanning and exploitation activities.

  • Being aware of the noise generated by your actions and how that relates to the type of test being performed.

8. User Enumeration Importance:

  • Gaining a valid domain user account is a critical early step.

  • It unlocks further enumeration and attack possibilities.

  • Kerbrute is a tool that can be used to enumerate users.

9. Vulnerability Identification:

  • Identifying outdated operating systems and services.

  • Recognizing potential vulnerabilities (e.g., EternalBlue, MS08-067).

  • Understanding the risks and obtaining client approval before exploiting vulnerabilities.
