Credentialed Enumeration with Linux
CrackMapExec with Valid Creds
With valid credentials, we can use various tools to build a user list.
CME Domain User Enumeration
We can use CME by pointing it at a Domain Controller and using the credentials we found to retrieve a list of all domain users.
sudo crackmapexec smb IP -u found-username -p found-password --users
CME Domain Group Enumeration
We can also do the same for domain groups.
sudo crackmapexec smb IP -u found-username -p found-password --groups
CME Logged On Users
We can also point CME at other hosts; in this case we use it to see which users are currently logged on.
sudo crackmapexec smb IP -u found-username -p found-password --loggedon-users
If we see (Pwn3d!) at the end of a username, we know that user is a local admin on the host.
CME Share Searching
We can use CME to enumerate the available shares on the remote host and the level of access we have to them.
sudo crackmapexec smb IP -u found-username -p found-password --shares
CME Spider_plus
The spider_plus module digs through each readable share on the host and lists every readable file, then saves the results as a JSON file at /tmp/cme_spider_plus/<IP>
sudo crackmapexec smb IP -u found-username -p found-password -M spider_plus
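As an added example, not code from the original notes or from the CrackMapExec project: a Python script that reads the spider_plus JSON export, summarises it per share (file count and an extension histogram), and lists the files whose extensions a share-permission review should look at first. The sample JSON is constructed; the share-to-file nesting follows what the module writes, while the metadata field names inside each file entry ("size", "mtime_epoch") are an assumption and are not relied on.

```python
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed sample in the nesting that spider_plus writes to
# /tmp/cme_spider_plus/<IP>: share name -> file path -> metadata.
# The metadata field names ("size", "mtime_epoch") are an assumption;
# only the share/file nesting is relied on below.
SAMPLE_SPIDER_JSON = """
{
  "NETLOGON": {
    "logon.bat": {"size": "1.2 KB", "mtime_epoch": "2023-01-02 10:00:00"},
    "scripts/map_drives.vbs": {"size": "3.4 KB", "mtime_epoch": "2023-01-02 10:00:00"}
  },
  "IT_Share": {
    "backup/old_config.xml": {"size": "12.0 KB", "mtime_epoch": "2022-05-01 08:00:00"},
    "tools/readme.txt": {"size": "0.5 KB", "mtime_epoch": "2022-05-01 08:00:00"},
    "tools/installer.msi": {"size": "40.0 MB", "mtime_epoch": "2022-05-01 08:00:00"}
  }
}
"""


def load_spider_results(text):
    """Parse spider_plus JSON; reject anything that is not share -> files."""
    data = json.loads(text)
    if not isinstance(data, dict) or not all(isinstance(v, dict) for v in data.values()):
        raise ValueError("expected a JSON object keyed by share name")
    return data


def summarise_shares(data):
    """Per share: number of readable files and a histogram of file extensions."""
    summary = {}
    for share, files in data.items():
        exts = Counter(Path(path).suffix.lower() or "<none>" for path in files)
        summary[share] = {"files": len(files), "extensions": exts}
    return summary


def files_with_extensions(data, wanted):
    """(share, path) pairs whose extension is in `wanted`, sorted for stable review output."""
    wanted = {w.lower() for w in wanted}
    return sorted(
        (share, path)
        for share, files in data.items()
        for path in files
        if Path(path).suffix.lower() in wanted
    )


if __name__ == "__main__":
    # Pass the real export path as the first argument; otherwise the constructed sample is used.
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_SPIDER_JSON
    results = load_spider_results(text)
    for share, info in summarise_shares(results).items():
        print(f"{share}: {info['files']} readable files, {dict(info['extensions'])}")
    for share, path in files_with_extensions(results, [".xml", ".txt", ".bat", ".vbs"]):
        print(f"review: {share}/{path}")
```

Run it with the export path as the only argument; with no argument it uses the constructed sample. Because only the share/file nesting is relied on, the script still works if the metadata fields differ between module versions.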
SMBMap
We can use SMBMap to list shares, recursively list directories, list contents, and search contents of directories.
SMBMap Check Access
This tells us what our user can access and with what permission levels.
smbmap -u user -p password -d DOMAIN.LOCAL -H IP
Recursively List All Directories
smbmap -u user -p password -d DOMAIN.LOCAL -H IP -R 'Sharename' --dir-only
Rpcclient
We can perform both authenticated and unauthenticated enumeration using rpcclient.
SMB NULL Session with rpcclient
rpcclient -U "" -N IP
Rpcclient Enumeration
While looking at users in rpcclient we will see a field called rid beside each user. RID stands for Relative Identifier and is a unique identifier used by Windows to track and identify objects. The Administrator account will always have the RID value 0x1f4 in hex, or 500 in decimal.
RPCClient User Enumeration By RID
rpcclient > queryuser USER_RID
RPCclient Enumdomusers
We can enumerate all users to get their RIDs.
rpcclient > enumdomusers
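As an added example, not part of the original notes: a Python script that parses the enumdomusers output into usernames and decimal RIDs, converts between the hex form rpcclient displays and decimal, pulls the RID out of a full SID (it is the last sub-authority), and labels well-known built-in RIDs, including a built-in account that has been renamed, which is something a defender reviewing such an export would want to notice. The sample output and the account names in it are constructed.

```python
import re

# Constructed sample of the lines `rpcclient $> enumdomusers` prints, one per user;
# the RID is shown in hex. The prompt line is included to show it is skipped.
SAMPLE_ENUMDOMUSERS = """\
rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[jdoe] rid:[0x450]
user:[svc_backup] rid:[0x1103]
"""

# RIDs Windows reserves for built-in accounts; the same on every domain.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}

LINE_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")


def parse_enumdomusers(text):
    """Return [(username, rid)] with the RID converted from hex to decimal; other lines are ignored."""
    users = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if match:
            users.append((match.group("name"), int(match.group("rid"), 16)))
    return users


def rid_to_hex(rid):
    """Decimal RID -> the 0x form rpcclient displays (500 -> '0x1f4')."""
    return f"0x{rid:x}"


def rid_from_sid(sid):
    """The RID is the last sub-authority of a SID, e.g. S-1-5-21-...-500 -> 500."""
    if not sid.startswith("S-1-"):
        raise ValueError(f"not a SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])


def classify(users):
    """Label each account: well-known built-in, another reserved RID (< 1000), or domain-created."""
    labelled = []
    for name, rid in users:
        if rid in WELL_KNOWN_RIDS:
            kind = f"built-in ({WELL_KNOWN_RIDS[rid]})"
        elif rid < 1000:
            kind = "reserved RID"
        else:
            kind = "domain-created"
        labelled.append((name, rid, kind))
    return labelled


def renamed_builtins(users):
    """Accounts whose RID is well-known but whose name is not the default, e.g. a renamed Administrator."""
    return [(name, rid) for name, rid in users
            if rid in WELL_KNOWN_RIDS and name.lower() != WELL_KNOWN_RIDS[rid].lower()]


if __name__ == "__main__":
    parsed = parse_enumdomusers(SAMPLE_ENUMDOMUSERS)
    for name, rid, kind in classify(parsed):
        print(f"{name:<16} rid={rid:<6} ({rid_to_hex(rid)})  {kind}")
    for name, rid in renamed_builtins(parsed):
        print(f"note: RID {rid} is a built-in account but is named {name!r}")
```

Matching on the RID rather than the name is the point: renaming the Administrator account changes what enumdomusers shows as the username, but its RID stays 500, so the script reports it either way.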
Impacket Toolkit
Impacket provides a huge set of tools that let us enumerate, interact with and exploit Windows protocols.
Psexec.py
One of the most powerful tools in the Impacket suite. It works by uploading a randomly named executable to the ADMIN$ share on the target host and creating a remote service from it; it then registers the service via RPC and the Windows Service Control Manager and, once established, provides a remote shell as SYSTEM.
To connect we need credentials for a user with local admin privileges.
psexec.py domain.local/username:'password'@IP
wmiexec.py
Uses a semi-interactive shell where commands are executed through Windows Management Instrumentation. It generates fewer logs and does not drop any files on the target host. Once connected, it runs as the local admin user we connected with, which makes it a stealthier approach compared to other tools.
wmiexec.py domain.local/username:'password'@IP
Windapsearch
Another Python tool, used to enumerate users, groups and computers from a Windows domain via LDAP requests. We can use Windapsearch for standard enumeration (users, computers, groups) or to dig deeper (domain admin groups, privileged users).
Enumerate Domain Admins
python3 windapsearch.py --dc-ip IP -u user@domain.local -p password --da
Enumerating Privileged Users
python3 windapsearch.py --dc-ip IP -u user@domain.local -p password --PU
Bloodhound
BloodHound creates a GUI representation of the target AD network, which helps us look for attack paths showing where access as a particular user may lead. It collects data from AD such as users, groups, computers, group membership, GPOs, ACLs, domain trusts, local admin access, user sessions, computer and user properties, RDP access, WinRM access, etc.

First, we have to gather some data. This can be done with SharpHound if we have access to a low-privileged account, or with bloodhound-python.
Useful Flags
-c: Collection method to use; we can pass in user sessions, users, groups and many more. If we want as much data as possible we use all.
-d: Domain
-ns: Domain name server

Then we can import the data into BloodHound.

Once the data is imported we can see the information below, and we can use the analytics tab to run queries against the database.

The queries can be custom and specific, but we can also use the built-in Path Finding queries. For example, we chose Find Shortest Paths To Domain Admins; it gives us any logical path it finds through users and groups that is likely to lead to escalation to Domain Admin privileges.