OSCP-CPTS NOTES

Active Directory Attacks

Credentialed Enumeration From Linux
Authenticated Enumeration - from Linux

1️⃣ CrackMapExec

  • sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 --users → Enumerates domain users. Displays a list of domain users along with their badPwdCount attribute.

  • sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 --groups → Enumerates domain groups. Provides a list of groups along with the number of users in each.

  • sudo crackmapexec smb 10.20.30.150 -u alex -p StrongPass123 --loggedon-users → Shows currently logged-in users.

  • sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 --shares → Lists available shared resources and access levels for the user.

  • sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 -M spider_plus → This module scans all accessible shares for readable files. You can restrict it to a particular share with --share 'Finance Records'. The output is saved in /tmp/cme_spider_plus/<target_ip>.

2️⃣ SMBMap

  • smbmap -u alex -p StrongPass123 -d CORP.LOCAL -H 10.20.30.40 → Checks accessible resources and permission levels.

  • smbmap -u alex -p StrongPass123 -d CORP.LOCAL -H 10.20.30.40 -R 'Finance Records' --dir-only → Displays all subdirectories within the specified share without listing files.

3️⃣ rpcclient

rpcclient is a useful tool for interacting with Samba and MS-RPC services. It allows enumeration, modification, and deletion of Active Directory objects.

  • rpcclient -U "" -N 10.20.30.40 → Establishes a null session shell with the domain controller.

  • rpcclient$> queryuser 0x457 → Enumerates a user by RID (0x457 in hex = 1111 in decimal).

  • rpcclient$> enumdomusers → Lists all domain users along with their RIDs.

4️⃣ Impacket Toolkit

psexec.py

This tool uploads an executable to the ADMIN$ share, creates a remote service, and establishes a SYSTEM-level shell.

  • psexec.py corp.local/jdoe:'SecurePass!1'@10.20.30.125 → Spawns a remote shell.

wmiexec.py

wmiexec.py leverages Windows Management Instrumentation (WMI) for command execution. Unlike psexec.py, it does not upload a binary or create a service on the target, so it leaves far fewer artifacts on the target system.

  • wmiexec.py corp.local/jdoe:'SecurePass!1'@10.20.30.40 → Opens a semi-interactive shell.
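As an added, defender-side example (not code from these notes or from the Impacket project), the following Python correlates the host traces the two tools above leave behind: for psexec.py, a file written into the ADMIN$ share followed shortly by a service installed with that same file name; for wmiexec.py, a cmd.exe spawned by the WMI provider host with its output redirected into ADMIN$. The event records are constructed sample data in a simplified, assumed field layout (not the Windows XML schema); the Event IDs 5145, 7045 and 4688 are the real Windows ones.

```python
"""Correlating the host-side footprint of psexec.py and wmiexec.py.

Added defender example, not part of the original notes. The event dicts use
an assumed, flattened schema; map them from your own SIEM fields.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Timestamps are ISO-8601 strings.
EVENTS = [
    # Security 5145: a file is written into the root of the ADMIN$ share.
    {"ts": "2024-05-01T10:00:00", "host": "WS01", "event_id": 5145,
     "share": "\\\\*\\ADMIN$", "relative_target": "QhPtXkZr.exe",
     "access_mask": "WriteData", "src_ip": "10.20.30.5"},
    # System 7045: a service is installed that runs that binary as LocalSystem.
    {"ts": "2024-05-01T10:00:02", "host": "WS01", "event_id": 7045,
     "service_name": "QhPtXkZr", "image_path": "%SystemRoot%\\QhPtXkZr.exe",
     "account": "LocalSystem"},
    # Security 4688: WmiPrvSE.exe spawns cmd.exe, output redirected into ADMIN$.
    {"ts": "2024-05-01T10:05:00", "host": "WS02", "event_id": 4688,
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "new_process": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1714557900.12 2>&1"},
    # Benign: a vendor agent service with no preceding ADMIN$ write.
    {"ts": "2024-05-01T10:10:00", "host": "WS03", "event_id": 7045,
     "service_name": "VendorAgent", "image_path": "C:\\Program Files\\Vendor\\agent.exe",
     "account": "LocalSystem"},
]

WINDOW = timedelta(seconds=60)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_psexec(events, window=WINDOW):
    """Flag a 5145 ADMIN$ write followed within `window` by a 7045 service
    install on the same host whose image path ends in the written file name."""
    writes = [e for e in events if e["event_id"] == 5145
              and e["share"].upper().endswith("ADMIN$")
              and "WriteData" in e["access_mask"]]
    installs = [e for e in events if e["event_id"] == 7045]
    hits = []
    for w in writes:
        for s in installs:
            same_host = w["host"] == s["host"]
            same_file = s["image_path"].lower().endswith("\\" + w["relative_target"].lower())
            in_window = timedelta(0) <= _ts(s) - _ts(w) <= window
            if same_host and same_file and in_window:
                hits.append({"host": w["host"], "src_ip": w["src_ip"],
                             "service": s["service_name"], "file": w["relative_target"]})
    return hits


# wmiexec.py runs commands as: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<epoch> 2>&1
WMIEXEC_RE = re.compile(r"cmd\.exe /Q /c .*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+\.\d+", re.IGNORECASE)


def detect_wmiexec(events):
    """Flag 4688 process creations whose parent is WmiPrvSE.exe and whose
    command line matches the wmiexec.py output-redirection pattern."""
    return [{"host": e["host"], "command_line": e["command_line"]}
            for e in events
            if e["event_id"] == 4688
            and e["parent_image"].lower().endswith("\\wmiprvse.exe")
            and WMIEXEC_RE.search(e["command_line"])]


if __name__ == "__main__":
    for hit in detect_psexec(EVENTS):
        print("psexec-style service install:", hit)
    for hit in detect_wmiexec(EVENTS):
        print("wmiexec-style execution:", hit)
```

The psexec rule deliberately keys on the upload-then-install sequence rather than on a random-looking service name alone, so ordinary software deployment (the WS03 event) does not fire; the wmiexec rule needs command-line logging enabled for 4688, otherwise only the WmiPrvSE parent relationship is available.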

5️⃣ Windapsearch

Windapsearch is a Python script for querying LDAP and extracting user, group, and computer information from an Active Directory domain.

  • python3 windapsearch.py --dc-ip 10.20.30.40 -u alex@corp.local -p StrongPass123 --da → Retrieves members of the Domain Admins group.

  • python3 windapsearch.py --dc-ip 10.20.30.40 -u alex@corp.local -p StrongPass123 -PU → Identifies privileged users.

6️⃣ BloodHound.py

BloodHound's original data collector was a PowerShell script; BloodHound.py is a Python implementation of that collector, useful for gathering AD-related data without needing a Windows machine.

  • sudo bloodhound-python -u 'alex' -p 'StrongPass123' -ns 10.20.30.40 -d corp.local -c all → Runs BloodHound data collection.

    • -ns = Name server

    • -d = Domain

    • -c = Collection type (all data in this case)

The output consists of JSON files.

  • zip -r corp_bh.zip *.json → Compresses the collected JSON files into a ZIP archive for import into BloodHound.
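As an added example (not code from these notes or from the BloodHound project), the following Python reads the users JSON that bloodhound-python writes and pulls out the accounts a defender would rotate first: enabled accounts that carry an SPN and have an old password, with admincount flagged separately. The sample document is constructed and follows a simplified form of the collector's data/Properties/meta layout; the exact property set varies between versions, so treat the keys and the AS_OF date as assumptions.

```python
"""Auditing a bloodhound-python users collection for risky SPN accounts.

Added example, not part of the original notes or of BloodHound itself.
The JSON layout below is a simplified stand-in for <timestamp>_users.json.
"""
import json
from datetime import datetime, timezone

# Constructed sample collection; names and epoch values are fake.
USERS_JSON = json.dumps({
    "data": [
        {"Properties": {"name": "ALEX@CORP.LOCAL", "enabled": True, "hasspn": False,
                        "admincount": False, "pwdlastset": 1704067200}},
        {"Properties": {"name": "SVC_SQL@CORP.LOCAL", "enabled": True, "hasspn": True,
                        "serviceprincipalnames": ["MSSQLSvc/db01.corp.local:1433"],
                        "admincount": True, "pwdlastset": 1514764800}},
        {"Properties": {"name": "OLDADMIN@CORP.LOCAL", "enabled": False, "hasspn": True,
                        "admincount": True, "pwdlastset": 1420070400}},
    ],
    "meta": {"type": "users", "count": 3, "version": 4},
})

# Assumed "current" date so the result is reproducible; use datetime.now(timezone.utc) in practice.
AS_OF = datetime(2024, 5, 1, tzinfo=timezone.utc)


def load_users(text):
    """Parse a users collection and return the per-account Properties dicts."""
    doc = json.loads(text)
    if doc.get("meta", {}).get("type") != "users":
        raise ValueError("not a users collection")
    return [entry["Properties"] for entry in doc["data"]]


def risky_spn_accounts(users, now=AS_OF, max_age_days=365):
    """Enabled accounts with an SPN whose password is older than max_age_days.

    Disabled accounts are skipped (their tickets cannot be requested), and
    privileged (admincount) hits sort first so they get rotated or moved to
    a gMSA before the rest.
    """
    findings = []
    for user in users:
        if not (user.get("enabled") and user.get("hasspn")):
            continue
        last_set = datetime.fromtimestamp(user["pwdlastset"], tz=timezone.utc)
        age_days = (now - last_set).days
        if age_days > max_age_days:
            findings.append({"name": user["name"],
                             "password_age_days": age_days,
                             "privileged": bool(user.get("admincount"))})
    return sorted(findings, key=lambda f: (not f["privileged"], -f["password_age_days"]))


if __name__ == "__main__":
    for finding in risky_spn_accounts(load_users(USERS_JSON)):
        print(finding)
```

Run it against the real file with the path substituted for USERS_JSON; the same pattern extends to the groups and computers collections (check meta.type first, as load_users does) for questions such as which machines allow unconstrained delegation.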