initial-enumeration-of-the-domain

Network Discovery and Traffic Analysis

Capture traffic using Wireshark

sudo wireshark

Capture packets on interface ens224 using tcpdump

sudo tcpdump -i ens224

Run Responder for LLMNR, NBT-NS, and MDNS poisoning

sudo responder -I ens224 -A

Ping sweep using fping

fping -asgq 172.16.5.0/23

Responder

sudo responder -I <interface> -A

Host and Service Enumeration

Perform aggressive scan on hosts listed in hosts.txt

sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum

Aggressive scan on a specific host

sudo nmap -A 172.16.5.100

User Enumeration

Clone kerbrute repository

sudo git clone https://github.com/ropnop/kerbrute.git

View make options

make help

Build kerbrute

sudo make all

Run kerbrute binary

./kerbrute_linux_amd64

Check current PATH

echo $PATH

Move kerbrute to a directory in PATH

sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute

Enumerate valid Active Directory users

kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users

1. Penetration Testing Setup Variations:

• Clients have diverse ways to set up penetration tests, ranging from fully external to deeply embedded within their network.

• This includes:

  • Virtual machines, physical devices, or on-site laptops.

  • VPN access.

  • Managed workstations or VDIs.

  • Cloud-based attack platforms.

• "Grey box" (partial knowledge) and "black box" (no knowledge) testing approaches.

• Evasive, non-evasive, or hybrid testing styles.

• Starting with or without credentials.

2. Initial Enumeration Goals:

• Identify active hosts and network services.

• Discover potential avenues for gaining a foothold.

• Enumerate users, computers, and services within the Active Directory (AD) environment.

• Find vulnerable hosts and services for exploitation.

• Document all findings meticulously.

3. Key Data Points:

• AD users.

• AD-joined computers (especially critical servers like Domain Controllers).

• Key services (Kerberos, NetBIOS, LDAP, DNS).

• Vulnerable hosts and services.

4. Enumeration Techniques:

• Passive Reconnaissance:

  • Network traffic monitoring (Wireshark, TCPDump).

  • LLMNR/NBT-NS analysis (Responder).

• Active Reconnaissance:

  • ICMP sweeps (FPing).

  • Port scanning and service identification (Nmap).

  • Kerberos User enumeration (Kerbrute).

5. Tools and Their Purpose:

• Wireshark/TCPDump: Network traffic capture and analysis.

• Responder: LLMNR/NBT-NS poisoning and analysis.

• FPing: Fast ICMP host discovery.

• Nmap: Port scanning, service identification, OS detection.

• Kerbrute: Kerberos-based user enumeration.

6. Importance of the SYSTEM Account:

• The NT AUTHORITY\SYSTEM account has the highest privileges on a Windows system.

• Compromising a SYSTEM account on a domain-joined host provides significant access to the AD environment.

• Allows for further enumeration, and attacks.

7. Ethical Considerations:

• Staying within the agreed-upon scope.

• Obtaining client approval before performing potentially disruptive actions.

• Understanding the potential impact of scanning and exploitation activities.

• Being aware of the noise generated by your actions, and how that relates to the type of test being performed.

8. User Enumeration Importance:

• Gaining a valid domain user account is a critical early step.

• It unlocks further enumeration and attack possibilities.

• Kerbrute is a tool that can be used to enumerate users.

9. Vulnerability Identification:

• Identifying outdated operating systems and services.

• Recognizing potential vulnerabilities (e.g., EternalBlue, MS08-067).

• Understanding the risks and obtaining client approval before exploiting vulnerabilities.