This section lists AD user reconnaissance techniques for common ports. Finding domain users and their credentials is the most important part of Active Directory penetration testing.
```bash
# No password
rpcclient -U '' -N $RHOST
# rpcclient useful commands to enumerate users and groups
> enumdomusers
> enumdomgroups
> querydispinfo
> querydominfo

# With password
rpcclient -U Throwback.local/BlaireJ 10.200.74.117

# Create a usernames.txt
vi enumdomusers.txt
# Copy and paste the enumdomusers output into enumdomusers.txt
cat enumdomusers.txt | cut -d ':' -f2 | cut -d '[' -f2 | cut -d ']' -f1 > usernames.txt
```
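The cut pipeline above is fine for a quick list, but it silently keeps prompt lines and drops the RID, which is the one value that survives renaming of built-in accounts. The following is an added example (not code from the original page or from rpcclient) that parses saved `enumdomusers`/`enumdomgroups` output into names and RIDs, produces the same de-duplicated list the pipeline produces, and reports well-known RIDs whose default name has been changed. The transcript in `SAMPLE` is constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# One line of rpcclient enumdomusers / enumdomgroups output, e.g.
#   user:[Administrator] rid:[0x1f4]
#   group:[Domain Admins] rid:[0x200]
RPC_LINE = re.compile(
    r"^(?P<kind>user|group):\[(?P<name>[^\]]*)\] rid:\[0x(?P<rid>[0-9a-fA-F]+)\]$"
)

# RIDs that are fixed in every domain (well-known SAM values).
WELL_KNOWN_RIDS: Dict[int, str] = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


def parse_rpcclient_enum(text: str) -> List[Tuple[str, str, int]]:
    """Return (kind, name, rid) for each matching line; prompts, errors and
    blank lines are ignored. The RID is converted from hex to an int."""
    found: List[Tuple[str, str, int]] = []
    for line in text.splitlines():
        m = RPC_LINE.match(line.strip())
        if m:
            found.append((m.group("kind"), m.group("name"), int(m.group("rid"), 16)))
    return found


def usernames(text: str) -> List[str]:
    """Same result as the cut pipeline, but order-preserving and
    de-duplicated: one account name per line for usernames.txt."""
    names: List[str] = []
    for kind, name, _ in parse_rpcclient_enum(text):
        if kind == "user" and name not in names:
            names.append(name)
    return names


def renamed_builtins(text: str) -> List[Tuple[int, str, str]]:
    """(rid, default name, observed name) for well-known RIDs whose account or
    group has been renamed. Renaming never changes the RID, so RID 500 is the
    built-in Administrator whatever it is currently called."""
    return [
        (rid, WELL_KNOWN_RIDS[rid], name)
        for _, name, rid in parse_rpcclient_enum(text)
        if rid in WELL_KNOWN_RIDS and name != WELL_KNOWN_RIDS[rid]
    ]


# Constructed sample transcript (not real output from any host on this page).
SAMPLE = """\
rpcclient $> enumdomusers
user:[sysadm] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[svc-alfresco] rid:[0x47b]
rpcclient $> enumdomgroups
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
"""

if __name__ == "__main__":
    print("\n".join(usernames(SAMPLE)))          # contents for usernames.txt
    for rid, default, seen in renamed_builtins(SAMPLE):
        print(f"RID {rid} is {default!r} by default but is named {seen!r}")
```

Feed it the saved `enumdomusers.txt` instead of `SAMPLE` to get the same list as the cut pipeline, plus a note on any renamed built-in account.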
```bash
# Enumerate AD machine
enum4linux $RHOST
enum4linux-ng.py -A $RHOST

# Check if you can collect the usernames
crackmapexec smb $RHOST --users
crackmapexec smb $RHOST -u '' -p '' --users
crackmapexec smb $RHOST -u 'anyuser' -p '' --users

# Check if you can enumerate users by bruteforcing the RID on the remote target
cme smb rebound.htb -u guest -p '' --shares --rid-brute 10000

# With username and password
cme smb $RHOST -u svc-alfresco -p s3rvice --shares
```
```bash
kerbrute userenum /usr/share/seclists/Usernames/Names/names.txt -d <domainname> --dc $RHOST

# Large list of usernames, only if you cannot find any users
kerbrute userenum /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -d <domainname> --dc $RHOST
```
See the Kerberos attacks section for attack techniques.
LDAP TCP (389)
```bash
# Search LDAP-based information. You might find some juicy info.
ldapsearch -H ldap://$RHOST -x -s base namingcontexts
ldapsearch -H ldap://$RHOST -x -b "DC=DANTE,DC=local"
ldapsearch -H ldap://$RHOST -D '' -w '' -b "dc=dante,dc=local"
ldapsearch -H ldap://$RHOST -D '' -w '' -b "dc=cascade,dc=local" | grep -iE '(password|pwd|pass|info|desc)'

# Check if you can use username and password
cme ldap $RHOST -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz'

# Search all objects
ldapsearch -H ldap://support.htb -D ldap@support.htb -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" "*"
```
```bash
# In case of an additional security error (AcceptSecurityContext error, etc.), add the -Y option with GSSAPI.
ldapsearch -H ldap://dc.absolute.htb -Y GSSAPI -b "cn=users,dc=absolute,dc=htb" users description
```
LDAP TCP (389) - User Description
```bash
# Query to get user descriptions via cme ldap and the get-desc-users module
cme ldap 192.168.56.11 -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -M get-desc-users
```
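Both the `grep -iE '(password|pwd|pass|info|desc)'` filter in the LDAP block and the `get-desc-users` module work on the same data: free-text attributes such as `description` and `info` that administrators sometimes fill with credentials. The grep matches whole lines, so it misses values that ldapsearch has folded onto a continuation line or emitted base64-encoded (`description::`). The following added example (not code from the page, from ldapsearch or from cme) is a small LDIF reader plus an audit that reports which accounts carry password-like text in those attributes, which is the same check a directory owner would run to find and clean up such entries. The keyword list extends the page's grep with a few variants, and the LDIF in `SAMPLE_LDIF` is constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Free-text attributes that routinely end up holding secrets.
AUDIT_ATTRS = ("description", "info", "comment")

# The page's grep keywords plus common variants; case-insensitive.
SECRET_WORDS = re.compile(r"(password|passwd|pwd|\bpass\b|\bcreds?\b|credential)", re.I)

# "attr: value" or "attr:: base64value"
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal reader for ldapsearch LDIF output: one dict per entry,
    lower-cased attribute name -> list of values. Handles folded lines
    (leading space), base64 values ('attr::') and skips '#' comment lines."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    pending: Optional[Tuple[str, str, str]] = None  # (attr, separator, raw value)

    def flush() -> None:
        nonlocal pending
        if pending is None:
            return
        attr, sep, raw = pending
        value = base64.b64decode(raw).decode("utf-8", "replace") if sep == "::" else raw
        current.setdefault(attr.lower(), []).append(value)
        pending = None

    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if line.startswith(" ") and pending is not None:
            # Folded continuation: LDIF strips exactly one leading space.
            pending = (pending[0], pending[1], pending[2] + line[1:])
            continue
        flush()
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_LINE.match(line)
        if m:
            pending = (m.group(1), m.group(2), m.group(3))
    flush()
    if current:
        entries.append(current)
    return entries


def audit_descriptions(ldif_text: str) -> List[Tuple[str, str, str]]:
    """(account, attribute, value) for every audited attribute whose value
    contains a password-like keyword. Entries without a dn (ldapsearch's
    trailing 'search:'/'result:' block) are ignored."""
    hits: List[Tuple[str, str, str]] = []
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry:
            continue
        name = (entry.get("samaccountname") or entry.get("cn") or entry["dn"])[0]
        for attr in AUDIT_ATTRS:
            for value in entry.get(attr, []):
                if SECRET_WORDS.search(value):
                    hits.append((name, attr, value))
    return hits


# Constructed sample in ldapsearch's output format (not from any real domain).
SAMPLE_LDIF = (
    "# extended LDIF\n"
    "#\n"
    "dn: CN=svc-backup,CN=Users,DC=example,DC=local\n"
    "objectClass: user\n"
    "sAMAccountName: svc-backup\n"
    "description: Service account for backups; pw\n"
    " d is in the shared KeePass\n"
    "\n"
    "dn: CN=jdoe,CN=Users,DC=example,DC=local\n"
    "objectClass: user\n"
    "sAMAccountName: jdoe\n"
    "description:: " + base64.b64encode(b"Initial password: Welcome2024!").decode() + "\n"
    "\n"
    "dn: CN=asmith,CN=Users,DC=example,DC=local\n"
    "objectClass: user\n"
    "sAMAccountName: asmith\n"
    "description: Marketing, desk 4B\n"
    "\n"
    "# search result\n"
    "search: 2\n"
    "result: 0 Success\n"
    "\n"
    "# numResponses: 4\n"
)

if __name__ == "__main__":
    for account, attr, value in audit_descriptions(SAMPLE_LDIF):
        print(f"{account}: {attr} = {value!r}")
```

Run it against a saved `ldapsearch ... > users.ldif` dump; the folded `svc-backup` value and the base64-encoded `jdoe` value are both reported, whereas the line-based grep on this page would show neither the second half of the fold nor the decoded text.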