đŸ’»
my_offsec_notes
  • Intro
  • Enumeration
    • Network Discovery
      • Arp
      • NetDiscover
      • TCPDump
    • DNS Enumeration
      • Find E-mail Addresses
      • Zone Transfer
    • Scanning
      • Nmap
        • FlaconSpy.py
        • NSE
      • AutoRecon
      • onetwopunch.sh
      • nc
      • Nikto Scan
      • Banner Grabbing
    • brute forcing the web
    • my recon cheat-sheet
      • Comman
    • Passive Enum
  • Starting web services
  • ⚓Common Ports
    • TCP
      • Samba
        • Enumerating
        • Accessing
      • LDap
      • Domain (53)
      • NFS
      • MSRPC (135)
      • SMTP
      • MSRPC
      • FTP
        • BRUTE FORCING
      • KERBEROS (88)
      • POP3
      • RPC-BIND
      • SQL
        • MYSQL
          • My-SQL Root Access
          • Access
        • MS-SQL
          • Access
      • HTTP/HTTPS
        • WEB TECHNOLOGY
          • WORD-PRESS
          • DRUPAL
          • JOOMLA
          • WebDav
          • JENKINS
          • FLASK
          • PHP
          • J-BOSS
        • DIRECTORY/FILES FUZZING
        • LOGIN PAGE
        • TOMCAT
      • ORACLE (1521)
      • SSH
      • RDP (3389)
      • Redis
      • Rsync
      • Netbios (137)
      • Memcached (11211)
      • SSL (443)
      • Finger (79)
      • RPC (1024 to 5000)
    • ALL-ROUNDER
    • UDP
      • SNMP (161)
      • TFTP
  • PORT KNOCKING
  • ENUMERATING USERS
    • ENUM HASHES
  • Exploitation
    • Web Site Exploitation Vectors
      • LFI
        • Config Files
          • Linux
          • Windows
        • Some Useful
      • RFI
      • XXE
      • XSS
      • SQLi
        • NoSQL-Map
        • SQL-Map
      • SSTI
    • Accessing Target Machine
      • Windows
      • Linux
    • Exploits
  • Buffer Overflow
    • useful commands
    • Buffer Overflow Prep ("THM")
  • Creating Reverse Shells
    • Online Resources
    • Windows
    • Linux
    • Mac
    • Gifts for Web Pages
      • Scripting Languages
    • Common One liners
  • Active Directory
    • Enumeration
    • my A.D. Cheat-Sheet
    • After Getting D.C.
  • Priv-Esc
    • Windows
      • whoami /privs
      • Writable Service Executable
      • Cheat sheet
      • Unquoted Service Path
    • Linux
      • Cheat sheet
      • Cronjob
      • Docker (Group)
        • Docker GTFO
      • LXD (Group)
      • sudo+LD_PRELOAD
      • Mysql
        • MySQL (root access)
      • sudo<1.8.28
  • Break-Out Commands
    • Jailed SSH
    • Spawn a Bash shell for me
  • Password Attacks
  • PORT FORWARDING / TUNNELING
  • Post Exploitation
    • injecting Backdoors
  • Machines
    • Template
    • Hack The Box
      • Late
    • Try Hack Me
    • P.G. Grounds
    • Vuln-Hub
Powered by GitBook
On this page
  • Grabbing Host-name
  • You found Users but want to confirm
  • you have a password but don't know of which user
  • test If your founded User can be accessed
  • Bloodhound
  1. Active Directory

Enumeration

PreviousActive DirectoryNextmy A.D. Cheat-Sheet

Last updated 2 years ago


>>>bloodhound-pyhton  -u  username  -p  password  -d  htb.local  -ns  $IP

Grabbing Host-name

crackmapexec smb $IP

You found Users but want to confirm 

Page Link : https://github.com/ropnop/kerbrute/releases/tag/v1.0.3
./kerbrute _linux_amd64 userenum --dc $IP -d <domain> users.txt

you have a password but don't know of which user 

./kerbrute _linux_amd64 passwordspray 	--dc $IP -d <domain>  users.txt  ‘Iampassword?’

test If your founded User can be accessed 

crackmapexec smb $IP -u  username -p ‘password’

crackmapexec winrm $IP -u  username -p ‘password’

crackmapexec winrm $IP -d domain -u  username -p ‘password’

Bloodhound

Link : https://github.com/fox-it/BloodHound.py
python3 bloodhound.py -u username -p ‘password’ -d  <domain> -ns  $IP  -c All
above command will generate some json files for bloodhound.

sudo neo4j console 

wget https://github.com/BloodHoundAD/BloodHound/releases/download/4.1.0/BloodHound-linux-x64.zip
unzip BloodHound-linux-x64.zip
cd BloodHound-linux-x64.zip
chmod +x BloodHound
./BloodHound

👍
👍