Enumerating infrastructure to get access to a device on AD

TO-DO

• Enumerate the internal network
  • identify users
  • identify hosts
  • identify critical services running
  • identify potential vulnerabilities
  • potential avenues for a foothold.
• Start probing those hosts, looking for any interesting data we can glean from them.
• Regroup and look at what info you got.
  • You may have a set of credentials or a user account to target for a foothold
  • the ability to begin credentialed enumeration

Identifying Hosts

Hosts enumeration

Getting AD Specific Info

<aside> 🚨 we do that to??

1. know open ports so you know services running like Kerberos and LDAP
2. gather domain, hostname, and forest names
3. if LDAP is open then you can enumerate good information from it
4. if WSMan and WinRM services are open then you can use credentials you find to connect to the box using Evil-winRM </aside>

• Enum users

• bruteforce on existing users

• Kerberos brute forcing

• AS-REP ROASTING

• Groups.xml

• Connecting to MS SQL Service service account