From 327966ea70a8f7e1988d54fa5af3bcf555f21f37 Mon Sep 17 00:00:00 2001 From: sud0Ru <153985719+sud0Ru@users.noreply.github.com> Date: Sun, 12 Jan 2025 00:09:48 +0300 Subject: [PATCH 1/2] Adding new way for domain users enumeration --- src/windows-hardening/active-directory-methodology/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/windows-hardening/active-directory-methodology/README.md b/src/windows-hardening/active-directory-methodology/README.md index 77130c545..45bec3aea 100644 --- a/src/windows-hardening/active-directory-methodology/README.md +++ b/src/windows-hardening/active-directory-methodology/README.md @@ -78,6 +78,8 @@ If you just have access to an AD environment but you don't have any credentials/ - **Anonymous SMB/LDAP enum:** Check the [**pentesting SMB**](../../network-services-pentesting/pentesting-smb/index.html) and [**pentesting LDAP**](../../network-services-pentesting/pentesting-ldap.md) pages. - **Kerbrute enum**: When an **invalid username is requested** the server will respond using the **Kerberos error** code _KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error _KRB5KDC_ERR_PREAUTH_REQUIRED_, indicating that the user is required to perform pre-authentication. +- **No Authintication against MS-NRPC**: Using auth-level = 1 (No authentication) against the MS-NRPC (Netlogon) interface on domain controllers.The method calls the `DsrGetDcNameEx2` function after binding MS-NRPC interface to check if the user or computer exists without any credentials. +The [NauthNRPC](https://github.com/sud0Ru/NauthNRPC) tool implments this type of enumeration. The reseash can be found [here](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/22190247/A-journey-into-forgotten-Null-Session-and-MS-RPC-interfaces.pdf) ```bash ./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt #From https://github.com/ropnop/kerbrute/releases @@ -88,6 +90,7 @@ Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm=' use auxiliary/gather/kerberos_enumusers crackmapexec smb dominio.es -u '' -p '' --users | awk '{print $4}' | uniq +python3 nauth.py -t target -u users_file.txt #From https://github.com/sud0Ru/NauthNRPC ``` - **OWA (Outlook Web Access) Server** From 5184529807a01617dd7c2265d797afacfd26207f Mon Sep 17 00:00:00 2001 From: SirBroccoli Date: Wed, 22 Jan 2025 13:08:43 +0100 Subject: [PATCH 2/2] Update README.md --- src/windows-hardening/active-directory-methodology/README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/windows-hardening/active-directory-methodology/README.md b/src/windows-hardening/active-directory-methodology/README.md index 45bec3aea..a129a98fc 100644 --- a/src/windows-hardening/active-directory-methodology/README.md +++ b/src/windows-hardening/active-directory-methodology/README.md @@ -78,8 +78,7 @@ If you just have access to an AD environment but you don't have any credentials/ - **Anonymous SMB/LDAP enum:** Check the [**pentesting SMB**](../../network-services-pentesting/pentesting-smb/index.html) and [**pentesting LDAP**](../../network-services-pentesting/pentesting-ldap.md) pages. - **Kerbrute enum**: When an **invalid username is requested** the server will respond using the **Kerberos error** code _KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN_, allowing us to determine that the username was invalid. **Valid usernames** will illicit either the **TGT in a AS-REP** response or the error _KRB5KDC_ERR_PREAUTH_REQUIRED_, indicating that the user is required to perform pre-authentication. -- **No Authintication against MS-NRPC**: Using auth-level = 1 (No authentication) against the MS-NRPC (Netlogon) interface on domain controllers.The method calls the `DsrGetDcNameEx2` function after binding MS-NRPC interface to check if the user or computer exists without any credentials. -The [NauthNRPC](https://github.com/sud0Ru/NauthNRPC) tool implments this type of enumeration. The reseash can be found [here](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/22190247/A-journey-into-forgotten-Null-Session-and-MS-RPC-interfaces.pdf) +- **No Authentication against MS-NRPC**: Using auth-level = 1 (No authentication) against the MS-NRPC (Netlogon) interface on domain controllers. The method calls the `DsrGetDcNameEx2` function after binding MS-NRPC interface to check if the user or computer exists without any credentials. The [NauthNRPC](https://github.com/sud0Ru/NauthNRPC) tool implements this type of enumeration. The research can be found [here](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2024/05/22190247/A-journey-into-forgotten-Null-Session-and-MS-RPC-interfaces.pdf) ```bash ./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt #From https://github.com/ropnop/kerbrute/releases