Overview
Active directory attacks are:
KerberoastingAS-REProastingGPP PasswordsMisconfigured GPO Permissions (or GPO-deployed files)Credentials in Network SharesCredentials in User AttributesDCSyncKerberos Golden TicketKerberos Constrained Delegation attackPrint Spooler & NTLM RelayingCoercing attacks & Kerberos Unconstrained DelegationObject ACLsPKI Misconfigurations-ESC1PKI Misconfigurations-ESC8(Coercing+Certificates)
Our Invirement Structure: The environment consists of the following machines and their corresponding IP addresses:
DC1:172.16.18.3DC2:172.16.18.4Server01:172.16.18.10PKI:172.16.18.15WS001:DHCP or 172.16.18.25(depending on the section)Kali Linux:DHCP or 172.16.18.20(depending on the section)
Below, you may find guidance (from a Linux host):
How to connect to the Windows box WS001
How to connect to the Kali box
How to transfer files between WS001 and your Linux attacking machine
Connect to WS001 via RDP
xfreerdp is the same software as the windows machines have just for linux. To access the machine, we will use the user account Bob whose password is 'Slavi123'.
xfreerdp /u:eagle\\bob /p:Slavi123 /v:TARGET_IP /dynamic-resolutionConnect to Kali via SSH
we can access the Kali machine via SSH. The credentials of the machine are the default 'kali/kali'
ssh kali@TARGET_IPConnect to Kali via RDP
If RDP is enabled on the kali machines, always connect using the rdp first.
xfreerdp /v:TARGET_IP /u:kali /p:kali /dynamic-resolutionMoving files between WS001 and your Linux attacking machine
On the WS there are sharable files (right click on a file -> properties -> sharing)
To access the folder from the Kali machine, you can use the 'smbclient' command Accessing the folder requires authentication, so you will need to provide credentials.
smbclient \\\\TARGET_IP\\Share -U eagle/administrator%Slavi123Once connected, you can utilize the commands put or get to either upload or download files.
Last updated