Ansh Bhawnani
Jul 30, 2022, 9 tweets, 4 min read
LEARNING OSCP: Day #7

Rooted a whole AD domain.

I will share my methodology. There are multiple paths and ways to gain access and move laterally; multiple tools and techniques will work.

I must say the AD in OSCP is pretty easy and straightforward.

#oscp #infosec
For initial access:
1. Start with the box that has a web server; it is the most common path.
2. Use revshells.com for PowerShell payloads. I prefer the base64-encoded one.
3. Just remember that Windows prefers '\' rather than '/', so don't mess up the syntax (C:\Users and not C:/Users).
For AD enumeration:
1. Use adPEAS. Just like linpeas and winpeas, it is a PowerShell script for automating domain info gathering and finding lateral movement vectors: github.com/61106960/adPEAS
2. I would recommend performing the enumeration manually before using this, to understand it better.
For password dumps:
1. I use mimikatz, github.com/ParrotSec/mimi…
2. Sometimes you'll get a key error; use the older version: github.com/allandev5959/m…
3. lsadump::sam (dump from the SAM)
4. sekurlsa::logonPasswords (dump from memory)
5. For access issues, use token::elevate to get SYSTEM
For ticket enumeration:
1. adPEAS can dump SPNs for domain and service accounts.
2. In mimikatz, kerberos::list to get in-memory tickets (and /export to get kirbi files)
3. In PowerShell, you can use PowerView: github.com/PowerShellMafi… (it's a really powerful AD enumerator, like adPEAS)
For password cracking:
1. Use john or hashcat, and even crackstation, with the NTLM format.
2. You can crack a kirbi with kirbi2john and then --format=krb5tgs
3. Hashcat is pretty easy and faster for cracking SPN tickets.
4. This is not actually required for NTLM hashes; you should use PtH.
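The defender's side of the SPN ticket dumping and cracking above is detecting it in the domain controller's Security log. This is an added example, not code from the thread: it parses constructed event 4769 records (a simplified key=value form, not real EVTX output) and flags accounts that requested RC4 service tickets for several distinct service accounts in a short span.

```python
"""Flag Kerberoasting-style TGS requests in Windows Security event 4769 records.

Constructed sample records (not real logs): each line is a set of 4769 fields
as key=value pairs separated by '|'. Field names follow the 4769 event schema.
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # weak etype that makes a TGS-REP quick to crack offline


def parse_line(line):
    """Turn 'EventID=4769|k=v|...' into a dict of field -> value."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_roastable_request(ev):
    """A single 4769 worth noting: RC4 ticket for a non-machine, non-krbtgt SPN."""
    svc = ev.get("ServiceName", "")
    return (ev.get("EventID") == "4769"
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC
            and svc.lower() != "krbtgt"
            and not svc.endswith("$"))  # machine accounts have random passwords


def find_kerberoasting(lines, threshold=3):
    """Return {account: sorted distinct SPNs} for accounts that pulled RC4
    service tickets for at least `threshold` distinct service accounts."""
    spns = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if is_roastable_request(ev):
            spns[ev.get("TargetUserName", "?")].add(ev["ServiceName"])
    return {acct: sorted(s) for acct, s in spns.items() if len(s) >= threshold}


SAMPLE_LOG = [  # constructed sample, not captured from a real DC
    "EventID=4769|TargetUserName=alice@CORP.LOCAL|ServiceName=krbtgt|TicketEncryptionType=0x12",
    "EventID=4769|TargetUserName=alice@CORP.LOCAL|ServiceName=FS01$|TicketEncryptionType=0x17",
    "EventID=4769|TargetUserName=bob@CORP.LOCAL|ServiceName=svc_sql|TicketEncryptionType=0x17",
    "EventID=4769|TargetUserName=bob@CORP.LOCAL|ServiceName=svc_http|TicketEncryptionType=0x17",
    "EventID=4769|TargetUserName=bob@CORP.LOCAL|ServiceName=svc_backup|TicketEncryptionType=0x17",
    "EventID=4769|TargetUserName=carol@CORP.LOCAL|ServiceName=svc_sql|TicketEncryptionType=0x12",
]

if __name__ == "__main__":
    for acct, svcs in find_kerberoasting(SAMPLE_LOG).items():
        print(f"possible Kerberoasting by {acct}: {', '.join(svcs)}")
```

Lowering the threshold to 1 turns this into an alert on any RC4 service ticket, which is noisy in domains that still have AES disabled on service accounts; the threshold on distinct SPNs is what separates a roast from normal use.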
For Pass the Hash:
1. Use impacket psexec or pth-winexe
2. CrackMapExec is a neat choice; it can even spray the hashes across all the servers: github.com/Porchetta-Indu…
3. I don't prefer Metasploit, but smb/psexec is an easy choice if you have no other options.
4. Use only the NT part!!
For Pass the Ticket:
1. PowerView to get domain account details (username, SID, FQDN, SPN, etc.)
2. Impacket ticketer.py
3. Mimikatz kerberos::golden /ptt (/spn for a silver ticket)
4. Once the tickets are in memory, use impacket psexec (or Sysinternals on Windows)
Will add more resources in future.
The only reason why people fear AD is the complex suite of tools and enumeration techniques required.
Once you start doing the labs, you'll get used to it. Keep making your notes and just remember,

ENUMERATION IS THE KEY!

More from @techhacker98

Aug 25, 2022
LEARNING OSCP: Day #8
Initial Access tips #1
1. Don't rely on a single wordlist. I had instances where I couldn't find a hidden directory with the dirbuster list, but got it when I ran with the dirb big.txt.
2. Don't forget to add extensions to directories: php, txt, html, etc.
#oscp
3. Try default passwords on every login function: ftp, ssh, mysql, smb, webdav, pop, etc. Search for the default creds of the specific web software and try an educated guess if the original ones don't work.
4. Always check the source code, for usernames, passwords, etc.
5. Bruteforce all authenticated services with identified strings which look like usernames.
6. Use README.txt/LICENSE.txt/CHANGELOG.txt for enumerating service versions.
7. Not every exploit is available on searchsploit, many times custom exploits from google/github work fine.
Jun 28, 2022
LEARNING OSCP: Day #2

Finished watching all the course videos. Took me 10 days, with about an hour a day, at 2x speed.

It starts from the basics, but elevates real fast. You'll learn about using Kali Linux, and the bash environment (a complete module for that).

#oscp #infosec
It will teach you about connection tools like netcat/socat/PowerShell/Powercat, and using them practically for file transfers, reverse/bind listeners, and channelizing I/O.

We also learn to make simple bash scripts for automation. You'll have practical exercises for each module.
The passive info gathering module isn't much of a requirement in the exam, though there are some useful tools like Google dorks and Shodan that might help.

Active info gathering is useful for DNS, SMB, Port scanning, NFS, SMTP and SNMP Enumerations.