coffeetohack

Active Directory
Methodology

Once you get initial access to the network, enumerate the target as much as you can. Things to enumerate:

  1. Find the full IP config: ipconfig /all

  2. Check the DNS IP. This will mostly be the IP of the DC.

  3. Check the privileges of the user: whoami /priv

  4. Check the membership of the user: whoami /groups

  5. Check the user's home directory: Desktop, Documents, Program Files etc.

  6. Check the network connections: netstat -ano

  7. Check running services and non-standard installed applications.

  8. Enumerate the machine to find interesting files, credentials, references to other machines.

  9. Enumerate using Sharphound and Bloodhound.

  10. Use PowerView to enumerate.

  11. Use Invoke-Portscan.ps1.

  12. Check if there are any domain names mentioned which can be added to /etc/hosts.

  13. Run automated scripts such as WindowsExploitSuggester, WinPeas, PowerUp, Seatbelt.

  14. Find hosts with SMB message signing disabled (to perform SMB relay).
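A defender-side check for step 14, added here as an example and not part of the original page: it reads the local host's SMB signing configuration (the condition a relay depends on) and flags hosts where signing is only enabled rather than required. It assumes the built-in Get-SmbServerConfiguration and Get-SmbClientConfiguration cmdlets are available (Windows 8 / Server 2012 and later) and that the LanmanServer and LanmanWorkstation registry paths in the comments are the ones backing them; the function name Get-SmbSigningPosture is my own.

```powershell
# Added example: audit SMB signing posture on the local Windows host.
# Run from an elevated prompt so the registry reads succeed.

function Get-SmbSigningPosture {
    # Effective settings as reported by the SMB stack
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Raw policy values (assumed standard paths) so GPO-enforced settings are visible
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cliKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $srvReg = Get-ItemProperty -Path $srvKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue
    $cliReg = Get-ItemProperty -Path $cliKey -Name RequireSecuritySignature -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        ServerSigningEnabled   = [bool]$server.EnableSecuritySignature
        ServerSigningRequired  = [bool]$server.RequireSecuritySignature
        ClientSigningRequired  = [bool]$client.RequireSecuritySignature
        ServerRegistryRequired = [bool]$srvReg.RequireSecuritySignature
        ClientRegistryRequired = [bool]$cliReg.RequireSecuritySignature
        # Only *required* signing blocks an unsigned relayed session;
        # "enabled" still lets a peer negotiate signing away.
        RelayResistant         = [bool]$server.RequireSecuritySignature
    }
}

$posture = Get-SmbSigningPosture
$posture | Format-List

if (-not $posture.RelayResistant) {
    Write-Warning ("SMB server signing is not required on {0}; enforce " +
        "'Microsoft network server: Digitally sign communications (always)'." -f $posture.ComputerName)
}
```

Running this across a fleet (for example via Invoke-Command) gives the same list of signing-disabled hosts the attacker's scan would, but from the inventory side, so they can be fixed before a relay is possible.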

Once you are done with the enumeration, piece the information together and plan the attack:

  1. As this is an AD environment, most machines will be interconnected to each other. So, check if there are other machines connected to the compromised machine. You can do this by using Invoke-Portscan.

  2. If you cannot directly reach the other machines, you will have to set up port forwarding or a proxy. Do this by using chisel, socat, sshtunnel, or Metasploit.

  3. Try using tools such as evil-winrm, psexec, xfreerdp, ssh to log into the other machine. Try proxychains.

  4. Check if you can brute-force something using the data enumerated from the previously compromised machine. Do this by using Hydra, Burp Suite, or crackmapexec.

  5. Dump the hashes using secretsdump.py, mimikatz, or by dumping the SAM and SYSTEM files.

  6. Use Responder; you may be able to capture a user's hash.

  7. If there is a mail server then try sending emails to everyone in the email list with a reverse shell file attached to the email. Maybe there is a script running on a machine that will automatically execute the file and give you a reverse shell.

  8. Find accounts that are kerberoastable. Then use GetUserSPNs, GetNPUsers.py to dump the krbtgt hash.

  9. To access a website that cannot be reached directly, set up the proxy/tunnel and use FoxyProxy to access the website.

  10. Find Principals with DCSync Rights. Find the account which has those rights and then use secretsdump.py to dump the hashes.

  11. Add a new user and get an RDP connection (if ports are open).

  12. Try performing an SMB relay attack using ntlmrelayx.py.

  13. Check for IPv6 attacks.

  14. Check for PassThePassword and PassTheHash.

  15. Check for token impersonation.

  16. Check for GPP/cPassword attacks.

  17. Check for URL File attacks.

  18. Check for Golden Ticket attacks.

  19. Do process migration.

STUCK?

  1. Check the command and the parameters carefully.

  2. Try using a different tool.

  3. Check if the proxy has crashed.

  4. Check if you can use the creds on some other service.
