Visit official github page
Certified Red Team Professional (CRTP) - Notes

3.1 - Host & User Identification

Host Identification

Fping

The fping tool allows quick identification of active hosts within a network range. For instance:

fping -asgq 192.168.1.0/24

Parameters Explained:

  • -a: Display only active hosts.

  • -s: Print statistics at the end of the scan.

  • -g: Generate a list of destinations from a CIDR network.

  • -q: Suppress output for individual hosts.

Once the scan is complete, you can create a list of active hosts for further enumeration.

Nmap

nmap can also be used to perform a Ping Scan for host discovery:

sudo nmap -sn 192.168.1.0/24

Parameters Explained:

  • -sn: Skip port scanning and focus on host discovery by sending ICMP echo requests.

This scan provides a list of active hosts within the network. After identifying live hosts, we can move to detailed enumeration to identify services, critical hosts (e.g., domain controllers, web servers), and potential vulnerabilities.

Nmap Advanced Scans

  1. Enumerate Active Hosts from a List

    sudo nmap -v -A -iL hosts.txt -oN hostEnum

    • -v: Increase verbosity.

    • -A: Perform OS detection, version detection, script scanning, and traceroute.

    • -iL: Input file containing list of target hosts.

    • -oN: Save results in a standard output format.

  2. Comprehensive Port Scan

    nmap -p- -sS --open --min-rate 5000 -vvv -Pn -n 192.168.1.10 -oG scanPorts

    • -p-: Scan all 65,535 ports.

    • -sS: Perform a TCP SYN scan.

    • --open: Display only open ports.

    • --min-rate 5000: Ensure a minimum scan rate of 5000 packets per second.

    • -Pn: Skip ping checks.

    • -n: Skip DNS resolution.

    • -oG: Save results in greppable format for easy parsing.

  3. Targeted Service Scan

    nmap -sCV -p <PORTS> 192.168.1.10 -oN targeted

    • -sCV: Perform service and version detection, and run default scripts.

    • -p: Specify ports to scan.

User Identification

Obtaining Valid Domain Users

Kerbrute

Kerbrute is a stealthy tool for enumerating domain accounts by exploiting Kerberos pre-authentication failures, which often avoid logging or alerts:

kerbrute userenum -d DC.LOCAL --dc 192.168.1.1 usernames.txt -o valid_ad_users.txt

Extract valid usernames from results:

cat valid_ad_users.txt | awk -F "VALID USERNAME:\t" '{print $2}' | tr -d ' ' | sed '/^$/d' | awk -F '@' '{print $1}' | tee users.txt

  1. Checking for Passwords Matching Usernames Some users may have their username as their password:

kerbrute bruteuser -d DC.LOCAL -dc 192.168.1.1 usernames.txt passwords.txt

PowerView

  • Find all machines on the current domain where the current user has local admin access

    Find-LocalAdminAccess -Verbose

  • Find computers where a domain admin (or specified user/group) has sessions:

    Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"

Invoke Session Hunter

https://github.com/Leo4j/InvokeSessionHuntergithub.com

  • List sessions on remote machines Users

    . C:\AD\Tools\Invoke-SessionHunter.ps1
Invoke-SessionHunter -FailSafe
Invoke-SessionHunter -NoPortScan -RawResults | select Hostname,UserSession,Access

Labs

Refers to Learning Object 7 lab

Previous3️⃣ 3 - AD EnumerationNext3.2 - Common Services Enum

Last updated