Starting phase of Active Directory penetration testing against Inlanefreight domain. Beginning from an attack host placed inside the network without domain credentials.
Client Configuration:
- Custom pentest VM within internal network (calls back to jump host)
- Windows host available for tool loading
- Starting unauthenticated with standard domain user account available (htb-student)
- Network range:
172.16.5.0/23 - Grey box testing approach
- Non-evasive testing
- Enumerate internal network - identify hosts, services, attack vectors
- Document findings for later use
- Find domain user account or SYSTEM access on domain-joined host
Technique: Monitor network traffic to identify hosts and services
# Start Wireshark GUI
sudo -E wireshark
# Command line alternative
sudo tcpdump -i ens224Key Findings:
- ARP packets reveal active hosts:
172.16.5.5,172.16.5.25,172.16.5.50,172.16.5.100,172.16.5.125 - MDNS queries reveal hostnames:
ACADEMY-EA-WEB01.local
Technique: Analyze LLMNR, NBT-NS, and MDNS traffic passively
# Passive analysis mode (no poisoning)
sudo responder -I ens224 -ABenefits:
- Non-intrusive reconnaissance
- Discovers additional hosts not seen in basic scans
- Identifies naming conventions and network structure
Technique: ICMP sweep to identify live hosts
# Quick ICMP sweep with summary
fping -asgq 172.16.5.0/23Example Output:
172.16.5.5
172.16.5.25
172.16.5.50
172.16.5.100
172.16.5.125
172.16.5.200
172.16.5.225
172.16.5.238
172.16.5.240
510 targets
9 alive
501 unreachable
Flags Explained:
-a: Show targets that are alive-s: Print stats at end of scan-g: Generate target list from CIDR-q: Quiet (don't show per-target results)
Technique: Detailed service and version detection
# Aggressive scan against host list
sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum
# Single host detailed scan
sudo nmap -A -v -Pn 172.16.5.5
# Network-wide scan with grepable output
sudo nmap -A -Pn -T5 -oG ./nmapOutput 172.16.5.0/23Domain Controller (172.16.5.5) - ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL:
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP
3268/tcp open ldap Microsoft Windows Active Directory LDAP
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP
3389/tcp open ms-wbt-server Microsoft Terminal Services
Legacy System (172.16.5.100) - Potential Quick Win:
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7600
1433/tcp open ms-sql-s Microsoft SQL Server 2008 R2 10.50.1600.00
Technique: Kerberos pre-authentication username enumeration
# Clone repository
sudo git clone https://github.com/ropnop/kerbrute.git
cd kerbrute
# View compile options
make help
# Compile for all platforms
sudo make all
# Install binary
sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbruteTechnique: Leverage Kerberos pre-auth failures (often doesn't trigger alerts)
# Enumerate users against DC with wordlist
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_usersExample Results:
[+] VALID USERNAME: jjones@INLANEFREIGHT.LOCAL
[+] VALID USERNAME: sbrown@INLANEFREIGHT.LOCAL
[+] VALID USERNAME: tjohnson@INLANEFREIGHT.LOCAL
[+] VALID USERNAME: evalentin@INLANEFREIGHT.LOCAL
[+] VALID USERNAME: sgage@INLANEFREIGHT.LOCAL
[+] VALID USERNAME: jshay@INLANEFREIGHT.LOCAL
[+] VALID USERNAME: jhermann@INLANEFREIGHT.LOCAL
[+] VALID USERNAME: whouse@INLANEFREIGHT.LOCAL
[+] VALID USERNAME: emercer@INLANEFREIGHT.LOCAL
[+] VALID USERNAME: wshepherd@INLANEFREIGHT.LOCAL
Done! Tested 48705 usernames (56 valid) in 9.940 seconds
Benefits of Kerbrute:
- ✅ Stealthy (pre-auth failures often don't log)
- ✅ Fast (thousands of usernames in seconds)
- ✅ Builds target list for password spraying
⚠️ Caution: Can cause account lockouts if not careful
| Data Point | Description | Use Cases |
|---|---|---|
| AD Users | Valid user accounts discovered | Password spraying, targeted attacks |
| AD Computers | Domain Controllers, file servers, SQL servers, web servers, Exchange | Service enumeration, lateral movement |
| Key Services | Kerberos, NetBIOS, LDAP, DNS | Protocol-specific attacks |
| Vulnerable Hosts | Legacy systems, unpatched services | Quick wins, privilege escalation |
Gaining NT AUTHORITY\SYSTEM on domain-joined host provides:
- Domain enumeration capabilities (computer account impersonation)
- Kerberoasting/ASREPRoasting attacks
- Net-NTLMv2 hash gathering with Inveigh
- SMB relay attacks
- Token impersonation for privileged accounts
- ACL attacks
- Remote exploits: MS08-067, EternalBlue, BlueKeep
- Service abuse: SYSTEM services + SeImpersonate (Juicy Potato)
- Local privilege escalation: Windows Task Scheduler 0-day
- Local admin + Psexec: Launch SYSTEM cmd window
- Evasive vs Non-evasive: Understand engagement rules
- Network impact: Some scans can destabilize systems
- Industrial environments: Be cautious with sensors/controllers
- Documentation: Always use
-oAflag for multiple output formats
- Start passive: Wireshark, Responder analysis
- Light active: fping, basic port scans
- Targeted enumeration: Focus on discovered services
- Deep dive: Service-specific enumeration tools
Task: Find the commonName in SSL certificate
Solution:
# SSH to attack host
ssh htb-student@10.129.226.51
# Password: HTB_@cademy_stdnt!
# Scan target host
sudo nmap -A -v -Pn 172.16.5.5Answer: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Location: Found in SSL-Cert details under port 3389 (RDP)
Task: Find IP address of host running specific SQL Server version
Solution:
# Network-wide scan with grepable output
sudo nmap -A -Pn -T5 -oG ./nmapOutput 172.16.5.0/23
# Extract SQL Server hosts
awk '/1433\/open/ {print $2}' nmapOutput
# Alternative: grep for SQL Server version
grep "Microsoft SQL Server 2019 15.00.2000.00" nmapOutputAnswer: 172.16.5.130
Location: Found on port 1433 during service detection
- Methodical approach: Passive → Active → Targeted enumeration
- Documentation crucial: Save all scan outputs for later analysis
- Multiple tools: Different tools reveal different information
- Legacy systems: High-value targets but require caution
- User enumeration: Critical for subsequent password attacks
- Service focus: Target AD-specific protocols (LDAP, Kerberos, DNS)
- Password spraying against enumerated users
- Service-specific enumeration (SMB, LDAP, etc.)
- Vulnerability assessment of discovered hosts
- Search for foothold opportunities
- Usernames: jsmith.txt, jsmith2.txt (from Insidetrust repository)
- Passwords: Common corporate passwords, season+year patterns
- Subdomain enumeration: SecLists various wordlists
# Passive analysis
sudo wireshark
sudo tcpdump -i ens224
sudo responder -I ens224 -A
# Active discovery
fping -asgq 172.16.5.0/23
sudo nmap -sn 172.16.5.0/23
# Service enumeration
sudo nmap -A -v -Pn TARGET
sudo nmap -A -Pn -T5 -oA scan_results 172.16.5.0/23# Kerbrute setup
git clone https://github.com/ropnop/kerbrute.git
make all
sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute
# Username enumeration
kerbrute userenum -d DOMAIN --dc DC_IP wordlist.txt -o valid_users# Extract specific services
awk '/PORT_NUMBER\/open/ {print $2}' nmap_output.gnmap
grep "SERVICE_NAME" nmap_output
# Format for further tools
cat valid_users | cut -d@ -f1 > usernames.txtThis methodology provides a systematic approach to initial AD enumeration, balancing thoroughness with operational security considerations.