h4n0sh1 · November 17, 2024 12:51
diff --git a/Domain Enumeration Commands b/Domain Enumeration Commands
 Domain: TEST.local
 User Enumeration:
  Windows:
    net user
    net user /domain
    net user [username]
    net user [username] /domain
    wmic useraccount
  Mac:
    dscl . ls /Users
    dscl . read /Users/[username]
    dscl "/Active Directory/TEST/All Domains" ls /Users
    dscl "/Active Directory/TEST/All Domains" read /Users/[username]
    dscacheutil -q user
  LDAP:
    ldapsearch -H ldap://test.local -b DC=test,DC=local "(objectclass=user)"
    ldapsearch -H ldap://test.local -b DC=test,DC=local "(&(objectclass=user)(name=[username]))"
    // LDAP Null bind = Anonymous
    ldapsearch -H ldap://htb.local -x -b "DC=htb,DC=local" '(objectClass=*)' 
    // Ldap search with username + password 
    ldapsearch -H ldap://support.htb -D [email protected] -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" "*"
  BLOODHOUND:
    curl -L https://ghst.ly/getbhce | docker compose -f - up
    bloodhound-python -d support.htb -usupport -p 'Ironside47pleasure40Watchful' -gc support.htb -c all -ns 10.129.255.119

    


 Computer Enumeration:
  Windows:
    net group "Domain Computers" /domain
    net group "Domain Controllers" /domain
  Mac:
    dscl "/Active Directory/TEST/All Domains" ls /Computers
    dscl "/Active Directory/TEST/All Domains" read "/Computers/[compname]$"
  LDAP:
    ldapsearch -H ldap://test.local -b DC=test,DC=local "(objectclass=computer)"
    ldapsearch -H ldap://test.local -b DC=test,DC=local "(&(objectclass=computer)(name=[computername]))"

 Group Enumeration:
  Windows:
    net localgroup
    net group /domain
    net localgroup [groupname]
    net group [groupname] /domain
    wmic group
  Mac:
    dscl . ls /Groups
    dscl . read "/Groups/[groupname]"
    dscl "/Active Directory/TEST/All Domains" ls /Groups
    dscl "/Active Directory/TEST/All Domains" read "/Groups/[groupname]"
  LDAP:
    ldapsearch -H ldap://test.local -b DC=test,DC=local "(objectclass=group)"
    ldapsearch -H ldap://test.local -b DC=test,DC=local "(&(objectclass=group)(name=[groupname]))"
    ldapsearch -H ldap://test.local -b DC=test,DC=local "(&(objectclass=group)(name=*admin*))"

 Domain Information:
  Windows:
    wmic ntdomain
    ipconfig /all
  Mac:
    dsconfigad -show
  LDAP:
    ldapsearch -H ldap://test.local -b DC=test,DC=local "(objectclass=trusteddomain)"
	Domain: TEST.local
	User Enumeration:
	Windows:
	net user
	net user /domain
	net user [username]
	net user [username] /domain
	wmic useraccount
	Mac:
	dscl . ls /Users
	dscl . read /Users/[username]
	dscl "/Active Directory/TEST/All Domains" ls /Users
	dscl "/Active Directory/TEST/All Domains" read /Users/[username]
	dscacheutil -q user
	LDAP:
	ldapsearch -H ldap://test.local -b DC=test,DC=local "(objectclass=user)"
	ldapsearch -H ldap://test.local -b DC=test,DC=local "(&(objectclass=user)(name=[username]))"
	// LDAP Null bind = Anonymous
	ldapsearch -H ldap://htb.local -x -b "DC=htb,DC=local" '(objectClass=*)'
	// Ldap search with username + password
	ldapsearch -H ldap://support.htb -D [email protected] -w 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -b "dc=support,dc=htb" "*"
	BLOODHOUND:
	curl -L https://ghst.ly/getbhce \| docker compose -f - up
	bloodhound-python -d support.htb -usupport -p 'Ironside47pleasure40Watchful' -gc support.htb -c all -ns 10.129.255.119




	Computer Enumeration:
	Windows:
	net group "Domain Computers" /domain
	net group "Domain Controllers" /domain
	Mac:
	dscl "/Active Directory/TEST/All Domains" ls /Computers
	dscl "/Active Directory/TEST/All Domains" read "/Computers/[compname]$"
	LDAP:
	ldapsearch -H ldap://test.local -b DC=test,DC=local "(objectclass=computer)"
	ldapsearch -H ldap://test.local -b DC=test,DC=local "(&(objectclass=computer)(name=[computername]))"

	Group Enumeration:
	Windows:
	net localgroup
	net group /domain
	net localgroup [groupname]
	net group [groupname] /domain
	wmic group
	Mac:
	dscl . ls /Groups
	dscl . read "/Groups/[groupname]"
	dscl "/Active Directory/TEST/All Domains" ls /Groups
	dscl "/Active Directory/TEST/All Domains" read "/Groups/[groupname]"
	LDAP:
	ldapsearch -H ldap://test.local -b DC=test,DC=local "(objectclass=group)"
	ldapsearch -H ldap://test.local -b DC=test,DC=local "(&(objectclass=group)(name=[groupname]))"
	ldapsearch -H ldap://test.local -b DC=test,DC=local "(&(objectclass=group)(name=admin))"

	Domain Information:
	Windows:
	wmic ntdomain
	ipconfig /all
	Mac:
	dsconfigad -show
	LDAP:
	ldapsearch -H ldap://test.local -b DC=test,DC=local "(objectclass=trusteddomain)"