added PW policies, cleanup

This commit is contained in:
gurkenhabicht 2025-05-20 14:38:52 +02:00
parent 84a3616b03
commit dedafc3c94
2 changed files with 47 additions and 1 deletion

@ -35,6 +35,23 @@ ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>
ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile ldapsearch -H ldap://$TARGET_IP -x -b 'DC=<DC>,DC=<ORG>' -D '<DC>\<user>' -W > outfile
``` ```
Other tools are enum4linux-ng and rpcclient.
```sh
enum4linux-ng -A $TARGET_IP -oA ldap_report.txt
```
```sh
rpcclient -U "" -N $TARGET_IP
> enumdomusers
```
Check status of users via Kerbrute.
```sh
./kerbrute_linux_amd64 userenum --dc $TARGET_IP -d $DC_DOMAIN ./users.txt
```
## Domain Dump ## Domain Dump
If a set of LDAP credentials is known dump the domain via If a set of LDAP credentials is known dump the domain via
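Review bot: the `-oA ldap_report.txt` argument on the enum4linux-ng line is a base name, not a file name: `-oA` writes JSON and YAML and appends the extensions itself, so this run produces `ldap_report.txt.json` and `ldap_report.txt.yaml`; use `-oA ldap_report`, or `-oJ`/`-oY` if only one format is wanted. The sentence "Check status of users via Kerbrute." does not say what is being checked: `kerbrute userenum` sends Kerberos AS-REQs without a password and reports a name as valid when the KDC answers with a pre-authentication-required error instead of unknown-principal, so it confirms which usernames exist without incrementing the bad-password count; stating that would also explain why it is placed after the `enumdomusers` listing. It is worth adding that `rpcclient -U "" -N` depends on null sessions being permitted, which hardened DCs reject.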
@ -82,4 +99,5 @@ used for SQL injections. They way they are done in LDAP queries is the following
The tautology is introduced through `(&)`, which sets the condition of the The tautology is introduced through `(&)`, which sets the condition of the
password check to true. password check to true.
Other injections like blind based are also possible through boolean or error based responses, providing information about the state of the LDAP query. Other injections like blind based are also possible through boolean or error
based responses, providing information about the state of the LDAP query.
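Review bot: this hunk only re-wraps the sentence, but "blind based" should read "blind", and the context line above the hunk header still has the typo "They way they are done" (should be "The way they are done"). The tautology explanation would also be clearer with the reason `(&)` is always true: an AND filter with no operands is the absolute-true filter defined in RFC 4526, so substituting it for the password clause makes the filter match regardless of the password supplied.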

@ -0,0 +1,28 @@
# Password Policies
In order to generate password lists it is of importance to know the password
policies of the designated target. Therefore one can use `netexec` or
`crackmapexec` to find out how they look like.
```sh
netexec smb $TARGET_IP --pass-pol
```
## Password Complexity Flags
The output of netexec contains a field which indicates what [password
complexity](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gpsb/0b40db09-d95d-40a6-8467-32aedec8140c)
is used.
> Flag that indicates whether the operating system MUST require that passwords
> meet complexity requirements. If this flag is set, it indicates that passwords
> MUST meet a specific minimum requirement. This value MUST be between 0 and
> 2^16. A value of 0 indicates that no password complexity requirements apply.
> Any other valid value indicates that password complexity requirements apply.
Categories of complexity are
* Uppercase letters
* Lowercase letters
* Digits
* Special characters
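Review bot: the "Password Complexity Flags" field that `netexec smb --pass-pol` prints is not read from Group Policy; netexec queries the SAMR domain password information over MS-RPC and shows the `PasswordProperties` bit field, whose `DOMAIN_PASSWORD_COMPLEX` bit is the complexity flag, whereas the linked MS-GPSB passage describes the `PasswordComplexity` setting in the security-settings GPO that configures that bit. Either cite MS-SAMR's DOMAIN_PASSWORD_INFORMATION alongside or say that the GPO value is what ends up in that field, otherwise the quoted "0 to 2^16" range reads as if it applied to the netexec output. The list under "Categories of complexity are" is also too short to drive wordlist generation: the Windows rule is at least three out of five categories (the fifth being Unicode alphabetic characters that are neither uppercase nor lowercase), and the password must not contain the user's account name or parts of the full name longer than two consecutive characters; the same `--pass-pol` output gives the minimum length, history length and lockout settings, which a generated list and the spray schedule should respect as well.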