PNPT notes
// eCPTxv2 study / enum
// Find the organization's systems with nbtscan
# nbtscan -r range
// Find the hostnames in a range:
# nmap -sL range
// Find the domain and version:
# use auxiliary/scanner/smb/smb_version
// SNMP scanner
# use auxiliary/scanner/snmp/snmp_login
// Find the domain controller
# dig -t NS domain_name
# dig _gc.domain_name
// Enumeration can be done with rpcclient
# rpcclient -U 'sfsd%sfs' Address
// Get information about the system
rpcclient $> srvinfo

// Domain users
rpcclient $> enumdomusers

// Domain (built-in) groups
rpcclient $> enumalsgroups domain
rpcclient $> enumalsgroups builtin

// Find the SID
rpcclient $> lookupnames name

// Get information by RID:
rpcclient $> queryuser 500 // admin
// SMB share
# smbclient -U 'domain\user%pass' -L hostname
// Find the DC
> nltest /server:<IP of any domain member> /dclist:domain
// Domain list
> net view /domain:domainname
// PowerView / has a session, etc.
> Invoke-UserHunter
> Invoke-UserView

Quieter:
> Invoke-StealthUserHunter
// View the processes on a remote target / admin needed
> Invoke-UserProcessHunter
// ACL abuse check
> Get-ObjectAcl -SamAccountName delegate -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}
// Tip
When antivirus software goes in to delete a file, a URL file attack is possible.

rpcclient $> querydispinfo
// HTB fuse // enumeration is key!

root@kali# smbclient -U bhult -L \\\\10.10.10.193
Enter WORKGROUP\bhult's password:
session setup failed: NT_STATUS_PASSWORD_MUST_CHANGE

If SMB does not accept the password, that does not mean the password is wrong.