These are the ways we initially attempt to attack Active Directory, so without any credentials or lateral movement. We are going to see how we can abuse features of Windows to get access to user accounts, and how we can use that to get access to credentials and maybe domain controllers.

A very good article to start →

LLMNR Poisoning

What is LLMNR? It's basically Link-Local Multicast Name Resolution, so it's basically like DNS, and it's used to identify hosts when DNS fails to do so. Previously this was NBT-NS. Its key flaw is that the service utilizes a username and NTLMv2 hash when appropriately responded to.

So in this the victim reaches out to the server; this is kind of like a man-in-the-middle attack. Basically, when some victim machine asks for a user that doesn't exist or something like that, the server responds "I don't know", and then the victim machine broadcasts saying "hey, does anyone know this server?". We come in the middle and say "hey, we know this, all you gotta do is send us your hash and I will connect you", and it provides us with that.

We use a tool called Impacket; in there we have a tool called Responder to help us do this attack, and this is what responds to these requests for us.

The best time to do this is in the early morning or at lunch when there is a lot of traffic; that's the best way to catch these hashes.

And then an event occurs: basically someone entered a wrong network drive, so something failing to resolve via DNS. Once this happens, we get the IP address of who we captured and the NTLMv2 hash of their password.

And then we can use hashcat to crack this in an easy-peasy way:

hashcat -m 5600 hashes.txt rockyou.txt

and we get the password. This is very common, and it works only if passwords are weak, so the less complex the password, the easier it is for us. Try to have passwords bigger than 14 letters.
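To see what is actually inside the line that gets captured and fed to hashcat -m 5600, here is an added example (not part of these notes, not Responder's or hashcat's code) that parses a NetNTLMv2 line in that format: USER::DOMAIN:ServerChallenge:NTProofStr:blob. The blob carries a Windows FILETIME timestamp and AV pairs naming the server the victim thought it was talking to, which is what a defender needs to correlate a capture with their logs. All values (jdoe, CORP, FILESRV01, the challenges) are constructed for the demo; the blob layout and AvId numbers follow the MS-NLMP structure.

```python
"""Parse a captured NetNTLMv2 line in hashcat -m 5600 format (added example)."""
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# AvId values from MS-NLMP for the AV pairs we decode here.
AV_NAMES = {
    0x0001: "NbComputerName",
    0x0002: "NbDomainName",
    0x0003: "DnsComputerName",
    0x0004: "DnsDomainName",
}


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is the number of 100 ns ticks since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of the above, done in integer arithmetic to avoid float rounding."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_av_pairs(data: bytes) -> dict:
    """Decode the AV_PAIR list (AvId, AvLen, value); the list ends with AvId 0."""
    pairs, offset = {}, 0
    while offset + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, offset)
        offset += 4
        if av_id == 0:
            break
        value = data[offset:offset + av_len]
        offset += av_len
        if av_id in AV_NAMES:
            pairs[AV_NAMES[av_id]] = value.decode("utf-16-le")
    return pairs


def parse_netntlmv2(line: str) -> dict:
    """Split USER::DOMAIN:ServerChallenge:NTProofStr:blob and decode the blob."""
    parts = line.strip().split(":")
    if len(parts) != 6 or parts[1] != "":
        raise ValueError("not a hashcat -m 5600 (NetNTLMv2) line")
    user, _, domain, server_challenge, nt_proof, blob_hex = parts
    if len(server_challenge) != 16 or len(nt_proof) != 32:
        raise ValueError("server challenge must be 8 bytes and NTProofStr 16 bytes (hex)")
    blob = bytes.fromhex(blob_hex)
    # NTLMv2_CLIENT_CHALLENGE: RespType/HiRespType 0x01 0x01, 6 reserved bytes,
    # 8-byte FILETIME, 8-byte client challenge, 4 reserved bytes, AV pairs, 4 reserved bytes.
    if blob[:2] != b"\x01\x01":
        raise ValueError("blob does not start with the NTLMv2 response header")
    (filetime,) = struct.unpack_from("<Q", blob, 8)
    return {
        "user": user,
        "domain": domain,
        # Computer accounts (trailing $) have long random passwords, so a wordlist
        # run like the hashcat command above will not crack them.
        "machine_account": user.endswith("$"),
        "timestamp": filetime_to_datetime(filetime),
        "client_challenge": blob[16:24].hex(),
        "av_pairs": parse_av_pairs(blob[28:]),
    }


def build_sample_line(user: str, domain: str, when: datetime, av_pairs: list) -> str:
    """Construct a syntactically valid capture line for the demo (values are made up)."""
    av = b"".join(
        struct.pack("<HH", av_id, len(text.encode("utf-16-le"))) + text.encode("utf-16-le")
        for av_id, text in av_pairs
    ) + struct.pack("<HH", 0, 0)
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", datetime_to_filetime(when))
            + bytes(range(8)) + b"\x00" * 4 + av + b"\x00" * 4)
    return f"{user}::{domain}:{'11' * 8}:{'22' * 16}:{blob.hex()}"


# Constructed sample: a user on CORP authenticating to a server called FILESRV01.
SAMPLE_LINE = build_sample_line(
    "jdoe", "CORP", datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
    [(0x0001, "FILESRV01"), (0x0002, "CORP"), (0x0004, "corp.local")],
)

if __name__ == "__main__":
    for key, value in parse_netntlmv2(SAMPLE_LINE).items():
        print(f"{key:>17}: {value}")
```

The timestamp is the client's clock at the moment it answered the poisoned reply, so it lines up with the 4624/4625 logon events on whatever host the victim was actually trying to reach, and the AV pairs tell you which name was spoofed. Lines whose user ends in $ are computer accounts; their random passwords are why the rockyou run above only ever recovers human-chosen ones.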

Attacks:

Download the Impacket tool first, install it, and then type responder.