When we are going to do a security test over the infrastructure of some company, we need credentials of any user of the domain; this is the first thing we should do. What options do we have to obtain some credentials?
I’m not sure if you’re asking about:
- Methods to steal domain credentials or
- The process to obtain access credentials from the client to execute other security tests
Can you please clarify?
I am asking for: Methods to steal credentials of any user of the domain
Well, I’ll describe the two cases: with network access and without it.
With network access you can try an mDNS spoofing attack (there is a tool, Responder) or an ARP spoofing attack.
Without network access, check if the wireless network uses enterprise login; then you can do a Rogue AP or Evil Twin attack to lure users to connect to your network and gather credentials.
Any of these attacks could give you some hashed credentials; you need to crack them using john or hashcat.
If everything fails, it’s always an option to try social engineering or shoulder surfing.
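The defensive counterpart of the mDNS/LLMNR spoofing mentioned in the answer (a poisoner such as Responder answers name queries that no real host would): a canary probe that detects it. This is an added example, not code from the thread or from Responder; the canary name, transaction id and the sample reply bytes are constructed.

```python
import socket
import struct

# Constructed canary name: no real host owns it, so any answer for it is LLMNR/mDNS poisoning.
CANARY, TXID = "canary7f3a", 0x1234

def build_query(name=CANARY, txid=TXID):
    """DNS-format A query: what a host multicasts when it cannot resolve a name."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _read_name(pkt, off):
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer back into the packet
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [_read_name(pkt, ptr)[0]]), off + 2
        labels.append(pkt[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def parse_a_answers(pkt):
    """Return (txid, [(name, ipv4), ...]) for the A records in a response."""
    txid, _flags, qd, an = struct.unpack("!HHHH", pkt[:8])
    off = 12
    for _ in range(qd):
        off = _read_name(pkt, off)[1] + 4  # skip QNAME, QTYPE, QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(pkt[off:off + 4])))
        off += rdlen
    return txid, answers

def poisoner_ips(pkt, txid=TXID, canary=CANARY):
    """IPs claiming the canary name in a reply to our txid: each one is a spoofer."""
    rid, answers = parse_a_answers(pkt)
    return [ip for n, ip in answers if rid == txid and n.lower() == canary.lower()]

# Constructed sample of a spoofer's reply: our txid, QR=1, one A record for the canary.
SAMPLE_RESPONSE = (
    b"\x12\x34\x80\x00\x00\x01\x00\x01\x00\x00\x00\x00\x0acanary7f3a\x00\x00\x01\x00\x01"  # header + echoed question
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x1e\x00\x04"  # answer: name ptr, A, IN, TTL 30, rdlen 4
    b"\x0a\x00\x00\x42"                                  # RDATA 10.0.0.66 (constructed)
)
```

From a monitoring host, send build_query() to the LLMNR multicast group 224.0.0.252 on UDP 5355 (or 224.0.0.251:5353 with a name ending in .local for mDNS) and pass every reply to poisoner_ips(); a non-empty result names the host to investigate.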