Domain Enum & Exploitation
Bloodhound
Standalone
Via Covenant
Via Impacket
Sometimes this results in a DNS timeout; in that case we can use dnschef.py:
ACLight
ACLight is a great script that finds highly privileged accounts by using PowerView and then generates a report.
Find OS Versions
Userenum
Kerbrute
Printerbug
Exploit a flaw in MS-RPC to get a connect-back from a vulnerable server via printerbug.py:
Read Remote Registry
We can read a remote machine's registry with a Service Ticket (which can be generated with "getST.py" if we have a user's credentials or hash) and "runas /netonly". This only works if the user we are targeting has a session on the target system (check in BloodHound).