All Commands, Tools & Scripts

Here is a collection of commands, tools and scripts that can be used during the exploitation of an Active Directory environment.

List of users & groups within the local system
net user
net group
List of shares on the local and remote machines

NET SHARE

NET VIEW \\ComputerName /All

List of users and groups within the domain

In order to list the users and groups of the domain, you must be logged in as a user of that domain.

net user /domain
net group /domain
Details about a user - password profile, groups, etc.
net user alice /domain
List of users and their attributes
List of logged-in users

The PowerView script from GitHub can be used to list logged-in users.

Alternatively, the PsLoggedon executable can be used to retrieve the list when PowerView does not work due to permissions:

List of SPNs in the domain

Service Principal Names (SPNs) are names given to services hosted within the domain. Enumerating them gives us the IP address and port of those services along with a list of other details.

The same script used for enumerating users and attributes can be used for SPNs with a slight modification.

Change the $Search.filter="samAccountType=805306368" to $Search.filter="serviceprincipalname=*http*"

Alternatively, the Get-SPN script can also be used.

The native Windows tool setspn can also be used to get the list of SPNs:

Retrieve User Password Hash from LSASS

We will use the mimikatz executable to retrieve the password hashes; you need at least local administrator privilege to get them:

List local users and NTLM hash

This command can be used to list the local users along with their NTLM hashes. It is all the more useful once you gain access to a domain controller, where it lists all users belonging to that domain.

Retrieve TGT and TGS of Users & Services

The TGTs and TGSs of logged-in users are stored in LSASS.

Export TGS to the drive & crack it

We can export the TGS to the drive and then use John or Hashcat to crack the file. The mimikatz procedure is as follows; you will need to know the SPN to retrieve its ticket.

Once the ticket is exported, it can be cracked using tgsrepcrack:

Invoke-Kerberoast

Invoke-Kerberoast is a PowerShell script that takes care of identifying SPNs and exporting the kirbi files end-to-end.

Once you have the file in hashcat format, it can be cracked using hashcat:
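The Kerberoast procedure above leaves a distinctive trail on the domain controller: a burst of event 4769 service ticket requests with RC4 encryption (type 0x17) for user-owned SPNs from a single account. The detection below is an added example, not part of the original notes; the event records are constructed and the field names assume a SIEM normalisation of 4769, not raw Windows XML.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 (Kerberos service ticket request) fields,
# as a SIEM would normalise them. Not real telemetry.
EVENTS_4769 = [
    {"time": "2024-03-01T09:00:01", "account": "alice@CORP.LOCAL", "service": "svc_sql", "etype": "0x12", "status": "0x0"},
    {"time": "2024-03-01T09:00:02", "account": "alice@CORP.LOCAL", "service": "WS01$", "etype": "0x12", "status": "0x0"},
    {"time": "2024-03-01T09:05:00", "account": "bob@CORP.LOCAL", "service": "svc_sql", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T09:05:01", "account": "bob@CORP.LOCAL", "service": "svc_http", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T09:05:02", "account": "bob@CORP.LOCAL", "service": "svc_backup", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T09:05:03", "account": "bob@CORP.LOCAL", "service": "krbtgt", "etype": "0x17", "status": "0x0"},
    {"time": "2024-03-01T09:05:04", "account": "bob@CORP.LOCAL", "service": "svc_old", "etype": "0x17", "status": "0x20"},
]

RC4_HMAC = "0x17"      # ticket encryption type that roasting tools request
WINDOW = timedelta(minutes=5)
THRESHOLD = 3          # distinct roastable SPNs per account inside WINDOW

def is_roastable_request(ev):
    """RC4 TGS for a user-owned SPN: ignore machine accounts ($), krbtgt and failures."""
    svc = ev["service"].split("/")[0]
    return (ev["etype"] == RC4_HMAC and ev["status"] == "0x0"
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def detect_kerberoast(events, window=WINDOW, threshold=THRESHOLD):
    """Return {account: sorted services} for accounts that obtain at least
    `threshold` distinct RC4 service tickets within any `window`."""
    by_account = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_roastable_request(ev):
            by_account[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["service"]))
    alerts = {}
    for account, reqs in by_account.items():
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                alerts[account] = sorted(in_window)
                break
    return alerts
```

Service accounts that still have RC4-only keys produce 0x17 tickets legitimately, so tune the threshold to the environment and treat the RC4 requests themselves as a prompt to move those accounts to AES.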

Slow User Password Guessing

One of the ways, though not the most effective, is to attempt logins with guessed passwords. We can automate this process using PowerShell scripts. However, one thing to keep in mind is the number of wrong passwords after which an account will be locked. We can find it by:

Lockout Threshold and Lockout Observation Window are the two parameters to keep in mind before starting this attack.

We can use the DomainPasswordSpray script to try and guess user passwords:
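Because the spray described above deliberately stays under the Lockout Threshold for each account, per-account failure counts never fire; the signal is one source failing against many different accounts inside a single Lockout Observation Window. This detection is an added example, not part of the original notes; the failed-logon records are constructed and the policy values are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon telemetry (event 4625 on a member server or 4771
# Kerberos pre-auth failure on a DC), normalised to (time, source, account).
FAILED_LOGONS = [
    ("2024-03-01T10:00:00", "10.0.0.44", "alice"),
    ("2024-03-01T10:00:02", "10.0.0.44", "bob"),
    ("2024-03-01T10:00:04", "10.0.0.44", "carol"),
    ("2024-03-01T10:00:06", "10.0.0.44", "dave"),
    ("2024-03-01T10:00:08", "10.0.0.44", "erin"),
    ("2024-03-01T10:00:10", "10.0.0.44", "frank"),
    # A real user mistyping their own password: one account, repeated tries.
    ("2024-03-01T10:01:00", "10.0.0.51", "grace"),
    ("2024-03-01T10:01:05", "10.0.0.51", "grace"),
    ("2024-03-01T10:01:09", "10.0.0.51", "grace"),
]

# Assumed domain policy values (the two parameters the text names).
LOCKOUT_THRESHOLD = 5
OBSERVATION_WINDOW = timedelta(minutes=30)

def detect_spray(logons, window=OBSERVATION_WINDOW, threshold=LOCKOUT_THRESHOLD,
                 min_accounts=LOCKOUT_THRESHOLD):
    """Return {source: sorted accounts} for sources that fail against at least
    `min_accounts` distinct accounts inside one `window`, while keeping every
    account below `threshold` failures (the pattern that evades lockout)."""
    by_source = defaultdict(list)
    for t, src, acct in sorted(logons):      # ISO timestamps sort chronologically
        by_source[src].append((datetime.fromisoformat(t), acct))
    alerts = {}
    for src, attempts in by_source.items():
        for i, (t0, _) in enumerate(attempts):
            per_account = defaultdict(int)
            for t, acct in attempts[i:]:
                if t - t0 <= window:
                    per_account[acct] += 1
            low_and_wide = sorted(a for a, n in per_account.items() if n < threshold)
            if len(low_and_wide) >= min_accounts:
                alerts[src] = low_and_wide
                break
    return alerts
```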

Windows Login with NTLM Hash

This works only with the NTLM hash of AD admin accounts and built-in local admin accounts. It is merely a replacement for logging in with passwords.

Use user NTLM hash to open an application

This works when another user is logged on to the system using NTLM and you would like to start an application in that user's context. Here we will get a ticket for PowerShell and open the PowerShell application.

Ensure that a user already has a session using NTLM and obtain the password hash as shown in the section "Retrieve User Password Hash from LSASS".

Then use the following code to get a Kerberos ticket for PowerShell:

With this you should have a PowerShell open within the context of the user "administrator".

Generate TGT & TGS using PowerShell Opened within User's Context

If you already have a PowerShell application open within the user's context, you can request a TGT and use it to further your attack. The following command authenticates to a network share:

Note: any command that requires authorisation from the DC can be used here.

You can check the generated ticket using the command "klist".

Open a Cmd Prompt on a Remote System

In order to open a command prompt on a remote system within the context of a user, you should already have a PowerShell/cmd prompt in that user's context on the local system. Then the tool PsExec.exe can be used to open the remote prompt.

It is important to note that some systems accept only the domain name, which then has to be used in the command instead of the IP address or loopback address.

Open a Cmd Prompt from a Linux System

This is the Linux equivalent of PsExec on Windows. It comes in handy when you have the username and password to gain command prompt control of a remote system. It requires the target machine to have SMB enabled and write access to the Admin$ share.

It is important to note that some systems accept only the domain name, which then has to be used in the command instead of the IP address or loopback address.

Crafting a Silver Ticket in Kerberos

A silver ticket is a service ticket that is crafted by the user instead of being requested with a TGT. We will need the password hash of the service account that runs the service and the security identifier (SID) of the user's domain.

The SID can be viewed using the following command:

Then the ticket can be crafted using mimikatz:

The rc4 parameter indicates the encryption algorithm to be used, and its value is the encryption key, which here is the NTLM hash of that service account. The NTLM hash can be procured for the SPN by requesting a service ticket and then cracking it. Check out the "Export TGS to the drive & crack it" section.
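Because a silver ticket is encrypted with the service account's own key, it never passes through the KDC: the target server logs a Kerberos logon (event 4624) for which no domain controller ever logged a matching service ticket request (event 4769). Correlating the two is one way to spot forged service tickets. This is an added example, not part of the original notes; the host-to-SPN-owner mapping and the event records are constructed, and the 10-hour window assumes the default maximum service ticket lifetime.

```python
from datetime import datetime, timedelta

# Constructed samples, not real telemetry. The DC logs 4769 for every service
# ticket it issues; the server logs 4624 (type 3, package Kerberos) for every
# ticket it accepts. A silver ticket is built from the service account's key
# and never touches the DC, so its 4624 has no 4769 behind it.
SPN_OWNER = {"FILE01": "FILE01$", "SQL01": "svc_sql"}  # host -> account holding its SPN
TGS_ISSUED_4769 = [  # (time, requesting account, service name as logged by the DC)
    ("2024-03-01T08:00:00", "alice", "FILE01$"),
    ("2024-03-01T08:30:00", "bob", "svc_sql"),
]
SERVER_LOGONS_4624 = [  # (time, account, host, authentication package)
    ("2024-03-01T08:00:03", "alice", "FILE01", "Kerberos"),
    ("2024-03-01T12:15:00", "bob", "SQL01", "Kerberos"),  # cached ticket, within lifetime
    ("2024-03-01T09:10:00", "administrator", "SQL01", "Kerberos"),  # no TGS ever issued
    ("2024-03-01T09:20:00", "carol", "FILE01", "NTLM"),  # NTLM path, not a Kerberos ticket
]
TICKET_LIFETIME = timedelta(hours=10)  # assumed default maximum service ticket lifetime

def find_unissued_kerberos_logons(tgs_events, logon_events, spn_owner=SPN_OWNER,
                                  lifetime=TICKET_LIFETIME):
    """Return (time, account, host) for Kerberos logons that no DC-issued TGS
    for (account, owner of the host's SPN) precedes within `lifetime`."""
    issued = [(datetime.fromisoformat(t), acct.lower(), svc.lower())
              for t, acct, svc in tgs_events]
    suspicious = []
    for t, acct, host, package in logon_events:
        if package != "Kerberos":
            continue  # NTLM logons are covered by other detections
        when = datetime.fromisoformat(t)
        owner = spn_owner.get(host, f"{host}$").lower()  # default: machine account
        backed = any(a == acct.lower() and s == owner
                     and timedelta(0) <= when - ti <= lifetime
                     for ti, a, s in issued)
        if not backed:
            suspicious.append((t, acct, host))
    return suspicious
```

The 4769 feed must be collected from every domain controller, otherwise tickets issued by an uncollected DC show up as false positives; the durable mitigation remains rotating service account passwords and removing RC4 so the hash obtained by roasting stops being a usable key.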
