
Usernames (either build a list, or use Impacket or WindapSearch)
- Check whether Kerberos pre-authentication is disabled for any of the users

Nmap output
- If you see a lot of certificate-related output, that is a strong indication that a Certificate Authority is running. Use Certify to enumerate possible misconfigurations in Active Directory Certificate Services. Read the results very carefully.

Found a password
- If the password is for a service but does not work with that service, try it against other services or usernames.

Found a username
- Enumerate more:
  - Check "net user USERNAME"
  - Check the groups it belongs to
  - Check what programs it has access to
- ASREPRoast
- Password spraying

If you have a username and password
- Test it with crackmapexec (winrm and smb), SSH and FTP on all available machines
- Try enum4linux -a IP_ADDRESS
- Try psexec.py Domain.com/administrator@X.X.X.X
- Try impacket-GetUserSPNs to get SPNs
- If you already have a session, try to use that credential with RunasCs.ps1

Active Directory
- Enumerate other users: run remote BloodHound
- SPN? (Impacket or SetSPN.exe)
- Bind: use ldapsearch to search for more info
- SMB share rights (if you have write access, try to get hashes with ntlm_theft)

BloodHound
- Run remote BloodHound
- Check abuse opportunities
- If the account has DCSync rights: run secretsdump
- If there are other usernames, do a password spray (impacket-lookupsid and crackmapexec)
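The "pre-authentication disabled" check above is an audit of the userAccountControl attribute. Below is an added example (not part of the original checklist) that decodes that attribute from a constructed LDIF-style export and reports enabled accounts with the DONT_REQUIRE_PREAUTH bit set, which is the condition the ASREPRoast step depends on and the condition a defender should clear before an assessment finds it.

```python
"""Audit userAccountControl for enabled accounts that do not require
Kerberos pre-authentication. Added example; the sample export below is
constructed, not taken from a real directory."""

# userAccountControl bit values as documented by Microsoft.
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_DONT_REQUIRE_PREAUTH = 0x400000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    UF_DONT_REQUIRE_PREAUTH: "DONT_REQUIRE_PREAUTH",
}

# Constructed sample in the shape an "ldapsearch ... sAMAccountName
# userAccountControl" run would produce: blank-line-separated records.
SAMPLE_EXPORT = """\
sAMAccountName: svc_backup
userAccountControl: 4260352

sAMAccountName: jdoe
userAccountControl: 512

sAMAccountName: old_contractor
userAccountControl: 4194818

sAMAccountName: krbtgt
userAccountControl: 514
"""

def parse_export(text):
    """Turn LDIF-style 'key: value' records into a list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        records.append(current)
    return records

def decode_uac(uac):
    """Return the names of the known flag bits set in a uac value."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]

def preauth_exposed(records):
    """Enabled accounts with pre-authentication turned off; disabled
    accounts are skipped because the KDC rejects them before issuing a
    ticket, so they carry no exposure."""
    exposed = []
    for rec in records:
        uac = int(rec.get("userAccountControl", "0"))
        if uac & UF_DONT_REQUIRE_PREAUTH and not uac & UF_ACCOUNTDISABLE:
            exposed.append(rec["sAMAccountName"])
    return exposed
```

Running `preauth_exposed(parse_export(SAMPLE_EXPORT))` flags only svc_backup: old_contractor also has the bit set but is disabled, and the remediation is to clear the flag on svc_backup (or disable the account) rather than to rely on the disabled state.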
