Bloodhound

Extra: https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/

Start Neo4j

Run neo4j.bat console from the Neo4j bin directory, then open a web browser and navigate to http://localhost:7474/ (the web interface is ready once the log shows "Started.").

C:\Tools\neo4j\bin>neo4j.bat console
2021-05-11 10:03:21.143+0000 INFO  Starting...
2021-05-11 10:03:28.065+0000 INFO  ======== Neo4j 4.2.3 ========
2021-05-11 10:03:32.143+0000 INFO  Performing postInitialization step for component 'security-users' with version 2 and status CURRENT
2021-05-11 10:03:32.143+0000 INFO  Updating the initial password in component 'security-users'
2021-05-11 10:03:33.128+0000 INFO  Bolt enabled on localhost:7687.
2021-05-11 10:03:36.096+0000 INFO  Remote interface available at http://localhost:7474/
2021-05-11 10:03:36.096+0000 INFO  Started.

SharpHound.exe

SharpHound has a number of different collection methods (all documented on the repository):

  • Default - Performs group membership collection, domain trust collection, local group collection, session collection, ACL collection, object property collection, and SPN target collection

  • Group - Performs group membership collection

  • LocalAdmin - Performs local admin collection

  • RDP - Performs Remote Desktop Users collection

  • DCOM - Performs Distributed COM Users collection

  • PSRemote - Performs Remote Management Users collection

  • GPOLocalGroup - Performs local admin collection using Group Policy Objects

  • Session - Performs session collection

  • ComputerOnly - Performs local admin, RDP, DCOM and session collection

  • LoggedOn - Performs privileged session collection (requires admin rights on target systems)

  • Trusts - Performs domain trust enumeration

  • ACL - Performs collection of ACLs

  • Container - Performs collection of Containers

  • DcOnly - Performs collection using LDAP only. Includes Group, Trusts, ACL, ObjectProps, Container, and GPOLocalGroup.

  • ObjectProps - Performs Object Properties collection for properties such as LastLogon or PwdLastSet

  • All - Performs all Collection Methods except GPOLocalGroup.

C:\> SharpHound.exe -c DcOnly
C:\> SharpHound.exe -c DcOnly -d vulnableone.local
C:\> SharpHound.exe --CollectionMethod All,GPOLocalGroup --Domain vulnableone.local
C:\> SharpHound.exe --CollectionMethod All --Domain vulnableone.local --LdapUsername khan.chanthou --LdapPassword Password123 --ZipFileName output.zip

SharpHound.ps1

# Dot-source the script first so the Invoke-BloodHound function is loaded into the current session
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

Bloodhound Query

Service Principal Name (SPN)

MATCH (u:User {hasspn:true}) RETURN u

Shortest Paths from Kerberoastable Users

MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p

Unconstrained Delegation

MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

AllowedToDelegate to other computers

MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p

ASREP Roasting

MATCH (u:User {dontreqpreauth:true}) RETURN u

Constrained Delegation

MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p

GPO Query

MATCH (gr:Group), (gp:GPO), p=((gr)-[:GenericWrite]->(gp)) RETURN p

Discretionary Access Control Lists

MATCH (g1:Group), (g2:Group), p=((g1)-[:GenericAll]->(g2)) RETURN p
MATCH (g1:Group {name:"IT_Support"}), (g2:Group), p=((g1)-[:GenericAll]->(g2)) RETURN p

Potential MS SQL Admins

MATCH p=(u:User)-[:SQLAdmin]->(c:Computer) RETURN p

LAPS

MATCH (c:Computer {haslaps: true}) RETURN c
MATCH p=(g:Group)-[:ReadLAPSPassword]->(c:Computer) RETURN p
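The queries above are easier to reason about on a graph small enough to read. The Python below is an added example, not code from the original page and not part of BloodHound or SharpHound: it builds a constructed, invented graph that reuses BloodHound's node labels (User, Computer, Group), the property names the queries filter on (hasspn, dontreqpreauth, unconstraineddelegation, haslaps) and BloodHound edge kinds (MemberOf, AdminTo, GenericAll, AllowedToDelegate, SQLAdmin, ReadLAPSPassword), then reimplements the three query shapes as plain functions: a property filter, an edge filter, and the breadth-first shortestPath from Kerberoastable users to computers. Every account, host and edge in it is a placeholder, not data from any real domain.

```python
"""Offline model of the BloodHound Cypher queries on this page.

Added example; the graph below is constructed for illustration only and
mirrors BloodHound's labels, property names and edge kinds so that each
function corresponds to one query shape from the cheat sheet.
"""
from collections import deque

# Constructed nodes: name -> label plus the properties the queries filter on.
NODES = {
    "SVC_SQL@EXAMPLE.LOCAL":    {"label": "User", "hasspn": True, "dontreqpreauth": False},
    "J.DOE@EXAMPLE.LOCAL":      {"label": "User", "hasspn": False, "dontreqpreauth": True},
    "HELPDESK@EXAMPLE.LOCAL":   {"label": "Group"},
    "IT_SUPPORT@EXAMPLE.LOCAL": {"label": "Group"},
    "WS01.EXAMPLE.LOCAL": {"label": "Computer", "unconstraineddelegation": False, "haslaps": True},
    "DC01.EXAMPLE.LOCAL": {"label": "Computer", "unconstraineddelegation": True, "haslaps": False},
}

# Constructed directed edges (source, relationship, target).
EDGES = [
    ("SVC_SQL@EXAMPLE.LOCAL", "MemberOf", "HELPDESK@EXAMPLE.LOCAL"),
    ("HELPDESK@EXAMPLE.LOCAL", "GenericAll", "IT_SUPPORT@EXAMPLE.LOCAL"),
    ("IT_SUPPORT@EXAMPLE.LOCAL", "AdminTo", "WS01.EXAMPLE.LOCAL"),
    ("IT_SUPPORT@EXAMPLE.LOCAL", "ReadLAPSPassword", "WS01.EXAMPLE.LOCAL"),
    ("WS01.EXAMPLE.LOCAL", "AllowedToDelegate", "DC01.EXAMPLE.LOCAL"),
]


def match_nodes(label, **props):
    """MATCH (n:Label {prop: value}) RETURN n, e.g. match_nodes("User", hasspn=True)."""
    return sorted(
        name for name, attrs in NODES.items()
        if attrs["label"] == label and all(attrs.get(k) == v for k, v in props.items())
    )


def match_edges(rel, src_label=None, dst_label=None):
    """MATCH p=(a:Src)-[:REL]->(b:Dst) RETURN p, as a list of (src, rel, dst) triples."""
    return [
        (s, r, t) for s, r, t in EDGES
        if r == rel
        and (src_label is None or NODES[s]["label"] == src_label)
        and (dst_label is None or NODES[t]["label"] == dst_label)
    ]


def shortest_paths(start, target_label):
    """shortestPath((start)-[*1..]->(c:target_label)) for every reachable target.

    Breadth-first search: the first time a node is discovered is along a
    shortest hop-count path, which is what Cypher's shortestPath returns.
    Result maps each reachable target node to its path, written as
    [node, rel, node, rel, ..., node].
    """
    adjacency = {}
    for s, r, t in EDGES:
        adjacency.setdefault(s, []).append((r, t))
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for rel, nxt in adjacency.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [rel, nxt]
                queue.append(nxt)
    return {n: p for n, p in paths.items() if n != start and NODES[n]["label"] == target_label}


def kerberoastable_paths():
    """The 'Shortest Paths from Kerberoastable Users' query: one BFS per hasspn user."""
    return {u: shortest_paths(u, "Computer") for u in match_nodes("User", hasspn=True)}


def path_edges(path):
    """Split a path into (src, rel, dst) hops; each hop is one permission or
    membership a defender can review to break the path."""
    return [(path[i], path[i + 1], path[i + 2]) for i in range(0, len(path) - 2, 2)]


if __name__ == "__main__":
    print("SPN users:", match_nodes("User", hasspn=True))
    print("AS-REP roastable:", match_nodes("User", dontreqpreauth=True))
    print("Unconstrained delegation:", match_nodes("Computer", unconstraineddelegation=True))
    print("Group -GenericAll-> Group:", match_edges("GenericAll", "Group", "Group"))
    for user, targets in kerberoastable_paths().items():
        for computer, path in targets.items():
            print(f"{user} -> {computer}: {path_edges(path)}")
```

Reading the output from the defender's side: every hop returned by path_edges is a concrete object to remediate (a group membership, a GenericAll ACE, an AdminTo right or a delegation setting), and removing any one of them breaks that particular path; rerun the search afterwards, because the real graph usually has alternatives the shortest path hides.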