Red Teaming And Windows Notes

Weaponizing Windows Pt-1


Last updated 2 years ago

Assume the target domain controller is at 10.129.208.61, the domain is absolute.htb and the DC's hostname is dc.absolute.htb. You want to run SharpHound to collect data for BloodHound. The twist is that the domain only accepts Kerberos authentication, so anything that tries to authenticate with NTLM over the network fails. A Windows VM handles this easily: request a TGT with Rubeus, inject it into the current logon session, and let SharpHound authenticate to the DC with that ticket.

1) Set up DNS. Point the VM's DNS server at the domain controller (10.129.208.61) so that absolute.htb and dc.absolute.htb resolve. Kerberos and LDAP both need the DC's name to resolve, not just its IP, because service tickets are requested for the name (for example ldap/dc.absolute.htb).

2) Set up the hosts file. Path => C:\Windows\System32\drivers\etc\hosts. Append the IP and host names (10.129.208.61 for dc.absolute.htb and for absolute.htb) as a fallback in case DNS lookups fail. Editing the file requires an elevated editor.

3) Create the ticket. Command => .\Rubeus.exe asktgt /enctype:AES256 /user:<username> /password:<password> /domain:absolute.htb /dc:dc.absolute.htb /ptt
Rubeus derives the AES256 key from the password and the user/domain salt, requests a TGT from dc.absolute.htb and, with /ptt, injects it into the current logon session. Verify with klist that a krbtgt/ABSOLUTE.HTB ticket is present before continuing. If the request fails with KRB_AP_ERR_SKEW, the VM clock is more than five minutes off the DC's; sync the time and retry.

4) Run SharpHound. Command => . .\SharpHound.ps1; Invoke-BloodHound -Domain absolute.htb
Dot-sourcing the script loads Invoke-BloodHound into the current session, and SharpHound then authenticates to the DC using the injected ticket. After a while it writes a timestamped zip file in the working directory, ready for import into BloodHound.

Screenshots in the original page: DNS setting; IP and host name in the hosts file; running Rubeus to get the ticket; running SharpHound; SharpHound collects the zip.