Weaponizing Windows Pt-1

Let's assume you have the IP address 10.129.208.61, the domain absolute.htb, and the domain controller dc.absolute.htb. You want to run SharpHound to collect data for BloodHound. The twist is that only Kerberos authentication is available. We can use our Windows VM to do this easily.

1) Set up the DNS. The DNS points to dc.absolute.htb.

DNS Setting

2) Set up the hosts file.

Path => C:\Windows\System32\drivers\etc\hosts

Append the IP and host names.

IP And Host name in Hosts file

3) Create the ticket.

Command => .\Rubeus.exe asktgt /enctype:AES256 /user:<username> /password:<password> /domain:absolute.htb /dc:dc.absolute.htb /ptt

Running Rubeus to get the ticket

4) Run SharpHound.

Command => . .\SharpHound.ps1; Invoke-BloodHound -Domain absolute.htb

After a while we do get the zip file! 🎉

Running SharpHound!
SharpHound collects the zip!
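
To confirm that steps 1 to 3 took effect in the current session, a check like the following can be run before step 4. It is an added example, not part of the original write-up: the function name Test-KerberosLabSetup is hypothetical, and the port list (88 for Kerberos, 389 for LDAP) is an assumption about what the lab DC must expose.

```powershell
# Added example (not from the original page): verify the setup from steps 1-3.
# IP, domain, DC name and hosts path are the values used on this page.
$DcIp   = '10.129.208.61'
$Domain = 'absolute.htb'
$Dc     = 'dc.absolute.htb'
$Hosts  = 'C:\Windows\System32\drivers\etc\hosts'

# Hypothetical helper name; returns one object with a True/False per check.
function Test-KerberosLabSetup {
    $results = [ordered]@{}

    # Step 2: a non-comment hosts line maps the IP to the DC name.
    $pattern = '^\s*' + [regex]::Escape($DcIp) + '\s+.*\b' + [regex]::Escape($Dc) + '\b'
    $results['HostsEntry'] = [bool](Get-Content $Hosts | Where-Object { $_ -match $pattern })

    # Steps 1-2: the OS resolver returns the expected address for the DC name.
    # Kerberos is name-based, so a wrong or missing mapping breaks ticket use.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Dc) |
                 ForEach-Object { $_.IPAddressToString }
        $results['NameResolves'] = $addrs -contains $DcIp
    } catch {
        $results['NameResolves'] = $false
    }

    # Assumed ports: 88/tcp (Kerberos) and 389/tcp (LDAP) reachable on the DC.
    foreach ($port in 88, 389) {
        $probe = Test-NetConnection -ComputerName $Dc -Port $port -WarningAction SilentlyContinue
        $results["Tcp$port"] = $probe.TcpTestSucceeded
    }

    # Step 3: the ticket cache of this logon session holds a TGT for the domain.
    # Select-String is case-insensitive, so krbtgt/ABSOLUTE.HTB also matches.
    $results['TgtCached'] = [bool](klist | Select-String -SimpleMatch "krbtgt/$Domain")

    [pscustomobject]$results
}

Test-KerberosLabSetup | Format-List
```

Any False value identifies the step to revisit. Because /ptt places the ticket in the current logon session, the TgtCached check only reflects the session it is run in.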
