*dir \\\\za.tryhackme.com\\SYSVOL (tries Kerberos first for auth)*

*dir \\\\<DC IP>\\SYSVOL (uses NTLM) (better for avoiding detection in some cases)*
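The flip side of the Kerberos-vs-NTLM note above, as an added example that is not part of the original notes: a defender's check over constructed 4624 logon events (not real captured logs) that finds hosts reaching the DC over the network with NTLM only, which is what SYSVOL access by IP address or from a non-domain-joined host looks like in the Security log.

```python
from collections import defaultdict

# Constructed sample (not real captured logs): logon events from a DC's
# Security log flattened to key=value form. Real 4624 events carry the same
# data in the "Logon Type", "Authentication Package", "Source Network
# Address" and "Workstation Name" fields.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=3 AuthPackage=Kerberos TargetUser=alice Source=10.0.1.20 Workstation=WS01
EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=alice Source=10.0.1.20 Workstation=WS01
EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=svc_backup Source=10.0.9.77 Workstation=KALI
EventID=4624 LogonType=3 AuthPackage=NTLM TargetUser=svc_backup Source=10.0.9.77 Workstation=KALI
EventID=4624 LogonType=3 AuthPackage=Kerberos TargetUser=bob Source=10.0.1.21 Workstation=WS02
EventID=4625 LogonType=3 AuthPackage=NTLM TargetUser=guest Source=10.0.9.77 Workstation=KALI
"""


def parse_events(text):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(kv.split("=", 1) for kv in line.split())
            for line in text.splitlines() if line.strip()]


def auth_packages_by_source(text):
    """Map each source address to the set of auth packages it used for
    successful network logons (event 4624, logon type 3)."""
    seen = defaultdict(set)
    for ev in parse_events(text):
        if ev["EventID"] == "4624" and ev["LogonType"] == "3":
            seen[ev["Source"]].add(ev["AuthPackage"])
    return dict(seen)


def ntlm_only_sources(text):
    """Sources that logged on to the DC over the network with NTLM and never
    with Kerberos. A domain-joined host that addresses the DC by name normally
    gets Kerberos, so an NTLM-only source is worth a look: it is addressing
    the DC by IP, or it is not a domain-joined machine at all."""
    packages = auth_packages_by_source(text)
    return sorted(src for src, pkgs in packages.items() if pkgs == {"NTLM"})


def ntlm_logon_details(text):
    """(source, workstation, user) for every successful NTLM network logon.
    The workstation name is client-supplied, so treat it as a hint, not truth."""
    return [(ev["Source"], ev["Workstation"], ev["TargetUser"])
            for ev in parse_events(text)
            if ev["EventID"] == "4624" and ev["LogonType"] == "3"
            and ev["AuthPackage"] == "NTLM"]


if __name__ == "__main__":
    for src in ntlm_only_sources(SAMPLE_EVENTS):
        print("NTLM-only network logons from", src, ntlm_logon_details(SAMPLE_EVENTS))
```

On a real DC the same fields come from the 4624 event XML (and 4776 for NTLM credential validation); the constructed format here only stands in for that export.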

Theory & commands

runas.exe /netonly /user:<domain>\\<username> cmd.exe
dir \\\\za.tryhackme.com\\SYSVOL\\  # list SYSVOL to confirm everything is working
# If that fails, point DNS at the DC and check name resolution:
$dnsip = "<DC IP>"
$index = Get-NetAdapter -Name 'Ethernet' | Select-Object -ExpandProperty 'ifIndex'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
nslookup za.tryhackme.com

sudo ntpdate t1  # sync the clock with the target (Kerberos needs the time to match)
vim /etc/resolv.conf
nslookup <domain>  # if this errors without the DC IP being given explicitly, DNS is still wrong
# Methodology (each time you get creds: test SMB and Kerberos, then mark the user as owned in BloodHound):
# 1 IRL: LLMNR => capture hash + crack => spray => secretsdump => local admin => spray --local-admin
# 2 Kerberoasting => secretsdump => pass the hash / pass the password
# After owning the DC: persistence (create a domain admin account? and a golden ticket) => do it again, dump NTDS.dit and crack the passwords => enumerate shares for sensitive info

# If I get, let's say, creds for a normal user and nothing else, try to connect and elevate my privs to local admin

Hash capturing

No creds (a null session may return some; these can be disabled, non-domain, fake, or false positives):