Steps#

1. Make a directory

   mkdir <domain_name>
   cd <domain_name>

2. Run ldapdomaindump

   sudo ldapdomaindump ldaps://<domain_controller_ip> -u '<domain_name>\<user>' -p <password>

3. Analyse what we dump with Firefox

   

Why is it useful?#

• what are the high value targets?
  • check the Domain/Enterprise Admins table
• some specific access for domain users
• some interesting policies
• etc.

Prerequisites#

1. Install the latest version of Bloodhound

2. Need to install, launch and configureneoj4

   sudo neoj4 console

   Go to http://localhost:7474 and configure it

Steps#

1. Run Bloodhound & connect with your neoj4 credentials

   sudo bloodhound

2. Run an ingestor to remotely collect data for Bloodhound

   # Prepare a folder to receive all the collected data
   mkdir bloodhound_data
   cd bloodhound_data
   
   # Run the ingestor
   sudo bloodhound-python -d <domain_name> -u <user> -p <password> -ns <domain_controller_ip> -c all

3. Upload the collected data inside Bloodhound

   

4. Do some analysis / enumeration

   • Find all Domain Admins
   • See what we can do with our compromised user
   • And so much things…

Prerequisites#

• Install Plumhound

  git clone https://github.com/PlumHound/PlumHound.git
  sudo pip3 install -r requirements.txt

• Need to have neoj4 and Bloodhound up with collected data

• Do a first test to verify everything work

  cd /opt/PlumHound
  sudo python3 PlumHound.py --easy -p <neoj4_password>

Steps#

1. Run PlumHound with default tasks

   sudo python3 PlumHound.py -x tasks/default.tasks -p <neoj4_password>

2. Read the reports

   cd reports
   firefox index.html

Prerequisites#

• Download the script:

  https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

• Upload it to the compromised machine with Python web server & certutil

• You need to be local admin ⚠️

Steps#

• Run the script:

  

• Use this cheatsheet to enumerate the AD:

  https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993