Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)


Run nmap, or better Nessus, against the target range.

http_version is a Metasploit scanner module; give it a range of IPs.

Start Responder and let it run for a while in a tmux window while we perform other enumeration tasks, to maximize the number of hashes we can obtain.

Work through two different techniques side-by-side

Goal: acquire valid cleartext credentials for a domain user account, giving us a foothold in the domain from which to begin the next phase of enumeration from a credentialed standpoint.

Constantly repeating these processes as we uncover new data can guarantee you a lot of wins.

Network relay/poisoning attacks

DNS record injection, ADIDNS spoofing, ADIDNS abuse

Password spraying

Pre-Windows 2000 computers attack
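The password-spraying item above is the one a defender sees most clearly in logon telemetry: one source failing once or twice against many different accounts, rather than many times against one. The detector below is an added example written for this page, not code from the original notes; the 4625 (failed logon) records are constructed and the CSV layout of time, event id, target user, source IP and status is an assumption for the example.

```python
"""Password-spray detector over Windows 4625 (failed logon) events.

Added example, not from the original notes. The records below are constructed;
the CSV layout (time, event id, target user, source IP, NTSTATUS) is assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 0xC000006A = wrong password, 0xC0000064 = unknown user.
# 10.10.14.7 hits six accounts once each within seconds (spray pattern);
# 10.10.20.31 is one user failing repeatedly (brute force or a typo, not a spray).
SAMPLE_EVENTS = """\
2018-05-01T11:02:01,4625,fcastle,10.10.14.7,0xC000006A
2018-05-01T11:02:02,4625,pparker,10.10.14.7,0xC000006A
2018-05-01T11:02:02,4625,tstark,10.10.14.7,0xC000006A
2018-05-01T11:02:03,4625,bbanner,10.10.14.7,0xC000006A
2018-05-01T11:02:03,4625,nromanoff,10.10.14.7,0xC000006A
2018-05-01T11:02:04,4625,srogers,10.10.14.7,0xC000006A
2018-05-01T11:15:00,4625,fcastle,10.10.20.31,0xC000006A
2018-05-01T11:15:05,4625,fcastle,10.10.20.31,0xC000006A
2018-05-01T11:15:09,4625,fcastle,10.10.20.31,0xC000006A
"""


def parse_events(text):
    """Parse the constructed CSV into dicts, keeping only 4625 records."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, user, src, status = line.split(",")
        if event_id != "4625":
            continue
        events.append({"ts": datetime.fromisoformat(ts),
                       "user": user.lower(), "src": src, "status": status})
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5, max_per_user=2):
    """Return {source_ip: sorted target users} for every source that, inside one
    sliding time window, fails against at least min_users distinct accounts with
    no account tried more than max_per_user times. The per-user cap is what
    separates a spray from a single-account brute force."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it covers at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for e in evs[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[src] = sorted(per_user)
                break  # first matching window is enough to flag this source
    return hits


if __name__ == "__main__":
    for src, users in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible password spray from {src}: {', '.join(users)}")
```

Tune `min_users` and `window` to the domain's lockout policy: a sprayer who knows the threshold stays under it per account, so the signal is the account count per source, not the attempt count per account.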

Now that you have credentials and the domain name (from SMB enumeration):

You can get a shell with Metasploit:

`exploit/windows/smb/psexec`

Or you can use another tool:

psexec

`psexec.py marvel.local/fcastle:<password>@<IP>`

`psexec.py domain/user:password@IP`

`psexec.py user@IP -hashes LMHASH:NTHASH`

smbexec

wmiexec

`wmiexec.py user@IP -hashes LMHASH:NTHASH`
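Each of the psexec-style tools above gets its shell by installing a service on the target, which the System log records as Event ID 7045, so that event is the natural place to catch them. The classifier below is an added example for this page, not code from the original notes or from the tools' projects; the 7045 records are constructed (the smbexec command line is modelled on that tool's pattern, not copied from it), the field layout is assumed, and the service names and path patterns are well-known public indicators that you should check against your own baseline before alerting on them.

```python
"""Classify Windows System-log service installs (Event ID 7045) that look like
the remote-execution tools above. Added example, not from the original notes.
Records are constructed; field names (host, service, image, account) are assumed.
"""
import re

# Constructed 7045 records. WS04/WS05 are benign services for contrast.
SAMPLE_7045 = [
    {"host": "WS01", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe", "account": "LocalSystem"},
    {"host": "WS02", "service": "xQmZuPlK",
     "image": r"%SystemRoot%\ArZkLmQp.exe", "account": "LocalSystem"},
    {"host": "WS03", "service": "BTOBTO",
     "image": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 "
              r"> %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat",
     "account": "LocalSystem"},
    {"host": "WS04", "service": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe", "account": "LocalSystem"},
    {"host": "WS05", "service": "gupdate",
     "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /svc",
     "account": "LocalSystem"},
]

# Assumption: the random service name is eight ASCII letters.
RANDOM_NAME = re.compile(r"^[A-Za-z]{8}$")
# A service binary dropped directly in the ADMIN$ root (%SystemRoot% / C:\Windows)
# rather than in a vendor directory.
ROOT_DROP = re.compile(r"^(%SystemRoot%|C:\\Windows)\\[^\\]+\.exe$", re.IGNORECASE)


def classify(rec):
    """Return a tag for a suspicious service install, or None if it looks benign."""
    name, image = rec["service"], rec["image"]
    if name.upper() == "PSEXESVC":
        return "sysinternals-psexec"          # Sysinternals PsExec default service
    if name == "BTOBTO" or "__output" in image:
        return "impacket-smbexec"             # smbexec: cmd.exe relayed via C$\__output
    if RANDOM_NAME.match(name) and ROOT_DROP.match(image):
        return "impacket-psexec-like"         # random name + binary in ADMIN$ root
    if image.upper().startswith("%COMSPEC%") or "cmd.exe /" in image.lower():
        return "cmd-as-service"               # any service that is just a shell one-liner
    return None


def scan(records):
    """Return (host, service, tag) for every record that classify() flags."""
    findings = []
    for rec in records:
        tag = classify(rec)
        if tag:
            findings.append((rec["host"], rec["service"], tag))
    return findings


if __name__ == "__main__":
    for host, service, tag in scan(SAMPLE_7045):
        print(f"{host}: service '{service}' -> {tag}")
```

Note that wmiexec.py installs no service, so it will not appear in 7045 at all; for that tool the equivalent signal is a process created by WmiPrvSE.exe with output written to the ADMIN$ share, which needs process-creation logging (4688 or Sysmon) rather than the System log.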