From initial access to Domain Takeover in 10 minutes (More or less)
This video shows a complete domain takeover starting from initial access in the form of a malicious LNK file, followed by coercion, relaying, ADCS abuse and DCSync.
Part 1 shows the attack through a firewall that allows TCP 445 outbound.
In Part 2, outbound SMB is blocked (as it should be), and a sneaky workaround using QUIC (UDP 443) instead is shown.
Tools used:
Chisel - github.com/jpillora/chisel
Lnk2pwn - github.com/it-gorillaz/lnk2pwn
Shellz - github.com/4ndr34z/shells
Rubeus - github.com/GhostPack/Rubeus
Proxychains - github.com/haad/proxychains
impacket-ticketConverter - github.com/fortra/impacket
impacket-ntlmrelayx - github.com/fortra/impacket
impacket-secretsdump - github.com/fortra/impacket
impacket-addcomputer - github.com/fortra/impacket
impacket-getTGT - github.com/fortra/impacket
DFSCoerce - github.com/Wh04m1001/DFSCoerce
Evil-WinRM - github.com/Hackplayers/evil-w...
certipy - github.com/ly4k/Certipy
ntlmQUIC - github.com/xpn/ntlmquic
gettgtpkinit - github.com/dirkjanm/PKINITtools
dnstool - github.com/dirkjanm/PKINITtools
Comments: 8
Great video. 🙂
I hope you are able to make more windcorp boxes sir, this video is very informative
Could you make a video for NS takeover?
The certificate enum part is missing was it esc8 ?
@_4ndr34z
28 days ago
Correct. esc8😊
why is bro so quiet 😭
@_4ndr34z
29 days ago
There should be audio on this one?
@SolitaryElite
29 days ago
@_4ndr34z yes :))