There is also a bug that I encounter sometimes using offline ADExplorer snapshots when using the ‘contains’ search that crashes ADExplorer, but it works when using ADExplorer online, so the problem is not too big. Sometimes I just search for ‘description not empty’ and manually look at the results. You do that by right clicking and choosing PIVOTING > SOCKS Serverįigure 24 – Searching for pwd in Description Let’s go through the steps on getting ADExplorer to work from my local Windows machine through a SOCKS proxy on my Cobalt Strike command and control (C2) server.įirst you will need to tell Cobalt Strike to establish a SOCKS proxy on the beacon you have. So, how do we use the Active Directory computer account over SOCKS to look at Active Directory? Well, of course there are many tools out there such as Impacket or LDAPPER, but today I’ll be covering ADExplorer. One way I typically end up in this scenario is to proxychain through a beacon on a user’s workstation and use a known exploit to gain administrative access. The tool itself can be found here: Ī typical scenario I often face on engagements is that I have compromised a server or workstation, and I am able to get my hands on the local NTLM hashes as well as the computer account NTLM hash used to authenticate itself against the Active Directory domain.
It can be useful for both offensive and defensive purposes, but in this post, I am going to focus more on its offensive use. By Oddvar Moe in Attack Path Effectiveness Review, Penetration Testing, Red Team Adversarial Attack Simulation, Security Testing & AnalysisĪDExplorer is a tool I have always had in my backpack.
0 kommentar(er)
