AD Enumeration & Attacks | Academy

Hi, I made this topic to help each other with this big module.
Can someone give me a hint about ACL enumeration? How did you get the objectacetype of the first right?

1 Like

Hi there, did you ever figure this out? I’m stuck at the same place and would appreciate any help.

Everything would be fine.
But this command freezes, ((((


Command seems to be slow or unresponsive for me as well. I’ve tried the BloodHound way of enumerating this and I can’t seem to get the right answer.

Replying myself because I found the right answer. If you use Bloodhound to gather the answer you will have to do a bit of googling to get the right answer.

1 Like

I received a response through the command
But I didn’t run it through PS, but through cmd.exe and I waited for a very long time until it worked out to the end, at the very very end of the command output, an answer will be waiting for you))

1 Like

Thanks for the tips. I also found that running the above series of commands in the Powershell ISE environment on the lab server, works. It takes about 30min to completes the scan but all other methods froze for me except this. Like Darcia mentioned, the answer will be at the very end of the output.


Thanks @Smi77y6i9 . I have run the commands from PoweShell ISE and after waiting several minutes I get the answer.

Hello, guys. I am trying to connect to SQL01 with -p 1433 SQLEXPRESS/n****:'D***_****_******'@SQL01 -windows-auth
but receiving Temporary failure in name resolution. Could somebody tell me what I am doing wrong?

That was frustrating! The command did eventually work but I assumed it had frozen. I would love to know how you found it with Bloodhound, DM if you remember please. Thanks!

I would add grep for powershell goes very handy

I have the same problem as everyone here :slight_smile: Unfortunately I get no response from PowerShell or even ISE and Bloodhound just so.

I have found rights but the wrong ones, can someone help me with Bloodhound, please DM me

Ok this my kind contribution for the last answer. Did this with bloodhound because the command are not responding at all (freezed)

  • Just follow the steps showed at this section (about bloodhount)
  • You will find the clue you need between forend and gpo managment (all is in the material)
  • Combine the question with what you get from bloodhound and google it
  • You will find what are you looking for and that’s it


Good luck!

1 Like

Finally :slight_smile:
Don’t Use Powerview Or Powershell Commands Powershell is Freezing
–>Use Bloodhound And Need To Search in Google For Excact object permissions and type
As Our Friend Said Your Answer Will Start With [ S-M ] @Mr_Pachin


Anyone Stuck on This please Refer to this post. will save you a lot of time


Thanks for the info with the PS ISE.
This works - but it takes really a long time - i left it running in the background for 60 minutes.

1 Like

I cant do the question that says: Enumerate valid usernames using Kerbrute and the wordlist located at /opt/jsmith.txt on the ATTACK01 host. How many valid usernames can we enumerate with just this wordlist from an unauthenticated standpoint?

I use scp to get the .txt user list to the base htb machine, and then do "kerbrute userenum -d inlanefreight.htb --dc IP jsmith.txt

the verbose is :

2023/06/15 22:51:31 > [!] jjohnson@inlanefreigth.htb - [Root cause: Encoding_Error] Encoding_Error: failed to unmarshal KDC’s reply: asn1: syntax error: sequence truncated

For the last question:

  • follow the instructions of @Satellite

  • Grab a Coffee

  • Patience

The last question of Acl enumeration topic “What is the ObjectAceType of the first right that the forend user has over the GPO Management group” is not obvious I think. Just enumerate possible values and you’ll find the logical one.

This module has some problems when it comes to targeted enumeration. Instead of using the * for identity you can use “GPO Management”.

PS C:\Tools> $sid = Convert-NameToSid forend
PS C:\Tools> Get-DomainObjectACL -Identity "GPO Management" -ResolveGUIDs | ? {$_.SecurityIdentifier -eq $sid}

and you have your answer in few seconds… not hours xD