AD Enumeration & Attacks - Skills Assessment Part I

Hi j4l3n, I had success using nmap through proxychains; check the output for unusual latency times, which might show you the right IP.

If you’re really stuck, you’ll need to first use a proxy of your choice to work between the external target (the 10.129.X.X) and your attacker (remember to change your proxychains.conf file!). Keep both of those windows open, and then try running a proxychains nmap scan on a subnet range. Hope that clears things up a little for you.
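The "unusual latency" hint above is easier to apply over a whole subnet if the nmap output is parsed rather than read by eye. The following is an added example, not code from the thread or from Hack The Box: it parses nmap's normal-format host reports, collects the per-host latency, and flags hosts whose latency is far from the median. The sample output embedded in it is constructed (192.0.2.0/24 is a documentation range), and the threshold `factor` is an assumption you can tune.

```python
import re
import statistics

# Constructed sample of "nmap -sn" normal output; not taken from the lab.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for 192.0.2.10
Host is up (0.0021s latency).
Nmap scan report for 192.0.2.11
Host is up (0.0019s latency).
Nmap scan report for 192.0.2.12
Host is up (0.0024s latency).
Nmap scan report for 192.0.2.50
Host is up (0.41s latency).
Nmap done: 256 IP addresses (4 hosts up) scanned in 12.34 seconds
"""

# "Nmap scan report for <host>" may also read "for <name> (<ip>)"; the first token is enough here.
REPORT_RE = re.compile(r"^Nmap scan report for (\S+)")
LATENCY_RE = re.compile(r"^Host is up \(([\d.]+)s latency\)")


def parse_latencies(text):
    """Return {host: latency_in_seconds} from nmap normal-format output."""
    latencies = {}
    current = None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = LATENCY_RE.match(line)
        if m and current is not None:
            latencies[current] = float(m.group(1))
            current = None
    return latencies


def latency_outliers(latencies, factor=5.0):
    """Hosts whose latency exceeds `factor` times the median of all hosts.

    `factor` is an assumed threshold; hosts reached over a different path
    (for example through an extra hop) tend to stand out this way.
    """
    if not latencies:
        return []
    median = statistics.median(latencies.values())
    return sorted(host for host, lat in latencies.items() if lat > factor * median)


if __name__ == "__main__":
    found = parse_latencies(SAMPLE_NMAP_OUTPUT)
    for host, lat in found.items():
        print(f"{host:<16} {lat:.4f}s")
    print("outliers:", latency_outliers(found))
```

Pipe a saved scan into `parse_latencies` (for example `parse_latencies(open("scan.txt").read())`) and the outlier list is the short list of hosts worth a closer look.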

If someone has problems with the last question, please refer to the section titled “Mimikatz - PowerShell Remoting with Pass the Ticket.” Keep in mind that we have two users available for testing purposes: “s****” (user from the 2nd question) and “t****” (user from the 5th question). Consequently, make sure to experiment with both of these user accounts. Additionally, if any specific tools are required, you can easily copy and paste them into the RDP session using Ctrl+C and Ctrl+V.

I appreciate your prompt response! I had previously attempted it using both proxychains and nmap with the “-sn” parameter. Thank you for your quick assistance!


Hi guys, it might be a stupid question, but I do not know how to Kerberoast an account without an account that is able to authenticate against the DC. Once I log into the web shell, I get the meterpreter reverse shell on my machine. I have made copies of SAM, SECURITY and SYSTEM and got the hash for administrator, but it looks like he can only authenticate into MS01, not the DC, so any Kerberoasting goes out the window. I also tried kerbrute, but it completely did not work for some reason. How did you guys find the first user and their password?

I have the same problem…
Could not solve the last question. I have the administrator hash and a username with password, but nothing works after tunneling with chisel (which works with Nmap); I could not pass the hash or connect with multiple methods to DC01…