👩‍🏫 How To fill DCS

Domain Name

wmic computersystem get domain

Hosts

• Name: "List computers" in BloodHound section
• IP: nslookup NAME
• Type (Domain / Standalone): netexec winrm -u test -p test --continue-on-success $(cat host-dmz.txt)
• Progress (Pwned / Foothold)

Domain Users

# Always do this if possible
Get-NetUser | select samaccountname,useraccountcontrol,ServicePrincipalName

# Else
## w/ PtH
impacket-GetADUsers -all -dc-ip 10.10.121.140 -hashes :e728ecbadfb02f51ce8eed753f3ff3fd oscp.exam/celia.almeda
## w/ Password
impacket-GetADUsers -all -dc-ip 10.10.121.140 oscp.exam/celia.almeda:PASS

• Group: BloodHound → Search user: → “Member Of”
• Local Admin At:
  • (Possibliy false negative) BloodHound → Search user: → “Local Admin Privileges”
  • Pwn3d! displayed in crackmapexec
• Logged-on To: ( sekurlsa::logonpasswords ): .\\PsLoggedon.exe -accepteula \\\\HOST
• Exec Privilege: BloodHound → Search user: → “Execution Privileges”
• GenericAll by (Password Reset): BloodHound → Search user: → “Inbound Object Control”
• DONT_REQ_PREAUTH (AS-REP Roasting): See useraccountcontrol column

Local Users

Windows

1. List all users by: Get-LocalUser (only Enabled)
2. User detail by: net user NAME

Linux

1. List all users by: cat /etc/passwd (only remarkable ones)
2. User detail by: id NAME