HackTheBox - Support

00:00 - Intro
01:05 - Start of nmap
02:20 - Running CrackMapExec to enumerate open file share and downloading a custom DotNet Executable
05:00 - Showing that we can run DotNet programs on our Linux machine (will show how I configured this at the end of the video)
06:00 - Using Wireshark to examine DNS Requests when running this application
06:50 - Using Wireshark to examine the LDAP Connection and discover credentials being sent in cleartext
10:00 - Using the credentials from the program to run the Python Bloodhound Ingestor
12:45 - Playing around in Bloodhound
16:10 - Discovering the Shared Support Account has GenericAll against the DC
18:50 - Doing an LDAP Search to dump all information and finding a password stored in the Info field of Active Directory
21:50 - Examining what the Support user can do, showing the importance of looking at the Outbound Object Control option in Bloodhound
22:20 - Explaining how to abuse GenericAll on the Computer object
26:00 - Downloading dependencies
31:00 - Starting the attack, checking that we can join machines to the domain
31:30 - Starting the attack: creating a machine account, had some issues, will redo everything later
40:30 - Redoing the attack, copying commands verbatim from Bloodhound
44:30 - Copying the ticket to our machine and then converting it from KIRBI to CCNAME format and using PSEXEC
51:50 - Extracting the LDAP Password through static analysis
55:00 - Installing DotNet on a Linux machine