Find passwords in SYSVOL (MS14-025). SYSVOL is the domain-wide share in Active Directory to which all authenticated users have read access. All domain Group Policies are stored here: \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\.
Directory Services Restore Mode (DSRM) is a safe mode boot option for Windows Server domain controllers. DSRM allows an administrator to repair or restore
There are 3-4 fields that seem to be common in most Active Directory schemas: UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
Password in User Description
crackmapexec ldap domain.lab -u 'username' -p 'password' -M user-desc
crackmapexec
Tickets are used to grant access to network resources. A ticket is a data structure that contains information about the user’s identity, the network service or resource being
Resource-based Constrained Delegation was introduced in Windows Server 2012. The user sends a Service Ticket (ST) to access the service (« Service A »), and if the service is allowed
Kerberos Constrained Delegation (KCD) is a security feature in Microsoft’s Active Directory (AD) that allows a service to impersonate a user or another service in order to access
CVE-2020-17049
An attacker can impersonate users who are not allowed to be delegated. This includes members of the Protected Users group and any other users explicitly configured as sensitive and cannot
READ Permission
Some shares can be accessible without authentication; explore them to find some juicy files.
ShawnDEvans/smbmap – a handy SMB enumeration tool
smbmap -H 10.10.10.10 # null