HTB - Rebound
by HerVelizy - Saturday September 9, 2023 at 07:09 PM
#21
(Sep 11, 2023, 12:22 AM)killinginthenameof Wrote:
(Sep 11, 2023, 12:02 AM)zer0 Wrote:
(Sep 10, 2023, 10:20 PM)Whatever911 Wrote: Well yes, you need to find that user's hash and crack it, then use its credentials.

But the question remains, what after that? How to proceed towards foothold?

1. Check which user has permissions on a group called ServiceMgmt
Example

2. Check which permissions that group has on another domain object (OU)
3. Abuse permissions on said object to reset the password of some account that can access the server.
4. Foothold secured.

Maybe use a Windows VM for those tasks. PowerSploit and PowerView are nice to have.

Are the hashes crackable? I've tried the ones retrieved with AS-REP roasting and no success so far.

Hash for user ldap_monitor is crackable using rockyou.
Can be obtained using this method:
https://www.thehacker.recipes/ad/movemen...entication
Reply
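The nudge quoted above (who holds rights on the ServiceMgmt group, what that group holds on an OU, and which of those rights reach a password reset) is the same chain a defender audits for before someone else walks it. The following is an added example and not code from any poster in this thread or from PowerView; it assumes the RSAT ActiveDirectory module on a domain-joined Windows host, and the OU distinguished name is a placeholder because the thread does not name the OU.

```powershell
# Added example, not from this thread: audit the ACL chain the nudge describes
# (who controls a group -> what the group controls on an OU -> password-reset rights).
# Assumes the RSAT ActiveDirectory module and a domain-joined host; the OU DN is a placeholder.
Import-Module ActiveDirectory

$ADR = [System.DirectoryServices.ActiveDirectoryRights]
$takeover = $ADR::GenericAll -bor $ADR::WriteDacl -bor $ADR::WriteOwner
# Well-known schema GUID of the "User-Force-Change-Password" extended right.
$forcePwdGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'
# Principals expected to hold full control; anything else with these rights is a finding.
$expectedAdmins = 'Domain Admins|Enterprise Admins|BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM'

function Get-RiskyAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -match $expectedAdmins) { continue }
        $r = $ace.ActiveDirectoryRights
        $why = $null
        if ([int]($r -band $takeover) -ne 0) {
            $why = 'object takeover (GenericAll/WriteDacl/WriteOwner)'
        } elseif ([int]($r -band $ADR::WriteProperty) -ne 0 -and $ace.ObjectType -eq [guid]::Empty) {
            $why = 'write to all attributes (e.g. group membership)'
        } elseif ([int]($r -band $ADR::ExtendedRight) -ne 0 -and
                  ($ace.ObjectType -eq [guid]::Empty -or $ace.ObjectType -eq $forcePwdGuid)) {
            $why = 'force password reset'
        }
        if (-not $why) { continue }
        [pscustomobject]@{
            Object        = $DistinguishedName
            Principal     = $ace.IdentityReference.Value
            Why           = $why
            Rights        = $r.ToString()
            Inherited     = $ace.IsInherited
            InheritsTo    = $ace.InheritanceType      # Descendents/All = reaches child users
            LimitedToType = $ace.InheritedObjectType  # empty GUID = every child object class
        }
    }
}

# Step 1 of the nudge: who can change the ServiceMgmt group itself?
$group = Get-ADGroup -Identity 'ServiceMgmt'
Get-RiskyAce -DistinguishedName $group.DistinguishedName | Format-Table -AutoSize

# Step 2: what does that group hold on the OU it is meant to manage?
$ouDn = 'OU=Service Users,DC=example,DC=local'   # placeholder; the thread does not name the OU
Get-RiskyAce -DistinguishedName $ouDn |
    Where-Object { $_.Principal -like "*\$($group.SamAccountName)" } |
    Format-Table -AutoSize
```

Read the two result tables together: a non-admin principal with takeover rights on the group, plus a group ACE on the OU that inherits to descendant objects with either GenericAll or the force-change-password extended right, is the path the nudge describes, and the fix is to remove or scope that ACE rather than to rely on the group's membership staying clean. On the detection side, a reset performed through such an ACE shows up on the DC as event 4724 (password reset attempt) against the target account, and the preceding group change as 4728/4732 (member added to a security group); if a SACL is set on the OU, 5136 records the directory modification as well.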
#22
(Sep 11, 2023, 01:05 AM)zer0 Wrote:
(Sep 11, 2023, 12:22 AM)killinginthenameof Wrote:
Hash for user ldap_monitor is crackable using rockyou.
Can be obtained using this method:
https://www.thehacker.recipes/ad/movemen...entication

Does it take longer than usual, or...? I've tried running all the hashes retrieved with that command and they were taking more than 1h30.
Reply
#23
(Sep 11, 2023, 01:15 AM)killinginthenameof Wrote:
(Sep 11, 2023, 01:05 AM)zer0 Wrote:
Does it take longer than usual, or...? I've tried running all the hashes retrieved with that command and they were taking more than 1h30.

It is quick. Are you sure you don't have a carriage return at the end of each line?
Reply
#24
Any nudge after the JSON dump?
Reply
#25
Anyone get BloodHound working? Tried it on Linux and Windows over LDAPS but it seems LDAP signing is preventing it. Wondering if anyone got round it?
Reply
#26
(Sep 11, 2023, 08:13 AM)IXNovaticula Wrote:
(Sep 10, 2023, 10:08 PM)pollero Wrote:
(Sep 10, 2023, 07:28 PM)lucius222 Wrote:
(Sep 10, 2023, 07:20 PM)Whatever911 Wrote:
(Sep 10, 2023, 06:40 PM)lucius222 Wrote: I'm getting auth errors with this, wtf
Can you use crackmapexec ldap with the ldap_monitor pass?
Did you install all requirements for LDAPmonitor? Does your command work?

└─$ sudo apt-get install build-essential python-dev-is-python3 python3-dev python2.7-dev libldap2-dev libsasl2-dev slapd ldap-utils tox lcov valgrind

└─$ pip install python-ldap   

When I run it with -k I'm getting
ldap3.core.exceptions.LDAPSocketOpenError: invalid server address

Without -k:
ldap3.core.exceptions.LDAPBindError: automatic bind not successful - invalidCredentials

Also: I tried a password spray and I got another user, but still can't access anything.

Perhaps you need credentials.

I cracked the hash for ldap_monitor using hashcat and I'm trying to use those creds but still getting the same error.

The hashcat mode is 19700 and the wordlist is rockyou.txt, right? Why am I not able to crack it?
Reply
#27
hashcat -m 13100 for the ldap_monitor user

Reply
#28
(Sep 11, 2023, 09:55 AM)genega Wrote: Anyone get BloodHound working? Tried it on Linux and Windows over LDAPS but it seems LDAP signing is preventing it. Wondering if anyone got round it?

https://gist.github.com/vestjoe/68b579d0...55908883cc
Reply
#29
(Sep 11, 2023, 05:42 AM)HerVelizy Wrote:
(Sep 11, 2023, 01:15 AM)killinginthenameof Wrote:
It is quick. Are you sure you don't have a carriage return at the end of each line?

I did check, yes. With hashcat I used module 19700, not sure if this is the correct one, although it is recognized by hashcat. I've been trying to crack the hashes from the AS-REP roast; I did get one for the user jjones but could not find any cleartext password.
Reply
#30
(Sep 11, 2023, 12:14 PM)0001 Wrote:
(Sep 10, 2023, 10:50 PM)pollero Wrote: Can you explain my error to me? I got an unexpected keyword argument 'service':

python ./GetUserSPNs.py -no-preauth "ldap_monitor" -usersfile "services.txt" -dc-host 10.129.x.x rebound.htb/ -request
Impacket v0.10.1.dev1+20220628.224634.5122bcf - Copyright 2022 SecureAuth Corporation

[-] Principal: dc01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: ldap/dc01.rebound.htb - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: ldap/dc01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: ldap_monitor/dc01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: ldap_monitor/DC01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: ldap_monitor/dc01.rebound.htb - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: ldap_monitor/DC01.rebound.htb - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: cifs/dc01.rebound.htb - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: cifs/dc01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: srv01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: winrm/dc01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: winrm/dc01.rebound.htb - getKerberosTGT() got an unexpected keyword argument 'service'

Did you figure out the error? I'm getting the same error and don't know why.

I got the same problem.

$ /opt/impacket-nopass/examples/GetUserSPNs.py -no-preauth jjones -usersfile ./services.txt -dc-host dc01.rebound.htb -request rebound.htb/
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation

[-] Principal: srv01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: cifs/dc01.rebound.htb - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: cifs/dc01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: winrm/dc01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: winrm/dc01.rebound.htb - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: ldap/dc01 - getKerberosTGT() got an unexpected keyword argument 'service'
[-] Principal: ldap/dc01.rebound.htb - getKerberosTGT() got an unexpected keyword argument 'service'
Reply