Exploitation
There are two main strategies for exploitation:
- Assign all privileges to the user/computer account from which you are performing the exploitation.
- Assign all privileges to a different account and only use the initial account for the first step.
In either strategy, you will need the password of the user or computer account that you are escalating from (specified with the `-f` flag). This can be supplied using the `--source-password` parameter. If it is not specified, aclpwn will prompt for it.
It is also possible to assign the privileges to a different account under the attacker's control. For example, we may want to assign the DCSync privileges to the account `testuser` instead of to a computer account. To do this, specify the `--user` flag. If you have an attack chain with only one step, this will just assign the privileges to this user and finish. If, however, you have a multi-step exploitation chain, aclpwn will need the password (or the LM:NTLM hashes) of this user to perform the next step in the escalation chain. You can either specify it manually with the `--password` flag or wait until aclpwn prompts for the password.
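Seen from the defender's side, assigning DCSync privileges to an account such as `testuser` shows up as a change to the domain object's security descriptor. The following is an added example, not part of aclpwn or this wiki: it diffs the old and new SDDL values from Windows event 5136 and reports trustees that newly hold replication rights. It assumes Directory Service Changes auditing is enabled and that events are already parsed into dicts; the `EXPECTED` allowlist, the SID and the DN are constructed placeholders.

```python
import re

# Extended-right GUIDs that together permit directory replication (DCSync).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Assumption: SDDL aliases of trustees expected to hold these rights; tune per domain.
EXPECTED = {"BA", "DA", "EA", "ED", "DD", "RO", "SY"}
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^()]*\))+)")

def has_control_access(rights):
    """True if an ACE rights field includes CR (control access) or GA (generic all)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (0x100 | 0x10000000))
    return bool({rights[i:i + 2] for i in range(0, len(rights), 2)} & {"CR", "GA"})

def replication_grants(sddl):
    """Yield (trustee, right) for each allow ACE in the DACL that grants replication."""
    dacl = DACL_RE.search(sddl)
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] not in ("A", "OA"):
            continue
        guid = fields[3].lower()
        if has_control_access(fields[2]) and (not guid or guid in REPL_GUIDS):
            yield fields[5], REPL_GUIDS.get(guid, "all extended rights")

def new_replication_grants(events):
    """Diff deleted vs. added nTSecurityDescriptor values from 5136 events."""
    old, new = set(), set()
    for ev in events:
        if ev.get("EventID") != 5136 or ev.get("AttributeLDAPDisplayName") != "nTSecurityDescriptor":
            continue
        bucket = new if ev.get("OperationType") == "%%14674" else old  # %%14674 = value added
        for trustee, right in replication_grants(ev["AttributeValue"]):
            bucket.add((ev["ObjectDN"], trustee, right))
    return sorted(g for g in new - old if g[1] not in EXPECTED)

# Constructed sample events (not from a real domain); SID and DN are placeholders.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
BASE = ("O:BAG:BAD:AI(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
        "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(A;;RPLCLORC;;;AU)")
ADDED = "".join(f"(OA;;CR;{g};;{SID})" for g in REPL_GUIDS)
EVENTS = [{"EventID": 5136, "ObjectDN": "DC=corp,DC=example", "OperationType": op,
           "AttributeLDAPDisplayName": "nTSecurityDescriptor", "AttributeValue": sd}
          for op, sd in (("%%14675", BASE), ("%%14674", BASE + ADDED))]

if __name__ == "__main__":
    print(*new_replication_grants(EVENTS), sep="\n")
```

The diff here pools all events passed in; in production, group the deleted and added values by operation before comparing.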