PowerShellEmpire / PowerTools

PowerTools is a collection of PowerShell projects with a focus on offensive operations.

Feature Request: Threading #30

Closed Viss closed 9 years ago

Viss commented 9 years ago

When attacking a domain with 4000-10000 endpoints, running userhunter takes fooorreeevvvvver. It would be really really awesome to have the ability to specify threads so that this process is shortened.

ChrisTruncer commented 9 years ago

There is a Threaded-UserHunter, but even that will potentially be slow depending on the number of endpoints. Probably the best thing to do in such a large environment (I was just in a similar situation to yours) is to identify the Domain Controllers and File Servers, and run Get-NetSessions against those. You're not hitting every single system, but you're hitting the high-priority systems, or file servers that users may have mounted.

PowerShell actually consumed too much memory when I used UserHunter because of being in such a large environment, so we did it the way above.

Viss commented 9 years ago

So the trick is we don't have DA on the target domain yet. What we're after here is basically finding machines that are in multiple domains, and hoping we can snare DA creds from a machine on which a user with DA is logged in, so we can mimikatz their machine and use that to hop to the domain controller.

ChrisTruncer commented 9 years ago

You can still run Get-NetSessions against a domain controller even if you aren't running in the context of a domain admin.

HarmJ0y commented 9 years ago

This post and slide deck cover the various methods of user hunting, including pre-elevated/post-elevated access:
http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20