I’ve already obtained local administrator on a domain user’s computer. Now, my target is one of the company’s domain controllers.
However, the domain controllers run no vulnerable services, and every username/password combination is unique across the domain, so pass-the-hash using Mimikatz doesn’t work.
Furthermore, no useful delegation tokens are found using Incognito on the local system.
What are my options from here, except carrying out man-in-the-middle attacks using tools like Responder?
