nyanbinaryOk, question: Is there any way to determine the admins on a (windows) system remotely WITHOUT code execution on the system
Cat 🐈🥗 (D.Burch) 
@nyanbinary As in zero authorization access?
@catsalad sorry, I dont get it, my brain isnt fully booted up yet 😔
Chilly 
🛡️ 
powers on nyan@chillybot @catsalad nooooooooooo I wanted to nap more!!!!
@nyanbinary @chillybot Oh, I was just asking if you're trying to poke at that remote server with any kind of access levels above a guest, or someone with no real access.
@catsalad ah, gotcha. Current limit is pretty much "domain user (non-guest)". Can mostly work around the FW with some non-approved shenanigans.
wall-e@nyanbinary @catsalad as in: you have a normal domain user account on machine A and want to enumerate admin/domain admin accounts remotely on machine B without code exec on B?
Or you don't (want to) have code exec on the machine you're logged in on?
Or you don't (want to) have code exec on the machine you're logged in on?
@wall_e @catsalad I got a normal domain user. I got a domain-joined Windows with basic tools (PS AD module, subset of RSAT, ...) but limited network visibility. I got a domain-joined Windows with hood visibility but limited tools. I got a non-joined linux with visibility to DCs & a shitload of tools.
I want to check a lot of OTHER windows servers.