Commands Only Summary

🐧 Find

Find all SUID binaries

find / -perm -u=s -type f 2>/dev/null

All readable files

find / -type f -readable ! -path "/proc/*" ! -path "/dev/*" ! -path "/run/*" ! -path "/sys/*" 2>/dev/null

All files from user

find / -user 'USERNAME' ! -path "/proc/*" ! -path "/dev/*" ! -path "/run/*" ! -path "/sys/*" 2>/dev/null

Active Directory

🪟 SharpView (C# Port of PowerView)

AD Enumeration tool. C# port of 🪟 PowerView (Now deprecated). Same commands

Get help about a command

.\SharpView.exe Get-DomainUser -Help

Enumerate information about a specific user

🪟 PowerView (Now deprecated)

AD Enumeration Tools

Import

Information for specific User or All users

Group specific info

Enumerate domain trust mappings

Test for local admin access on either the current machine or a remote one

Check Kerberoasting attack possibility

🪟 BloodHound

Collect data

🪟 [Built-in] ActiveDirectory PowerShell Module

AD Enumeration tools

Discover Modules

Load ActiveDirectory Module

Get Domain Info

List accounts that may be susceptible to a Kerberoasting attack

Verify domain trust relationships

Group Enumeration

Group Information

Group Membership Listing

If part of GMSA_MANAGERS Group, Set yourself as someone who can read the password

🪟 Snaffler

Snaffler is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories. Once that is done, it iterates through any directories readable by our user and hunts for files that could serve to better our position within the assessment. Snaffler requires that it be run from a domain-joined host or in a domain-user context.

🐧 CrackMapExec (deprecated) | NetExec (updated)

A swiss army knife for pentesting networks

Help for specific protocol

Domain User Enumeration

Domain Group Enumeration

Logged On Users

Share Searching

Dig Through Share

Password Policy

Group Policy Password misconfiguration (GPP, usually to check if read access to SYSVOL)

Enumerate users from RID (for when the --users command doesnt work)

Get GMSA passwords

Get Group membership users

Find certificate server (ADCS)

List Kerberoastable users

AS_REP version with --asreproast flag

🐧 SMBMap

SMBMap is great for enumerating SMB shares from a Linux attack host. It can be used to gather a listing of shares, permissions, and share contents if accessible.

SMBMap To Check Access

Recursive List Of All Directories

🐧 rpcclient

Useful for enumeration with NULL sessions

Connect to anonymous session

Enumerate all users to gather the RIDs

User Enumeration By RID

🐧 Impacket Toolkit

Impacket is a versatile toolkit that provides us with many different ways to enumerate, interact, and exploit Windows protocols and find the information we need using Python.

Shell on target device (PSExec)

Stealthier Shell on target device (wmiexec.py)

A more stealthy approach to execution on hosts than other tools, but would still likely be caught by most modern anti-virus and EDR systems.

Finding ASREProasting targets

No user specification needed

Edit DACL to get DCSync

target-dn is the LDAP format, like DC=htb,DC=local

DCSync attack, secretsdump

🐧 Windapsearch

Windapsearch is another handy Python script we can use to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries.

Enumerate Domain Admins

Enumerate Priviledged Users

🐧 Bloodhound.py

Collect data for BloodHound GUI from a Linux host

NTLM Hash instead of password

(the NTLM hash needs to be preceded by the :). Use -c all or -c dconly

🐧 ldapsearch

• -h <host>

• -x simple authentication (anonymous)

• -s scope (-s base namingcontexts). Output of this goes in the -b flag content

• -b base (-b "DC=htb,DC=local") (Basically the searching scope)

Get naming context (domain name)

Get anonymous info

Query for users (Object class of Person)

Usually the class can be person, organizationalPerson or user

Query for users and only show username

(you can add more things at the end, such as sAMAccountName userPrincipalName)

🐧 Evil-winrm

Connect with kerberos

🐧 🪟 Hashcat

secretsdump output

Find Hashcat mode

Generate password list from rules

Limit length of passwords

Hashes in user:hash format to save user info

Put the hashes in a file in the user:hash format, for example for NTLM hashes then use the flag --user for automatically make hashcat discard that first column and use the rest as the hash. This allows to use --show to then recover the user of the cracked password from the potfile.

🐧 BloodyAD

Swiss army knife for AD privilege escalation

GitHub - CravateRouge/bloodyAD: BloodyAD is an Active Directory Privilege Escalation FrameworkGitHub

As other tools, to use NTLM hashes on this put them in the -p password field PRECEDED by a :

Set yourself as owner

Get Writable

Add user to group (GenericAll over group)

Add DCSync rights to user

Read GMSA password

ReadGMSAPassword privilege abuse

Following command uses -k for Kerberos (needs export KRB5CCNAME= to be set)

Disable Pre Authentication

this makes the accounts vulnerable to asreproasting, requires GenericAll or other ways to control account

Enable account

This is handy when an account is disabled but you control it through GenericAll or other write permissions

🐧 ntpdate

Useful to adjust the system clock to one of another machine. Solves problem like kerberos Clock skew too great

Disable NTP first:

Also if in a VM, check that no option to sync the time is set on your VM software. For example on VirtualBox on a Windows Host:

🐧 Sanitize/Stabilize Reverse Shell

Option number 1: Use pwncat

Option number 2-ish: Use rlwrap (this doesnt FULLY stabilize it but it works decently for quick stuff)

Option 3:

ctrl + z to background netcat

🐧 Process monitoring without permissions

GitHub - DominicBreuker/pspy: Monitor linux processes without root permissionsGitHub

🐧 pwning `su` command usage

In the case you notice that an automated script or user will su into a user you have access to, it's possible to pwn it using .bashrc or any other shell script automatically read.

More explaination at https://www.errno.fr/TTYPushback.html

Write the following python script in the user home, for example /home/user/esc.py

Then run

The above command assumed it's a root user doing a su into a lowpriv user.

You can then run the bash as root using

🪟 Mounting smb share (auth) from command line

list with

🪟 Refreshing Privileges after privesc without closing and reopening

Useful in occasions when restarting the connection is more annoying than downloading a binary on the machine. Example is when assigning your own user to the administrators group