Commands Only Summary

🪟 = Windows, 🐧 = Linux


Active Directory

🪟 SharpView (C# Port of PowerView)

AD enumeration tool. C# port of 🪟 PowerView (now deprecated); it accepts the same commands.

Get help about a command

.\SharpView.exe Get-DomainUser -Help

Enumerate information about a specific user

.\SharpView.exe Get-DomainUser -Identity <username>

🪟 PowerView (Now deprecated)

AD Enumeration Tools

Import

Import-Module ./PowerView

Information for specific User or All users

Group specific info

Explanation

The -Recurse switch tells PowerView that if it finds any groups that are members of the target group (nested group membership), it should also list the members of those groups.

Enumerate domain trust mappings

Test for local admin access on either the current machine or a remote one

Check Kerberoasting attack possibility


🪟 BloodHound

Collect data

Explanation

The SharpHound.exe collector needs to be run from a domain-joined PC.

-c: (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup, Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly

--zipfilename: Filename for the output zip archive


🪟 [Built-in] ActiveDirectory PowerShell Module

AD Enumeration tools

Discover Modules

Load ActiveDirectory Module

Get Domain Info

Explanation

This prints out helpful information such as the domain SID, the domain functional level, any child domains, and more.

List accounts that may be susceptible to a Kerberoasting attack

Verify domain trust relationships

Explanation

This cmdlet prints out any trust relationships the domain has. From the output we can determine whether they are trusts within our forest or with domains in other forests, the type of trust, the direction of the trust, and the name of the domain the relationship is with.

Group Enumeration

Group Information

Group Membership Listing

If part of the GMSA_MANAGERS group, set yourself as a principal that can read the password


🪟 Snaffler

Snaffler is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories. Once that is done, it iterates through any directories readable by our user and hunts for files that could serve to better our position within the assessment. Snaffler requires that it be run from a domain-joined host or in a domain-user context.

Explanation

-s tells Snaffler to print results to the console.

-d specifies the domain to search within.

-o tells Snaffler to write results to a logfile.

-v sets the verbosity level.


🐧 CrackMapExec (deprecated) | NetExec (updated)

A Swiss Army knife for pentesting networks.

Help for specific protocol

Domain User Enumeration

Explanation

-u Username: the user whose credentials we will use to authenticate

-p Password: the user's password

Target (IP or FQDN): the target host to enumerate (in our case, the Domain Controller)

--users: enumerate domain users

--groups: enumerate domain groups

--loggedon-users: attempt to enumerate which users are logged on to a target, if any

Domain Group Enumeration

Logged On Users

Share Searching

Dig Through Share

When completed, CME writes the results to a JSON file located at /tmp/cme_spider_plus/<ip of host>.

Password Policy

Use empty username and password for null authentication

Group Policy Preferences (GPP) password misconfiguration (usually worth checking when you have read access to SYSVOL)

Enumerate users by RID (for when the --users option doesn't work)

Get GMSA passwords

Get group membership (users in a group)

Find certificate server (ADCS)

List Kerberoastable users

AS-REP roasting variant with the --asreproast flag


🐧 SMBMap

SMBMap is great for enumerating SMB shares from a Linux attack host. It can be used to gather a listing of shares, permissions, and share contents if accessible.

SMBMap To Check Access

Recursive List Of All Directories


🐧 rpcclient

Useful for enumeration over NULL sessions.

Connect to anonymous session

Enumerate all users to gather the RIDs

User Enumeration By RID


🐧 Impacket Toolkit

Impacket is a versatile toolkit that provides many different ways to enumerate, interact with, and exploit Windows protocols and find the information we need, using Python.

Shell on target device (PSExec)

Stealthier Shell on target device (wmiexec.py)

A stealthier approach to execution on hosts than other tools, but still likely to be caught by most modern anti-virus and EDR systems.

Finding ASREProasting targets

No user list needs to be specified.

Edit DACL to get DCSync

target-dn is in LDAP distinguished-name format, e.g. DC=htb,DC=local.

DCSync attack, secretsdump


🐧 Windapsearch

Windapsearch is another handy Python script we can use to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries.

Enumerate Domain Admins

Enumerate Privileged Users


🐧 Bloodhound.py

Collect data for the BloodHound GUI from a Linux host.

NTLM Hash instead of password

(The NTLM hash needs to be preceded by a colon.) Use -c all or -c dconly.


🐧 ldapsearch

  • -h <host>

  • -x simple authentication (anonymous)

  • -s scope (e.g. -s base namingcontexts). The output of that query is what goes into the -b flag.

  • -b base (e.g. -b "DC=htb,DC=local"); basically the search base.

Get naming context (domain name)

Get anonymous info

Query for users (Object class of Person)

The object class is usually person, organizationalPerson or user.

Query for users and only show username

(You can append more attributes at the end, such as sAMAccountName userPrincipalName.)

A $ at the end of an account name indicates a machine account.


🐧 Evil-winrm

Connect with Kerberos



🐧 🪟 Hashcat

secretsdump output

Find Hashcat mode

Generate password list from rules

Limit length of passwords

Rules

Cracking

Password list gen

Hashes in user:hash format to preserve the username

Put the hashes in a file in user:hash format (for example for NTLM hashes), then use the --user flag so that hashcat automatically discards the first column and treats the rest as the hash. This allows --show to recover the username of each cracked password from the potfile.


🐧 BloodyAD

Swiss Army knife for AD privilege escalation.

As with other tools, to use an NTLM hash put it in the -p password field preceded by a colon.

Set yourself as owner

Get Writable

Add user to group (GenericAll over group)

Add DCSync rights to user

Read GMSA password

ReadGMSAPassword privilege abuse

The following command uses -k for Kerberos (requires export KRB5CCNAME= to be set to your ticket cache).

Disable Pre Authentication

This makes the account vulnerable to AS-REP roasting; it requires GenericAll or another way to control the account.

Enable account

Handy when an account is disabled but you control it through GenericAll or other write permissions.


🐧 ntpdate

Useful to sync the system clock with that of another machine. Solves problems such as the Kerberos error "Clock skew too great".

Disable NTP first:

Also, if running in a VM, check that no time-sync option is enabled in your VM software. For example, on VirtualBox with a Windows host:


🪟 Mounting an SMB share (authenticated) from the command line

List with:


🪟 Refreshing privileges after privesc without closing and reopening the session

Useful on occasions when restarting the connection is more annoying than downloading a binary to the machine, for example after adding your own user to the Administrators group.
