Commands Only Summary

🪟 = Windows, 🐧 = Linux


Active Directory

🪟 SharpView (C# Port of PowerView)

AD enumeration tool. C# port of 🪟 PowerView (now deprecated); the command syntax is the same.

Get help about a command

.\SharpView.exe Get-DomainUser -Help

Enumerate information about a specific user

.\SharpView.exe Get-DomainUser -Identity <username>

🪟 PowerView (Now deprecated)

AD Enumeration Tools

Import

Import-Module ./PowerView

Information for specific User or All users

Get-DomainUser -Identity <username> -Domain <inlanefreight.local> | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

Group specific info

Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Explanation

The -Recurse switch tells PowerView that if it finds any groups that are members of the target group (nested group membership), it should also list the members of those groups.

Enumerate domain trust mappings

Get-DomainTrustMapping

Test for local admin access on either the current machine or a remote one

Test-AdminAccess -ComputerName ACADEMY-EA-MS01

Check Kerberoasting attack possibility

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

🪟 BloodHound

Collect data

.\SharpHound.exe -c All --zipfilename <outputFileName>
Explanation

The SharpHound.exe collector needs to be run from a domain-joined host.

-c: (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup, Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly

--zipfilename: Filename for the zip


🪟 [Built-in] ActiveDirectory PowerShell Module

AD Enumeration tools

Discover Modules

Get-Module

Load ActiveDirectory Module

Import-Module ActiveDirectory

Get Domain Info

Get-ADDomain
Explanation

This will print out helpful information like the domain SID, domain functional level, any child domains, and more

List accounts that may be susceptible to a Kerberoasting attack

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Verify domain trust relationships

Get-ADTrust -Filter *
Explanation

This cmdlet will print out any trust relationships the domain has. We can determine if they are trusts within our forest or with domains in other forests, the type of trust, the direction of the trust, and the name of the domain the relationship is with.

Group Enumeration

Get-ADGroup -Filter * | select name

Group Information

Get-ADGroup -Identity "Backup Operators"

Group Membership Listing

Get-ADGroupMember -Identity "Backup Operators"

🪟 Snaffler

Snaffler is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories. Once that is done, it iterates through any directories readable by our user and hunts for files that could serve to better our position within the assessment. Snaffler requires that it be run from a domain-joined host or in a domain-user context.

Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
Explanation

-s tells it to print results to the console.

-d specifies the domain to search within.

-o tells Snaffler to write results to a logfile.

-v sets the verbosity level.


🐧 CrackMapExec (deprecated) | NetExec (updated)

A Swiss army knife for pentesting networks.

Help for specific protocol

crackmapexec smb -h

Domain User Enumeration

sudo crackmapexec smb <IP> -u <username> -p <password> --users
Explanation

-u Username The user whose credentials we will use to authenticate

-p Password User's password

Target (IP or FQDN) Target host to enumerate (in our case, the Domain Controller)

--users Specifies to enumerate Domain Users

--groups Specifies to enumerate domain groups

--loggedon-users Attempts to enumerate what users are logged on to a target, if any

Domain Group Enumeration

sudo crackmapexec smb <IP> -u <username> -p <password> --groups

Logged On Users

sudo crackmapexec smb <IP> -u <user> -p <password> --loggedon-users

Share Searching

sudo crackmapexec smb <IP> -u <user> -p <password> --shares

Dig Through Share

sudo crackmapexec smb <IP> -u <user> -p <password> -M spider_plus --share '<shareName>'

When it completes, CME writes the results to a JSON file under /tmp/cme_spider_plus/<ip of host>.


🐧 SMBMap

SMBMap is great for enumerating SMB shares from a Linux attack host. It can be used to gather a listing of shares, permissions, and share contents if accessible.

SMBMap To Check Access

smbmap -u <user> -p <password> -d <DOMAIN> -H <IP>

Recursive List Of All Directories

smbmap -u <user> -p <password> -d <DOMAIN> -H <IP> -R 'Department Shares' --dir-only

🐧 rpcclient

Useful for enumeration with NULL sessions

Enumerate all users to gather the RIDs

rpcclient $> enumdomusers

User Enumeration By RID

rpcclient $> queryuser 0x457

🐧 Impacket Toolkit

Impacket is a versatile Python toolkit that provides many different ways to enumerate, interact with, and exploit Windows protocols in order to find the information we need.

Shell on target device (PSExec)

psexec.py <domain/user>:'<password>'@<IP>

Stealthier Shell on target device (wmiexec.py)

A stealthier approach to execution on hosts than other tools, but one that would still likely be caught by most modern anti-virus and EDR systems.

wmiexec.py <domain/user>:'<password>'@<IP>

🐧 Windapsearch

Windapsearch is another handy Python script we can use to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries.

Enumerate Domain Admins

python3 windapsearch.py --dc-ip <DC_IP> -u <user>@<domain> -p <password> --da

Enumerate Privileged Users

python3 windapsearch.py --dc-ip <DC_IP> -u <user>@<domain> -p <password> -PU

🐧 Bloodhound.py

Collect data for BloodHound GUI from a Linux host

sudo bloodhound-python -u '<username>' -p '<password>' -ns <DC_IP> -d <domain> -c all

🐧 🪟 Hashcat

Crack captured NetNTLMv2 hashes

hashcat -m 5600 <NetNTLMv2_hash> <wordlist>
Explanation

-m 5600 selects hashcat's NetNTLMv2 mode (network authentication hashes); NT hashes taken from a dump use -m 1000 instead.
