Windows
Enumeration
Scripts
Winpeas
PrivescCheck
This script aims to enumerate common Windows configuration issues that can be leveraged for local privilege escalation. It also gathers various information that might be useful for exploitation and/or post-exploitation.
Enum4Linux
Enum4linux is a tool for enumerating information from Windows and Samba systems.
List Users
Blank user
With User
SMB
Port: 445
SMB/Samba is a popular freeware program that allows users to access and use files, printers, and other commonly shared resources.
Nmap
List Share
Connect
SmbMap
Bruteforce
Bruteforce users
MSRPC
Port: 135
"MSRPC is a protocol that uses the client-server model in order to allow one program to request service from a program on another computer without having to understand the details of that computer's network." · Hacktricks
Connect
List Services
IOXIDResolver is used for remote enumeration of network interfaces
WinRM
Port: 5985 / 5986
Windows Remote Management (WinRM) is a feature that allows administrators to remotely run management scripts, execute command, monitor and manage windows system remote computers and servers.
Connect with powershell
Kerberos
Port: 88
Kerberos is an authentication protocol that is used to verify the identity of a user or host.
Bruteforce User
Get user ticket
Checking if Kerberos pre-authentication has been disabled for accounts
Enumusers
With msfconsole we have able to list users form wordlists of users.
Ldap
Port: 389, 636
Lightweight directory access protocol (LDAP) is a protocol that makes it possible for applications to query user information rapidly.
Nmap
Ldapsearch
Ldapdomaindump
ldapdomaindump is a tool for gathering information of ldap. (you need to have creds of an user to use it)
gMSADumper
gMSADumper read the gMSA (group managed service accounts) password of the account.
IMPACKET
GetUserSPNs
GetUserSPNs find Service Principal Names that are associated with normal user account, and exfiltrate the kerberos.
Responder
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. Basicaly a rogue everything use for exemple to steal NLTLM Hash, usernames... source
Server (attacker) :
Client (victim):
GetNPUsers
GetNPUsers.py will attempt to list and get TGTs for those users that have the property ‘Do not require Kerberos preauthentication’ set.
secretsdump
secretsdump dumping Active Directory Password Hashes.
Exfiltration
Certificate
Download file
DMP File
Extract
Volatility
Bulk Extractor
Virus
Virus Total
Analyse suspicious files, domains, IPs and URLs to detect malware and other breaches, automatically share them with the security community.
VirusTotal aggregates many antivirus products and online scan engines called Contributors
Cobalt Strike
Reverse shell
ConPtyShell
ConPtyShell is a Fully Interactive Reverse Shell for Windows systems. source
Server :
Client with internet access:
without create shell.ps1, paste the Invoke-ConPtyShell.ps1, add Invoke-ConPtyShell ip port
on a new line
Interactive Windows cheatsheet : Wadcoms
Last updated