Inspired by GTFOBins, LOLBAS and WADCOMS.
Command | |
---|---|---
Search for all possible paths to escalate privileges on Windows hosts (winPEAS) | |
Print "kerberoast" hashes for user accounts that have a SPN set | |
Start ntlmrelayx in socks mode to relay multiple SMB requests later on (multiple commands) | |
Execute a PowerShell command | |
Dump SAM file | |
Add a user account to the Member of "Users" | |
Add a computer account to the domain | |
Dump DC hashes with ntdsutil.exe | |
Make NTDS backup | |
Identify the Domain Controller | |
Find SNMP Info | |
Find Network Shares using nmap | |
Find active IPs on local network | |
Fast range scan (if you know the ranges) | |
Check whether a port is open on a range | |
Check for DCs (LDAP) on a range | |
Find active IPs on local network | |
Search for all possible paths to escalate privileges on Windows hosts (WindowsEnum) | |
Enumerate users, groups, and computers from a Windows domain through LDAP queries | |
Enumerate sensitive data (passwords, PII, etc.) from file shares in Active Directory | |
List all processes running on the local system | |
Perform Privilege Escalation checks | |
Monitor creation, deletion and changes to LDAP objects live during a pentest | |
Collect data from the domain controllers and domain-joined Windows systems | |
Collect data from the domain controllers and domain-joined Windows systems using LDAP collection methods | |
Dump the LSASS process or a specific process given its PID | |
Collect system data that could be useful for potential privilege escalation or persistence methods | |
Dump the LSASS process and run Mimikatz to extract credentials from the dumped process | |
Enumerate a list of SMB hosts for accessible SMB shares, both local and mapped drives | |
Enumerate a list of SMB hosts for accessible SMB shares, both local and mapped drives (null session) | |
Enumerate a list of SMB hosts for files and filenames containing a specific keyword (example: 'password') | |
List all available shares using valid credentials | |
List all available shares using valid credentials | |
List all available shares using PTH | |
List all available shares using anonymous login | |
Connect to an SMB share using valid credentials | |
Connect to an SMB share anonymously | |
Enumerate valid AD accounts through Kerberos Pre-Auth using bruteforce | |
Fetch Service Principal Names (SPNs) that are associated with user accounts | |
Request Kerberos tickets to access any service or machine that the user has permissions to | |
Harvest the non-preauth AS_REP responses for a given list of usernames | |
Intercept hashes with Responder | |
Add reg keys that will execute an arbitrary payload during logon or startup | |
Enumerate NetBIOS server anonymously | |
Manipulate the msDS-KeyCredentialLink attribute of a target user/computer to obtain full control over that object | |
Monitor creation, deletion and changes to LDAP objects during the pentest | |
Query the DC for a list of all domain users | |
Query the DC for a list of members of the Domain Admins group | |
Query the DC for a list of available shares the current user has access to | |
Find user logged on machines with Invoke-UserHunter | |
Privilege Escalation check (PowerUp.ps1) | |
Find Network Shares | |
Enumerate valid AD accounts through Kerberos Pre-Auth using nmap's 'krb5-enum-users' | |
Enumerate information from NTLM authentication enabled web endpoints | |
Mount CIFS share on a Windows server | |
Extract Credentials Remotely (RunDLL) | |
Extract Credentials Remotely (Procdump) | |
Extract Credentials Remotely (Parsing only) | |
Extract Credentials Remotely (NT Hash Auth) | |
Extract Credentials Remotely (RunDLL) | |
Dump Local Plaintext Credentials | |
Find sensitive information by querying all LDAP objects | |
Dump Active Directory Information with LDAPDomaindump | |
Enumerate valid AD accounts through Kerberos Pre-Auth | |
Enumerate valid AD accounts through Kerberos Pre-Auth using password spray | |
Enumerate valid AD accounts through Kerberos Pre-Auth using bruteforce on an account | |
Enumerate valid AD accounts through Kerberos Pre-Auth | |
Pass the hash | |
Request Kerberos (TGT) tickets | |
Impersonate the Administrator account and request a Service Ticket for a service | |
Impersonate the Administrator account and request a Service Ticket for a service | |
Use the Task Scheduler service to execute a command | |
Use the Task Scheduler service to execute a command | |
Use NTDS.dit and SYSTEM file to extract the user account hashes associated with the target machine | |
Dump NTLM hashes locally after dumping the NTDS and SYSTEM | |
Dump DC hashes with secretsdump | |
List Shares and list, rename, upload and download files | |
List system user accounts, available resource shares, and other sensitive information | |
Remote Registry Manipulation | |
Enumerate Remote Procedure Call (RPC) endpoints | |
Modify property of a target computer with the security descriptor of another computer | |
Get an Interactive Shell on the Windows host | |
Get an Interactive Shell on the Windows host using Pass the Ticket (PTT) | |
Perform NTLM Relay Attack | |
Initiate a mimikatz shell on the target machine | |
Identify users/groups by bruteforcing Windows SIDs | |
Golden Ticket Attack | |
Fetch Service Principal Names (SPNs) that are associated with user accounts | |
Harvest non-preauth AS_REP responses for a given list of usernames | |
Gather data about the domain users and corresponding email addresses | |
Extract and decrypt Group Policy Preferences (GPP) passwords | |
Interactive shell using DCOM endpoints | |
Add computer to the domain using SMB | |
Add computer to the domain using LDAPS | |
Fast NTLM Cracking | |
Cracking with masks (feasible for 8-11 characters) | |
Cracking with huge wordlist | |
Crack Kerberos ticket hashes | |
Crack Kerberos ASREP hashes | |
Crack intercepted (Responder) hashes | |
Crack intercepted (Responder) hashes using brute force | |
Bruteforcing NTLM (3-8 chars) | |
Recover plaintext domain credentials from WPA2 Enterprise on a compromised host | |
Get all DNS records from Domain Controller with Domain Admin | |
Find uncommon shares in vast Windows Domains | |
File Transfers - Windows to Linux - SMB | |
File Transfers - Windows to Linux - SCP | |
File Transfers - Windows to Linux - FTP | |
File Transfers - Linux to Windows - PowerShell | |
File Transfers - Linux to Windows - Native commands | |
Interactive shell on Windows host using WMI | |
Find Users with Enum4Linux-ng | |
Find Network Shares with Enum4Linux-ng | |
Enumerating System Information | |
Enumerating System Information | |
Make NTDS backup by creating a shadow copy | |
Capture authentication to relay to other hosts | |
Test on what machines your account works | |
Enumerate users with WinRM using CrackMapExec | |
Create a list of targets with SMB Signing disabled (required to relay) | |
Pass the hash | |
Create a list of targets with SMB Signing disabled (required to relay) | |
Execute PowerShell command on the target machine (Admin priv needed) | |
Enumerate SMB with CrackMapExec | |
Dump DC hashes without password | |
Create a new domain admin account with CME | |
Create a list of targets with SMB Signing disabled (required to relay) | |
Dump DC hashes without password | |
Bruteforce with multiple passwords | |
Enumerate users with RID Bruteforce | |
BloodHound Remote Ingestion without Creds | |
BloodHound Remote Ingestion with Hash | |
BloodHound Remote Ingestion with Creds | |
BloodHound Queries | |
Get an overview of the AD with ADRecon | |
How to add commands? |