📕Quick References

Hackcraking

NTLM:

hashcat -m 1000 ntlm-hashes.txt wordlist -o Cracked.txt -O

hashcat -m 1000 ntlm-hashes.txt -r rule wordlist -o Cracked.txt -O

hashcat -m 1000 -w 3 ntlm-hashes.txt -r rule wordlist -o Cracked.txt -O

NTLMv2:

hashcat -m 5600 ntlmv2-hashes.txt wordlist -o Cracked.txt -O

hashcat -m 5600 ntlmv2-hashes.txt -r rule wordlist -o Cracked.txt -O

hashcat -m 5600 -w 3 ntlmv2-hashes.txt -r rule wordlist -o Cracked.txt -O

Kerberoast:

hashcat -m 13100 kerb-hashes.txt wordlist -o Cracked.txt -O

hashcat -m 13100 kerb-hashes.txt -r rule wordlist -o Cracked.txt -O

hashcat -m 13100 -w 3 kerb-hashes.txt -r rule wordlist -o Cracked.txt -O

AS-REP:

hashcat -m 18200 asrep-hashes.txt wordlist -o Cracked.txt -O

WPA/PMKID

Reverse Shells

MANY more on PayloadAllTheThings - These are my more commonly used ones

Bash

TCP

UDP

Python

IPv4

IPv4 (No Spaces)

PHP

Meterpreter

Windows Staged reverse TCP

Windows Stageless reverse TCP

Linux Staged reverse TCP

Linux Stageless reverse TCP

MSFVenom

Post Exploitation

Upgrade to usable shell

• Find python version

Powershell Oneliners

• Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]

• Invoke-Mimikatz: Dump credentials from memory

• Import Mimikatz Module to run further commands

• Invoke-MassMimikatz: Use to dump creds on remote host

• PowerUp: Privilege escalation checks

• Invoke-Inveigh and log output to file

• Invoke-ShareFinder and print output to file

• Import PowerView Module to run further commands

• Invoke-Bloodhound

• Find GPP Passwords in SYSVOL

• Run Powershell prompt as a different user, without loading profile to the machine

• Insert reg key to enable Wdigest on newer versions of Windows