Search Results
166 total results found
Enum4Linux
Details Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe, formerly available from www.bindview.com. It is written in Perl and is basically a wrapper around the Samba tool...
Remote Bloodhound
GitHub Repo Prerequisites impacket ldap3 dnspython Installation python3 -m pip install bloodhound Usage Example Nmap LDAP Enumeration Find the FQDN of the domain controller: # Look for the dnsHostName attribute sudo nmap -Pn -T4 -p 389,636 ...
LdapDomainDump
When to Use You'll know when you've found a domain controller, because it will have several ports open that clearly distinguish it: PORT STATE SERVICE 53/tcp open domain 88/tcp open kerberos-sec 135/tcp open msrpc 139/tcp open n...
Dumping DNS Records with adidnsdump
Active Directory Integrated DNS Dump (adidnsdump) GitHub Repository Installation python3 -m pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump Usage Examples Requires a username and password to work. Outputs to records.csv . # Show h...
GetADUsers.py
When to Use Helpful in post-compromise enumeration. If you've compromised a domain-joined host, and you've dumped the hashes from SAM or LSASS, you can pass the hash to the domain controller (even as a low-level domain user) to list users in the directory. ...
GetUserSPNs.py
When to Use Useful in post-compromise enumeration. If you acquire user passwords or hashes for accounts from SAM or LSASS, you can use these credentials to see if there are any Service Principals (service accounts) associated with user accounts. Often times,...
Impacket-Addcomputer
When to Use Could be used post-compromise upon enumerating the ms-DS-MachineAccountQuota policy. If you use a tool such as ldapdomaindump -- see here for more information -- it will write the domain policy to a file called domain_policy.json. "ms-DS-Machi...
Enumerating Hosts and Identifying the Domain Controllers
Enumerating Live Hosts Internal ARP-Scan Since this is an internal assessment, Kali is on the same LAN segment as the target(s) and ICMP is not needed to enumerate. ARP is not going to be firewalled like ICMP pings. # Assumes internal LAN is 10.10.10.0/24...
CrackMapExec
When to Use Useful post-compromise if you've dumped hashes from SAM or LSASS or obtained cleartext passwords, you can then pass these credentials around the network to enumerate information such as: Shares Sessions Disks Logged-on Users Users Groups ...
Password & Credential Brute Force
User Enumeration You have enumerated users with one of the methods defined here: CrackMapExec PowerView ldapdomaindump ldapsearch enum4linux GetADUsers.py Manual Enumeration Domain Policy Enumeration You have verified the account lockout poli...
PowerShell AD Module on Any Domain Host as Any User
Borrow a DLL Normally, one must install RSAT (Remote Server Administration Tools) on a host to make remote calls to Active Directory from a client computer. And, one must normally be an administrative user to import the PowerShell Active Directory module. Th...
DCSync
DCSync Overview DCSync is a legitimate function of Active Directory environments where a domain controller makes a sync request to another domain controller in the environment, so this is not functionality that can be disabled. Normally, this f...
Port Forwarding with PLINK
Download Plink You can download the latest plink.exe binary from here: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html Individual Port Forwarding Using plink.exe in SSH mode A service on a compromised host is listening on 127.0.0.1 Open...
SMB Client Configuration
Tweaking the Configuration File You can find the client configuration file at: /etc/samba/smb.conf . If you take a look at the configuration file, you'll notice that this is the default Debian SMB client, forked for Kali. [global] #### Kali configuratio...
Modify the Wazuh Dashboards Session Timeout
This procedure applies to Wazuh 4.3+ , as previous versions used references to opendistro in the configuration files. Edit the file /etc/wazuh-dashboard/opensearch_dashboards.yml and add/change the following lines: # The ttl is calculated in milliseconds # ...
Upgrading Fleet Versions
Stop the Server First, stop any running FleetDM processes. I have systemd controlling my FleetDM server, so I will run this command to stop the server. sudo systemctl stop fleet Download the Latest Binaries Pay special attention to any upgrade notes on...
List Nmap Top Ports
Purpose If you're running a lengthy nmap scan and do not want to enumerate all 65,535 TCP (or UDP) ports, you may opt to use the --top-ports scan option to reduce the duration of the scan. But you may wonder which ports exactly you may be targeting when you ...
WordPress Relative Base URL
Problem Often in some Vulnhub or other self-hosted CTF boxes, there will be a WordPress instance configured as part of the challenge. The WordPress instance is not correctly configured when the box is shipped, and the WordPress installation is still using...
Linux: Booting into Single-User Mode
At the bootloader screen, press the e key to edit the GRUB configuration. Use the up arrow and down arrow keys to navigate the GRUB configuration. Edit the line starting with the word linux and change ro to rw and add init=/bin/bash to the end of the l...
Windows: Unattended Sleep Timeout
Problem A Windows guest running under the Proxmox hypervisor repeatedly powers off despite having the display and sleep settings set to Never. Solution Open a PowerShell prompt as administrator and run the following command to expose the System Unatte...