Methodology
Tools to have locally, ready to transfer to the target:
Rubeus
Mimikatz
PowerView
Perform full port scans with nmap, then deeper scans with -sV -sC, and a general nmap vuln script scan
Fingerprint any port with netcat and nmap
Abuse misconfigured services such as anonymous access to FTP, SMB, RPC, public shares, etc.
Collect usernames through SMB (--rid-brute), RPC (enumdomusers), LDAP, SMTP, etc.
Check for AS-REP roasting from Linux
Check for AS-REP roasting from Windows
Check for Kerberoasting from Linux
Check for Kerberoasting from Windows
Check shares for access with any user
Hash stealing using Responder (no spoofing or poisoning allowed; only use analyze mode -A)
Relaying hashes with ntlmrelayx
Perform pass-the-hash with protocols such as RPC, SMB, WinRM, and MSSQL
Perform brute-forcing against protocols such as RPC, SMB, WinRM, MSSQL, and RDP
Authenticate to get a shell with protocols such as RPC, SMB, WinRM, MSSQL, and RDP
Find and exploit common Windows privilege escalation vectors
Dump SYSTEM, SAM, and NTDS.dit hashes from the target, either remotely or locally
Crack hashes with hashcat or John the Ripper
Perform attacks against Active Directory Certificate Services (AD CS) with tools like Certipy
Enumerate the domain and discover domain privilege escalation paths with BloodHound
Perform pivoting with tools like chisel or ligolo-ng