Password Spraying:

• https://book.hacktricks.xyz/windows/active-directory-methodology/password-spraying
• https://github.com/Greenwolf/Spray
• MSF: use auxiliary/scanner/smb/smb_login
• CrackMapExec: crackmapexec cmd <targetfile> -u user -p pass -d domain

Relaying Credentials with ntlmrelayx:

• https://blog.fox-it.com/2017/05/09/relaying-credentials-everywhere-with-ntlmrelayx/

Authenticated Vectors:

Start CMD with secondary user credentials:

• Local: runas /netonly /user:<username> cmd.exe
• Domain: runas /netonly /user:<domain>\<username> cmd.exe

Log into System:

• winrs -r:<computername> cmd.exe
• Enter-PSSession -ComputerName <computername>

Enable PowerShell Remoting

• Enable: Enable-PSRemoting –force
• Check WinRM Running: Get-WmiObject –Class win32_service | Where-Object {$_.name -like “WinRM”}
• Set all remote hosts to trusted: Set-Item WSMan:localhost\client\trustedhosts -value *
  • Verify Configuration: Get-Item WSMan:\localhost\Client\TrustedHosts

Windows Activities:

See: /index.php/2021/07/19/cheatsheet-microsoft-windows/