Shuciran Pentesting Notes

SMB Download

SMBMAP smbmap -H 10.10.11.102 -u 'localadmin' -p 'Secret123' --download Shared\\Documents\\Analytics\\Whatif.omv [[Anubis#^cbbd94]] SMBCLIENT Download a Share # First connect to it and then run t...

IMAP/POP3 (tcp-110)

NMAP Footprinting the Service sudo nmap -p110,143,993,995 -sCV -Pn -n -vvv 10.129.95.171 Connect to the IMAPS/POP3s service openssl s_client -connect <FQDN/IP>:imaps Connect to the IMAPS se...

SMB (tcp-445)

SMBMAP Null Session Guest can be exchanged with “” smbmap -u guest -p "" -H <IP> -L Authenticated smbmap -H <IP> -u 'user' -p 'pass' -d . Command Execution smbmap -H <IP> -u '...

Pass The Hash

Pass The Hash Attack The Pass the Hash (PtH) technique allows an attacker to authenticate to a remote system or service using a user’s NTLM hash instead of the associated plaintext password. Note t...

ASREPRoast Attack

Unauthenticated If we get valid users we can try to request TGT tickets to authenticate as another user: Remember to add the name of the domain controller into the /etc/hosts for this command ...

RPC (tcp-135)

Null Session rpcclient -U "" -N 10.10.10.10 Authenticated rpcclient -U "htb.local\amanda%Ashare1972" 10.10.10.103 Sizzle If an RPC prompt appears, you can run the following commands: En...

Git enumeration

Githacker Command to extract the whole git project: githacker --url http://10.10.11.134/.git/ --output-folder results Examples: Epsilon Git Commits Command to list the commits under a git project...

Timelapse (Easy)

Host entries 10.10.11.152 dc01.timelapse.htb timelapse.htb If Active Directory, synchronize NTP with the domain controller. Content Kerberos enumeration RPC Enumeration SMB En...

DCSync Attack

Basic Access Evil-WinRM to access via port tcp-5985 into a system: evil-winrm -i 10.10.11.158 -u 'nikk37' -p 'get_dem_girls2@yahoo.com' Examples: [[Forest#^b22389]] Active Directory Certificate S...

PowerView Modules

Calling an operating system API from PowerShell is not completely straightforward. Fortunately, other researchers have presented a technique that simplifies the process and also helps avoid endpoin...