Pentesting Methodology
A searchable index of 233 recon, enumeration, privesc, and Active Directory plays — built from my OSCP notes and exposed over MCP for AI agents.
Phases
OS
Type
Filter
Run AutoRecon
Broad automated recon with tuned nmap rate.
reconchecklistAttempt DNS Zone Transfer
Try DNS AXFR; also try knock for port knocking targets.
reconchecklistNmap Full TCP Scan
Scan all ports; try fingerprint with -nvv or connect scan if filtered.
reconchecklistNmap Top UDP Scan
Run against discovered subdomains as well.
reconchecklistDirectory Brute Force with Feroxbuster
If 302 found, ask why — scan for default creds. Try Feroxbuster.
reconchecklistGobuster Directory Scan
Different busters expose different endpoints.
reconchecklistRun Nikto on HTTP
Scan HTTP for misconfigurations, dangerous files, and outdated software.
reconchecklistCheck Page Source and Response Headers
Ctrl+U, check JS files.
reconchecklistSubdomain and Vhost Enumeration
Fuzz Host headers to find virtual hosts and subdomains.
reconchecklistCheck robots.txt
Fetch disallowed paths the site owner tried to hide from crawlers.
reconchecklistCheck README Files
Look for deployment notes, version info, or default credentials.
reconchecklistAnalyze Requests with Burp Suite
Test every function: LFI, SQLi, IDOR, mass assignment, business logic.
reconchecklistTest LFI and Path Traversal
Look for users and try .ssh under /home/<USER>/.ssh/
reconchecklistInspect TLS/SSL Certificates
Good for grabbing usernames from cert fields.
reconchecklistCVE and Exploit Enumeration
searchsploit is easier than exploit-db web.
reconchecklistHunt for Version Number Leaks
Check error pages; Google any errors found.
reconchecklistResearch Third-Party Kit Vulnerabilities
Google specific kits or packages used by the website.
reconchecklistMap Website Functionality
Understand function and identify plugins.
reconchecklistFuzz Hidden Parameters
Fuzz params; check for LFI.
reconchecklistBuild Custom Wordlist with CeWL
Generate a site-specific wordlist from crawled page text.
reconchecklistUse PHP Wrappers
php://filter and data:// wrappers help when curl shows missing page sections or LFI is suspected.
reconchecklistDirectory & API Brute Force with Gobuster
Brute force web directories and API endpoints with Gobuster; use -k for HTTPS and a pattern file to fuzz versioned API paths.
recontoolDirectory & File Fuzzing with ffuf
Fuzzes a web server for directories and files with ffuf, appending common extensions and filtering out 404 responses.
recontoolDirectory Brute-Force with dirb
Brute-forces web directories and files with dirb using a wordlist to discover hidden content.
recontoolDump Exposed .git with git-dumper
Reconstruct a web-exposed .git directory locally with git-dumper, then read the history and grep for leaked secrets.
recontoolIf Stuck, Scan Again From a Pivot
An internal vantage point may expose ports that were filtered from the outside.
reconchecklistRead File Metadata with exiftool
Reads embedded metadata (author, software, GPS, timestamps) from a file, which can leak usernames or other useful recon details.
recontoolRecursive Content Discovery with feroxbuster
Recursively brute-forces web directories and files with feroxbuster, appending extensions to surface scripts, configs and other hidden content.
recontoolSubdomain Discovery with Sublist3r
Passively enumerates subdomains for a domain using public search engines and OSINT sources.
recontoolVirtual Host Enumeration with ffuf
Discovers virtual hosts / subdomains by fuzzing the Host header with ffuf and using auto-calibration to filter default responses.
recontoolCheck Web Server Virtual Hosts
Vhost configs reveal hidden sites, internal apps, and document roots.
enumerationlinuxchecklistEnumerate Listening Ports
Local-only ports are prime pivot targets not visible from an external scan.
enumerationlinuxchecklistCheck Running Processes
Note services running as root and any process started from a writable path.
enumerationlinuxchecklistCheck Active Services
Fingerprint each listening service to find a foothold or pivot.
enumerationlinuxchecklistCheck Installed Packages
Outdated or unusual packages may have known exploits.
enumerationlinuxchecklistExamine Binary Content and Metadata
Hardcoded passwords and useful metadata often hide inside files and binaries.
enumerationlinuxchecklistReuse Passwords and Usernames Everywhere
Spray every recovered credential across all services and users — reuse is extremely common.
enumerationlinuxchecklistCheck Python Availability
Knowing if Python exists helps with shell upgrades and exploit delivery.
enumerationlinuxchecklistProcess Enumeration via /proc
Especially useful via LFI to read process environment and command lines.
enumerationlinuxchecklistIdentify Web Framework
Check debug endpoints, error pages, and framework-specific paths to fingerprint the stack.
enumerationlinuxchecklistCheck Key Root Directories
Manually browse /var/www, /home, and /root for configs, keys, and notes.
enumerationlinuxchecklistCheck Absolute vs Relative Paths
Missing quotes or relative paths in service/script definitions enable path hijacking (unquoted service paths on Windows).
enumerationlinuxchecklistSMB Enumeration
List shares with null/guest sessions before trying recovered credentials.
smbenumerationlinuxchecklistLDAP Enumeration
Anonymous LDAP binds can leak users, groups, and naming contexts.
ldapenumerationlinuxchecklistCheck Config Files and Environment
Application config files and environment variables frequently store secrets.
enumerationlinuxchecklistCheck Installed Program Files
Look for third-party applications and their config/.ini files (Program Files on Windows) that may hold credentials or be vulnerable.
enumerationlinuxchecklistCheck for Database Config Files
Web app config files (conf.php, defines.php) usually hold DB credentials.
enumerationlinuxchecklistCheck Who Can SSH
AllowUsers/AllowGroups and auth settings show which accounts can log in over SSH.
enumerationlinuxchecklistCheck for Firewall or Blocking Device
If egress is filtered, try common service ports or tools like busybox to get traffic out.
enumerationlinuxchecklistUsername and Hostname
Confirm the current account and machine name before deeper Windows enumeration.
enumerationwindowschecklistGroup Memberships of the Current User
Group memberships reveal admin rights, impersonation tokens, and paths to privilege escalation.
enumerationwindowschecklistExisting Users and Groups
Map local accounts and group membership to find privileged or custom admin groups.
enumerationwindowschecklistOperating System Version and Architecture
OS build and patch level guide kernel exploit selection and Mimikatz compatibility checks.
enumerationwindowschecklistNetwork Information
Interfaces and listening ports reveal internal subnets, dual-homed hosts, and local services to pivot against.
enumerationwindowschecklistInstalled Applications
Check both the x64 and x86 uninstall registry hives so 32-bit apps are not missed.
enumerationwindowschecklistRunning Processes and File Hunting
Also review Event Viewer for script block logging events and check default PowerShell transcripts.
enumerationwindowschecklistChecking Services for Privesc
Sample adduser.c (cross-compile with mingw) creates a local admin: it calls system("net user dave2 password123! /add") then system("net localgroup administrators dave2 /add"). Replace a writable service binary with it, restart the service, and also check PowerShell history.
enumerationwindowschecklistAccess S3 Buckets with Leaked AWS Credentials
Configure the AWS CLI with discovered access keys, then list S3 buckets against a custom endpoint (e.g. a self-hosted/MinIO service).
enumerationtoolAlways Ask Why It Exists
Sketch a tiny mindmap of each service and asset, and always ask yourself why it exists.
enumerationchecklistConnect to a Redis Server with redis-cli
Connects to an exposed Redis instance (default port 6379) with redis-cli so you can enumerate keys and configuration.
enumerationtoolConnect to SSH with Legacy Algorithms
Re-enable deprecated key-exchange and host-key algorithms so a modern SSH client can connect to an old/legacy SSH server.
enumerationtoolCrackMapExec / NetExec
Spray creds and enumerate SMB/WinRM/LDAP/MSSQL across hosts. "Pwn3d!" means the account has admin/exec rights on that protocol.
enumerationtoolFast Full Port Scan with nmap
Scans all 65535 TCP ports quickly with a high minimum packet rate to find services missed by a default scan.
enumerationtoolFTP (21)
Always test anonymous login, then mirror readable files. Note the banner (vsftpd/ProFTPD versions) for known CVEs, and watch for upload rights into a webroot.
ftpenumerationportsList Login Users from /etc/passwd
Extract accounts with an interactive shell from /etc/passwd to build a list of real login users.
enumerationlinuxtoolMetasploit Redis Scanner Module
Load the Metasploit Redis scanner auxiliary module to fingerprint and probe an exposed Redis service.
enumerationtoolMSSQL (1433)
Connect with impacket-mssqlclient, then go for xp_cmdshell (code exec), xp_dirtree (hash coercion), or EXECUTE AS to impersonate a privileged login.
mssqlenumerationportsMySQL (3306)
Connect with looted DB creds, dump user tables for hashes, and check app tables for credentials you can reuse or overwrite. Use \G for readable wide rows.
mysqlenumerationportsNmap Useful Switches
Handy Nmap switches for OSCP-style scans: -sn sweep, -sS SYN, -Pn no ping, -p- all ports, -sV versions, -A aggressive.
enumerationtoolOpenSSL — Inspect TLS Service
Pull certificates from TLS services to leak hostnames, domain names, and internal CN/SAN values useful for AD enumeration.
enumerationtoolPort Knocking to Open a Filtered Port
Send a sequence of connection attempts to the secret knock ports to unlock a firewalled service (e.g. SSH), then connect normally.
enumerationtoolRe-enumerate From the Internal Machine
Ports invisible externally may expose vulnerable internal web apps once you are on the box.
enumerationchecklistSearch Local Nmap NSE Scripts
List the installed Nmap NSE scripts and filter by service prefix to find relevant checks before scanning.
enumerationtoolSMB (445/139)
Always try null and guest sessions first. List shares, connect to readable ones, then spider for configs, scripts, and GPP passwords. Map share ACLs with smbmap.
smbenumerationportsSMB Enumeration with rpcclient
Connects to a target over MS-RPC with a null session and enumerates domain users via querydispinfo.
enumerationtoolSNMP (161/UDP)
SNMP is UDP/161 — easy to miss. The community string "public" is the common default. The gold is in running-process command lines, which often contain cleartext passwords.
snmpenumerationportsSSH (22)
SSH itself rarely has a direct exploit on OSCP — it's a place to spray recovered creds and to reconnect with looted private keys. Note the banner for the OS/version.
sshenumerationportsTop UDP Ports Scan (Nmap)
Quickly scans the 100 most common UDP ports with a high packet rate, since full UDP scans are otherwise very slow.
enumerationtoolUpgrade to a Full TTY (Linux)
Turn a dumb reverse shell into a fully interactive TTY so job control, arrow keys, and tab completion work.
enumerationlinuxtoolUsername Enumeration with ffuf
Enumerates valid usernames through a signup form by matching the "username already exists" response with ffuf.
enumerationtoolVhost & Parameter Fuzzing with Wfuzz
Uses Wfuzz for virtual host discovery (FUZZ in the Host header) and parameter fuzzing (FUZZ in the query string), hiding noise responses by character count with --hh.
enumerationtoolBash /dev/tcp Reverse Shell
Spawns an interactive Bash reverse shell back to the attacker using Bash's built-in /dev/tcp socket.
exploitationlinuxtoolBrute Force HTTP Login Forms with Hydra
Brute force web login forms with Hydra's http-post-form module; the syntax is "path:POSTDATA:CONDITION" using F= for a failure string or S= for success.
exploitationtoolBrute Force phpMyAdmin Login with Hydra
Example Hydra http(s)-post-form attack against a phpMyAdmin login, matching the "Incorrect password" failure string.
exploitationtoolBypass Whitespace Filters in Command Injection
Techniques to inject commands when spaces are filtered, using Bash brace expansion or the ${IFS} variable in place of whitespace.
exploitationtoolGenerate Payloads with msfvenom
Build reverse-shell / meterpreter payloads in various formats (asp, exe) with msfvenom, optionally encoding to evade simple AV.
exploitationtoolLinux Bash Reverse Shell Script
Write a small bash reverse-shell script that calls back to a listener, then execute it on the target.
exploitationlinuxtoolNetcat Reverse Shell
Call back to a Netcat listener with /bin/bash; use the mkfifo variant when the installed nc lacks the -e option.
exploitationlinuxtoolPHP Reverse Shell One-Liner
Drop a compact PHP payload that base64-decodes and pipes a bash reverse shell; the phar:// wrapper can trigger included PHP from an uploaded archive.
exploitationtoolPostgreSQL RCE / Reverse Shell
Use the squid22 PostgreSQL_RCE script to turn authenticated PostgreSQL access (superuser COPY ... PROGRAM) into command execution and a reverse shell.
exploitationtoolPython Reverse Shell One-Liner
One-line Python reverse shell that connects back and spawns an interactive /bin/bash PTY via pty.spawn.
exploitationlinuxtoolRead PHP Source via php://filter LFI
Abuse an LFI with the php://filter base64 wrapper to leak PHP source code, then decode the returned blob locally.
exploitationtoolRedis RCE
Achieves remote code execution on an exposed Redis server by loading a malicious module (.so) via a public exploit.
exploitationtoolSQL Injection with sqlmap
Automates SQL injection detection and data extraction; feed it a saved request with -r or a URL with -u, then drill from databases to tables to columns.
exploitationtoolWindows Library-ms Client-Side Attack
Phish a Windows user with a .Library-ms file pointing at an attacker WebDAV share, chaining a malicious shortcut that downloads powercat for a reverse shell.
exploitationwindowstoolCheck for SUID Binaries
List SUID binaries and cross-check anything unusual against GTFOBins.
privesclinuxchecklistCheck Linux Capabilities
Capabilities like cap_setuid on a binary can grant a root shell (check GTFOBins).
privesclinuxchecklistCheck Writable Files and Directories
Writable scripts, configs, or directories in a root-run path are common escalation vectors.
privesclinuxchecklistCheck for PATH Hijacking
If a privileged binary calls another program by relative name, hijack it via a writable PATH entry.
privesclinuxchecklistAnalyze Binary Execution
Watch for shelled-out commands you can break out of with && or ;.
privesclinuxchecklistRun LinPEAS
Read the output slowly — crons, SUIDs, users, site config, and timers.
privesclinuxchecklistRun LSE (Linux Smart Enumeration)
Level 1 shows more detail than the default summary.
privesclinuxchecklistCheck Cron Jobs
Writable scripts run by root cron jobs are an easy escalation path.
privesclinuxchecklistSearch for Passwords in App Directories
Reuse any discovered credentials against other users and services.
privesclinuxchecklistRead Proof Files via sudo find
Works when sudo find is allowed; find's -exec runs as root.
privesclinuxchecklistCheck Firewall Port Rules
Firewall rules can reveal internally bound services worth pivoting to.
privesclinuxchecklistCheck Unmounted Drives
fstab may store credentials and unmounted volumes can hold sensitive data.
privesclinuxchecklistKernel Exploit (Last Resort)
Consider PwnKit or DirtyPipe only when no other vector exists; kernel exploits can crash the box.
privesclinuxchecklistQuick Check sudo -l and env
Always run first — sudo rules and environment variables often reveal an instant win.
privesclinuxchecklistReview LinPEAS for Writable Files
Focus on writable files owned or used by root highlighted in the LinPEAS output.
privesclinuxchecklistCheck Aliases and Process Cmdline
Aliases and command lines can leak credentials or hijackable commands.
privesclinuxchecklistCheck Bash History
History files frequently contain plaintext passwords typed by mistake.
privesclinuxchecklistLook for Reusable Root SSH Key
Test any private keys you find against root over loopback.
privesclinuxchecklistAnalyze Root Processes
Root-owned services may be vulnerable or call writable files.
privesclinuxchecklistCheck Loopback Traffic for Credentials
Internal services often pass credentials in cleartext over loopback.
privesclinuxchecklistCheck Vulnerable Library in Cron Script
If a root cron script imports a library you can write to, modify that library to run your payload.
privesclinuxchecklistAdd a User to the Local Administrators Group
Adds an existing local user to the built-in Administrators group to gain administrative privileges on a Windows host.
privescwindowstoolFind SUID Binaries for Privilege Escalation
Enumerates SUID binaries on a Linux host; misconfigured or known-exploitable SUID files (see GTFOBins) can be abused to escalate to root.
privesclinuxtoolPrintNightmare Local Privesc (CVE-2021-1675)
Exploit the Print Spooler (CVE-2021-1675) with Invoke-Nightmare to create a local admin; then optionally dump NTDS and psexec in with the recovered hash.
privescwindowstoolPrintSpoofer Privesc (Windows Server 2019)
Abuse SeImpersonatePrivilege on Windows Server 2019 with PrintSpoofer to spawn an interactive SYSTEM process; Invoke-TokenManipulation is an alternative.
privescwindowstoolPwnKit Polkit Privesc (CVE-2021-4034)
Exploit the polkit pkexec vulnerability (CVE-2021-4034) with the ly4k PwnKit one-liner to get an instant root shell on vulnerable Linux hosts.
privesclinuxtoolSeBackupPrivilege — Dump SAM/SYSTEM (or NTDS)
SeBackupPrivilege lets you read any file regardless of ACLs. Use a shadow copy to grab NTDS.dit (on a DC) or save the SAM/SYSTEM hives, then dump hashes offline with secretsdump.
privescwindowstoolUAC Bypass via Auto-Elevate Binaries
When you are in the Administrators group but running at medium integrity, check whether trusted binaries like fodhelper.exe or eventvwr.exe are flagged autoElevate, which makes them candidates for a UAC bypass.
privescwindowstoolWildcard Abuse for PrivEsc (tar/borg)
Abuses a privileged command that uses a shell wildcard (*) by planting files whose names are interpreted as command-line options, achieving code execution.
privesclinuxtoolWindows Exploit Suggester (WES-NG)
Compares a target's systeminfo output against a database of known patches to suggest missing-patch privilege escalation exploits.
privescwindowstoolWindows PrivEsc Checks with PowerUp.ps1
Run PowerUp's Invoke-AllChecks to find privesc paths; abuse AlwaysInstallElevated with a malicious MSI or weak services with Invoke-ServiceAbuse.
privescwindowstoolCheck Stored Credentials with cmdkey
Saved credentials can be reused with runas /savecred without knowing the password.
credentialswindowschecklistDump SAM Hashes via SMB
Dumped SAM hashes can be cracked or used for pass-the-hash.
credentialswindowschecklistRun Mimikatz to Dump Credentials
Requires admin/debug privileges; extracts plaintext passwords, hashes, and tickets from LSASS.
credentialswindowschecklistGrab Linux passwd and shadow
If you can read /etc/shadow, unshadow and crack the hashes offline with john or hashcat.
credentialslinuxchecklistBrute-Force Web Login Forms with ffuf
Brute-forces HTTP POST login forms with ffuf, using single or clustered wordlists and filtering out the failed-login response code.
credentialstoolCrack & Open KeePass Databases
Convert a .kdbx file to a crackable hash for hashcat/john, or recover the master key from a memory dump (CVE-2023-32784), then browse entries with kpcli.
credentialstoolDecode a Base64-Encoded File
Decodes a Base64-encoded file (e.g. an obfuscated password) back to plaintext.
credentialstoolDump Credentials with Mimikatz
Transfer and run Mimikatz to enable debug privileges, then dump SAM hashes and cached logon credentials from LSASS.
credentialswindowstoolDump gMSA Passwords with gMSADumper
Retrieve the managed password blob (NT hash) of Group Managed Service Accounts from a domain controller using valid domain credentials.
credentialswindowstoolExtract an SSH Private Key Hash with ssh2john
Converts a passphrase-protected SSH private key into a John-compatible hash so the passphrase can be cracked with john/hashcat.
credentialstoolLogin Brute Force with Success Match (Hydra)
Brute-forces a login form using a success condition (S=) instead of a failure string, matching the post-login redirect to /admin.
credentialstoolOpenSSL — Extract Key & Cert from PFX
When you loot a .pfx, split it into a key and certificate with OpenSSL, then use them for certificate-based WinRM auth.
credentialstoolRails Login Brute Force (Hydra)
Brute-forces a Rails login form with Hydra; the CSRF authenticity_token must be captured and supplied, and F= marks the failure string.
credentialstoolRemote Credential Dumping with NetExec
Use NetExec/nxc to remotely dump LSASS, SAM, LSA, NTDS, and LAPS credentials over SMB/LDAP with admin creds, then crack the recovered hashes.
credentialswindowstoolSpray Hashes Across Hosts
Local admin accounts often share the same password, so a single hash can unlock many hosts.
credentialschecklistSSH Login with a Private Key
Authenticates over SSH with a discovered private key; the key file must have 600 permissions, and IdentitiesOnly forces use of the supplied key.
credentialstoolDownload Files to Windows with certutil / iwr
Transfers files onto a Windows target from your attacker HTTP server using the built-in certutil (cmd) or Invoke-WebRequest (PowerShell).
Pivoting & TransferwindowstoolFile Download with NetExec (SMB)
Pulls a file off a remote SMB share using NetExec credentials, saving it locally with --get-file.
Pivoting & TransfertoolFile Transfer with impacket-smbserver
Spins up an authenticated SMB share on the attacker host so a Windows target can map it and copy files in or out.
Pivoting & TransfertoolFile Transfer with netcat
Transfers a file over a raw TCP connection: the receiver listens and redirects to a file, the sender pipes the file in; verify integrity with md5sum.
Pivoting & TransfertoolFile Transfer with scp
Copies a file to a remote host securely over SSH using valid SSH credentials.
Pivoting & TransfertoolPivot into Internal Networks with Ligolo-ng
Stand up Ligolo-ng tunneling: bring up the tun interface, run the proxy on Kali, connect the agent from the victim, add a route to the internal subnet, start the session, then forward ports with listener_add.
Pivoting & TransfertoolPivot with Chisel (Reverse Port Forward & SOCKS)
Uses Chisel to tunnel a single port back over a reverse connection, or to set up a SOCKS5 proxy for routing tools through a compromised host via proxychains.
Pivoting & TransfertoolPivoting with sshuttle
Routes traffic to an internal subnet through an SSH connection, acting as a transparent VPN without extra setup on the target.
Pivoting & TransfertoolWindows File Transfer (certutil / nc)
Downloads a binary onto a Windows host with certutil, then uses the transferred nc.exe to spawn a reverse shell back to the attacker.
Pivoting & TransferwindowstoolAdd SSH persistence
Authorize your SSH public key so you can reconnect without a password after initial access.
persistencelinuxchecklist/etc/passwd persistence
Append a new line to /etc/passwd with UID 0 using the generated hash for a hidden root-equivalent account.
persistencelinuxchecklistBloodHound Collection
windowschecklistLAPS Check
Local LAPS install path: C:\Program Files\LAPS
windowschecklistCheck Current Privileges
windowschecklistCheck if Defender Active
windowschecklistCheck AppLocker Policies
windowschecklistCheck Certify and ADCS Vulns
windowschecklistCheck for NTLMv2 Capture
If the captured hash will not crack, relay it instead.
checklistNTLM Relay Check
checklistRun enum4linux
checklistCheck Possible Subdomains
checklistAuthenticate With Every Possible Cred
Also try -k (Kerberos), --local-auth, and --generate-krb5-file.
checklistTest for Kerberoasting
Requires valid creds; prioritize accounts in privileged groups.
checklistTest for AS-REP Roasting
checklistCheck LDAP/RPC/SMB With Creds
Re-run for every newly discovered user; watch for READ/WRITE shares.
checklistScan All TCP and UDP (AD)
checklistLDAP Search Info Field
checklistCheck SYSVOL
Logon scripts and Groups.xml can contain creds or GPP passwords.
checklistRID Brute After SMB
checklistCheck Upload to SMB/FTP
Drop the malicious file in a writable share to coerce NTLM auth.
checklistBruteforce Different Protocols
Try username-as-password; re-run against every newly found credential.
checklistFind Usernames
checklistCheck Environment With PowerView
windowschecklistCheck RDP Access (3389)
checklistAdd an AD DNS A Record with dnstool.py
Uses dnstool.py (from krbrelayx) to create a DNS A record in an AD-integrated zone, useful for coercion/relay setups where any authenticated user can add records.
windowstoolCollect BloodHound Data (nxc, bloodhound-python, SharpHound)
Multiple ways to gather BloodHound data — remotely with netexec or bloodhound-python from Kali, or on-host with SharpHound — plus the Neo4j/Java steps needed to view the results.
toolInstall BloodHound and Neo4j on Kali
Installs BloodHound, Neo4j and a compatible JDK on Kali, then sets the initial Neo4j password so you can log in to the database.
linuxtoolLDAP Enumeration with ldapsearch & ldapdomaindump
Query AD over LDAP with ldapsearch/netexec, then dump the whole directory to HTML with ldapdomaindump for offline review.
windowstoolQuery Active Directory with bloodyAD
Connects bloodyAD to a domain controller to read/modify AD objects — point -d at the domain, --host at the DC, and --dns when name resolution is flaky.
toolRun BloodHound CE in Docker
Runs BloodHound CE in Docker; grab the temp admin password from the startup logs and reset it on first login each time you spin up a fresh container.
linuxtoolCheck PowerShell history
windowschecklistCheck all installed applications
windowschecklistCheck running processes and services
windowschecklistCheck quoted and unquoted service paths
windowschecklistCheck scheduled tasks
windowschecklistCheck for strange exe (service/task/startup)
windowschecklistCheck for config and credential files
windowschecklistBloodHound on compromised host
windowschecklistRun winPEAS
Confirm hostname; re-run if you gain admin; also check PowerUp.
windowschecklistRun Windows Exploit Suggester
windowschecklistDump hashes remotely
windowschecklistRun secretsdump when domain admin
windowschecklistCheck Administrator and domain users
windowschecklistRun PowerUp and PrivescCheck
windowschecklistRun whoami /all
Look for easy wins.
windowschecklistPivot check
Relay tools to a jumpbox; check additional network adapters.
windowschecklistResponder in compromised host context
A writable share may enable hash capture.
windowschecklistCheck tasklist verbose
windowschecklist