Red Team Toolkit

Windows Exploits

Last updated 1 year ago

Windows Exploit Suggester

wesng (Windows Exploit Suggester - Next Generation) compares the hotfixes listed in a systeminfo dump against Microsoft's patch data and reports publicly known issues the host is missing patches for. Refresh its definitions, capture systeminfo on the target, copy the file to the attack box and run wes.py against it:

wes.py --update
systeminfo > systeminfo.txt
wes.py systeminfo.txt

Cross-check the hotfix list from PowerShell. Both systeminfo and Get-HotFix read the Win32_QuickFixEngineering class, which does not record every update type, so treat the output as a starting point rather than a complete patch inventory:

Get-HotFix | Sort-Object InstalledOn -Descending
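The step wes.py performs before it does anything else is to turn systeminfo.txt into an OS build plus a list of installed KBs. The following is an added example, not wesng's own code, that does that parsing offline so the dump can be sanity-checked (truncated files, wrong encoding, a hotfix count that does not match the list) before it is fed to the suggester. The systeminfo text is a constructed sample, not a capture from a real host, and KB5999999 in the main block is a placeholder used only to show the diff logic; supply your own list of required KBs in practice.

```python
import re
import sys
from dataclasses import dataclass, field

# Constructed sample of `systeminfo` output (not captured from a real host),
# trimmed to the fields this parser reads, in the layout systeminfo prints.
SAMPLE_SYSTEMINFO = """\
Host Name:                 WS01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
OS Manufacturer:           Microsoft Corporation
System Type:               x64-based PC
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB5003791
                           [02]: KB5012170
                           [03]: KB5014699
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) Ethernet Connection
"""

@dataclass
class HostInfo:
    host_name: str = ""
    os_name: str = ""
    os_version: str = ""
    build: str = ""
    arch: str = ""
    hotfix_count: int = 0                          # the count systeminfo claims
    hotfixes: list = field(default_factory=list)   # the KBs it actually lists

# "Key:   value" lines start in column 0; continuation items are indented "[NN]: value".
KEY_LINE = re.compile(r"^(\S[^:]*):\s*(.*?)\s*$")
ITEM_LINE = re.compile(r"^\s+\[\d+\]:\s*(.+?)\s*$")

def parse_systeminfo(text):
    """Pull OS name/build, architecture and the installed-KB list out of systeminfo text."""
    info = HostInfo()
    section = None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            section, value = m.group(1), m.group(2)
            if section == "Host Name":
                info.host_name = value
            elif section == "OS Name":
                info.os_name = value
            elif section == "OS Version":
                info.os_version = value
                b = re.search(r"Build (\d+)", value)
                info.build = b.group(1) if b else ""
            elif section == "System Type":
                info.arch = value
            elif section == "Hotfix(s)":
                c = re.match(r"(\d+)", value)
                info.hotfix_count = int(c.group(1)) if c else 0
            continue
        item = ITEM_LINE.match(line)
        if item and section == "Hotfix(s)":   # only the items under Hotfix(s) are KBs
            info.hotfixes.append(item.group(1).upper())
    return info

def hotfix_list_consistent(info):
    """False when the file was truncated or mangled: the claimed count and the list disagree."""
    return info.hotfix_count == len(info.hotfixes)

def missing_hotfixes(info, required):
    """KBs from `required` (a list you supply) that the host does not report as installed."""
    installed = set(info.hotfixes)
    return sorted(kb.upper() for kb in required if kb.upper() not in installed)

def read_systeminfo(path):
    """`systeminfo > file` is OEM code page under cmd.exe but UTF-16LE (with BOM) under Windows PowerShell."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")

if __name__ == "__main__":
    text = read_systeminfo(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SYSTEMINFO
    host = parse_systeminfo(text)
    print(f"{host.host_name}: {host.os_name} build {host.build} ({host.arch})")
    print(f"{len(host.hotfixes)} hotfixes listed, consistent={hotfix_list_consistent(host)}")
    # KB5999999 is a placeholder, not a real update: it only exercises the diff logic.
    print("missing:", missing_hotfixes(host, ["KB5003791", "KB5999999"]))
```

Run it as `python3 parse_systeminfo.py systeminfo.txt`; a False from hotfix_list_consistent usually means the redirect was cut short or the file was read with the wrong encoding, and the KB list passed to wes.py would be incomplete.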

PowerShell Windows Exploit Tools

Search DIRECTORY recursively for files whose contents match STRING (use $_.FullName so Select-String gets the full path regardless of which directory the match sits in):

ls -r c:\PATH\TO\DIRECTORY -File -ErrorAction SilentlyContinue | % {Select-String -Path $_.FullName -Pattern STRING}

CMD.exe Windows Exploit Tools

Configure a Windows machine as a WPA2-PSK Access Point (hosted network; needs an elevated prompt and a wireless driver that supports hosted networks)

netsh wlan set hostednetwork mode=allow ssid=<MYSSID> key=<MYPASSWORD> && netsh wlan start hostednetwork

Configure a TCP port-forwarding relay that listens on an IPv4 port and forwards to an IPv6 host (use v4tov4 for an IPv4 target; `netsh interface portproxy show all` lists active relays)

netsh interface portproxy add v4tov6 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>

Map a remote administrative share (c$ requires administrative rights on the remote host; pass credentials explicitly with /user if the current token will not do)

net use X: \\<IP_Address>\c$ /user:<Domain>\<UserName> <Password>

Add New User to Current Host

net user <UserName> <Password> /add

Add User to Local Admin Group

net localgroup Administrators <UserName> /add

Enumerate files under c:\ whose ACLs grant <UserName> access (/t recurses, /c continues past errors, /l operates on symbolic links rather than their targets)

icacls c:\* /findsid <UserName> /t /c /l

Python

Python Web Client: download a file/webpage to a local file (relative path so it works from an unprivileged shell)

python3 -c "import urllib.request; urllib.request.urlretrieve('http://google.com', 'google.html')"

Python Web Server: serve the current directory on port 8000

python3 -m http.server 8000

Privilege Escalation

  • wesng (Windows Exploit Suggester): https://github.com/bitsadmin/wesng (missing-patch check, see above)

  • PowerUp (PowerSploit): PowerShell checks for local privilege-escalation misconfigurations such as unquoted service paths, writable service binaries and modifiable registry autoruns (Invoke-AllChecks runs them all)

  • Metasploit bypassuac local exploit modules (exploit/windows/local/bypassuac*): User Account Control bypass to take a medium-integrity session belonging to a local admin to high integrity

Password Tools

  • pwdump: dumps the local SAM password hashes in user:RID:LM hash:NT hash::: format

  • cachedump: dumps cached domain logon credentials (MSCache/DCC hashes)

  • lsadump: dumps LSA secrets (service account passwords, auto-logon credentials)

  • metasploit's psexec_psh: PowerShell-based variant of psexec for getting a session with captured credentials or hashes

  • load kiwi: loads the Mimikatz extension into a Meterpreter session; creds_wdigest then pulls WDigest credentials from LSASS (creds_all dumps every supported credential type)

  • https://github.com/gentilkiwi/mimikatz
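pwdump, Metasploit's hashdump and Mimikatz's SAM dumps all hand back lines in the user:RID:LM hash:NT hash::: format, and the first thing to do with them is triage, not cracking: accounts with a blank password, accounts that still store an LM hash, and accounts that share an NT hash (same password, so one pass-the-hash or one cracked password covers all of them). The following is an added example, not code from any of the tools listed above, that parses that format and reports those three conditions. The dump is constructed; apart from the well-known empty-string LM and NT hashes, the hex values are placeholders and not hashes of any real password.

```python
from collections import defaultdict

# Hash of the empty string in each algorithm: a stored LM value of EMPTY_LM means
# "no LM hash kept", an NT value of EMPTY_NT means the account has a blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
NO_LM_MARKER = "NO PASSWORD*********************"  # placeholder some dumpers emit instead of EMPTY_LM

# Constructed sample in pwdump format (user:RID:LM:NT:::). Apart from the two
# empty-string hashes, the hex values are placeholders, not real password hashes.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
helpdesk:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
legacy_app:1002:fedcba9876543210fedcba9876543210:89abcdef0123456789abcdef01234567:::
WS01$:1003:aad3b435b51404eeaad3b435b51404ee:0fedcba9876543210fedcba987654321:::
"""

def parse_pwdump(text):
    """Parse user:RID:LM:NT::: lines; blank lines, comments and malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        records.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
            "machine": parts[0].endswith("$"),   # computer accounts have random long passwords
        })
    return records

def has_lm_hash(rec):
    """True when a real (crackable) LM hash is stored rather than the empty value or a placeholder."""
    return rec["lm"] not in (EMPTY_LM, NO_LM_MARKER.lower(), "")

def triage(records):
    """Return (user, finding) pairs worth acting on before any cracking starts."""
    findings = []
    by_nt = defaultdict(list)
    for rec in records:
        if rec["nt"] == EMPTY_NT:
            findings.append((rec["user"], "blank password (empty NT hash)"))
        if has_lm_hash(rec):
            findings.append((rec["user"], "LM hash stored (crackable)"))
        if not rec["machine"] and rec["nt"] != EMPTY_NT:
            by_nt[rec["nt"]].append(rec["user"])
    # Identical NT hashes mean identical passwords: one cracked or passed hash
    # opens every account in the group.
    for users in by_nt.values():
        if len(users) > 1:
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings.append((u, f"NT hash shared with {others}"))
    return findings

if __name__ == "__main__":
    for user, finding in triage(parse_pwdump(SAMPLE_DUMP)):
        print(f"{user}: {finding}")
```

Feed it a real dump with `python3 triage_hashes.py < hashes.txt` after swapping SAMPLE_DUMP for sys.stdin.read(); the shared-hash check is the one that most often pays off, since a local Administrator hash reused across workstations is exactly what psexec_psh needs.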