windows
tools
- bloodhound
- nishang - offensive powershell for red team, penetration testing and offensive security.
- snmpwalk
- hydra - bruteforce logins
  - slow to avoid timeouts, so you want smaller password lists
- enum4linux - null session enumeration
- crackmapexec - grab plaintext passwords out of memory
- responder - dns spoofing tool
- bettercap - arp spoofing
notes
- smb (server message block) for inter-node communication
- domain controllers: 53 (dns), 88 (kerberos), 389 (ldap), 3389 (rdp)
- kerberoasting
- null session - anonymous
  - connect with empty username and password
- ntlm
- getting SYSTEM is a higher privilege level than local admin
- psexec - https://ss64.com/nt/psexec