Misc Snippets
Running tools from Non-Domain Joined Machines
Note
Tools may require additional environment variables, parameters and so on to be set. You may also have DNS issues if your routing is not set up properly.
Warning
The initial command does not check whether the credentials are valid. They are only checked when another tool authenticates over the network.
# Create a powershell instance running as the DOMAIN\USER account
runas /netonly /user:DOMAIN\USER "powershell.exe -exec bypass"
# check that the credentials are valid, for example by listing a share you know is open and readable
ls \\<domain-controller>\SYSVOL\
# run commands that will make network communications
Enter-PSSession -ComputerName ...
Sharphound.exe
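Detection is the other side of this procedure. As an added example (not part of the original notes), the following Python flags the local artefacts a `runas /netonly` logon leaves behind: a 4624 event with logon type 9 (NewCredentials) and logon process `seclogo`, and, where command-line auditing is enabled, a 4688 for `runas.exe` containing `/netonly`. The log lines are constructed samples in a simplified `key=value` form, not real Windows event XML.

```python
from typing import Dict, List

# Constructed sample Security log lines, flattened to "key=value;key=value" for this example.
# Field names follow the Windows Security event schema; hosts, users and paths are made up.
SAMPLE_EVENTS = [
    "EventID=4624;LogonType=2;LogonProcessName=User32;AuthenticationPackageName=Negotiate;"
    "TargetUserName=alice;TargetDomainName=WS01",
    # runas /netonly clones the caller's token: the local 4624 names the *local* user (alice),
    # not the supplied domain account, and it fires whether or not those credentials are valid.
    "EventID=4624;LogonType=9;LogonProcessName=seclogo;AuthenticationPackageName=Negotiate;"
    "TargetUserName=alice;TargetDomainName=WS01",
    "EventID=4624;LogonType=3;LogonProcessName=NtLmSsp;AuthenticationPackageName=NTLM;"
    "TargetUserName=svc_backup;TargetDomainName=CORP",
    # 4688 only carries CommandLine when "Include command line in process creation events" is on.
    "EventID=4688;NewProcessName=C:\\Windows\\System32\\runas.exe;"
    "CommandLine=runas /netonly /user:CORP\\jdoe powershell.exe",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into a field dict (values may contain spaces)."""
    fields = {}
    for part in line.split(";"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def flag_netonly_logons(lines: List[str]) -> List[Dict[str, str]]:
    """Return 4624 events consistent with runas /netonly: NewCredentials (type 9) via seclogo.

    Type 9 logons are also produced by legitimate administration tooling, so treat hits as
    triage leads to correlate with the remote side (type 3 logons / 4776 on the DC), not verdicts.
    """
    hits = []
    for ev in map(parse_event, lines):
        if (ev.get("EventID") == "4624" and ev.get("LogonType") == "9"
                and ev.get("LogonProcessName", "").lower() == "seclogo"):
            hits.append(ev)
    return hits


def flag_runas_netonly_processes(lines: List[str]) -> List[Dict[str, str]]:
    """Return 4688 events where runas.exe was started with the /netonly switch."""
    hits = []
    for ev in map(parse_event, lines):
        if (ev.get("EventID") == "4688"
                and ev.get("NewProcessName", "").lower().endswith("\\runas.exe")
                and "/netonly" in ev.get("CommandLine", "").lower()):
            hits.append(ev)
    return hits
```

Because the local 4624 never shows the alternate account, pair these hits with the authentication events on the target host or domain controller to learn which credentials were actually used.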
Other useful commands
Windows
# Windows useful commands
# list named pipes
ls \\.\pipe\
# find all shares on a remote host, list a share's contents and read a file on a share
net view \\10.10.10.10 /all
Get-SmbShare -CimSession "10.10.10.10" -IncludeHidden
ls \\10.10.10.10\SYSVOL\
cat \\10.10.10.10\public\asdf.txt
# shares on the local machine
net share
Get-SMBShare -IncludeHidden
Linux
# quick way to get the IPs of all domain computers from a list of hostnames
# replace 10.10.10.10 with the DNS server (most likely the domain controller)
# +tcp is required: proxychains only relays TCP, so UDP DNS queries would bypass the proxy
proxychains4 -q bash -c 'while read -r computer; do dig +noall +answer +tcp @10.10.10.10 "$computer"; done < computers.txt' | tee dig-computers.txt