Pentesting-Tools

PS-Remoting Setup

PowerShell Remoting Setup Between Two Windows Machines

This guide walks you through setting up PowerShell Remoting between two Windows machines (attacker and target) in a non-domain (workgroup) environment. It covers user creation, enabling remoting, setting TrustedHosts, and allowing unencrypted traffic — ideal for labs.

On the Target Machine
1. Create a New Local User
2. […]

Responder

Responder: Capturing Credentials Like a Network Bandit

Responder is a powerful LLMNR, NBT-NS, and MDNS poisoner designed for internal network attacks. It listens on a network interface and responds to broadcast name resolution requests, tricking machines into sending authentication attempts to the attacker’s machine — often handing over NTLMv1/v2 hashes or even clear-text creds if

NetExec

NetExec: NetExec (formerly known as CrackMapExec or CME) is a powerful post-exploitation framework used by penetration testers and red teamers to automate the enumeration and exploitation of network protocols, particularly in Active Directory environments. It’s the tool you reach for when you have credentials and want to move fast — from validating access to enumerating

CMSmap

CMSmap: Enumerating WordPress, Joomla, and Drupal Like a Pro

When you’re testing a Content Management System (CMS) like WordPress, Joomla, or Drupal, your recon needs to go deeper than default credentials and login forms. This is where CMSmap comes in. It’s a Python-based scanner designed specifically for enumerating and testing known vulnerabilities in popular CMS

xfreerdp

XFreeRDP: Access with and without Passwords

xfreerdp is a powerful, flexible Remote Desktop Protocol (RDP) client for Linux that supports both password-based and Pass-the-Hash authentication. It’s a go-to tool when you’ve popped Windows credentials during an internal engagement.

Basic Syntax
Example:
Domain User Authentication
When authenticating as a domain user:
Example:
Alternatively:
Pass-the-Hash (PtH) with

SSH

Mastering SSH: Keys, Tunnels, and Pivoting

SSH (Secure Shell) is a foundational protocol for managing and accessing remote systems. For pentesters, it’s not just about logging in — it’s a powerful tool for pivoting, tunneling, and stealthy movement across networks. This post covers everything you need to know about SSH during an engagement: finding keys,

nmblookup

Nmblookup: NetBIOS Name Resolution in Action

When you’re dealing with older Windows environments or internal networks, NetBIOS name resolution can still be in play. One lightweight tool for this is nmblookup, which lets you perform NetBIOS queries to identify hosts, workgroups, and domain names—especially when DNS isn’t available or reliable. This post breaks down: What

enum4linux

Enum4linux: SMB Enumeration for Pentesters

When you come across an SMB service on a target, enum4linux is one of your go-to tools for fast and detailed enumeration. It’s basically a wrapper around smbclient, rpcclient, net, and nmblookup, automating the dirty work of probing Windows shares and services. This post will cover: What is enum4linux? enum4linux
