sinfulz / JustGetDA

JustGetDA, a cheat sheet which will aid you through internal network & red team engagements.




AD Mindmap

(Image: Active Directory attack mindmap; the full-size version is in the repository.) Credit: mayfly (@M4yFly) & viking (@Vikingfr)

Privilege Escalations

The privilege escalation sections below are inspired by:

Local Privilege Escalation:

Domain Privilege Escalation:


Quick check for AD CS from a domain-joined host (lists the enterprise CAs and pings the one you select): `certutil -config - -ping`

How to get Domain Controller (including the Primary Domain Controller emulator) info with dig. Windows publishes its service-location records under `_msdcs.<domain>`; query them against a DC or any DNS server hosting the AD zone (`<dc-ip>` and `<domain>` are placeholders):

How to find a DC:
`dig @<dc-ip> _ldap._tcp.dc._msdcs.<domain> SRV`

How to find the PDC:
`dig @<dc-ip> _ldap._tcp.pdc._msdcs.<domain> SRV`
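The two dig queries above are instances of the same mechanism Windows clients use to locate domain services. The block below is an added example, not code from the cheat sheet: it builds the well-known `_msdcs` SRV names for several roles (the `dc` and `pdc` entries are the ones queried above; `gc` and `kdc` are added) and ranks a `dig +short` answer the way a client would (RFC 2782: lowest priority first, then highest weight). The answer text is a constructed sample, and `corp.local` is a placeholder domain.

```python
"""Build the _msdcs SRV names Windows uses to locate DCs and rank the answers.

Added example, not part of the JustGetDA cheat sheet. The dig answer below is
a constructed sample in `dig +short` format (priority weight port target).
"""
from dataclasses import dataclass

# Well-known service-location records (the 'dc' and 'pdc' ones are what the
# two dig commands above query; 'gc' and 'kdc' follow the same scheme).
ROLES = {
    "dc":  "_ldap._tcp.dc._msdcs.{domain}",      # any domain controller
    "pdc": "_ldap._tcp.pdc._msdcs.{domain}",     # the PDC emulator
    "gc":  "_ldap._tcp.gc._msdcs.{domain}",      # global catalog servers
    "kdc": "_kerberos._tcp.dc._msdcs.{domain}",  # Kerberos KDCs (port 88)
}


def srv_name(role: str, domain: str) -> str:
    """Return the SRV owner name to query for a role, e.g. for `dig ... SRV`."""
    return ROLES[role].format(domain=domain.strip().rstrip(".").lower())


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_dig_short(answer: str) -> list:
    """Parse `dig +short` SRV output; lowest priority first, then highest weight."""
    records = []
    for line in answer.splitlines():
        parts = line.split()
        if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
            continue  # skip blank lines and anything that is not SRV RDATA
        prio, weight, port, target = parts
        records.append(SrvRecord(int(prio), int(weight), int(port),
                                 target.rstrip(".").lower()))
    # RFC 2782 selection order: lower priority wins, higher weight is preferred
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))


def preferred_targets(answer: str) -> list:
    """host:port list in the order a client would try them."""
    return [f"{r.target}:{r.port}" for r in parse_dig_short(answer)]


# Constructed sample answer: two equal DCs and a lower-preference branch DC.
SAMPLE_DC_ANSWER = """\
0 100 389 dc02.corp.local.
0 100 389 dc01.corp.local.
10 50 389 dc-branch.corp.local.
"""

if __name__ == "__main__":
    for role in ROLES:
        print(f"dig @<dc-ip> {srv_name(role, 'corp.local')} SRV +short")
    print(preferred_targets(SAMPLE_DC_ANSWER))
```

Feed the real answer in with `dig @<dc-ip> "$(python3 -c '...')" SRV +short` or simply paste it; the ordering matters when the first DC you pick happens to be a read-only DC or in a far site, which an unranked list hides.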

Tools I use:

Password Auditing:

  • DPAT

Domain Auditing:

  • WinPwn
  • ADRecon (WinPwn includes ADRecon's functionality)
  • Group3r
  • Snaffler (Windows)
  • MANSPIDER (Linux)

Password Spraying externally:

  • CredMaster
  • adfsbrute
  • ADFSpray
  • o365spray
  • MSOLSpray
  • Spray365

Password Spraying internally:

  • Spray
  • TheSprayer
  • DomainPasswordSpray
  • Kerbrute
  • Metasploit
  • CrackMapExec
  • CredNinja


Relaying:

  • KrbRelay
  • KrbRelayUp
  • NTLMRelayX


Poisoning / Man-in-the-Middle:

  • Responder
  • mitm6
  • RITM
  • RoastInTheMiddle


Authentication Coercion:

  • DFScoerce
  • PetitPotam
  • ShadowCoerce
  • Coercer

My Internal Pentest Methodology

Physical Access (not always in scope / part of an internal pentest)

One can get into a workstation / server via a few methods:

  • Offline NT Password & Registry Editor / chntpw
  • Kon-Boot

External Reconnaissance

A client may place you on the internal network from a Kali VM positioned somewhere within their estate. Without domain credentials there is not much one can do directly, so tools like the following are useful for gathering usernames / email addresses from public sources:

  • Weakest Link (browser extension)
  • theHarvester
  • FOCA


Once usernames / email addresses are obtained from the above step, spray a few likely passwords across the network in the hope of compromising weak domain credentials, staying under the account lockout threshold, using the following tools:

  • SprayingToolkit (atomizer)
  • kerbrute
  • auxiliary/scanner/smb/smb_login (Metasploit)
  • MailSniper

Internal Reconnaissance

Keep passive tools such as Responder running in the background for the whole engagement, even once domain credentials have been compromised; every extra listener is another source of hashes and relay opportunities. Recommended internal reconnaissance tools are the following:

  • Responder: `Responder -I eth0` (poisons LLMNR/NBT-NS/mDNS and captures NetNTLM challenge-responses for offline cracking)
  • Responder with NTLMRelayX: `ntlmrelayx.py -t <target>` relays the captured authentication to hosts where SMB signing is not required; turn Responder's own SMB and HTTP servers off in Responder.conf first so ntlmrelayx can bind those ports

Checking Access

If credentials (or just NT hashes) are compromised, use them to authenticate to a machine with the following commands (`<target>`, `<lmhash>` and `<nthash>` are placeholders; pass-the-hash wants the NT hash, given as LM:NT where noted):

  • `crackmapexec smb <target> -u Administrator -H <nthash> --lsa` (needs local admin on the target; dumps LSA secrets)
  • `pth-winexe -U Administrator%<lmhash>:<nthash> //<target> cmd`
  • `-hashes :<nthash> administrator@<target> cmd` (Impacket `-hashes LM:NT` syntax; leaving the LM half empty is fine)
  • `xfreerdp /u:administrator /d:test.local /pth:<nthash> /v:<target>` (RDP pass-the-hash only works when Restricted Admin mode is enabled on the target)

Credential Harvesting

From here one can dump LSA secrets, the SAM and LSASS memory on every host the credentials reach. Hopefully a DA account (or a hash or ticket for one) turns up along the way and the domain is pwned.

< Adding more fine grained methods soon >

To be modified

  1. Domain Enumeration:
  • enum4linux
  • ADRecon
  • PingCastle
  • BloodHound
  2. Sniffing Traffic:
  • Responder
    • NTLMRelayX
  • Invoke-Inveigh
  • Pretender
  • mitm6
  3. Password spraying (internally):
  • crackmapexec
  • smb_login (from Metasploit)
  • kerbrute
  • TheSprayer
  • DomainPasswordSpray (PS1 script)
  • and many more
  Password spraying (externally):
  • ruler
  • SprayingToolkit
  • MailSniper
  • use auxiliary/scanner/http/owa_login
  • use auxiliary/scanner/http/owa_ews_login
  • DomainPasswordSpray
  4. Enumeration:
  • PowerView
  • SharpHound
  • pywerview
  • BloodHound
  5. DCSync / Dump NTDS:
  • secretsdump
  • VSSAdmin
  • ntdsutil.exe
  • CME
  • mimikatz
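A DCSync or NTDS dump is only a finding once it has been analysed, which is what DPAT (under "Password Auditing" above) is for. The block below is an added example, not code from the cheat sheet or from DPAT: it parses Impacket secretsdump lines (`DOMAIN\user:RID:LMHASH:NTHASH:::`), skips banners, Kerberos-key lines and machine accounts, and reports the things a tester writes up first: empty passwords, LM hashes still stored, NT hash reuse, and accounts sharing the built-in Administrator's hash. The dump is constructed sample data; apart from the two well-known empty-password hashes and the NT hash of "password", every hash in it is made up.

```python
"""Triage a secretsdump / DCSync NTDS dump for weak-credential findings.

Added example, not code from the cheat sheet or from DPAT. Input is the
Impacket secretsdump line format  DOMAIN\\user:RID:LMHASH:NTHASH:::  and the
dump below is constructed sample data (made-up hashes except the two
empty-password constants and the NT hash of "password").
"""
from collections import defaultdict
from typing import Dict, List, Tuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

# Constructed sample dump: banner, hash lines, a machine account, a Kerberos key line.
SAMPLE_DUMP = r"""
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
corp.local\Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
corp.local\krbtgt:502:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
corp.local\svc_backup:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
corp.local\legacy_app:1106:0f5e5f6e3c4d2b1a0f5e5f6e3c4d2b1a:fedcba9876543210fedcba9876543210:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
corp.local\Administrator:aes256-cts-hmac-sha1-96:00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff
"""


def parse_dump(text: str) -> List[Tuple[str, int, str, str]]:
    """Return (account, rid, lmhash, nthash) for NTDS hash lines only."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue                      # secretsdump status/banner lines
        parts = line.split(":")
        if len(parts) != 7 or not parts[1].isdigit():
            continue                      # aes/des key lines and anything malformed
        account, rid, lm, nt = parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()
        rows.append((account, rid, lm, nt))
    return rows


def triage(text: str) -> Dict[str, object]:
    """Summarise the dump the way an auditor would start a findings list."""
    users = [r for r in parse_dump(text) if not r[0].endswith("$")]  # drop machine accounts
    by_nt: Dict[str, List[str]] = defaultdict(list)
    for account, _rid, _lm, nt in users:
        by_nt[nt].append(account)
    admin_nt = {nt for _a, rid, _lm, nt in users if rid == 500}     # built-in Administrator
    return {
        "accounts": len(users),
        "empty_password": sorted(a for a, _r, _l, nt in users if nt == EMPTY_NT),
        "lm_hash_stored": sorted(a for a, _r, lm, _n in users if lm != EMPTY_LM),
        "shared_nt_hash": {nt: sorted(accts) for nt, accts in by_nt.items() if len(accts) > 1},
        "shares_builtin_admin_hash": sorted(
            a for a, rid, _l, nt in users if nt in admin_nt and rid != 500),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

Run it as `python3 triage.py < ntds.dit.ntds` after swapping `SAMPLE_DUMP` for `sys.stdin.read()`; the `shared_nt_hash` groups are also the quickest way to see which service accounts fall with a single cracked password.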

