-
The first two fields in /etc/shadow denotes the username and password hash. For users with second field as * or !, the remote access is not allowed.
-
/etc/passwd is prefered over /etc/shadow for authentication if password hash is available in passwd file.
-
Ports below 1024 requires admin/root priveleges to create listener.
-
Ensure to get & set execution policy if running powershell commands
Set-ExecutionPolicy UnrestrictedandGet-ExecutionPolicy -
When using public exploits, make sure the return address, shellcode and other key components are modified according to the needs.
-
To change the admin user's password, we must switch to a high integrity command prompt. Otherwise, it will fail even if we are logged in as an administrative user.
-
NTLM/LM password hashes are not salted(no timestamp either) and remain static between sessions making pass-the-hash attacks possible.
-
TGT can only be used on the machine it was created for, but the TGS potentially offers more flexibility.
-
The user and group permissions in TGS are not verified by the application. It blindly trusts it.