PR Guidelines + User Hunting + HopLa Configuration

CONTRIBUTING.md

@@ -5,6 +5,19 @@ Feel free to improve with your payloads and techniques !
 
 You can also contribute with a :beers: IRL, or using the sponsor button.
 
+## Pull Requests Guidelines
+
+In order to provide the safest payloads for the community, the following rules must be followed for **every** Pull Request.
+
+- Payloads must be sanitized
+  - Use `id`, and `whoami`, for RCE Proof of Concepts
+  - Use `[REDACTED]` when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc.
+  - Use `10.10.10.10` and `10.10.10.11` when the payload require IP addresses
+  - Use `Administrator` for privileged users and `User` for normal account
+  - Use `P@ssw0rd`, `Password123`, `password` as default passwords for your examples
+  - Prefer commonly used name for machines such as `DC01`, `EXCHANGE01`, `WORKSTATION01`, etc
+- References must have an `author`, a `title` and a `link`. The `date` is not mandatory but appreciated :)
+
 ## Techniques Folder
 
 Every section should contains the following files, you can use the `_template_vuln` folder to create a new technique folder:
@@ -40,6 +53,10 @@ Use the following example to create a new technique `README.md` file.
 
 Quick explanation
 
+### Subentry 1
+
+Something about the subentry 1
+
 ## References
 
 - [Blog title - Author, Date](https://example.com)

Methodology and Resources/Active Directory Attack.md

@@ -40,6 +40,7 @@
       - [Using Mimikatz DCSync](#using-mimikatz-dcsync)
       - [Using Mimikatz sekurlsa](#using-mimikatz-sekurlsa)
       - [Crack NTLM hashes with hashcat](#crack-ntlm-hashes-with-hashcat)
+    - [User Hunting](#user-hunting)
     - [Password spraying](#password-spraying)
       - [Kerberos pre-auth bruteforcing](#kerberos-pre-auth-bruteforcing)
       - [Spray a pre-generated passwords list](#spray-a-pre-generated-passwords-list)
@@ -401,7 +402,7 @@ Replace the customqueries.json file located at `/home/username/.config/bloodhoun
   #Find local admins on all machines of the domain:
   Invoke-EnumerateLocalAdmin -Verbose
 
-  #Find computers were a Domain Admin OR a spesified user has a session
+  #Find computers were a Domain Admin OR a specified user has a session
   Invoke-UserHunter
   Invoke-UserHunter -GroupName "RDPUsers"
   Invoke-UserHunter -Stealth
@@ -1294,6 +1295,32 @@ $ python2 maskgen.py hashcat.mask --targettime 3600 --optindex -q -o hashcat_1H.
 - [crackstation.net](https://crackstation.net)
 - [hashes.com](https://hashes.com/en/decrypt/hash)
 
+### User Hunting
+
+Sometimes you need to find a machine where a specific user is logged in.    
+You can remotely query every machines on the network to get a list of the users's sessions.
+
+* CrackMapExec
+  ```ps1
+  cme smb 10.10.10.0/24 -u Administrator -p 'P@ssw0rd' --sessions
+  SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  [+] Enumerated sessions
+  SMB         10.10.10.10    445    WIN-8OJFTLMU1IG  \\10.10.10.10            User:Administrator
+  ```
+* Impacket Smbclient
+  ```ps1
+  $ impacket-smbclient Administrator@10.10.10.10
+  # who
+  host:  \\10.10.10.10, user: Administrator, active:     1, idle:     0
+  ```
+* PowerView Invoke-UserHunter
+  ```ps1
+  # Find computers were a Domain Admin OR a specified user has a session
+  Invoke-UserHunter
+  Invoke-UserHunter -GroupName "RDPUsers"
+  Invoke-UserHunter -Stealth
+  ```
+
+
 ### Password spraying
 
 Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password. 

README.md

@@ -50,7 +50,7 @@ You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheT
 
 👨‍💻 Contributions
 -----
-
+Be sure to read [CONTRIBUTING.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CONTRIBUTING.md)
 
 <p align="center">
 <a href="https://github.com/swisskyrepo/PayloadsAllTheThings/graphs/contributors">