Disclaimer: This material is provided for educational purposes and authorized security testing only. You are solely responsible for how you use the information. Do not use these techniques on systems without explicit permission from the owner. We do not encourage any kind of illegal or harmful activity.
Using CrackMapExec (CME)
All of the commands below authenticate over SMB with a single set of domain credentials. Enumerating users, groups and shares works with an ordinary domain account; enumerating logged-on users requires local administrator rights on the target.
- Enumerate domain users:
  sudo crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p [PASSWORD] --users
- Enumerate domain groups:
  sudo crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p [PASSWORD] --groups
- Enumerate logged-on users (needs local admin on the target):
  sudo crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p [PASSWORD] --loggedon-users
- Enumerate shares and the READ/WRITE permissions the account has on each:
  sudo crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p [PASSWORD] --shares
- Enumerate shares recursively (spider_plus module). It walks every share the account can read and writes a JSON inventory of the files it finds to disk; restrict it to one share with --share:
  sudo crackmapexec smb [IP-ADDRESS] -u [USERNAME] -p [PASSWORD] -M spider_plus --share [SHARE]
Using SMBMap
- Check access (lists every share and whether the account has READ or READ, WRITE on it):
  smbmap -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -H [IP-ADDRESS]
- Recursively list all directories in one share (-R recurses, --dir-only suppresses file names; quote share names that contain spaces):
  smbmap -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -H [IP-ADDRESS] -R 'Department Shares' --dir-only
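The CME `--shares` and SMBMap steps above produce a table you usually have to read by eye. The following POSIX shell helper is an added example (not code from the original page, CrackMapExec or SMBMap): it parses the share table that `crackmapexec smb ... --shares` prints, separates readable from writable shares while keeping share names that contain spaces intact (such as 'Department Shares'), and builds the matching SMBMap `-R ... --dir-only` follow-up for each writable share. The column layout is an assumption based on CME's usual "Share / Permissions / Remark" table, and the sample output (host DC01, domain corp.local, user jdoe) is constructed for the example, not captured from a real target.

```shell
#!/bin/sh
# Added example: parse `crackmapexec smb ... --shares` output and pick out the
# shares the supplied account can actually read or write.
# ASSUMPTION: CME prints one line per share as
#   SMB  <ip>  <port>  <host>  <share name...>  <READ|WRITE|READ,WRITE>  <remark...>
# Check this against the version you run before relying on the parser.

# Constructed sample output standing in for a real `--shares` run (not a real
# target; the host, domain, user and shares are invented for the example).
sample_cme_shares() {
cat <<'EOF'
SMB         10.10.10.5      445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.5      445    DC01             [+] corp.local\jdoe:Password1
SMB         10.10.10.5      445    DC01             [*] Enumerated shares
SMB         10.10.10.5      445    DC01             Share           Permissions     Remark
SMB         10.10.10.5      445    DC01             -----           -----------     ------
SMB         10.10.10.5      445    DC01             ADMIN$                          Remote Admin
SMB         10.10.10.5      445    DC01             C$                              Default share
SMB         10.10.10.5      445    DC01             Department Shares READ,WRITE
SMB         10.10.10.5      445    DC01             IPC$            READ            Remote IPC
SMB         10.10.10.5      445    DC01             NETLOGON        READ            Logon server share
SMB         10.10.10.5      445    DC01             SYSVOL          READ            Logon server share
EOF
}

# Read CME output on stdin; print "PERMS<TAB>SHARE" for every share with access.
# Columns 1-4 are SMB/ip/port/host, so the share name starts at field 5 and runs
# up to the first READ / WRITE / READ,WRITE token. Shares the account cannot
# access (ADMIN$, C$ above) have no permissions token and are skipped, as are
# the banner, header and separator lines.
cme_parse_shares() {
    awk '
        $1 == "SMB" && NF >= 6 {
            for (i = 6; i <= NF; i++) {
                if ($i == "READ" || $i == "WRITE" || $i == "READ,WRITE") {
                    name = $5
                    for (j = 6; j < i; j++) name = name " " $j
                    printf "%s\t%s\n", $i, name
                    break
                }
            }
        }'
}

# Share names the account can read (READ or READ,WRITE), one per line.
readable_shares() {
    cme_parse_shares | awk -F'\t' '{ print $2 }'
}

# Share names the account can write to, one per line. Writable shares are the
# ones worth spidering first: dropped files there may be executed by others.
writable_shares() {
    cme_parse_shares | awk -F'\t' '$1 ~ /WRITE/ { print $2 }'
}

# Build the SMBMap recursive directory listing for one share. Every argument is
# single-quoted so share names with spaces survive as one -R value.
# Arguments: user password domain host share
smbmap_listing_cmd() {
    printf "smbmap -u '%s' -p '%s' -d '%s' -H '%s' -R '%s' --dir-only\n" \
        "$1" "$2" "$3" "$4" "$5"
}

# Stand-alone demo on the constructed sample: for every writable share, print
# the SMBMap command you would run next. Replace sample_cme_shares with
# `crackmapexec smb ... --shares` to use it on real output.
sample_cme_shares | writable_shares | while IFS= read -r share; do
    smbmap_listing_cmd jdoe Password1 corp.local 10.10.10.5 "$share"
done
```

In practice you would pipe a saved CME run into `cme_parse_shares` (for example `crackmapexec smb 10.10.10.5 -u jdoe -p Password1 --shares | tee shares.txt | writable_shares`), then feed the writable list into the spider_plus or SMBMap step.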
Using Windapsearch
Windapsearch queries the domain controller over LDAP, so it only needs valid domain credentials, not admin rights.
- Enumerate Domain Admins (members of the Domain Admins group):
  python3 windapsearch.py --dc-ip [IP_ADDRESS] -u [USERNAME]@[DOMAIN] -p [PASSWORD] --da
- Enumerate privileged users (members of privileged groups, including nested membership):
  python3 windapsearch.py --dc-ip [IP_ADDRESS] -u [USERNAME]@[DOMAIN] -p [PASSWORD] -PU
Using BloodHound
- Collect data with BloodHound.py (-ns points name resolution at the domain controller; -c all runs every collection method, including session and logged-on-user collection, which connects to every host in the domain and is correspondingly noisy):
  sudo bloodhound-python -u '[USERNAME]' -p '[PASSWORD]' -ns [IP-ADDRESS] -d [DOMAIN] -c all
  Example:
  /opt/Windows/BloodHound_Python/bloodhound.py -d hutch.offsec -u fmcsorley -p CrabSharkJellyfish192 -c all -ns 192.168.219.122
- Start the Neo4j service (on a fresh install the database login is neo4j/neo4j and must be changed on first connection):
  sudo neo4j start
- Start the BloodHound GUI, log in to Neo4j, then upload the JSON/ZIP files the collector produced:
  bloodhound
Using Impacket (psexec.py / wmiexec.py)
Both tools need local administrator rights on the target. psexec.py uploads a service binary to the ADMIN$ share and registers a new service, which leaves a service-creation event on the host; wmiexec.py executes through WMI without creating a service and is the quieter of the two, although it still writes command output to ADMIN$ by default.
- Remote command execution with PsExec:
  psexec.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]
- Remote command execution with WMIExec:
  wmiexec.py [DOMAIN]/[USERNAME]:[PASSWORD]@[IP-ADDRESS]