Credentialed Enumeration

xfreerdp

Command:

xfreerdp /u:forend@inlanefreight.local /p:Klmcargo2 /v:172.16.5.25

Description: Connects to a Windows target over RDP using valid credentials. Performed from a Linux-based host.

crackmapexec (Users)

Command:

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users

Description: Authenticates with a Windows target over SMB using valid credentials and attempts to discover more users in a target Windows domain. Performed from a Linux-based host.

crackmapexec (Groups)

Command:

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups

Description: Authenticates with a Windows target over SMB using valid credentials and attempts to discover groups in a target Windows domain. Performed from a Linux-based host.

crackmapexec (Logged-on Users)

Command:

sudo crackmapexec smb 172.16.5.125 -u forend -p Klmcargo2 --loggedon-users

Description: Authenticates with a Windows target over SMB using valid credentials and lists the users currently logged on to the target Windows host. Performed from a Linux-based host.

crackmapexec (Shares)

Command:

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --shares

Description: Authenticates with a Windows target over SMB using valid credentials and attempts to discover any SMB shares. Performed from a Linux-based host.

crackmapexec (Spider Plus)

Command:

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share Dev-share

Description: Authenticates with a Windows target over SMB using valid credentials and uses the CrackMapExec module spider_plus to list all readable files in the specified share. The results are written out as JSON. Performed from a Linux-based host.

smbmap (Shares & Permissions)

Command:

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5

Description: Authenticates to the target with valid domain credentials and lists the shares on the host together with the permissions the supplied account has on each of them. Performed from a Linux-based host.

smbmap (Recursive Listing)

Command:

smbmap -u forend -p Klmcargo2 -d INLANEFREIGHT.LOCAL -H 172.16.5.5 -R SYSVOL --dir-only

Description: Authenticates to the target with valid domain credentials and performs a recursive listing of the specified share, printing only directories. Performed from a Linux-based host.
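The share and group enumeration commands above (crackmapexec --shares, --groups, spider_plus, smbmap) have a distinctive footprint on the target: one account, from one source host, touches many shares and enumerates many groups within a few seconds. The following Python example is added here as the defender's counterpart; it is not part of the original cheat sheet or of any tool listed on it. It parses constructed, simplified Security-log records (the CSV shape and the IPs are constructed; the event IDs 4624, 5145 and 4799 are the real Windows Security event IDs for network logon, detailed file share access and local group membership enumeration) and flags any source/account pair that crosses a share or group count threshold.

```python
"""Flag bursts of SMB share / group enumeration from a single source.

Added example for this cheat sheet; not part of the original page or of
any of the tools it lists. Records are a constructed, simplified CSV:
timestamp,event_id,source_ip,account,target
Event IDs used: 4624 (successful logon), 5145 (detailed file share
access, target = share), 4799 (security-enabled local group membership
enumerated, target = group name).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data: one host sweeping shares and groups, one
# ordinary user reading a single share. IPs are made up for the example.
SAMPLE_EVENTS = """\
2024-01-01T10:00:01,4624,172.16.5.225,forend,DC01
2024-01-01T10:00:02,5145,172.16.5.225,forend,\\\\*\\IPC$
2024-01-01T10:00:02,5145,172.16.5.225,forend,\\\\*\\SYSVOL
2024-01-01T10:00:02,5145,172.16.5.225,forend,\\\\*\\NETLOGON
2024-01-01T10:00:03,5145,172.16.5.225,forend,\\\\*\\Dev-share
2024-01-01T10:00:03,5145,172.16.5.225,forend,\\\\*\\ADMIN$
2024-01-01T10:00:04,4799,172.16.5.225,forend,Administrators
2024-01-01T10:00:05,4799,172.16.5.225,forend,Remote Desktop Users
2024-01-01T10:00:06,4799,172.16.5.225,forend,Backup Operators
2024-01-01T10:30:00,4624,172.16.5.50,jsmith,DC01
2024-01-01T10:30:05,5145,172.16.5.50,jsmith,\\\\*\\SYSVOL
"""


@dataclass(frozen=True)
class Event:
    ts: str
    event_id: int
    source_ip: str
    account: str
    target: str


def parse_events(text):
    """Parse the simplified CSV records into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ip, acct, target = line.split(",", 4)
        events.append(Event(ts, int(eid), ip, acct, target))
    return events


def enumeration_summary(events, share_threshold=3, group_threshold=2):
    """Count distinct shares (5145) and distinct groups (4799) touched
    per (source_ip, account). Return the pairs meeting either threshold,
    mapped to their counts, so an analyst sees breadth, not raw volume."""
    shares = defaultdict(set)
    groups = defaultdict(set)
    for e in events:
        key = (e.source_ip, e.account)
        if e.event_id == 5145:
            shares[key].add(e.target)
        elif e.event_id == 4799:
            groups[key].add(e.target)

    flagged = {}
    for key in set(shares) | set(groups):
        n_shares = len(shares.get(key, ()))
        n_groups = len(groups.get(key, ()))
        if n_shares >= share_threshold or n_groups >= group_threshold:
            flagged[key] = {"shares": n_shares, "groups": n_groups}
    return flagged


if __name__ == "__main__":
    for (ip, acct), counts in sorted(enumeration_summary(parse_events(SAMPLE_EVENTS)).items()):
        print(f"{ip} as {acct}: {counts['shares']} shares, {counts['groups']} groups enumerated")
```

Breadth (distinct shares and groups per source) separates an enumeration sweep from a user who legitimately opens one share many times; the thresholds are starting points and should be tuned against a baseline of normal administrative activity in the environment.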

rpcclient (Query User)

Command:

rpcclient $> queryuser 0x457

Description: Enumerates a target user account in a Windows domain using its relative identifier (RID). Run from within an interactive rpcclient session (the rpcclient $> prompt) opened with valid credentials. Performed from a Linux-based host.

rpcclient (Enumerate Domain Users)

Command:

rpcclient $> enumdomusers

Description: Lists the user accounts in a target Windows domain together with their RIDs. Run from within an interactive rpcclient session. Performed from a Linux-based host.

psexec.py

Command:

psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125

Description: Impacket tool used to connect to the CLI of a Windows target via the ADMIN$ administrative share with valid credentials. Performed from a Linux-based host.

wmiexec.py

Command:

wmiexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.5

Description: Impacket tool used to connect to the CLI of a Windows target via WMI with valid credentials. Performed from a Linux-based host.

windapsearch (Options Display)

Command:

windapsearch.py -h

Description: Displays the options and functionality of windapsearch.py. Performed from a Linux-based host.

windapsearch (Domain Admins Enumeration)

Command:

python3 windapsearch.py --dc-ip 172.16.5.5 -u 'inlanefreight\wley' -p transporter@4 --da

Description: Enumerates the domain admins group using valid credentials on a target Windows domain. Performed from a Linux-based host.

windapsearch (Privileged Users Enumeration)

Command:

python3 windapsearch.py --dc-ip 172.16.5.5 -u 'inlanefreight\wley' -p transporter@4 -PU

Description: Performs a recursive search for users with nested permissions using valid credentials. Performed from a Linux-based host.

bloodhound-python

Command:

sudo bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all

Description: Executes the Python implementation of BloodHound (bloodhound.py) with valid credentials, specifying a name server and target Windows domain, and runs all checks. Performed from a Linux-based host.
