Credentialed Enumeration

xfreerdp

Command:

xfreerdp /u:forend@inlanefreight.local /p:Klmcargo2 /v:172.16.5.25

Description: Connects to a Windows target using valid credentials. Performed from a Linux-based host.

crackmapexec (Users)

Command:

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --users

Description: Authenticates with a Windows target over SMB using valid credentials and attempts to discover more users in a target Windows domain. Performed from a Linux-based host.

crackmapexec (Groups)

Command:

sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups

Description: Authenticates with a Windows target over SMB using valid credentials and attempts to discover groups in a target Windows domain. Performed from a Linux-based host.

crackmapexec (Logged-on Users)

Command:

sudo crackmapexec smb 172.16.5.125 -u forend -p Klmcargo2 --loggedon-users

Description: Authenticates with a Windows target over SMB using valid credentials and attempts to list the users currently logged on to the target Windows host. Performed from a Linux-based host.

crackmapexec (Shares)

Command:

Description: Authenticates with a Windows target over SMB using valid credentials and attempts to discover any SMB shares. Performed from a Linux-based host.

crackmapexec (Spider Plus)

Command:

Description: Authenticates with a Windows target over SMB using valid credentials and uses the CrackMapExec module spider_plus to list all readable files in the specified share. The results are output in JSON. Performed from a Linux-based host.

smbmap (Shares & Permissions)

Command:

Description: Enumerates the target Windows domain using valid credentials and lists the shares and the permissions available on each in the context of the credentials used. Performed from a Linux-based host.

smbmap (Recursive Listing)

Command:

Description: Enumerates the target Windows domain using valid credentials and performs a recursive listing of the specified share while only outputting directories. Performed from a Linux-based host.

rpcclient (Query User)

Command:

Description: Enumerates a target user account in a Windows domain using its relative identifier (RID). Performed from a Linux-based host.

rpcclient (Enumerate Domain Users)

Command:

Description: Discovers user accounts in a target Windows domain and their associated RIDs. Performed from a Linux-based host.

psexec.py

Command:

Description: Impacket tool used to connect to the CLI of a Windows target via the ADMIN$ administrative share with valid credentials. Performed from a Linux-based host.

wmiexec.py

Command:

Description: Impacket tool used to connect to the CLI of a Windows target via WMI with valid credentials. Performed from a Linux-based host.

windapsearch (Options Display)

Command:

Description: Displays the options and functionality of windapsearch.py. Performed from a Linux-based host.

windapsearch (Domain Admins Enumeration)

Command:

Description: Enumerates the domain admins group using valid credentials on a target Windows domain. Performed from a Linux-based host.

Command:

Description: Performs a recursive search for users with nested permissions using valid credentials. Performed from a Linux-based host.

bloodhound-python

Command:

Description: Executes the Python implementation of BloodHound (bloodhound.py) with valid credentials, specifying a name server and target Windows domain, and runs all checks. Performed from a Linux-based host.