Attacking Active Directory

Enumerate Shares with User Account

SMBMap

SMBMap enumerates SMB shares across an entire domain: it lists shares, the permissions the supplied account has on each, and share contents, can upload and download files, auto-download files whose names match a pattern, and can even execute remote commands. It was written with pentesting in mind and is meant to simplify the search for potentially sensitive data across large networks.

smbmap -u elena.lopez -p princesa1 -H 192.168.56.10

Pass the domain explicitly with -d north.newyork.local so the credentials are evaluated as a domain account rather than a local one; -H takes a single host, so sweep a range with CrackMapExec below and come back to smbmap with -r to list a share's contents once you know which ones are readable.

CrackMapExec

Enumerate the shares again, this time authenticated as a domain user instead of anonymously. The banner lines also tell you each host's OS build, whether SMB signing is required and whether SMBv1 is enabled. In the output below, the non-default shares all and public on SALISBURY and all on YONKERS are writable (READ,WRITE) by an ordinary domain user, and SALISBURY and YONKERS do not require SMB signing, which makes them candidates for the NTLM relay attacks covered in the relay section.


crackmapexec smb 192.168.56.10-23 -u elena.lopez -p princesa1 -d north.newyork.local --shares

SMB         192.168.56.23   445    SALISBURY        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:SALISBURY) (domain:north.newyork.local) (signing:False) (SMBv1:True)
SMB         192.168.56.12   445    BALTIMORE        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BALTIMORE) (domain:north.newyork.local) (signing:True) (SMBv1:True)
SMB         192.168.56.10   445    NYC              [*] Windows 10.0 Build 17763 x64 (name:NYC) (domain:north.newyork.local) (signing:True) (SMBv1:False)
SMB         192.168.56.22   445    YONKERS          [*] Windows 10.0 Build 17763 x64 (name:YONKERS) (domain:north.newyork.local) (signing:False) (SMBv1:False)
SMB         192.168.56.11   445    BRONX            [*] Windows 10.0 Build 17763 x64 (name:BRONX) (domain:north.newyork.local) (signing:True) (SMBv1:False)
SMB         192.168.56.23   445    SALISBURY        [+] north.newyork.local\elena.lopez:princesa1 
SMB         192.168.56.12   445    BALTIMORE        [+] north.newyork.local\elena.lopez:princesa1 
SMB         192.168.56.10   445    NYC              [+] north.newyork.local\elena.lopez:princesa1 
SMB         192.168.56.22   445    YONKERS          [+] north.newyork.local\elena.lopez:princesa1 
SMB         192.168.56.12   445    BALTIMORE        [+] Enumerated shares
SMB         192.168.56.12   445    BALTIMORE        Share           Permissions     Remark
SMB         192.168.56.12   445    BALTIMORE        -----           -----------     ------
SMB         192.168.56.12   445    BALTIMORE        ADMIN$                          Remote Admin
SMB         192.168.56.12   445    BALTIMORE        C$                              Default share
SMB         192.168.56.12   445    BALTIMORE        IPC$                            Remote IPC
SMB         192.168.56.12   445    BALTIMORE        NETLOGON        READ            Logon server share 
SMB         192.168.56.12   445    BALTIMORE        SYSVOL          READ            Logon server share 
SMB         192.168.56.23   445    SALISBURY        [+] Enumerated shares
SMB         192.168.56.23   445    SALISBURY        Share           Permissions     Remark
SMB         192.168.56.23   445    SALISBURY        -----           -----------     ------
SMB         192.168.56.23   445    SALISBURY        ADMIN$                          Remote Admin
SMB         192.168.56.23   445    SALISBURY        all             READ,WRITE      Basic RW share for all
SMB         192.168.56.23   445    SALISBURY        C$                              Default share
SMB         192.168.56.23   445    SALISBURY        CertEnroll      READ            Active Directory Certificate Services share
SMB         192.168.56.23   445    SALISBURY        IPC$                            Remote IPC
SMB         192.168.56.23   445    SALISBURY        public          READ,WRITE      Basic Read share for all domain users
SMB         192.168.56.11   445    BRONX            [+] north.newyork.local\elena.lopez:princesa1 
SMB         192.168.56.10   445    NYC              [+] Enumerated shares
SMB         192.168.56.10   445    NYC              Share           Permissions     Remark
SMB         192.168.56.10   445    NYC              -----           -----------     ------
SMB         192.168.56.10   445    NYC              ADMIN$                          Remote Admin
SMB         192.168.56.10   445    NYC              C$                              Default share
SMB         192.168.56.10   445    NYC              CertEnroll      READ            Active Directory Certificate Services share
SMB         192.168.56.10   445    NYC              IPC$            READ            Remote IPC
SMB         192.168.56.10   445    NYC              NETLOGON        READ            Logon server share 
SMB         192.168.56.10   445    NYC              SYSVOL          READ            Logon server share 
SMB         192.168.56.10   445    NYC              Users           READ            
SMB         192.168.56.22   445    YONKERS          [+] Enumerated shares
SMB         192.168.56.22   445    YONKERS          Share           Permissions     Remark
SMB         192.168.56.22   445    YONKERS          -----           -----------     ------
SMB         192.168.56.22   445    YONKERS          ADMIN$                          Remote Admin
SMB         192.168.56.22   445    YONKERS          all             READ,WRITE      Basic RW share for all
SMB         192.168.56.22   445    YONKERS          C$                              Default share
SMB         192.168.56.22   445    YONKERS          IPC$            READ            Remote IPC
SMB         192.168.56.22   445    YONKERS          public          READ            Basic Read share for all domain users
SMB         192.168.56.11   445    BRONX            [+] Enumerated shares
SMB         192.168.56.11   445    BRONX            Share           Permissions     Remark
SMB         192.168.56.11   445    BRONX            -----           -----------     ------
SMB         192.168.56.11   445    BRONX            ADMIN$                          Remote Admin
SMB         192.168.56.11   445    BRONX            C$                              Default share
SMB         192.168.56.11   445    BRONX            IPC$            READ            Remote IPC
SMB         192.168.56.11   445    BRONX            NETLOGON        READ            Logon server share 
SMB         192.168.56.11   445    BRONX            SYSVOL          READ            Logon server share 
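
Once the sweep covers more than a handful of hosts, reading the share table host by host gets slow. The following Python script is an added example (not part of the original page and not CrackMapExec's own code): it parses the --shares output above into one record per host and ranks what to look at next, writable non-default shares first, then readable non-default shares, then hosts without SMB signing (relay candidates) and hosts with SMBv1 enabled. The sample input is a subset of the output shown above, embedded so the script runs offline; the DEFAULT_SHARES set and the finding categories are my own choices.

```python
import re
from collections import OrderedDict

# Constructed sample: a subset of the `crackmapexec smb ... --shares` output
# shown on this page, embedded so the script runs offline.
SAMPLE_OUTPUT = """\
SMB         192.168.56.23   445    SALISBURY        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:SALISBURY) (domain:north.newyork.local) (signing:False) (SMBv1:True)
SMB         192.168.56.12   445    BALTIMORE        [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BALTIMORE) (domain:north.newyork.local) (signing:True) (SMBv1:True)
SMB         192.168.56.22   445    YONKERS          [*] Windows 10.0 Build 17763 x64 (name:YONKERS) (domain:north.newyork.local) (signing:False) (SMBv1:False)
SMB         192.168.56.12   445    BALTIMORE        [+] north.newyork.local\\elena.lopez:princesa1
SMB         192.168.56.12   445    BALTIMORE        [+] Enumerated shares
SMB         192.168.56.12   445    BALTIMORE        Share           Permissions     Remark
SMB         192.168.56.12   445    BALTIMORE        -----           -----------     ------
SMB         192.168.56.12   445    BALTIMORE        ADMIN$                          Remote Admin
SMB         192.168.56.12   445    BALTIMORE        C$                              Default share
SMB         192.168.56.12   445    BALTIMORE        IPC$                            Remote IPC
SMB         192.168.56.12   445    BALTIMORE        NETLOGON        READ            Logon server share 
SMB         192.168.56.12   445    BALTIMORE        SYSVOL          READ            Logon server share 
SMB         192.168.56.23   445    SALISBURY        [+] Enumerated shares
SMB         192.168.56.23   445    SALISBURY        Share           Permissions     Remark
SMB         192.168.56.23   445    SALISBURY        -----           -----------     ------
SMB         192.168.56.23   445    SALISBURY        ADMIN$                          Remote Admin
SMB         192.168.56.23   445    SALISBURY        all             READ,WRITE      Basic RW share for all
SMB         192.168.56.23   445    SALISBURY        C$                              Default share
SMB         192.168.56.23   445    SALISBURY        CertEnroll      READ            Active Directory Certificate Services share
SMB         192.168.56.23   445    SALISBURY        IPC$                            Remote IPC
SMB         192.168.56.23   445    SALISBURY        public          READ,WRITE      Basic Read share for all domain users
SMB         192.168.56.22   445    YONKERS          [+] Enumerated shares
SMB         192.168.56.22   445    YONKERS          Share           Permissions     Remark
SMB         192.168.56.22   445    YONKERS          -----           -----------     ------
SMB         192.168.56.22   445    YONKERS          ADMIN$                          Remote Admin
SMB         192.168.56.22   445    YONKERS          all             READ,WRITE      Basic RW share for all
SMB         192.168.56.22   445    YONKERS          C$                              Default share
SMB         192.168.56.22   445    YONKERS          IPC$            READ            Remote IPC
SMB         192.168.56.22   445    YONKERS          public          READ            Basic Read share for all domain users
"""

# CME line layout: protocol, ip, port, hostname, then the message/table cell.
LINE_RE = re.compile(r"^SMB\s+(\S+)\s+(\d+)\s+(\S+)\s+(.*)$")
# A share row: name, optional permissions column, free-text remark.
SHARE_RE = re.compile(r"^(\S+)\s*(?:(READ,WRITE|READ|WRITE)\s*)?(.*)$")
# Flags CME prints in the [*] banner line.
FLAG_RE = re.compile(r"\((signing|SMBv1):(True|False)\)")

# Shares every Windows host or DC exposes; READ on NETLOGON/SYSVOL is expected
# for any domain user, so they are not flagged (own choice for this example).
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL", "print$"}


def parse_cme_shares(text):
    """Turn `crackmapexec smb ... --shares` output into {ip: host record}."""
    hosts = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        ip, _port, name, rest = m.groups()
        rec = hosts.setdefault(ip, {"hostname": name, "signing": None, "smbv1": None, "shares": []})
        if rest.startswith("[*]"):  # banner: pick up signing / SMBv1 state
            for flag, val in FLAG_RE.findall(rest):
                rec[flag.lower()] = (val == "True")
            continue
        if rest.startswith(("[+]", "[-]", "Share ", "-----")):  # status or table header
            continue
        sm = SHARE_RE.match(rest)
        if sm:
            share, perms, remark = sm.groups()
            rec["shares"].append({"name": share, "perms": perms or "", "remark": remark.strip()})
    return hosts


def triage(hosts):
    """Return (category, ip, hostname, share) findings, most useful first."""
    findings = []
    for ip, rec in hosts.items():
        for s in rec["shares"]:
            if s["name"] in DEFAULT_SHARES:
                continue
            if "WRITE" in s["perms"]:
                findings.append(("writable_share", ip, rec["hostname"], s["name"]))
            elif "READ" in s["perms"]:
                findings.append(("readable_share", ip, rec["hostname"], s["name"]))
        if rec["signing"] is False:  # SMB signing not required: NTLM relay target
            findings.append(("smb_signing_off", ip, rec["hostname"], ""))
        if rec["smbv1"] is True:
            findings.append(("smbv1_enabled", ip, rec["hostname"], ""))
    order = {"writable_share": 0, "readable_share": 1, "smb_signing_off": 2, "smbv1_enabled": 3}
    findings.sort(key=lambda f: (order[f[0]], f[1]))  # stable: keeps share order per host
    return findings


if __name__ == "__main__":
    for cat, ip, host, share in triage(parse_cme_shares(SAMPLE_OUTPUT)):
        print(f"{cat:<16} {ip:<15} {host:<10} {share}")
```

Run CrackMapExec with the output teed to a file and pass the file contents to parse_cme_shares. Writable shares are the first thing to act on (a file dropped there may be executed or opened by someone else), readable non-default shares are where credentials in scripts and config files usually turn up, and the signing:False hosts feed straight into the relay section.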


Last updated 2 years ago