# Credentialed Enumeration From Linux ## **Authenticated Enumeration - from Linux** ### 1️⃣ CrackMapExec * `sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 --users` → Enumerates domain users\ Displays a list of domain users along with the `badPwdCount` attribute. * `sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 --groups` → Enumerates domain groups\ Provides a list of groups along with the number of users in each. * `sudo crackmapexec smb 10.20.30.150 -u alex -p StrongPass123 --loggedon-users` → Shows currently logged-in users. * `sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 --shares` → Lists available shared resources and access levels for the user. * `sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 -M spider_plus`\ This module scans all accessible shares for readable files. You can specify a particular share using `--share 'Finance Records'`.\ The output is saved in `/tmp/cme_spider_plus/`. ### 2️⃣ SMBMap * `smbmap -u alex -p StrongPass123 -d CORP.LOCAL -H 10.20.30.40` → Checks accessible resources and permission levels. * `smbmap -u alex -p StrongPass123 -d CORP.LOCAL -H 10.20.30.40 -R 'Finance Records' --dir-only`\ Displays all subdirectories within the specified directory without listing files. ### 3️⃣ rpcclient [`rpcclient`](https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html) is a useful tool for interacting with Samba and MS-RPC services. It allows enumeration, modification, and deletion of Active Directory objects. * `rpcclient -U "" -N 10.20.30.40` → Establishes a null session shell with the domain controller. * `rpcclient$> queryuser 0x457` → Enumerates user by RID (0x457 in hex = 111 in decimal). * `rpcclient$> enumdomusers` → Lists all domain users along with their RIDs. ### 4️⃣ Impacket Toolkit #### Psexec.py This tool uploads an executable to the `ADMIN$` share, creates a remote service, and establishes a SYSTEM-level shell. * `psexec.py corp.local/jdoe:'SecurePass!1'@10.20.30.125` → Spawns a remote shell. #### wmiexec.py `wmiexec.py` leverages Windows Management Instrumentation (WMI) for command execution. Unlike `psexec.py`, it does not leave artifacts on the target system. * `wmiexec.py corp.local/jdoe:'SecurePass!1'@10.20.30.40` → Opens a semi-interactive shell. ### 5️⃣ Windapsearch [Windapsearch](https://github.com/ropnop/windapsearch) is a Python script for querying LDAP and extracting user, group, and computer information from an Active Directory domain. * `python3 windapsearch.py --dc-ip 10.20.30.40 -u alex@corp.local -p StrongPass123 --da` → Retrieves members of the Domain Admins group. * `python3 windapsearch.py --dc-ip 10.20.30.40 -u alex@corp.local -p StrongPass123 -PU` → Identifies privileged users. ### 6️⃣ BloodHound.py Initially a PowerShell tool, `BloodHound.py` is a Python implementation useful for gathering AD-related data without needing a Windows machine. * `sudo bloodhound-python -u 'alex' -p 'StrongPass123' -ns 10.20.30.40 -d corp.local -c all` → Runs BloodHound data collection. * `-ns` = Name server * `-d` = Domain * `-c` = Collection type (all data in this case) The output consists of JSON files. * `zip -r corp_bh.zip *.json` → Compresses collected data into a ZIP file. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.dollarboysushil.com/active-directory-attacks/credentialed-enumeration-from-linux.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.