11. Credentialed Enumeration - from Linux

1. CrackMapExec (CME)

Function:

Post-exploitation tool for Active Directory assessment.
Enumerates users, groups, logged-on users, and SMB shares.
Supports share spidering.

Commands:

sudo crackmapexec smb <target_ip> -u <username> -p <password> --users  # Enumerate users
sudo crackmapexec smb <target_ip> -u <username> -p <password> --groups  # Enumerate groups
sudo crackmapexec smb <target_ip> -u <username> -p <password> --loggedon-users  # Enumerate logged-on users
sudo crackmapexec smb <target_ip> -u <username> -p <password> --shares  # Enumerate shares
sudo crackmapexec smb <target_ip> -u <username> -p <password> -M spider_plus --share '<share_name>'  # Share spidering

Additional Features:

Use crackmapexec -h for help.
Redirect output: sudo crackmapexec smb <target_ip> --users > users.txt.

2. SMBMap

Function:

Enumerates SMB shares, permissions, and file structures.

Commands:

smbmap -u <username> -p <password> -d <domain> -H <target_ip>  # Enumerate shares
smbmap -u <username> -p <password> -d <domain> -H <target_ip> -R '<share_name>' --dir-only  # Recursive directory listing

Additional Features:

Supports searching file contents within shares.

3. rpcclient

Function:

Interacts with MS-RPC for Active Directory enumeration.

Commands:

rpcclient -U "" -N <target_ip>  # Unauthenticated connection
rpcclient $> enumdomusers  # Enumerate domain users
rpcclient $> queryuser <rid>  # Query user by RID

Additional Features:

Check all options with man rpcclient.

4. Impacket

Function:

Python toolkit for Windows protocol interaction.

Commands:

psexec.py <domain>/<username>:'<password>'@<target_ip>  # Remote interactive shell
wmiexec.py <domain>/<username>:'<password>'@<target_ip>  # Semi-interactive WMI shell

Additional Features:

Supports hash authentication: psexec.py <domain>/<username>@<target_ip> -hashes <LM hash>:<NT hash>

5. Windapsearch

Function:

LDAP-based enumeration of users, groups, and GPOs.

Commands:

windapsearch.py -d <domain> --dc-ip <dc_ip> -u <username> -p <password> --users  # Enumerate users

Additional Features:

Supports GPO enumeration with --gpos.

Summary

CrackMapExec: Powerful SMB enumeration and exploitation.
SMBMap: Detailed SMB share analysis.
rpcclient: Low-level AD interaction.
Impacket: Remote execution and shell access.
Windapsearch: Efficient LDAP-based enumeration.

Monitor and log enumeration activities to detect potential attacks!

Previous10. Enumerating Security Controls Next12.Credentialed Enumeration - from Windows

Last updated 12 days ago

sudo crackmapexec smb <target_ip> -u <username> -p <password> --users # Enumerate users sudo crackmapexec smb <target_ip> -u <username> -p <password> --groups # Enumerate groups sudo crackmapexec smb <target_ip> -u <username> -p <password> --loggedon-users # Enumerate logged-on users sudo crackmapexec smb <target_ip> -u <username> -p <password> --shares # Enumerate shares sudo crackmapexec smb <target_ip> -u <username> -p <password> -M spider_plus --share '<share_name>' # Share spidering

smbmap -u <username> -p <password> -d <domain> -H <target_ip> # Enumerate shares smbmap -u <username> -p <password> -d <domain> -H <target_ip> -R '<share_name>' --dir-only # Recursive directory listing