11. Credentialed Enumeration - from Linux

1. CrackMapExec (CME)

Function:

Post-exploitation tool for Active Directory assessment.
Enumerates users, groups, logged-on users, and SMB shares.
Supports share spidering.

Commands:

sudo crackmapexec smb <target_ip> -u <username> -p <password> --users  # Enumerate users
sudo crackmapexec smb <target_ip> -u <username> -p <password> --groups  # Enumerate groups
sudo crackmapexec smb <target_ip> -u <username> -p <password> --loggedon-users  # Enumerate logged-on users
sudo crackmapexec smb <target_ip> -u <username> -p <password> --shares  # Enumerate shares
sudo crackmapexec smb <target_ip> -u <username> -p <password> -M spider_plus --share '<share_name>'  # Share spidering

Additional Features:

Use crackmapexec -h for help.
Redirect output: sudo crackmapexec smb <target_ip> --users > users.txt.

2. SMBMap

Function:

Enumerates SMB shares, permissions, and file structures.

Commands:

smbmap -u <username> -p <password> -d <domain> -H <target_ip>  # Enumerate shares
smbmap -u <username> -p <password> -d <domain> -H <target_ip> -R '<share_name>' --dir-only  # Recursive directory listing

Additional Features:

Supports searching file contents within shares.

3. rpcclient

Function:

Interacts with MS-RPC for Active Directory enumeration.

Commands:

rpcclient -U "" -N <target_ip>  # Unauthenticated connection
rpcclient $> enumdomusers  # Enumerate domain users
rpcclient $> queryuser <rid>  # Query user by RID

Additional Features:

Check all options with man rpcclient.

4. Impacket

Function:

Python toolkit for Windows protocol interaction.

Commands:

psexec.py <domain>/<username>:'<password>'@<target_ip>  # Remote interactive shell
wmiexec.py <domain>/<username>:'<password>'@<target_ip>  # Semi-interactive WMI shell

Additional Features:

Supports hash authentication: psexec.py <domain>/<username>@<target_ip> -hashes <LM hash>:<NT hash>

5. Windapsearch

Function:

LDAP-based enumeration of users, groups, and GPOs.

Commands:

windapsearch.py -d <domain> --dc-ip <dc_ip> -u <username> -p <password> --users  # Enumerate users

Additional Features:

Supports GPO enumeration with --gpos.

Summary

CrackMapExec: Powerful SMB enumeration and exploitation.
SMBMap: Detailed SMB share analysis.
rpcclient: Low-level AD interaction.
Impacket: Remote execution and shell access.
Windapsearch: Efficient LDAP-based enumeration.

Monitor and log enumeration activities to detect potential attacks!

Previous10. Enumerating Security Controls Next12.Credentialed Enumeration - from Windows

Last updated 8 months ago

hashtag1. CrackMapExec (CME)

hashtagFunction:

hashtagCommands:

hashtagAdditional Features:

hashtag2. SMBMap

hashtagFunction:

hashtagCommands:

hashtagAdditional Features:

hashtag3. rpcclient

hashtagFunction:

hashtagCommands:

hashtagAdditional Features:

hashtag4. Impacket

hashtagFunction:

hashtagCommands:

hashtagAdditional Features:

hashtag5. Windapsearch

hashtagFunction:

hashtagCommands:

hashtagAdditional Features:

hashtagSummary

1. CrackMapExec (CME)

Function:

Commands:

Additional Features:

2. SMBMap

Function:

Commands:

Additional Features:

3. rpcclient

Function:

Commands:

Additional Features:

4. Impacket

Function:

Commands:

Additional Features:

5. Windapsearch

Function:

Commands:

Additional Features:

Summary