11. Credentialed Enumeration - from Linux

1. CrackMapExec (CME)

Function:

  • Post-exploitation tool for Active Directory assessment.

  • Enumerates users, groups, logged-on users, and SMB shares.

  • Supports share spidering.

Commands:

sudo crackmapexec smb <target_ip> -u <username> -p <password> --users  # Enumerate users
sudo crackmapexec smb <target_ip> -u <username> -p <password> --groups  # Enumerate groups
sudo crackmapexec smb <target_ip> -u <username> -p <password> --loggedon-users  # Enumerate logged-on users
sudo crackmapexec smb <target_ip> -u <username> -p <password> --shares  # Enumerate shares
sudo crackmapexec smb <target_ip> -u <username> -p <password> -M spider_plus --share '<share_name>'  # Share spidering

Additional Features:

  • Use crackmapexec -h for help.

  • Redirect output to a file: sudo crackmapexec smb <target_ip> -u <username> -p <password> --users > users.txt

2. SMBMap

Function:

  • Enumerates SMB shares, permissions, and file structures.

Commands:

smbmap -u <username> -p <password> -d <domain> -H <target_ip>  # Enumerate shares
smbmap -u <username> -p <password> -d <domain> -H <target_ip> -R '<share_name>' --dir-only  # Recursive directory listing

Additional Features:

  • Supports searching file contents within shares.

3. rpcclient

Function:

  • Interacts with MS-RPC for Active Directory enumeration.

Commands:

rpcclient -U "" -N <target_ip>  # Unauthenticated connection
rpcclient $> enumdomusers  # Enumerate domain users
rpcclient $> queryuser <rid>  # Query user by RID

Additional Features:

  • Check all options with man rpcclient.

4. Impacket

Function:

  • Python toolkit for Windows protocol interaction.

Commands:

psexec.py <domain>/<username>:'<password>'@<target_ip>  # Remote interactive shell
wmiexec.py <domain>/<username>:'<password>'@<target_ip>  # Semi-interactive WMI shell

Additional Features:

  • Supports hash authentication: psexec.py <domain>/<username>@<target_ip> -hashes <LM hash>:<NT hash>

5. Windapsearch

Function:

  • LDAP-based enumeration of users, groups, and GPOs.

Commands:

windapsearch.py -d <domain> --dc-ip <dc_ip> -u <username> -p <password> --users  # Enumerate users

Additional Features:

  • Supports GPO enumeration with --gpos.

Summary

  • CrackMapExec: Powerful SMB enumeration and exploitation.

  • SMBMap: Detailed SMB share analysis.

  • rpcclient: Low-level AD interaction.

  • Impacket: Remote execution and shell access.

  • Windapsearch: Efficient LDAP-based enumeration.

Monitor and log enumeration activities to detect potential attacks!
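The tools above leave a recognisable footprint in the Windows Security log of the domain controller or file server they touch: a network logon (4624, LogonType 3), a burst of share accesses (5140) when --shares or smbmap enumerate everything a user can reach, and a run of SAM object handle requests (4661 on SAM_USER / SAM_GROUP objects) when rpcclient enumdomusers or --users walk the user database. The script below is an added example, not part of the original notes or of any of the listed tools: it applies a sliding-window threshold to a constructed set of event records (dictionaries whose keys mirror the Security log field names EventID, IpAddress, TimeCreated, ShareName, ObjectType, TargetUserName), flags sources that sweep many distinct shares or hammer SAM objects in a short window, and ties each alert back to the account that logged on from that source. The IPs, account names, thresholds and window length are constructed values for the demonstration.

```python
# Added example (not the original notes' or any listed tool's code): flag
# credentialed-enumeration footprints in Windows Security event records.
# The records are constructed samples; field names mirror the Security log.
from collections import defaultdict
from datetime import datetime, timedelta

SHARE_THRESHOLD = 5          # distinct shares from one source in one window
SAM_THRESHOLD = 20           # SAM_* object handle requests (4661) in one window
WINDOW = timedelta(minutes=2)

BASE = datetime(2024, 5, 1, 9, 0, 0)   # constructed start time for the samples


def _ev(eid, ip, secs, **fields):
    """Build one constructed event record `secs` seconds after BASE."""
    rec = {"EventID": eid, "IpAddress": ip,
           "TimeCreated": (BASE + timedelta(seconds=secs)).isoformat()}
    rec.update(fields)
    return rec


# Constructed sample: 10.10.14.7 logs on, lists six shares in six seconds
# (what a --shares sweep looks like), then requests 22 SAM_USER handles in
# ~20 seconds (what enumdomusers / --users looks like). 10.10.20.5 is a
# benign client opening two shares several minutes apart.
SAMPLE_EVENTS = (
    [_ev(4624, "10.10.14.7", 0, LogonType=3, TargetUserName="jdoe")]
    + [_ev(5140, "10.10.14.7", 1 + i, ShareName="\\\\*\\" + s)
       for i, s in enumerate(["ADMIN$", "C$", "IPC$", "NETLOGON",
                              "SYSVOL", "Department Shares"])]
    + [_ev(4661, "10.10.14.7", 10 + i, ObjectType="SAM_USER") for i in range(22)]
    + [_ev(4624, "10.10.20.5", 0, LogonType=3, TargetUserName="svc_backup"),
       _ev(5140, "10.10.20.5", 5, ShareName="\\\\*\\SYSVOL"),
       _ev(5140, "10.10.20.5", 400, ShareName="\\\\*\\NETLOGON")]
)


def detect_enumeration(events, window=WINDOW,
                       share_threshold=SHARE_THRESHOLD,
                       sam_threshold=SAM_THRESHOLD):
    """Return sorted (source_ip, kind, peak_count) alerts.

    kind is "share_sweep" (distinct ShareNames in 5140 events inside any
    window of length `window`) or "sam_enum" (number of 4661 events on
    SAM_* objects inside any such window)."""
    per_source = defaultdict(list)          # (ip, kind) -> [(time, key)]
    for ev in events:
        ts = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == 5140:
            per_source[(ev["IpAddress"], "share_sweep")].append((ts, ev["ShareName"]))
        elif ev["EventID"] == 4661 and ev.get("ObjectType", "").startswith("SAM_"):
            per_source[(ev["IpAddress"], "sam_enum")].append((ts, ev["ObjectType"]))

    alerts = []
    for (ip, kind), items in per_source.items():
        items.sort()
        threshold = share_threshold if kind == "share_sweep" else sam_threshold
        peak, start = 0, 0
        for end in range(len(items)):          # two-pointer sliding window
            while items[end][0] - items[start][0] > window:
                start += 1
            if kind == "share_sweep":
                count = len({key for _, key in items[start:end + 1]})
            else:
                count = end - start + 1
            peak = max(peak, count)
        if peak >= threshold:
            alerts.append((ip, kind, peak))
    return sorted(alerts)


def accounts_for_source(events, ip):
    """Accounts that completed a network logon (4624, LogonType 3) from ip."""
    return sorted({ev["TargetUserName"] for ev in events
                   if ev["EventID"] == 4624 and ev.get("LogonType") == 3
                   and ev["IpAddress"] == ip})


if __name__ == "__main__":
    for ip, kind, peak in detect_enumeration(SAMPLE_EVENTS):
        who = ", ".join(accounts_for_source(SAMPLE_EVENTS, ip)) or "unknown"
        print(f"ALERT {kind:12s} source={ip} peak={peak} account(s)={who}")
```

Both event types must actually be audited before any of this fires: 5140 requires the Object Access > File Share subcategory, and 4661 requires Object Access > SAM; neither is enabled by default on a domain controller. The thresholds are starting points to tune against a baseline of normal share and SAM traffic, not fixed values.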
