Hunting Sensitive Web Files

Hunting Sensitive Web Files

Something I like to do when testing a web application is to look for sensitive files that have been placed in web-exposed directories. Application administrators sometimes leave files in places they shouldn’t that contain information which may help advance your attack chain. Source code, configuration files, and…

Continue Reading

Credential spraying with CrackMapExec - Safely

Credential spraying with CrackMapExec (safely)

Not too long ago I worked up an SMB credential spraying script using rpcclient. I haven’t really been using this much as I tend to favor byt3bl33d3r’s CrackMapExec when attacking SMB. On a recent engagement, I accidentally locked out a good number of Windows domain accounts during…

Continue Reading

Credential spraying SMB servers with rpcclient

Credential spraying SMB servers with rpcclient

I’ve been wanting an efficient way to credential spray SMB servers. I typically use byt3bl33d3r’s CrackMapExec when poking SMB servers but wanted a way to rotate single users over multiple passwords and then force the process to sleep for a while (for the sake of account lock-out).…

Continue Reading