Attacking Common Services - Attacking SMB

Hi everyone!
I succeeded to enumerate two users using rpcclient where a ‘jason’ is among them.
However, I still have no success to get a valid jasons’ password via crackmapexec bruteforcing using a provided password wordlist from Resources as well as to download without authentication READ ONLY file from smb share .
(get id_rsa returns: ‘NT_STATUS_ACCESS_DENIED opening remote file …’).
I some confused, what have I do next. Please give me a hint how to move ahead.


You’ll need a domain for it, or you can use -d


Thank you very much my friend!
I don’t know how much time I would spend without your hint as the --help command does not describe this option as well as this section.


For anyone looking for this in the future, use the –local-auth flag


Hi everyone,

Can anyone tell me where de password’s wordlist are? The only ones i found are in /usr/share/… but i can’t understand where is the resources.


Hi, look closely in the hack the box web interface (top right of the page).

1 Like

Thanks for your help - I’m sure this isn’t even in the course material?!? how helpful of htb

Can anyone explain why --local-auth is required here? Only when authenticating to a domain joined machine using plain text password??

1 Like

thank’s a lot gingerwood !

How did you find the domain?!

1 Like

Run Enum4linux