Attacking Common Services - Attacking SMB

Hi everyone!
I succeeded in enumerating two users using rpcclient, and ‘jason’ is among them.
However, I still have had no success getting a valid password for jason via crackmapexec brute forcing with the provided password wordlist from Resources, nor downloading the READ ONLY file from the SMB share without authentication
(get id_rsa returns: ‘NT_STATUS_ACCESS_DENIED opening remote file …’).
I am somewhat confused about what I have to do next. Please give me a hint on how to move ahead.


You’ll need a domain for it, or you can use -d


Thank you very much my friend!
I don’t know how much time I would have spent without your hint, as the --help command does not describe this option, and neither does this section.


For anyone looking for this in the future, use the --local-auth flag.


Hi everyone,

Can anyone tell me where the password wordlists are? The only ones I found are in /usr/share/… but I can’t understand where the resources are.


Hi, look closely in the Hack The Box web interface (top right of the page).

Thanks for your help - I’m sure this isn’t even in the course material?!? How helpful of HTB

Can anyone explain why --local-auth is required here? Only when authenticating to a domain-joined machine using a plain text password??


Thanks a lot, gingerwood!

How did you find the domain?!

Run Enum4linux

Where can I find a password list?
In FTP or somewhere else?
I tried passwords from FTP but it didn’t work, tried rockyou.txt and it didn’t work as well.
I also tried with the parameter -d and the domain found with ENUM4LINUX (the same domain is added with the --local-auth parameter in crackmapexec) :confused:

What should I do? I need a hint there.

As a guide.

  • For question 1, use the smbclient tool.
  • For question 2, use the crackmapexec tool and the --local-auth parameter and the dictionary provided by HTB in resources.
  • For question 3, you must download the file located in G** (smbmap -H -r G**), use the smbmap tool and add the corresponding credentials of jason to get the permissions to download and read the file.
    Do not forget to give the appropriate permissions (600).

Copy the id_rsa file and crack it.