CredNinja is a multithreaded tool designed to identify whether credentials are valid, invalid, or valid with local administrator rights on hosts across a network, at scale, via SMB. It now also includes a user hunter.
This tool is intended for penetration testers who want to perform an engagement quickly and efficiently.
While it can be used for more covert operations (see the --delay, --stripe and --timeout options below), it really shines when used at the scale of a large network.
At its core, you give it a list of credentials you have dumped (or NTLM hashes; it can pass-the-hash) and a list of systems on the domain (scanning for port 445 first is recommended, or you can use --scan).
It will tell you whether the credentials you dumped are valid on the domain, and whether you have local administrator access to each host.
See below for additional features, such as user hunting and host detail enumeration.
It is intended to be run on Kali Linux.
Required Arguments:
-a accounts_to_test.txt, --accounts accounts_to_test.txt
A word or file of user credentials to test. Usernames
are accepted in the form of "DOMAIN\USERNAME:PASSWORD"
-s systems_to_test.txt, --servers systems_to_test.txt
A word or file of servers to test against. This can
be a single system, a filename containing a list of
systems, a gnmap file, or IP addresses in cidr notation.
Each credential will be tested against each of these
servers by attempting to browse C$ via SMB
Optional Arguments:
-t THREADS, --threads THREADS
Number of threads to use. Defaults to 10
--ntlm Treat the passwords as NTLM hashes and attempt to
pass-the-hash!
--valid Only print valid/local admin credentials
--invalid Only print invalid credentials
-o OUTPUT, --output OUTPUT
Print results to a file
-p PASSDELIMITER, --passdelimiter PASSDELIMITER
Change the delimiter between the account username and
password. Defaults to ":"
--delay SECONDS %JITTER
Delay each request per thread by specified seconds
with jitter (example: --delay 20 10, 20 second delay
with 10% jitter)
--timeout TIMEOUT Number of seconds to wait for data before timing out.
Default is 15 seconds
--stripe Only test one credential on one host to avoid spamming
a single system with multiple login attempts (used to
check validity of credentials). This will randomly
select hosts from the provided host file.
--scan Perform a quick check to see whether port 445 is open on
the host before queueing it up to be processed
--scan-timeout SCAN_TIMEOUT
Sets the timeout for the scan specified by --scan
argument. Default of 2 seconds
-h, --help Get help about this script's usage
--no-color Turns off output color. Written file is always
colorless
Additional Information Retrieval:
--os Display the OS of the system if available (no extra
request is being sent)
--domain Display the primary domain of the system if available
(no extra request is being sent)
--users List the users that have logged in to the system in
the last 6 months (requires LOCAL ADMIN). Returns
usernames with the number of days since their home
directory was changed. This sends one extra request to
each host
--users-time USERS_TIME
Modifies --users to search for users that have logged
in within the last supplied amount of days (default
100 days)
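To make the input conventions above concrete, here is an added illustration (not CredNinja's own code) of how the -a and -s inputs are interpreted and how --stripe and --delay change the work that gets queued: credential lines are split on the first delimiter only (so a password containing ":" survives, and -p is there for when it does not), a gnmap file is reduced to hosts with 445/open, CIDR ranges are expanded, and --stripe collapses the full credential-by-host cross product to one random host per credential. The local-account fallback for lines without a domain, the reading of "%JITTER" as a symmetric +/- percentage, and all sample data are assumptions of this example, not behaviour documented on the page.

```python
"""Illustration of CredNinja's input model (added example, not CredNinja code).
Covers: -a credential lines and -p, -s hosts/CIDR/gnmap, --stripe, --delay jitter."""
import ipaddress
import random
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

NTLM_RE = re.compile(r"^[0-9a-fA-F]{32}$")
# gnmap "Ports:" record, e.g. "Host: 10.0.0.5 ()<tab>Ports: 445/open/tcp//microsoft-ds///"
GNMAP_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*)$")


@dataclass(frozen=True)
class Credential:
    domain: str
    username: str
    secret: str  # plaintext password, or an NT hash when --ntlm is used


def is_ntlm_hash(secret: str) -> bool:
    """An NT hash is 32 hex characters; anything else must be rejected under --ntlm."""
    return bool(NTLM_RE.match(secret))


def parse_account(line: str, delimiter: str = ":", ntlm: bool = False) -> Credential:
    """Parse one 'DOMAIN\\USERNAME<delimiter>SECRET' line.
    Splits on the FIRST delimiter only, so 'Pa:ss:word' is kept intact. If a
    secret contains the delimiter itself, use -p to pick one that none contain."""
    line = line.rstrip("\r\n")
    if delimiter not in line:
        raise ValueError(f"no delimiter {delimiter!r} in {line!r}")
    account, secret = line.split(delimiter, 1)
    domain, sep, username = account.rpartition("\\")
    if not sep:  # assumption for this example: no domain means a local account
        domain, username = ".", account
    if ntlm and not is_ntlm_hash(secret):
        raise ValueError(f"--ntlm given but {secret!r} is not a 32-hex NT hash")
    return Credential(domain, username, secret)


def expand_servers(spec: str) -> List[str]:
    """Expand a single -s value: hostname, single IP, or CIDR (host addresses only)."""
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return [spec]  # not an address: treat as a hostname
    if net.num_addresses <= 2:  # /32 or /31: nothing to drop
        return [str(a) for a in net]
    return [str(h) for h in net.hosts()]


def hosts_from_gnmap(text: str) -> List[str]:
    """Keep hosts whose gnmap 'Ports:' record shows 445/open; closed/filtered are
    dropped, which is the pre-filter --scan would otherwise do live."""
    hosts = []
    for line in text.splitlines():
        m = GNMAP_RE.match(line)
        if m and re.search(r"(?:^|\s)445/open/", m.group(3)):
            hosts.append(m.group(1))
    return hosts


def build_work(creds: List[Credential], hosts: List[str], stripe: bool = False,
               rng: Optional[random.Random] = None) -> List[Tuple[Credential, str]]:
    """Default: every credential against every host (len(creds) * len(hosts) logins).
    --stripe: each credential tried once, on a random host, so no single system
    sees the whole credential list (validity check with minimal lockout risk)."""
    rng = rng or random.Random()
    if stripe:
        return [(c, rng.choice(hosts)) for c in creds]
    return [(c, h) for c in creds for h in hosts]


def jittered_delay(seconds: float, jitter_pct: float,
                   rng: Optional[random.Random] = None) -> float:
    """--delay SECONDS %JITTER read as base +/- jitter percent: '--delay 20 10'
    gives a sleep between 18 and 22 s. (Assumption: exact arithmetic not on the page.)"""
    rng = rng or random.Random()
    spread = seconds * jitter_pct / 100.0
    return seconds + rng.uniform(-spread, spread)


# Constructed sample inputs (not real data).
SAMPLE_ACCOUNTS = """CORP\\alice:Winter2024!
CORP\\svc_backup:Pa:ss:word
CORP\\bob:aad3b435b51404eeaad3b435b51404ee
"""
SAMPLE_GNMAP = """# Nmap 7.94 scan initiated as: nmap -p445 -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.1 ()\tStatus: Up
Host: 10.0.0.1 ()\tPorts: 445/filtered/tcp//microsoft-ds///
Host: 10.0.0.5 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 10.0.0.6 (fs01.corp.local)\tPorts: 445/open/tcp//microsoft-ds///
Host: 10.0.0.7 ()\tPorts: 445/closed/tcp//microsoft-ds///
"""


def demo(stripe: bool = False, seed: int = 7) -> List[Tuple[str, str]]:
    """Parse the samples and return (DOMAIN\\user, host) pairs as they would be queued."""
    creds = [parse_account(l) for l in SAMPLE_ACCOUNTS.splitlines() if l.strip()]
    hosts = hosts_from_gnmap(SAMPLE_GNMAP) + expand_servers("10.0.1.0/30")
    work = build_work(creds, hosts, stripe=stripe, rng=random.Random(seed))
    return [(f"{c.domain}\\{c.username}", h) for c, h in work]


if __name__ == "__main__":
    for who, host in demo(stripe=True):
        print(f"{who} -> {host}")
    print(f"sleep {jittered_delay(20, 10):.1f}s before the next attempt")
```

Run it once with `demo()` and once with `demo(stripe=True)` to see the difference in attempt count (12 versus 3 for the sample data); in a real engagement that difference is the number of login events each host's security log will record, which is why --stripe is the right first pass when you only need to know whether a dump is still valid.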
Changelog:
v2.3 – Updated with some additional features:
v2.0 – Initial release of CredNinja from the predecessor CredSwissArmy:
AND NOW THE COOL ADDITIONS
Coming Soon: