
Enumerating Active Directory


CTF link

Enumeration

Nmap

nmap -sV -A -O -vv 10.10.160.235 -oN nmap.txt
cat nmap.txt

# Nmap 7.80 scan initiated Sun Oct 16 16:04:51 2022 as: nmap -sV -A -O -vv -oN nmap.txt 10.10.160.235
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 10.10.160.235
Host is up, received echo-reply ttl 127 (0.092s latency).
Scanned at 2022-10-16 16:04:51 UTC for 321s
Not shown: 989 filtered ports
Reason: 989 no-responses
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain?       syn-ack ttl 127
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-10-16 16:05:05Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
TCP/IP fingerprint:
SCAN(V=7.80%E=4%D=10/16%OT=53%CT=%CU=%PV=Y%DS=2%DC=T%G=N%TM=634C2CE4%P=x86_64-pc-linux-gnu)
SEQ(SP=107%GCD=1%ISR=107%TI=I%II=I%SS=S%TS=U)
OPS(O1=M505NW8NNS%O2=M505NW8NNS%O3=M505NW8%O4=M505NW8NNS%O5=M505NW8NNS%O6=M505NNS)
WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)
ECN(R=Y%DF=Y%TG=80%W=FFFF%O=M505NW8NNS%CC=Y%Q=)
T1(R=Y%DF=Y%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=N)
T4(R=N)
U1(R=N)
IE(R=Y%DFI=N%TG=80%CD=Z)

Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 0s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 37354/tcp): CLEAN (Timeout)
|   Check 2 (port 25950/tcp): CLEAN (Timeout)
|   Check 3 (port 20371/udp): CLEAN (Timeout)
|   Check 4 (port 24661/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2022-10-16T16:07:36
|_  start_date: N/A

TRACEROUTE (using port 135/tcp)
HOP RTT       ADDRESS
1   30.11 ms  10.8.0.1
2   109.73 ms 10.10.160.235

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Oct 16 16:10:12 2022 -- 1 IP address (1 host up) scanned in 321.76 seconds

List of open ports and services

Port  Proto  Service         Version / role
53    tcp    domain?         DNS (no version banner; AD-integrated DNS on the DC)
88    tcp    kerberos-sec    Microsoft Windows Kerberos (server time: 2022-10-16 16:05:05Z)
135   tcp    msrpc           Microsoft Windows RPC
139   tcp    netbios-ssn     Microsoft Windows netbios-ssn
389   tcp    ldap            Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445   tcp    microsoft-ds?   SMB (no version banner; signing required, see smb2-security-mode above)
464   tcp    kpasswd5?       Kerberos password change (no version banner)
593   tcp    ncacn_http      Microsoft Windows RPC over HTTP 1.0
636   tcp    tcpwrapped      LDAPS (TLS, so no banner)
3268  tcp    ldap            Microsoft Windows Active Directory LDAP, Global Catalog (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269  tcp    tcpwrapped      LDAPS Global Catalog (TLS, so no banner)

Kerberos (88/464), LDAP (389/636) and the Global Catalog ports (3268/3269) open on the same host identify it as a domain controller.

Domain name

vulnnet-rst.local

The LDAP banner in the nmap output reads "vulnnet-rst.local0."; the trailing "0." is a common artifact of nmap's LDAP probe and is not part of the name. The enum4linux-ng output further down confirms the DNS domain vulnnet-rst.local and the FQDN WIN-2BO8M1OE1M1.vulnnet-rst.local. Note that the target was redeployed between the nmap scan and the following steps, so its address changes from 10.10.160.235 to 10.10.61.151.
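As an added example (not part of this writeup), a small Python parser for the nmap -oN output above: it extracts the open ports, names the ones nmap left as "tcpwrapped" or "kpasswd5?" by their Active Directory role, pulls the domain out of the LDAP banner while dropping the "0." artifact, and decides whether the host looks like a domain controller. The sample input is a constructed excerpt of the scan above; the DC_PORTS table and the "Kerberos + LDAP + SMB open together" rule are assumptions of this example, not something nmap reports.

```python
import re

# Constructed excerpt of the nmap -oN output shown above (port table and
# Service Info line only); added example data, not the full scan file.
SAMPLE_NMAP = """\
PORT     STATE SERVICE       REASON          VERSION
53/tcp   open  domain?       syn-ack ttl 127
88/tcp   open  kerberos-sec  syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2022-10-16 16:05:05Z)
135/tcp  open  msrpc         syn-ack ttl 127 Microsoft Windows RPC
139/tcp  open  netbios-ssn   syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp  open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds? syn-ack ttl 127
464/tcp  open  kpasswd5?     syn-ack ttl 127
593/tcp  open  ncacn_http    syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped    syn-ack ttl 127
3268/tcp open  ldap          syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: vulnnet-rst.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped    syn-ack ttl 127
Service Info: Host: WIN-2BO8M1OE1M1; OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Ports a domain controller exposes (assumed table for this example); nmap's
# own labels for several of them ("tcpwrapped", "kpasswd5?") say nothing,
# so we name them by port number instead.
DC_PORTS = {
    53: "DNS",
    88: "Kerberos (KDC)",
    389: "LDAP",
    445: "SMB",
    464: "Kerberos kpasswd",
    636: "LDAPS",
    3268: "Global Catalog LDAP",
    3269: "Global Catalog LDAPS",
}

PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|open\|filtered)\s+(\S+)\s*(.*)$")
# With -vv nmap inserts a REASON column ("syn-ack ttl 127") before VERSION.
REASON_PREFIX = re.compile(r"^\S+(?:\s+ttl\s+\d+)?\s*")
DOMAIN_RE = re.compile(r"Domain:\s*([^,)\s]+)")
HOST_RE = re.compile(r"Service Info: Host:\s*([^;\s]+)")


def parse_nmap_ports(text):
    """Return [{port, proto, state, service, version, role}] from nmap -oN text."""
    ports, has_reason = [], False
    for line in text.splitlines():
        if line.startswith("PORT"):
            has_reason = "REASON" in line  # header tells us whether -vv was used
            continue
        m = PORT_LINE.match(line)
        if not m:
            continue
        port, proto, state, service, rest = m.groups()
        version = REASON_PREFIX.sub("", rest, count=1) if has_reason else rest
        ports.append({
            "port": int(port), "proto": proto, "state": state,
            "service": service, "version": version.strip(),
            "role": DC_PORTS.get(int(port), service.rstrip("?")),
        })
    return ports


def ldap_domain(text):
    """AD domain from nmap's LDAP banner, minus the spurious trailing '0.'
    that nmap's LDAP probe appends to the name."""
    m = DOMAIN_RE.search(text)
    if not m:
        return None
    name = m.group(1)
    if name.endswith("0."):
        name = name[:-2]
    return name.rstrip(".").lower()


def dc_summary(text):
    """Decide whether the scanned host looks like a domain controller and
    list the DC ports that were not observed open."""
    ports = parse_nmap_ports(text)
    open_ports = {p["port"] for p in ports if p["state"] == "open"}
    host_m = HOST_RE.search(text)
    host = host_m.group(1) if host_m else None
    domain = ldap_domain(text)
    return {
        "domain": domain,
        "host": host,
        "fqdn": f"{host}.{domain}" if host and domain else None,
        # Kerberos + LDAP + SMB open on one host is the practical DC signature.
        "is_dc": {88, 389, 445}.issubset(open_ports),
        "missing_dc_ports": sorted(set(DC_PORTS) - open_ports),
    }


if __name__ == "__main__":
    for p in parse_nmap_ports(SAMPLE_NMAP):
        print(f"{p['port']:>5}/{p['proto']}  {p['role']:<22} {p['version']}")
    print(dc_summary(SAMPLE_NMAP))
```

Run it against your own nmap.txt by reading the file into `dc_summary`; an empty `missing_dc_ports` list together with `is_dc` being true is the cue to move on to SMB, Kerberos and LDAP enumeration rather than generic service probing.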

SMBCLIENT

smbclient --list 10.10.61.151
Enter WORKGROUP\someuser's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
        VulnNet-Business-Anonymous Disk      VulnNet Business Sharing
        VulnNet-Enterprise-Anonymous Disk      VulnNet Enterprise Sharing
SMB1 disabled -- no workgroup available

Kerbrute

kerbrute userenum --dc 10.10.61.151 -d 'vulnnet-rst.local' /usr/share/wordlists/seclists/Usernames/top-usernames-shortlist.tx
    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 10/16/22 - Ronnie Flathers @ropnop

2022/10/16 17:55:27 >  Using KDC(s):
2022/10/16 17:55:27 >   10.10.61.151:88

2022/10/16 17:55:28 >  [+] VALID USERNAME:       administrator@vulnnet-rst.local
2022/10/16 17:55:28 >  [+] VALID USERNAME:       guest@vulnnet-rst.local
2022/10/16 17:

GetNPUsers

GetNPUsers.py vulnnet-rst.local/ -dc-ip 10.10.61.151 -usersfile user
Impacket v0.10.1.dev1+20221010.112345.f94b47cf - Copyright 2022 SecureAuth Corporation

[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User guest doesn't have UF_DONT_REQUIRE_PREAUTH set

Enum4linux

enum4linux-ng -A 10.10.61.151
ENUM4LINUX - next generation

 ==========================
|    Target Information    |
 ==========================
[*] Target ........... 10.10.61.151
[*] Username ......... ''
[*] Random Username .. 'varuaaas'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)

 ====================================
|    Service Scan on 10.10.61.151    |
 ====================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp

 ====================================================
|    Domain Information via LDAP for 10.10.61.151    |
 ====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: vulnnet-rst.local

 ===========================================================
|    NetBIOS Names and Workgroup/Domain for 10.10.61.151    |
 ===========================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out

 =========================================
|    SMB Dialect Check on 10.10.61.151    |
 =========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
Supported dialects:
  SMB 1.0: false
  SMB 2.02: true
  SMB 2.1: true
  SMB 3.0: true
  SMB 3.1.1: true
Preferred dialect: SMB 3.0
SMB1 only: false
SMB signing required: true

 ===========================================================
|    Domain Information via SMB session for 10.10.61.151    |
 ===========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: WIN-2BO8M1OE1M1
NetBIOS domain name: VULNNET-RST
DNS domain: vulnnet-rst.local
FQDN: WIN-2BO8M1OE1M1.vulnnet-rst.local
Derived membership: domain member
Derived domain: VULNNET-RST

 =========================================
|    RPC Session Check on 10.10.61.151    |
 =========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user
[+] Server allows session using username 'varuaaas', password ''
[H] Rerunning enumeration with user 'varuaaas' might give more results

 ===================================================
|    Domain Information via RPC for 10.10.61.151    |
 ===================================================
[+] Domain: VULNNET-RST
[+] Domain SID: S-1-5-21-1589833671-435344116-4136949213
[+] Membership: domain member

 ===============================================
|    OS Information via RPC for 10.10.61.151    |
 ===============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '1809'
OS build: '17763'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null

 =====================================
|    Users via RPC on 10.10.61.151    |
 =====================================
[*] Enumerating users via 'querydispinfo'
[-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED
[*] Enumerating users via 'enumdomusers'
[-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED

 ======================================
|    Groups via RPC on 10.10.61.151    |
 ======================================
[*] Enumerating local groups
[-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED
[*] Enumerating builtin groups
[-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED
[*] Enumerating domain groups
[-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED

 ======================================
|    Shares via RPC on 10.10.61.151    |
 ======================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user

 =========================================
|    Policies via RPC for 10.10.61.151    |
 =========================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: session failed

 =========================================
|    Printers via RPC for 10.10.61.151    |
 =========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED

Completed after 16.93 seconds