Vault
┌──(kali㉿kali)-[~/PGP/Vault]
└─$ sudo nmap -Pn --script vuln vault.offsec
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-05 16:51 EST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for vault.offsec (192.168.187.172)
Host is up (0.064s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
Nmap done: 1 IP address (1 host up) scanned in 74.22 seconds
┌──(kali㉿kali)-[~/PGP/Vault]
└─$ crackmapexec smb vault.offsec -u 'guest' -p ''
SMB 192.168.187.172 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.187.172 445 DC [+] vault.offsec\guest:
┌──(kali㉿kali)-[~/PGP/Vault]
└─$ crackmapexec smb vault.offsec -u 'guest' -p '' --shares
SMB 192.168.187.172 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.187.172 445 DC [+] vault.offsec\guest:
SMB 192.168.187.172 445 DC [+] Enumerated shares
SMB 192.168.187.172 445 DC Share           Permissions     Remark
SMB 192.168.187.172 445 DC -----           -----------     ------
SMB 192.168.187.172 445 DC ADMIN$                          Remote Admin
SMB 192.168.187.172 445 DC C$                              Default share
SMB 192.168.187.172 445 DC DocumentsShare  READ,WRITE
SMB 192.168.187.172 445 DC IPC$            READ            Remote IPC
SMB 192.168.187.172 445 DC NETLOGON                        Logon server share
SMB 192.168.187.172 445 DC SYSVOL                          Logon server share
┌──(kali㉿kali)-[~/PGP/Vault]
└─$ crackmapexec smb vault.offsec -u 'guest' -p '' --rid-brute
SMB 192.168.187.172 445 DC [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB 192.168.187.172 445 DC [+] vault.offsec\guest:
SMB 192.168.187.172 445 DC [+] Brute forcing RIDs
SMB 192.168.187.172 445 DC 498: VAULT\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB 192.168.187.172 445 DC 500: VAULT\Administrator (SidTypeUser)
SMB 192.168.187.172 445 DC 501: VAULT\Guest (SidTypeUser)
SMB 192.168.187.172 445 DC 502: VAULT\krbtgt (SidTypeUser)
SMB 192.168.187.172 445 DC 512: VAULT\Domain Admins (SidTypeGroup)
SMB 192.168.187.172 445 DC 513: VAULT\Domain Users (SidTypeGroup)
SMB 192.168.187.172 445 DC 514: VAULT\Domain Guests (SidTypeGroup)
SMB 192.168.187.172 445 DC 515: VAULT\Domain Computers (SidTypeGroup)
SMB 192.168.187.172 445 DC 516: VAULT\Domain Controllers (SidTypeGroup)
SMB 192.168.187.172 445 DC 517: VAULT\Cert Publishers (SidTypeAlias)
SMB 192.168.187.172 445 DC 518: VAULT\Schema Admins (SidTypeGroup)
SMB 192.168.187.172 445 DC 519: VAULT\Enterprise Admins (SidTypeGroup)
SMB 192.168.187.172 445 DC 520: VAULT\Group Policy Creator Owners (SidTypeGroup)
SMB 192.168.187.172 445 DC 521: VAULT\Read-only Domain Controllers (SidTypeGroup)
SMB 192.168.187.172 445 DC 522: VAULT\Cloneable Domain Controllers (SidTypeGroup)
SMB 192.168.187.172 445 DC 525: VAULT\Protected Users (SidTypeGroup)
SMB 192.168.187.172 445 DC 526: VAULT\Key Admins (SidTypeGroup)
SMB 192.168.187.172 445 DC 527: VAULT\Enterprise Key Admins (SidTypeGroup)
SMB 192.168.187.172 445 DC 553: VAULT\RAS and IAS Servers (SidTypeAlias)
SMB 192.168.187.172 445 DC 571: VAULT\Allowed RODC Password Replication Group (SidTypeAlias)
SMB 192.168.187.172 445 DC 572: VAULT\Denied RODC Password Replication Group (SidTypeAlias)
SMB 192.168.187.172 445 DC 1000: VAULT\DC$ (SidTypeUser)
SMB 192.168.187.172 445 DC 1101: VAULT\DnsAdmins (SidTypeAlias)
SMB 192.168.187.172 445 DC 1102: VAULT\DnsUpdateProxy (SidTypeGroup)
SMB 192.168.187.172 445 DC 1103: VAULT\anirudh (SidTypeUser)