Vault

┌──(kali㉿kali)-[~/PGP/Vault]
└─$ sudo nmap -Pn --script vuln vault.offsec
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-05 16:51 EST
Pre-scan script results:
| broadcast-avahi-dos: 
|   Discovered hosts:
|     224.0.0.251
|   After NULL UDP avahi packet DoS (CVE-2011-1002).
|_  Hosts are all up (not vulnerable).
Nmap scan report for vault.offsec (192.168.187.172)
Host is up (0.064s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server

Host script results:
|_smb-vuln-ms10-054: false
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

Nmap done: 1 IP address (1 host up) scanned in 74.22 seconds
┌──(kali㉿kali)-[~/PGP/Vault]
└─$ crackmapexec smb vault.offsec -u 'guest' -p '' 
SMB         192.168.187.172 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB         192.168.187.172 445    DC               [+] vault.offsec\guest: 
┌──(kali㉿kali)-[~/PGP/Vault]
└─$ crackmapexec smb vault.offsec -u 'guest' -p '' --shares
SMB         192.168.187.172 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB         192.168.187.172 445    DC               [+] vault.offsec\guest: 
SMB         192.168.187.172 445    DC               [+] Enumerated shares
SMB         192.168.187.172 445    DC               Share           Permissions     Remark
SMB         192.168.187.172 445    DC               -----           -----------     ------
SMB         192.168.187.172 445    DC               ADMIN$                          Remote Admin
SMB         192.168.187.172 445    DC               C$                              Default share
SMB         192.168.187.172 445    DC               DocumentsShare  READ,WRITE      
SMB         192.168.187.172 445    DC               IPC$            READ            Remote IPC
SMB         192.168.187.172 445    DC               NETLOGON                        Logon server share 
SMB         192.168.187.172 445    DC               SYSVOL                          Logon server share 
┌──(kali㉿kali)-[~/PGP/Vault]
└─$ crackmapexec smb vault.offsec -u 'guest' -p '' --rid-brute
SMB         192.168.187.172 445    DC               [*] Windows 10.0 Build 17763 x64 (name:DC) (domain:vault.offsec) (signing:True) (SMBv1:False)
SMB         192.168.187.172 445    DC               [+] vault.offsec\guest: 
SMB         192.168.187.172 445    DC               [+] Brute forcing RIDs
SMB         192.168.187.172 445    DC               498: VAULT\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         192.168.187.172 445    DC               500: VAULT\Administrator (SidTypeUser)
SMB         192.168.187.172 445    DC               501: VAULT\Guest (SidTypeUser)
SMB         192.168.187.172 445    DC               502: VAULT\krbtgt (SidTypeUser)
SMB         192.168.187.172 445    DC               512: VAULT\Domain Admins (SidTypeGroup)
SMB         192.168.187.172 445    DC               513: VAULT\Domain Users (SidTypeGroup)
SMB         192.168.187.172 445    DC               514: VAULT\Domain Guests (SidTypeGroup)
SMB         192.168.187.172 445    DC               515: VAULT\Domain Computers (SidTypeGroup)
SMB         192.168.187.172 445    DC               516: VAULT\Domain Controllers (SidTypeGroup)
SMB         192.168.187.172 445    DC               517: VAULT\Cert Publishers (SidTypeAlias)
SMB         192.168.187.172 445    DC               518: VAULT\Schema Admins (SidTypeGroup)
SMB         192.168.187.172 445    DC               519: VAULT\Enterprise Admins (SidTypeGroup)
SMB         192.168.187.172 445    DC               520: VAULT\Group Policy Creator Owners (SidTypeGroup)
SMB         192.168.187.172 445    DC               521: VAULT\Read-only Domain Controllers (SidTypeGroup)
SMB         192.168.187.172 445    DC               522: VAULT\Cloneable Domain Controllers (SidTypeGroup)
SMB         192.168.187.172 445    DC               525: VAULT\Protected Users (SidTypeGroup)
SMB         192.168.187.172 445    DC               526: VAULT\Key Admins (SidTypeGroup)
SMB         192.168.187.172 445    DC               527: VAULT\Enterprise Key Admins (SidTypeGroup)
SMB         192.168.187.172 445    DC               553: VAULT\RAS and IAS Servers (SidTypeAlias)
SMB         192.168.187.172 445    DC               571: VAULT\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         192.168.187.172 445    DC               572: VAULT\Denied RODC Password Replication Group (SidTypeAlias)
SMB         192.168.187.172 445    DC               1000: VAULT\DC$ (SidTypeUser)
SMB         192.168.187.172 445    DC               1101: VAULT\DnsAdmins (SidTypeAlias)
SMB         192.168.187.172 445    DC               1102: VAULT\DnsUpdateProxy (SidTypeGroup)
SMB         192.168.187.172 445    DC               1103: VAULT\anirudh (SidTypeUser)
