MSRPC

# Nmap 7.92 scan initiated Thu Aug 11 16:17:32 2022 as: nmap -vv --reason -Pn -T4 -sV -p 135 --script=banner,msrpc-enum,rpc-grind,rpcinfo -oN /home/kali/Forest/results/10.10.10.161/scans/tcp135/tcp_135_rpc_nmap.txt -oX /home/kali/Forest/results/10.10.10.161/scans/tcp135/xml/tcp_135_rpc_nmap.xml 10.10.10.161
Nmap scan report for htb.local (10.10.10.161)
Host is up, received user-set (0.062s latency).
Scanned at 2022-08-11 16:17:33 EDT for 22s

PORT    STATE SERVICE REASON          VERSION
135/tcp open  msrpc   syn-ack ttl 127 Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap

64-BIT computer

Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Gathering OS architecture for 1 machines
[*] Socket connect timeout set to 2 secs
10.10.10.161 is 64-bit

A null session (no username or password) lists the domain users.

RPCEnum -i 10.10.10.161 -e All

[*] Enumerating Domain Users...

  +                       +
  | Users                 |
  +                       +
  | Administrator         |
  | Guest                 |
  | krbtgt                |
  | DefaultAccount        |
  | $331000-VK4ADACQNUCA  |
  | SM_2c8eef0a09b545acb  |
  | SM_ca8c2ed5bdab4dc9b  |
  | SM_75a538d3025e4db9a  |
  | SM_681f53d4942840e18  |
  | SM_1b41c9286325456bb  |
  | SM_9b69f1b9d2cc45549  |
  | SM_7c96b981967141ebb  |
  | SM_c75ee099d0a64c91b  |
  | SM_1ffab36a2f5f479cb  |
  | HealthMailboxc3d7722  |
  | HealthMailboxfc9daad  |
  | HealthMailboxc0a90c9  |
  | HealthMailbox670628e  |
  | HealthMailbox968e74d  |
  | HealthMailbox6ded678  |
  | HealthMailbox83d6781  |
  | HealthMailboxfd87238  |
  | HealthMailboxb01ac64  |
  | HealthMailbox7108a4e  |
  | HealthMailbox0659cc1  |
  | sebastien             |
  | lucinda               |
  | svc-alfresco          |
  | andy                  |
  | mark                  |
  | santi                 |
  +                       +

I ran the following command to try to make a list out of these users.

rpcclient -U "" <ip> -N -c "enumdomusers" | grep -oP '\[.*?\]' | grep "0x" -v | tr -d '[]' > userlist.txt

cat userlist.txt
Administrator
Guest
krbtgt
DefaultAccount
$331000-VK4ADACQNUCA
SM_2c8eef0a09b545acb
SM_ca8c2ed5bdab4dc9b
SM_75a538d3025e4db9a
SM_681f53d4942840e18
SM_1b41c9286325456bb
SM_9b69f1b9d2cc45549
SM_7c96b981967141ebb
SM_c75ee099d0a64c91b
SM_1ffab36a2f5f479cb
HealthMailboxc3d7722
HealthMailboxfc9daad
HealthMailboxc0a90c9
HealthMailbox670628e
HealthMailbox968e74d
HealthMailbox6ded678
HealthMailbox83d6781
HealthMailboxfd87238
HealthMailboxb01ac64
HealthMailbox7108a4e
HealthMailbox0659cc1
sebastien
lucinda
svc-alfresco
andy
mark
santi
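The pipeline above extracts every bracketed field and then discards any that contains "0x", so an account whose name itself contains "0x" would be silently lost from the inventory. The following is an added example, not part of the original notes: it parses the `user:[NAME] rid:[0xHEX]` lines by field instead. The sample lines, their RIDs and the account name `box0x1` are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of enumdomusers output (format: user:[NAME] rid:[0xHEX]).
# RIDs are illustrative; "box0x1" is an invented name that contains "0x".
sample_output() {
cat <<'EOF'
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[svc-alfresco] rid:[0x47b]
user:[box0x1] rid:[0x1db1]
EOF
}

# The pipeline from the notes, reading stdin instead of calling rpcclient.
# It drops every bracketed field containing "0x", RID or not.
page_pipeline() {
  grep -oP '\[.*?\]' | grep "0x" -v | tr -d '[]'
}

# Field-anchored parse: only the user:[...] field is taken, and only from
# lines that also carry a well-formed rid:[0x...] field.
parse_users() {
  sed -n 's/^user:\[\(.*\)\] rid:\[0x[0-9a-fA-F]*\].*/\1/p'
}

# Same parse, but keep the name paired with its RID (tab separated), so the
# account can still be identified by RID later.
parse_users_with_rid() {
  tab=$(printf '\t')
  sed -n "s/^user:\[\(.*\)\] rid:\[\(0x[0-9a-fA-F]*\)\].*/\1${tab}\2/p"
}

# Print the paired listing for the constructed sample.
sample_output | parse_users_with_rid
```

On the constructed sample, `page_pipeline` returns three names while `parse_users` returns all four.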
