setprinterdata Set REG_SZ printer data Custom wordlist. What permissions must be assigned to the newly created directories? In the demonstration, the user with RID 0x1f4 was enumerated regarding their password properties. Obviously the SIDs are different but you can still pull down the usernames and start bruteforcing those other open services. If proper privileges are assigned, it is also possible to delete a user using rpcclient. Running something like ngrep -i -d tap0 's.?a.?m.?b.?a. After the user details and the group details, another piece of information that can help an attacker who has retained the initial foothold on the domain is the Privileges. | IDs: CVE:CVE-2017-0143 To enumerate the shares manually you might want to look for responses like NT_STATUS_ACCESS_DENIED and NT_STATUS_BAD_NETWORK_NAME, when using a valid session (e.g. Code & Process Injection. The below shows a couple of things. It is a software protocol that allows applications, PCs, and Desktops on a local area network (LAN) to communicate with network hardware and to transmit data across the network. 1. Cracking Password. Password attack (Brute-force) Brute-force service password. Hence, the credentials were successfully enumerated and the account can be taken over now. On most Linuxes, we have tab auto-complete of commands, which extends into rpcclient commands. May need to run a second time for success. getdcname Get trusted DC name The policies that are applied on a Domain are also dictated by the various groups that exist.
lookupnames Convert names to SIDs 139/tcp open netbios-ssn The Windows library URLMon.dll automatically tries to authenticate to the host when a page tries to access some content via SMB, for example: Which are used by some browsers and tools (like Skype), From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html, Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can elicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. If you get credentials, you can re-run to show new access: nmap --script smb-enum-shares -p 139,445 [ip]. |_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug) rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2004 As with lsaenumsid, it was possible to extract the SID but it was not possible to tell which user has that SID. | account_used: guest INet~Services <1c> - M rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1012 The tool that we will be using for all the enumerations and manipulations will be rpcclient. rpcclient $> netshareenum -I, --dest-ip=IP Specify destination IP address, Help options C$ NO ACCESS rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2003 lsalookupprivvalue Get a privilege value given its name Usage: rpcclient [OPTION] enumdomusers Enumerate domain users List of SMB versions and corresponding Windows versions: SMB1 Windows 2000, XP and Windows 2003. null session or valid credentials). See examples in the previous section. Moving on, in the same way, they can query info about specific AD users: Enumerate the current user's privileges and many more (consult rpcclient for all available commands): Finally, of course they can run nmap if needed: Impacket provides even more tools to enumerate remote systems through compromised boxes. 631 - Internet Printing Protocol (IPP) 873 - Pentesting Rsync.
-P, --machine-pass Use stored machine account password -z $2 ]; then rport=$2; else rport=139; fi, tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' rpcclient -U "" 192.168.1.100 rpcclient $> querydominfo SecureAuthCorp/impacket, https://www.cobaltstrike.com/help-socks-proxy-pivoting. Depending on the user's privileges, it is possible to change the password using the chgpasswd command. With an anonymous null session you can access the IPC$ share and interact with services exposed via named pipes. querygroup Query group info Second - the attacker opens a socks4 proxy on port 7777 on his local kali machine (10.0.0.5) by issuing: This means that the attacker can now use proxychains to proxy traffic from their kali box through the beacon to the target (attacker ---> beacon ---> end target). password: rpcclient $> srvinfo In general, rpcclient can be used to connect to the SMB protocol as well. There are times where these share folders may contain sensitive or confidential information that can be used to compromise the target. rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1005 During that time, the designers of rpcclient might have been clueless about the importance of this tool as a penetration testing tool. timeout connecting to 192.168.182.36:445 Host is up (0.037s latency). Common share names for Windows targets are, You can try to connect to them by using the following command, # null session to connect to a windows share, # authenticated session to connect to a windows share (you will be prompted for a password), "[+] creating a null session is possible for, # no output if command goes through, thus assuming that a session was created, # echo error message (e.g. The article is focused on Red Teamers but Blue Teamers and Purple Teamers can also use these commands to test the security configurations they deployed.
| Comment: adddriver Add a print driver smbmap -u '' -p '' -H $ip # similar to crackmapexec --shares, smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip, smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -r # list top level dir, smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -R # list everything recursively, smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '. The next command to demonstrate is lookupsids. There was a Forced Logging off on the Server and other important information. certcube provides a detailed guide to OSCP enumeration with a step-by-step OSCP enumeration cheatsheet. S-1-5-21-1835020781-2383529660-3657267081-1000 LEWISFAMILY\root (1) lookupsids Convert SIDs to names result was NT_STATUS_NONE_MAPPED. [STATUS] 29.00 tries/min, 29 tries in 00:01h, 787 todo in 00:28h --------------- ---------------------- The ability to enumerate individually is not limited to groups but also extends to users. | \\[ip]\IPC$: The next command that can be used via rpcclient is querydominfo. | grep -oP 'UnixSamba. To enumerate a particular user from rpcclient, the queryuser command must be used. Active Directory & Kerberos Abuse. S-1-5-21-1835020781-2383529660-3657267081-1005 LEWISFAMILY\kmem (2) Server Message Block (SMB) is a client-server protocol that regulates access to files and entire directories and other network resources such as printers, routers, or interfaces released for the network. The main application area of the protocol has been the Windows operating system series in particular, whose network services support SMB in a downward-compatible manner - which means that . getprinter Get printer info The name is derived from the enumeration of domain groups.
This lab shows how it is possible to bypass command-line argument logging when enumerating Windows environments, using Cobalt Strike and its socks proxy (or any other post-exploitation tool that supports socks proxying). It may be possible that you are restricted from displaying any shares of the host machine, and when you try to list them it appears as if there aren't any shares to connect to. It can be used on the rpcclient shell that was generated to enumerate information about the server. lookupdomain Lookup Domain Name | Comment: Default share lewis S-1-5-21-1835020781-2383529660-3657267081-2002 (User: 1) In this article, we were able to enumerate a wide range of information through the SMB and RPC channel inside a domain using the rpcclient tool. That narrows the version that the attacker might be looking at to Windows 10, Windows Server 2016, and Windows Server 2019. Microsoft Remote Procedure Call, also known as a function call or a subroutine call, is a protocol that uses the client-server model in order to allow one program to request service from a program on another computer without having to understand the details of that computer's network. querygroupmem Query group membership You get the idea, it was pretty much the same for the Ubuntu guy except that his user accounts were -3000.
nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24, nmap --script smb-enum-shares -p 139,445 $ip, smbclient -L //10.10.10.3/ --option='client min protocol=NT1', # if getting error "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED", SAMBA 3.x-4.x # vulnerable to linux/samba/is_known_pipename, SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename, nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip, nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip, nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip, nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip, Windows NT, 2000, and XP (most SMB1) - VULNERABLE: Null Sessions can be created by default, Windows 2003, and XP SP2 onwards - NOT VULNERABLE: Null Sessions can't be created by default. Wordlist dictionary. Since we already performed the enumeration of such data before in the article, we will enumerate using enumdomgroup and enumdomusers and the query-oriented commands in this demonstration. Since we performed enumeration on different users, it is only fair to extend this to various groups as well. root S-1-5-21-1835020781-2383529660-3657267081-1000 (User: 1) object in the NAME_DOMAIN.LOCAL domain and you will never see this paired value tied to another object in this domain or any other. It also includes the commands that I used on platforms such as Vulnhub and Hack the Box. When used with the builtin parameter, it shows all the built-in groups by their alias names as demonstrated below.
samsync Sam Synchronisation Disk Permissions While Port 139 is known technically as NBT over IP, Port 445 is SMB over IP. CTF solutions, malware analysis, home lab development, Looking up status of [ip] password: The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network. Enum4linux is a Linux alternative to enum.exe and is used to enumerate data from Windows and Samba hosts.