SMB Enumeration (Ports 139, 445) and rpcclient

Compiled from: PWK Notes: SMB Enumeration Checklist [Updated] (0xdf hacks stuff); the HackTricks SMB page (https://book.hacktricks.xyz/pentesting/pentesting-smb); SMB and (MS)RPC from the OSCP Playbook; SMB Enumeration (Port 139, 445) - OSCP Notes (GitBook); OSCP Enumeration Cheatsheet (CertCube Labs); Pentesting Cheatsheets (Red Team Notes); Password Spraying & Other Fun with RPCCLIENT (Black Hills Information Security); and the rpcclient walkthrough by Raj Chandel (March 8, 2021). The OSCP Playbook author adds: "These notes are not in the context of any machines I had during the OSCP lab or exam. This is purely my experience with CTFs, Tryhackme, Vulnhub, and Hackthebox prior to enrolling in OSCP." 0xdf: "With some input from the NetSecFocus group, I'm building out an SMB enumeration check list here."

1. Background

Server Message Block (SMB) is the file, printer and inter-process sharing protocol used by Windows and by Samba on Unix-like systems. Port 139 is technically NBT over IP (NetBIOS over TCP); port 445 is SMB directly over IP. Most of the enumeration on this page is really MSRPC: RPC is a low-level inter-process communication mechanism in which one process (the client) makes requests of another (the server), and it reaches a remote host over SMB named pipes through the IPC$ share. rpcclient, which most of this page is about, talks to the SAMR, LSARPC, SRVSVC, SPOOLSS, NETLOGON and DFS interfaces that way. SAMR in particular exposes the Security Account Manager database, where the server stores user and password-related information.

A null session is a connection to a Samba or SMB server that does not require authentication with a password. Hosts that still allow null sessions are not very common nowadays, but it is worth a try whenever you see SMB:

    Windows NT, 2000, and XP (most SMB1)   - VULNERABLE:     null sessions can be created by default
    Windows 2003, and XP SP2 onwards       - NOT VULNERABLE: null sessions can't be created by default

Even where a true null session is refused, you can try without a password (or sending a blank password) and the guest account, and still potentially connect.

2. Finding SMB hosts and shares

    nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24
    nmap --script smb-enum-shares -p 139,445 $ip
    smbclient -L //10.10.10.3/ --option='client min protocol=NT1'
    # use the option above if you get "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED"

Typical nmap output:

    Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:37 EDT
    PORT    STATE SERVICE
    139/tcp open  netbios-ssn
    ...
    MAC Address: 00:50:56:XX:XX:XX

Typical smbclient -L output (an OS X Samba host in this case; the server-type column shows what the server advertises):

    Sharename       Type      Comment
    ---------       ----      -------
    ADMIN$          Disk      Remote Admin
    IPC$            IPC       IPC Service (Mac OS X)
    Server               Comment
    ---------            -------
    LEWISFAMILY          Wk Sv PrQ Unx NT SNT Mac OS X

Inside an smbclient session, ls/du report things like "794699 blocks available"; nmap's smb-enum-shares adds per-share details such as "Comment: Default share" and "path: C:\tmp".

3. Identifying the version

The version matters because it decides which exploits apply:

    SAMBA 3.x-4.x   # vulnerable to linux/samba/is_known_pipename
    SAMBA 3.5.11    # vulnerable to linux/samba/is_known_pipename

If this information does not appear in the other tools you use, you might have to use Wireshark or tcpdump to inspect the packets: Samba sends its "Unix" / "Samba x.y.z" strings in the SMB1 Session Setup response. rewardone in the PWK forums posted a neat script to grab them (smbver.sh):

    #!/bin/sh
    # Usage: ./smbver.sh RHOST {RPORT}
    # Requires root or enough permissions to use tcpdump
    # Will listen for the first 7 packets of a null login
    # Will sometimes not capture or will print multiple. May need to run a second time for success.
    if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
    if [ ! -z $2 ]; then rport=$2; else rport=139; fi
    tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.'

Only the capture half of the script survives in this copy: while it is listening, trigger the null login from a second shell (for example smbclient -L $rhost -N). When you run this against a box running Samba, you get the version string back. When in doubt, check the SMB version in a PCAP. Metasploit's version scanners can also be run without an interactive console (sourced from https://github.com/carlospolop/legion):

    msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'

0xdf's #1 SMB tip: if the exploit you're using fails despite the target appearing vulnerable, reset the machine and try again.

4. Nmap NSE scripts

    nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip
    nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip
    nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip
    nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip

    # SMB vuln scan with nmap (specific)
    nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}
    # SMB vuln scan with nmap (less specific)
    nmap --script smb-vuln* -Pn -p 139,445 {IP}

unsafe=1 enables checks that nmap documents as able to crash the target service; do not use it where availability matters. Sample findings look like:

    | smb-vuln-ms17-010:
    |   VULNERABLE:
    |     State: VULNERABLE
    |     Risk factor: HIGH
    |_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug)

5. Null-session and authenticated checks

HackTricks' list of commands to run, in order, every time an SMB port is open. Without credentials:

    smbclient -N //{IP}/ --option="client min protocol"=LANMAN1
    crackmapexec smb {IP} --pass-pol -u "" -p ""
    crackmapexec smb {IP} --pass-pol -u "guest" -p ""
    GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all
    GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat
    GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/"

With credentials:

    smbmap -H {IP} -u {Username} -p {Password}
    smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}
    smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`
    crackmapexec smb {IP} -u {Username} -p {Password} --shares
    GetADUsers.py {Domain_Name}/{Username}:{Password} -all
    GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat
    GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request

Hashes work as well as passwords: smbclient takes the NT hash with --pw-nt-hash, and the Impacket tools take -hashes LMHASH:NTHASH (a pair such as 1a3487d42adaa12332bdb34a876cb7e6:1a3487d42adaa12332bdb34a876cb7e6).

0xdf's update of 2018-12-02: "I just learned about smbmap, which is just great." Its output looks like:

    [+] Finding open SMB ports....
    [+] User SMB session established on [ip]
    [+] IP: [ip]:445  Name: [ip]
        Disk        Permissions   Comment
        IPC$        NO ACCESS

6. Brute forcing

    hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb
    hydra -l lewis -P common-passwords.txt 192.168.182.36 smb -V

Check the password policy first (the crackmapexec --pass-pol commands above): guessing against domain accounts with a lockout threshold locks them out.

7. rpcclient

rpcclient was designed to perform debugging and troubleshooting tasks on a Samba configuration, but the same RPC calls make it a first-class enumeration tool. Running it with no options prints the usage:

    Usage: rpcclient [OPTION]
    GENERAL OPTIONS
      -c, --command=COMMANDS              Execute semicolon separated cmds
      -l, --log-basename=LOGFILEBASE      Basename for log/debug files
      -O, --socket-options=SOCKETOPTIONS  socket options to use
      -s, --configfile=CONFIGFILE         Use alternative configuration file

To begin, establish a null session (press Enter at the password prompt):

    SegFault:~ cg$ rpcclient -U "" 192.168.182.36
    rpcclient $>

Try "help" to get a list of possible commands. The ones that matter for enumeration, by interface:

    LSARPC:   lookupnames, lookupsids, lookupdomain (Lookup Domain Name), lsaquerysecobj, lsaenumsid,
              lsaenumprivaccount, lsaaddacctrights (Add rights to an account), enumprivs (Enumerate privileges),
              getdcname (Get trusted DC name)
    SAMR:     enumdomusers, querydispinfo, enumdomgroups (Enumerate domain groups), querydominfo (Query domain info),
              samlookuprids, createdomuser, setuserinfo2, deletedomuser
    SRVSVC:   netshareenum, netshareenumall
    SPOOLSS:  enumdrivers (Enumerate installed printer drivers), getprinter (Get printer info), openprinter (Open printer handle),
              enumdata (Enumerate printer data), enumkey (Enumerate printer keys), setprinterdata (Set REG_SZ printer data),
              setdriver (Set printer driver), setform (Set form), deldriverex (Delete a printer driver with files)
    DFS:      dfsenum (Enumerate dfs shares), dfsremove (Remove a DFS share)
    NETLOGON: logonctrl (Logon Control), logonctrl2 (Logon Control 2)
    DSSETUP:  dsroledominfo
    ECHO:     echodata (Echo data), sourcedata (Source data)
    GENERAL:  exit (Exit program)

Domain information. querydominfo returns the domain's basic settings; dsroledominfo returns the primary domain information, such as the role of the machine and whether the domain is in native mode. lsaquerysecobj queries the security descriptor of the LSA policy object; in Raj Chandel's demonstration the LSA query returned the Domain Name (IGNITE) and its SID (lsaquery is the command that prints those two values).

Users. enumdomusers, whose name is derived from "enumerate domain users", lists every account with its RID. In the demonstration the users included Administrator, yashika, aarti, raj and Pavan. querydispinfo elaborates on that list with display information, and the account with RID 0x1f4 was then queried for its password properties. Users can also be created, given a password and removed: in the demonstration the user "hacker" was created with createdomuser, its password was set with setuserinfo2, and it was removed with deletedomuser; enumdomusers verifies each step. The ability to manipulate accounts does not end there: rpcclient can create groups too.

Groups. enumdomgroups lists the domain groups, which helps the attacker plan a route to Administrator or other elevated access. Used with the builtin parameter, the alias-group enumeration command (enumalsgroups builtin) shows the built-in groups by their alias names. Group lookups take the group name as a parameter, exactly like user lookups.

SIDs and RIDs. lookupnames turns a name into its SID; lookupsids turns a SID back into the name, domain and type of the account it belongs to; samlookuprids takes a RID and returns the matching username. The RID is the last sub-authority of the SID, and rpcclient prints it in hexadecimal, so rid:[0x1f4] is RID 500, the built-in Administrator. Well-known SIDs resolve too: passing S-1-1-0 to lookupsids shows that it is the group Everyone. The number in parentheses after a resolved name is the SID type (1 = user, 2 = group).

Privileges. enumprivs lists the privileges the server knows ("found 5 privileges", e.g. SeMachineAccountPrivilege 0:6 (0x0:0x6)). lsaenumsid lists the SIDs held in the LSA policy; passing one of them to lsaenumprivaccount shows the privileges assigned to that SID, with their high part, low part and attribute. These privileges help the attacker plan privilege escalation on the domain, and lsaaddacctrights (and its remove counterpart) can add a privilege to a SID or strip it from a user altogether.

Shares and printers. netshareenum lists shares with their remarks (for example "remark: IPC Service (Mac OS X)"); netshareenumall lists all of them, and smbclient will then attempt to connect to a share. enumdrivers enumerates the installed printer drivers via SPOOLSS.

Non-Windows hosts. Using rpcclient we can enumerate usernames on other operating systems just like on Windows. Against an OS X Samba server:

    rpcclient $> lookupnames lewis
    rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1015
    S-1-5-21-1835020781-2383529660-3657267081-1015 LEWISFAMILY\bin (2)
    rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1002
    S-1-5-21-1835020781-2383529660-3657267081-1002 LEWISFAMILY\daemon (1)
    S-1-5-21-1835020781-2383529660-3657267081-1005 LEWISFAMILY\kmem (2)
    S-1-5-21-1835020781-2383529660-3657267081-1007 LEWISFAMILY\sys (2)
    S-1-5-21-1835020781-2383529660-3657267081-1009 LEWISFAMILY\tty (2)
    S-1-5-21-1835020781-2383529660-3657267081-2002 LEWISFAMILY\user (1)

RIDs with no account behind them (for example -1008, -1012 or -2003 here) come back as "result was NT_STATUS_NONE_MAPPED". Obviously the SIDs are different from a Windows domain's, but you can still pull down the usernames and start brute-forcing those other open services (the hydra run above uses lewis). It was pretty much the same for an Ubuntu box, except that its user accounts were in the -3000 range.

8. rpcclient through a SOCKS proxy

The Red Team Notes lab shows how to bypass command-line argument logging when enumerating Windows environments, using Cobalt Strike and its socks proxy (or any other post-exploitation tool that supports socks proxying): the enumeration tooling runs on the attacker's own machine, so no command line is ever executed on the compromised host. The attacker uses proxychains to proxy traffic from their Kali box through the beacon to the target (attacker ---> beacon ---> end target). Once proxychains is configured, the same rpcclient queries run through the beacon: enumerate the AD environment, query info about specific AD users, enumerate the current user's privileges and more (consult rpcclient's help for all available commands). nmap can be run the same way if needed, and Impacket provides even more tools to enumerate remote systems through compromised boxes.
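The SID and RID handling described in the rpcclient section above, as an added example that is not code from any of the pages collected here. It parses constructed samples of enumdomusers and lookupsids output (the formats rpcclient prints), converts the hex RIDs, labels well-known RIDs, converts between string and binary SIDs, and builds a RID-cycling rpcclient -c command line. Nothing here touches the network; the target address and RID range in the usage line are placeholders.

```python
"""SID/RID helpers for rpcclient-driven enumeration (added example)."""
import re

# Well-known RIDs (the last sub-authority of a domain SID). RIDs of 1000 and
# above are accounts created after the domain was set up.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    519: "Enterprise Admins", 520: "Group Policy Creator Owners",
}

# SID_NAME_USE values: the number lookupsids prints in parentheses.
SID_TYPES = {1: "User", 2: "Group", 3: "Domain", 4: "Alias", 5: "WellKnownGroup",
             6: "DeletedAccount", 7: "Invalid", 8: "Unknown", 9: "Computer"}

# Constructed sample of `rpcclient $> enumdomusers` output.
ENUMDOMUSERS_SAMPLE = """\
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[yashika] rid:[0x3e8]
user:[raj] rid:[0x452]
"""

# Constructed sample of `rpcclient $> lookupsids` output, including an unmapped SID.
LOOKUPSIDS_SAMPLE = """\
S-1-5-21-1835020781-2383529660-3657267081-1002 LEWISFAMILY\\daemon (1)
S-1-5-21-1835020781-2383529660-3657267081-1005 LEWISFAMILY\\kmem (2)
S-1-1-0 \\Everyone (5)
result was NT_STATUS_NONE_MAPPED
"""

_USER_RE = re.compile(r"user:\[(?P<name>[^\]]*)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
_SID_RE = re.compile(r"^(?P<sid>S-1-\d+(?:-\d+)+)\s+(?P<dom>[^\\\s]*)\\(?P<name>.+?)\s+\((?P<type>\d+)\)\s*$")


def parse_enumdomusers(text):
    """Return {username: rid} with rpcclient's hex RIDs converted to integers."""
    return {m["name"]: int(m["rid"], 16) for m in _USER_RE.finditer(text)}


def parse_lookupsids(text):
    """Return [(sid, domain, name, sid_type)] for every SID lookupsids resolved.
    Lines such as 'result was NT_STATUS_NONE_MAPPED' are skipped."""
    out = []
    for line in text.splitlines():
        m = _SID_RE.match(line.strip())
        if m:
            out.append((m["sid"], m["dom"], m["name"], int(m["type"])))
    return out


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def sid_to_bytes(sid):
    """Encode a string SID in the binary layout AD/LDAP and the registry use:
    revision, sub-authority count, 6-byte big-endian identifier authority,
    then each sub-authority as a 32-bit little-endian integer."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def bytes_to_sid(data):
    """Inverse of sid_to_bytes, rejecting lengths that disagree with the count byte."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match length")
    authority = int.from_bytes(data[2:8], "big")
    subs = [int.from_bytes(data[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def describe_users(enum_text):
    """Label each enumerated user with what its RID implies: {name: (rid, label)}."""
    result = {}
    for name, rid in parse_enumdomusers(enum_text).items():
        label = WELL_KNOWN_RIDS.get(rid, "created account" if rid >= 1000 else "other built-in")
        result[name] = (rid, label)
    return result


def rid_cycle_command(target, domain_sid, rids, user=""):
    """Build one rpcclient invocation that resolves a RID range with lookupsids,
    using -c's semicolon-separated command list and -N for a null session.
    Only the command string is built; nothing is executed."""
    cmds = ";".join("lookupsids %s-%d" % (domain_sid, r) for r in rids)
    return "rpcclient -U '%s' -N %s -c '%s'" % (user, target, cmds)


if __name__ == "__main__":
    for name, (rid, label) in describe_users(ENUMDOMUSERS_SAMPLE).items():
        print("%-16s rid=%-5d %s" % (name, rid, label))
    for sid, dom, name, t in parse_lookupsids(LOOKUPSIDS_SAMPLE):
        print(sid, dom, name, SID_TYPES.get(t, "?"))
    dom_sid, _ = split_sid("S-1-5-21-1835020781-2383529660-3657267081-1002")
    print(rid_cycle_command("192.168.182.36", dom_sid, range(1000, 1004)))  # placeholder target
```

The RID-cycling command is how you "pull down the usernames" on a host that refuses enumdomusers but still answers lookupsids over a null session: take the domain SID from lookupnames on any known name, then walk the RIDs from 500 and from 1000 upwards.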
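The version-identification trick in section 3 (tcpdump plus grep for "Samba") works because the SMB1 Session Setup AndX response carries Native OS, Native LAN Manager and Primary Domain strings. The following added example, which is not code from any of the pages collected here, builds such a response from constructed values so it runs offline and then parses it the way a capture-based checker would; pass real bytes (the TCP payload starting at the NetBIOS session header) to the parser instead. It also shows why forcing an SMB1 dialect on the client helps: SMB2/3 responses carry no such banner, and the parser rejects them instead of guessing.

```python
"""Extract the OS / LAN Manager banner from an SMB1 Session Setup AndX response (added example)."""
import re
import struct

SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_FLAGS_REPLY = 0x80        # Flags: message is a server response
SMB_FLAGS2_UNICODE = 0x8000   # Flags2: strings are UTF-16LE
SMB_SETUP_GUEST = 0x0001      # Action: server logged us on as guest


def _smb_string(text, unicode):
    """SMB_STRING: UTF-16LE with a 2-byte terminator, or OEM/ASCII with a 1-byte one."""
    if unicode:
        return text.encode("utf-16-le") + b"\x00\x00"
    return text.encode("ascii") + b"\x00"


def build_session_setup_response(native_os, native_lanman, domain, unicode=True, guest=False):
    """Construct a minimal, well-formed SMB1 Session Setup AndX response
    (WordCount 3, no extended security) inside a NetBIOS session message."""
    flags2 = SMB_FLAGS2_UNICODE if unicode else 0
    header = (b"\xffSMB" + bytes([SMB_COM_SESSION_SETUP_ANDX])
              + struct.pack("<IBHH", 0, SMB_FLAGS_REPLY, flags2, 0)  # Status, Flags, Flags2, PIDHigh
              + b"\x00" * 8                                          # SecurityFeatures
              + struct.pack("<HHHHH", 0, 0, 0, 0, 0))                # Reserved, TID, PIDLow, UID, MID
    action = SMB_SETUP_GUEST if guest else 0
    # WordCount=3, AndXCommand=0xFF (none), AndXReserved, AndXOffset, Action
    params = struct.pack("<BBBHH", 3, 0xFF, 0, 0, action)
    offset = len(header) + len(params) + 2          # start of string data, relative to the SMB header
    pad = b"\x00" if unicode and offset % 2 else b""  # Unicode strings start on a 16-bit boundary
    data = pad + b"".join(_smb_string(s, unicode) for s in (native_os, native_lanman, domain))
    smb = header + params + struct.pack("<H", len(data)) + data
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session message header


def _read_smb_string(buf, off, end, unicode):
    """Read one null-terminated SMB_STRING at off; return (text, next_off)."""
    if unicode:
        i = off
        while i + 1 < end and buf[i:i + 2] != b"\x00\x00":
            i += 2
        if i + 1 >= end:
            raise ValueError("unterminated UTF-16 string")
        return buf[off:i].decode("utf-16-le"), i + 2
    i = buf.find(b"\x00", off, end)
    if i < 0:
        raise ValueError("unterminated string")
    return buf[off:i].decode("latin-1"), i + 1


def parse_session_setup_response(pkt):
    """Return the banner fields of an SMB1 Session Setup AndX response.
    Raises ValueError for anything else, including truncated data."""
    if len(pkt) < 4 or pkt[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    smb = pkt[4:4 + int.from_bytes(pkt[1:4], "big")]
    if len(smb) < 33 or smb[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 message (SMB2/3 carries no OS banner)")
    command, flags = smb[4], smb[9]
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    if command != SMB_COM_SESSION_SETUP_ANDX or not flags & SMB_FLAGS_REPLY:
        raise ValueError("not a Session Setup AndX response")
    unicode = bool(flags2 & SMB_FLAGS2_UNICODE)
    word_count = smb[32]
    if word_count not in (3, 4):
        raise ValueError("unexpected WordCount %d" % word_count)
    off = 33 + 2 * word_count
    if len(smb) < off + 2:
        raise ValueError("truncated parameter block")
    action = struct.unpack_from("<H", smb, 37)[0]
    byte_count = struct.unpack_from("<H", smb, off)[0]
    off += 2
    end = off + byte_count
    if end > len(smb):
        raise ValueError("ByteCount exceeds message length")
    if word_count == 4:  # extended security: skip the SPNEGO blob (length at offset 39)
        off += struct.unpack_from("<H", smb, 39)[0]
    if unicode and off % 2:
        off += 1
    fields = []
    for _ in range(3):
        text, off = _read_smb_string(smb, off, end, unicode)
        fields.append(text)
    return {"native_os": fields[0], "native_lanman": fields[1], "domain": fields[2],
            "unicode": unicode, "guest": bool(action & SMB_SETUP_GUEST)}


def samba_version(native_lanman):
    """Return 'X.Y.Z' from a Samba LAN Manager string, or None if it is not Samba."""
    m = re.search(r"\bSamba\s+(\d+(?:\.\d+)+)", native_lanman)
    return m.group(1) if m else None


if __name__ == "__main__":
    sample = build_session_setup_response("Unix", "Samba 3.5.11", "LEWISFAMILY")  # constructed
    info = parse_session_setup_response(sample)
    print(info, "->", samba_version(info["native_lanman"]))
```

In Wireshark the same fields are smb.native_os and smb.native_lanman; the script in section 3 simply greps the raw bytes for them. A version string is a hint, not proof: Samba packages are often patched without the version changing, so confirm with a vulnerability check before relying on it.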