$ nmap -sC -sV -Pn -oN nmap 10.10.10.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-24 15:53 +08
Nmap scan report for 10.10.10.175
Host is up (0.012s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Egotistical Bank :: Home
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-05-24 14:48:04Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: EGOTISTICAL-BANK.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
Service Info: Host: SAUNA; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 6h54m24s
| smb2-time:
| date: 2024-05-24T14:48:06
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.14 seconds
Initial Access
enum4linux
Anonymous
Guest
LDAP Enumeration
Port 80
There is a website on port 80, but there is not much on it, and directory enumeration returns no results either.
AS-REP Roasting
We can try to build a list of candidate usernames from the names shown on the website.
However, because of the clock skew nmap reported between our host and the domain controller, Kerberos requests have to be sent using the DC's time.
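An added Python example, not part of the write-up: it converts the clock-skew value nmap prints into seconds and checks it against the default 5-minute Kerberos tolerance, then shows the defender-side counterparts of this step, auditing which accounts have Kerberos pre-authentication disabled (userAccountControl bit 0x400000) and flagging event 4768 entries with pre-auth type 0 and an RC4 ticket. The account records and log lines are constructed; the log line layout is an assumption, not a real Windows export format.

```python
import re

# AD/Kerberos constants; the records and log lines further down are constructed sample data
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl: "Do not require Kerberos preauthentication"
RC4_HMAC = 0x17                      # etype 23, the encryption type AS-REP roasting tools request
KRB_MAX_SKEW_SECONDS = 300           # default KDC clock tolerance (5 minutes)

SKEW_RE = re.compile(r"(-)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?$")
EVENT_RE = re.compile(r"EventID=(\d+)\s+TargetUserName=(\S+)\s+PreAuthType=(\d+)\s+"
                      r"TicketEncryptionType=(0x[0-9a-fA-F]+)")

def skew_seconds(nmap_value):
    """Convert nmap's clock-skew string (e.g. '6h54m24s' or '-1m5s') into signed seconds."""
    sign, h, m, s = SKEW_RE.search(nmap_value.strip()).groups()
    total = int(h or 0) * 3600 + int(m or 0) * 60 + int(s or 0)
    return -total if sign else total

def skew_breaks_kerberos(nmap_value):
    """True when the offset exceeds the KDC tolerance, i.e. AS-REQs would fail with KRB_AP_ERR_SKEW."""
    return abs(skew_seconds(nmap_value)) > KRB_MAX_SKEW_SECONDS

def preauth_disabled_accounts(entries):
    """Names of accounts whose userAccountControl has DONT_REQ_PREAUTH set (AS-REP roastable)."""
    return sorted(e["sAMAccountName"] for e in entries
                  if int(e["userAccountControl"]) & UF_DONT_REQUIRE_PREAUTH)

def asrep_roast_alerts(log_lines):
    """Flag 4768 (TGT requested) events with no pre-authentication and an RC4 ticket,
    the combination a successful AS-REP roast leaves in the DC's security log."""
    alerts = []
    for line in log_lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        event_id, user, preauth, etype = m.group(1), m.group(2), int(m.group(3)), int(m.group(4), 16)
        if event_id == "4768" and preauth == 0 and etype == RC4_HMAC:
            alerts.append(user)
    return alerts

# Constructed sample data (hypothetical accounts, documentation-range IPs)
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jdoe", "userAccountControl": 0x410200},   # NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD|DONT_REQ_PREAUTH
    {"sAMAccountName": "asmith", "userAccountControl": 0x10200},  # NORMAL_ACCOUNT|DONT_EXPIRE_PASSWD
]
SAMPLE_LOG = [
    "EventID=4768 TargetUserName=jdoe PreAuthType=0 TicketEncryptionType=0x17 IpAddress=192.0.2.10",
    "EventID=4768 TargetUserName=asmith PreAuthType=2 TicketEncryptionType=0x17 IpAddress=192.0.2.11",
    "EventID=4768 TargetUserName=asmith PreAuthType=2 TicketEncryptionType=0x12 IpAddress=192.0.2.11",
]

if __name__ == "__main__":
    print("skew 6h54m24s breaks Kerberos:", skew_breaks_kerberos("6h54m24s"))
    print("pre-auth disabled:", preauth_disabled_accounts(SAMPLE_ENTRIES))
    print("AS-REP roast alerts:", asrep_roast_alerts(SAMPLE_LOG))
```

The audit function is the fix for the finding: clearing the pre-authentication bit on every account it returns removes the AS-REP roasting exposure, and the 4768 rule catches attempts in the meantime.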
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 24 15:56:50 2024
=========================================( Target Information )=========================================
Target ........... 10.10.10.175
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.10.175 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.10.10.175 )================================
Looking up status of 10.10.10.175
No reply from 10.10.10.175
===================================( Session Check on 10.10.10.175 )===================================
[+] Server 10.10.10.175 allows sessions using username '', password ''
================================( Getting domain SID for 10.10.10.175 )================================
Domain Name: EGOTISTICALBANK
Domain Sid: S-1-5-21-2966785786-3096785034-1186376766
[+] Host is part of a domain (not a workgroup)
===================================( OS information on 10.10.10.175 )===================================
[E] Can't get OS info with smbclient
[+] Got OS info for 10.10.10.175 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
=======================================( Users on 10.10.10.175 )=======================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
=================================( Share Enumeration on 10.10.10.175 )=================================
do_connect: Connection to 10.10.10.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 10.10.10.175
============================( Password Policy Information for 10.10.10.175 )============================
[E] Unexpected error from polenum:
[+] Attaching to 10.10.10.175 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:10.10.10.175)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
=======================================( Groups on 10.10.10.175 )=======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
==================( Users on 10.10.10.175 via RID cycling (RIDS: 500-550,1000-1050) )==================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
===============================( Getting printer info for 10.10.10.175 )===============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Fri May 24 15:57:13 2024
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri May 24 15:59:02 2024
=========================================( Target Information )=========================================
Target ........... 10.10.10.175
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.10.175 )============================
[E] Can't find workgroup/domain
================================( Nbtstat Information for 10.10.10.175 )================================
Looking up status of 10.10.10.175
No reply from 10.10.10.175
===================================( Session Check on 10.10.10.175 )===================================
[E] Server doesn't allow session using username 'guest', password ''. Aborting remainder of tests.