Will continue eventually (Initial Access requires BOF)
Nmap Scan
$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.206.31
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-10 11:07 +08
Nmap scan report for 192.168.206.31
Host is up (0.0073s latency).
Not shown: 65505 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp?
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-06-10 03:08:02Z)
111/tcp open rpcbind 2-4 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2,3,4 111/tcp rpcbind
| 100000 2,3,4 111/tcp6 rpcbind
| 100000 2,3,4 111/udp rpcbind
| 100000 2,3,4 111/udp6 rpcbind
| 100003 2,3 2049/udp nfs
| 100003 2,3 2049/udp6 nfs
| 100003 2,3,4 2049/tcp nfs
| 100003 2,3,4 2049/tcp6 nfs
| 100005 1,2,3 2049/tcp mountd
| 100005 1,2,3 2049/tcp6 mountd
| 100005 1,2,3 2049/udp mountd
| 100005 1,2,3 2049/udp6 mountd
| 100021 1,2,3,4 2049/tcp nlockmgr
| 100021 1,2,3,4 2049/tcp6 nlockmgr
| 100021 1,2,3,4 2049/udp nlockmgr
| 100021 1,2,3,4 2049/udp6 nlockmgr
| 100024 1 2049/tcp status
| 100024 1 2049/tcp6 status
| 100024 1 2049/udp status
|_ 100024 1 2049/udp6 status
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: Kyotosoft.com0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
2049/tcp open nlockmgr 1-4 (RPC #100021)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: Kyotosoft.com0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: KYOTOSOFT
| NetBIOS_Domain_Name: KYOTOSOFT
| NetBIOS_Computer_Name: KYOTO
| DNS_Domain_Name: Kyotosoft.com
| DNS_Computer_Name: kyoto.Kyotosoft.com
| DNS_Tree_Name: Kyotosoft.com
| Product_Version: 10.0.20348
|_ System_Time: 2024-06-10T03:08:57+00:00
|_ssl-date: 2024-06-10T03:09:05+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=kyoto.Kyotosoft.com
| Not valid before: 2024-05-15T10:35:58
|_Not valid after: 2024-11-14T10:35:58
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49675/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49676/tcp open msrpc Microsoft Windows RPC
49694/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
49709/tcp open msrpc Microsoft Windows RPC
49734/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: Simple, KYOTO; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-06-10T03:08:57
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.86 seconds
Initial Access
Enum4linux
Anonymous
Guest
We will also add to host file
dev Share enumeration
During our enumeration with enum4linux, we can see that the guest account is able to map and list this share (anonymous sessions are accepted but get NT_STATUS_ACCESS_DENIED for almost everything).
When we run strings on ftp.exe, we can see credentials embedded in the binary.
However, when we try those credentials against the FTP service on port 21, they do not seem to work.
$ enum4linux -a -u '' -p '' 192.168.206.31
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jun 10 11:12:45 2024
=========================================( Target Information )=========================================
Target ........... 192.168.206.31
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.206.31 )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for 192.168.206.31 )===============================
Looking up status of 192.168.206.31
No reply from 192.168.206.31
==================================( Session Check on 192.168.206.31 )==================================
[+] Server 192.168.206.31 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.206.31 )===============================
Domain Name: KYOTOSOFT
Domain Sid: S-1-5-21-3637919013-4137434400-910849308
[+] Host is part of a domain (not a workgroup)
==================================( OS information on 192.168.206.31 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.206.31 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
======================================( Users on 192.168.206.31 )======================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
================================( Share Enumeration on 192.168.206.31 )================================
do_connect: Connection to 192.168.206.31 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 192.168.206.31
===========================( Password Policy Information for 192.168.206.31 )===========================
[E] Unexpected error from polenum:
[+] Attaching to 192.168.206.31 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:192.168.206.31)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
======================================( Groups on 192.168.206.31 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.206.31 via RID cycling (RIDS: 500-550,1000-1050) )=================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
==============================( Getting printer info for 192.168.206.31 )==============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Mon Jun 10 11:13:07 2024
$ enum4linux -a -u 'guest' -p '' 192.168.206.31
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jun 10 11:14:23 2024
=========================================( Target Information )=========================================
Target ........... 192.168.206.31
RID Range ........ 500-550,1000-1050
Username ......... 'guest'
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===========================( Enumerating Workgroup/Domain on 192.168.206.31 )===========================
[E] Can't find workgroup/domain
===============================( Nbtstat Information for 192.168.206.31 )===============================
Looking up status of 192.168.206.31
No reply from 192.168.206.31
==================================( Session Check on 192.168.206.31 )==================================
[+] Server 192.168.206.31 allows sessions using username 'guest', password ''
===============================( Getting domain SID for 192.168.206.31 )===============================
Domain Name: KYOTOSOFT
Domain Sid: S-1-5-21-3637919013-4137434400-910849308
[+] Host is part of a domain (not a workgroup)
==================================( OS information on 192.168.206.31 )==================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.206.31 from srvinfo:
192.168.206.31 Wk Sv PDC Tim NT
platform_id : 500
os version : 10.0
server type : 0x80102b
======================================( Users on 192.168.206.31 )======================================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
================================( Share Enumeration on 192.168.206.31 )================================
do_connect: Connection to 192.168.206.31 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
dev Disk development & debugging share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 192.168.206.31
//192.168.206.31/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.206.31/C$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.206.31/dev Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_NO_SUCH_FILE listing \*
//192.168.206.31/IPC$ Mapping: N/A Listing: N/A Writing: N/A
//192.168.206.31/NETLOGON Mapping: OK Listing: DENIED Writing: N/A
//192.168.206.31/SYSVOL Mapping: OK Listing: DENIED Writing: N/A
===========================( Password Policy Information for 192.168.206.31 )===========================
[E] Unexpected error from polenum:
[+] Attaching to 192.168.206.31 using guest
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:192.168.206.31)
[+] Trying protocol 445/SMB...
[!] Protocol failed: SAMR SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
[E] Failed to get password policy with rpcclient
======================================( Groups on 192.168.206.31 )======================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
=================( Users on 192.168.206.31 via RID cycling (RIDS: 500-550,1000-1050) )=================
[I] Found new SID:
S-1-5-21-3637919013-4137434400-910849308
[I] Found new SID:
S-1-5-21-3637919013-4137434400-910849308
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-21-3637919013-4137434400-910849308
[+] Enumerating users using SID S-1-5-90 and logon username 'guest', password ''
[+] Enumerating users using SID S-1-5-80 and logon username 'guest', password ''
[+] Enumerating users using SID S-1-5-80-3139157870-2983391045-3678747466-658725712 and logon username 'guest', password ''
[+] Enumerating users using SID S-1-5-21-1621186688-237916124-1956967552 and logon username 'guest', password ''
S-1-5-21-1621186688-237916124-1956967552-500 KYOTO\Administrator (Local User)
S-1-5-21-1621186688-237916124-1956967552-501 KYOTO\Guest (Local User)
S-1-5-21-1621186688-237916124-1956967552-503 KYOTO\DefaultAccount (Local User)
S-1-5-21-1621186688-237916124-1956967552-504 KYOTO\WDAGUtilityAccount (Local User)
S-1-5-21-1621186688-237916124-1956967552-513 KYOTO\None (Domain Group)
[+] Enumerating users using SID S-1-5-21-3637919013-4137434400-910849308 and logon username 'guest', password ''
S-1-5-21-3637919013-4137434400-910849308-500 KYOTOSOFT\Administrator (Local User)
S-1-5-21-3637919013-4137434400-910849308-501 KYOTOSOFT\Guest (Local User)
S-1-5-21-3637919013-4137434400-910849308-502 KYOTOSOFT\krbtgt (Local User)
S-1-5-21-3637919013-4137434400-910849308-512 KYOTOSOFT\Domain Admins (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-513 KYOTOSOFT\Domain Users (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-514 KYOTOSOFT\Domain Guests (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-515 KYOTOSOFT\Domain Computers (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-516 KYOTOSOFT\Domain Controllers (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-517 KYOTOSOFT\Cert Publishers (Local Group)
S-1-5-21-3637919013-4137434400-910849308-518 KYOTOSOFT\Schema Admins (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-519 KYOTOSOFT\Enterprise Admins (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-520 KYOTOSOFT\Group Policy Creator Owners (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-521 KYOTOSOFT\Read-only Domain Controllers (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-522 KYOTOSOFT\Cloneable Domain Controllers (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-525 KYOTOSOFT\Protected Users (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-526 KYOTOSOFT\Key Admins (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-527 KYOTOSOFT\Enterprise Key Admins (Domain Group)
S-1-5-21-3637919013-4137434400-910849308-1000 KYOTOSOFT\support (Local User)
S-1-5-21-3637919013-4137434400-910849308-1001 KYOTOSOFT\Access-Denied Assistance Users (Local Group)
S-1-5-21-3637919013-4137434400-910849308-1002 KYOTOSOFT\KYOTO$ (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username 'guest', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
==============================( Getting printer info for 192.168.206.31 )==============================
result was WERR_INVALID_NAME
enum4linux complete on Mon Jun 10 11:16:04 2024
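The share-mapping block in the guest run above is what separates this host from a hardened one: a custom share (dev) is mappable and listable with the guest account, and the domain shares NETLOGON and SYSVOL are mappable as well. The following is an added example, not part of the original writeup, that triages that block automatically; the sample text is constructed from the output above and the share-line format is assumed from enum4linux v0.9.1 as shown on this page.

```python
import re

# Constructed sample: the share-mapping block of an enum4linux run against a host
# that accepts a guest session (values mirror the writeup above).
SAMPLE = """\
[+] Attempting to map shares on 192.168.206.31
//192.168.206.31/ADMIN$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.206.31/C$ Mapping: DENIED Listing: N/A Writing: N/A
//192.168.206.31/dev Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_NO_SUCH_FILE listing \\*
//192.168.206.31/IPC$ Mapping: N/A Listing: N/A Writing: N/A
//192.168.206.31/NETLOGON Mapping: OK Listing: DENIED Writing: N/A
//192.168.206.31/SYSVOL Mapping: OK Listing: DENIED Writing: N/A
"""

# One share line: //host/share Mapping: X Listing: Y Writing: Z
SHARE_LINE = re.compile(
    r"^//(?P<host>[^/\s]+)/(?P<share>\S+)\s+Mapping:\s*(?P<map>\S+)"
    r"\s+Listing:\s*(?P<list>\S+)\s+Writing:\s*(?P<write>\S+)\s*$"
)

# Shares every Windows host/DC exposes. NETLOGON and SYSVOL are meant for
# authenticated domain members, so guest reaching them is still a finding.
DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}


def parse_share_map(text):
    """Return {share: {'host', 'share', 'map', 'list', 'write'}} from enum4linux output."""
    shares = {}
    for line in text.splitlines():
        m = SHARE_LINE.match(line.strip())
        if m:
            shares[m.group("share")] = m.groupdict()
    return shares


def guest_reachable(shares):
    """Shares the low-privilege account could map, with their listing status."""
    return {name: d["list"] for name, d in shares.items() if d["map"] == "OK"}


def findings(shares):
    """Triage lines, custom (non-default) shares first since they need review."""
    out = []
    for name, listing in sorted(guest_reachable(shares).items(),
                                key=lambda kv: (kv[0] in DEFAULT_SHARES, kv[0])):
        tag = "default" if name in DEFAULT_SHARES else "CUSTOM"
        out.append(f"{tag:7} {name}: mapped OK, listing {listing}")
    return out


if __name__ == "__main__":
    for line in findings(parse_share_map(SAMPLE)):
        print(line)
```

Feed it the real output with `parse_share_map(open("enum4linux.txt").read())`; a share that is mappable and listable by guest, like dev here, is the one to check for files such as the ftp.exe binary found above.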
$ echo "192.168.206.31 kyoto.Kyotosoft.com" | sudo tee -a /etc/hosts
[sudo] password for ranay:
192.168.206.31 kyoto.Kyotosoft.com
$ smbclient //192.168.206.31/dev -U guest
Password for [WORKGROUP\guest]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Wed Aug 9 04:39:28 2023
.. DHS 0 Mon Jun 10 11:07:35 2024
.git D 0 Wed Aug 9 04:39:26 2023
DEVLOG.txt A 155 Wed Aug 9 04:37:16 2023
ftp.exe A 155648 Wed Aug 9 03:08:10 2023
7699711 blocks of size 4096. 3032041 blocks available
smb: \>
$ strings ftp.exe
...
admin:SafariDozeDust17
...
$ ftp 192.168.206.31
Connected to 192.168.206.31.
220 Welcome to Simple FTP Server NG
Name (192.168.206.31:ranay): admin
331 User OK, password required
Password:
^C
421 Service not available, user interrupt. Connection closed.
ftp: Login failed
ftp>
ftp> exit