SMB
Nmap discovered a Windows Directory server on the target ports 139 and 445
┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-01 17:44 CEST
Nmap scan report for dc1.blazorized.htb (10.10.11.22)
Host is up (0.020s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.64 secondsAttempting to map the SMB shares failed, likely due to lack of privileges
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/blazorized]
└─$ smbclient -L //dc1.blazorized.htb/
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to dc1.blazorized.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableThe target SMB server does not allow anonymous access I would need a valid domain credential to enumerate the SMB server. Furthermore, the RID Cycling attack won’t be possible.