SMB
Nmap discovered a Windows Directory service on the target ports 139 and 445
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
starting nmap 7.94svn ( https://nmap.org ) at 2024-01-30 12:54 CET
Nmap scan report for research (10.10.11.129)
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
service info: OS: Windows; CPE: cpe:/o:microsoft:windows
service detection performed. please report any incorrect results at https://nmap.org/submit/ .
nmap done: 1 IP address (1 host up) scanned in 12.06 secondsAttempting to map the SMB shares failed, likely due to lack of privileges
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ crackmapexec smb research.search.htb -u ' ' -p ' ' --shares
SMB research.search.htb 445 RESEARCH [*] Windows 10.0 Build 17763 x64 (name:RESEARCH) (domain:search.htb) (signing:True) (SMBv1:False)
SMB research.search.htb 445 RESEARCH [-] search.htb\ : STATUS_LOGON_FAILURE
┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ smbclient -L //research.search.htb/
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to research.search.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableThe target SMB server does not allow anonymous access I would need a valid domain credential to enumerate the SMB server. Furthermore, the RID Cycling attack won’t be possible.