SMB
Nmap discovered a Windows Directory service on the target port 139 and 445
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-26 21:24 CEST
Nmap scan report for dc.university.htb (10.129.37.136)
Host is up (0.044s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.66 secondsAttempting to map the SMB shares fails likely due privileges-related issues
Null Session
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ crackmapexec smb dc.university.htb -u ' ' -p ' ' --shares
SMB dc.university.htb 445 DC [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC) (domain:university.htb) (signing:True) (SMBv1:False)
SMB dc.university.htb 445 DC [-] university.htb\ : STATUS_LOGON_FAILURE
┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ smbclient -L //dc.university.htb/
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to dc.university.htb failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup availableThe target SMB server does not allow anonymous access I would need a valid domain credential to enumerate the SMB server. Furthermore, the RID Cycling attack won’t be possible.