SMB


Nmap discovered Windows SMB services (netbios-ssn and microsoft-ds) on ports 139 and 445 of the dc01.heist.offsec (192.168.198.165) host.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-07 15:55 CEST
Nmap scan report for dc01.heist.offsec (192.168.198.165)
Host is up (0.021s latency).
 
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.74 seconds

The smb-enum-shares script returned no share listing: share mapping failed.

Null Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ nxc smb dc01.heist.offsec -u 'blah' -p 'blah' --shares --interfaces
SMB         192.168.198.165 445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:heist.offsec) (signing:True) (SMBv1:False)
SMB         192.168.198.165 445    DC01             [-] heist.offsec\blah:blah STATUS_LOGON_FAILURE 
 
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ nxc smb dc01.heist.offsec -u '' -p '' --shares --interfaces     
SMB         192.168.198.165 445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:heist.offsec) (signing:True) (SMBv1:False)
SMB         192.168.198.165 445    DC01             [-] heist.offsec\: STATUS_ACCESS_DENIED 
SMB         192.168.198.165 445    DC01             [-] Error enumerating shares: Error occurs while reading from remote(104)

The target SMB server allows neither guest access (an invalid account gets STATUS_LOGON_FAILURE rather than a guest login) nor anonymous null-session access (STATUS_ACCESS_DENIED).

enox Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ nxc smb dc01.heist.offsec -u 'enox' -p 'california' --shares --interfaces 
SMB         192.168.198.165 445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:heist.offsec) (signing:True) (SMBv1:False)
SMB         192.168.198.165 445    DC01             [+] heist.offsec\enox:california 
SMB         192.168.198.165 445    DC01             [*] Enumerated shares
SMB         192.168.198.165 445    DC01             Share           Permissions     Remark
SMB         192.168.198.165 445    DC01             -----           -----------     ------
SMB         192.168.198.165 445    DC01             ADMIN$                          Remote Admin
SMB         192.168.198.165 445    DC01             C$                              Default share
SMB         192.168.198.165 445    DC01             IPC$            READ            Remote IPC
SMB         192.168.198.165 445    DC01             NETLOGON        READ            Logon server share 
SMB         192.168.198.165 445    DC01             SYSVOL          READ            Logon server share 

The compromised enox user has read access to the IPC$, NETLOGON, and SYSVOL shares. RID cycling is possible because the IPC$ share is readable; however, all the local users have already been enumerated.
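Added example (not part of the original write-up or of the NetExec project): a small parser that turns the nxc --shares table above into structured records and triages it the way the paragraph does, separating readable, writable and non-default shares. The sample input is the page's own nxc output embedded as a constructed string; the column-splitting rule (two or more spaces, with a blank Permissions column recognised by vocabulary) is an assumption about nxc's layout, not a documented format.

```python
import re
from dataclasses import dataclass

# Constructed sample: the nxc (NetExec) share listing shown on this page for the
# enox session, reproduced here as the parser's input.
SAMPLE_NXC_OUTPUT = """\
SMB         192.168.198.165 445    DC01             [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:heist.offsec) (signing:True) (SMBv1:False)
SMB         192.168.198.165 445    DC01             [+] heist.offsec\\enox:california 
SMB         192.168.198.165 445    DC01             [*] Enumerated shares
SMB         192.168.198.165 445    DC01             Share           Permissions     Remark
SMB         192.168.198.165 445    DC01             -----           -----------     ------
SMB         192.168.198.165 445    DC01             ADMIN$                          Remote Admin
SMB         192.168.198.165 445    DC01             C$                              Default share
SMB         192.168.198.165 445    DC01             IPC$            READ            Remote IPC
SMB         192.168.198.165 445    DC01             NETLOGON        READ            Logon server share 
SMB         192.168.198.165 445    DC01             SYSVOL          READ            Logon server share 
"""

# Every nxc SMB line starts with the protocol, target IP, port and hostname.
LINE_RE = re.compile(r"^SMB\s+(?P<ip>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)\s+(?P<rest>.*)$")

# Tokens nxc prints in the Permissions column (assumption: these three forms).
PERMISSION_TOKENS = {"READ", "WRITE", "READ,WRITE"}

# Shares present on every domain controller by default; anything else is worth a look.
DEFAULT_DC_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}


@dataclass
class Share:
    host: str
    name: str
    permissions: str  # "", "READ", "WRITE" or "READ,WRITE"
    remark: str


def parse_nxc_shares(output: str) -> list[Share]:
    """Extract the share table rows from raw nxc output."""
    shares = []
    for raw in output.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("["):          # status lines: [*], [+], [-]
            continue
        fields = re.split(r"\s{2,}", rest)
        if fields == ["Share", "Permissions", "Remark"] or fields[0].startswith("-----"):
            continue                      # table header rows
        if len(fields) == 3:
            name, perms, remark = fields
        elif len(fields) == 2:
            name, second = fields
            # A blank Permissions column collapses the row to two fields; only a
            # permissions token can legitimately sit in the middle column.
            perms, remark = (second, "") if second in PERMISSION_TOKENS else ("", second)
        elif len(fields) == 1:
            name, perms, remark = fields[0], "", ""
        else:
            continue
        shares.append(Share(m.group("host"), name, perms, remark))
    return shares


def triage(shares: list[Share]) -> tuple[list[str], list[str], list[str]]:
    """Return (readable, writable, non_default) share names for the account used."""
    readable = [s.name for s in shares if "READ" in s.permissions]
    writable = [s.name for s in shares if "WRITE" in s.permissions]
    non_default = [s.name for s in shares if s.name not in DEFAULT_DC_SHARES]
    return readable, writable, non_default


if __name__ == "__main__":
    parsed = parse_nxc_shares(SAMPLE_NXC_OUTPUT)
    readable, writable, non_default = triage(parsed)
    print("readable:   ", readable)       # IPC$, NETLOGON, SYSVOL for the enox session
    print("writable:   ", writable)       # a writable SYSVOL or NETLOGON would be a high-risk finding
    print("non-default:", non_default)
```

Readable IPC$ is the normal state for any authenticated domain user, so it is the expected precondition for RID cycling rather than a misconfiguration; what a defender should look for in this output is WRITE on NETLOGON or SYSVOL, or any share outside the default set.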

SYSVOL Share


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/heist]
└─$ impacket-smbclient enox:california@dc01.heist.offsec
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies 
 
Type help for list of commands
# use SYSVOL
# tree
/heist.offsec/DfsrPrivate
/heist.offsec/Policies
/heist.offsec/scripts
/heist.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
/heist.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
/heist.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
/heist.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
/heist.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
/heist.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
/heist.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE
/heist.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/USER
/heist.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft
/heist.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
/heist.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft
/heist.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT
/heist.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT
/heist.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/heist.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/heist.offsec/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
/heist.offsec/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
Finished - 21 files and folders
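Added example, not part of the original write-up: {31B2F340-016D-11D2-945F-00C04FB984F9} is the well-known GUID of the Default Domain Policy and {6AC1786C-016F-11D2-945F-00C04fB984F9} that of the Default Domain Controllers Policy, and the GptTmpl.inf under MACHINE/Microsoft/Windows NT/SecEdit holds the password, lockout and Kerberos settings applied domain-wide. The code below reads such a file (Windows writes it as UTF-16 LE with a byte-order mark), parses its INI sections, and reports settings a defender would want to tighten. The sample file is constructed here, not the real content of this host's SYSVOL, and the review thresholds (minimum length 14, history 24) are choices made for this example.

```python
# Constructed sample GptTmpl.inf, encoded the way SecEdit writes it: UTF-16 LE with BOM.
_SAMPLE_TEXT = (
    "[Unicode]\r\n"
    "Unicode=yes\r\n"
    "[System Access]\r\n"
    "MinimumPasswordAge = 1\r\n"
    "MaximumPasswordAge = 42\r\n"
    "MinimumPasswordLength = 7\r\n"
    "PasswordComplexity = 1\r\n"
    "PasswordHistorySize = 24\r\n"
    "LockoutBadCount = 0\r\n"
    "ClearTextPassword = 0\r\n"
    "[Kerberos Policy]\r\n"
    "MaxTicketAge = 10\r\n"
    "MaxClockSkew = 5\r\n"
    "[Version]\r\n"
    "signature=\"$CHICAGO$\"\r\n"
    "Revision=1\r\n"
)
SAMPLE_GPTTMPL = b"\xff\xfe" + _SAMPLE_TEXT.encode("utf-16-le")


def decode_inf(data: bytes) -> str:
    """Decode a GptTmpl.inf: UTF-16 LE when the BOM is present, else UTF-8 (hand-edited files)."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le")
    return data.decode("utf-8-sig")


def parse_gpttmpl(data: bytes) -> dict[str, dict[str, str]]:
    """Parse the INI-style file into {section: {key: value}}; keys keep their original case."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for line in decode_inf(data).splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def assess_password_policy(sections: dict[str, dict[str, str]]) -> list[str]:
    """Return human-readable findings for weak [System Access] settings."""
    access = sections.get("System Access", {})

    def num(key: str, default: int) -> int:
        value = access.get(key)
        return int(value) if value is not None and value.lstrip("-").isdigit() else default

    findings = []
    min_len = num("MinimumPasswordLength", 0)
    if min_len < 14:                                  # example threshold, see lead-in
        findings.append(f"MinimumPasswordLength={min_len} is below 14")
    if num("PasswordComplexity", 0) != 1:
        findings.append("PasswordComplexity is disabled")
    if num("LockoutBadCount", 0) == 0:
        findings.append("LockoutBadCount=0: no account lockout threshold is enforced")
    if num("ClearTextPassword", 0) == 1:
        findings.append("ClearTextPassword=1: passwords stored with reversible encryption")
    if num("PasswordHistorySize", 0) < 24:             # example threshold, see lead-in
        findings.append("PasswordHistorySize is below 24")
    return findings


if __name__ == "__main__":
    policy = parse_gpttmpl(SAMPLE_GPTTMPL)
    for key, value in policy["System Access"].items():
        print(f"{key:24} {value}")
    for finding in assess_password_policy(policy):
        print("FINDING:", finding)
```

Pointing parse_gpttmpl at the GptTmpl.inf files pulled from SYSVOL (or at the same files on the DC's own %SystemRoot%\SYSVOL path) gives an auditor the effective domain password policy without querying LDAP; the two findings on the constructed sample correspond to the stock Windows defaults of a 7-character minimum and no lockout threshold.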

N/A