Which script should be executed when the script gets closed? dfsexist Query DFS support Server Message Block in modern language is also known as. dfsenum Enumerate dfs shares You get the idea; it was pretty much the same for the Ubuntu guy, except that his user accounts were -3000. In the previous demonstration, the attacker was able to grant and remove privileges for a group. S-1-5-21-1835020781-2383529660-3657267081-1002 LEWISFAMILY\daemon (1) First one - two Cobalt Strike sessions: Second - attacker opens a socks4 proxy on port 7777 on his local Kali machine (10.0.0.5) by issuing: *' # download everything recursively in the wwwroot share to /usr/share/smbmap. root S-1-5-21-1835020781-2383529660-3657267081-1000 (User: 1) Then the attacker used the SID to enumerate the privileges using the lsaenumacctrights command. There are numerous tools and methods to perform enumeration; we will be finding different types of information on SMB throughout the article. In other words - it's possible to enumerate AD (or create/delete AD users, etc.) New Folder - 6 D 0 Sun Dec 13 06:55:42 2015 | Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010) | Type: STYPE_DISKTREE NETLOGON READ ONLY In this communication, the child process can make requests of a parent process. rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1011 The policies that are applied on a Domain are also dictated by the various groups that exist. sinkdata Sink data Once we are connected using a null session we get another set of options: This cheat sheet should not be considered to be complete and only represents a snapshot in time when I used these commands for performing enumeration during my OSCP journey. It is possible to enumerate the SAM data through rpcclient as well. rpcclient $> queryuser msfadmin. result was NT_STATUS_NONE_MAPPED.
Nmap scan report for [ip] That narrows the version that the attacker might be looking at to Windows 10, Windows Server 2016, and Windows Server 2019. logonctrl2 Logon Control 2 Software applications that run on a NetBIOS network locate and identify each other via their NetBIOS names. rewardone in the PWK forums posted a neat script to easily get Samba versions: When you run this on a box running Samba, you get results: When in doubt, we can check the SMB version in a PCAP. | Type: STYPE_DISKTREE_HIDDEN Hydra (http://www.thc.org) starting at 2007-07-27 21:51:46 Use `proxychains <command>` to use the socks proxy. 623/UDP/TCP - IPMI. Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-27 16:25 EDT Start by typing "enum" at the prompt and hitting <tab><tab>: rpcclient $> enum enumalsgroups enumdomains enumdrivers enumkey enumprivs enumdata enumdomgroups enumforms enumports enumtrust enumdataex enumdomusers enumjobs enumprinter. found 5 privileges, SeMachineAccountPrivilege 0:6 (0x0:0x6) Let's see how this works by first updating the proxychains config file: Once proxychains is configured, the attacker can start enumerating the AD environment through the beacon like so: proxychains rpcclient 10.0.0.6 -U spotless, Victim (10.0.0.2) is enumerating DC (10.0.0.6) on behalf of attacker (10.0.0.5). Disclaimer: These notes are not in the context of any machines I had during the OSCP lab or exam. | State: VULNERABLE rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1000 Query Group Information and Group Membership. quit Exit program Here's an example, Unix Samba 2.2.3a: Windows SMB is more complex than just a version, but looking in Wireshark will give a bunch of information about the connection. authentication The system operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network.
dsroledominfo Get Primary Domain Information This information can be elaborated on using querydispinfo. In the demonstration, a user hacker is created with the help of createdomuser and then a password is set for it using the setuserinfo2 command. | grep -oP 'UnixSamba. It accepts the group name as a parameter. Using rpcclient we can enumerate usernames on those OSes just like on a Windows OS. RPC is built on Microsoft's COM and DCOM technologies. -N, --no-pass Don't ask for a password *', # download everything recursively in the wwwroot share to /usr/share/smbmap. | account_used: guest Password checking, if you found any with other enumeration. GENERAL OPTIONS getform Get form Read previous sections to learn how to connect with credentials/Pass-the-Hash. getdcname Get trusted DC name remark: IPC Service (Mac OS X) A Mind Map about OSCP Guide submitted by Rikunj Sindhwad on Jun 12, 2021. S-1-5-21-1835020781-2383529660-3657267081-1013 LEWISFAMILY\mail (2) deleteform Delete form | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143 lsaenumacctrights Enumerate the rights of an SID getdataex Get printer driver data with keyname rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1012 At last, it can be verified using the enumdomusers command. NETLOGON NO ACCESS SPOOLSS rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2001 change_trust_pw Change Trust Account Password debuglevel Set debug level # Search the file in recursive mode and download it inside /usr/share/smbmap, #Download everything to current directory, mask: specifies the mask which is used to filter the files within the directory (e.g. "" My #1 SMB tip: if the exploit you're using fails despite the target appearing vulnerable, reset the machine and try again.
enumdata Enumerate printer data If the IPC$ share is enabled and we have anonymous access, we can enumerate users through, SAMBA 3.x-4.x # vulnerable to linux/samba/is_known_pipename, SAMBA 3.5.11 # vulnerable to linux/samba/is_known_pipename, a good script to use if none of the scanners gives the SMB version, # Requires root or enough permissions to use tcpdump, # Will listen for the first 7 packets of a null login, # Will sometimes not capture or will print multiple. rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-502 |_smb-vuln-regsvc-dos: ERROR: Script execution failed (use -d to debug) | Comment: Remote Admin . rpcclient is a utility initially developed to test MS-RPC functionality in Samba itself. RID is a suffix of the long SID in a hexadecimal format. | \\[ip]\share: enumkey Enumerate printer keys There was a forced logoff on the server and other important information. Assumes a valid machine account on this domain controller. # download everything recursively in the wwwroot share to /usr/share/smbmap. With --pw-nt-hash, the password provided is the NT hash, #Use --no-pass -c 'recurse;ls' to list recursively with smbclient, #List with smbmap; without a folder it lists everything. -z $2 ]; then rport=$2; else rport=139; fi, tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' rffpcnex Rffpcnex test samlogon Sam Logon Enumerate Domain Groups. ENUMERATING USER ACCOUNTS ON LINUX AND OS X WITH RPCCLIENT, Hacking Samba on Ubuntu and Installing the Meterpreter. result was NT_STATUS_NONE_MAPPED In general, rpcclient can be used to connect to the SMB protocol as well. A NetBIOS name is up to 16 characters long and usually separate from the computer name. Two applications start a NetBIOS session when one (the client) sends a command to call another client (the server) over, 139/tcp open netbios-ssn Microsoft Windows netbios-ssn.
Passing the SID as a parameter to the lsacreateaccount command will enable us as an attacker to create an account object as shown in the image below. 139/tcp open netbios-ssn To demonstrate this, the attacker first used the lsaaddpriv command to add the SeCreateTokenPrivilege to the SID and then used the lsadelpriv command to remove that privilege from that group as well. A collection of commands and tools used for conducting enumeration during my OSCP journey. This is an enumeration cheat sheet that I created while pursuing the OSCP. From the enumdomusers command, it was possible to obtain the users of the domain as well as their RIDs. To explain how this fits in, let's look at the examples below: When an object is created within a domain, the number above (SID) will be combined with a RID to make a unique value used to represent the object. In the demonstration, it can be observed that lsaenumsid has enumerated 20 SIDs within the Local Security Authority, or LSA. path: C:\tmp Forbid the creation and modification of files? May need to run a second time for success. In the case of queryusergroups, the groups will be enumerated. Workgroup Master Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging This lab shows how it is possible to bypass command-line argument logging when enumerating Windows environments, using Cobalt Strike and its socks proxy (or any other post-exploitation tool that supports socks proxying). rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1002 result was NT_STATUS_NONE_MAPPED result was NT_STATUS_NONE_MAPPED lookupnames Convert names to SIDs The name is derived from the enumeration of domain users. Running something like ngrep -i -d tap0 's.?a.?m.?b.?a. object in the NAME_DOMAIN.LOCAL domain and you will never see this paired value tied to another object in this domain or any other.
S-1-5-21-1835020781-2383529660-3657267081-500 LEWISFAMILY\Administrator (1) You may be restricted from listing the shares of the host machine, and when you try to list them it appears as if there aren't any shares to connect to. getprintprocdir Get print processor directory As with lsaenumsid, it was possible to extract the SID but it was not possible to tell which user has that SID. -k, --kerberos Use kerberos (active directory) May need to run a second time for success. After verifying that the privilege was added using the lsaenumprivaccount command, we removed the privileges from the user using the lsaremoveacctrights command. Using rpcclient we can enumerate usernames on those OSes just like on a Windows OS. This is an approach I came up with while researching offensive security. SMB allows you to share your resources with other computers over the network; version susceptible to known attacks (EternalBlue, WannaCry), disabled by default in newer Windows versions; reduced "chattiness" compared with SMB1. A null session is a connection with a Samba or SMB server that does not require authentication with a password. This command retrieves the domain, server, users on the system, and other relevant information. March 8, 2021 by Raj Chandel. The Windows library URLMon.dll automatically tries to authenticate to the host when a page tries to access some content via SMB, for example: which is used by some browsers and tools (like Skype). From: http://www.elladodelmal.com/2017/02/como-hacer-ataques-smbtrap-windows-con.html. Similar to SMB Trapping, planting malicious files onto a target system (via SMB, for example) can elicit an SMB authentication attempt, allowing the NetNTLMv2 hash to be intercepted with a tool such as Responder. S-1-5-21-1835020781-2383529660-3657267081-1000 LEWISFAMILY\root (1) This will extend the amount of information about the users and their descriptions.