search

⚔️4 - Enumeration without Users

hashtag
Enumerate anonymously

## 192.168.56.10-12-22-23 ## NOTHING FOUND!
------------------------------------------
nxc smb 192.168.56.11 --users
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         192.168.56.11   445    WINTERFELL       Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         192.168.56.11   445    WINTERFELL       arya.stark                    2024-03-21 12:06:52 0       Arya Stark
SMB         192.168.56.11   445    WINTERFELL       sansa.stark                   2024-03-21 12:07:03 0       Sansa Stark
SMB         192.168.56.11   445    WINTERFELL       brandon.stark                 2024-03-21 12:07:05 0       Brandon Stark
SMB         192.168.56.11   445    WINTERFELL       rickon.stark                  2024-03-21 12:07:08 0       Rickon Stark
SMB         192.168.56.11   445    WINTERFELL       hodor                         2024-03-21 12:07:10 0       Brainless Giant
SMB         192.168.56.11   445    WINTERFELL       jon.snow                      2024-03-21 12:07:13 0       Jon Snow
SMB         192.168.56.11   445    WINTERFELL       jeor.mormont                  2024-03-21 12:07:17 0       Jeor Mormont
SMB         192.168.56.11   445    WINTERFELL       sql_svc                       2024-03-21 12:07:20 0       sql service
SMB         192.168.56.11   445    WINTERFELL       [*] Enumerated 9 local users: NORTH

OKAY! This is the until IP with null sessions in smb and we can enumerate his users

hashtag
Password Policy

We can see with the flag --pass-pol the password policy and do a idea of the restrictions -->

It show us that if we fail 5 consecutives times (Minimum password length: 5), in 5 minutes (Reset Account Lockout Counter: 5 minutes), we will lock the accounts of that users for 5 minutes (Account Lockout Threshold: 5)

hashtag
With enum4linux

With it, we can confirm the anonymous listing of the part of NORTH DC

User list and password policy (same nxc)

enum4linux can also lit the full domain user listing members of domain group

hashtag
With rpc call (rpcclient)

The anonymous listing is available withe Remote Procedure Call -->

With its, we can use net rpc to get all domain users:

hashtag
Enumeration anonymously (when anonymous sessions are not allowed & users list)

With the above users enumeration, we can see a lot of users name, this i would saving into a .txt. Insert in it, all users name you should be exists.

hashtag
Kerberos Enumeration

We can see with the previus nmap scan the hosts with the port 88 (kerberos) up or, we can search again its -->

And with that we can send the user list that we have and existing users -->

hashtag
192.168.56.10

Remenber, for the nexts ips, change the <domain name> in nmap command: krb5-enum-users.realm='domain'

hashtag
192.168.56.11

192.168.56.12

Previous3 - Poisoning & Relay - IPv4Next4.1 - Guest access shares on SMB shares

Last updated