⚔️4 - Enumeration without Users

Enumerate anonymously

## 192.168.56.10, .12, .22, .23 ## NOTHING FOUND! (these hosts do not allow anonymous user enumeration)
------------------------------------------
nxc smb 192.168.56.11 --users
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       -Username-                    -Last PW Set-       -BadPW- -Description-
SMB         192.168.56.11   445    WINTERFELL       Guest                         <never>             0       Built-in account for guest access to the computer/domain
SMB         192.168.56.11   445    WINTERFELL       arya.stark                    2024-03-21 12:06:52 0       Arya Stark
SMB         192.168.56.11   445    WINTERFELL       sansa.stark                   2024-03-21 12:07:03 0       Sansa Stark
SMB         192.168.56.11   445    WINTERFELL       brandon.stark                 2024-03-21 12:07:05 0       Brandon Stark
SMB         192.168.56.11   445    WINTERFELL       rickon.stark                  2024-03-21 12:07:08 0       Rickon Stark
SMB         192.168.56.11   445    WINTERFELL       hodor                         2024-03-21 12:07:10 0       Brainless Giant
SMB         192.168.56.11   445    WINTERFELL       jon.snow                      2024-03-21 12:07:13 0       Jon Snow
SMB         192.168.56.11   445    WINTERFELL       jeor.mormont                  2024-03-21 12:07:17 0       Jeor Mormont
SMB         192.168.56.11   445    WINTERFELL       sql_svc                       2024-03-21 12:07:20 0       sql service
SMB         192.168.56.11   445    WINTERFELL       [*] Enumerated 9 local users: NORTH

OK! This is the only IP that allows SMB null sessions, so we can enumerate its users.

Password Policy

With the --pass-pol flag we can see the password policy and get an idea of the restrictions:

nxc smb 192.168.56.11 --pass-pol
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10 / Server 2019 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       [+] Dumping password info for domain: NORTH
SMB         192.168.56.11   445    WINTERFELL       Minimum password length: 5
SMB         192.168.56.11   445    WINTERFELL       Password history length: 24
SMB         192.168.56.11   445    WINTERFELL       Maximum password age: 311 days 2 minutes 
SMB         192.168.56.11   445    WINTERFELL       
SMB         192.168.56.11   445    WINTERFELL       Password Complexity Flags: 000000
SMB         192.168.56.11   445    WINTERFELL           Domain Refuse Password Change: 0
SMB         192.168.56.11   445    WINTERFELL           Domain Password Store Cleartext: 0
SMB         192.168.56.11   445    WINTERFELL           Domain Password Lockout Admins: 0
SMB         192.168.56.11   445    WINTERFELL           Domain Password No Clear Change: 0
SMB         192.168.56.11   445    WINTERFELL           Domain Password No Anon Change: 0
SMB         192.168.56.11   445    WINTERFELL           Domain Password Complex: 0
SMB         192.168.56.11   445    WINTERFELL       
SMB         192.168.56.11   445    WINTERFELL       Minimum password age: 1 day 4 minutes 
SMB         192.168.56.11   445    WINTERFELL       Reset Account Lockout Counter: 5 minutes 
SMB         192.168.56.11   445    WINTERFELL       Locked Account Duration: 5 minutes 
SMB         192.168.56.11   445    WINTERFELL       Account Lockout Threshold: 5
SMB         192.168.56.11   445    WINTERFELL       Forced Log off Time: Not Set

This tells us that 5 consecutive failed logons (Account Lockout Threshold: 5) within a 5-minute window (Reset Account Lockout Counter: 5 minutes) will lock that user's account for 5 minutes (Locked Account Duration: 5 minutes).
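As an added example (not part of these notes), here is a small Python audit that parses the nxc --pass-pol lines above and flags settings that fall below a hardening baseline; the baseline values are assumptions chosen for illustration, not anything nxc reports.

```python
"""Audit the password policy printed by `nxc smb <host> --pass-pol`.

Added example: parses the nxc output format shown above and compares
each setting with an assumed baseline. Sample lines are copied from
the output on this page; baseline numbers are illustrative assumptions.
"""
import re

# Constructed sample: relevant lines from the --pass-pol output above.
SAMPLE = """\
SMB         192.168.56.11   445    WINTERFELL       Minimum password length: 5
SMB         192.168.56.11   445    WINTERFELL       Password history length: 24
SMB         192.168.56.11   445    WINTERFELL       Maximum password age: 311 days 2 minutes
SMB         192.168.56.11   445    WINTERFELL           Domain Password Complex: 0
SMB         192.168.56.11   445    WINTERFELL       Minimum password age: 1 day 4 minutes
SMB         192.168.56.11   445    WINTERFELL       Reset Account Lockout Counter: 5 minutes
SMB         192.168.56.11   445    WINTERFELL       Locked Account Duration: 5 minutes
SMB         192.168.56.11   445    WINTERFELL       Account Lockout Threshold: 5
"""

# Assumed baseline (illustrative): field -> minimum acceptable value.
BASELINE = {
    "Minimum password length": 14,
    "Domain Password Complex": 1,           # 1 = complexity enforced
    "Locked Account Duration": 15,          # minutes
    "Reset Account Lockout Counter": 15,    # minutes
}

# "SMB  <ip>  <port>  <host>  <field>: <value>"
FIELD_RE = re.compile(r"^SMB\s+\S+\s+\d+\s+\S+\s+(.+?):\s*(.*?)\s*$")

def parse_pass_pol(text):
    """Return {field: raw value string} from nxc --pass-pol output."""
    policy = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            policy[m.group(1).strip()] = m.group(2)
    return policy

def leading_number(value):
    """'5 minutes' -> 5, '311 days 2 minutes' -> 311, 'Not Set' -> None."""
    m = re.match(r"(\d+)", value)
    return int(m.group(1)) if m else None

def audit(policy):
    """Return findings for every setting below the assumed baseline."""
    findings = []
    for field, minimum in BASELINE.items():
        actual = leading_number(policy.get(field, ""))
        if actual is None or actual < minimum:
            findings.append(f"{field}: {policy.get(field, 'missing')} (baseline >= {minimum})")
    if leading_number(policy.get("Account Lockout Threshold", "")) == 0:
        findings.append("Account Lockout Threshold: 0 (lockout disabled)")
    return findings
```

Running audit(parse_pass_pol(SAMPLE)) on the WINTERFELL policy reports the short minimum length, missing complexity and the 5-minute lockout values.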


With enum4linux

With it we can confirm the anonymous listing on the NORTH DC:

enum4linux 192.168.56.11

It returns the user list and the password policy (the same as nxc).

enum4linux can also list the full set of domain users and the members of each domain group.

With RPC calls (rpcclient)

rpcclient -U "" -N 192.168.56.11

The anonymous listing is also available through Remote Procedure Call:

rpcclient $> enumdomusers       # Enumerate domain users
rpcclient $> enumdomgroups      # Enumerate domain groups
rpcclient $> querydominfo       # Domain information
rpcclient $> enumalsgroups      # Enumerate local (alias) groups
rpcclient $> netshareenumall    # List shares
rpcclient $> lookupnames        # Resolve names to SIDs

In the same way, we can use net rpc to get all domain users:

net rpc group members 'Domain Users' -W 'NORTH' -I '192.168.56.11' -U '%'

Anonymous enumeration (when anonymous sessions are not allowed, using a user list)

From the user enumeration above we have a lot of user names; save them into a .txt file, and add to it every user name you think might exist.

Kerberos Enumeration

From the previous nmap scan we can see which hosts have port 88 (Kerberos) open, or we can scan for it again:

nmap -p 88 --open --max-rate 500 -n -Pn 192.168.56.10 192.168.56.11 192.168.56.12 192.168.56.22 192.168.56.23
#################################################
Nmap scan report for 192.168.56.10
PORT   STATE SERVICE
88/tcp open  kerberos-sec

Nmap scan report for 192.168.56.11
PORT   STATE SERVICE
88/tcp open  kerberos-sec

Nmap scan report for 192.168.56.12
PORT   STATE SERVICE
88/tcp open  kerberos-sec

With that we can send our user list and find out which of the users exist:

192.168.56.10

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='sevenkingdoms.local',userdb=usersList.txt" 192.168.56.10
#######################################################
Nmap scan report for sevenkingdoms.local (192.168.56.10)
PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users: 
| Discovered Kerberos principals
|     tywin.lannister@sevenkingdoms.local
|     robert.baratheon@sevenkingdoms.local
|     cersei.lannister@sevenkingdoms.local
|     joffrey.baratheon@sevenkingdoms.local
|     renly.baratheon@sevenkingdoms.local
|     stannis.baratheon@sevenkingdoms.local
|_    jaime.lannister@sevenkingdoms.local

Remember, for the next IPs, change the realm in the nmap command: krb5-enum-users.realm='<domain name>'

192.168.56.11

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='north.sevenkingdoms.local',userdb=usersList.txt" 192.168.56.11
#######################################################
PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users: 
| Discovered Kerberos principals
|     hodor@north.sevenkingdoms.local
|     robb.stark@north.sevenkingdoms.local
|     samwell.tarly@north.sevenkingdoms.local
|     arya.stark@north.sevenkingdoms.local
|     catelyn.stark@north.sevenkingdoms.local
|     jon.snow@north.sevenkingdoms.local
|     sansa.stark@north.sevenkingdoms.local
|     jeor.mormont@north.sevenkingdoms.local
|_    rickon.stark@north.sevenkingdoms.local

192.168.56.12

nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='essos.local',userdb=usersList.txt" 192.168.56.12 
#######################################################
PORT   STATE SERVICE
88/tcp open  kerberos-sec
| krb5-enum-users: 
| Discovered Kerberos principals
|     jorah.mormont@essos.local
|     daenerys.targaryen@essos.local
|     khal.drogo@essos.local
|     viserys.targaryen@essos.local
|_    missandei@essos.local
