rpcclient enumeration oscp

[Original] As I've been working through PWK/OSCP for the last month, one thing I've noticed is that enumeration of SMB is tricky, and different tools fail / succeed on different hosts. In this article we focus on enumerating a domain through the SMB and RPC channels, and by the end of it we will have pulled a wide range of information (users, groups, SIDs, privileges, password policy and shares) out of a domain with the rpcclient tool. Disclaimer: these notes are not in the context of any machines I had during the OSCP lab or exam.

What we are talking to. Server Message Block in modern language is also known as the Common Internet File System (CIFS). It operates as an application-layer network protocol primarily used for offering shared access to files, printers, serial ports, and other sorts of communication between nodes on a network. MSRPC was originally derived from open source software but has been developed further and copyrighted by Microsoft; the RPC interfaces enumerated below (SAMR, LSARPC, SRVSVC) are reached over SMB named pipes, so everything here goes to the port nmap reports as

445/tcp open microsoft-ds

First checks. I tend to check nbtscan first, then nmap with its smb scripts. The output is long, but some highlights to look for: the share type in smb-enum-shares (a disk share shows "| Type: STYPE_DISKTREE"), and the server banner that rpcclient's srvinfo prints, for example

LEWISFAMILY     Wk Sv PrQ Unx NT SNT Mac OS X

which already tells you this is a Unix ("Unx") Samba server on Mac OS X rather than a Windows box, so Windows-only exploits can be dropped from the list. ngrep is a neat tool to grep on network data and is used further down to sniff the Samba version out of a null session.

rpcclient basics. rpcclient takes the target host plus the usual Samba authentication options; the ones that matter here are

-U, --user=USERNAME              Set the network username
-i, --scope=SCOPE                Use this Netbios scope
-n, --netbiosname=NETBIOSNAME    Primary netbios name

Start by typing "enum" at the prompt and hitting <tab><tab>:

rpcclient $> enum
enumalsgroups  enumdomains  enumdrivers  enumkey  enumprivs  enumdata  enumdomgroups  enumforms  enumports  enumtrust  enumdataex  enumdomusers  enumjobs  enumprinter

Half of those (enumdrivers, enumforms, enumports, plus getdriver "Get print driver information") are spooler commands; for domain enumeration the interesting ones are enumdomains, enumdomusers, enumdomgroups, enumalsgroups, enumtrust and enumprivs. For example

rpcclient $> enumprivs

lists every privilege the server knows about, which is worth reading before trying lsaaddacctrights later.

smbmap and smbclient. When a session works smbmap prints "[+] User SMB session establishd on [ip]" (the typo is the tool's). It can search for a file in recursive mode and download it inside /usr/share/smbmap, or download everything to the current directory. In smbclient, mask specifies the mask which is used to filter the files within the directory (e.g. mask "" matches every file before a recursive mget).

RID cycling. Once you have the domain SID, lookupsids with the SID plus a candidate RID resolves it to a name:

rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2002
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-501

RIDs that exist come back as DOMAIN\name (type); RIDs that do not come back as

result was NT_STATUS_NONE_MAPPED

so a run of NONE_MAPPED in the middle of the RID range is normal and not an error to stop on.
This is an enumeration cheat sheet that I created while pursuing the OSCP.

Getting the Samba version with ngrep. Running ngrep on port 139 with a case-insensitive pattern that matches "samba" followed by a digit (in the original: ngrep -i -d <iface> 's.?a.?m.?b.?a.*[[:digit:]]' port 139) in one terminal and then echo exit | smbclient -L [IP] in another will dump out a bunch of info including the version. smbclient's null-session negotiation is what makes the server announce itself; ngrep just catches it on the wire.

nmap. A typical smb-enum-shares excerpt looks like

Host is up (0.037s latency).
| smb-enum-shares:
|_  Current user access: READ

"Current user access" is computed for the credentials nmap used (anonymous unless you pass smbusername/smbpassword), so READ here means a null session can read that share.

rpcclient help. The help table lists commands grouped by RPC interface, with each group separated by rows of dashes (--------------- ----------------------); the general entries include

help               Get help on commands
dsenumdomtrusts    Enumerate all trusted domains in an AD forest
samsync            Sam Synchronisation (assumes a valid machine account to this domain controller)

Privileges. enumprivs prints one line per privilege with its LUID, e.g. SeSecurityPrivilege 0:8 (0x0:0x8).

Password policy. In the previous command we used getdompwinfo to get the password properties of the domain as dictated by its policies (minimum length and the password-properties flags such as complexity). Read this before any password guessing so you know what the lockout situation is.

Creating a user. In the demonstration a user hacker is created with createdomuser and then a password is set on it with setuserinfo2. This needs an account that already has the right to create users; it is a post-exploitation step, not something a null session can do.

Groups. Many groups are created for a specific service, so the group list doubles as an inventory of what is installed in the domain.

SIDs and RIDs. To do this the attacker first needs a SID. When the RID is used as the parameter, the samlookuprids command extracts the username belonging to that RID, and lookupsids does the same for a full SID:

rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2002
S-1-5-21-1835020781-2383529660-3657267081-2002 LEWISFAMILY\user (1)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-2001
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1004

Samba share options. Forbid the creation and modification of files? That is the read only option in smb.conf; read only = no (or writable = yes) is what lets you drop files on a share.

Through a beacon. Second, the attacker opens a socks4 proxy on port 7777 on his local kali machine (10.0.0.5) from the beacon. This means that the attacker can now use proxychains to proxy traffic from their kali box through the beacon to the target (attacker ---> beacon ---> end target).
rpcclient is a part of the Samba suite on Linux distributions, and it needs either a null session or valid credentials on the target.

srvinfo also prints the operating system version the server reports about itself, for example

os version : 4.9

which feeds straight into the exploit search once you know whether the host is Windows or Samba.

SIDs. Learning about the various compromises that can be performed with Mimikatz, we know that a user's SID (Security Identifier) is the input for a lot of privilege-escalation and ticket-minting attacks, which is why the SID-oriented rpcclient commands matter beyond plain enumeration: the domain SID you pull with lsaquery here is the same value a golden ticket needs later.

Shares. netshareenum output carries the local path of each share, e.g.

path: C:\tmp

Samba share options. What permissions must be assigned to the newly created directories? That is directory mask in smb.conf; a 0777 mask means any directory you create through the share is world-writable on the server's filesystem.
Domain policies. The policies that are applied on a domain are also dictated by the various groups that exist, so enumerate groups before drawing conclusions from getdompwinfo alone.

Enumerate Domain Groups.

LSA keeps a separate account object per SID, and an attacker with the right access can create an account object based on the SID of that user and then attach rights to it (lsaaddacctrights), which is the basis of the privilege manipulation shown later.

SMB versions. SMB allows you to share your resources with other computers over the network. SMB1 is the version susceptible to known attacks (EternalBlue, WannaCry) and is disabled by default in newer Windows versions; SMB2 reduced the "chattiness" of SMB1.

nmap vulnerability scripts. Host script results from the smb-vuln-* scripts show up per host:

Host script results:
| \\[ip]\share:
|_smb-vuln-ms10-061: false
| Disclosure date: 2006-6-27

(the disclosure date belongs to the ms06-025 RRAS check). A "false" result is a real negative; a script that prints nothing usually could not authenticate, which is not the same thing.

Exploit lookup. Once you know the version, search Metasploit:

search type:exploit platform:windows target:2008 smb

Pass-the-hash with the Samba tools. smbclient and rpcclient both accept an NT hash in place of a password:

rpcclient -U 'domain.local/USERNAME%754d87d42adabcca32bdb34a876cbffb' --pw-nt-hash [ip]

User information. You can use querydispinfo and enumdomusers to query user information; this info should already have been gathered by enum4linux and enum4linux-ng, and the Impacket examples cover the same RPC interfaces:

/usr/share/doc/python3-impacket/examples/samrdump.py
/usr/share/doc/python3-impacket/examples/rpcdump.py

Connecting to shares. In a file browser window (nautilus, thunar, etc) you can open an smb:// URL for the host directly. It is always recommended to look if you can access anything; if you don't have credentials try a null session or the guest account. If you omit the password on the command line it will be prompted. Read the error strings: they may indicate whether the share exists and you do not have access to it (NT_STATUS_ACCESS_DENIED) or the share does not exist at all (NT_STATUS_BAD_NETWORK_NAME).

rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1014

Other rpcclient commands from the help table:

getdispname     Get the privilege name
queryaliasmem   Query alias membership
shutdown        Remote Shutdown

Samba version via grep. The tcpdump/smbclient trick further down pipes the captured packets through | grep -oP 'UnixSamba.*' to pull the version string out.
Quick commands (the cheat-sheet part). rpcclient with no password, running one command and exiting:

rpcclient --user="" --command=enumprivs -N 10.10.10.10

Named pipes exposed through the endpoint mapper (the pipe names tell you which RPC interfaces, e.g. samr, lsarpc, srvsvc, are reachable):

rpcdump.py 10.11.1.121 -p 135 | grep ncacn_np

Share listing with a null session, then the same with crackmapexec trying empty, default and guessed credentials:

smbclient -L //10.10.10.10 -N
crackmapexec smb 10.10.10.10 -u '' -p '' --shares
crackmapexec smb 10.10.10.10 -u 'sa' -p '' --shares
crackmapexec smb 10.10.10.10 -u 'sa' -p 'sa' --shares
crackmapexec smb 10.10.10.10 -u '' -p '' --share share_name
crackmapexec smb 192.168.0.115 -u '' -p '' --shares --pass-pol

--pass-pol is the same data as rpcclient's getdompwinfo; check the lockout threshold it reports before running anything like

ncrack -u username -P rockyou.txt -T 5 10.10.10.10 -p smb -v

Mounting a share (the second form forces SMB1 for old servers and maps the files to root):

mount -t cifs "//10.1.1.1/share/" /mnt/wins
mount -t cifs "//10.1.1.1/share/" /mnt/wins -o vers=1.0,user=root,uid=0,gid=0

[Update] Adding it to the original post.

lookupnames. The reverse of lookupsids: give it a name and it returns the SID and type:

rpcclient $> lookupnames root
root S-1-5-21-1835020781-2383529660-3657267081-1000 (User: 1)

In the demonstration presented there are two domains, IGNITE and Builtin; the Builtin "domain" holds the well-known local groups, so expect it on every Windows host and do not mistake it for a second real domain.

This cheat sheet contains content from other blogs for my quick reference, and should not be considered complete; it only represents a snapshot in time of the commands I used for enumeration during my OSCP journey.

Port discovery and service scan, before any of the SMB-specific work:

masscan -p1-65535,U:1-65535 --rate=1000 10.10.10.x -e tun0 > ports
ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
nmap -Pn -sC -sV --script=vuln*.nse -p$ports 10.10.10.x -T5 -A
nmap -sV --script=vulscan/vulscan.nse 10.10.10.x    (https://securitytrails.com/blog/nmap-vulnerability-scan)

(the original note recommends a full connect scan instead of a SYN scan to prevent getting flagged by firewalls). Other odds and ends from the same notes: from the Apache version you can find the Ubuntu release (search "ubuntu httpd versions"); a recovered private key is used for login and, if it is passphrase-protected, can be cracked; for passwordless login add id_rsa.pub to the target's authorized_keys; add an extracted domain name to /etc/hosts and dig again.

More help-table entries:

shutdowninit   Remote Shutdown (over shutdown pipe)
lookupsids     Convert SIDs to names
dfsenum        Enumerate dfs shares

Groups. Upon running enumdomgroups in the rpcclient shell, it extracts the groups together with their RIDs.
Dec 2, 2018, PWK Notes: SMB Enumeration Checklist [Updated]. A collection of commands and tools used for conducting enumeration during my OSCP journey.

Finding the version. To look for possible exploits to the SMB version it is important to know which version is being used; nmap's "PORT STATE SERVICE" table only gives the service name. rewardone in the PWK forums posted a neat script to easily get Samba versions (it sniffs the null-session negotiation with tcpdump while smbclient connects). When you run this on a box running Samba, you get the version string back. When in doubt, we can check the SMB version in a PCAP: we can filter on ntlmssp.ntlmv2_response to see NTLMv2 traffic, for example, and the SMB1 Session Setup response carries the server's OS and LAN Manager strings.

[Update 2018-12-02] I just learned about smbmap, which is just great.

Shares. smbclient -L prints a table headed

Server               Comment

and a directory listing inside a share looks like

..     D   0   Thu Sep 27 16:26:00 2018

nmap's view of the same shares:

Nmap scan report for [ip]
| Anonymous access:
| Current user access: READ/WRITE
C$   NO ACCESS

"Anonymous access" is what a null session gets; "Current user access" is what the credentials you passed get. Thus it might be worth a shot to try to manually connect to a share that nmap says you cannot list, because listing and connecting are different permissions. To enumerate these shares over RPC the attacker can use netshareenum in rpcclient, whose output is one block per share:

netname: ADMIN$
netname: IPC$

ADMIN$, C$ and IPC$ are the default administrative shares; IPC$ is the one a null session binds to for RPC, so "C$ NO ACCESS" is expected and not a finding.

Obviously the SIDs are different on every host, but you can still pull down the usernames and start bruteforcing those other open services.

Users and groups. After connecting, rpcclient will give you the most excellent "rpcclient $> " prompt. Since user and password-related information is stored inside the server's SAM, the sam* commands query it directly: when provided with a username, samlookupnames extracts the RID of that particular user. queryuseraliases ("Query user aliases") and queryusergroups go the other way; in the case of queryusergroups, the groups that user belongs to are enumerated. In the demonstration it can be observed that the user has stored their credentials in the Description field returned by queryuser, which is exactly the sort of thing this enumeration is for.

rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-500

resolves the built-in Administrator RID (500), which exists in every domain and is a good first sanity check of the SID you are cycling.

More options and help entries:

-c, --command=COMMANDS                 Execute semicolon separated cmds
-O, --socket-options=SOCKETOPTIONS     socket options to use
lookupnames   Convert names to SIDs
getdcname     Get trusted DC name
enumdataex    Enumerate printer data for a key
setdriver     Set printer driver
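The share workflow above (netshareenum/netshareenumall, then a manual connection attempt and reading the NT_STATUS it returns) as shell functions. This is an added example, not code from the original page or from the Samba project; the netshareenumall output it parses is constructed for the demo, and the share names, paths and target address are made up.

```shell
#!/bin/sh
# Added example, not from the original page: turn rpcclient's netshareenumall
# output into a share list and classify manual smbclient connection attempts.
# The sample output below is constructed for the demo.

# netshareenumall prints one block per share:
#   netname: IPC$
#       remark: IPC Service (Samba)
#       path:   C:\tmp
#       password:
# Emit "netname<TAB>path<TAB>remark" per share.
shares_from_netshareenumall() {
  awk '
    function flush() { if (name != "") printf "%s\t%s\t%s\n", name, path, remark }
    /^netname:/ { flush(); name = $2; path = ""; remark = "" }
    /^[ \t]*remark:/ { sub(/^[ \t]*remark:[ \t]*/, ""); remark = $0 }
    /^[ \t]*path:/   { sub(/^[ \t]*path:[ \t]*/, "");   path = $0 }
    END { flush() }
  '
}

# Administrative shares (ADMIN$, C$, IPC$, print$) are expected on every host;
# the remaining ones are the ones worth a manual connection attempt.
non_default_shares() {
  awk -F '\t' '$1 != "ADMIN$" && $1 != "C$" && $1 != "IPC$" && $1 != "print$" { print $1 }'
}

# Map the NT_STATUS in smbclient output to what it tells you about the share.
classify_probe() {
  out=$(cat)
  case "$out" in
    *NT_STATUS_BAD_NETWORK_NAME*) printf 'missing\n' ;;     # share does not exist
    *NT_STATUS_ACCESS_DENIED*)    printf 'denied\n' ;;      # exists, no access with these creds
    *NT_STATUS_LOGON_FAILURE*)    printf 'badcreds\n' ;;    # credentials rejected outright
    *NT_STATUS_*)                 printf 'error\n' ;;       # anything else SMB complained about
    *)                            printf 'accessible\n' ;;  # got a listing / a session
  esac
}

# Probe every non-default share as a null session; $1 = target address.
probe_shares() {
  shares_from_netshareenumall | non_default_shares | while read -r share; do
    verdict=$(smbclient -N "//$1/$share" -c ls 2>&1 | classify_probe)
    printf '%s\t%s\n' "$share" "$verdict"
  done
}

# Demo on constructed output (no network needed):
SAMPLE='netname: ADMIN$
	remark:	Remote Admin
	path:	C:\Windows
	password:
netname: IPC$
	remark:	Remote IPC
	path:
	password:
netname: wwwroot
	remark:	Web root
	path:	C:\inetpub\wwwroot
	password:
'
printf '%s' "$SAMPLE" | shares_from_netshareenumall | non_default_shares
# Live use:
#   rpcclient -U "" -N 10.10.10.10 -c netshareenumall | probe_shares 10.10.10.10
```

The verdict column is the part people skip: "denied" means the share is there and worth revisiting with credentials, while "missing" means the name can be dropped from the list entirely.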
List of SMB versions and corresponding Windows versions: SMB1 is Windows 2000, XP and Windows 2003 (later versions continue below).

Getting the Samba version from the wire. If this information does not appear in the other tools you used, you can sniff it: the script needs root or enough permissions to use tcpdump, listens for the first 7 packets of a null login, and will sometimes not capture or will print multiple lines (just run it a second time). The version string is the one the grep -oP 'UnixSamba.*' filter pulls out. A host that never answers just shows

timeout connecting to 192.168.182.36:445

NetBIOS names. nbtscan / nmblookup output lists each name with its suffix and type, e.g. WORKGROUP <1e> - M; the <1e> suffix is the workgroup's browser election name, <00> the workstation or workgroup name.

RID cycling continued:

rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1009
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1004
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1013
S-1-5-21-1835020781-2383529660-3657267081-501 LEWISFAMILY\unknown (1)

Note that 501 resolves to an account literally named "unknown" with type 1 (user); that is a real mapped name and not a lookup failure, which would read "result was NT_STATUS_NONE_MAPPED".

Domains. We have enumerated the users and groups on the domain but not enumerated the domain itself; enumdomains and lsaquery do that next.

Groups by RID. It is possible to target a group with querygroup using the RID that was extracted while running enumdomgroups.

Rights. lsaremoveacctrights ("Remove rights from an account") undoes lsaaddacctrights. In other words it is possible to enumerate AD (or create/delete AD users, etc.) over RPC alone, without touching net.exe on any host.

nmap's ms06-025 (RRAS) check, when it fires, ends with

| State: VULNERABLE
| A buffer overflow vulnerability in the Routing and Remote Access service (RRAS) in Microsoft Windows 2000 SP4, XP SP1
| \\[ip]\IPC$:
Nmap done: 1 IP address (1 host up) scanned in 5.58 seconds

Hydra reports its plan before starting:

[DATA] 1 tasks, 1 servers, 816 login tries (l:1/p:816), ~816 tries per task

Share detail fields from netshareenum/netsharegetinfo include password: (empty when no share-level password is set), and administrative shares show as C$ NO ACCESS to a null session. The help table also has a SHUTDOWN section.
SMB2 is Windows Vista SP1 and Windows 2008.

crackmapexec. Share, RID and user enumeration as guest, then authenticated use with a password, with an LM:NT hash (pass the hash), with the mimikatz module, and for command execution:

crackmapexec smb $ip -u 'guest' -p '' --shares
crackmapexec smb $ip -u 'guest' -p '' --rid-brute 4000
crackmapexec smb $ip -u 'guest' -p '' --users
crackmapexec smb 192.168.1.0/24 -u Administrator -p '<password>'
crackmapexec smb 192.168.1.0/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B
crackmapexec smb 192.168.1.0/24 -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -M mimikatz
crackmapexec smb $ip -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B -x whoami
crackmapexec smb $ip -u Administrator -H E52CAC67419A9A2238F10713B629B565:64F12CDDAA88057E06A81B54E73B949B --exec-method smbexec -x whoami    # reliable pth code execution

--rid-brute is the same RID cycling as rpcclient's lookupsids, done for you up to the RID you give.

NetBIOS output continued: [hostname] <00> - M and WORKGROUP <00> - M.

SIDs. As with lsaenumsid, it was possible to extract the SIDs but not to tell which user has each one; lookupsids is what turns them into names. Further, when the attacker used the same SID as the parameter for lsaenumprivaccount, they were able to enumerate the privileges held by that account, each shown with its LUID (high and low parts) and attribute flags.

Domains. In scenarios where there may be multiple domains in the network, the attacker can use enumdomains to enumerate all the domains deployed there.

Aliases. The next command is enumalsgroups. SMB itself has undergone several stages of development and stability (see the version list above).

Shares as a null session sees them:

IPC$   NO ACCESS
C$     Disk   Default share
remark: IPC Service (Mac OS X)

More help-table entries and options:

lsalookupprivvalue   Get a privilege value given its name
logonctrl            Logon Control
sourcedata           Source data
-l, --log-basename=LOGFILEBASE   Basename for log/debug files

Hydra warns if an earlier run was interrupted:

WARNING: Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort

nmap's ms06-025 block ends with references:

| References:
|_  https://technet.microsoft.com/en-us/library/security/ms06-025.aspx

The sniffing script may need to run a second time for success.
lsaquery. The next command that helps with enumeration is lsaquery: in the demonstration it can be observed that a query was generated for LSA which returned information such as the Domain Name and SID. That SID is the prefix for every RID-cycling lookup above, so get it first. The SID of a specific user was retrieved with lookupnames. The related lsaquerysecobj command is built on LSA Query Security Object and returns the security descriptor of the LSA policy object itself.

enumprivs output:

found 5 privileges
SeMachineAccountPrivilege 0:6 (0x0:0x6)

Samba share options. Honor privileges assigned to specific SID? That is enable privileges in smb.conf, which is what makes rights granted via lsaaddacctrights actually take effect on a Samba server.

Groups. enumalsgroups enumerates alias groups on the domain (the local groups, as opposed to the global groups from enumdomgroups). After createdomgroup, the new group can be verified with enumdomgroups. Since we already performed the enumeration of such data earlier in the article, in this demonstration we enumerate with enumdomgroups and enumdomusers and then use the query-oriented commands (queryuser, querygroup); the user list can be elaborated on using querydispinfo, which adds the full name and description per account.

Shares. netsharegetinfo followed by the name of the share you are trying to enumerate extracts details about that particular share. nmap lists shares as | \\[ip]\wwwroot: and so on, and its ms17-010 check (| smb-vuln-ms17-010:) is the one to read first on an SMB1 host; the ms06-025 description continues: "execute arbitrary code via certain crafted "RPC related requests" aka the "RRAS Memory Corruption Vulnerability."".

NetBIOS. Two applications start a NetBIOS session when one (the client) sends a command to call another client (the server) over TCP port 139:

139/tcp open netbios-ssn Microsoft Windows netbios-ssn

nbtscan output shows the name suffixes, e.g. IS~[hostname] <00> - M. Nice!

Through a beacon. First, two Cobalt Strike sessions; second, the attacker opens a socks4 proxy on port 7777 on his local kali machine (10.0.0.5). The point is to enumerate without the likes of net user / net group, which most likely are monitored by the blue team. The RPC calls still reach the domain controller, so this evades host-side command-line logging, not DC-side auditing of SAMR and LSA access.

rewardone's smbver.sh script, reconstructed here from the fragments on this page to the version posted in the PWK forums (the interface name is a placeholder to adjust):

    #!/bin/sh
    # Requires root or enough permissions to use tcpdump
    # Will listen for the first 7 packets of a null login and grab the SMB version
    # Will sometimes not capture or will print multiple lines; may need to run a second time for success
    if [ -z $1 ]; then echo "Usage: ./smbver.sh RHOST {RPORT}" && exit; else rhost=$1; fi
    if [ ! -z $2 ]; then rport=$2; else rport=139; fi
    tcpdump -s0 -n -i tap0 src $rhost and port $rport -A -c 7 2>/dev/null | grep -i "samba\|s.a.m" | tr -d '.' | grep -oP 'UnixSamba.*[0-9a-z]' | tr -d '\n' & echo -n "$rhost: " &
    echo "exit" | smbclient -L $rhost 2>/dev/null
    echo "" && sleep .1

More RID cycling and help entries:

rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1003
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1015
getform   Get form

A Mind Map about OSCP Guide submitted by Rikunj Sindhwad on Jun 12, 2021.
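The RID-cycling loop that the lookupsids lines on this page were produced by, written out as shell functions: take the domain SID from lsaquery, the hex RIDs from enumdomusers, build one lookupsids call for a whole RID range, and keep only the SIDs that resolved. This is an added example, not code from the original page or from Samba; the rpcclient output it consumes in the demo is constructed, and the domain name and RIDs in it are made up.

```shell
#!/bin/sh
# Added example, not from the original page: the RID-cycling loop behind the
# lookupsids lines above, as shell functions. The domain SID comes from
# lsaquery, user RIDs from enumdomusers, and lookupsids resolves SID+RID to a
# name. All rpcclient output used in the demo below is constructed.

# "Domain Sid: S-1-5-21-..." -> "S-1-5-21-..."
domain_sid() {
  sed -n 's/^[[:space:]]*Domain Sid:[[:space:]]*\(S-[0-9-]*\).*/\1/p' | head -n 1
}

# "user:[hacker] rid:[0x3e9]" -> "hacker<TAB>1001"  (enumdomusers prints RIDs in hex)
enumdomusers_to_rids() {
  sed -n 's/^[[:space:]]*user:\[\([^]]*\)\][[:space:]]*rid:\[0x\([0-9a-fA-F]*\)\].*/\1 \2/p' |
  while read -r name hexrid; do
    printf '%s\t%s\n' "$name" "$((0x$hexrid))"
  done
}

# Build one lookupsids command covering a RID range; rpcclient accepts many
# SIDs per call, so a whole range is one command instead of one per RID.
lookupsids_cmd() {   # $1 domain SID, $2 first RID, $3 last RID
  cmd="lookupsids"
  rid=$2
  while [ "$rid" -le "$3" ]; do
    cmd="$cmd $1-$rid"
    rid=$((rid + 1))
  done
  printf '%s\n' "$cmd"
}

# Keep only SIDs that resolved. Unmapped entries are printed as
# "*unknown*\*unknown* (8)" (type 8 = SidTypeUnknown) or as
# "result was NT_STATUS_NONE_MAPPED"; both are dropped.
resolved_only() {
  grep -E '^S-[0-9-]+ [^ ]+ \([0-9]+\)$' | grep -v -e '\*unknown\*' -e ' (8)$'
}

# Demo on constructed output (no network needed):
DSID=$(printf 'Domain Name: LEWISFAMILY\nDomain Sid: S-1-5-21-1835020781-2383529660-3657267081\n' | domain_sid)
printf 'user:[Administrator] rid:[0x1f4]\nuser:[hacker] rid:[0x3e9]\n' | enumdomusers_to_rids
lookupsids_cmd "$DSID" 500 502
# Live use as a null session (newer Samba and Windows reject it; pass -U user%pass then):
#   rpcclient -U '' -N "$target" -c "$(lookupsids_cmd "$DSID" 500 1100)" | resolved_only
```

The type number in parentheses is SID_NAME_USE, so the filter keeps users (1), groups (2) and aliases (4) alike; if you only want accounts to feed into password guessing, add a final grep for " (1)$".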
rpcclient $> help

prints the full command table. Hidden shares show up in nmap as | Type: STYPE_IPC_HIDDEN (IPC$ and the other $-suffixed administrative shares).

srvinfo. One of the first enumeration commands to be demonstrated here is srvinfo, which returns the server name, its type flags and the OS version.

What RPC is. In this communication one process (the client) makes requests of another process (the server), possibly on a different host, as if it were calling a local function; MSRPC is Microsoft's flavour of it and is what rpcclient speaks over the SMB pipes.

NetBIOS. Software applications that run on a NetBIOS network locate and identify each other via their NetBIOS names; smbclient -L prints "Reconnecting with SMB1 for workgroup listing." when it has to fall back to SMB1 to fetch that browse list.

Creating users and checking rights. At last, the created user can be verified with enumdomusers. The whole rights cycle (lsaaddacctrights, check, lsaremoveacctrights) can be observed in the usage of lsaenumprivaccount. lookupnames works for built-in names too, with a twist:

rpcclient $> lookupnames guest
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1007

(guest not mapping means the guest account is renamed or absent on this host, not that lookupnames is broken). These commands can enumerate the users and groups in a domain; querygroup on one of them shows, for example, that the group has attribute value 7 and 2 users as members.

Through the beacon, step by step. Once proxychains is configured, the attacker can start enumerating the AD environment through the beacon; moving on, in the same way they can query info about specific AD users (queryuser), enumerate the current user's privileges (lsaenumprivaccount) and many more (consult rpcclient for all available commands); finally, of course, they can run nmap through the proxy if needed (connect scans only, since a socks proxy cannot carry raw SYN packets or ICMP). Impacket provides even more tools to enumerate remote systems through compromised boxes.

Hydra output:

Hydra (http://www.thc.org) starting at 2007-07-27 21:51:46
[STATUS] 29.00 tries/min, 29 tries in 00:01h, 787 todo in 00:28h

That rate is slow and loud, so check the lockout policy (getdompwinfo / --pass-pol) before starting it.

Anecdote. A Little Guide to SMB Enumeration. Yet another reason to adjust your file & printer sharing configurations when you take your computer on the road (especially if you share your My Documents folder): yeah, so I was bored on the hotel wireless... err... lab, and started seeing who had ports 135, 139, 445 open.

Also from the notes: there are a couple of machines in the lab that will only work on the first attempt. Help-table entries: deldriver (Delete a printer driver), enumkey (Enumerate printer keys).
rpcclient is part of the samba(7) suite:

Usage: rpcclient [OPTION] <server>

and there are multiple methods to connect to a remote RPC service: a null session, a password, an NT hash (--pw-nt-hash) or Kerberos (-k). Relevant options and commands from the help table:

sign            Force RPC pipe connections to be signed
debuglevel      Set debug level
abortshutdown   Abort Shutdown
addprinter      Add a printer

The commands are grouped by interface; SRVSVC is the one for shares (netshareenum and friends).

Shares. Connecting to a share by name with smbclient will attempt the tree connect: it returns NT_STATUS_ACCESS_DENIED (share exists, you cannot use it), NT_STATUS_BAD_NETWORK_NAME (no such share), or it even gives you a session. The Metasploit SMB auxiliary scanners do the same checks in bulk. Samba share options: Allow listing available shares in the current share? That is browseable in smb.conf; a non-browseable share does not appear in -L listings or netshareenum but can still be connected to by name, which is one reason to try the default Windows share names even when nothing is listed.

Users, groups and rights. As from the previous commands we saw that it is possible to create a user through rpcclient. After creating the users and changing their passwords, it is time to manipulate the groups; the manipulation of groups is not limited to creating one. Using lookupnames we can get the SID of a user; after verifying with lsaenumprivaccount that the privilege was added, we removed it from the user using lsaremoveacctrights. querygroup returns the Group Name, Description, Attributes and the number of members in that group.

Background. Server Message Block in modern language is also known as the Common Internet File System. Most corporate offices don't want their employees to use USB sticks or other media to share files and data among themselves, which is why SMB shares are everywhere. Port table entry:

PORT    STATE SERVICE
139/tcp open  netbios-ssn

Through a beacon, first step: two Cobalt Strike sessions, PID 260 being a beacon injected into a dllhost process. A collection of commands and tools used for conducting enumeration during my OSCP journey; a | State: VULNERABLE line in the nmap output is where the exploit work starts.
Password policy per user. It is also possible to get the password properties of individual users with getusrdompwinfo and the user's RID (the domain-wide values come from getdompwinfo).

SIDs. In our previous attempt to enumerate SIDs we used lsaenumsid; for this particular demonstration we first need a SID, which lookupnames or lsaquery provides.

Null sessions and guest. Windows NT, 2000 and XP (mostly SMB1) are VULNERABLE: null sessions can be created by default. Windows 2003 and XP SP2 onwards are NOT VULNERABLE: null sessions cannot be created by default, and guest access is disabled by default. Old Samba servers still answer null sessions, which is why a blank password is always worth a try: you will be asked for a password, leave it blank and press enter to continue.

Scanning:

nmap -p 139,445 --open -oG smb.txt 192.168.1.0/24
nmap --script smb-enum-shares -p 139,445 $ip
nmap --script=smb-enum* --script-args=unsafe=1 -T5 $ip
nmap --script=smb-vuln* --script-args=unsafe=1 -T5 $ip
nmap --script=smb2-capabilities,smb-print-text,smb2-security-mode.nse,smb-protocols,smb2-time.nse,smb-psexec,smb2-vuln-uptime,smb-security-mode,smb-server-stats,smb-double-pulsar-backdoor,smb-system-info,smb-vuln-conficker,smb-enum-groups,smb-vuln-cve2009-3103,smb-enum-processes,smb-vuln-cve-2017-7494,smb-vuln-ms06-025,smb-enum-shares,smb-vuln-ms07-029,smb-enum-users,smb-vuln-ms08-067,smb-vuln-ms10-054,smb-ls,smb-vuln-ms10-061,smb-vuln-ms17-010,smb-os-discovery --script-args=unsafe=1 -T5 $ip
nmap -p139,445 -T4 -oN smb_vulns.txt -Pn --script 'not brute and not dos and smb-*' -vv -d $ip

unsafe=1 lets the vuln scripts run checks that can crash the target service (smb-vuln-ms10-054 in particular), so keep it off anything that matters.

Old protocol versions. If smbclient fails with "protocol negotiation failed: NT_STATUS_CONNECTION_DISCONNECTED", the server only speaks SMB1 and the client has to be told to allow it:

smbclient -L //10.10.10.3/ --option='client min protocol=NT1'

Samba 3.x-4.x is vulnerable to linux/samba/is_known_pipename (CVE-2017-7494, the bug the smb-vuln-cve-2017-7494 script above checks for; 3.5.0 onwards until the 2017 fixes), and Samba 3.5.11 in particular.

Other output and entries: Looking up status of [ip] (the nbtstat/nmblookup header); hydra's "[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)"; the port line 139/tcp open netbios-ssn; help entries netfileenum (Enumerate open files) and rffpcnex (Rffpcnex test).
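The smb.conf settings behind the Samba share questions scattered through these notes (browseable, read only / writable, create mask and directory mask, enable privileges), together with the global options that close the null-session and SMB1 doors the scans above look for. This is an added example, not configuration from the original page or from the Samba project; the share names, path and group name are made up.

```ini
# Added example, not from the original page: the smb.conf parameters behind
# the questions above (browseable, read only / writable, directory mask,
# enable privileges) plus the global settings that shut null sessions down.
# Share names, paths and the staff group are made up.

[global]
   # enable privileges is a global option: it makes rights granted with
   # net rpc rights grant / lsaaddacctrights take effect. It defaults to yes.
   enable privileges = yes
   # Refuse SMB1, so --option='client min protocol=NT1' has nothing to talk to
   server min protocol = SMB2_02
   # restrict anonymous = 2 denies anonymous IPC$ connections, which is what
   # rpcclient -N, enum4linux and the null-session nmap scripts depend on;
   # map to guest = Never stops bad credentials from silently becoming guest
   restrict anonymous = 2
   map to guest = Never

# What null-session enumeration hopes to find: listed, guest-accessible,
# writable, and creating world-writable files and directories.
[dropbox-weak]
   path = /srv/samba/dropbox
   browseable = yes
   guest ok = yes
   read only = no
   writable = yes
   create mask = 0777
   directory mask = 0777

# The same share hardened: hidden from listings, authenticated, read-only
# except for one group, and sane masks.
[dropbox]
   path = /srv/samba/dropbox
   browseable = no
   guest ok = no
   valid users = @staff
   read only = yes
   write list = @staff
   create mask = 0660
   directory mask = 0770
```

Samba does not support trailing comments on a parameter line, which is why every comment above sits on its own line; testparm reports the effective values if you want to confirm a share really is read-only after editing.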
With some input from the NetSecFocus group, I'm building out an SMB enumeration checklist here (OSCP Enumeration Cheat Sheet).

(MS)RPC and NetBIOS. A NetBIOS name is up to 16 characters long and usually separate from the computer name; on other systems you'll find services and applications using port 139 (the NetBIOS session service) rather than 445.

More rpcclient options:

-A, --authentication-file=FILE   Get the credentials from a file
-k, --kerberos                   Use kerberos (active directory)
-?, --help                       Show this help message

Shares via RPC. If you want to enumerate all the shares, including the hidden ones, use netshareenumall. netsharegetinfo on one share returns its path, remarks, whether the share has a password for access, the number of users currently accessing it and what kind of access is allowed. smbmap summarises the same thing per share (e.g. SYSVOL READ ONLY) after the Enter WORKGROUP\root's password: prompt, and with a '*' pattern it can download everything recursively in the wwwroot share to /usr/share/smbmap.

RID cycling results:

S-1-5-21-1835020781-2383529660-3657267081-500   LEWISFAMILY\Administrator (1)
S-1-5-21-1835020781-2383529660-3657267081-2003  LEWISFAMILY\user (2)
rpcclient $> lookupsids S-1-5-21-1835020781-2383529660-3657267081-1008
result was NT_STATUS_NONE_MAPPED

The number in parentheses is the SID_NAME_USE type: 1 = user, 2 = group. So -2003 is a group named "user", while -2002 (above) is the user account of the same name; Samba hands out separate RIDs for a Unix user and its primary group of the same name.

Through a beacon. This lab shows how it is possible to bypass command-line argument logging when enumerating Windows environments, using Cobalt Strike and its socks proxy (or any other post-exploitation tool that supports socks proxying). Let's see how this works by first updating the proxychains config file.

help   Get help on commands
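The proxychains configuration the beacon walkthrough refers to, as an added example (not the original post's file): the socks4 server started in the beacon listens on the attacker's kali box, so from kali's point of view the proxy is 127.0.0.1 on the port the post uses, 7777. Everything else is the stock proxychains-ng layout; the timeouts are assumptions that work for a typical beacon sleep.

```text
# /etc/proxychains4.conf (or /etc/proxychains.conf on older installs)
# Added example, not from the original post: only the ProxyList entry is
# specific to the lab (socks4 on the kali box, port 7777, opened from the beacon).
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 7777
```

With that in place, prefix rpcclient with proxychains and batch the commands with -c (lsaquery, enumdomusers, enumdomgroups, queryuser and so on separated by semicolons) so each step is one proxied connection rather than an interactive session; nmap through the same proxy must be a connect scan (-sT) with host discovery disabled (-Pn), because socks carries only TCP connections.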