Gathering Information Anonymously
Basic SMB Reconnaissance
Useful information can be gathered using the SMB protocol:
IP address
Windows version
Fully qualified domain name
SMB version
Target local name
Architecture (x86/x64)
SMB Signing Enabled
Example command to perform reconnaissance on a network using the SMB protocol:
To list all hosts with SMB signing disabled, we can add the flag --gen-relay-list. Signing is the control that stops SMB authentication from being relayed, so any host that appears in this list should be brought under a policy that requires signing.
Exploiting NULL/Anonymous Session
Useful information about the network can be gathered if a host within the network, such as the domain controller, is vulnerable to a NULL/Anonymous session. A NULL session means accessing the IPC$ share (Inter-Process Communication) without authentication. Usually old Windows systems such as Windows 2000 and Windows XP are vulnerable to NULL/Anonymous sessions. With such a session, the following can be enumerated:
Domain users (--users)
Domain groups (--groups)
Password policy (--pass-pol)
Share folders (--shares)
Enumerating users
Below is an example of extracting domain users by exploiting a NULL session. When enumerating users, we might want to check for secrets or passwords in the description field.
When exporting data, the full path should be specified. $(PWD) will export the data to the current directory.
RID brute force
It is also possible to extract the users of a domain using the flag --rid-brute [MAX_RID]. RID stands for relative identifier.
It corresponds to the last portion of the domain SID. RIDs start at 500 (Administrator), and by default CME enumerates RIDs up to 4000.
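To make the SID/RID relationship concrete, here is a small Python example, added here and not part of the original page or of CME: it splits a domain account SID into the domain SID and the RID, labels the well-known RIDs (500, 501, 502 and the built-in groups), and groups a list of SIDs by domain. The sample SIDs are constructed; the fixed RID values are defined by Windows.

```python
"""Split domain SIDs into domain SID + RID and label well-known RIDs.

Added example, not from the original page. SAMPLE_SIDS are constructed.
"""
import re
from collections import defaultdict

# Well-known RIDs fixed by Windows (the page mentions 500 = Administrator).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 519: "Enterprise Admins",
}
FIRST_USER_RID = 1000  # RIDs below 1000 are reserved for built-in principals

# A domain account SID: S-1-5-21-<three sub-authorities>-<RID>
_DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-\d+$")

# Constructed sample: two domains, built-in and user-created principals.
SAMPLE_SIDS = [
    "S-1-5-21-1111-2222-3333-500",
    "S-1-5-21-1111-2222-3333-1105",
    "S-1-5-21-1111-2222-3333-513",
    "S-1-5-21-4444-5555-6666-1000",
]


def is_domain_sid(sid: str) -> bool:
    """True for S-1-5-21-... SIDs; False for BUILTIN (S-1-5-32-...) etc."""
    return bool(_DOMAIN_SID_RE.match(sid))


def split_sid(sid: str):
    """Return (domain_sid, rid). The RID is the last hyphen-separated part."""
    if not is_domain_sid(sid):
        raise ValueError(f"not a domain account SID: {sid!r}")
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


def describe_rid(rid: int) -> str:
    """Label a RID as a named well-known principal, reserved, or user-created."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid < FIRST_USER_RID:
        return "reserved (built-in)"
    return "domain-created"


def group_by_domain(sids):
    """Map each domain SID to its sorted list of (rid, label) pairs."""
    grouped = defaultdict(list)
    for sid in sids:
        domain_sid, rid = split_sid(sid)
        grouped[domain_sid].append((rid, describe_rid(rid)))
    return {domain: sorted(entries) for domain, entries in grouped.items()}


if __name__ == "__main__":
    for domain, entries in group_by_domain(SAMPLE_SIDS).items():
        print(domain)
        for rid, label in entries:
            print(f"  {rid:>5}  {label}")
```

Because RIDs are allocated sequentially from 1000, a directory's highest RID is a rough upper bound on how many principals it has ever held, which is why a sweep up to 4000 is the default and why a large, old domain may need a higher limit.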
Enumerating shares
When enumerating shares with a NULL session, we can leave the -p and -u flags blank. We can also try the user guest or anonymous.
Checking for shares with READ and WRITE privileges.
Password Policy
When examining the password policy output, we might want to look for this specific information:
Domain Password Complex (if set to 1, passwords must comply with the Microsoft password complexity policy)
Account Lockout Threshold
Account Lockout Duration
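The fields listed above are the ones that decide how far password guessing can go, so an assessor usually checks them against a baseline. The Python below is an added example (not code from the original page or from CME): it takes a policy as a dictionary keyed by the field names the page uses, compares it with baseline values that are this example's own assumptions, and returns the findings. The sample policies are constructed, and the lockout duration is assumed to be in minutes.

```python
"""Assess a domain password policy against a baseline.

Added example, not from the original page. SAMPLE_POLICY and HARDENED_POLICY
are constructed; BASELINE values are this example's assumptions, not a
standard. "Locked Account Duration" is assumed to be in minutes.
"""

# Constructed weak policy, using the field names the page lists.
SAMPLE_POLICY = {
    "Minimum password length": 7,
    "Domain Password Complex": 0,
    "Account Lockout Threshold": 0,
    "Locked Account Duration": 0,
}

# Constructed policy that should produce no findings.
HARDENED_POLICY = {
    "Minimum password length": 14,
    "Domain Password Complex": 1,
    "Account Lockout Threshold": 5,
    "Locked Account Duration": 30,
}

# Assumed baseline thresholds for this example.
BASELINE = {
    "min_length": 14,            # characters
    "max_lockout_threshold": 10, # failed attempts before lockout
    "min_lockout_minutes": 15,   # how long an account stays locked
}


def assess_password_policy(policy, baseline=BASELINE):
    """Return a list of human-readable findings; empty means policy meets baseline."""
    findings = []

    # Complexity flag: 1 means the Microsoft complexity rules are enforced.
    if policy.get("Domain Password Complex", 0) != 1:
        findings.append("password complexity is not enforced")

    length = policy.get("Minimum password length", 0)
    if length < baseline["min_length"]:
        findings.append(
            f"minimum password length {length} is below baseline {baseline['min_length']}")

    # Lockout threshold 0 means accounts never lock: unlimited online guessing.
    threshold = policy.get("Account Lockout Threshold", 0)
    if threshold == 0:
        findings.append("no account lockout threshold: unlimited online guessing")
    else:
        if threshold > baseline["max_lockout_threshold"]:
            findings.append(
                f"lockout threshold {threshold} exceeds baseline {baseline['max_lockout_threshold']}")
        duration = policy.get("Locked Account Duration", 0)
        if duration < baseline["min_lockout_minutes"]:
            findings.append(
                f"lockout duration {duration} min is below baseline {baseline['min_lockout_minutes']} min")

    return findings


if __name__ == "__main__":
    for name, pol in (("sample", SAMPLE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, assess_password_policy(pol) or ["no findings"])
```

The lockout threshold is the field that matters most for the brute-force sections that follow: with a threshold of 0 nothing limits online guessing, while a low threshold with a short reset window turns the same guessing into a denial-of-service risk, so the two values have to be read together.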
ASREPRoastable Accounts
To find accounts with Kerberos preauthentication disabled. Uses the LDAP protocol. For more theory and explanations on ASREPRoasting see here.
Brute forcing ASREPRoastable Accounts
We can brute force for vulnerable ASREPRoastable accounts using only a list of account usernames.
Requirement
List of Active Directory users
Dumping all ASREPRoastable Accounts
If we have a valid set of credentials for an Active Directory user, we can list all accounts vulnerable to ASREPRoasting.
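What the LDAP query actually looks for is the DONT_REQ_PREAUTH bit in each account's userAccountControl attribute, and a directory owner can run the same audit to clean the flag up before anyone else finds it. The Python below is an added example, not code from the original page or from CME: it decodes the relevant userAccountControl bits and separates enabled accounts (which can be roasted) from disabled ones (which the KDC will not issue tickets for). The LDAP entries are constructed; the bit values are the ones defined by Active Directory.

```python
"""Find accounts with Kerberos preauthentication disabled via userAccountControl.

Added example, not from the original page. SAMPLE_ENTRIES are constructed;
the UAC bit values are those defined by Active Directory.
"""

# userAccountControl bit flags (Active Directory definitions), ascending order.
UAC_FLAG_NAMES = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000

# Constructed LDAP entries as they might come back from a directory export.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x400200},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x400202},
    {"sAMAccountName": "bob", "userAccountControl": 0x10200},
]


def decode_uac(value: int):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAG_NAMES.items() if value & bit]


def find_preauth_disabled(entries):
    """Return (roastable, disabled_with_flag): sAMAccountNames of enabled
    accounts that do not require preauthentication, and of disabled accounts
    that still carry the flag (worth cleaning up before they are re-enabled)."""
    roastable, disabled_with_flag = [], []
    for entry in entries:
        uac = int(entry.get("userAccountControl", 0))
        if not uac & UAC_DONT_REQ_PREAUTH:
            continue
        name = entry["sAMAccountName"]
        if uac & UAC_ACCOUNTDISABLE:
            disabled_with_flag.append(name)
        else:
            roastable.append(name)
    return roastable, disabled_with_flag


if __name__ == "__main__":
    active, stale = find_preauth_disabled(SAMPLE_ENTRIES)
    print("preauth disabled, enabled accounts:", active)
    print("preauth disabled, disabled accounts:", stale)
    for entry in SAMPLE_ENTRIES:
        print(entry["sAMAccountName"], decode_uac(entry["userAccountControl"]))
```

In a live directory the entries would come from a search using the bitwise-AND matching rule, (userAccountControl:1.2.840.113556.1.4.803:=4194304), which is the same condition this code tests locally. On the detection side, a successful AS-REQ for such an account shows up as event 4768 with pre-authentication type 0; the fix is to clear the flag unless an application genuinely needs it, and to give any account that must keep it a long random password.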
Cracking the collected hashes using Hashcat
An ASREPRoasting attack retrieves a chunk of encrypted data (the encrypted part of the AS-REP, which carries the session key) that is encrypted with a key derived from the user's password. We can crack the data in the received message (AS-REP) to retrieve the user's password.