Identifying the scope on the network.
Let's assume the pentest scope is the following:
Only hosts belonging to the ORIONSCORP2 local domain;
Network: 172.16.1.0/24
Since our goal is to compromise a local domain, we can start by scanning the network for hosts with port 445 open.
$ sudo nmap --open -v -sS -p 445 -Pn 172.16.1.0/24 -oG smb.txt
$ cat smb.txt | grep "Up" | cut -d " " -f 2 > targets
We can then use crackmapexec to enumerate the hosts listed in the targets file.
$ crackmapexec smb targets
SMB 172.16.1.5 445 SERVER5 [*] Unix (name:SERVER5) (domain:SERVER5) (signing:False) (SMBv1:True)
SMB 172.16.1.60 445 SRVINT [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:SRVINT) (domain:GBUSINESS) (signing:True) (SMBv1:True)
SMB 172.16.1.233 445 SRVSPIDER [*] Windows Server 2012 R2 Datacenter 9600 x64 (name:SRVSPIDER) (domain:DHCE) (signing:True) (SMBv1:True)
SMB 172.16.1.107 445 SMB [*] Windows 6.1 (name:SMB) (domain:SMB) (signing:False) (SMBv1:True)
SMB 172.16.1.245 445 CORPPC01 [*] Windows 10.0 Build 18362 x64 (name:CORPPC01) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB 172.16.1.243 445 SERVAD02 [*] Windows 10.0 Build 17763 x64 (name:SERVAD02) (domain:ORIONSCORP2) (signing:True) (SMBv1:False)
SMB 172.16.1.253 445 CORPPC02 [*] Windows 10.0 Build 18362 x64 (name:CORPPC02) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB 172.16.1.249 445 SMB12 [*] b'W\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x00S\x00e\x00r\x00v\x00e\x00r\x00 \x002\x000\x000\x003\x00 \x003\x007\x009\x000\x00 \x00S\x00e\x00r\x00v\x00i\x00c\x00e\x00 \x00P\x00a\x00c\x00k\x00 \x002\x00' (name:SMB12) (domain:NOMATCH) (signing:False) (SMBv1:True)
SMB 172.16.1.4 445 WKS01 [*] Windows 5.1 (name:WKS01) (domain:GBUSINESS) (signing:False) (SMBv1:True)
This lets us see which hosts belong to the ORIONSCORP2 domain. To check whether host 172.16.1.243 really is an AD server, we can scan its ports.
$ sudo nmap -v --open -Pn 172.16.1.243
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-15 23:15 -03
Initiating ARP Ping Scan at 23:15
Scanning 172.16.1.243 [1 port]
Completed ARP Ping Scan at 23:15, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:15
Completed Parallel DNS resolution of 1 host. at 23:15, 0.00s elapsed
Initiating SYN Stealth Scan at 23:15
Scanning 172.16.1.243 [1000 ports]
Discovered open port 139/tcp on 172.16.1.243
Discovered open port 135/tcp on 172.16.1.243
Discovered open port 53/tcp on 172.16.1.243
Discovered open port 3389/tcp on 172.16.1.243
Discovered open port 445/tcp on 172.16.1.243
Discovered open port 636/tcp on 172.16.1.243
Discovered open port 3268/tcp on 172.16.1.243
Discovered open port 3269/tcp on 172.16.1.243
Discovered open port 593/tcp on 172.16.1.243
Discovered open port 88/tcp on 172.16.1.243
Discovered open port 389/tcp on 172.16.1.243
Discovered open port 464/tcp on 172.16.1.243
Completed SYN Stealth Scan at 23:15, 4.25s elapsed (1000 total ports)
Nmap scan report for 172.16.1.243
Host is up (0.00018s latency).
Not shown: 988 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
MAC Address: 00:50:56:37:F9:7C (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.29 seconds
Raw packets sent: 1989 (87.500KB) | Rcvd: 13 (556B)
Its ports confirm that it is indeed an AD server. Since this host also does DNS resolution, we can run a few DNS queries against it to confirm the machine names.
$ host 172.16.1.243 172.16.1.243
Using domain server:
Name: 172.16.1.243
Address: 172.16.1.243#53
Aliases:
243.1.16.172.in-addr.arpa domain name pointer SERVAD02.ORIONSCORP2.LOCAL.
$ host 172.16.1.245 172.16.1.243
Using domain server:
Name: 172.16.1.243
Address: 172.16.1.243#53
Aliases:
245.1.16.172.in-addr.arpa domain name pointer CORPPC01.ORIONSCORP2.LOCAL.
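The steps above reduce to two checks that are easy to get wrong by eye on a larger network: which of the banners returned by crackmapexec fall inside the agreed scope (domain and CIDR), and whether the open-port set of a candidate host matches a domain controller. The script below is an added example and is not part of the original write-up or of the crackmapexec/nmap projects. It parses the banner lines and the nmap port table (both samples are constructed from the output shown above; the SMB12 banner is abbreviated), filters hosts by scope, and records the SMB weaknesses visible from the banner alone (signing not required, SMBv1 still negotiable), which is exactly what a defender hardening these machines would want listed per host. The port heuristic (Kerberos, LDAP and kpasswd together identify an AD DS domain controller; 3268/3269 mark a global catalog) is my assumption, not something the tools report.

```python
"""Scope triage for crackmapexec SMB banners and nmap port tables.

Added example, not code from the original write-up. Sample inputs below are
constructed from the output shown in the write-up.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the `crackmapexec smb targets` lines from the write-up.
# Raw string so the mis-decoded UTF-16 banner of SMB12 (abbreviated here) stays
# literal and the parser is exercised on it.
CME_SAMPLE = r"""
SMB 172.16.1.5 445 SERVER5 [*] Unix (name:SERVER5) (domain:SERVER5) (signing:False) (SMBv1:True)
SMB 172.16.1.60 445 SRVINT [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:SRVINT) (domain:GBUSINESS) (signing:True) (SMBv1:True)
SMB 172.16.1.245 445 CORPPC01 [*] Windows 10.0 Build 18362 x64 (name:CORPPC01) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB 172.16.1.243 445 SERVAD02 [*] Windows 10.0 Build 17763 x64 (name:SERVAD02) (domain:ORIONSCORP2) (signing:True) (SMBv1:False)
SMB 172.16.1.253 445 CORPPC02 [*] Windows 10.0 Build 18362 x64 (name:CORPPC02) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB 172.16.1.249 445 SMB12 [*] b'W\x00i\x00n\x00d\x00o\x00w\x00s\x00' (name:SMB12) (domain:NOMATCH) (signing:False) (SMBv1:True)
SMB 172.16.1.4 445 WKS01 [*] Windows 5.1 (name:WKS01) (domain:GBUSINESS) (signing:False) (SMBv1:True)
"""

# Constructed sample: the open-port table nmap printed for 172.16.1.243.
NMAP_SAMPLE = """
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-wbt-server
"""

CME_LINE = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+\S+\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]*)\)\s+\(domain:(?P<domain>[^)]*)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)\s*$"
)
# Matches both "53/tcp open domain" (final table) and
# "Discovered open port 139/tcp on ..." (progress lines).
PORT_LINE = re.compile(r"(?:^|open port )(\d+)/tcp")


@dataclass(frozen=True)
class SmbHost:
    ip: str
    name: str
    domain: str
    signing: bool  # True = server requires SMB signing
    smbv1: bool    # True = SMBv1 dialect still negotiable
    os: str


def parse_cme(text: str) -> list[SmbHost]:
    """Parse crackmapexec SMB banner lines; lines that do not match are skipped."""
    hosts = []
    for line in text.splitlines():
        m = CME_LINE.match(line.strip())
        if not m:
            continue
        hosts.append(SmbHost(ip=m["ip"], name=m["name"], domain=m["domain"],
                             signing=m["signing"] == "True",
                             smbv1=m["smbv1"] == "True", os=m["os"]))
    return hosts


def in_scope(hosts: list[SmbHost], domain: str, cidr: str) -> list[SmbHost]:
    """Keep only hosts that report the scoped domain AND sit inside the scoped network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [h for h in hosts
            if h.domain.upper() == domain.upper() and ipaddress.ip_address(h.ip) in net]


def hardening_findings(hosts: list[SmbHost]) -> dict[str, list[str]]:
    """Per host IP, the SMB configuration weaknesses visible from the banner alone."""
    findings: dict[str, list[str]] = {}
    for h in hosts:
        issues = []
        if not h.signing:
            issues.append("SMB signing not required")
        if h.smbv1:
            issues.append("SMBv1 enabled")
        findings[h.ip] = issues
    return findings


def parse_open_ports(nmap_text: str) -> set[int]:
    """Collect the TCP ports nmap reported open."""
    return {int(m.group(1)) for line in nmap_text.splitlines()
            if (m := PORT_LINE.search(line.strip()))}


# Assumed heuristic: Kerberos, LDAP and kpasswd together are the service signature
# of an AD DS domain controller; the global-catalog ports mark it as a GC as well.
DC_CORE_PORTS = {88, 389, 464}
GC_PORTS = {3268, 3269}


def dc_role(open_ports: set[int]) -> str:
    """Classify a host from its open TCP ports."""
    if not DC_CORE_PORTS <= open_ports:
        return "not a domain controller"
    return "domain controller (global catalog)" if GC_PORTS & open_ports else "domain controller"


if __name__ == "__main__":
    scoped = in_scope(parse_cme(CME_SAMPLE), "ORIONSCORP2", "172.16.1.0/24")
    findings = hardening_findings(scoped)
    for h in scoped:
        print(h.ip, h.name, findings[h.ip] or ["no SMB findings"])
    print("172.16.1.243:", dc_role(parse_open_ports(NMAP_SAMPLE)))
```

Run against the constructed samples it keeps only the three ORIONSCORP2 hosts, reports that the two workstations (CORPPC01 and CORPPC02) do not require SMB signing while SERVAD02 does, and classifies 172.16.1.243 as a global-catalog domain controller from the same port table the write-up shows. Hosts such as WKS01 or SRVINT are dropped by the domain filter even though they share the /24, which is the scope boundary the engagement defined.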