Identifying the scope on the network.

Let's assume the pentest scope is as follows:

  • Only hosts belonging to the local domain ORIONSCORP2 (ORIONSCORP2.LOCAL);

  • Network: 172.16.1.0/24

Since the goal is to compromise a local domain, a good first step is to sweep the range for hosts with port 445 open: every domain-joined Windows host exposes SMB, and the SMB banner tells us which domain the host belongs to. -Pn skips host discovery and probes every address, which is the safe choice on an internal network where ICMP may be filtered.

$ sudo nmap --open -v -sS -p 445 -Pn 172.16.1.0/24 -oG smb.txt

$ grep "445/open" smb.txt | cut -d " " -f 2 > targets

Filtering on the "445/open" port line rather than on "Up" keeps the list to hosts that actually answered on 445. With -Pn and -v, nmap writes a "Status: Up" line for every address in the range, so grepping for "Up" would put the whole /24 into the target file.

crackmapexec can then enumerate the hosts in the targets file in one pass, showing the OS, hostname, domain membership, whether SMB signing is required and whether SMBv1 is still enabled:

$ crackmapexec smb targets 
SMB         172.16.1.5      445    SERVER5          [*] Unix (name:SERVER5) (domain:SERVER5) (signing:False) (SMBv1:True)
SMB         172.16.1.60     445    SRVINT           [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:SRVINT) (domain:GBUSINESS) (signing:True) (SMBv1:True)
SMB         172.16.1.233    445    SRVSPIDER        [*] Windows Server 2012 R2 Datacenter 9600 x64 (name:SRVSPIDER) (domain:DHCE) (signing:True) (SMBv1:True)
SMB         172.16.1.107    445    SMB              [*] Windows 6.1 (name:SMB) (domain:SMB) (signing:False) (SMBv1:True)
SMB         172.16.1.245    445    CORPPC01         [*] Windows 10.0 Build 18362 x64 (name:CORPPC01) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB         172.16.1.243    445    SERVAD02         [*] Windows 10.0 Build 17763 x64 (name:SERVAD02) (domain:ORIONSCORP2) (signing:True) (SMBv1:False)
SMB         172.16.1.253    445    CORPPC02         [*] Windows 10.0 Build 18362 x64 (name:CORPPC02) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB         172.16.1.249    445    SMB12            [*] b'W\x00i\x00n\x00d\x00o\x00w\x00s\x00 \x00S\x00e\x00r\x00v\x00e\x00r\x00 \x002\x000\x000\x003\x00 \x003\x007\x009\x000\x00 \x00S\x00e\x00r\x00v\x00i\x00c\x00e\x00 \x00P\x00a\x00c\x00k\x00 \x002\x00' (name:SMB12) (domain:NOMATCH) (signing:False) (SMBv1:True)
SMB         172.16.1.4      445    WKS01            [*] Windows 5.1 (name:WKS01) (domain:GBUSINESS) (signing:False) (SMBv1:True)

The domain field shows which hosts belong to ORIONSCORP2: CORPPC01 (172.16.1.245), SERVAD02 (172.16.1.243) and CORPPC02 (172.16.1.253). Everything else (GBUSINESS, DHCE and the workgroup hosts) is out of scope, however tempting a Windows Server 2003 or XP box may look. The SMB12 line carries the same information with the OS string left undecoded: the bytes are the UTF-16 text "Windows Server 2003 3790 Service Pack 2". Note also that, of the three in-scope hosts, only SERVAD02 requires SMB signing. To verify that 172.16.1.243 really is a domain controller, we scan its ports:
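The two filtering steps above (target list from smb.txt, then domain membership from the crackmapexec banners) are easy to get subtly wrong by hand, so here they are as an added example that is not part of the original write-up. The sample inputs are constructed inline in the formats nmap -oG and crackmapexec produce (the crackmapexec lines are a subset of the output above), and the relay check relies on the fact that hosts reporting signing:False accept unsigned SMB sessions, which is what an NTLM relay needs.

```bash
#!/usr/bin/env bash
# Added example, not code from the original write-up: reproduces the two
# filtering steps above offline (target list from the -oG file, then domain
# membership from the crackmapexec output) and flags relay-capable hosts.
set -euo pipefail

# Constructed sample in nmap -oG format (three addresses reported Up under -Pn,
# only two of them with 445 open), built with printf so the tabs are real.
sample_grepable() {
  printf 'Host: %s ()\tStatus: Up\n' 172.16.1.4 172.16.1.7 172.16.1.243
  printf 'Host: %s ()\tPorts: 445/open/tcp//microsoft-ds///\n' 172.16.1.4 172.16.1.243
}

# Build the target list from the "Ports:" lines. Keying on "445/open" instead of
# "Up" matters: with -Pn nmap marks every address as Up, so grepping "Up" would
# put the whole /24 into the target file.
targets_from_grepable() {
  grep '445/open' | awk '!seen[$2]++ { print $2 }'
}

# Constructed sample of crackmapexec's banner lines (a subset of the ones above).
sample_cme() {
  cat <<'EOF'
SMB         172.16.1.5      445    SERVER5          [*] Unix (name:SERVER5) (domain:SERVER5) (signing:False) (SMBv1:True)
SMB         172.16.1.60     445    SRVINT           [*] Windows Server 2008 R2 Enterprise 7600 x64 (name:SRVINT) (domain:GBUSINESS) (signing:True) (SMBv1:True)
SMB         172.16.1.245    445    CORPPC01         [*] Windows 10.0 Build 18362 x64 (name:CORPPC01) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
SMB         172.16.1.243    445    SERVAD02         [*] Windows 10.0 Build 17763 x64 (name:SERVAD02) (domain:ORIONSCORP2) (signing:True) (SMBv1:False)
SMB         172.16.1.253    445    CORPPC02         [*] Windows 10.0 Build 18362 x64 (name:CORPPC02) (domain:ORIONSCORP2) (signing:False) (SMBv1:False)
EOF
}

# Print "<ip> <name> signing|nosigning" for hosts whose (domain:...) field equals
# $1 exactly. Exact match avoids pulling in look-alike workgroup names.
hosts_in_domain() {
  awk -v want="$1" '
    match($0, /\(domain:[^)]*\)/) {
      dom = substr($0, RSTART + 8, RLENGTH - 9)
      if (dom == want) {
        sig = (index($0, "(signing:True)") > 0) ? "signing" : "nosigning"
        print $2, $4, sig
      }
    }'
}

# In-scope hosts that do not require SMB signing: the ones an NTLM relay can be
# pointed at. The DC (signing required by default) drops out of this list.
relay_candidates() {
  hosts_in_domain "$1" | awk '$3 == "nosigning" { print $1 }'
}

# Demo run on the embedded samples.
sample_grepable | targets_from_grepable
sample_cme | hosts_in_domain ORIONSCORP2
sample_cme | relay_candidates ORIONSCORP2
```

On a real engagement, replace the two sample_* functions with `cat smb.txt` and `crackmapexec smb targets`; the relay_candidates list (CORPPC01 and CORPPC02 here) is what you would feed to ntlmrelayx, while SERVAD02 is excluded because it enforces signing.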

$ sudo nmap -v --open -Pn 172.16.1.243
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-15 23:15 -03
Initiating ARP Ping Scan at 23:15
Scanning 172.16.1.243 [1 port]
Completed ARP Ping Scan at 23:15, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:15
Completed Parallel DNS resolution of 1 host. at 23:15, 0.00s elapsed
Initiating SYN Stealth Scan at 23:15
Scanning 172.16.1.243 [1000 ports]
Discovered open port 139/tcp on 172.16.1.243
Discovered open port 135/tcp on 172.16.1.243
Discovered open port 53/tcp on 172.16.1.243
Discovered open port 3389/tcp on 172.16.1.243
Discovered open port 445/tcp on 172.16.1.243
Discovered open port 636/tcp on 172.16.1.243
Discovered open port 3268/tcp on 172.16.1.243
Discovered open port 3269/tcp on 172.16.1.243
Discovered open port 593/tcp on 172.16.1.243
Discovered open port 88/tcp on 172.16.1.243
Discovered open port 389/tcp on 172.16.1.243
Discovered open port 464/tcp on 172.16.1.243
Completed SYN Stealth Scan at 23:15, 4.25s elapsed (1000 total ports)
Nmap scan report for 172.16.1.243
Host is up (0.00018s latency).
Not shown: 988 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server
MAC Address: 00:50:56:37:F9:7C (VMware)

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 4.29 seconds
           Raw packets sent: 1989 (87.500KB) | Rcvd: 13 (556B)

The port set confirms it: Kerberos (88), kpasswd (464), LDAP and LDAPS (389/636) and the global catalog (3268/3269) are only exposed together by a domain controller; 135/139/445 on their own prove nothing, since any file server has them. Because this host also serves DNS on port 53, we can query it directly to confirm the machine names and the domain suffix, using reverse lookups against 172.16.1.243:

$ host 172.16.1.243 172.16.1.243
Using domain server:
Name: 172.16.1.243
Address: 172.16.1.243#53
Aliases: 

243.1.16.172.in-addr.arpa domain name pointer SERVAD02.ORIONSCORP2.LOCAL.
$ host 172.16.1.245 172.16.1.243
Using domain server:
Name: 172.16.1.243
Address: 172.16.1.243#53
Aliases: 

245.1.16.172.in-addr.arpa domain name pointer CORPPC01.ORIONSCORP2.LOCAL.
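Both checks made above by eye, the DC port signature and the reverse DNS suffix, can be applied to every host in the target list. The following is an added example, not code from the original write-up: the port list is the one from the SERVAD02 scan, the SERVAD02 PTR record is the one returned above, and the SRVINT PTR record in the sample is invented for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the original write-up: offline versions of the two
# "is this really the DC?" checks made above, the port signature and the reverse
# DNS suffix, so both can be applied to every host in the target list.
set -euo pipefail

# Ports a domain controller exposes together. 135/139/445 prove nothing (any
# file server has them); Kerberos, kpasswd, LDAP/LDAPS and the global catalog do.
DC_PORTS="88 389 464 636 3268 3269"

# Read one port per line on stdin; succeed only if every DC port is present.
looks_like_dc() {
  local ports p
  ports=" $(tr '\n' ' ') "
  for p in $DC_PORTS; do
    case "$ports" in *" $p "*) ;; *) return 1 ;; esac
  done
  return 0
}

# Constructed sample of `host <ip> 172.16.1.243` output; the SRVINT PTR record
# is invented for illustration, the SERVAD02 one is from the lookups above.
sample_host_output() {
  cat <<'EOF'
Using domain server:
Name: 172.16.1.243
Address: 172.16.1.243#53
Aliases: 

243.1.16.172.in-addr.arpa domain name pointer SERVAD02.ORIONSCORP2.LOCAL.
60.1.16.172.in-addr.arpa domain name pointer SRVINT.gbusiness.local.
EOF
}

# Parse `host` output and print "<ip> <fqdn> in-scope|out-of-scope", comparing the
# PTR name's suffix (case-insensitively) against the domain given as $1.
ptr_scope() {
  awk -v suf="$1" '
    /domain name pointer/ {
      split($1, a, ".")                        # 243.1.16.172.in-addr.arpa
      ip = a[4] "." a[3] "." a[2] "." a[1]
      fqdn = $NF; sub(/\.$/, "", fqdn)
      tail = substr(toupper(fqdn), length(fqdn) - length(suf))
      verdict = (tail == "." toupper(suf)) ? "in-scope" : "out-of-scope"
      print ip, fqdn, verdict
    }'
}

# Demo: the SERVAD02 port list from the scan above, then the sample PTR lookups.
printf '%s\n' 53 88 135 139 389 445 464 593 636 3268 3269 3389 | looks_like_dc \
  && echo "172.16.1.243 has the DC port signature"
sample_host_output | ptr_scope ORIONSCORP2.LOCAL
```

Live use is a matter of swapping in the real commands: `nmap -oG - 172.16.1.243 | grep -o '[0-9]*/open' | cut -d/ -f1 | looks_like_dc` for the port check, and `for ip in $(cat targets); do host "$ip" 172.16.1.243; done | ptr_scope ORIONSCORP2.LOCAL` to confirm, for every candidate, that the DC's own DNS places it under ORIONSCORP2.LOCAL before it goes into the scoped target list.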
