banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

game of active directory(GOAD) part 1 Reconnaissance and Scanning

image

Reconnaissance and Scanning#

Preface#

Recently, I had some time to open my home computer, so I started experimenting with the GOAD target environment. The write-up for the GOAD target will follow the author's process first, and later I can add my own understanding and supplements after learning.

For environment setup, refer to the previous blog: https://lca.xlog.app/game-of-active-directoryGOAD-yu-huan-jing-da-jian

Before starting the experiment, take a snapshot of the VM.

image

Start all machines.

vargant up 

image

Network settings for the environment.

image

Ubuntu: The IP range for the VirtualBox VM is: 192.168.31.0/24
VirtualBox: The IP range for the GOAD target environment is 192.168.56.1/0

image

Thus, the overall access path for the environment is:

Windows (host IP: 192.168.31.151) -> Ubuntu (VM IP: 192.168.31.142) -> GOAD target (VirtualBox VM IP: 192.168.56.1/24)

I initially wanted to use Kali as the attack machine, but as mentioned in previous article comments, it would be inaccessible and would require a proxy for testing. However, running Kali would consume memory, and my host machine only has 32GB of RAM. If I start another Kali, the target machine would throw an error due to insufficient memory.

The CPU of the host machine would also spike.

image

So I decided to directly conduct attacks on Ubuntu. If the Ubuntu machine does not meet the attack requirements later, we can discuss that!

Network Enumeration#

image

cme

# Install cme
sudo snap install crackmapexec

# cme smb scan
crackmapexec smb 192.168.56.0/24

image

The results of the cme scan are shown in the image above, returning some useful information, including the IPs, names, and domain information of all target machines.

SMB         192.168.56.10   445    KINGSLANDING     [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.12   445    MEEREEN          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB         192.168.56.22   445    CASTELBLACK      [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB         192.168.56.11   445    WINTERFELL       [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB         192.168.56.23   445    BRAAVOS          [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
  • north.sevenkingdoms.local (2 IPs)
    • CASTELBLACK 192.168.56.22
    • WINTERFELL 192.168.56.11
  • sevenkingdoms.local (1 IP)
    • KINGSLANDING 192.168.56.10
  • essos.local (2 IPs)
    • MEEREEN 192.168.56.12
    • BRAAVOS 192.168.56.23

From the topology, it is clear that the GOAD target has three domains. The cme scan results also show that the DC signatures are all True (signing). In a real environment, to prevent NTLM relay attacks, all signatures must be set to True.

Finding the DC IP#

image

You can use nslookup to perform DNS queries to list the relevant information of the DC.

nslookup -type=srv _ldap._tcp.dc._msdcs.sevenkingdoms.local 192.168.56.10
  • nslookup: DNS query tool
    • -type=srv: Specifies to query SRV records, which are a type of DNS record used to identify specific services.
    • _ldap._tcp.dc._msdcs.sevenkingdoms.local: The hostname to query for information about the domain controller providing LDAP services in the "sevenkingdoms.local" domain.
    • The IP address of the DNS server being queried.

Querying sevenkingdoms.local

image

Querying north.sevenkingdoms.local

nslookup -type=srv _ldap._tcp.dc._msdcs.north.sevenkingdoms.local 192.168.56.10

image

Querying essos.local

nslookup -type=srv _ldap._tcp.dc._msdcs.north.essos.local 192.168.56.10

image

Setting /etc/hosts and Kerberos#

To use Kerberos in a Linux environment, some settings need to be made.

  1. Configure the /etc/hosts file to set DNS.
# /etc/hosts
# GOAD
192.168.56.10   sevenkingdoms.local kingslanding.sevenkingdoms.local kingslanding
192.168.56.11   winterfell.north.sevenkingdoms.local north.sevenkingdoms.local winterfell
192.168.56.12   essos.local meereen.essos.local meereen
192.168.56.22   castelblack.north.sevenkingdoms.local castelblack
192.168.56.23   braavos.essos.local braavos

image

Install the Kerberos Linux client.

sudo apt install krb5-user

image

image

Set admin_server to meereen.essos.local.

If krb5-user is already installed or needs reconfiguration, you can use dpkg-reconfigure or modify the /etc/krb5.conf file for reconfiguration, as follows:

sudo gedit /etc/krb5.conf
[libdefaults]
	default_realm = essos.local
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true
	fcc-mit-ticketflags = true

[realms]
	north.sevenkingdoms.local = {
		kdc = winterfell.north.sevenkingdoms.local
		admin_server = winterfell.north.sevenkingdoms.local
	}

	sevenkingdoms.local = {
		kdc = kingslanding.sevenkingdoms.local
		admin_server = kingslanding.sevenkingdoms.local
	}

	essos.local = {
		kdc = meereen.essos.local
		admin_server = meereen.essos.local
	}

After completing the Kerberos setup, you can try to see if you can obtain a TGT ticket.

Download:

Impacket is a collection of Python classes for working with network protocols.

sudo pip3 install .
sudo python3 setup.py install
getTGT.py essos.local/khal.drogo:horse

image

export KRB5CCNAME=/home/lca/tools/impacket/examples/khal.drogo.ccache
python3 smbclient.py -k @braavos.essos.local
Impacket v0.12.0.dev1+20240502.235035.cb8467c3 - Copyright 2023 Fortra

Type help for list of commands
# shares
ADMIN$
all
C$
CertEnroll
IPC$
public
# use C$
# ls
drw-rw-rw-          0  Thu Feb 14 19:42:10 2019 $Recycle.Bin
-rw-rw-rw-     384322  Fri Feb 15 03:38:48 2019 bootmgr
-rw-rw-rw-          1  Fri Feb 15 03:38:48 2019 BOOTNXT
-rw-rw-rw-       1014  Thu Jan 18 00:00:49 2024 dns_log.txt
drw-rw-rw-          0  Wed Jan 17 07:27:46 2024 Documents and Settings
drw-rw-rw-          0  Wed Jan 17 22:04:13 2024 inetpub
-rw-rw-rw- 1476395008  Sun May  5 23:00:57 2024 pagefile.sys
drw-rw-rw-          0  Thu Feb 14 20:19:12 2019 PerfLogs
drw-rw-rw-          0  Wed Jan 17 23:07:58 2024 Program Files
drw-rw-rw-          0  Thu Jan 18 00:28:34 2024 Program Files (x86)
drw-rw-rw-          0  Thu Jan 18 00:17:10 2024 ProgramData
drw-rw-rw-          0  Tue Jan 16 23:28:06 2024 Recovery
drw-rw-rw-          0  Wed Jan 17 22:31:30 2024 setup
drw-rw-rw-          0  Thu Jan 18 00:32:16 2024 shares
drw-rw-rw-          0  Sun May  5 15:01:26 2024 System Volume Information
drw-rw-rw-          0  Wed Jan 17 21:53:12 2024 tmp
drw-rw-rw-          0  Wed Jan 17 23:57:19 2024 Users
drw-rw-rw-          0  Wed Jan 17 22:05:24 2024 Windows

As shown, Kerberos is set up.

Unset the ticket.

unset KRB5CCNAME

Test other domains.

image

export KRB5CCNAME=/home/lca/tools/impacket/examples/arya.stark.ccache 
python3 smbclient.py -k -no-pass @winterfell.north.servenkingdoms.local
Impacket v0.12.0.dev1+20240502.235035.cb8467c3 - Copyright 2023 Fortra

[-] [Errno Connection error (winterfell.north.servenkingdoms.local:445)] [Errno -3] Temporary failure in name resolution

image

I don't know why Kerberos does not work when using the full FQDN for Winterfell, but it works fine when just setting Winterfell instead of winterfell.north.sevenkingdoms.local.

image

Nmap Scan#

Install nmap.

sudo apt install nmap

Use nmap to perform a scan with the following parameters.

nmap -Pn -p- -sC -sV -oA full_scan_goad 192.168.56.10-12,22-23

Parameters are as follows:

  • -Pn: Do not perform ping scan.
  • -p-: Full port scan, 1-65535.
  • -sC: Run default detection scripts.
  • -sV: Perform service version detection on specified ports.
  • -oA: Output results in three formats.

The nmap scan results are as follows:

# Nmap 7.80 scan initiated Sun May  5 16:44:49 2024 as: nmap -Pn -p- -sC -sV -oA full_scan_goad 192.168.56.10-12,22-23
Nmap scan report for sevenkingdoms.local (192.168.56.10)
Host is up (0.0011s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-05 08:45:23Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after:  2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after:  2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after:  2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-17T13:15:48
|_Not valid after:  2025-01-16T13:15:48
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Not valid before: 2024-01-16T12:49:01
|_Not valid after:  2024-07-17T12:49:01
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T06:56:16
|_Not valid after:  2027-01-14T06:56:16
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
| tls-alpn: 
|_  http/1.1
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49671/tcp open  msrpc         Microsoft Windows RPC
49672/tcp open  msrpc         Microsoft Windows RPC
49674/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
49684/tcp open  msrpc         Microsoft Windows RPC
49696/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/5%Time=66374728%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: KINGSLANDING, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:62:c4:af (Oracle VirtualBox virtual NIC)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-05-05T08:48:40
|_  start_date: N/A

Nmap scan report for winterfell.north.sevenkingdoms.local (192.168.56.11)
Host is up (0.00079s latency).
Not shown: 65506 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-05 08:45:28Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after:  2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after:  2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after:  2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-17T15:35:51
|_Not valid after:  2025-01-16T15:35:51
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Not valid before: 2024-01-16T12:59:52
|_Not valid after:  2024-07-17T12:59:52
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:00:27
|_Not valid after:  2027-01-14T07:00:27
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
| tls-alpn: 
|_  http/1.1
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49673/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49687/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49701/tcp open  msrpc         Microsoft Windows RPC
49739/tcp open  msrpc         Microsoft Windows RPC
54275/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/5%Time=6637472E%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: WINTERFELL; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_nbstat: NetBIOS name: WINTERFELL, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:73:1f:da (Oracle VirtualBox virtual NIC)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-05-05T08:48:43
|_  start_date: N/A

Nmap scan report for essos.local (192.168.56.12)
Host is up (0.00043s latency).
Not shown: 65508 closed ports
PORT      STATE SERVICE       VERSION
53/tcp    open  domain?
| fingerprint-strings: 
|   DNSVersionBindReqTCP: 
|     version
|_    bind
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-05-05 08:46:22Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after:  2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: ESSOS)
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after:  2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after:  2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2024-01-17T13:55:53
|_Not valid after:  2025-01-16T13:55:53
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=meereen.essos.local
| Not valid before: 2024-01-16T12:49:13
|_Not valid after:  2024-07-17T12:49:13
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:08:56
|_Not valid after:  2027-01-14T07:08:56
|_ssl-date: 2024-05-05T08:48:58+00:00; 0s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
9389/tcp  open  mc-nmf        .NET Message Framing
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49676/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49677/tcp open  msrpc         Microsoft Windows RPC
49681/tcp open  msrpc         Microsoft Windows RPC
49684/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  msrpc         Microsoft Windows RPC
49711/tcp open  msrpc         Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=5/5%Time=66374763%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: MEEREEN; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_nbstat: NetBIOS name: MEEREEN, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:c5:7e:aa (Oracle VirtualBox virtual NIC)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2024-05-05T08:48:42
|_  start_date: 2024-05-05T04:02:06

Nmap scan report for castelblack.north.sevenkingdoms.local (192.168.56.22)
Host is up (0.0022s latency).
Not shown: 65516 closed ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server  15.00.2000.00
| ms-sql-ntlm-info: 
|   Target_Name: NORTH
|   NetBIOS_Domain_Name: NORTH
|   NetBIOS_Computer_Name: CASTELBLACK
|   DNS_Domain_Name: north.sevenkingdoms.local
|   DNS_Computer_Name: castelblack.north.sevenkingdoms.local
|   DNS_Tree_Name: sevenkingdoms.local
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:22:58
|_Not valid after:  2054-05-05T07:22:58
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: NORTH
|   NetBIOS_Domain_Name: NORTH
|   NetBIOS_Computer_Name: CASTELBLACK
|   DNS_Domain_Name: north.sevenkingdoms.local
|   DNS_Computer_Name: castelblack.north.sevenkingdoms.local
|   DNS_Tree_Name: sevenkingdoms.local
|   Product_Version: 10.0.17763
|_  System_Time: 2024-05-05T08:48:42+00:00
| ssl-cert: Subject: commonName=castelblack.north.sevenkingdoms.local
| Not valid before: 2024-01-16T13:08:04
|_Not valid after:  2024-07-17T13:08:04
|_ssl-date: 2024-05-05T08:48:57+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:22:58
|_Not valid after:  2027-01-14T07:22:58
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
| tls-alpn: 
|_  http/1.1
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49690/tcp open  ms-sql-s      Microsoft SQL Server
| ms-sql-ntlm-info: 
|   Target_Name: NORTH
|   NetBIOS_Domain_Name: NORTH
|   NetBIOS_Computer_Name: CASTELBLACK
|   DNS_Domain_Name: north.sevenkingdoms.local
|   DNS_Computer_Name: castelblack.north.sevenkingdoms.local
|   DNS_Tree_Name: sevenkingdoms.local
|_  Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:22:58
|_Not valid after:  2054-05-05T07:22:58
|_ssl-date: 2024-05-05T08:48:57+00:00; -1s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port49865-TCP:V=7.80%I=7%D=5/5%Time=663747D6%P=x86_64-pc-linux-gnu%r(ms
SF:-sql-s,25,"\x04\x01\0%\0\0\x01\0\0\0\x15\0\x06\x01\0\x1b\0\x01\x02\0\x1
SF:c\0\x01\x03\0\x1d\0\0\xff\x0f\0\x07\xd0\0\0\0\0");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info: 
|   192.168.56.22:1433: 
|     Version: 
|       name: Microsoft SQL Server 
|       number: 15.00.2000.00
|       Product: Microsoft SQL Server 
|_    TCP port: 1433
|_nbstat: NetBIOS name: CASTELBLACK, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:96:f0:ff (Oracle VirtualBox virtual NIC)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-05-05T08:48:44
|_  start_date: N/A

Nmap scan report for braavos.essos.local (192.168.56.23)
Host is up (0.00073s latency).
Not shown: 65516 closed ports
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1433/tcp  open  ms-sql-s      Microsoft SQL Server  15.00.2000.00
| ms-sql-ntlm-info: 
|   Target_Name: ESSOS
|   NetBIOS_Domain_Name: ESSOS
|   NetBIOS_Computer_Name: BRAAVOS
|   DNS_Domain_Name: essos.local
|   DNS_Computer_Name: braavos.essos.local
|   DNS_Tree_Name: essos.local
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:01:25
|_Not valid after:  2054-05-05T07:01:25
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=braavos.essos.local
| Not valid before: 2024-01-16T13:46:38
|_Not valid after:  2024-07-17T13:46:38
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp  open  ssl/http      Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2024-01-15T07:29:16
|_Not valid after:  2027-01-14T07:29:16
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
| tls-alpn: 
|   h2
|_  http/1.1
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49671/tcp open  msrpc         Microsoft Windows RPC
49693/tcp open  msrpc         Microsoft Windows RPC
49712/tcp open  msrpc         Microsoft Windows RPC
49724/tcp open  msrpc         Microsoft Windows RPC
49769/tcp open  msrpc         Microsoft Windows RPC
49773/tcp open  msrpc         Microsoft Windows RPC
49896/tcp open  ms-sql-s      Microsoft SQL Server
| ms-sql-ntlm-info: 
|   Target_Name: ESSOS
|   NetBIOS_Domain_Name: ESSOS
|   NetBIOS_Computer_Name: BRAAVOS
|   DNS_Domain_Name: essos.local
|   DNS_Computer_Name: braavos.essos.local
|   DNS_Tree_Name: essos.local
|_  Product_Version: 10.0.14393
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-05-05T07:01:25
|_Not valid after:  2054-05-05T07:01:25
|_ssl-date: 2024-05-05T08:51:34+00:00; 0s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port49896-TCP:V=7.80%I=7%D=5/5%Time=66374886%P=x86_64-pc-linux-gnu%r(ms
SF:-sql-s,25,"\x04\x01\0%\0\0\x01\0\0\0\x15\0\x06\x01\0\x1b\0\x01\x02\0\x1
SF:c\0\x01\x03\0\x1d\0\0\xff\x0f\0\x07\xd0\0\0\0\0");
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_ms-sql-info: ERROR: Script execution failed (use -d to debug)
|_nbstat: NetBIOS name: BRAAVOS, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:36:af:ca (Oracle VirtualBox virtual NIC)
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-05-05T08:51:30
|_  start_date: 2024-05-05T07:01:07

Post-scan script results:
| clock-skew: 
|   0s: 
|     192.168.56.10 (sevenkingdoms.local)
|     192.168.56.12 (essos.local)
|_    192.168.56.23 (braavos.essos.local)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May  5 16:51:34 2024 -- 5 IP addresses (5 hosts up) scanned in 404.39 seconds

Beautify the nmap output in XML format.

sudo apt install xsltproc
xsltproc full_scan_goad.xml -o full_scan_goad.html
firefox full_scan_goad.html 

image

References#

https://mayfly277.github.io/posts/GOADv2-pwning_part1/

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.