OSCP Security Technology

Posted 一蓑烟雨

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了OSCP Security Technology相关的知识,希望对你有一定的参考价值。

OSCP Security Technology - Enumeration(2)

SMB Enumeration

We found the tcp port 111 is open from the scanning result.

image-20210617214701826

locate smb.conf

image-20210617215047989

nano /etc/samba/smb.conf

Add some new global settings and save it.

image-20210617221823151

enum4linux 192.168.2.28

image-20210619131201777

kali@kali:~$ sudo enum4linux 192.168.2.28
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Thu Jun 17 10:17:55 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 192.168.2.28
RID Range ........ 500-550,1000-1050
Username ......... \'\'
Password ......... \'\'
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ==================================================== 
|    Enumerating Workgroup/Domain on 192.168.2.28    |
 ==================================================== 
[+] Got domain/workgroup name: MYGROUP

 ============================================ 
|    Nbtstat Information for 192.168.2.28    |
 ============================================ 
Looking up status of 192.168.2.28
        KIOPTRIX        <00> -         B <ACTIVE>  Workstation Service
        KIOPTRIX        <03> -         B <ACTIVE>  Messenger Service
        KIOPTRIX        <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        MYGROUP         <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        MYGROUP         <1d> -         B <ACTIVE>  Master Browser
        MYGROUP         <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ===================================== 
|    Session Check on 192.168.2.28    |
 ===================================== 
[+] Server 192.168.2.28 allows sessions using username \'\', password \'\'

 =========================================== 
|    Getting domain SID for 192.168.2.28    |
 =========================================== 
Domain Name: MYGROUP
Domain Sid: (NULL SID)
[+] Can\'t determine if host is part of domain or part of a workgroup

 ====================================== 
|    OS information on 192.168.2.28    |
 ====================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.2.28 from smbclient: 
[+] Got OS info for 192.168.2.28 from srvinfo:
        KIOPTRIX       Wk Sv PrQ Unx NT SNT Samba Server
        platform_id     :       500
        os version      :       4.5
        server type     :       0x9a03

 ============================= 
|    Users on 192.168.2.28    |
 ============================= 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ========================================= 
|    Share Enumeration on 192.168.2.28    |
 ========================================= 
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
lpcfg_do_global_parameter: WARNING: The "client ntlmv2 auth" option is deprecated

        Sharename       Type      Comment
        ---------       ----      -------
        IPC$            IPC       IPC Service (Samba Server)
        ADMIN$          IPC       IPC Service (Samba Server)
Reconnecting with SMB1 for workgroup listing.

        Server               Comment
        ---------            -------
        KIOPTRIX             Samba Server

        Workgroup            Master
        ---------            -------
        MYGROUP              KIOPTRIX

[+] Attempting to map shares on 192.168.2.28
//192.168.2.28/IPC$     [E] Can\'t understand response:
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
lpcfg_do_global_parameter: WARNING: The "client ntlmv2 auth" option is deprecated
NT_STATUS_NETWORK_ACCESS_DENIED listing \\*
//192.168.2.28/ADMIN$   [E] Can\'t understand response:
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
lpcfg_do_global_parameter: WARNING: The "client ntlmv2 auth" option is deprecated
tree connect failed: NT_STATUS_WRONG_PASSWORD

 ==================================================== 
|    Password Policy Information for 192.168.2.28    |
 ==================================================== 
[E] Unexpected error from polenum:


[+] Attaching to 192.168.2.28 using a NULL share

[+] Trying protocol 139/SMB...

        [!] Protocol failed: SMB SessionError: 0x5

[+] Trying protocol 445/SMB...

        [!] Protocol failed: [Errno Connection error (192.168.2.28:445)] [Errno 111] Connection refused


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 0


 ============================== 
|    Groups on 192.168.2.28    |
 ============================== 

[+] Getting builtin groups:
group:[Administrators] rid:[0x220]
group:[Users] rid:[0x221]
group:[Guests] rid:[0x222]
group:[Power Users] rid:[0x223]
group:[Account Operators] rid:[0x224]
group:[System Operators] rid:[0x225]
group:[Print Operators] rid:[0x226]
group:[Backup Operators] rid:[0x227]
group:[Replicator] rid:[0x228]

[+] Getting builtin group memberships:
Group \'Power Users\' (RID: 547) has member: Couldn\'t find group Power Users
Group \'Administrators\' (RID: 544) has member: Couldn\'t find group Administrators
Group \'Guests\' (RID: 546) has member: Couldn\'t find group Guests
Group \'Users\' (RID: 545) has member: Couldn\'t find group Users
Group \'Replicator\' (RID: 552) has member: Couldn\'t find group Replicator
Group \'System Operators\' (RID: 549) has member: Couldn\'t find group System Operators
Group \'Account Operators\' (RID: 548) has member: Couldn\'t find group Account Operators
Group \'Print Operators\' (RID: 550) has member: Couldn\'t find group Print Operators
Group \'Backup Operators\' (RID: 551) has member: Couldn\'t find group Backup Operators

[+] Getting local groups:
group:[sys] rid:[0x3ef]
group:[tty] rid:[0x3f3]
group:[disk] rid:[0x3f5]
group:[mem] rid:[0x3f9]
group:[kmem] rid:[0x3fb]
group:[wheel] rid:[0x3fd]
group:[man] rid:[0x407]
group:[dip] rid:[0x439]
group:[lock] rid:[0x455]
group:[users] rid:[0x4b1]
group:[slocate] rid:[0x413]
group:[floppy] rid:[0x40f]
group:[utmp] rid:[0x415]

[+] Getting local group memberships:

[+] Getting domain groups:
group:[Domain Admins] rid:[0x200]
group:[Domain Users] rid:[0x201]

[+] Getting domain group memberships:
Group \'Domain Users\' (RID: 513) has member: Couldn\'t find group Domain Users
Group \'Domain Admins\' (RID: 512) has member: Couldn\'t find group Domain Admins

 ======================================================================= 
|    Users on 192.168.2.28 via RID cycling (RIDS: 500-550,1000-1050)    |
 ======================================================================= 
[I] Found new SID: S-1-5-21-4157223341-3243572438-1405127623
[+] Enumerating users using SID S-1-5-21-4157223341-3243572438-1405127623 and logon username \'\', password \'\'
S-1-5-21-4157223341-3243572438-1405127623-500 KIOPTRIX\\
                                                        (0)
S-1-5-21-4157223341-3243572438-1405127623-501 KIOPTRIX\\ (0)
S-1-5-21-4157223341-3243572438-1405127623-502 KIOPTRIX\\unix_group.2147483399 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-503 KIOPTRIX\\unix_group.2147483399 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-504 KIOPTRIX\\unix_group.2147483400 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-505 KIOPTRIX\\unix_group.2147483400 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-506 KIOPTRIX\\unix_group.2147483401 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-507 KIOPTRIX\\unix_group.2147483401 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-508 KIOPTRIX\\unix_group.2147483402 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-509 KIOPTRIX\\unix_group.2147483402 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-510 KIOPTRIX\\unix_group.2147483403 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-511 KIOPTRIX\\unix_group.2147483403 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-512 KIOPTRIX\\Domain Admins (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-513 KIOPTRIX\\Domain Users (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-514 KIOPTRIX\\Domain Guests (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-515 KIOPTRIX\\unix_group.2147483405 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-516 KIOPTRIX\\unix_group.2147483406 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-517 KIOPTRIX\\unix_group.2147483406 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-518 KIOPTRIX\\unix_group.2147483407 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-519 KIOPTRIX\\unix_group.2147483407 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-520 KIOPTRIX\\unix_group.2147483408 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-521 KIOPTRIX\\unix_group.2147483408 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-522 KIOPTRIX\\unix_group.2147483409 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-523 KIOPTRIX\\unix_group.2147483409 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-524 KIOPTRIX\\unix_group.2147483410 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-525 KIOPTRIX\\unix_group.2147483410 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-526 KIOPTRIX\\unix_group.2147483411 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-527 KIOPTRIX\\unix_group.2147483411 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-528 KIOPTRIX\\unix_group.2147483412 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-529 KIOPTRIX\\unix_group.2147483412 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-530 KIOPTRIX\\unix_group.2147483413 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-531 KIOPTRIX\\unix_group.2147483413 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-532 KIOPTRIX\\unix_group.2147483414 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-533 KIOPTRIX\\unix_group.2147483414 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-534 KIOPTRIX\\unix_group.2147483415 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-535 KIOPTRIX\\unix_group.2147483415 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-536 KIOPTRIX\\unix_group.2147483416 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-537 KIOPTRIX\\unix_group.2147483416 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-538 KIOPTRIX\\unix_group.2147483417 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-539 KIOPTRIX\\unix_group.2147483417 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-540 KIOPTRIX\\unix_group.2147483418 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-541 KIOPTRIX\\unix_group.2147483418 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-542 KIOPTRIX\\unix_group.2147483419 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-543 KIOPTRIX\\unix_group.2147483419 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-544 KIOPTRIX\\unix_group.2147483420 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-545 KIOPTRIX\\unix_group.2147483420 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-546 KIOPTRIX\\unix_group.2147483421 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-547 KIOPTRIX\\unix_group.2147483421 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-548 KIOPTRIX\\unix_group.2147483422 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-549 KIOPTRIX\\unix_group.2147483422 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-550 KIOPTRIX\\unix_group.2147483423 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1000 KIOPTRIX\\root (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1001 KIOPTRIX\\root (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1002 KIOPTRIX\\bin (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1003 KIOPTRIX\\bin (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1004 KIOPTRIX\\daemon (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1005 KIOPTRIX\\daemon (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1006 KIOPTRIX\\adm (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1007 KIOPTRIX\\sys (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1008 KIOPTRIX\\lp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1009 KIOPTRIX\\adm (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1010 KIOPTRIX\\sync (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1011 KIOPTRIX\\tty (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1012 KIOPTRIX\\shutdown (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1013 KIOPTRIX\\disk (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1014 KIOPTRIX\\halt (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1015 KIOPTRIX\\lp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1016 KIOPTRIX\\mail (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1017 KIOPTRIX\\mem (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1018 KIOPTRIX\\news (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1019 KIOPTRIX\\kmem (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1020 KIOPTRIX\\uucp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1021 KIOPTRIX\\wheel (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1022 KIOPTRIX\\operator (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1023 KIOPTRIX\\unix_group.11 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1024 KIOPTRIX\\games (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1025 KIOPTRIX\\mail (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1026 KIOPTRIX\\gopher (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1027 KIOPTRIX\\news (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1028 KIOPTRIX\\ftp (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1029 KIOPTRIX\\uucp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1030 KIOPTRIX\\unix_user.15 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1031 KIOPTRIX\\man (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1032 KIOPTRIX\\unix_user.16 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1033 KIOPTRIX\\unix_group.16 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1034 KIOPTRIX\\unix_user.17 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1035 KIOPTRIX\\unix_group.17 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1036 KIOPTRIX\\unix_user.18 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1037 KIOPTRIX\\unix_group.18 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1038 KIOPTRIX\\unix_user.19 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1039 KIOPTRIX\\floppy (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1040 KIOPTRIX\\unix_user.20 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1041 KIOPTRIX\\games (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1042 KIOPTRIX\\unix_user.21 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1043 KIOPTRIX\\slocate (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1044 KIOPTRIX\\unix_user.22 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1045 KIOPTRIX\\utmp (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1046 KIOPTRIX\\squid (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1047 KIOPTRIX\\squid (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1048 KIOPTRIX\\unix_user.24 (Local User)
S-1-5-21-4157223341-3243572438-1405127623-1049 KIOPTRIX\\unix_group.24 (Local Group)
S-1-5-21-4157223341-3243572438-1405127623-1050 KIOPTRIX\\unix_user.25 (Local User)

 ============================================= 
|    Getting printer info for 192.168.2.28    |
 ============================================= 
No printers returned.


enum4linux complete on Thu Jun 17 10:18:05 2021
msfconsole
search smb

image-20210619131642012

use auxiliary/scanner/smb/smb_version

image-20210619131934202

set rhosts 192.168.2.28
exploit

image-20210619132230784

searchsploit samba 2.2

image-20210619132618707

Search \'\'trans2open\'\' on Exploit-DB.

image-20210619133215718

https://www.exploit-db.com/exploits/22468

https://www.exploit-db.com/exploits/22470

nbtscan 192.168.2.28

image-20210619133736321

smbclient -L 192.168.2.28

image-20210619133943661

smbclient "\\\\\\\\192.168.2.28\\IPC$"

image-20210619134354715

以上是关于OSCP Security Technology的主要内容,如果未能解决你的问题,请参考以下文章

OSCP Security Technology

Internet History,Technology,and Security -Technology: Application Protocols(Week7)

Internet History, Technology, and Security(week8)——Security: Encrypting and Signing

Internet History, Technology, and Security----第四周

Internet History, Technology, and Security第八讲心得

Internet History, Technology, and Security第六讲心得