Question

  1. (35 pts) Analyze the output from the tool Enum4Linux [See Appendix B]. List:
    1. Hostname & IP address
    2. Domain/Workgroup Name
    3. All users found
      1. Is there any interesting info for any of the users? If so, how can this be used?
    4. Is Password Complexity enabled?
    5. What shares are available on this system?

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Sep 25 17:51:22 2020

==========================

|    Target Information    |

==========================

Target ........... 192.168.1.102

RID Range ........ 500-550,1000-1050

Username ......... ''

Password ......... ''

Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

====================================================

|    Enumerating Workgroup/Domain on 192.168.1.102    |

====================================================

[E] Can't find workgroup/domain

===========================================

|    Getting domain SID for 192.168.1.102    |

===========================================

Domain Name: MEGABANK

Domain Sid: S-1-5-21-1392959593-3013219662-3596683436

[+] Host is part of a domain (not a workgroup)

=============================

|    Users on 192.168.1.102    |

=============================

index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null)             Desc: Built-in account for administering the computer/domain

index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela        Name: (null)             Desc: (null)

index: 0x10bf RID: 0x19d9 acb: 0x00000010 Account: claude        Name: (null)             Desc: (null)

index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)             Desc: A user account managed by the system.

index: 0x10b5 RID: 0x19cf acb: 0x00000010 Account: felicia         Name: (null)             Desc: (null)

index: 0x10b3 RID: 0x19cd acb: 0x00000010 Account: fred           Name: (null)             Desc: (null)

index: 0xfbd RID: 0x1f5 acb: 0x00000215 Account: Guest             Name: (null)             Desc: Built-in account for guest access to the computer/domain

index: 0x10b6 RID: 0x19d0 acb: 0x00000010 Account: gustavo     Name: (null)             Desc: (null)

index: 0xff4 RID: 0x1f6 acb: 0x00000011 Account: krbtgt              Name: (null)             Desc: Key Distribution Center Service Account

index: 0x10b1 RID: 0x19cb acb: 0x00000010 Account: marcus       Name: (null)             Desc: (null)

index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko          Name: Marko Novak Desc: Account created. Password set to Welcome123!

index: 0x10ba RID: 0x19d4 acb: 0x00000010 Account: paulo         Name: (null)             Desc: (null)

index: 0x10be RID: 0x19d8 acb: 0x00000010 Account: per            Name: (null)             Desc: (null)

index: 0x10a3 RID: 0x451 acb: 0x00000210 Account: ryan            Name: Ryan Bertrand Desc: (null)

index: 0x10c1 RID: 0x2776 acb: 0x00000010 Account: zach           Name: (null)             Desc: (null)

=========================================

|    Share Enumeration on 192.168.1.102   |

=========================================

    Sharename       Type      Comment

    ---------       ----      -------

    print$          Disk      Printer Drivers

    tmp             Disk      oh noes!

    opt             Disk

    IPC$            IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))

    ADMIN$          IPC       IPC Service (metasploitable server (Samba 3.0.20-Debian))

Reconnecting with SMB1 for workgroup listing.

    Server               Comment

    ---------            -------

    Workgroup            Master

    ---------            -------

    MEGABANK            MEGABANK

[+] Attempting to map shares on 192.168.1.102

//192.168.1.102/print$ Mapping: DENIED, Listing: N/A

//192.168.1.102/tmp    Mapping: OK, Listing: OK

//192.168.1.102/opt    Mapping: DENIED, Listing: N/A

//192.168.1.102/IPC$   [E] Can't understand response:

NT_STATUS_NETWORK_ACCESS_DENIED listing \*

//192.168.1.102/ADMIN$ Mapping: DENIED, Listing: N/A

====================================================

|    Password Policy Information for 192.168.1.102    |

====================================================

[+] Attaching to 192.168.1.102 using a NULL share

[+] Trying protocol 445/SMB...

[+] Found domain(s):

                [+] MEGABANK

                [+] Builtin

[+] Password Info for Domain: MEGABANK

                [+] Minimum password length: 7

                [+] Password history length: 24

                [+] Maximum password age: Not Set

                [+] Password Complexity Flags: 000000

                                [+] Domain Refuse Password Change: 0

                                [+] Domain Password Store Cleartext: 0

                                [+] Domain Password Lockout Admins: 0

                                [+] Domain Password No Clear Change: 0

                                [+] Domain Password No Anon Change: 0

                                [+] Domain Password Complex: 0

                [+] Minimum password age: 1 day 4 minutes

                [+] Reset Account Lockout Counter: 30 minutes

                [+] Locked Account Duration: 30 minutes

                [+] Account Lockout Threshold: None

                [+] Forced Log off Time: Not Set

[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled

Minimum Password Length: 7

==============================

|    Groups on 192.168.1.102    |

==============================

=======================================================================

|    Users on 192.168.1.102 via RID cycling (RIDS: 500-550,1000-1050)    |

=======================================================================

[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.

=============================================

|    Getting printer info for 192.168.1.102    |

=============================================

Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED

Homework Answers

Answer #1

a. HostName: labs.portcullis.co.uk

IP Address: 192.168.1.102

b. Domain/Workgroup Name: MEGABANK

c. All users found:

Administrator, angela, claude, Default account, felicia, fred,

Guest, gustavo, krbtgt, Marcus, marko, paulo, per, Bryan, zach

d. As shown above, enumerating the users list is a RID cycling attack that tries to enumerate the user accounts through null sessions. This extracts users from Windows hosts. The users list can also be used in other hacking activities.

After extracting the users from Windows hosts, some user information, like the real name of the user and his profile along with his account passwords, can be seen. These can be used further for other hacking activities.

e. Shares available:

Share names: Disk-type shares are print$, tmp, opt, while IPC-type shares are IPC$, ADMIN$.

All these belong to the workgroup of MEGABANK.
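
As an added example (not part of the original question or answer), this Python sketch reads the user and password-policy lines of the Appendix B output the way a defender reviewing it would: it decodes the `acb` account-control bits and reports accounts and policy settings worth remediating. The function names and the `SECRET_HINT` heuristic are assumptions; the sample lines are copied from the output above.

```python
import re

# Constructed sample: lines copied from the enum4linux output on this page.
SAMPLE = """\
index: 0xfbc RID: 0x1f4 acb: 0x00000210 Account: Administrator Name: (null)             Desc: Built-in account for administering the computer/domain
index: 0x10b4 RID: 0x19ce acb: 0x00000010 Account: angela        Name: (null)             Desc: (null)
index: 0xfbe RID: 0x1f7 acb: 0x00000215 Account: DefaultAccount Name: (null)             Desc: A user account managed by the system.
index: 0x10a9 RID: 0x457 acb: 0x00000210 Account: marko          Name: Marko Novak Desc: Account created. Password set to Welcome123!
                [+] Minimum password length: 7
                                [+] Domain Password Complex: 0
                [+] Account Lockout Threshold: None
"""

# Samba account-control (acb) bits that matter for this review.
ACB = {0x001: "DISABLED", 0x004: "PWNOTREQ", 0x010: "NORMAL", 0x200: "PWNOEXP"}
USER_RE = re.compile(r"RID: (0x[0-9a-fA-F]+) acb: (0x[0-9a-fA-F]+) "
                     r"Account: (\S+)\s+Name: (.*?)\s+Desc: (.*)")
POLICY_RE = re.compile(r"\[\+\] ([^:\n]+): (.+)")
SECRET_HINT = re.compile(r"passw(or)?d|pwd", re.I)  # heuristic (assumption)

def _null(value):
    """enum4linux prints '(null)' for empty fields; map that to None."""
    value = value.strip()
    return None if value == "(null)" else value

def parse_users(text):
    """Return one dict per 'index: ... Account: ...' line."""
    users = []
    for rid, acb, account, name, desc in USER_RE.findall(text):
        flags = {label for bit, label in ACB.items() if int(acb, 16) & bit}
        users.append({"account": account, "rid": int(rid, 16),
                      "name": _null(name), "desc": _null(desc), "flags": flags})
    return users

def audit(text):
    """Return (subject, issue) pairs; the secret itself is never echoed."""
    issues = []
    for u in parse_users(text):
        if u["desc"] and SECRET_HINT.search(u["desc"]):
            issues.append((u["account"], "credential hint in description"))
        if "DISABLED" not in u["flags"] and "PWNOEXP" in u["flags"]:
            issues.append((u["account"], "password never expires"))
    policy = {k.strip(): v.strip() for k, v in POLICY_RE.findall(text)}
    if policy.get("Domain Password Complex") == "0":
        issues.append(("policy", "complexity disabled"))
    if policy.get("Account Lockout Threshold") == "None":
        issues.append(("policy", "no account lockout threshold"))
    return issues

if __name__ == "__main__":
    for subject, issue in audit(SAMPLE):
        print(f"{subject}: {issue}")
```

Run against the full Appendix B text instead of `SAMPLE`, the same functions cover every account line and the complete policy block.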
