GOAD Reconnaissance and Enumeration
In the GOAD (Game Of Active Directory) build post the lab itself was set up.
This post records the next step against the lab network (192.168.56.0/24): identifying the live hosts, port-scanning them and enumerating the exposed services.
The VirtualBox host-only adapter used by the lab was attached to the attacker VM, so the attacker sits on the same network as the lab hosts.
Host Scan
First, nmap is used to find which hosts on 192.168.56.0/24 are up. -sn skips the port scan and -PE asks for ICMP echo probes; because the attacker is on the same Ethernet segment, nmap actually discovers the hosts with ARP requests, which is why every result carries a MAC address.
┌──(root㉿kali)-[~/Desktop/Test]
└─# nmap -sn -PE 192.168.56.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-09 01:52 EST
...
...
...
Nmap scan report for sevenkingdoms.local (192.168.56.10)
Host is up (0.00031s latency).
MAC Address: 08:00:27:E8:C2:75 (Oracle VirtualBox virtual NIC)
Nmap scan report for winterfell.north.sevenkingdoms.local (192.168.56.11)
Host is up (0.00073s latency).
MAC Address: 08:00:27:68:6C:70 (Oracle VirtualBox virtual NIC)
Nmap scan report for essos.local (192.168.56.12)
Host is up (0.00068s latency).
MAC Address: 08:00:27:DB:36:D9 (Oracle VirtualBox virtual NIC)
Nmap scan report for castelblack.north.sevenkingdoms.local (192.168.56.22)
Host is up (0.00018s latency).
MAC Address: 08:00:27:06:69:AF (Oracle VirtualBox virtual NIC)
Nmap scan report for braavos.essos.local (192.168.56.23)
Host is up (0.00035s latency).
MAC Address: 08:00:27:1F:38:9F (Oracle VirtualBox virtual NIC)
...
...
...
Next, netexec is pointed at the same range. It connects to 445/tcp on every host and reads the SMB negotiate response, which yields the NetBIOS name, the domain, the OS build, whether SMB signing is required and whether SMBv1 is still enabled.
┌──(root㉿kali)-[~/Desktop/Test]
└─# netexec smb '192.168.56.0/24'
SMB 192.168.56.22 445 CASTELBLACK [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB 192.168.56.10 445 KINGSLANDING [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.12 445 MEEREEN [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB 192.168.56.11 445 WINTERFELL [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB 192.168.56.23 445 BRAAVOS [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
Combining the nmap and netexec results, there are three domains (north.sevenkingdoms.local is a child domain of sevenkingdoms.local) and five hosts, grouped as follows:
- sevenkingdoms.local
  - 192.168.56.10 (KINGSLANDING)
- north.sevenkingdoms.local
  - 192.168.56.11 (WINTERFELL)
  - 192.168.56.22 (CASTELBLACK)
- essos.local
  - 192.168.56.12 (MEEREEN)
  - 192.168.56.23 (BRAAVOS)
Two details in the netexec output are worth noting already: SMB signing is not required on CASTELBLACK and BRAAVOS (signing:False), and SMBv1 is still enabled on MEEREEN and BRAAVOS (SMBv1:True).
The following entries were added to /etc/hosts on the attacker machine so that each host resolves by name:
# GOAD
192.168.56.10 sevenkingdoms.local kingslanding.sevenkingdoms.local
192.168.56.11 north.sevenkingdoms.local winterfell.north.sevenkingdoms.local
192.168.56.22 castelblack.north.sevenkingdoms.local
192.168.56.12 essos.local meereen.essos.local
192.168.56.23 braavos.essos.local
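As an added example (not code from the original post or from the GOAD project), the following Python script parses netexec's SMB banner lines, the same lines shown above embedded here as a constructed sample, into the domain grouping above, generates the /etc/hosts entries, and flags the hosts where SMB signing is not required or SMBv1 is enabled. The banner format encoded in the regular expression and the dc_names argument (which hosts get the bare domain name, as in the hosts file above) are this example's own assumptions.

```python
"""Turn netexec 'smb <cidr>' output into a host inventory.

Added example (not from the original post or from GOAD). SAMPLE is
constructed from the netexec run shown above; LINE_RE encodes the banner
format as printed there, which is an assumption about netexec's output.
"""
import re
from collections import defaultdict

# Constructed sample: the five banner lines from the netexec run above.
SAMPLE = """\
SMB  192.168.56.22  445  CASTELBLACK  [*] Windows 10.0 Build 17763 x64 (name:CASTELBLACK) (domain:north.sevenkingdoms.local) (signing:False) (SMBv1:False)
SMB  192.168.56.10  445  KINGSLANDING [*] Windows 10.0 Build 17763 x64 (name:KINGSLANDING) (domain:sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.12  445  MEEREEN      [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:MEEREEN) (domain:essos.local) (signing:True) (SMBv1:True)
SMB  192.168.56.11  445  WINTERFELL   [*] Windows 10.0 Build 17763 x64 (name:WINTERFELL) (domain:north.sevenkingdoms.local) (signing:True) (SMBv1:False)
SMB  192.168.56.23  445  BRAAVOS      [*] Windows Server 2016 Standard Evaluation 14393 x64 (name:BRAAVOS) (domain:essos.local) (signing:False) (SMBv1:True)
"""

LINE_RE = re.compile(
    r"^SMB\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+445\s+\S+\s+\[\*\]\s+(?P<os>.*?)\s+"
    r"\(name:(?P<name>[^)]+)\)\s+\(domain:(?P<domain>[^)]+)\)\s+"
    r"\(signing:(?P<signing>True|False)\)\s+\(SMBv1:(?P<smbv1>True|False)\)"
)


def _ip_key(host):
    """Sort key on numeric octets, so 192.168.56.22 sorts after 192.168.56.12."""
    return tuple(int(o) for o in host["ip"].split("."))


def parse_netexec(text):
    """Return one dict per banner line: ip, os, name, domain, signing, smbv1."""
    hosts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # progress or error lines are ignored
        h = m.groupdict()
        h["signing"] = h["signing"] == "True"
        h["smbv1"] = h["smbv1"] == "True"
        hosts.append(h)
    return hosts


def by_domain(hosts):
    """Group hosts under their domain, each group ordered by IP."""
    groups = defaultdict(list)
    for h in hosts:
        groups[h["domain"]].append(h)
    return {d: sorted(hs, key=_ip_key) for d, hs in groups.items()}


def hosts_file_lines(hosts, dc_names=()):
    """Build /etc/hosts lines: every host gets its FQDN; hosts named in
    dc_names also get the bare domain name so that e.g. essos.local resolves
    to its DC, matching the hosts file above. The banner does not say which
    hosts are DCs, so the caller supplies that set."""
    lines = []
    for h in sorted(hosts, key=_ip_key):
        fqdn = f"{h['name'].lower()}.{h['domain']}"
        names = [h["domain"], fqdn] if h["name"] in dc_names else [fqdn]
        lines.append(f"{h['ip']} {' '.join(names)}")
    return lines


def relay_candidates(hosts):
    """Hosts with signing:False. SMB on these accepts unsigned sessions, so an
    NTLM relay towards them is not rejected on signing grounds."""
    return sorted(h["name"] for h in hosts if not h["signing"])


def smbv1_hosts(hosts):
    """Hosts still answering SMBv1 (SMBv1:True)."""
    return sorted(h["name"] for h in hosts if h["smbv1"])


if __name__ == "__main__":
    inventory = parse_netexec(SAMPLE)
    for domain, hs in sorted(by_domain(inventory).items()):
        print(domain)
        for h in hs:
            print(f"  {h['ip']} ({h['name']})")
    dcs = {"KINGSLANDING", "WINTERFELL", "MEEREEN"}  # identified later in this post
    print("\n".join(hosts_file_lines(inventory, dc_names=dcs)))
    print("signing not required:", relay_candidates(inventory))
    print("SMBv1 enabled:", smbv1_hosts(inventory))
```

To use it on a live run, save the tool's output to a file (netexec smb 192.168.56.0/24 | tee nxc.txt) and pass the file contents to parse_netexec; if the captured text contains ANSI colour sequences, strip them first, since the regular expression expects plain text.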
Port Scan
Next, each host is port-scanned to identify the exposed services. The scan command is not reproduced in the original post; the ssl-cert, http-title and smb2-security-mode output is what nmap's version detection (-sV) together with its default scripts (-sC) produces.
192.168.56.10 (kingslanding.sevenkingdoms.local)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-09 07:21:55Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-09T07:22:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2023-12-28T06:35:05
|_Not valid after: 2024-12-27T06:35:05
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
595/tcp closed cab-protocol
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-09T07:22:54+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2023-12-28T06:35:05
|_Not valid after: 2024-12-27T06:35:05
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:kingslanding.sevenkingdoms.local
| Not valid before: 2023-12-28T06:35:05
|_Not valid after: 2024-12-27T06:35:05
|_ssl-date: 2024-01-09T07:22:54+00:00; 0s from scanner time.
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=kingslanding.sevenkingdoms.local
| Not valid before: 2023-12-27T05:41:32
|_Not valid after: 2024-06-27T05:41:32
|_ssl-date: 2024-01-09T07:22:54+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
| tls-alpn:
|_ http/1.1
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2023-12-26T21:16:07
|_Not valid after: 2026-12-25T21:16:07
|_http-title: Not Found
|_ssl-date: 2024-01-09T07:22:54+00:00; 0s from scanner time.
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49679/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49680/tcp open msrpc Microsoft Windows RPC
49682/tcp open msrpc Microsoft Windows RPC
49685/tcp open msrpc Microsoft Windows RPC
49695/tcp open msrpc Microsoft Windows RPC
49711/tcp open msrpc Microsoft Windows RPC
58731/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:E8:C2:75 (Oracle VirtualBox virtual NIC)
Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: KINGSLANDING, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:e8:c2:75 (Oracle VirtualBox virtual NIC)
| smb2-time:
| date: 2024-01-09T07:22:49
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
192.168.56.11 (winterfell.north.sevenkingdoms.local)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-09 07:26:47Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2023-12-29T13:15:46
|_Not valid after: 2024-12-28T13:15:46
|_ssl-date: 2024-01-09T07:27:49+00:00; 0s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-09T07:27:49+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2023-12-29T13:15:46
|_Not valid after: 2024-12-28T13:15:46
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2023-12-29T13:15:46
|_Not valid after: 2024-12-28T13:15:46
|_ssl-date: 2024-01-09T07:27:49+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-09T07:27:49+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:winterfell.north.sevenkingdoms.local
| Not valid before: 2023-12-29T13:15:46
|_Not valid after: 2024-12-28T13:15:46
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-01-09T07:27:49+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=winterfell.north.sevenkingdoms.local
| Not valid before: 2023-12-27T08:30:48
|_Not valid after: 2024-06-27T08:30:48
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
|_ http/1.1
|_http-title: Not Found
|_ssl-date: 2024-01-09T07:27:49+00:00; 0s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2023-12-26T21:18:50
|_Not valid after: 2026-12-25T21:18:50
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49679/tcp open msrpc Microsoft Windows RPC
49680/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49684/tcp open msrpc Microsoft Windows RPC
49690/tcp open msrpc Microsoft Windows RPC
49717/tcp open msrpc Microsoft Windows RPC
62039/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:68:6C:70 (Oracle VirtualBox virtual NIC)
Service Info: Host: WINTERFELL; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-01-09T07:27:40
|_ start_date: N/A
|_nbstat: NetBIOS name: WINTERFELL, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:68:6c:70 (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
192.168.56.22 (castelblack.north.sevenkingdoms.local)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title (text/html).
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-09T02:20:04
|_Not valid after: 2054-01-09T02:20:04
|_ssl-date: 2024-01-09T07:30:11+00:00; 0s from scanner time.
| ms-sql-ntlm-info:
| 192.168.56.22:1433:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
|_ Product_Version: 10.0.17763
| ms-sql-info:
| 192.168.56.22:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3389/tcp open ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-01-09T07:30:11+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=castelblack.north.sevenkingdoms.local
| Not valid before: 2023-12-27T08:37:31
|_Not valid after: 2024-06-27T08:37:31
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2023-12-26T21:23:40
|_Not valid after: 2026-12-25T21:23:40
| tls-alpn:
|_ http/1.1
|_ssl-date: 2024-01-09T07:30:11+00:00; 0s from scanner time.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
52665/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-01-09T07:30:11+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-09T02:20:04
|_Not valid after: 2054-01-09T02:20:04
| ms-sql-info:
| 192.168.56.22:52665:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 52665
| ms-sql-ntlm-info:
| 192.168.56.22:52665:
| Target_Name: NORTH
| NetBIOS_Domain_Name: NORTH
| NetBIOS_Computer_Name: CASTELBLACK
| DNS_Domain_Name: north.sevenkingdoms.local
| DNS_Computer_Name: castelblack.north.sevenkingdoms.local
| DNS_Tree_Name: sevenkingdoms.local
|_ Product_Version: 10.0.17763
62394/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:06:69:AF (Oracle VirtualBox virtual NIC)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: CASTELBLACK, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:06:69:af (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-01-09T07:30:06
|_ start_date: N/A
192.168.56.12 (meereen.essos.local)
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-09 07:31:25Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2023-12-28T06:35:19
|_Not valid after: 2024-12-27T06:35:19
|_ssl-date: 2024-01-09T07:32:27+00:00; 0s from scanner time.
445/tcp open Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: ESSOS)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2023-12-28T06:35:19
|_Not valid after: 2024-12-27T06:35:19
|_ssl-date: 2024-01-09T07:32:27+00:00; 0s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2023-12-28T06:35:19
|_Not valid after: 2024-12-27T06:35:19
|_ssl-date: 2024-01-09T07:32:27+00:00; 0s from scanner time.
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: essos.local, Site: Default-First-Site-Name)
|_ssl-date: 2024-01-09T07:32:27+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=meereen.essos.local
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:meereen.essos.local
| Not valid before: 2023-12-28T06:35:19
|_Not valid after: 2024-12-27T06:35:19
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: ESSOS
| NetBIOS_Domain_Name: ESSOS
| NetBIOS_Computer_Name: MEEREEN
| DNS_Domain_Name: essos.local
| DNS_Computer_Name: meereen.essos.local
| DNS_Tree_Name: essos.local
| Product_Version: 10.0.14393
|_ System_Time: 2024-01-09T07:32:19+00:00
| ssl-cert: Subject: commonName=meereen.essos.local
| Not valid before: 2023-12-27T05:41:31
|_Not valid after: 2024-06-27T05:41:31
|_ssl-date: 2024-01-09T07:32:27+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2023-12-26T21:21:07
|_Not valid after: 2026-12-25T21:21:07
| tls-alpn:
| h2
|_ http/1.1
|_http-server-header: Microsoft-HTTPAPI/2.0
|_ssl-date: 2024-01-09T07:32:27+00:00; 0s from scanner time.
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49688/tcp open msrpc Microsoft Windows RPC
49691/tcp open msrpc Microsoft Windows RPC
49701/tcp open msrpc Microsoft Windows RPC
65027/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:DB:36:D9 (Oracle VirtualBox virtual NIC)
Service Info: Host: MEEREEN; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: MEEREEN, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:db:36:d9 (Oracle VirtualBox virtual NIC)
| smb2-time:
| date: 2024-01-09T07:32:19
|_ start_date: 2024-01-09T02:19:08
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: meereen
| NetBIOS computer name: MEEREEN\x00
| Domain name: essos.local
| Forest name: essos.local
| FQDN: meereen.essos.local
|_ System time: 2024-01-08T23:32:19-08:00
|_clock-skew: mean: 48m00s, deviation: 2h31m47s, median: 0s
192.168.56.23 (braavos.essos.local)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open Windows Server 2016 Standard Evaluation 14393 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
|_ssl-date: 2024-01-09T07:34:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-09T02:20:36
|_Not valid after: 2054-01-09T02:20:36
| ms-sql-ntlm-info:
| 192.168.56.23:1433:
| Target_Name: ESSOS
| NetBIOS_Domain_Name: ESSOS
| NetBIOS_Computer_Name: BRAAVOS
| DNS_Domain_Name: essos.local
| DNS_Computer_Name: braavos.essos.local
| DNS_Tree_Name: essos.local
|_ Product_Version: 10.0.14393
| ms-sql-info:
| 192.168.56.23:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: ESSOS
| NetBIOS_Domain_Name: ESSOS
| NetBIOS_Computer_Name: BRAAVOS
| DNS_Domain_Name: essos.local
| DNS_Computer_Name: braavos.essos.local
| DNS_Tree_Name: essos.local
| Product_Version: 10.0.14393
|_ System_Time: 2024-01-09T07:34:41+00:00
| ssl-cert: Subject: commonName=braavos.essos.local
| Not valid before: 2023-12-27T06:35:25
|_Not valid after: 2024-06-27T06:35:25
|_ssl-date: 2024-01-09T07:34:46+00:00; 0s from scanner time.
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
5986/tcp open ssl/http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| tls-alpn:
| h2
|_ http/1.1
|_http-title: Not Found
|_ssl-date: 2024-01-09T07:34:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=VAGRANT
| Subject Alternative Name: DNS:VAGRANT, DNS:vagrant
| Not valid before: 2023-12-26T21:26:31
|_Not valid after: 2026-12-25T21:26:31
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
50939/tcp open msrpc Microsoft Windows RPC
63042/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-ntlm-info:
| 192.168.56.23:63042:
| Target_Name: ESSOS
| NetBIOS_Domain_Name: ESSOS
| NetBIOS_Computer_Name: BRAAVOS
| DNS_Domain_Name: essos.local
| DNS_Computer_Name: braavos.essos.local
| DNS_Tree_Name: essos.local
|_ Product_Version: 10.0.14393
| ms-sql-info:
| 192.168.56.23:63042:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 63042
|_ssl-date: 2024-01-09T07:34:46+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2024-01-09T02:20:36
|_Not valid after: 2054-01-09T02:20:36
64879/tcp open msrpc Microsoft Windows RPC
MAC Address: 08:00:27:1F:38:9F (Oracle VirtualBox virtual NIC)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: BRAAVOS, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:1f:38:9f (Oracle VirtualBox virtual NIC)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3)
| Computer name: braavos
| NetBIOS computer name: BRAAVOS\x00
| Domain name: essos.local
| Forest name: essos.local
| FQDN: braavos.essos.local
|_ System time: 2024-01-08T23:34:41-08:00
|_clock-skew: mean: 47m59s, deviation: 2h31m47s, median: 0s
| smb2-time:
| date: 2024-01-09T07:34:41
|_ start_date: 2024-01-09T02:20:29
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
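The domain controllers can be recognised from the port scans alone: the three hosts with DNS (53), Kerberos (88), LDAP/LDAPS (389/636) and the global catalog (3268/3269) open are the DCs, while CASTELBLACK and BRAAVOS stand out with SQL Server 2019 RTM on 1433 plus a second ms-sql-s port, and with SMB signing enabled but not required. The Python below, an added example that is not part of the original post, applies those rules to nmap's normal output. SAMPLES holds trimmed excerpts of two of the scans above (constructed from them; most script output and the high RPC ports are removed), and the role heuristics are this example's own assumptions.

```python
"""Classify hosts from nmap -sV/-sC normal output.

Added example, not from the original post. SAMPLES are trimmed excerpts of
the nmap output shown above (constructed from it). The role heuristics are
this example's own assumptions: a host with Kerberos (88) and LDAP (389)
open is taken to be a domain controller, and so on.
"""
import re

SAMPLES = {
    "192.168.56.10": """\
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-09 07:21:55Z)
135/tcp open msrpc Microsoft Windows RPC
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
595/tcp closed cab-protocol
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sevenkingdoms.local0., Site: Default-First-Site-Name)
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: Host: KINGSLANDING; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
""",
    "192.168.56.22": """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
3389/tcp open ms-wbt-server Microsoft Terminal Services
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
52665/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
""",
}

# One port line: "<port>/tcp <state> <service> [<version>]"
PORT_RE = re.compile(r"^(?P<port>\d+)/tcp\s+(?P<state>\w+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$")
# smb2-security-mode script verdict
SIGNING_RE = re.compile(r"Message signing enabled (and required|but not required)")


def parse_nmap(text):
    """Return {'open': {port: service}, 'signing_required': True/False/None}."""
    open_ports, signing = {}, None
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m and m["state"] == "open":  # closed/filtered ports are dropped
            open_ports[int(m["port"])] = m["service"]
        s = SIGNING_RE.search(line)
        if s:
            signing = s.group(1) == "and required"
    return {"open": open_ports, "signing_required": signing}


def classify(scan):
    """Derive roles from the open port set (heuristics, see module docstring)."""
    p = scan["open"]
    roles = []
    if 88 in p and 389 in p:
        roles.append("domain-controller")
        if 3268 in p or 3269 in p:
            roles.append("global-catalog")
    if 53 in p:
        roles.append("dns")
    if any(svc == "ms-sql-s" for svc in p.values()):
        roles.append("mssql")
    if 80 in p or 443 in p:
        roles.append("web")
    if 5985 in p or 5986 in p:
        roles.append("winrm")
    if 3389 in p:
        roles.append("rdp")
    if 445 in p and scan["signing_required"] is False:
        roles.append("smb-signing-not-required")
    return roles


def mssql_ports(scan):
    """All ports nmap fingerprinted as ms-sql-s, including non-default ones."""
    return sorted(port for port, svc in scan["open"].items() if svc == "ms-sql-s")


if __name__ == "__main__":
    for ip, text in SAMPLES.items():
        scan = parse_nmap(text)
        print(ip, classify(scan), "mssql ports:", mssql_ports(scan))
```

On a real run, save each scan with nmap -oN and feed the file contents to parse_nmap; the parser only looks at the port table and the smb2-security-mode verdict, so the remaining script output does not disturb it.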
Find Domain Controller
Of the five hosts, three expose DNS on 53/tcp. dig is used to ask each of them for the SRV record that lists the domain's domain controllers, _ldap._tcp.dc._msdcs.<domain>. One caveat about the captures below: the name was typed as _tcpd instead of _tcp, so every query returns NXDOMAIN with an empty ANSWER section. The DC can still be read from the AUTHORITY section: the SOA record's primary name server (MNAME) is the server that holds the zone, and in Active Directory-integrated DNS that is a domain controller. With the name spelled correctly, the ANSWER section would carry the SRV records directly.
First, for sevenkingdoms.local the SOA for _msdcs.sevenkingdoms.local names kingslanding.sevenkingdoms.local, so the DC is 192.168.56.10.
┌──(root㉿kali)-[~/Desktop/Test]
└─# dig srv _ldap._tcpd.dc._msdcs.sevenkingdoms.local @192.168.56.10
; <<>> DiG 9.18.16-1-Debian <<>> srv _ldap._tcpd.dc._msdcs.sevenkingdoms.local @192.168.56.10
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30245
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcpd.dc._msdcs.sevenkingdoms.local. IN SRV
;; AUTHORITY SECTION:
_msdcs.sevenkingdoms.local. 3600 IN SOA kingslanding.sevenkingdoms.local. hostmaster.sevenkingdoms.local. 17 900 600 86400 3600
;; Query time: 0 msec
;; SERVER: 192.168.56.10#53(192.168.56.10) (UDP)
;; WHEN: Tue Jan 09 02:48:39 EST 2024
;; MSG SIZE rcvd: 156
Second, north.sevenkingdoms.local. The SERVER line in the output shows that this query was in fact answered by 192.168.56.12 (MEEREEN), which is not authoritative for that zone (the aa flag is missing) and so resolved it recursively; the SOA it returned for north.sevenkingdoms.local names winterfell.north.sevenkingdoms.local, so the DC is 192.168.56.11.
┌──(root㉿kali)-[~/Desktop/Test]
└─# dig srv _ldap._tcpd.dc._msdcs.north.sevenkingdoms.local @192.168.56.12
; <<>> DiG 9.18.16-1-Debian <<>> srv _ldap._tcpd.dc._msdcs.north.sevenkingdoms.local @192.168.56.12
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39306
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: 60bb857edefed3d7 (echoed)
;; QUESTION SECTION:
;_ldap._tcpd.dc._msdcs.north.sevenkingdoms.local. IN SRV
;; AUTHORITY SECTION:
north.sevenkingdoms.local. 898 IN SOA winterfell.north.sevenkingdoms.local. hostmaster.north.sevenkingdoms.local. 67 900 600 86400 3600
;; Query time: 4 msec
;; SERVER: 192.168.56.12#53(192.168.56.12) (UDP)
;; WHEN: Tue Jan 09 02:50:20 EST 2024
;; MSG SIZE rcvd: 146
Finally, for essos.local the SOA for _msdcs.essos.local names meereen.essos.local, so the DC is 192.168.56.12.
┌──(root㉿kali)-[~/Desktop/Test]
└─# dig srv _ldap._tcpd.dc._msdcs.essos.local @192.168.56.12
; <<>> DiG 9.18.16-1-Debian <<>> srv _ldap._tcpd.dc._msdcs.essos.local @192.168.56.12
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 27173
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
; COOKIE: f1f89a6609349d7a (echoed)
;; QUESTION SECTION:
;_ldap._tcpd.dc._msdcs.essos.local. IN SRV
;; AUTHORITY SECTION:
_msdcs.essos.local. 3600 IN SOA meereen.essos.local. hostmaster.essos.local. 12 900 600 86400 3600
;; Query time: 4 msec
;; SERVER: 192.168.56.12#53(192.168.56.12) (UDP)
;; WHEN: Tue Jan 09 02:53:22 EST 2024
;; MSG SIZE rcvd: 147
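Added example, not from the original post: the script below builds the correctly spelled DC locator SRV names and parses dig's text output, taking the DCs from the SRV answers when the name resolves and falling back to the SOA MNAME in the AUTHORITY section when it does not, which is exactly what the NXDOMAIN responses above still reveal. SRV_ANSWER is a constructed response (not captured from the lab; it contains the record the corrected query would be expected to return given the SOA above, an assumption), SOA_ONLY is the first dig output above, and run_dig is this example's own wrapper around the dig binary.

```python
"""Locate domain controllers through DNS SRV records, with an SOA fallback.

Added example, not part of the original post. SRV_ANSWER is a constructed
dig response (assumed, not captured from the lab); SOA_ONLY is the first dig
output shown in the post, where the mistyped name (_tcpd) produced NXDOMAIN
but the AUTHORITY section still named the DC.
"""
import re
import subprocess

# Constructed: what a correctly spelled query could return.
SRV_ANSWER = """\
; <<>> DiG 9.18.16-1-Debian <<>> srv _ldap._tcp.dc._msdcs.sevenkingdoms.local @192.168.56.10
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.sevenkingdoms.local. IN SRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.sevenkingdoms.local. 600 IN SRV 0 100 389 kingslanding.sevenkingdoms.local.

;; Query time: 0 msec
"""

# From the post: the mistyped query and its NXDOMAIN response.
SOA_ONLY = """\
; <<>> DiG 9.18.16-1-Debian <<>> srv _ldap._tcpd.dc._msdcs.sevenkingdoms.local @192.168.56.10
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 30245
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;_ldap._tcpd.dc._msdcs.sevenkingdoms.local. IN SRV
;; AUTHORITY SECTION:
_msdcs.sevenkingdoms.local. 3600 IN SOA kingslanding.sevenkingdoms.local. hostmaster.sevenkingdoms.local. 17 900 600 86400 3600
;; Query time: 0 msec
"""

SRV_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\.$")
SOA_RE = re.compile(r"^(?P<zone>\S+)\s+\d+\s+IN\s+SOA\s+(?P<mname>\S+)\.\s+\S+")


def dc_srv_names(domain, site=None):
    """DC locator SRV names for `domain`; a site-specific name first if given."""
    names = [
        f"_ldap._tcp.dc._msdcs.{domain}",       # all DCs of the domain
        f"_kerberos._tcp.dc._msdcs.{domain}",   # KDCs (same hosts in AD)
        f"_ldap._tcp.pdc._msdcs.{domain}",      # the PDC emulator
        f"_ldap._tcp.gc._msdcs.{domain}",       # global catalogs (exists under the forest root)
    ]
    if site:
        names.insert(0, f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    return names


def parse_dig(output):
    """Return {'status', 'dcs', 'source'}: DC names from SRV answers, else from the SOA MNAME."""
    status, section, srv, soa = None, None, [], None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; ANSWER SECTION"):
            section = "answer"
        elif line.startswith(";; AUTHORITY SECTION"):
            section = "authority"
        elif line.startswith(";") or not line:
            section = None  # comment, question entry or blank line ends a section
        elif section == "answer":
            m = SRV_RE.match(line)
            if m:  # order by priority, then by descending weight
                srv.append((int(m["prio"]), -int(m["weight"]), int(m["port"]), m["target"]))
        elif section == "authority":
            m = SOA_RE.match(line)
            if m:
                soa = m["mname"]
    if srv:
        return {"status": status, "dcs": [t for *_, t in sorted(srv)], "source": "answer"}
    if soa:
        return {"status": status, "dcs": [soa], "source": "soa"}
    return {"status": status, "dcs": [], "source": None}


def run_dig(name, server):
    """Query `name` against `server` with the dig binary (needs the lab network)."""
    proc = subprocess.run(["dig", "srv", name, f"@{server}"], capture_output=True, text=True, check=False)
    return parse_dig(proc.stdout)


if __name__ == "__main__":
    for domain, server in [("sevenkingdoms.local", "192.168.56.10"),
                           ("north.sevenkingdoms.local", "192.168.56.11"),
                           ("essos.local", "192.168.56.12")]:
        print(domain, run_dig(dc_srv_names(domain)[0], server))
```

Queried against a DC that is authoritative for the zone (the aa flag set), the SRV answer lists every DC of the domain, not only the one that holds the SOA, so the corrected query is the more complete check; the SOA fallback is what rescues a mistyped or otherwise unresolvable name.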
This post identified the hosts in the GOAD network, port-scanned each of them and identified the DCs. Findings to carry forward: the three DCs (KINGSLANDING, WINTERFELL, MEEREEN) expose DNS, Kerberos, LDAP/LDAPS and the global catalog; CASTELBLACK and BRAAVOS run IIS and SQL Server 2019 RTM and do not require SMB signing; WinRM (5985/5986) and RDP (3389) are open on all five hosts. The next post checks, starting from these scan results, whether there are points from which domain users can be enumerated.