# Lab 4-1: Probing services with Nmap

## Lab objective and tools

### Lab objective

Scan the target network on which several machines are running. We will find out which hosts are up and which services, ports and operating systems they expose, using nmap.

### Tools

- nmap

## Procedure

### nmap

Network Mapper (nmap) is used to scan networks and identify open ports, the operating system, and the running services including their names and versions. It can also tell whether packet filters, firewalls or an IDS sit between the scanner and the target.

![image](https://hackmd.io/_uploads/BkQvH91bxl.png)

We will use nmap with the following options to collect the required information. First, host discovery:

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP 192.168.190.0-255
```

- `-sP` checks which hosts are up without scanning any ports (a ping scan). In current nmap versions `-sP` is a deprecated alias for `-sn`; both do the same thing. Run as root on the local LAN, host discovery uses ARP requests, which is why each live host is reported together with its MAC address and the VMware vendor tag.
- `192.168.190.0-255` scans the range `192.168.190.0`, `192.168.190.1`, ..., `192.168.190.255` (the same as `192.168.190.0/24`).

:::spoiler Using nmap to find which hosts are up
```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP 192.168.190.0-255
[sudo] password for kali: 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-11 07:45 EDT
Nmap scan report for 192.168.190.1 (192.168.190.1)
Host is up (0.0016s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 192.168.190.2
Host is up (0.00012s latency).
MAC Address: 00:50:56:EA:70:A8 (VMware)
Nmap scan report for 192.168.190.152
Host is up (0.00039s latency).
MAC Address: 00:0C:29:9D:65:2E (VMware)
Nmap scan report for 192.168.190.254
Host is up.
MAC Address: 00:50:56:EA:2C:14 (VMware)
Nmap scan report for 192.168.190.148 (192.168.190.148)
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 25.29 seconds
```
:::

Five hosts answered. Note that 192.168.190.148 is reported without a MAC address: it is the Kali VM doing the scanning (nmap does not ARP for itself, and the TCP scan below places it at `Network Distance: 0 hops`), so its entries describe our own machine rather than a target.

Next, the ports listening on UDP:

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU 192.168.190.0-255
```

- `-sU` sends UDP probes to the 1000 most common UDP ports. A port that answers is `open`, an ICMP port-unreachable reply means `closed`, and no reply at all is reported as `open|filtered`, because nmap cannot distinguish a silent open service from a dropped packet. This is also why the scan is slow (over 17 minutes for the /24 below): ICMP rate limiting forces nmap to wait out each unanswered probe.

:::spoiler Using nmap to find the ports listening on UDP
```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sU 192.168.190.0-255
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-11 07:44 EDT
Nmap scan report for 192.168.190.1
Host is up (0.027s latency).
All 1000 scanned ports on 192.168.190.1 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)

Nmap scan report for 192.168.190.2
Host is up (0.0071s latency).
Not shown: 999 open|filtered udp ports (no-response)
PORT   STATE SERVICE
53/udp open  domain
MAC Address: 00:50:56:EA:70:A8 (VMware)

Nmap scan report for 192.168.190.152
Host is up (0.0024s latency).
Not shown: 938 closed udp ports (port-unreach), 61 open|filtered udp ports (no-response)
PORT    STATE SERVICE
137/udp open  netbios-ns
MAC Address: 00:0C:29:9D:65:2E (VMware)

Nmap scan report for 192.168.190.254
Host is up (0.00024s latency).
All 1000 scanned ports on 192.168.190.254 are in ignored states.
Not shown: 1000 open|filtered udp ports (no-response)
MAC Address: 00:50:56:EA:2C:14 (VMware)

Nmap scan report for 192.168.190.148 (192.168.190.148)
Host is up (0.0000050s latency).
Not shown: 998 closed udp ports (port-unreach)
PORT     STATE         SERVICE
5353/udp open|filtered zeroconf
5355/udp open|filtered llmnr

Nmap done: 256 IP addresses (5 hosts up) scanned in 1024.02 seconds
```
:::

From the output:

- 192.168.190.2 has UDP port 53 open, the **DNS** service (the TCP scan below identifies this host as the VMware NAT device, which also acts as the VMs' resolver). An exposed DNS server can be abused for amplification DoS/DDoS and, if it is misconfigured to allow zone transfers (AXFR), the whole DNS zone can be dumped.
- 192.168.190.152 has UDP port 137 open, the **NetBIOS Name Service** (NBNS). NBNS answers are unauthenticated, so a host on the same LAN can answer name queries with its own address (NetBIOS Name Service poisoning) if the target is not configured to avoid it.
- UDP port 5353 is `open|filtered`, usually **mDNS** (Multicast DNS), which lets devices in the same LAN discover and connect to each other by name.
- UDP port 5355 is `open|filtered`, usually **LLMNR** (Link-Local Multicast Name Resolution). Like mDNS (not the opposite of it), it resolves hostnames to IP addresses on the local link without a DNS server; like NBNS, its answers are unauthenticated and can be spoofed by another host on the LAN.
- `open|filtered` is not a confirmed listener, and both of those ports belong to 192.168.190.148, the scanner itself, so they are not part of the lab target's attack surface.

Finally, the list of open TCP ports, the services behind them and the operating system:

```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sSV -O 192.168.190.0-255
```

- `-sSV` combines `-sS` (TCP SYN scan, half-open, requires root) with `-sV` (service and version detection by probing the open ports).
- `-O` fingerprints the operating system from the TCP/IP stack's responses.

:::spoiler Using nmap to list open ports and the services running on them
```
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sSV -O 192.168.190.0-255
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-11 07:46 EDT
Nmap scan report for 192.168.190.1 (192.168.190.1)
Host is up (0.015s latency).
All 1000 scanned ports on 192.168.190.1 (192.168.190.1) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:C0:00:08 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for 192.168.190.2 (192.168.190.2)
Host is up (0.0043s latency).
Not shown: 999 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
53/tcp open  domain  (unknown banner: x.x.x)
1 service unrecognized despite returning data.
If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.94SVN%I=7%D=5/11%Time=68208E4B%P=x86_64-pc-linux-gnu%r(D
SF:NSVersionBindReqTCP,32,"\x000\0\x06\x85\0\0\x01\0\x01\0\0\0\0\x07versio
SF:n\x04bind\0\0\x10\0\x03\xc0\x0c\0\x10\0\x03\0\0\0\0\0\x06\x05x\.x\.x");
MAC Address: 00:50:56:EA:70:A8 (VMware)
Device type: specialized
Running: VMware Player
OS CPE: cpe:/a:vmware:player
OS details: VMware Player virtual NAT device
Network Distance: 1 hop

Nmap scan report for 192.168.190.152 (192.168.190.152)
Host is up (0.00056s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
MAC Address: 00:0C:29:9D:65:2E (VMware)
Device type: general purpose
Running: Microsoft Windows 2016
OS CPE: cpe:/o:microsoft:windows_server_2016
OS details: Microsoft Windows Server 2016 build 10586 - 14393
Network Distance: 1 hop
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Nmap scan report for 192.168.190.254 (192.168.190.254)
Host is up (0.00018s latency).
All 1000 scanned ports on 192.168.190.254 (192.168.190.254) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
MAC Address: 00:50:56:EA:2C:14 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

Nmap scan report for 192.168.190.148 (192.168.190.148)
Host is up (0.000059s latency).
Not shown: 999 closed tcp ports (reset)
PORT    STATE SERVICE VERSION
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=5/11%OT=389%CT=1%CU=41050%PV=Y%DS=0%DC=L%G=Y%TM=682
OS:08E6B%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=MFFD7ST11NW7%O2=MFFD7ST11NW7%O3=MFFD7NNT11NW7%O4=MFFD7ST11NW7%O5=
OS:MFFD7ST11NW7%O6=MFFD7ST11)WIN(W1=8200%W2=8200%W3=8200%W4=8200%W5=8200%W6
OS:=8200)ECN(R=Y%DF=Y%T=40%W=8200%O=MFFD7NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=
OS:O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD
OS:=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1
OS:(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI
OS:=N%T=40%CD=S)

Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 256 IP addresses (5 hosts up) scanned in 65.71 seconds
```
:::

From the output:

- 192.168.190.2 has TCP port 53 open, the **DNS** service (the same resolver seen on UDP; DNS over TCP carries large responses and zone transfers). The same attack surface applies: amplification DoS/DDoS and, if the server is misconfigured to allow it, a zone transfer (AXFR) that dumps the whole zone. The version banner comes back as `x.x.x`, so the server masks its software version.
- 192.168.190.152, fingerprinted as Windows Server 2016, has these ports open:
  + 135: **Microsoft RPC** endpoint mapper.
  + 139 (netbios-ssn): **NetBIOS** session service.
  + 445 (microsoft-ds): **SMB** (Server Message Block). Together these three ports expose the classic Windows file-sharing and RPC surface, which is where [EternalBlue](https://vi.wikipedia.org/wiki/EternalBlue) (MS17-010) is exploited. Open ports alone do not prove the host is vulnerable: that requires SMBv1 to be enabled and the MS17-010 patch to be missing, which can be checked first with `nmap -p445 --script smb-vuln-ms17-010 192.168.190.152`.
- 192.168.190.148 has TCP port 389 open, **OpenLDAP** 2.2.x - 2.3.x. An exposed directory can be tested for anonymous bind and enumerated (`ldapsearch -x -H ldap://192.168.190.148 -b "" -s base namingContexts`), and is a candidate for LDAP injection in applications that build filters from user input, or for DoS. Note however that nmap reports this host at `Network Distance: 0 hops` and without a MAC address: 192.168.190.148 is the Kali machine itself, so this LDAP service (like the mDNS/LLMNR ports in the UDP scan) belongs to the scanner, not to a lab target.

# Lab 4-2: Probing with SuperScan and using Net View to enumerate shared resources

## Lab objective and tools

### Lab objective

Collect information about the target host such as its MAC address, operating system and other details, and use Net View to enumerate shared resources.

### Tools

- SuperScan
- Cmd

## Procedure

### SuperScan

![image](https://hackmd.io/_uploads/SJZBhc1Zll.png)

**SuperScan** is a Windows network scanning tool used mainly to check and identify the services running on a host or a network: scanning for open ports, identifying network services and checking for security weaknesses. Version 4.1 looks like this:

![image](https://hackmd.io/_uploads/rJt76q1Zgg.png)

Since our target is Windows, choose `Windows Enumeration`, enter the target IP and click `Enumerate`.

![image](https://hackmd.io/_uploads/r1g505J-gg.png)

Windows Enumeration talks to the target over the SMB and MSRPC ports found in Lab 4-1 (TCP 139/445 and 135). It starts by attempting a NULL session, an anonymous connection to the `IPC$` share, and everything below was obtained without any credentials.

:::spoiler SuperScan output
```
NetBIOS information on 192.168.190.152
Attempting a NULL session connection on 192.168.190.152

MAC addresses on 192.168.190.152
MAC address 0: 00:0C:29:9D:65:2E \Device\NetBT_Tcpip_{C0ED5487-1B26-4FB9-85F6-6855CD0979F7}

Workstation/server type on 192.168.190.152
Unknown OS
Workstation/Server Name : "192.168.190.152"
Platform ID : 500
Version : 10.0
Comment : ""
Type : 00009003
  LAN Manager Workstation
  LAN Manager Server
  NT/2000 Member Server (non domain controller)
  NT/2000 Workstation
Computer Name : WIN-J3GDS2EJRA2
Workgroup/Domain : WORKGROUP
Lan Root : 
Logged On User Count : 1

Users on 192.168.190.152
Total Users: 3
--- 1 ---
Admin "Administrator"
Full Name: ""
System Comment: "Built-in account for administering the computer/domain"
User Comment: ""
Last logon: Sun May 11 04:09:12 2025 (0 days ago)
Password expires: Never
Password changed: 0 days ago
Locked out: No
Disabled: No
Number of logons: 4
Bad password count: 0
--- 2 ---
User "DefaultAccount"
Full Name: ""
System Comment: "A user account managed by the system."
User Comment: ""
Last logon: Never
Password expires: Never
Password changed: Never
Locked out: No
Disabled: Yes
Number of logons: 0
Bad password count: 0
--- 3 ---
User "Guest"
Full Name: ""
System Comment: "Built-in account for guest access to the computer/domain"
User Comment: ""
Last logon: Never
Password expires: Never
Password changed: Never
Locked out: No
Disabled: Yes
Number of logons: 0
Bad password count: 0

Groups on 192.168.190.152
Group: Access Control Assistance Operators
Group: Administrators
  WIN-J3GDS2EJRA2\Administrator
Group: Backup Operators
Group: Certificate Service DCOM Access
Group: Cryptographic Operators
Group: Distributed COM Users
Group: Event Log Readers
Group: Guests
  WIN-J3GDS2EJRA2\Guest
Group: Hyper-V Administrators
Group: IIS_IUSRS
  NT AUTHORITY\IUSR
Group: Network Configuration Operators
Group: Performance Log Users
Group: Performance Monitor Users
Group: Power Users
Group: Print Operators
Group: RDS Endpoint Servers
Group: RDS Management Servers
Group: RDS Remote Access Servers
Group: Remote Desktop Users
Group: Remote Management Users
Group: Replicator
Group: Storage Replica Administrators
Group: System Managed Accounts Group
  WIN-J3GDS2EJRA2\DefaultAccount
Group: Users
  NT AUTHORITY\INTERACTIVE
  NT AUTHORITY\Authenticated Users

RPC endpoints on 192.168.190.152
Entry 0   Interface: "d95afe70-a6d5-4259-822e-2c84da1ddb0d" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49664]"  Object Id: "765294ba-60bc-48b8-92e9-89fd77769d91"  Annotation: ""
Entry 1   Interface: "12345778-1234-abcd-ef00-0123456789ac" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\lsass]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 2   Interface: "12345778-1234-abcd-ef00-0123456789ac" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49673]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 3   Interface: "b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86" ver 2.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\lsass]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "KeyIso"
Entry 4   Interface: "b25a52bf-e5dd-4f4a-aea6-8ca7272a0e86" ver 2.0  Binding: "ncacn_ip_tcp:192.168.190.152[49673]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "KeyIso"
Entry 5   Interface: "8fb74744-b2ff-4c00-be0d-9ef9a191fe1b" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\lsass]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Ngc Pop Key Service"
Entry 6   Interface: "8fb74744-b2ff-4c00-be0d-9ef9a191fe1b" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49673]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Ngc Pop Key Service"
Entry 7   Interface: "51a227ae-825b-41f2-b4a9-1ac9557a1018" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\lsass]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Ngc Pop Key Service"
Entry 8   Interface: "51a227ae-825b-41f2-b4a9-1ac9557a1018" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49673]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Ngc Pop Key Service"
Entry 9   Interface: "367abb81-9844-35f1-ad32-98f038001003" ver 2.0  Binding: "ncacn_ip_tcp:192.168.190.152[49672]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 10  Interface: "12345678-1234-abcd-ef00-0123456789ab" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49671]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 11  Interface: "0b6edbfa-4a24-4fc6-8a23-942b1eca65d1" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49671]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 12  Interface: "ae33069b-a2a8-46ee-a235-ddfd339be281" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49671]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 13  Interface: "4a452661-8290-4b36-8fbe-7f4093a94978" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49671]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 14  Interface: "76f03f96-cdfd-44fc-a22c-64950a001209" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49671]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 15  Interface: "7f1343fe-50a9-4927-a778-0c5859517bac" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\wkssvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "DfsDs service"
Entry 16  Interface: "338cd001-2244-31f1-aaaa-900038001003" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\winreg]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "RemoteRegistry Interface"
Entry 17  Interface: "da5a86c5-12c2-4943-ab30-7f74a813d853" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\winreg]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "RemoteRegistry Perflib Interface"
Entry 18  Interface: "1ff70682-0a51-30e8-076d-740be8cee98b" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 19  Interface: "378e52b0-c0a9-11cf-822d-00aa0051e40f" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 20  Interface: "33d84484-3626-47ee-8c6f-e7e98b113be1" ver 2.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 21  Interface: "86d35949-83c9-4044-b424-db363231fd0c" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 22  Interface: "86d35949-83c9-4044-b424-db363231fd0c" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49666]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 23  Interface: "3a9ef155-691d-4449-8d05-09ad57031823" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 24  Interface: "3a9ef155-691d-4449-8d05-09ad57031823" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49666]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 25  Interface: "b18fbab6-56f8-4702-84e0-41053293a869" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "UserMgrCli"
Entry 26  Interface: "b18fbab6-56f8-4702-84e0-41053293a869" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49666]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "UserMgrCli"
Entry 27  Interface: "0d3c7f20-1c8d-4654-a1b3-51563b298bda" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "UserMgrCli"
Entry 28  Interface: "0d3c7f20-1c8d-4654-a1b3-51563b298bda" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49666]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "UserMgrCli"
Entry 29  Interface: "552d076a-cb29-4e44-8b6a-d15e59e2c0af" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "IP Transition Configuration endpoint"
Entry 30  Interface: "552d076a-cb29-4e44-8b6a-d15e59e2c0af" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49666]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "IP Transition Configuration endpoint"
Entry 31  Interface: "2e6035b2-e8f1-41a7-a044-656b439c4c34" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Proxy Manager provider server endpoint"
Entry 32  Interface: "2e6035b2-e8f1-41a7-a044-656b439c4c34" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49666]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Proxy Manager provider server endpoint"
Entry 33  Interface: "c36be077-e14b-4fe9-8abc-e856ef4f048b" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Proxy Manager client server endpoint"
Entry 34  Interface: "c36be077-e14b-4fe9-8abc-e856ef4f048b" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49666]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Proxy Manager client server endpoint"
Entry 35  Interface: "c49a5a70-8a7f-4e70-ba16-1e8f1f193ef1" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Adh APIs"
Entry 36  Interface: "c49a5a70-8a7f-4e70-ba16-1e8f1f193ef1" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49666]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Adh APIs"
Entry 37  Interface: "d09bdeb5-6171-4a34-bfe2-06fa82652568" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\atsvc]"  Object Id: "582a47b2-bcd8-4d3c-8acb-fe09d5bd6eec"  Annotation: ""
Entry 38  Interface: "d09bdeb5-6171-4a34-bfe2-06fa82652568" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49666]"  Object Id: "582a47b2-bcd8-4d3c-8acb-fe09d5bd6eec"  Annotation: ""
Entry 39  Interface: "f6beaff7-1e19-4fbb-9f8f-b89e2018337c" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\eventlog]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Event log TCPIP"
Entry 40  Interface: "f6beaff7-1e19-4fbb-9f8f-b89e2018337c" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49665]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "Event log TCPIP"
Entry 41  Interface: "3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\eventlog]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "DHCPv6 Client LRPC Endpoint"
Entry 42  Interface: "3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49665]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "DHCPv6 Client LRPC Endpoint"
Entry 43  Interface: "3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\eventlog]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "DHCP Client LRPC Endpoint"
Entry 44  Interface: "3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49665]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: "DHCP Client LRPC Endpoint"
Entry 45  Interface: "d09bdeb5-6171-4a34-bfe2-06fa82652568" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\eventlog]"  Object Id: "b5ccd5ef-4238-440b-bba0-999f828f1cfe"  Annotation: ""
Entry 46  Interface: "d09bdeb5-6171-4a34-bfe2-06fa82652568" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49665]"  Object Id: "b5ccd5ef-4238-440b-bba0-999f828f1cfe"  Annotation: ""
Entry 47  Interface: "a500d4c6-0dd1-4543-bc0c-d5f93486eaf8" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\eventlog]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 48  Interface: "a500d4c6-0dd1-4543-bc0c-d5f93486eaf8" ver 1.0  Binding: "ncacn_ip_tcp:192.168.190.152[49665]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 49  Interface: "2d98a740-581d-41b9-aa0d-a88b9d5ce938" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 50  Interface: "8bfc3be1-6def-4e2d-af74-7c47cd0ade4a" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 51  Interface: "1b37ca91-76b1-4f5e-a3c7-2abfc61f2bb0" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 52  Interface: "c605f9fb-f0a3-4e2a-a073-73560f8d9e3e" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 53  Interface: "0d3e2735-cea0-4ecc-a9e2-41a2d81aed4e" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 54  Interface: "2c7fd9ce-e706-4b40-b412-953107ef9bb0" ver 0.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 55  Interface: "c521facf-09a9-42c5-b155-72388595cbf0" ver 0.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 56  Interface: "1832bcf6-cab8-41d4-85d2-c9410764f75a" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 57  Interface: "4dace966-a243-4450-ae3f-9b7bcb5315b8" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 58  Interface: "55e6b932-1979-45d6-90c5-7f6270724112" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 59  Interface: "76c217bc-c8b4-4201-a745-373ad9032b1a" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 60  Interface: "88abcbc3-34ea-76ae-8215-767520655a23" ver 0.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 61  Interface: "2513bcbe-6cd4-4348-855e-7efb3c336dd3" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 62  Interface: "20c40295-8dba-48e6-aebf-3e78ef3bb144" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 63  Interface: "b8cadbaf-e84b-46b9-84f2-6f71c03f9e55" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 64  Interface: "857fb1be-084f-4fb5-b59c-4b2c4be5f0cf" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 65  Interface: "d09bdeb5-6171-4a34-bfe2-06fa82652568" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "db57eb61-1aa2-4906-9396-23e8b8024c32"  Annotation: ""
Entry 66  Interface: "697dcda9-3ba9-4eb2-9247-e11f1901b0d2" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 67  Interface: "d09bdeb5-6171-4a34-bfe2-06fa82652568" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "9e56cbc5-e634-4267-818e-ffa7dce1fa86"  Annotation: ""
Entry 68  Interface: "9b008953-f195-4bf9-bde0-4471971e58ed" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 69  Interface: "fc48cd89-98d6-4628-9839-86f7a3e4161a" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\pipe\\LSM_API_service]"  Object Id: "00000000-0000-0000-0000-000000000000"  Annotation: ""
Entry 70  Interface: "76f226c3-ec14-4325-8a99-6a46348418af" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\InitShutdown]"  Object Id: "b08669ee-8cb5-43a5-a017-84fe00000000"  Annotation: ""
Entry 71  Interface: "d95afe70-a6d5-4259-822e-2c84da1ddb0d" ver 1.0  Binding: "ncacn_np:192.168.190.152[\\PIPE\\InitShutdown]"  Object Id: "765294ba-60bc-48b8-92e9-89fd77769d91"  Annotation: ""

Password and account policies on 192.168.190.152
Account lockout threshold is 0
Account lockout duration is 30 mins
Minimum password length is 0
Maximum password age is 42 days

Shares on 192.168.190.152
Disk: ADMIN$ (Remote Admin)
Disk: C$ (Default share)
IPC: IPC$ (Remote IPC)

Domains on 192.168.190.152

Remote time of day on 192.168.190.152
Date: 5/11/2025  Time: 11:14:38  Timezone: GMT -07:00  Uptime: 0 days, 0 hours, 5 minutes

Logon sessions on 192.168.190.152
Total Sessions: 1
\\\\192.168.190.152  Administrator  Uptime: 0:00:01
Idle: 0:00:01

Drives on 192.168.190.152
C D

Trusted Domains on 192.168.190.152
Account Domain: WIN-J3GDS2EJRA2
Primary Domain: WORKGROUP

Remote services on 192.168.190.152
AJRouter  Stopped  AllJoyn Router Service
ALG  Stopped  Application Layer Gateway Service
AppIDSvc  Stopped  Application Identity
Appinfo  Stopped  Application Information
AppMgmt  Stopped  Application Management
AppReadiness  Stopped  App Readiness
AppVClient  Stopped  Microsoft App-V Client
AppXSvc  Running  AppX Deployment Service (AppXSVC)
AudioEndpointBuilder  Stopped  Windows Audio Endpoint Builder
Audiosrv  Stopped  Windows Audio
AxInstSV  Stopped  ActiveX Installer (AxInstSV)
BFE  Running  Base Filtering Engine
BITS  Running  Background Intelligent Transfer Service
BrokerInfrastructure  Running  Background Tasks Infrastructure Service
Browser  Stopped  Computer Browser
bthserv  Stopped  Bluetooth Support Service
CDPSvc  Running  Connected Devices Platform Service
CertPropSvc  Stopped  Certificate Propagation
ClipSVC  Stopped  Client License Service (ClipSVC)
COMSysApp  Stopped  COM+ System Application
CoreMessagingRegistrar  Running  CoreMessaging
CryptSvc  Running  Cryptographic Services
CscService  Stopped  Offline Files
DcomLaunch  Running  DCOM Server Process Launcher
DcpSvc  Stopped  DataCollectionPublishingService
defragsvc  Stopped  Optimize drives
DeviceAssociationService  Stopped  Device Association Service
DeviceInstall  Stopped  Device Install Service
DevQueryBroker  Stopped  DevQuery Background Discovery Broker
Dhcp  Running  DHCP Client
diagnosticshub.standardcollector.service  Stopped  Microsoft (R) Diagnostics Hub Standard Collector Service
DiagTrack  Running  Connected User Experiences and Telemetry
DmEnrollmentSvc  Stopped  Device Management Enrollment Service
dmwappushservice  Stopped  dmwappushsvc
Dnscache  Running  DNS Client
dot3svc  Stopped  Wired AutoConfig
DPS  Running  Diagnostic Policy Service
DsmSvc  Running  Device Setup Manager
DsSvc  Stopped  Data Sharing Service
Eaphost  Stopped  Extensible Authentication Protocol
EFS  Stopped  Encrypting File System (EFS)
embeddedmode  Stopped  Embedded Mode
EntAppSvc  Stopped  Enterprise App Management Service
EventLog  Running  Windows Event Log
EventSystem  Running  COM+ Event System
fdPHost  Stopped  Function Discovery Provider Host
FDResPub  Stopped  Function Discovery Resource Publication
FontCache  Running  Windows Font Cache Service
FrameServer  Stopped  Windows Camera Frame Server
gpsvc  Running  Group Policy Client
hidserv  Stopped  Human Interface Device Service
HvHost  Stopped  HV Host Service
icssvc  Stopped  Windows Mobile Hotspot Service
IKEEXT  Stopped  IKE and AuthIP IPsec Keying Modules
iphlpsvc  Running  IP Helper
KeyIso  Running  CNG Key Isolation
KPSSVC  Stopped  KDC Proxy Server service (KPS)
KtmRm  Stopped  KtmRm for Distributed Transaction Coordinator
LanmanServer  Running  Server
LanmanWorkstation  Running  Workstation
lfsvc  Running  Geolocation Service
LicenseManager  Stopped  Windows License Manager Service
lltdsvc  Stopped  Link-Layer Topology Discovery Mapper
lmhosts  Running  TCP/IP NetBIOS Helper
LSM  Running  Local Session Manager
MapsBroker  Stopped  Downloaded Maps Manager
MozillaMaintenance  Stopped  Mozilla Maintenance Service
MpsSvc  Running  Windows Firewall
MSDTC  Running  Distributed Transaction Coordinator
MSiSCSI  Stopped  Microsoft iSCSI Initiator Service
msiserver  Stopped  Windows Installer
NcaSvc  Stopped  Network Connectivity Assistant
NcbService  Running  Network Connection Broker
Netlogon  Stopped  Netlogon
Netman  Stopped  Network Connections
netprofm  Running  Network List Service
NetSetupSvc  Stopped  Network Setup Service
NetTcpPortSharing  Stopped  Net.Tcp Port Sharing Service
NgcCtnrSvc  Running  Microsoft Passport Container
NgcSvc  Stopped  Microsoft Passport
NlaSvc  Running  Network Location Awareness
nsi  Running  Network Store Interface Service
PcaSvc  Running  Program Compatibility Assistant Service
PerfHost  Stopped  Performance Counter DLL Host
PhoneSvc  Stopped  Phone Service
pla  Stopped  Performance Logs & Alerts
PlugPlay  Running  Plug and Play
PolicyAgent  Stopped  IPsec Policy Agent
Power  Running  Power
PrintNotify  Stopped  Printer Extensions and Notifications
ProfSvc  Running  User Profile Service
QWAVE  Stopped  Quality Windows Audio Video Experience
RasAuto  Stopped  Remote Access Auto Connection Manager
RasMan  Stopped  Remote Access Connection Manager
RemoteAccess  Stopped  Routing and Remote Access
RemoteRegistry  Running  Remote Registry
RmSvc  Stopped  Radio Management Service
RpcEptMapper  Running  RPC Endpoint Mapper
RpcLocator  Stopped  Remote Procedure Call (RPC) Locator
RpcSs  Running  Remote Procedure Call (RPC)
RSoPProv  Stopped  Resultant Set of Policy Provider
sacsvr  Stopped  Special Administration Console Helper
SamSs  Running  Security Accounts Manager
SCardSvr  Stopped  Smart Card
ScDeviceEnum  Stopped  Smart Card Device Enumeration Service
Schedule  Running  Task Scheduler
SCPolicySvc  Stopped  Smart Card Removal Policy
seclogon  Stopped  Secondary Logon
SENS  Running  System Event Notification Service
SensorDataService  Stopped  Sensor Data Service
SensorService  Stopped  Sensor Service
SensrSvc  Stopped  Sensor Monitoring Service
SessionEnv  Stopped  Remote Desktop Configuration
SharedAccess  Stopped  Internet Connection Sharing (ICS)
ShellHWDetection  Running  Shell Hardware Detection
smphost  Stopped  Microsoft Storage Spaces SMP
SNMPTRAP  Stopped  SNMP Trap
Spooler  Running  Print Spooler
sppsvc  Stopped  Software Protection
SSDPSRV  Running  SSDP Discovery
SstpSvc  Stopped  Secure Socket Tunneling Protocol Service
StateRepository  Running  State Repository Service
stisvc  Stopped  Windows Image Acquisition (WIA)
StorSvc  Stopped  Storage Service
svsvc  Stopped  Spot Verifier
swprv  Stopped  Microsoft Software Shadow Copy Provider
SysMain  Stopped  Superfetch
SystemEventsBroker  Running  System Events Broker
TabletInputService  Stopped  Touch Keyboard and Handwriting Panel Service
TapiSrv  Stopped  Telephony
TermService  Stopped  Remote Desktop Services
Themes  Running  Themes
TieringEngineService  Stopped  Storage Tiers Management
tiledatamodelsvc  Running  Tile Data model server
TimeBrokerSvc  Running  Time Broker
TrkWks  Running  Distributed Link Tracking Client
TrustedInstaller  Running  Windows Modules Installer
tzautoupdate  Stopped  Auto Time Zone Updater
UALSVC  Running  User Access Logging Service
UevAgentService  Stopped  User Experience Virtualization Service
UI0Detect  Stopped  Interactive Services Detection
UmRdpService  Stopped  Remote Desktop Services UserMode Port Redirector
upnphost  Stopped  UPnP Device Host
UserManager  Running  User Manager
UsoSvc  Running  Update Orchestrator Service for Windows Update
VaultSvc  Running  Credential Manager
vds  Stopped  Virtual Disk
vmicguestinterface  Stopped  Hyper-V Guest Service Interface
vmicheartbeat  Stopped  Hyper-V Heartbeat Service
vmickvpexchange  Stopped  Hyper-V Data Exchange Service
vmicrdv  Stopped  Hyper-V Remote Desktop Virtualization Service
vmicshutdown  Stopped  Hyper-V Guest Shutdown Service
vmictimesync  Stopped  Hyper-V Time Synchronization Service
vmicvmsession  Stopped  Hyper-V PowerShell Direct Service
vmicvss  Stopped  Hyper-V Volume Shadow Copy Requestor
VSS  Stopped  Volume Shadow Copy
W32Time  Running  Windows Time
WalletService  Stopped  WalletService
WbioSrvc  Stopped  Windows Biometric Service
Wcmsvc  Running  Windows Connection Manager
WdiServiceHost  Stopped  Diagnostic Service Host
WdiSystemHost  Stopped  Diagnostic System Host
WdNisSvc  Stopped  Windows Defender Network Inspection Service
Wecsvc  Stopped  Windows Event Collector
WEPHOSTSVC  Stopped  Windows Encryption Provider Host Service
wercplsupport  Stopped  Problem Reports and Solutions Control Panel Support
WerSvc  Stopped  Windows Error Reporting Service
WiaRpc  Stopped  Still Image Acquisition Events
WinDefend  Running  Windows Defender Service
WinHttpAutoProxySvc  Running  WinHTTP Web Proxy Auto-Discovery Service
Winmgmt  Running  Windows Management Instrumentation
WinRM  Running  Windows Remote Management (WS-Management)
wisvc  Stopped  Windows Insider Service
wlidsvc  Running  Microsoft Account Sign-in Assistant
WLMS  Running  Windows Licensing Monitoring Service
wmiApSrv  Stopped  WMI Performance Adapter
WPDBusEnum  Stopped  Portable Device Enumerator Service
WpnService  Running  Windows Push Notifications System Service
WSearch  Stopped  Windows Search
wuauserv  Running  Windows Update
wudfsvc  Stopped  Windows Driver Foundation - User-mode Driver Framework
XblAuthManager  Stopped  Xbox Live Auth Manager
XblGameSave  Stopped  Xbox Live Game Save
CDPUserSvc_25060  Running  CDPUserSvc_25060
OneSyncSvc_25060  Running  Sync Host_25060
PimIndexMaintenanceSvc_25060  Stopped  Contact Data_25060
UnistoreSvc_25060  Stopped  User Data Storage_25060
UserDataSvc_25060  Stopped  User Data Access_25060
WpnUserService_25060  Stopped  Windows Push Notifications User Service_25060
GoogleUpdaterInternalService138.0.7156.0  Stopped  Google Updater Internal Service (GoogleUpdaterInternalService138.0.7156.0)
GoogleUpdaterService138.0.7156.0  Stopped  Google Updater Service (GoogleUpdaterService138.0.7156.0)
GoogleChromeElevationService  Stopped  Google Chrome Elevation Service (GoogleChromeElevationService)

Remote registry items on 192.168.190.152
SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOwner" = "Windows User"
SOFTWARE\Microsoft\Windows NT\CurrentVersion "RegisteredOrganization" = ""
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "DefaultDomainName" = ""
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon "DefaultUserName" = ""
SYSTEM\CurrentControlSet\Control\Terminal Server "fDenyTSConnections" = 1 (0x00000001)
SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName "ComputerName" = "WIN-J3GDS2EJRA2"
SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName "ComputerName" = "WIN-J3GDS2EJRA2"
SYSTEM\CurrentControlSet\Control\LSA "RestrictAnonymous" = 0 (0x00000000)
HARDWARE\DESCRIPTION\System\CentralProcessor\0 "~MHz" = 2803 (0x00000AF3)
HARDWARE\DESCRIPTION\System\CentralProcessor\0 "VendorIdentifier" = "GenuineIntel"
HARDWARE\DESCRIPTION\System\CentralProcessor\1 "~MHz" = 2803 (0x00000AF3)
HARDWARE\DESCRIPTION\System\CentralProcessor\1 "VendorIdentifier" = "GenuineIntel"
```
:::

From the output:

- The enumeration succeeded over an anonymous NULL session: users, groups, shares, services and RPC endpoints were all listed without credentials, and the registry dump confirms why (`RestrictAnonymous = 0`, so anonymous SMB/RPC connections are not restricted).
- Password policy: `Account lockout threshold is 0` (no lockout) and `Minimum password length is 0`, so online password guessing against `Administrator` (the only enabled account; `Guest` and `DefaultAccount` are disabled) is not throttled and empty passwords are allowed by policy.
- `RemoteRegistry` is running, which is how the registry values at the end were read; `ADMIN$` and `C$` give full disk access to anyone holding administrator credentials over SMB.
- `fDenyTSConnections = 1` and `TermService` stopped: RDP is disabled, so SMB/RPC and `WinRM` (running) are the remote-management paths on this host.
```
:::

Some important findings from the enumeration:

- A NULL session can be used: an unauthenticated connection to the Windows system (consistent with `RestrictAnonymous` = 0 in the registry dump above)
- Three users were enumerated: Administrator, DefaultAccount and Guest. The most dangerous finding is that the **Administrator account is active and not locked**
- OS: Windows Server 2016 Standard 14393
- MAC address: `00:0C:29:73:5C:08`

### Net View

The result of running the command is as follows

![image](https://hackmd.io/_uploads/H1fClokWeg.png)

From the output we can see that, besides the default shares, the target machine has an additional folder `leducvan` that was created and shared -> this is the target of interest

# Lab 4-3: Reconnaissance with SoftPerfect Network Scanner

## Lab objective and Tools

### Lab objective

Use Windows Server 2016 as the environment in which SoftPerfect Network Scanner scans for resources shared on the network.

### Tools

- SoftPerfect Network Scanner

## Procedure

### SoftPerfect Network Scanner

![image](https://hackmd.io/_uploads/rJtLzokWel.png)

**SoftPerfect Network Scanner** is a multipurpose network scanner for Windows, widely used in pentesting to scan for resources shared on the network

Open the application -> enter the IP range to scan (here we scan the range 192.168.190.1-255)

![image](https://hackmd.io/_uploads/HkgEMMsJZxg.png)

-> `Start Scanning`; the output is as follows

![image](https://hackmd.io/_uploads/H1TnMs1Wll.png)

From the output we can see that 3 IPs responded

---------------------------------

Lab complete!

---------------------------------
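Returning to the Lab 4-2 output above: the lines that matter most to a defender are `RestrictAnonymous = 0` (which is what makes the NULL-session enumeration possible), `fDenyTSConnections = 1` and the `Running` state of remotely reachable management services such as `WinRM`. The following Python script is an added example, not part of the original lab or of any tool used in it. It parses a constructed excerpt of that service-list / "Remote registry items" dump format and flags the settings a hardening review would act on. The regular expressions, the severity labels and the `assess` logic are my assumptions; `RestrictAnonymousSAM`, `RemoteRegistry` and `TermService` are real Windows names that do not appear in the lab output and are only checked when present.

```python
"""
Triage a service-list / "Remote registry items" dump of the kind captured
from 192.168.190.152 in Lab 4-2, from a defender's viewpoint: flag settings
that permit anonymous (NULL session) enumeration and list the remotely
reachable management services that are running.
"""
import re

# Constructed excerpt copied from the lab's enumeration output (same format).
SAMPLE_DUMP = """\
WinDefend Running Windows Defender Service
WinRM Running Windows Remote Management (WS-Management)
wisvc Stopped Windows Insider Service
W32Time Running Windows Time
WSearch Stopped Windows Search
Remote registry items on 192.168.190.152
SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion "RegisteredOwner" = "Windows User"
SYSTEM\\CurrentControlSet\\Control\\Terminal Server "fDenyTSConnections" = 1 (0x00000001)
SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName "ComputerName" = "WIN-J3GDS2EJRA2"
SYSTEM\\CurrentControlSet\\Control\\LSA "RestrictAnonymous" = 0 (0x00000000)
HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 "~MHz" = 2803 (0x00000AF3)
"""

# Service line: <ServiceName> <Running|Stopped> <display name ...>   (assumed layout)
SERVICE_RE = re.compile(r"^(\S+)\s+(Running|Stopped)\s+(.*)$")
# Registry line: <key path> "<value name>" = <data> [ (0x........) ]  (assumed layout)
REG_RE = re.compile(
    r'^(?P<key>[^"]+?)\s+"(?P<name>[^"]+)"\s+=\s+(?P<data>.+?)(?:\s+\(0x[0-9A-Fa-f]+\))?$'
)

LSA_KEY = "SYSTEM\\CurrentControlSet\\Control\\LSA"
TS_KEY = "SYSTEM\\CurrentControlSet\\Control\\Terminal Server"

# LSA values that control anonymous access; 0 means unrestricted.
# RestrictAnonymousSAM is not in the lab output and is checked only if present.
ANON_VALUES = ((LSA_KEY, "RestrictAnonymous"), (LSA_KEY, "RestrictAnonymousSAM"))

# Services that give a remote party management access when running.
REMOTE_MGMT_SERVICES = ("WinRM", "RemoteRegistry", "TermService")


def parse_dump(text):
    """Split the dump into {service: (state, display)} and {(key, name): value}."""
    services, registry = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Remote registry items"):
            continue
        m = REG_RE.match(line)
        if m and "\\" in m.group("key"):
            data = m.group("data")
            # REG_SZ data is quoted; REG_DWORD data is shown as 'N (0x...)'.
            value = data.strip('"') if data.startswith('"') else int(data)
            registry[(m.group("key"), m.group("name"))] = value
            continue
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(1)] = (m.group(2), m.group(3))
    return services, registry


def assess(services, registry):
    """Return (severity, message) findings a hardening review would act on."""
    findings = []
    for key, name in ANON_VALUES:
        if registry.get((key, name)) == 0:
            findings.append(("HIGH", f"{name} = 0: anonymous (NULL session) enumeration permitted"))
    rdp = registry.get((TS_KEY, "fDenyTSConnections"))
    if rdp == 1:
        findings.append(("INFO", "fDenyTSConnections = 1: Remote Desktop connections denied"))
    elif rdp == 0:
        findings.append(("MEDIUM", "fDenyTSConnections = 0: Remote Desktop enabled"))
    for name in REMOTE_MGMT_SERVICES:
        state, display = services.get(name, ("absent", ""))
        if state == "Running":
            findings.append(("MEDIUM", f"{name} running ({display}): remotely reachable management service"))
    return findings


if __name__ == "__main__":
    svc, reg = parse_dump(SAMPLE_DUMP)
    for severity, message in assess(svc, reg):
        print(f"[{severity}] {message}")
```

On the lab's own dump this reports the `RestrictAnonymous` finding as the one to fix first: setting it to a restrictive value (and reviewing `RestrictAnonymousSAM`) is what closes the NULL-session enumeration the lab demonstrated, while `fDenyTSConnections = 1` confirms RDP was already disabled on that host.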