Mecanico

@Mecanico

I am a cybersecurity enthusiast documenting his path in pentesting and infosec.

Joined on Jun 3, 2021

  • :computer: Port Scanning
    # Nmap 7.92 scan initiated Thu Aug 25 18:16:41 2022 as: nmap -sV -T4 -sT -sC -v -oN nmap 10.10.10.175
    Nmap scan report for 10.10.10.175
    Host is up (0.066s latency).
    Not shown: 990 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    53/tcp open  domain  Simple DNS Plus
    80/tcp open  http    Microsoft IIS httpd 10.0
    |_http-server-header: Microsoft-IIS/10.0
    | http-methods:
  • :computer: Port Scanning
    # Nmap 7.92 scan initiated Sun Aug 14 11:58:06 2022 as: nmap -sV -T4 -sS -sC -v -oN nmap 10.10.10.161
    Nmap scan report for forest.htb (10.10.10.161)
    Host is up (0.12s latency).
    Not shown: 989 closed tcp ports (reset)
    PORT    STATE SERVICE      VERSION
    53/tcp  open  domain       Simple DNS Plus
    88/tcp  open  kerberos-sec Microsoft Windows Kerberos (server time: 2022-08-14 16:05:06Z)
    135/tcp open  msrpc        Microsoft Windows RPC
    139/tcp open  netbios-ssn  Microsoft Windows netbios-ssn
  • :computer: Port Scanning
    # Nmap 7.92 scan initiated Mon Aug 8 06:53:23 2022 as: nmap -sV -T4 -sT -sC -v -oN nmap 10.10.10.123
    Nmap scan report for 10.10.10.123
    Host is up (0.041s latency).
    Not shown: 993 closed tcp ports (conn-refused)
    PORT   STATE SERVICE VERSION
    21/tcp open  ftp     vsftpd 3.0.3
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey:
    |   2048 a9:68:24:bc:97:1f:1e:54:a5:80:45:e7:4c:d9:aa:a0 (RSA)
  • :computer: Port Scanning
    # Nmap 7.92 scan initiated Fri Jun 10 07:21:26 2022 as: nmap -sV -T4 -sS -v -sC -p- -Pn -oN ports3 10.10.10.84
    Nmap scan report for 10.10.10.84
    Host is up (0.042s latency).
    Not shown: 65533 closed tcp ports (reset)
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2 (FreeBSD 20161230; protocol 2.0)
    | ssh-hostkey:
    |   2048 e3:3b:7d:3c:8f:4b:8c:f9:cd:7f:d2:3a:ce:2d:ff:bb (RSA)
    |   256 4c:e8:c6:02:bd:fc:83:ff:c9:80:01:54:7d:22:81:72 (ECDSA)
  • :computer: Port Scanning
    # Nmap 7.92 scan initiated Sat May 28 05:48:07 2022 as: nmap -sV -T4 -sS -v -sC -p- -Pn -oN ports 10.10.10.93
    Nmap scan report for 10.10.10.93
    Host is up (0.034s latency).
    Not shown: 65534 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Microsoft IIS httpd 7.5
    | http-methods:
    |   Supported Methods: OPTIONS TRACE GET HEAD POST
    |_  Potentially risky methods: TRACE
  • :computer: Port Scanning
    # Nmap 7.92 scan initiated Mon May 16 11:45:11 2022 as: nmap -sV -T4 -sS -v -sC -p- -Pn -oN ports 10.10.10.51
    Nmap scan report for 10.10.10.51
    Host is up (0.087s latency).
    Not shown: 65529 closed tcp ports (reset)
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.4p1 Debian 10+deb9u1 (protocol 2.0)
    | ssh-hostkey:
    |   2048 77:00:84:f5:78:b9:c7:d3:54:cf:71:2e:0d:52:6d:8b (RSA)
    |   256 78:b8:3a:f6:60:19:06:91:f5:53:92:1d:3f:48:ed:53 (ECDSA)
  • :computer: Port Scanning
    Nmap command
    nmap -sV -T4 -sS -v -sC -p- -oN Ports 10.10.10.82
    # Nmap 7.92 scan initiated Thu May 5 06:28:23 2022 as: nmap -sV -T4 -sS -v -sC -p- -oN Ports 10.10.10.82
    Increasing send delay for 10.10.10.82 from 0 to 5 due to 2935 out of 7337 dropped probes since last increase.
    Increasing send delay for 10.10.10.82 from 5 to 10 due to 11 out of 19 dropped probes since last increase.
    Warning: 10.10.10.82 giving up on port because retransmission cap hit (6).
    Nmap scan report for 10.10.10.82
    Host is up (0.068s latency).
  • :computer: Port Scanning
    # Nmap 7.92 scan initiated Tue Apr 26 06:02:09 2022 as: nmap -sV -T4 -sS -sC -v -p- -oN Ports 10.10.10.15
    Nmap scan report for 10.10.10.15
    Host is up (0.058s latency).
    Not shown: 65534 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Microsoft IIS httpd 6.0
    | http-webdav-scan:
    |   WebDAV type: Unknown
    |   Server Date: Tue, 26 Apr 2022 10:03:49 GMT
  • :computer: Port Scanning
    # Nmap 7.92 scan initiated Sat Apr 23 14:11:29 2022 as: nmap -sV -T4 -sS -sC -v -p- -oN Ports 10.10.10.9
    Nmap scan report for 10.10.10.9
    Host is up (0.044s latency).
    Not shown: 65532 filtered tcp ports (no-response)
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Microsoft IIS httpd 7.5
    |_http-favicon: Unknown favicon MD5: CF2445DCB53A031C02F9B57E2199BC03
    |_http-server-header: Microsoft-IIS/7.5
    |_http-title: Welcome to 10.10.10.9 | 10.10.10.9
  • ✅ Enumeration
    :computer: Port Scanning
    We can see that only a web server is up, so it's time to brute-force subdirectories and look into the web application.
    # Nmap 7.92 scan initiated Mon Apr 18 11:35:37 2022 as: nmap -sV -T4 -sS -sC -v -p- -oN Ports 10.10.10.68
    Nmap scan report for 10.10.10.68
    Host is up (0.056s latency).
    Not shown: 65534 closed tcp ports (reset)
    PORT   STATE SERVICE VERSION
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
  • :computer: Port Scanning
    First we run an nmap scan against the IP and discover some web servers, and that it is a Windows machine.
    # Nmap 7.92 scan initiated Mon Mar 28 11:28:46 2022 as: nmap -sV -T4 -sS -v -p- -oN Ports 10.10.55.10
    Increasing send delay for 10.10.55.10 from 0 to 5 due to 989 out of 2472 dropped probes since last increase.
    Increasing send delay for 10.10.55.10 from 5 to 10 due to 11 out of 20 dropped probes since last increase.
    Nmap scan report for 10.10.55.10
    Host is up (0.14s latency).
    Not shown: 65520 closed tcp ports (reset)
    PORT STATE SERVICE VERSION
  • What is Kerberos? 🐕‍🦺 Kerberos is an authentication protocol used to verify the identity of a user or host. It's designed to provide secure authentication over an insecure network. What is a SPN? A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos to associate a service instance with a service logon account. An SPN is composed of two parts: the service type, like Web, File or SQL, and the host where the service is running. It is important to note that the host part must be written as an FQDN, followed by the port. What is an FQDN?
  • BloodHound is an application that uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment, making privilege escalation paths easier to discover. Attackers use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Blue teams can use it too, to identify and eliminate those same attack paths. Installing BloodHound Installing BloodHound is a three-step process: first install the BloodHound GUI, then the Neo4j service for the graph database, and last install the data ingestor. Installing BloodHound on Kali is as simple as typing the following command in a terminal and pressing Enter:
  • What is NTLM NTLM is a proprietary Microsoft authentication protocol that was used on servers older than Windows 2000, before Kerberos became its successor for authentication in Windows systems. The NTLM authentication protocol authenticates users and computers based on a challenge/response mechanism that proves to a server or domain controller that a user knows the password associated with an account. Setting up the environment To prepare our AD lab we need: 1 DC 2 Windows 10
  • In this post we are going to get an overview of LLMNR / NBT-NS Poisoning, how to capture NTLMv2 hashes and how to crack them with hashcat. What is LLMNR? The first thing to clarify is that Link-Local Multicast Name Resolution is not a substitute for DNS. While it's true that both technologies are designed to provide name resolution services, Link-Local Multicast Name Resolution is much more limited in scope than DNS is. Knowing how DNS works, the same thing happens here. The DNS server checks to see if it has a record for the host, and if not it forwards the request to another DNS server. This could potentially keep happening until the request reaches the DNS server that is authoritative for the requested host's domain. With this in mind, let's turn our attention to Link-Local Multicast Name Resolution. The biggest limitation of Link-Local Multicast Name Resolution is that it is not routable. The name resolution process can only be used for computers that share a common subnet. Computers across a router are inaccessible to the name resolution process. The reason Microsoft chose to make Link-Local Multicast Name Resolution non-routable is the sheer number of hosts on the Internet. Link-Local Multicast Name Resolution doesn't even have a name resolution database to fall back on. Instead, computers on the subnet broadcast their host names.
  • :computer: Port Scanning
    nmap -sC -sV -v -p- -T4 -oN Ports 10.10.124.152
    There are two open ports:
    Port 22: default port for Secure Shell, a secure protocol with encrypted data. The service is OpenSSH and the version is 7.6p1.
    Port 80: default HTTP port. Apache is the web server and the version is httpd 2.4.29.
    :eye: Enumeration
    Fuzzing HTTP Service