Thehackerslabs-Shadows
Nmap [/home/kali/temp]$ cat nmap.result # Nmap 7.95 scan initiated Sun Jul 12 10:00:50 2026 as: /usr/lib/nmap/nmap -A -p- -oN nmap.result 192.168.237.138 Nmap scan report for 192.168.237.138 Host is up (0.00049s latency). Not shown: 65514 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 53/tcp open domain Simple DNS Plus 88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2026-07-12 02:02:41Z) 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name) |_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=Seerver.shadow.thl | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl | Not valid before: 2026-06-21T22:08:16 |_Not valid after: 2027-06-21T22:08:16 445/tcp open microsoft-ds Windows Server 2016 Standard Evaluation 14393 microsoft-ds (workgroup: SHADOW) 464/tcp open kpasswd5? 593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name) |_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=Seerver.shadow.thl | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl | Not valid before: 2026-06-21T22:08:16 |_Not valid after: 2027-06-21T22:08:16 3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name) |_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time. | ssl-cert: Subject: commonName=Seerver.shadow.thl | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl | Not valid before: 2026-06-21T22:08:16 |_Not valid after: 2027-06-21T22:08:16 3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: shadow.thl, Site: Default-First-Site-Name) | ssl-cert: Subject: commonName=Seerver.shadow.thl | Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1:<unsupported>, DNS:Seerver.shadow.thl | Not valid before: 2026-06-21T22:08:16 |_Not valid after: 2027-06-21T22:08:16 |_ssl-date: 2026-07-12T02:04:13+00:00; 0s from scanner time. 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 9389/tcp open mc-nmf .NET Message Framing 49666/tcp open msrpc Microsoft Windows RPC 49667/tcp open msrpc Microsoft Windows RPC 49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0 49686/tcp open msrpc Microsoft Windows RPC 49688/tcp open msrpc Microsoft Windows RPC 49704/tcp open msrpc Microsoft Windows RPC 57914/tcp open msrpc Microsoft Windows RPC 58794/tcp open msrpc Microsoft Windows RPC MAC Address: 00:0C:29:16:42:DB (VMware) Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|phone|specialized Running (JUST GUESSING): Microsoft Windows 2016|10|2012|2022|Phone|7 (97%) OS CPE: cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_10 cpe:/o:microsoft:windows_server_2012:r2 cpe:/o:microsoft:windows_server_2022 cpe:/o:microsoft:windows cpe:/o:microsoft:windows_7 Aggressive OS guesses: Microsoft Windows Server 2016 (97%), Microsoft Windows 10 1607 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows Server 2022 (91%), Microsoft Windows Phone 7.5 or 8.0 (88%), Microsoft Windows Embedded Standard 7 (87%) No exact OS matches for host (test conditions non-ideal). Network Distance: 1 hop Service Info: Host: SEERVER; OS: Windows; CPE: cpe:/o:microsoft:windows Host script results: | smb-os-discovery: | OS: Windows Server 2016 Standard Evaluation 14393 (Windows Server 2016 Standard Evaluation 6.3) | Computer name: Seerver | NetBIOS computer name: SEERVER\x00 | Domain name: shadow.thl | Forest name: shadow.thl | FQDN: Seerver.shadow.thl |_ System time: 2026-07-11T19:03:33-07:00 | smb2-time: | date: 2026-07-12T02:03:33 |_ start_date: 2026-07-12T01:52:20 | smb2-security-mode: | 3:1:1: |_ Message signing enabled and required | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: required |_nbstat: NetBIOS name: SEERVER, NetBIOS user: <unknown>, NetBIOS MAC: 00:0c:29:16:42:db (VMware) |_clock-skew: mean: 59m59s, deviation: 2h38m44s, median: 0s TRACEROUTE HOP RTT ADDRESS 1 0.49 ms 192.168.237.138 UserEnum [/home/kali/temp]$ kerbrute userenum -d shadow.thl --dc 192.168.237.138 /usr/share/seclists/Usernames/xato-net-10-million-usernames-dup.txt __ __ __ / /_____ _____/ /_ _______ __/ /____ / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \ / ,< / __/ / / /_/ / / / /_/ / /_/ __/ /_/|_|\___/_/ /_.___/_/ \__,_/\__/\___/ Version: v1.0.3 (9dad6e1) - 07/12/26 - Ronnie Flathers @ropnop 2026/07/12 10:30:45 > Using KDC(s): 2026/07/12 10:30:45 > 192.168.237.138:88 2026/07/12 10:30:45 > [+] VALID USERNAME: shadow@shadow.thl 2026/07/12 10:30:45 > [+] VALID USERNAME: guest@shadow.thl 2026/07/12 10:30:45 > [+] VALID USERNAME: Shadow@shadow.thl 2026/07/12 10:30:45 > [+] VALID USERNAME: jsmith@shadow.thl 2026/07/12 10:30:45 > [+] VALID USERNAME: administrator@shadow.thl 2026/07/12 10:30:46 > [+] VALID USERNAME: SHADOW@shadow.thl 2026/07/12 10:30:46 > [+] VALID USERNAME: Guest@shadow.thl 2026/07/12 10:30:46 > [+] VALID USERNAME: Administrator@shadow.thl 2026/07/12 10:30:47 > [+] VALID USERNAME: helpdesk@shadow.thl 2026/07/12 10:30:49 > [+] VALID USERNAME: GUEST@shadow.thl 2026/07/12 10:30:50 > [+] VALID USERNAME: JSmith@shadow.thl 2026/07/12 10:30:58 > [+] VALID USERNAME: Jsmith@shadow.thl 2026/07/12 10:31:10 > [+] VALID USERNAME: itsupport@shadow.thl 2026/07/12 10:31:21 > [+] VALID USERNAME: JSMITH@shadow.thl 2026/07/12 10:31:27 > Done! Tested 624370 usernames (14 valid) in 42.334 seconds SMB - Get User(shadow) Password 用 smbmap 可以通过 guest 查看到 Incidents 目录 ...