Sauna is another interesting Windows machine that was retired recently.
Let's start with a normal Nmap scan.
From the Nmap results, I learned that we need to perform more enumeration on the Active Directory services.
Port 389, used for the LDAP service, can be enumerated using Nmap scripts.
nmap -n -sV --script "ldap*" -p 389 10.10.10.175
I got a very long output with this command.
We got the domain name as EGOTISTICAL-BANK.LOCAL.
Now let's take a look at port 80 from the browser. In the About Us section, I found a few names which are interesting.
With the details from the above image, I created a list of names for a brute-force attack.
Before moving forward, take a look at the link below:
GetNPUsers.py Explained (video)
Let's use GetNPUsers.py for more enumeration. You can get this script from GitHub.
I initiated the brute force using the command below:
python3 GetNPUsers.py EGOTISTICAL-BANK.LOCAL/ -usersfile saunaUsers.txt -outputfile Hash.txt -dc-ip 10.10.10.175
Here, saunaUsers.txt contains the combination of all usernames, and the output hash will be stored in Hash.txt.
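
What the GetNPUsers.py run above looks like from the domain controller's side, as an added example that is not part of the original write-up: a check over Security event 4768 (TGT request) records that flags tickets issued without pre-authentication and the burst of unknown-principal failures that a username list produces. The events, account names and client addresses are constructed, and the dict layout is an assumed parsed form of the event's fields.

```python
from collections import defaultdict

# Constructed Security event 4768 records as parsed dicts (assumed layout).
# Account names and client addresses are invented for this example.
_MISS = {"Status": "0x6", "PreAuthType": "-", "TicketEncryptionType": "0xffffffff"}
EVENTS = [
    {"TargetUserName": "aalpha", "IpAddress": "10.10.14.5", **_MISS},
    {"TargetUserName": "bbravo", "IpAddress": "10.10.14.5", **_MISS},
    {"TargetUserName": "ccharlie", "IpAddress": "10.10.14.5", **_MISS},
    {"TargetUserName": "ddelta", "IpAddress": "10.10.14.5",
     "Status": "0x0", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"TargetUserName": "eecho", "IpAddress": "10.10.20.31",
     "Status": "0x0", "PreAuthType": "2", "TicketEncryptionType": "0x12"},
]

UNKNOWN_PRINCIPAL = "0x6"  # KDC_ERR_C_PRINCIPAL_UNKNOWN: no such account
SUCCESS = "0x0"
NO_PREAUTH = "0"           # TGT issued without Kerberos pre-authentication
RC4_HMAC = "0x17"


def no_preauth_tickets(events):
    """TGTs issued without pre-authentication (the replies saved to Hash.txt)."""
    return [
        {"user": e["TargetUserName"], "client": e["IpAddress"],
         "rc4": e["TicketEncryptionType"].lower() == RC4_HMAC}
        for e in events
        if e["Status"].lower() == SUCCESS and e["PreAuthType"] == NO_PREAUTH
    ]


def username_sweeps(events, threshold=3):
    """Clients that requested at least `threshold` distinct unknown accounts."""
    misses = defaultdict(set)
    for e in events:
        if e["Status"].lower() == UNKNOWN_PRINCIPAL:
            misses[e["IpAddress"]].add(e["TargetUserName"])
    return {ip: sorted(u) for ip, u in misses.items() if len(u) >= threshold}


def correlate(events, threshold=3):
    """No-preauth TGTs requested by a client that was also sweeping usernames."""
    sweepers = username_sweeps(events, threshold)
    return [t for t in no_preauth_tickets(events) if t["client"] in sweepers]


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

Any account returned by `no_preauth_tickets` has "Do not require Kerberos preauthentication" set and should have that flag cleared or its password rotated to a long random value.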