I'm looking for some suggestions/help when it comes to red team operations. We're doing a final pentesting project for school, but we really only covered social engineering techniques, which aren't applicable to our scenario.
I am connected to the testing network through a VPN, and there is a firewall on the other side as well. The firewall also drops all ICMP packets as well as any outgoing RST packets, making OS detection tricky; we've narrowed it down to Windows Server 2016/2019 or Win 10 1809 through ntlm checker.py. There is no traffic being generated on the other end and no user interaction on the test network, so social engineering is out of the question. As of right now, a quick outline of the known open ports can be seen below. More information about running services can be given if requested.
80 - http IIS 10
- attempted dirbuster, nikto and a few others. Any returned directories are forbidden with error code 403.
- used Burp Suite to send an OPTIONS request; TRACE, GET, HEAD, POST are allowed
- POST requests return with method not allowed
135 - msrpc endpoint mapper
- used endpoint mapper to obtain a list of services running on the rhost
- attempted to connect to endpoints as well as rpc in general with rpcclient but system requires authentication
- also obtained a list of named pipes on the rhost
445 - smb versions supported 2 and 3
- looked into SMBGhost for version 3, but compression is not enabled
- can't enumerate SMB because null logins are not allowed
- enum4linux returned the workstation service name, domain/workgroup name as well as a file sharing service
NetBIOS enumeration returned the hostname, the external IP as well as possibly an internal IP; we cannot get access to the internal IP due to the firewall being active
TFTP and FTP connect but time out when running a command
5357 - wsdapi
5985 - http
- we know that WinRM is most likely enabled on the rhost because of the wsman file
- we know that the host is using NTLM authentication
- attempted brute force with no success
49664 - wininit.exe
49668 - services.exe
49667 - spoolsv.exe
49666 - schedsvc.dll
49668 - msrpc
49671 - samsrv.dll
I'm not looking for the answer, just looking for advice on what to try next. If you need more information, I have an 8-page document on everything I've gathered so far.
Any suggestions or help would be amazing!