
Horario de despliegue agente

TECHNICAL REPORT

Salud Total
October 04, 2024

vPenTest Trial - SaTo | Project: Horario de despliegue agente Confidential | Page 1 of 1


Copyright
© Vonahi Security. All Rights Reserved. This is unpublished material and contains trade secrets and other confidential information
and is subject to a confidentiality agreement. The unauthorized possession, use, reproduction, distribution, display, or disclosure
of this material or the information contained herein is prohibited.

The methodology used to audit the computer systems is considered proprietary intellectual information of Vonahi Security and
may not be disclosed without written permission from Vonahi Security. Vonahi Security gives permission to copy this report for the
purpose of disseminating information within your organization, or any regulatory agency.

Confidentiality
This document contains company confidential information of a proprietary and sensitive nature. As such, this document should be
afforded the security and handling precautions that a confidential document warrants. This document should have a controlled
distribution to relevant parties only and should not be copied without written permission. Vonahi Security treats the contents of a
security audit as company confidential material and will not disclose the contents of this document to anyone without written
permission.

Assessment Project Team


Below is a list of contacts that were involved in this engagement. Should you have any questions pertaining to the content of this
document or any project and non-project-related items, please feel free to reach out to the necessary project contacts.

Primary Point of Contact

Name: vPenTest Support

Title: Support

Office:

Email: [email protected]

Threat Severity Rankings
To assist the organization with prioritizing findings, the findings and observations have been categorized with threat severity
rankings based on the following guidelines:

SEVERITY | DESCRIPTION

Critical | A critical threat ranking requires immediate remediation or mitigation. Exploiting these vulnerabilities requires a minimal amount of effort by the adversary but poses a significant threat to the confidentiality, integrity, and/or availability of the organization's systems and data. A successful compromise of findings of this ranking leads to access to multiple systems and/or several pieces of sensitive information.

High | A high threat ranking requires immediate remediation or mitigation. Exploiting these vulnerabilities requires a minimal amount of effort by the adversary but poses a significant threat to the confidentiality, integrity, or availability of the organization's systems or data. A successful compromise of findings of this ranking leads to access to a single system or limited sensitive information.

Medium | A medium threat ranking requires remediation or mitigation within a short and reasonable amount of time. These findings typically lead to a compromise of non-privileged user accounts on systems and/or applications or denote a denial-of-service (DoS) condition of the host, service, or application.

Low | A low threat ranking requires remediation or mitigation once all higher prioritized findings have been remediated. These findings typically leak information to unauthorized or anonymous users and may lead to more significant attacks when combined with other attack vectors.

Informational | An informational threat ranking does not pose a significant threat to the environment and may just be findings that could potentially disclose valuable information but do not expose the organization to any technical attacks. Findings rated as informational may be useful for an attacker performing information gathering on the organization to leverage in other attacks, such as social engineering or phishing.

Discovered Threats

DISCOVERED THREATS THREAT SEVERITY RANKINGS

Internal Network Penetration Test (16)

IPMI Authentication Bypass Critical

IPv6 DNS Spoofing Critical

Link-Local Multicast Name Resolution (LLMNR) Spoofing Critical

Multicast DNS (mDNS) Spoofing Critical

NetBIOS Name Service (NBNS) Spoofing Critical

Outdated Microsoft Windows Systems Critical

FTP Servers Accept Default Credentials High

SMBv1 Enabled High

Weak Active Directory Account Password Policy High

Anonymous FTP Enabled Medium

Insecure Protocol - FTP Medium

Insecure Protocol - Telnet Medium

SMB NULL Session Authentication Medium

SMB Signing Not Required Medium

Weak SNMP Community Strings Medium

Egress Filtering Deficiencies Informational

MITRE ATT&CK Mappings
This section of the report contains details about the tactics, techniques, and procedures as defined by the MITRE ATT&CK
Framework. For additional details relating to these tactics, techniques, and procedures (TTPs), Vonahi Security recommends that
SaTo visit the specific URLs provided within the table below. Furthermore, Vonahi Security has also elaborated on how these
TTPs were used during the penetration test in this report's Penetration Test Narrative section.

Vonahi Security recommends SaTo thoroughly leverage this report section to investigate and improve network security policies,
procedures, and controls within the organization's environment. All of the attacks mentioned in this report section should have
been detected and properly logged for investigation purposes by the organization.

Time Name Tactic TTPID


Fri, Oct 04, 2024 @ 12:04:45 AM -05 Active Scanning: Scanning IP Blocks Reconnaissance T1595.001
Fri, Oct 04, 2024 @ 12:04:46 AM -05 Network Service Discovery Discovery T1046
Fri, Oct 04, 2024 @ 12:11:42 AM -05 Remote System Discovery Discovery T1018
Fri, Oct 04, 2024 @ 12:17:18 AM -05 System Information Discovery Discovery T1082
Fri, Oct 04, 2024 @ 12:17:36 AM -05 Network Service Discovery Discovery T1046
Fri, Oct 04, 2024 @ 12:17:40 AM -05 Network Service Discovery Discovery T1046
Fri, Oct 04, 2024 @ 12:18:44 AM -05 Gather Victim Host Information: Software Reconnaissance T1592.002
Fri, Oct 04, 2024 @ 12:18:58 AM -05 Network Service Discovery Discovery T1046
Fri, Oct 04, 2024 @ 12:27:20 AM -05 Exploitation of Remote Services Lateral-movement T1210
Fri, Oct 04, 2024 @ 12:38:31 AM -05 System Owner/User Discovery Discovery T1033
Fri, Oct 04, 2024 @ 12:39:08 AM -05 Brute Force: Password Spraying Credential-access T1110.003
Fri, Oct 04, 2024 @ 12:41:34 AM -05 Brute Force: Password Guessing Credential-access T1110.001
Fri, Oct 04, 2024 @ 12:42:58 AM -05 Gather Victim Host Information: Software Reconnaissance T1592.002
Fri, Oct 04, 2024 @ 12:44:14 AM -05 Brute Force: Password Guessing Credential-access T1110.001
Fri, Oct 04, 2024 @ 12:45:28 AM -05 Brute Force: Password Guessing Credential-access T1110.001
Fri, Oct 04, 2024 @ 12:47:59 AM -05 Brute Force: Password Guessing Credential-access T1110.001
Fri, Oct 04, 2024 @ 12:52:03 AM -05 Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay Credential-access T1557.001

Horario de despliegue agente
Engagement Scope of Work

Through discussions with SaTo's staff, the following target applications, IP addresses, and/or ranges were included as part of the
engagement scope.

IP ADDRESSES & RANGES

10.10.150.0/24 10.10.181.0/24

Agent Information

To perform this assessment, Vonahi Security used an agent consisting of the necessary tools to conduct discovery, enumeration,
attacks, etc. The agent used in this assessment contained the following information:

DESCRIPTION DETAILS

Agent Name Agente SaTo
Private IP Address 10.10.150.224
Subnet Mask 255.255.255.0 (/24)
DNS Server 127.0.0.53
Default Gateway 10.10.150.1

Task Performed

To assess the targets listed above fully, Vonahi Security performed the following tasks:

TASK PERFORMED DEVICES/LOCATIONS ASSESSED

Performed information gathering: NSlookup, and Ping/SNMP sweeping All targets
Performed port scans All active targets identified
Performed vulnerability scanning All active targets identified
Performed web application vulnerability testing Active/Select targets
Performed vulnerability validation All active targets identified
Performed penetration testing Active/Select targets

Rules of Engagement

Vonahi Security and SaTo agreed to the following rules of engagement:

ACTIVITY | DEFINITION | PERMISSION

Exploitation | Vonahi Security consultants will cautiously execute exploitation techniques to gain access to sensitive data and/or systems. | Yes
Post Exploitation | If exploitation is successful, Vonahi Security will attempt to escalate privileges within the environment to gain further access to systems and/or data. | Yes

The following activities were either disabled or reduced as part of the penetration testing engagement to comply with the scope
requirements:

ACTIVITY CONFIGURED SETTING RECOMMENDED

Password Guessing Limit Against Database Services 1 3
Password Guessing Limit Against Domain Accounts 1 2
Password Guessing Limit Against Other Network Services 1 3

Penetration Test Narrative
This phase of the internal network penetration test describes some of the actions performed as part of the penetration test,
including host discovery, enumeration, exploitation, and post-exploitation (if opportunities were identified). It should be noted that
this portion of the report does not represent the entire list of activities that were performed as part of this assessment, primarily
just those that led to some level of access, significant exposure to information, and other activities relevant to the goal of the
assessment. It should also be noted that this portion of the test heavily focused on the network layer within the environment.

Host Discovery

The first process that was performed during the penetration test was host discovery. Host discovery includes several tasks,
including port scanning and ping sweeps, to identify the active systems within the environment. This is a crucial step in the
penetration test as it allows attackers to determine what systems are active within the targeted IP addresses and/or ranges.

Of the two (2) IP addresses/ranges that were provided as part of the scope, Vonahi Security was able to identify a total of two
hundred and ninety-seven (297) systems to be active within the targeted environment.

Name Active Scanning: Scanning IP Blocks
Tactic Reconnaissance
TTP ID T1595.001
Note Vonahi Security also performed a port scan against two hundred and ninety-seven (297) targets to identify opened
ports and running services. Port scanning is also important in that it allows one to identify which ports are opened
and visible from the tested system. By discovering opened ports within the environment, it is then possible to
determine which services are running and if any of the running services are vulnerable.

Of the two hundred and ninety-seven (297) addresses/ranges that were scanned, Vonahi Security found two thousand, one
hundred and seventy-two (2,172) ports opened.

Enumeration

After identifying the available hosts within the network, the next phase is to conduct enumeration. Enumeration consists of
scanning the identified ports to determine what services are running. Additional scans are performed based on the running
services to attempt enumerating information from the running services (if possible). Such information may be useful for identifying
additional vulnerabilities or knowledge for performing an attack against the service.

To help understand the operating systems and ports that were found to be most common within the environment, the following
tables display the top 10 operating systems and top 10 ports.

OPERATING SYSTEM COUNT

Undetected 124
Windows 10 / Server 2019 Build 17763 x64 89
Windows Server 2022 Build 20348 x64 70
Windows Server 2012 R2 Standard 9600 x64 7
Windows Server 2022 Standard 20348 x64 3
Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 2

Windows Server 2008 R2 Standard 7601 Service Pack 1 1
Windows Server 2016 Standard 14393 x64 1

PORT/PROTOCOL COUNT

80/tcp 211
3389/tcp 176
445/tcp 174
135/tcp 173
5985/tcp 172
47001/tcp 170
139/tcp 165
443/tcp 147
5666/tcp 140
22/tcp 93

The first step in the enumeration phase was the discovery of systems on the local subnet.

Name Remote System Discovery
Tactic Discovery
TTP ID T1018
Note Vonahi Security performed an arp-scan across the local network subnet to determine which systems are on the local
subnet (10.10.150.224/24). This is also an essential task as these systems would be targets for man-in-the-middle attacks
since they are on the same subnet. To facilitate this task, Vonahi Security used a tool known as arp-scan.

The following results demonstrate that two hundred and eighteen (218) systems exist on the same local subnet:

Interface: ens32, type: EN10MB, MAC: 00:50:56:ba:ce:a5, IPv4: 10.10.150.224
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
10.10.150.1 00:09:0f:09:15:15 Fortinet, Inc.
10.10.150.2 00:50:56:ba:3f:e6 VMware, Inc.
10.10.150.4 8c:85:c1:a7:79:00 Aruba, a Hewlett Packard Enterprise Company
10.10.150.6 8c:85:c1:a7:85:40 Aruba, a Hewlett Packard Enterprise Company
10.10.150.3 8c:85:c1:a7:b6:80 Aruba, a Hewlett Packard Enterprise Company
10.10.150.8 e8:f7:24:83:f2:09 Hewlett Packard Enterprise
10.10.150.9 00:50:56:ba:31:39 VMware, Inc.
10.10.150.5 8c:85:c1:a7:b9:80 Aruba, a Hewlett Packard Enterprise Company
10.10.150.10 00:50:56:ba:39:2d VMware, Inc.
10.10.150.11 00:50:56:ba:17:ff VMware, Inc.
10.10.150.7 8c:85:c1:a7:ac:c0 Aruba, a Hewlett Packard Enterprise Company
10.10.150.12 00:50:56:ba:46:e7 VMware, Inc.
10.10.150.13 00:50:56:b6:c8:80 VMware, Inc.
10.10.150.14 00:50:56:ba:ca:ad VMware, Inc.
10.10.150.15 00:50:56:ba:fa:b5 VMware, Inc.
10.10.150.16 00:50:56:ba:56:06 VMware, Inc.
10.10.150.17 02:e0:ed:34:28:d8 (Unknown: locally administered)
10.10.150.18 00:50:56:ba:6e:b4 VMware, Inc.

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

Vonahi Security identified twenty-two (22) VPN gateways listening on port 500/udp. Vonahi Security analyzed the VPN gateways
to determine if they were configured with a common, weak configuration known as IKE Aggressive Mode. IKE Aggressive Mode
allows malicious attackers to obtain the hashed pre-shared key (PSK) from the VPN gateway, which could then be used in an
offline dictionary/brute-force attack. Successfully revealing the PSK could potentially result in an attacker establishing VPN
access.

During the analysis, no VPN gateways were configured with IKE Aggressive Mode.

Vonahi Security identified nineteen (19) Microsoft SQL (MSSQL) Services present within the tested environment. While this
discovery does not indicate any significant issues were found, MSSQL services are often targeted by attackers in the form of a
password attack. A successful password attack will usually result in limited or elevated privileges to the SQL server, at which point
an attacker can begin to run SQL commands or execute system level commands.

Name Network Service Discovery
Tactic Discovery
TTP ID T1046
Note Vonahi Security performed an enumeration to identify information about Microsoft SQL servers found within the discovery
phase.

The following information was discovered from the Microsoft SQL servers:

[+] 10.10.181.246: - ServerName = SRVBDDEV001
[+] 10.10.150.111: - ServerName = DBPOS
[+] 10.10.181.246: - InstanceName = MSSQLSERVER
[+] 10.10.150.111: - InstanceName = POS
[+] 10.10.181.248: - ServerName = SRVBDDEV003
[+] 10.10.181.248: - InstanceName = OPCTASALUD
[+] 10.10.150.111: - IsClustered = Yes
[+] 10.10.181.249: - ServerName = SRVBDDEV004
[+] 10.10.181.246: - IsClustered = No
[+] 10.10.181.248: - IsClustered = No
[+] 10.10.181.249: - InstanceName = IPS
[+] 10.10.181.249: - IsClustered = No
[+] 10.10.150.111: - Version = 15.0.2000.5
[+] 10.10.181.249: - Version = 15.0.2000.5
[+] 10.10.181.246: - Version = 15.0.2000.5
[+] 10.10.181.246: - tcp = 1433
[+] 10.10.150.111: - tcp = 1590
[+] 10.10.181.249: - tcp = 1433
[+] 10.10.181.248: - Version = 15.0.2000.5
[+] 10.10.150.111: - np = \\DBPOS\pipe\MSSQL$POS\sql\query

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

Vonahi Security identified five (5) MySQL services present within the tested environment. While this discovery does not indicate
any significant issues were found, MySQL services are often targeted by attackers in the form of a password attack. A successful
password attack will usually result in limited or elevated privileges to the SQL service, at which point an attacker can begin to run
SQL commands or execute system level commands.

Name Network Service Discovery
Tactic Discovery
TTP ID T1046
Note Vonahi Security performed an enumeration to identify information about the MySQL services found during the discovery
phase.

The following information was enumerated from the MySQL service(s) found during this assessment:

[*] 10.10.150.37:3306 - 10.10.150.37:3306 is running MySQL, but responds with an error: \x04Host '10.10.150.224' is not allowed to connect to this MySQL server
[+] 10.10.181.192:3306 - 10.10.181.192:3306 is running MySQL 8.0.31 (protocol 10)
[+] 10.10.150.139:3306 - 10.10.150.139:3306 is running MySQL 5.7.22 (protocol 10)
[+] 10.10.181.194:3306 - 10.10.181.194:3306 is running MySQL 8.0.31 (protocol 10)
[*] 10.10.150.152:3306 - 10.10.150.152:3306 is running MySQL, but responds with an error: \x04Host '10.10.150.224' is not allowed to connect to this MySQL server

Next, Vonahi Security identified one hundred and seventy-four (174) systems that exposed the Remote Desktop Protocol (RDP)
service on port 3389/tcp. The following scan results display (some of) the identified services:

[*] 10.10.150.113:3389 - Detected RDP on 10.10.150.113:3389 (name:SRVBDBOGN3) (domain:SALUDTOTAL) (domain_fqdn:saludtotal.lo -- snipped --
[*] 10.10.150.112:3389 - Detected RDP on 10.10.150.112:3389 (name:SRVBDBOGN2) (domain:SALUDTOTAL) (domain_fqdn:saludtotal.lo -- snipped --
[*] 10.10.150.123:3389 - Detected RDP on 10.10.150.123:3389 (name:SRVBDBOGN4) (domain:SALUDTOTAL) (domain_fqdn:saludtotal.lo -- snipped --
[*] 10.10.150.110:3389 - Detected RDP on 10.10.150.110:3389 (name:SRVBDBOGN1) (domain:SALUDTOTAL) (domain_fqdn:saludtotal.lo -- snipped --
[*] 10.10.150.111:3389 - Detected RDP on 10.10.150.111:3389 (name:SRVBDBOGN1) (domain:SALUDTOTAL) (domain_fqdn:saludtotal.lo -- snipped --
[*] 10.10.181.216:3389 - Detected RDP on 10.10.181.216:3389 (name:SRVIISITDEV002) (domain:SALUDTOTAL) (domain_fqdn:saludtota -- snipped --
[*] 10.10.181.217:3389 - Detected RDP on 10.10.181.217:3389 (name:SRVIISPNDEV001) (domain:SALUDTOTAL) (domain_fqdn:saludtota -- snipped --
[*] 10.10.181.228:3389 - Detected RDP on 10.10.181.228:3389 (name:SRVIISCMPRB001) (domain:SALUDTOTAL) (domain_fqdn:saludtota -- snipped --
[*] 10.10.181.215:3389 - Detected RDP on 10.10.181.215:3389 (name:SRVIISITDEV001) (domain:SALUDTOTAL) (domain_fqdn:saludtota -- snipped --
[*] 10.10.181.214:3389 - Detected RDP on 10.10.181.214:3389 (name:SRVPACDEV001) (domain:SALUDTOTAL) (domain_fqdn:saludtotal. -- snipped --
[*] 10.10.181.221:3389 - Detected RDP on 10.10.181.221:3389 (name:SRVUBKBOG01) (domain:SALUDTOTAL) (domain_fqdn:saludtotal.l -- snipped --
[*] 10.10.181.222:3389 - Detected RDP on 10.10.181.222:3389 (name:SRVIISPNCAP001) (domain:SALUDTOTAL) (domain_fqdn:saludtota -- snipped --
[*] 10.10.181.220:3389 - Detected RDP on 10.10.181.220:3389 (name:SRVFSPYD001) (domain:SALUDTOTAL) (domain_fqdn:saludtotal.l -- snipped --
[*] 10.10.181.219:3389 - Detected RDP on 10.10.181.219:3389 (name:SRV3PARPYD001) (domain:SALUDTOTAL) (domain_fqdn:saludtotal -- snipped --
[*] 10.10.181.233:3389 - Detected RDP on 10.10.181.233:3389 (name:SRVIISENLPRB001) (domain:SALUDTOTAL) (domain_fqdn:saludtot -- snipped --
[*] 10.10.181.229:3389 - Detected RDP on 10.10.181.229:3389 (name:SRVIISITPRB001) (domain:SALUDTOTAL) (domain_fqdn:saludtota -- snipped --
[*] 10.10.181.230:3389 - Detected RDP on 10.10.181.230:3389 (name:SRVIISPNPRB001) (domain:SALUDTOTAL) (domain_fqdn:saludtota -- snipped --
[*] 10.10.181.246:3389 - Detected RDP on 10.10.181.246:3389 (name:SRVBDDEV001) (domain:SALUDTOTAL) (domain_fqdn:saludtotal.l -- snipped --
[*] 10.10.181.240:3389 - Detected RDP on 10.10.181.240:3389 (name:SRVBDPRB001) (domain:SALUDTOTAL) (domain_fqdn:saludtotal.l -- snipped --
[*] 10.10.181.241:3389 - Detected RDP on 10.10.181.241:3389 (name:SRVBDPRB002) (domain:SALUDTOTAL) (domain_fqdn:saludtotal.l -- snipped --

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

Vonahi Security began enumerating information from the available RDP services with the goal of identifying if the targets were
vulnerable to common vulnerabilities that could be exploited to achieve remote code execution or denial-of-service (DoS).

One hundred and seventy-four (174) systems were scanned using the cve_2019_0708_bluekeep module to identify potential
RDP vulnerabilities. This module attempts to discover systems that contain a common and old vulnerability known as BlueKeep.
When successfully exploited, this vulnerability could provide an attacker with system-level privileges on the system, allowing them to
perform several post-exploitation techniques. Such post-exploitation techniques include enumeration of local administrator
password hashes, enumeration of Active Directory infrastructure data, and more. Scans indicate that no systems were found to
be vulnerable at the time of testing. The following results were obtained from this scan:

[*] file:/root/pentest/172483/enumeration/rdp/verified_rdp_ips.txt:3389 - Scanned 47 of 174 hosts (27% complete)
[*] file:/root/pentest/172483/enumeration/rdp/verified_rdp_ips.txt:3389 - Scanned 70 of 174 hosts (40% complete)
[*] file:/root/pentest/172483/enumeration/rdp/verified_rdp_ips.txt:3389 - Scanned 84 of 174 hosts (48% complete)
[*] file:/root/pentest/172483/enumeration/rdp/verified_rdp_ips.txt:3389 - Scanned 103 of 174 hosts (59% complete)
[*] file:/root/pentest/172483/enumeration/rdp/verified_rdp_ips.txt:3389 - Scanned 117 of 174 hosts (67% complete)
[*] file:/root/pentest/172483/enumeration/rdp/verified_rdp_ips.txt:3389 - Scanned 134 of 174 hosts (77% complete)
[*] file:/root/pentest/172483/enumeration/rdp/verified_rdp_ips.txt:3389 - Scanned 143 of 174 hosts (82% complete)
[*] file:/root/pentest/172483/enumeration/rdp/verified_rdp_ips.txt:3389 - Scanned 148 of 174 hosts (85% complete)
[*] file:/root/pentest/172483/enumeration/rdp/verified_rdp_ips.txt:3389 - Scanned 157 of 174 hosts (90% complete)
[*] file:/root/pentest/172483/enumeration/rdp/verified_rdp_ips.txt:3389 - Scanned 174 of 174 hosts (100% complete)
[*] Auxiliary module execution completed

Vonahi Security scanned SNMP-enabled devices to determine if any weak SNMP community strings were present. SNMP
community strings act as passwords for the SNMP protocol and allow network administrators to monitor the performance of
SNMP-enabled devices remotely. SNMP-enabled devices often come pre-installed with weak or default SNMP community strings.
This weakness could allow a malicious attacker to enumerate information from the remote devices.

During testing, Vonahi Security discovered thirteen (13) SNMP-enabled devices that contained a weak and/or default SNMP
community string. The output below demonstrates sample results from this scan:

[161][snmp] host: 10.10.181.50 password: private
[161][snmp] host: 10.10.181.51 password: private
[161][snmp] host: 10.10.181.212 password: private
[161][snmp] host: 10.10.150.5 password: public
[161][snmp] host: 10.10.150.62 password: private
[161][snmp] host: 10.10.150.63 password: private
[161][snmp] host: 10.10.150.64 password: public
[161][snmp] host: 10.10.150.199 password: public
[161][snmp] host: 10.10.150.208 password: private
[161][snmp] host: 10.10.150.209 password: private
[161][snmp] host: 10.10.150.243 password: public
[161][snmp] host: 10.10.181.213 password: private
[161][snmp] host: 10.10.150.4 password: public

Vonahi Security used the weak SNMP community strings to enumerate information. The output below demonstrates the results
from one affected system:

snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.150.4:161 using SNMPv1 and community 'public'

[*] System information:

Host IP address : 10.10.150.4
Hostname : SW1-Rack2AP11
Description : Aruba JL678A 6100 24G 4SFP+ Swch PL.10.14.1000
Contact : ""
Location : ""
Uptime snmp : 5 days, 00:00:34.68
Uptime system : 5 days, 00:00:34.68
System date : 2024-10-4 00:05:19.0

[*] Network information:

IP forwarding enabled : yes

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

Vonahi Security identified twelve (12) Telnet services within the environment. As Telnet is an insecure protocol, it could potentially
expose sensitive information such as user credentials or device configuration information in a man-in-the-middle attack. The
following scan results display some information that was discovered as a result of these scans:

[+] 10.10.181.1:23 - 10.10.181.1:23 TELNET login :
[+] 10.10.150.8:23 - 10.10.150.8:23 TELNET ********** -- snipped --
[+] 10.10.150.63:23 - 10.10.150.63:23 TELNET Fabric OS -- snipped --
[+] 10.10.150.62:23 - 10.10.150.62:23 TELNET Fabric OS -- snipped --
[+] 10.10.150.188:23 - 10.10.150.188:23 TELNET Welcome -- snipped --
[+] 10.10.181.50:23 - 10.10.181.50:23 TELNET Fabric OS -- snipped --
[+] 10.10.181.51:23 - 10.10.181.51:23 TELNET Fabric OS -- snipped --
[+] 10.10.181.212:23 - 10.10.181.212:23 TELNET Fabric O -- snipped --
[+] 10.10.181.213:23 - 10.10.181.213:23 TELNET Fabric O -- snipped --
[+] 10.10.150.208:23 - 10.10.150.208:23 TELNET Fabric O -- snipped --
[+] 10.10.150.209:23 - 10.10.150.209:23 TELNET Fabric O -- snipped --
[+] 10.10.150.217:23 - 10.10.150.217:23 TELNET Welcome -- snipped --

Testing of LDAP services identified that three (3) systems were found to accept anonymous LDAP bind queries, which allows
users to query information from within LDAP without proper authentication. This could allow an attacker to gain valuable
information about the Active Directory environment, such as domain information and possibly even usernames. The following
sample output was obtained while scanning for this weakness:

Nmap scan report for 10.10.150.2
Host is up, received arp-response (0.00052s latency).
Scanned at 2024-10-04 05:16:41 UTC for 1s

PORT STATE SERVICE REASON
389/tcp open ldap syn-ack ttl 128
| ldap-rootdse:
| LDAP Results
| <ROOT>
| domainFunctionality: 7
| forestFunctionality: 7
| domainControllerFunctionality: 7
| rootDomainNamingContext: DC=saludtotal,DC=loc
| ldapServiceName: saludtotal.loc:[email protected]
| isGlobalCatalogReady: TRUE
| supportedSASLMechanisms: GSSAPI
| supportedSASLMechanisms: GSS-SPNEGO
| supportedSASLMechanisms: EXTERNAL
| supportedSASLMechanisms: DIGEST-MD5
| supportedLDAPVersion: 3

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

Vonahi Security identified ninety-three (93) SSH services within the environment and attempted to retrieve banner information,
which can be used to identify specific server versions. The following scan results display some of the obtained information:

[*] 10.10.150.168 - SSH server version: SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3
[*] 10.10.150.97 - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
[*] 10.10.150.175 - SSH server version: SSH-2.0-OpenSSH_8.0
[*] 10.10.150.125 - SSH server version: SSH-2.0-OpenSSH_7.4
[*] 10.10.150.95 - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8

[*] 10.10.150.93 - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
[*] 10.10.150.92 - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
[*] 10.10.150.96 - SSH server version: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8
[*] 10.10.150.99 - SSH server version: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.7
[*] 10.10.150.134 - SSH server version: SSH-2.0-OpenSSH_8.7
[*] 10.10.150.176 - SSH server version: SSH-2.0-OpenSSH_8.0
[*] 10.10.150.177 - SSH server version: SSH-2.0-OpenSSH_8.0
[*] 10.10.150.193 - SSH server version: SSH-2.0-OpenSSH_7.4
[*] 10.10.181.185 - SSH server version: SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.7
[*] 10.10.181.194 - SSH server version: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
[*] 10.10.181.204 - SSH server version: SSH-2.0-OpenSSH_5.6
[*] 10.10.181.205 - SSH server version: SSH-2.0-OpenSSH_5.6
[*] 10.10.181.201 - SSH server version: SSH-2.0-OpenSSH_5.6
[*] 10.10.181.203 - SSH server version: SSH-2.0-OpenSSH_7.3
[*] 10.10.181.51 - SSH server version: SSH-2.0-OpenSSH_6.2

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

Vonahi Security identified nine (9) FTP services within the environment. As FTP is an insecure protocol, it could potentially expose sensitive
information such as user credentials or device configuration information in a man-in-the-middle attack. The following scan results display
some information that was discovered as a result of these scans:

[+] 10.10.150.10:21 - FTP Banner: '220-Microsoft FTP S -- snipped --
[+] 10.10.181.1:21 - FTP Banner: '220 FTP server read -- snipped --
[+] 10.10.150.75:21 - FTP Banner: '220 Microsoft FTP S -- snipped --
[+] 10.10.150.79:21 - FTP Banner: '220 Microsoft FTP S -- snipped --
[+] 10.10.150.139:21 - FTP Banner: '220 (vsFTPd 3.0.2)'
[+] 10.10.181.232:21 - FTP Banner: '220 Microsoft FTP S -- snipped --
[+] 10.10.150.33:21 - FTP Banner: '220-Microsoft FTP S -- snipped --
[+] 10.10.181.80:21 - FTP Banner: '220-Microsoft FTP S -- snipped --
[+] 10.10.181.88:21 - FTP Banner: '220-Microsoft FTP S -- snipped --

Testing of FTP services identified one (1) system to accept anonymous FTP authentication credentials. Anonymous login
credentials would allow an attacker to identify files that may exist on an FTP server. If permissions allow for write access, an
attacker could also attempt to use this to store malicious code. The following output displays the results of this FTP scan:

Nmap scan report for 10.10.150.139
Host is up, received arp-response (0.0020s latency).
Scanned at 2024-10-04 05:17:44 UTC for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
MAC Address: 00:50:56:97:73:FA (VMware)

While analyzing one of the FTP services at 10.10.150.139, Vonahi Security was able to enumerate the directory structure. The
results of the directory structure listing are below:

./

Name Network Service Discovery
Tactic Discovery
TTP ID T1046
Note Vonahi Security continued testing against these services by attempting to enumerate the files stored on the affected FTP
server. To facilitate this process, Vonahi Security leveraged the lftp tool, which can significantly reduce the time it takes to
enumerate FTP services.

Based on the results of the reviewed FTP services, no sensitive information was identified.

During testing, Vonahi Security identified one (1) Microsoft Exchange server and performed a simple check to test for ProxyShell,
a vulnerability that allows bypassing authentication on Microsoft Exchange servers and, potentially, remote code execution.
However, none of the tested servers were vulnerable to ProxyShell.

Next, Vonahi Security identified one hundred and seventy-four (174) systems that exposed port 445/tcp, which is for the Server
Message Block (SMB) service. This service was targeted for the enumeration of information that may be valuable. One of the first
things scanned during this process is the support for SMB signing. SMB signing, when enabled, helps mitigate SMB relay attacks.
SMB relay attacks are when an attacker performs a poisoning attack and tricks a vulnerable system into sending hashed
authentication credentials to the attacker. The attacker then takes these hashed credentials and relays them to another system,
pivoting off that authenticated session to perform additional attacks, such as remote code execution.

Testing identified that one hundred and seventy (170) of the one hundred and seventy-four (174) systems with port 445/tcp open
did not require SMB signing and were therefore vulnerable to SMB relay attacks. The following sample output from
CrackMapExec identified this weakness:

10.10.181.233:(signing:False)
10.10.181.215:(signing:False)
10.10.150.11:(signing:False)
10.10.150.39:(signing:False)
10.10.150.113:(signing:False)
10.10.150.112:(signing:False)
10.10.181.219:(signing:False)
10.10.150.15:(signing:False)
10.10.150.33:(signing:False)
10.10.150.10:(signing:False)
10.10.150.14:(signing:False)

Name System Information Discovery
Tactic Discovery
TTP ID T1082
Note Additionally, scans were conducted across these systems to identify information about the operating systems, including
operating system versions, service pack versions, domain membership, etc.

As part of this operating system identification process, Vonahi Security identified one hundred and seventy-three (173) operating
systems. It's important to note that the tools and techniques used to gather information about operating system versions are not
always 100% accurate. While Vonahi Security makes several attempts to confirm the accurate operating systems through
additional methods, it should be noted that some results may require additional validation from a system administrator. The
following output demonstrates some of the results obtained:

SMB 10.10.150.20 445 SVAPPXCAPBOG04 [*] Windows Server 2022 Build 20348 x64 (name:SVAPPXCAPBOG04) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.181.36 445 SRVISWEBDEV001 [*] Windows Server 2022 Build 20348 x64 (name:SRVISWEBDEV001) (domain:SRVISWEBDEV001) (SMBv1:False)
SMB 10.10.150.194 445 SRVODISSY05 [*] Windows Server 2022 Build 20348 x64 (name:SRVODISSY05) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.75 445 SRVFTPTEMP [*] Windows Server 2022 Build 20348 x64 (name:SRVFTPTEMP) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.118 445 SRVIISITBOG11 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRVIISITBOG11) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.98 445 SRVFSSOBOG01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRVFSSOBOG01) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.181.37 445 SRVISWEBDEV002 [*] Windows Server 2022 Build 20348 x64 (name:SRVISWEBDEV002) (domain:SRVISWEBDEV002) (SMBv1:False)
SMB 10.10.181.5 445 SRVIISCMDEV02 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRVIISCMDEV02) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.144 445 SRVIISBOG03 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRVIISBOG03) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.39 445 SRVINTRABOG02 [*] Windows Server 2022 Standard 20348 x64 (name:SRVINTRABOG02) (domain:saludtotal.loc) (SMBv1:True)
SMB 10.10.181.240 445 SRVBDPRB001 [*] Windows Server 2022 Build 20348 x64 (name:SRVBDPRB001) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.150 445 SRVDCBOG03 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRVDCBOG03) (domain:saludtotal.loc) (signing:True) (SMBv1:False)
SMB 10.10.150.186 445 SRVPRTGBOG05 [*] Windows Server 2022 Build 20348 x64 (name:SRVPRTGBOG05) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.181.75 445 SRVBDCAP001 [*] Windows Server 2022 Build 20348 x64 (name:SRVBDCAP001) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.116 445 SRVBDBOGN3 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRVBDBOGN3) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.135 445 SRVIISITBOG06 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRVIISITBOG06) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.181.186 445 SRVIISPNPRB002 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRVIISPNPRB002) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.149 445 SVAPPBOG08 [*] Windows Server 2022 Build 20348 x64 (name:SVAPPBOG08) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.248 445 SRVPOCBOG04 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRVPOCBOG04) (domain:saludtotal.loc) (SMBv1:False)
SMB 10.10.150.9 445 SRVRSBOG01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVRSBOG01) (domain:saludtotal.loc) (SMBv1:True)

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

Vonahi Security also identified ten (10) systems that used an outdated operating system. Outdated operating systems are no
longer supported by their vendor and could pose a significant threat to the environment due to their lack of security updates. The
following output demonstrates an example of the outdated operating systems discovered:

SMB 10.10.150.11 445 SRVRSBOG02 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVRSBOG02) (domain:saludtotal.loc) (SMBv1:True)
SMB 10.10.150.10 445 SRVICPBOG01 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:SRVICPBOG01) (domain:saludtotal.loc) (SMBv1:True)
SMB 10.10.150.33 445 SRVINTRANETNEW [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:SRVINTRANETNEW) (domain:saludtotal.loc) (SMBv1:True)
SMB 10.10.150.9 445 SRVRSBOG01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVRSBOG01) (domain:saludtotal.loc) (SMBv1:True)
SMB 10.10.150.41 445 SRVMONBOG01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVMONBOG01) (domain:saludtotal.loc) (SMBv1:True)
SMB 10.10.150.104 445 SRVODISSY01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVODISSY01) (domain:saludtotal.loc) (SMBv1:True)
SMB 10.10.150.156 445 SRVTMGBOG02 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 (name:SRVTMGBOG02) (domain:saludtotal.loc) (SMBv1:True)
SMB 10.10.150.161 445 SRVODISSY02 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVODISSY02) (domain:saludtotal.loc) (SMBv1:True)
SMB 10.10.181.95 445 SRVODYPRB001 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVODYPRB001) (domain:saludtotal.loc) (SMBv1:True)
SMB 10.10.181.176 445 SRVREPPRB001 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVREPPRB001) (domain:saludtotal.loc) (SMBv1:True)
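
The SMB signing results and the operating system listings above can be combined into a remediation queue. The following is an added example, not part of the original report or of Vonahi Security's tooling: it parses lines in the CrackMapExec layout shown here and ranks hosts by how many of the weaknesses discussed they combine (signing not required, SMBv1 enabled, unsupported operating system). The sample lines, addresses and hostnames are constructed.

```python
import re

# Constructed sample lines in the CrackMapExec layout shown in this report
# (addresses from the 192.0.2.0/24 documentation range, hostnames invented).
SAMPLE = """\
SMB 192.0.2.10 445 APP01 [*] Windows Server 2022 Build 20348 x64 (name:APP01) (domain:example.loc) (signing:False) (SMBv1:False)
SMB 192.0.2.11 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:example.loc) (signing:True) (SMBv1:False)
SMB 192.0.2.12 445 RS01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:RS01) (domain:example.loc) (signing:False) (SMBv1:True)
SMB 192.0.2.13 445 ICP01 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:ICP01) (domain:example.loc) (SMBv1:True)
"""

LINE = re.compile(
    r"^SMB\s+(?P<ip>\S+)\s+445\s+(?P<host>\S+)\s+\[\*\]\s+(?P<os>.+?)\s+\(name:"
)
FIELD = re.compile(r"\((\w+):([^)]*)\)")
# Releases past vendor support; these are the ones the report lists as outdated.
END_OF_LIFE = ("Server 2008", "Server 2012")
BOOL = {"True": True, "False": False}


def parse(text):
    """Turn each host line into a dict; lines in any other shape are skipped."""
    hosts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        fields = dict(FIELD.findall(line))
        hosts.append({
            "ip": m["ip"],
            "host": m["host"],
            "os": m["os"],
            # A field missing from the line is unknown (None), not a pass.
            "signing": BOOL.get(fields.get("signing")),
            "smbv1": BOOL.get(fields.get("SMBv1")),
        })
    return hosts


def findings(host):
    """List the weaknesses from this section that apply to one host."""
    out = []
    if host["signing"] is False:
        out.append("signing-not-required")
    elif host["signing"] is None:
        out.append("signing-unknown")
    if host["smbv1"]:
        out.append("smbv1-enabled")
    if any(tag in host["os"] for tag in END_OF_LIFE):
        out.append("unsupported-os")
    return out


def triage(text):
    """Return (ip, host, findings) rows, hosts with the most findings first."""
    rows = [(h["ip"], h["host"], findings(h)) for h in parse(text)]
    return sorted(rows, key=lambda r: (-len(r[2]), r[0]))


if __name__ == "__main__":
    for ip, host, found in triage(SAMPLE):
        print(f"{ip:<12} {host:<8} {', '.join(found) or 'ok'}")
```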

Name Gather Victim Host Information: Software
Tactic Reconnaissance
TTP ID T1592.002
Note Next, in an attempt to identify some common security vulnerabilities in outdated operating systems, Vonahi Security
leveraged the Metasploit Framework to perform specific checks to determine whether or not the targeted system(s) were
vulnerable. These vulnerabilities are often labeled as low-hanging fruit as they can easily provide full access to the
compromised system if an exploit is successful.

One hundred (100) systems were scanned using the auxiliary/scanner/smb/smb_ms17_010 module. This module attempts to
discover systems that contain a common vulnerability named EternalBlue. When successfully exploited, this vulnerability could
provide an attacker with system-level privileges on the system, allowing them to perform several post-exploitation techniques. Such
post-exploitation techniques include the enumeration of local administrator password hashes, the enumeration of Active Directory
infrastructure data, and more. Scans indicate that no systems were found to be vulnerable at the time of testing. The following
results were obtained from this scan:

[-] 10.10.150.113:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.181.219:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.110:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.111:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.2:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.112:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.181.215:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.123:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.181.216:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.13:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.114:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.181.20:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.181.217:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.151:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.181.16:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.16:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.181.229:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.49:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.42:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[-] 10.10.150.40:445 - An SMB Login Error occurred while connecting to the IPC$ tree.

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

Three (3) systems were scanned using the exploit/windows/smb/ms08_067_netapi module. This module attempts to discover
systems that contain a common and old vulnerability that affects older versions of Microsoft Windows. When successfully
exploited, this vulnerability could provide an attacker with system-level privileges on the system, allowing them to perform several
post-exploitation techniques. Such post-exploitation techniques include the enumeration of local administrator password hashes,
the enumeration of Active Directory infrastructure data, and more. Scans indicate that no systems were found to be vulnerable at
the time of testing. The following results were obtained from this scan:

[*] 10.10.150.33:445 - The target is not exploitable.
[*] 10.10.150.156:445 - The target is not exploitable.
[*] 10.10.150.10:445 - The target is not exploitable.

Vonahi Security then ran a custom script to check if any systems allowed for SMB NULL session authentication (i.e. without a
username or password). SMB NULL sessions can allow attackers with network access to identify and possibly retrieve files that
may exist on an SMB (445/tcp) server. If permissions allow for write access, an attacker could also attempt to use this to store
malicious code. The results showed that ten (10) systems accepted SMB NULL session authentication:

10.10.150.2
10.10.150.33
10.10.150.10
10.10.150.34
10.10.150.39
10.10.150.61
10.10.150.150
10.10.150.162
10.10.150.200
10.10.150.156

The below sample evidence shows some of the results of this attack:

[10.10.150.2]
# crackmapexec smb 10.10.150.2 -u '' -p '' --local-auth
SMB 10.10.150.2 445 SRVDCBOG02 [+] SRVDCBOG02\:
------------------------------------------------------------
[10.10.150.33]
# crackmapexec smb 10.10.150.33 -u '' -p '' --local-auth
SMB 10.10.150.33 445 SRVINTRANETNEW [+] SRVINTRANETNEW\:
------------------------------------------------------------

Vonahi Security then tried to take advantage of SMB NULL session authentication in order to enumerate the SMB shares
available on the affected systems. The aim of this process was to identify any accessible shares containing potentially sensitive
company data as well as shares configured with WRITE access. However, no accessible shares were identified.

Additionally, an enumeration of SMB services was performed in an attempt to identify whether usernames, password policies, or
additional computer and/or domain information could be obtained. Such information could be useful for performing a password
attack against the environment. A sample output of one of the results is as follows:

Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Oct 4 05:23:14 2024

=========================================( Target Information )=========================================

Target ........... 10.10.150.110
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

===========================( Enumerating Workgroup/Domain on 10.10.150.110 )===========================

[E] Can't find workgroup/domain

===============================( Nbtstat Information for 10.10.150.110 )===============================

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

It was possible to extract valuable information from two (2) IP addresses during testing. The following IP addresses were found to
be leaking excessive information via SMB:

 10.10.150.150
 10.10.150.2

The following table presents some statistics of the information captured while enumerating SMB services:

Enumerated Data via SMB

Enumerated Domain User Accounts    6570
Enumerated Local User Accounts     0
Enumerated Domain Groups           898
Enumerated First And Last Names    98
Enumerated Domain Computers        8467
Enumerated Password Policies       1

One example of a password policy that was obtained as part of this enumeration process can be found below:

Password Info for Domain: SALUDTOTAL

- Minimum password length: 8
- Password history length: 14
- Maximum password age: 29 days 23 hours 53 minutes
- Password Complexity Flags: 000001
- Domain Refuse Password Change: 0
- Domain Password Store Cleartext: 0
- Domain Password Lockout Admins: 0
- Domain Password No Clear Change: 0
- Domain Password No Anon Change: 0
- Domain Password Complex: 1
- Minimum password age: 25 days 5 minutes
- Reset Account Lockout Counter: 5 minutes
- Locked Account Duration: 5 minutes
- Account Lockout Threshold: 3
- Forced Log off Time: Not Set

Name Exploitation of Remote Services
Tactic Lateral-movement
TTP ID T1210
Note Vonahi Security tested 3 domain controllers for the critical vulnerability known as ZeroLogon. When exploited, ZeroLogon
allows an attacker to reset the password of the domain controller's machine account. This can lead to full domain
compromise. The following domain controllers were tested as part of this process:
• 10.10.150.2 (srvdcbog02.saludtotal.loc)
• 10.10.150.132 (srvvcsabog01.saludtotal.loc.srvvcsabog01.saludtotal.loc)
• 10.10.150.150 (srvdcbog03.saludtotal.loc)

During testing, Vonahi Security was unable to identify any domain controllers that were vulnerable to ZeroLogon.

Next, Vonahi Security's objective was to perform a password attack against the Active Directory environment. However, Vonahi
Security first needed to gather a list of potential domain user accounts. Vonahi Security used the Kerbrute tool
to assist with this process. Kerbrute is a tool that can be used to enumerate domain user accounts by interacting with Kerberos.
Based on the response from a ticket-granting ticket (TGT) request to the key distribution center (KDC) server, Kerbrute is able to
deduce whether the domain user account provided is valid.

The following domain was observed as part of the initial host discovery scans performed at the beginning of the assessment:

• saludtotal.loc

Vonahi Security used four different naming conventions: 1) first initial last name, 2) first name last initial, 3)
first name dot last initial (e.g. First.Last), and 4) first name. A combination of common first and last names was used as part of this
process, as well as publicly available resources. Vonahi Security also included usernames gathered via enum4linux.

Name System Owner/User Discovery
Tactic Discovery
TTP ID T1033
Note Vonahi Security targeted the following domain controller as part of this Kerberos user enumeration attack: 10.10.150.2
(SRVDCBOG02)

During this process, Vonahi Security discovered five thousand, seven hundred and ninety-two (5792) valid domain user accounts
for one (1) domain. The following usernames were observed:

saludtotal.loc
----

$duplicate-2df65
$duplicate-2e34e
$duplicate-3b46d
-adm-infra
-adm-spadmin
-adm-spfarm
-adm-spservise
-adm-spsqlengine
___vmware_conv_sa___
abrahamia

--- snipped (max 10 of 5792) shown ---

During the enumeration phase of the test, Vonahi Security identified a total of five thousand, seven hundred and ninety-two
(5792) domain users. Vonahi Security carried out a limited password attack, consisting of one (1) login attempt per account,
against the identified users.

During this password attack, no successful login attempts were identified. The complete evidence of this login attack can be found
within the supporting evidence. The following is a short snippet of the password attack results:

SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\$duplicate-2df65:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\$duplicate-2e34e:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\$duplicate-3b46d:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\-adm-infra:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\-adm-spadmin:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\-adm-spfarm:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\-adm-spservise:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\-adm-spsqlengine:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\___vmware_conv_sa___:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\abrahamia:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\achcolombia:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\acredisoportes:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\adalygm:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\adamarisrc:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\adconnect:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\adelabp:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\adelapea:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\adelinapr:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\adhemedicaespe:Fal[obfuscated] STATUS_LOGON_FAILURE
SMB 10.10.150.110 445 SRVBDBOGN1 [-] saludtotal.loc\adilenalm:Fal[obfuscated] STATUS_LOGON_FAILURE

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.
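
Because the attack above made a single attempt per account, it stays under the account lockout threshold of 3 in the enumerated password policy, so lockout alerts alone would not surface it. The following added example (not part of the original report) flags a source that fails against many distinct accounts inside the lockout counter window; the record layout, the `MIN_ACCOUNTS` threshold and all sample records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3           # "Account Lockout Threshold: 3" in the policy above
WINDOW = timedelta(minutes=5)   # "Reset Account Lockout Counter: 5 minutes"
MIN_ACCOUNTS = 10               # assumed alerting threshold, tune per environment


def _build_sample():
    """Constructed failed-logon records: (ISO time, source IP, account)."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    rows = []
    # Source A: one failure against each of 25 different accounts.
    for i in range(25):
        stamp = (base + timedelta(seconds=2 * i)).isoformat()
        rows.append((stamp, "192.0.2.50", f"user{i:02d}"))
    # Source B: one user mistyping a password four times.
    for i in range(4):
        stamp = (base + timedelta(seconds=20 * i)).isoformat()
        rows.append((stamp, "192.0.2.60", "alice"))
    # Source C: a shared host with a few unrelated failures.
    for i, name in enumerate(["bob", "carol", "dave"]):
        stamp = (base + timedelta(minutes=1, seconds=i)).isoformat()
        rows.append((stamp, "192.0.2.70", name))
    return rows


SAMPLE = _build_sample()


def detect_spray(records, window=WINDOW, min_accounts=MIN_ACCOUNTS,
                 lockout=LOCKOUT_THRESHOLD):
    """Return {source: peak distinct accounts} for sources matching the pattern."""
    by_source = defaultdict(list)
    for ts, src, account in records:
        by_source[src].append((datetime.fromisoformat(ts), account.lower()))
    alerts = {}
    for src, events in by_source.items():
        events.sort()
        recent = deque()                 # events inside the sliding window
        per_account = defaultdict(int)   # failures per account in the window
        peak = 0
        for ts, account in events:
            recent.append((ts, account))
            per_account[account] += 1
            while ts - recent[0][0] > window:
                _, old = recent.popleft()
                per_account[old] -= 1
                if per_account[old] == 0:
                    del per_account[old]
            # Many accounts, each below the lockout limit: no lockout
            # event is ever generated for this activity.
            if len(per_account) >= min_accounts and max(per_account.values()) < lockout:
                peak = max(peak, len(per_account))
        if peak:
            alerts[src] = peak
    return alerts


def locked_out_accounts(records, window=WINDOW, lockout=LOCKOUT_THRESHOLD):
    """Accounts reaching the lockout threshold: what lockout alerting sees."""
    times = defaultdict(list)
    for ts, _src, account in records:
        times[account.lower()].append(datetime.fromisoformat(ts))
    hit = set()
    for account, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - lockout + 1):
            if stamps[i + lockout - 1] - stamps[i] <= window:
                hit.add(account)
                break
    return hit


if __name__ == "__main__":
    print("spray sources:", detect_spray(SAMPLE))
    print("locked out:", locked_out_accounts(SAMPLE))
```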

Name Brute Force: Password Guessing
Tactic Credential-access
TTP ID T1110.001
Note Vonahi Security launched a limited login attack against one (1) VNC server.

No servers were found to contain weak or default credentials at the time of testing. The following code snippet shows sample
output results of this scan:

[-] 10.10.150.217:5900 - 10.10.150.217:5900 - LOGIN FAILED: vnc:password (Unable to Connect: EOFError)
[-] 10.10.150.217:5900 - 10.10.150.217:5900 - LOGIN FAILED: vnc:password (Unable to Connect: EOFError)

Name Gather Victim Host Information: Software
Tactic Reconnaissance
TTP ID T1592.002
Note Vonahi Security then attempted to scan the previously identified one (1) Microsoft Exchange server for the ProxyLogon
vulnerability.

However, testing showed that no target was vulnerable to ProxyLogon.

Name Brute Force: Password Guessing
Tactic Credential-access
TTP ID T1110.001
Note Vonahi Security also reviewed a list of nineteen (19) Microsoft SQL (MSSQL) servers and conducted a limited password
attack to determine if any weak or default credentials could be discovered. Weak database credentials could result in an
attacker gaining unauthorized access to confidential or valuable data. During this attack, Vonahi Security targeted one (1)
password against the 'sa' user.

No servers were found to contain weak or default credentials at the time of testing. The following code snippet shows sample
output results of this scan:

[-] 10.10.150.111:1433 - 10.10.150.111:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.181.240:1433 - 10.10.181.240:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.181.246:1433 - 10.10.181.246:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.181.248:1433 - 10.10.181.248:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.181.249:1433 - 10.10.181.249:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.14:1433 - 10.10.150.14:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.48:1433 - 10.10.150.48:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.49:1433 - 10.10.150.49:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.50:1433 - 10.10.150.50:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.51:1433 - 10.10.150.51:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.85:1433 - 10.10.150.85:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.117:1433 - 10.10.150.117:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.119:1433 - 10.10.150.119:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.127:1433 - 10.10.150.127:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.133:1433 - 10.10.150.133:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.150.171:1433 - 10.10.150.171:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.181.75:1433 - 10.10.181.75:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.181.89:1433 - 10.10.181.89:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 10.10.181.191:1433 - 10.10.181.191:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )

Name Brute Force: Password Guessing
Tactic Credential-access
TTP ID T1110.001
Note Vonahi Security also reviewed a list of five (5) MySQL servers and conducted a password attack to determine if any weak
or default credentials could be discovered. Weak database credentials could result in an attacker gaining unauthorized
access to confidential or valuable data. During this attack, Vonahi Security tried one (1) password against several
usernames that are commonly configured on MySQL servers.

No servers were found to contain weak or default credentials at the time of testing. The following code snippet shows sample
output results of this scan:

[-] 10.10.150.37:3306 - 10.10.150.37:3306 - Unsupported target version of MySQL detected. Skipping.
[-] 10.10.150.152:3306 - 10.10.150.152:3306 - Unsupported target version of MySQL detected. Skipping.
[+] 10.10.150.139:3306 - 10.10.150.139:3306 - Found remote MySQL version 5.7.22
[-] 10.10.150.139:3306 - 10.10.150.139:3306 - LOGIN FAILED: root:password (Incorrect: Access denied for user 'root'@'10.10.150.224' (using password: YES))
[-] 10.10.150.139:3306 - 10.10.150.139:3306 - LOGIN FAILED: root:password (Incorrect: Access denied for user 'root'@'10.10.150.224' (using password: YES))
[-] 10.10.150.139:3306 - 10.10.150.139:3306 - LOGIN FAILED: admin:password (Incorrect: Access denied for user 'admin'@'10.10.150.224' (using password: YES))
[-] 10.10.150.139:3306 - 10.10.150.139:3306 - LOGIN FAILED: administrator:password (Incorrect: Access denied for user 'administrator'@'10.10.150.224' (using password: YES))
[-] 10.10.150.139:3306 - 10.10.150.139:3306 - LOGIN FAILED: user:password (Incorrect: Access denied for user 'user'@'10.10.150.224' (using password: YES))
[-] 10.10.150.139:3306 - 10.10.150.139:3306 - LOGIN FAILED: test:password (Incorrect: Access denied for user 'test'@'10.10.150.224' (using password: YES))
[-] 10.10.150.139:3306 - 10.10.150.139:3306 - LOGIN FAILED: cloudera:password (Incorrect: Access denied for user 'cloudera'@'10.10.150.224' (using password: YES))
[-] 10.10.150.139:3306 - 10.10.150.139:3306 - LOGIN FAILED: moves:password (Incorrect: Access denied for user 'moves'@'10.10.150.224' (using password: YES))

Name Brute Force: Password Guessing
Tactic Credential-access
TTP ID T1110.001
Note Vonahi Security launched a login attack against thirteen (13) password-protected FTP servers. This attack was limited to
one (1) password attempt per user account.

Vonahi Security detected seven (7) sets of weak or default credentials across two (2) hosts.

[+] 10.10.150.10:21 - 10.10.150.10:21 - Login Successful: default:[obfuscated]
[+] 10.10.150.33:21 - 10.10.150.33:21 - Login Successful: default:[obfuscated]
[+] 10.10.150.10:21 - 10.10.150.10:21 - Login Successful: localadmin:[obfuscated]
[+] 10.10.150.33:21 - 10.10.150.33:21 - Login Successful: localadmin:[obfuscated]
[+] 10.10.150.10:21 - 10.10.150.10:21 - Login Successful: user:[obfuscated]
[+] 10.10.150.33:21 - 10.10.150.33:21 - Login Successful: user:[obfuscated]
[+] 10.10.150.33:21 - 10.10.150.33:21 - Login Successful: user1:[obfuscated]

Name Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay
Tactic Credential-access
TTP ID T1557.001
Note As part of the exploitation phase, Vonahi Security continued to perform DNS poisoning attacks via NBNS, LLMNR and
mDNS.

When enabled on Microsoft Windows systems, DNS names that cannot be resolved by a system's configured DNS server or local
hosts file will be communicated in the form of NBNS and/or LLMNR broadcast packets across the network environment. Similarly,
multicast DNS (mDNS) can be used within small networks to resolve a DNS name when no local DNS server exists. This is done
via IP multicast query messages to the hosts on the local subnet. The problem with this configuration is that it is possible to
respond to these broadcast/multicast packets and spoof the IP address of the DNS name in question. In other words, if SystemA
is attempting to resolve www.helloworld.com and cannot find its IP address, an attacking system can pretend to be the IP address
of www.helloworld.com. Upon a successful attack, it may be possible to capture cleartext or hashed credentials.

Vonahi Security deployed a rogue IPv6 router within the environment to determine if it'd be possible to conduct IPv6 attacks.
Since IPv6 is treated with higher priority than IPv4, any time a network device sees an IPv6 router available, it will attempt to
retrieve an IPv6 address. An attacker can abuse this by deploying a rogue DHCPv6 server within the environment and assigning
all IPv6 clients an IP address and DNS configuration that route traffic through the attacker's system.

While Vonahi Security was successful in capturing NBNS/LLMNR/mDNS broadcast packets across the local subnet, it was not
possible to capture any credentials at the time of testing. This is primarily due to the lack of systems and/or services successfully
authenticating to the penetration testing VM during these attacks. An example of these successful NBNS/LLMNR/mDNS
poisoning attempts is shown below:

2024-10-04 06:11:33,110 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0 (service: Workstation/Redirector)
2024-10-04 06:11:33,368 - [*] [MDNS] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0.local
2024-10-04 06:11:33,383 - [*] [MDNS] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0.local
2024-10-04 06:11:34,360 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.61 for name SERHSRTS01 (service: Workstation/Redirector)
2024-10-04 06:11:34,360 - [*] [MDNS] Poisoned answer sent to 10.10.150.61 for name SERHSRTS01.local
2024-10-04 06:11:34,361 - [*] [MDNS] Poisoned answer sent to 10.10.150.61 for name SERHSRTS01.local
2024-10-04 06:11:34,362 - [*] [LLMNR] Poisoned answer sent to 10.10.150.61 for name SERHSRTS01
2024-10-04 06:11:34,362 - [*] [LLMNR] Poisoned answer sent to 10.10.150.61 for name SERHSRTS01
2024-10-04 06:11:36,005 - [*] [MDNS] Poisoned answer sent to 10.10.150.16 for name SRVFACBOG01.local
2024-10-04 06:11:36,005 - [*] [MDNS] Poisoned answer sent to 10.10.150.16 for name SRVFACBOG01.local
2024-10-04 06:11:36,097 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.150 for name BOGCIR4313707 (service: Workstation/Redirector)
2024-10-04 06:11:36,097 - [*] [MDNS] Poisoned answer sent to 10.10.150.150 for name BOGCIR4313707.local
2024-10-04 06:11:36,098 - [*] [LLMNR] Poisoned answer sent to 10.10.150.150 for name BOGCIR4313707
2024-10-04 06:11:36,189 - [*] [MDNS] Poisoned answer sent to 10.10.150.150 for name BOGCIR4313707.local
2024-10-04 06:11:36,189 - [*] [LLMNR] Poisoned answer sent to 10.10.150.150 for name BOGCIR4313707
2024-10-04 06:11:37,028 - [*] [MDNS] Poisoned answer sent to 10.10.150.114 for name DBAUTORIZACIONE.local
2024-10-04 06:11:37,378 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.33 for name NTAUTHORITY (service: File Server)
2024-10-04 06:11:37,581 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:38,330 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:39,080 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.
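
Each "Poisoned answer sent" line identifies a client that fell back to broadcast or multicast name resolution for a name DNS did not resolve. As an added example (not part of the original report), the following parses lines in the log layout shown above into a per-client list of fallback protocols to turn off and names to review; the log lines are constructed, and the action text assumes Windows clients managed through Group Policy.

```python
import re
from collections import defaultdict

# Constructed lines in the log layout shown above
# (documentation addresses, invented names).
SAMPLE_LOG = """\
2024-01-01 06:11:33,110 - [*] [NBT-NS] Poisoned answer sent to 192.0.2.98 for name KIOSK01 (service: Workstation/Redirector)
2024-01-01 06:11:33,368 - [*] [MDNS] Poisoned answer sent to 192.0.2.98 for name KIOSK01.local
2024-01-01 06:11:34,362 - [*] [LLMNR] Poisoned answer sent to 192.0.2.61 for name OLDFILESRV
2024-01-01 06:11:34,900 - [*] [LLMNR] Poisoned answer sent to 192.0.2.61 for name OLDFILESRV
2024-01-01 06:11:37,378 - [*] [NBT-NS] Poisoned answer sent to 192.0.2.33 for name WPAD (service: File Server)
[*] HTTPD(80): Client requested path: /wpad.dat
"""

ENTRY = re.compile(
    r"\[(?P<proto>NBT-NS|LLMNR|MDNS)\] Poisoned answer sent to (?P<client>\S+) "
    r"for name (?P<name>\S+)"
)

# Hardening step per fallback protocol (assumed Windows clients).
ACTIONS = {
    "LLMNR": "enable the 'Turn off multicast name resolution' Group Policy setting",
    "NBT-NS": "disable NetBIOS over TCP/IP on the adapter",
    "MDNS": "disable mDNS or block UDP 5353 at the host firewall",
}


def summarize(log_text):
    """Map each client to the fallback protocols it used and the names it asked for."""
    clients = defaultdict(lambda: {"protocols": set(), "names": set()})
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue  # other log lines, such as HTTP requests
        entry = clients[m["client"]]
        entry["protocols"].add(m["proto"])
        # Fold KIOSK01 and KIOSK01.local into one unresolved name.
        name = m["name"].lower()
        entry["names"].add(name[:-6] if name.endswith(".local") else name)
    return clients


def remediation_plan(log_text):
    """One entry per client: what to disable and which names to review in DNS."""
    plan = []
    for client, entry in sorted(summarize(log_text).items()):
        plan.append({
            "client": client,
            "disable": [ACTIONS[p] for p in sorted(entry["protocols"])],
            "unresolved_names": sorted(entry["names"]),
        })
    return plan


if __name__ == "__main__":
    for item in remediation_plan(SAMPLE_LOG):
        print(item["client"], item["unresolved_names"])
        for action in item["disable"]:
            print("   -", action)
```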

When attempting to perform IPv6 attacks, Vonahi Security successfully assigned IPv6 addresses with the attacking system set as
the default DNS server. An example of this can be found below:

Starting mitm6 using the following configuration:


Primary adapter: ens32 [00:50:56:ba:ce:a5]
IPv4 address: 10.10.150.224
IPv6 address: fe80::250:56ff:feba:cea5
Warning: Not filtering on any domain, mitm6 will reply to all DNS queries.
Unless this is what you want, specify at least one domain with -d
IPv6 address fe80::9345:3 is now assigned to mac=00:50:56:ba:f9:cb host=SRVIISBOG03.saludtotal.loc. ipv4=
IPv6 address fe80::9345:4 is now assigned to mac=00:50:56:ba:c7:a6 host=SRVINTRABOG01.saludtotal.loc. ipv4=
Sent spoofed reply for time.windows.com. to fe80::9345:3
IPv6 address fe80::9345:5 is now assigned to mac=00:50:56:ba:7e:ff host=SRVINTRABOG02.saludtotal.loc. ipv4=
IPv6 address fe80::9345:1 is now assigned to mac=2c:44:fd:7c:3d:39 host=ColectorST. ipv4=
IPv6 address fe80::9345:6 is now assigned to mac=52:54:00:73:fe:60 host=proxy-st. ipv4=
IPv6 address fe80::9345:7 is now assigned to mac=00:50:56:ba:f9:8a host=SRVNCHDBOG01. ipv4=
IPv6 address fe80::9345:8 is now assigned to mac=52:54:00:ad:d6:7a host=nessus-2. ipv4=
IPv6 address fe80::9345:9 is now assigned to mac=00:0c:29:9e:9b:c4 host=v1sg.64298aa2. ipv4=
IPv6 address fe80::9345:10 is now assigned to mac=00:50:56:ba:a0:77 host=SRVBDIBOG01. ipv4=
IPv6 address fe80::9345:2 is now assigned to mac=00:50:56:ab:00:02 host= ipv4=
IPv6 address fe80::9345:12 is now assigned to mac=00:50:56:ba:c6:0a host=srvitnbog01. ipv4=
IPv6 address fe80::9345:11 is now assigned to mac=38:68:dd:57:21:45 host= ipv4=
IPv6 address fe80::9345:9 is now assigned to mac=00:0c:29:9e:9b:c4 host=v1sg.64298aa2. ipv4=

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

At the time of testing, Vonahi Security successfully captured password hashes via NTLM relaying attacks. The following
output is a snippet of the NTLM relay log results:

Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] HTTPD(80): Client requested path: /wpad.dat

[*] Received connection from SALUDTOTAL/SRVINTRANETNEW$ at SRVINTRANETNEW, connection will be relayed after re-authentication
[*] SMBD-Thread-6 (process_request_thread): Connection from SALUDTOTAL/SRVINTRANETNEW$@::ffff:10.10.150.33 controlled, attacking target smb://10.10.181.233
[*] Authenticating against smb://10.10.181.233 as SALUDTOTAL/SRVINTRANETNEW$ SUCCEED
[*] SMBD-Thread-6 (process_request_thread): Connection from SALUDTOTAL/SRVINTRANETNEW$@::ffff:10.10.150.33 controlled, attacking target smb://10.10.181.215
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Authenticating against smb://10.10.181.215 as SALUDTOTAL/SRVINTRANETNEW$ SUCCEED
[*] SMBD-Thread-6 (process_request_thread): Connection from SALUDTOTAL/SRVINTRANETNEW$@::ffff:10.10.150.33 controlled, attacking target smb://10.10.150.11
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Authenticating against smb://10.10.150.11 as SALUDTOTAL/SRVINTRANETNEW$ SUCCEED
[*] SMBD-Thread-6 (process_request_thread): Connection from SALUDTOTAL/SRVINTRANETNEW$@::ffff:10.10.150.33 controlled, attacking target smb://10.10.150.39
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Authenticating against smb://10.10.150.39 as SALUDTOTAL/SRVINTRANETNEW$ SUCCEED
[*] SMBD-Thread-6 (process_request_thread): Connection from SALUDTOTAL/SRVINTRANETNEW$@::ffff:10.10.150.33 controlled, attacking target smb://10.10.150.113
[-] DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Authenticating against smb://10.10.150.113 as SALUDTOTAL/SRVINTRANETNEW$ SUCCEED
[*] SMBD-Thread-6 (process_request_thread): Connection from SALUDTOTAL/SRVINTRANETNEW$@::ffff:10.10.150.33 controlled, attacking target smb://10.10.150.112

----- SNIPPED -----

The remainder of this output has been snipped for reporting purposes.

While conducting DNS poisoning and NTLM Relay attacks, it was possible to obtain one (1) new password hash. Vonahi Security
did not attempt to obtain the plaintext password for these credentials because they belonged to computer accounts. Microsoft
Windows automatically sets computer account passwords to be very complex, making the plaintext password extremely difficult to
recover. An example of up to five (5) captured hashes can be found below:

SRVINTRANETNEW$::SALUDTOTAL:4141414141414141:7b7ccc683ead4c48e1a21da9a98cf832:01...[partially-obfuscated]

Internal Network Environment Exposures

This phase of the security assessment focused on the security of network assets within the internal network environment. During
this phase, Vonahi Security used a comprehensive set of tools, custom scripts, and manual techniques to thoroughly identify
possible threats to the environment. Like a traditional penetration test, all identified threats were tested and validated to evaluate
the depth of compromise. Unlike a traditional penetration test, this evaluation of threats was not isolated or limited to a handful of
threats, but rather across all threats identified.

CRITICAL IPMI Authentication Bypass

Observation
Intelligent Platform Management Interface (IPMI) is a hardware solution that allows network administrators to centrally
control and manage servers. When setting up a server with IPMI, some servers may contain vulnerabilities that allow
an attacker to remotely bypass the authentication process and extract the password hash. In some cases, an
attacker may also be able to identify the cleartext password if the password is still default or weak.

Security Impact
By extracting the cleartext password, an attacker may be able to gain remote access to the service. This access may be
to the service's Secure Shell (SSH), Telnet, or even web interfaces. Successful access could result in the manipulation
of configurations that may negatively impact the availability of services provided by the compromised server.

Affected Nodes
SIXTEEN (16) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.188 Undetected
10.10.150.23 Undetected
10.10.150.24 Undetected
10.10.150.25 Undetected
10.10.150.26 Undetected
10.10.150.27 Undetected
10.10.150.28 Undetected
10.10.150.29 Undetected
10.10.150.217 Undetected
10.10.150.220 Undetected
10.10.150.226 Undetected
10.10.150.227 Undetected
10.10.150.228 Undetected
10.10.150.229 Undetected
10.10.150.233 Undetected
10.10.150.234 Undetected

Recommendation
Since there is no patch available for this particular vulnerability, it is recommended to perform one or more of the
following actions.

• Restrict IPMI access to a limited number of systems - systems that require access for administration purposes.
• Disable the IPMI service if it is not required for business operations.
• Change the default administrator password to one that is strong and complex.
• Only use secure protocols, such as HTTPS and SSH, on the service to limit the chances of an attacker
successfully obtaining this password in a man-in-the-middle attack.

Reproduction Steps
Leveraging the Metasploit framework, configure and run the following module against the affected service:

auxiliary/scanner/ipmi/ipmi_dumphashes

References
• https://www.zenlayer.com/blog/what-is-ipmi/
• https://www.tenable.com/plugins/nessus/68931
• https://beyondsecurity.com/scan-pentest-network-multiple-vendor-ipmi-cipher-zero-authentication-bypass-vulnerability.html?cn-reloaded=1

Evidence

CRITICAL IPv6 DNS Spoofing

Observation
IPv6 DNS spoofing is possible because a rogue DHCPv6 server can be deployed on the internal network. Since
Microsoft Windows systems prefer IPv6 over IPv4, IPv6-enabled clients will prefer to obtain IP address configurations
from a DHCPv6 server when one is available.

During an attack such as the one performed during this assessment, an IPv6 DNS server was assigned to IPv6-enabled
clients; however, the IPv6-enabled clients retained their pre-existing IPv4 address configurations - IP address, default
gateway, and subnet mask.

Security Impact
By deploying a rogue DHCPv6 server, an attacker is able to intercept DNS requests by reconfiguring IPv6-enabled
clients to use the attacker's system as the DNS server. Such an attack could potentially lead to the successful capture of
sensitive information, including user credentials and other information. Resolving all DNS names to an attacker's system
results in the victim's system communicating with services such as SMB, HTTP, RDP, MSSQL, etc. all hosted on the
attacker's system.

Affected Nodes
THIRTY-FIVE (35) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.99 Undetected
10.10.150.134 Undetected
10.10.150.34 SRVINTRABOG01 Windows Server 2022 Standard 20348 x64
10.10.150.39 SRVINTRABOG02 Windows Server 2022 Standard 20348 x64
10.10.150.23 Undetected
10.10.150.24 Undetected
10.10.150.25 Undetected
10.10.150.26 Undetected
10.10.150.27 Undetected
10.10.150.28 Undetected
10.10.150.29 Undetected
10.10.150.30 Undetected
10.10.150.31 Undetected
10.10.150.32 Undetected
10.10.150.36 ProdTotalinfo.saludtotal.loc Undetected
10.10.150.37 Undetected
10.10.150.226 Undetected
10.10.150.227 Undetected
10.10.150.228 Undetected
10.10.150.144 SRVIISBOG03 Windows 10 / Server 2019 Build 17763 x64
10.10.150.215 Undetected
10.10.150.217 Undetected
10.10.150.220 Undetected
10.10.150.222 Undetected
10.10.150.229 Undetected
10.10.150.230 srvhsmbog01.saludtotal.loc Undetected
10.10.150.231 Undetected
10.10.150.232 Undetected
10.10.150.233 Undetected
10.10.150.234 Undetected
10.10.150.250 Undetected
10.10.150.251 Undetected
10.10.150.252 Undetected
10.10.150.253 Undetected
10.10.150.254 Undetected

Recommendation
Disable IPv6 unless it is required for business operations. As disabling IPv6 could potentially cause an interruption in
network services, it is strongly advised to test this configuration prior to mass deployment. An alternative solution would
be to implement DHCPv6 guard on network switches. Essentially, DHCPv6 guard ensures that only DHCP servers on an
authorized list are allowed to assign leases to clients.

Reproduction Steps
Leveraging the "mitm6" tool within Kali Linux, a user is able to quickly deploy a DHCPv6 server within the local network
and assign five-minute leases (by default) to IPv6-enabled clients.

References
• https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/

Evidence
IPv6 address fe80::9345:3 is now assigned to mac=00:50:56:ba:f9:cb host=SRVIISBOG03.saludtotal.loc. ipv4=
IPv6 address fe80::9345:4 is now assigned to mac=00:50:56:ba:c7:a6 host=SRVINTRABOG01.saludtotal.loc. ipv4=
Sent spoofed reply for time.windows.com. to fe80::9345:3
IPv6 address fe80::9345:5 is now assigned to mac=00:50:56:ba:7e:ff host=SRVINTRABOG02.saludtotal.loc. ipv4=
IPv6 address fe80::9345:1 is now assigned to mac=2c:44:fd:7c:3d:39 host=ColectorST. ipv4=
IPv6 address fe80::9345:6 is now assigned to mac=52:54:00:73:fe:60 host=proxy-st. ipv4=
IPv6 address fe80::9345:7 is now assigned to mac=00:50:56:ba:f9:8a host=SRVNCHDBOG01. ipv4=
IPv6 address fe80::9345:8 is now assigned to mac=52:54:00:ad:d6:7a host=nessus-2. ipv4=
IPv6 address fe80::9345:9 is now assigned to mac=00:0c:29:9e:9b:c4 host=v1sg.64298aa2. ipv4=
IPv6 address fe80::9345:10 is now assigned to mac=00:50:56:ba:a0:77 host=SRVBDIBOG01. ipv4=
IPv6 address fe80::9345:2 is now assigned to mac=00:50:56:ab:00:02 host= ipv4=
IPv6 address fe80::9345:12 is now assigned to mac=00:50:56:ba:c6:0a host=srvitnbog01. ipv4=
IPv6 address fe80::9345:11 is now assigned to mac=38:68:dd:57:21:45 host= ipv4=
IPv6 address fe80::9345:9 is now assigned to mac=00:0c:29:9e:9b:c4 host=v1sg.64298aa2. ipv4=
IPv6 address fe80::9345:9 is now assigned to mac=00:0c:29:9e:9b:c4 host=v1sg.64298aa2. ipv4=
IPv6 address fe80::9345:13 is now assigned to mac=98:f2:b3:f5:be:be host= ipv4=
Sent spoofed reply for wpad.saludtotal.loc. to fe80::9345:3
Sent spoofed reply for wpad.saludtotal.loc. to fe80::9345:3
IPv6 address fe80::9345:9 is now assigned to mac=00:0c:29:9e:9b:c4 host=v1sg.64298aa2. ipv4=
Sent spoofed reply for xlogr-ue1.xdr.trendmicro.com. to fe80::9345:3
IPv6 address fe80::350:1 is now assigned to mac=00:50:56:ba:f9:8a host=SRVNCHDBOG01. ipv4=

--snipped--

CRITICAL Link-Local Multicast Name Resolution (LLMNR) Spoofing

Observation
Link-Local Multicast Name Resolution (LLMNR) is a protocol used amongst workstations within an internal network
environment to resolve a domain name system (DNS) name when a DNS server does not exist or cannot be helpful.

When a system attempts to resolve a DNS name, the system proceeds with the following steps:

1. The system checks its local hosts file to determine if an entry exists to match the DNS name in question with an IP
address.
2. If the system does not have an entry in its local hosts file, the system then sends a DNS query to its configured DNS
server(s) to attempt to retrieve an IP address that matches the DNS name in question.
3. If the configured DNS server(s) cannot resolve the DNS name to an IP address, the system then sends an LLMNR
broadcast packet on the local network to seek assistance from other systems.

Security Impact
Since LLMNR queries are broadcast across the network, any system can respond to these queries with the IP
address of the DNS name in question. An attacker can abuse this by responding to all of
these queries with the IP address of the attacker's system. Depending on the service that the victim was attempting to
communicate with (e.g. SMB, MSSQL, HTTP, etc.), an attacker may be able to capture sensitive cleartext and/or hashed
account credentials. Hashed credentials can often be recovered, given time, using modern-day
computing power and brute-force techniques.

Affected Nodes
SEVEN (7) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.2 SRVDCBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.150 SRVDCBOG03 Windows 10 / Server 2019 Build 17763 x64
10.10.150.128 SVAPPBOG14 Windows Server 2022 Build 20348 x64
10.10.150.200 SRVTERBOG01 Windows Server 2022 Build 20348 x64
10.10.150.61 SRVTERBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.98 SRVFSSOBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.106 SRVIISITBOG02 Windows 10 / Server 2019 Build 17763 x64

Recommendation
The most effective method for preventing exploitation is to configure the Multicast Name Resolution registry key in order
to prevent systems from using LLMNR queries.

• Using Group Policy: Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast
Name Resolution = Enabled (To administer a Windows 2003 DC, use the Remote Server Administration Tools for
Windows 7 - http://www.microsoft.com/en-us/download/details.aspx?id=7887)
• Using the Registry for Windows Vista/7/10 Home Edition only:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\EnableMulticast

Reproduction Steps
On a system configured with LLMNR, attempt to interact with a DNS name that is known to be invalid (e.g.
test123.local). On another system, use a network packet analyzer, such as Wireshark, to inspect the broadcasted traffic
on the internal network environment.

References
• https://attack.mitre.org/techniques/T1557/001/

Evidence
2024-10-04 06:11:34,362 - [*] [LLMNR] Poisoned answer sent to 10.10.150.61 for name SERHSRTS01
2024-10-04 06:11:34,362 - [*] [LLMNR] Poisoned answer sent to 10.10.150.61 for name SERHSRTS01
2024-10-04 06:11:36,098 - [*] [LLMNR] Poisoned answer sent to 10.10.150.150 for name BOGCIR4313707
2024-10-04 06:11:36,189 - [*] [LLMNR] Poisoned answer sent to 10.10.150.150 for name BOGCIR4313707
2024-10-04 06:11:43,779 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name BOGSUCASDAUX188
2024-10-04 06:11:43,779 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name BOGSUCASDAUX188
2024-10-04 06:05:12,627 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0
2024-10-04 06:05:12,627 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0
2024-10-04 06:05:19,036 - [*] [LLMNR] Poisoned answer sent to 10.10.150.106 for name gpsutg
2024-10-04 06:05:19,037 - [*] [LLMNR] Poisoned answer sent to 10.10.150.106 for name gpsutg
2024-10-04 06:05:24,395 - [*] [LLMNR] Poisoned answer sent to 10.10.150.106 for name gpsutg
2024-10-04 06:05:24,396 - [*] [LLMNR] Poisoned answer sent to 10.10.150.106 for name gpsutg
2024-10-04 06:17:53,892 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0
2024-10-04 06:17:53,892 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0
2024-10-04 06:18:25,283 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name BOGADM109PSUP06
2024-10-04 06:18:25,284 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name BOGADM109PSUP06
2024-10-04 06:24:17,663 - [*] [LLMNR] Poisoned answer sent to 10.10.150.2 for name CPO11BHM
2024-10-04 06:24:17,695 - [*] [LLMNR] Poisoned answer sent to 10.10.150.2 for name CPO11BHM
2024-10-04 06:24:23,042 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0
2024-10-04 06:24:23,042 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0
2024-10-04 06:24:44,076 - [*] [LLMNR] Poisoned answer sent to 10.10.150.98 for name BOGADMA685LID02

--snipped--

CRITICAL Multicast DNS (mDNS) Spoofing

Observation
Multicast DNS (mDNS) is a protocol used within small networks to resolve a domain name system (DNS) name when a
local DNS server does not exist.

When a system attempts to resolve a DNS name, the system proceeds with the following steps:

1. The system checks its local hosts file to determine if an entry exists to match the DNS name in question with an IP
address.
2. On small networks where no DNS Server is configured, the system then uses mDNS to send an IP multicast query
message to the systems on the local subnet that asks the host having that name to identify itself. Attackers can take
advantage of this by answering this request and impersonating a system on the network.

Security Impact
Since mDNS queries are sent to systems on the local subnet, any system can respond to these queries with the IP
address of the DNS name in question. An attacker can abuse this by responding to all of
these queries with the IP address of the attacker's system. Depending on the service that the victim was attempting to
communicate with (e.g. SMB, MSSQL, HTTP, etc.), an attacker may be able to capture sensitive cleartext and/or hashed
account credentials. Hashed credentials can often be recovered, given time, using modern-day
computing power and brute-force techniques.

Affected Nodes
TWENTY (20) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.2 SRVDCBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.150 SRVDCBOG03 Windows 10 / Server 2019 Build 17763 x64
10.10.150.74 SRVPACBOG03 Windows Server 2022 Build 20348 x64
10.10.150.128 SVAPPBOG14 Windows Server 2022 Build 20348 x64
10.10.150.147 SRVPACBOG04 Windows Server 2022 Build 20348 x64
10.10.150.171 SRVDWH001 Windows Server 2022 Build 20348 x64
10.10.150.200 SRVTERBOG01 Windows Server 2022 Build 20348 x64
10.10.150.16 SRVMNTBOG03 Windows 10 / Server 2019 Build 17763 x64
10.10.150.61 SRVTERBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.98 SRVFSSOBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.100 SRVIISITBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.102 SRVIISITBOG09 Windows 10 / Server 2019 Build 17763 x64
10.10.150.106 SRVIISITBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.114 SRVBDBOGN1 Windows 10 / Server 2019 Build 17763 x64
10.10.150.115 SRVBDBOGN2 Windows 10 / Server 2019 Build 17763 x64
10.10.150.116 SRVBDBOGN3 Windows 10 / Server 2019 Build 17763 x64
10.10.150.118 SRVIISITBOG11 Windows 10 / Server 2019 Build 17763 x64
10.10.150.122 SRVBDBOGN4 Windows 10 / Server 2019 Build 17763 x64
10.10.150.130 SRVIISITBOG05 Windows 10 / Server 2019 Build 17763 x64
10.10.150.135 SRVIISITBOG06 Windows 10 / Server 2019 Build 17763 x64

Recommendation
The most effective method for preventing exploitation is to disable mDNS altogether if it is not being used. Depending on
the implementation, this can be achieved by disabling the Apple Bonjour or avahi-daemon service.

Reproduction Steps
On a system configured with mDNS, attempt to interact with a DNS name that is known to be invalid (e.g. test123.local).
On another system, use a network packet analyzer, such as Wireshark, to inspect the mDNS traffic on the internal
network environment by filtering for UDP queries over port 5353.

References
• http://www.multicastdns.org/

Evidence
2024-10-04 06:11:33,368 - [*] [MDNS] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0.local
2024-10-04 06:11:33,383 - [*] [MDNS] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0.local
2024-10-04 06:11:34,360 - [*] [MDNS] Poisoned answer sent to 10.10.150.61 for name SERHSRTS01.local
2024-10-04 06:11:34,361 - [*] [MDNS] Poisoned answer sent to 10.10.150.61 for name SERHSRTS01.local
2024-10-04 06:11:36,005 - [*] [MDNS] Poisoned answer sent to 10.10.150.16 for name SRVFACBOG01.local
2024-10-04 06:11:36,005 - [*] [MDNS] Poisoned answer sent to 10.10.150.16 for name SRVFACBOG01.local
2024-10-04 06:11:36,097 - [*] [MDNS] Poisoned answer sent to 10.10.150.150 for name BOGCIR4313707.local
2024-10-04 06:11:36,189 - [*] [MDNS] Poisoned answer sent to 10.10.150.150 for name BOGCIR4313707.local
2024-10-04 06:11:37,028 - [*] [MDNS] Poisoned answer sent to 10.10.150.114 for name DBAUTORIZACIONE.local
2024-10-04 06:11:39,994 - [*] [MDNS] Poisoned answer sent to 10.10.150.114 for name DBAUTORIZACIONE.local
2024-10-04 06:11:39,995 - [*] [MDNS] Poisoned answer sent to 10.10.150.114 for name DBAUTORIZACIONE.local
2024-10-04 06:11:40,369 - [*] [MDNS] Poisoned answer sent to 10.10.150.122 for name DBIPS.local
2024-10-04 06:11:40,369 - [*] [MDNS] Poisoned answer sent to 10.10.150.122 for name DBIPS.local
2024-10-04 06:11:43,388 - [*] [MDNS] Poisoned answer sent to 10.10.150.114 for name LS_AUTO.local
2024-10-04 06:11:43,388 - [*] [MDNS] Poisoned answer sent to 10.10.150.114 for name LS_AUTO.local
2024-10-04 06:11:43,779 - [*] [MDNS] Poisoned answer sent to 10.10.150.98 for name BOGSUCASDAUX188.local
2024-10-04 06:11:43,779 - [*] [MDNS] Poisoned answer sent to 10.10.150.98 for name BOGSUCASDAUX188.local
2024-10-04 06:11:44,893 - [*] [MDNS] Poisoned answer sent to 10.10.150.115 for name SHIELDDTC.local
2024-10-04 06:11:45,918 - [*] [MDNS] Poisoned answer sent to 10.10.150.116 for name LS_OPSALUD.local
2024-10-04 06:05:12,207 - [*] [MDNS] Poisoned answer sent to 10.10.150.114 for name SHIELD.local
2024-10-04 06:05:12,625 - [*] [MDNS] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0.local

--snipped--

CRITICAL NetBIOS Name Service (NBNS) Spoofing

Observation
NetBIOS Name Service (NBNS) is a protocol used amongst workstations within an internal network environment to
resolve a domain name system (DNS) name when a DNS server does not exist or cannot be helpful.

When a system attempts to resolve a DNS name, the system proceeds with the following steps:

1. The system checks its local hosts file to determine if an entry exists to match the DNS name in question with an IP
address.
2. If the system does not have an entry in its local hosts file, the system then sends a DNS query to its configured DNS
server(s) to attempt to retrieve an IP address that matches the DNS name in question.
3. If the configured DNS server(s) cannot resolve the DNS name to an IP address, the system then sends an NBNS
broadcast packet on the local network to seek assistance from other systems.

Security Impact
Since NBNS queries are broadcast across the network, any system can respond to these queries with the IP
address of the DNS name in question. An attacker can abuse this by responding to all of
these queries with the IP address of the attacker's system. Depending on the service that the victim was attempting to
communicate with (e.g. SMB, MSSQL, HTTP, etc.), an attacker may be able to capture sensitive cleartext and/or hashed
account credentials. Hashed credentials can often be recovered, given time, using modern-day
computing power and brute-force techniques.

Affected Nodes
TEN (10) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.33 SRVINTRANETNEW Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.2 SRVDCBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.150 SRVDCBOG03 Windows 10 / Server 2019 Build 17763 x64
10.10.150.128 SVAPPBOG14 Windows Server 2022 Build 20348 x64
10.10.150.156 SRVTMGBOG02 Windows Server 2008 R2 Standard 7601 Service Pack 1
10.10.150.162 SRVIISAPIBOG01 Windows Server 2022 Standard 20348 x64
10.10.150.200 SRVTERBOG01 Windows Server 2022 Build 20348 x64
10.10.150.61 SRVTERBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.98 SRVFSSOBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.106 SRVIISITBOG02 Windows 10 / Server 2019 Build 17763 x64

Recommendation
The following are some strategies for preventing the use of NBNS in a Windows environment or reducing the impact of
NBNS Spoofing attacks:

• Configure the UseDnsOnlyForNameResolutions registry key in order to prevent systems from using NBNS queries
(http://technet.microsoft.com/en-us/library/cc775874(v=ws.10).aspx). Set the registry DWORD to 1.
• Disable the NetBIOS service for all Windows hosts in the internal network. This can be done via DHCP options,
network adapter settings, or a registry key.
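
A read-only audit of a single Windows host for the LLMNR policy value recommended earlier in this report and for per-adapter NetBIOS over TCP/IP, added here as an example and not part of the Vonahi report or its tooling. The function name is hypothetical, and the per-adapter NetbiosOptions value under the NetBT service key is an assumption about which "registry key" the second bullet refers to, since the report does not name it.

```powershell
# Added example: read-only audit, changes nothing on the host.
# EnableMulticast is the value named in the report's LLMNR recommendation.
# NetbiosOptions is the per-adapter NetBT value (assumption: the report does
# not name the registry key it has in mind for disabling NetBIOS).

function Get-NameResolutionExposure {
    [CmdletBinding()]
    param()

    $findings = @()

    # --- LLMNR -------------------------------------------------------------
    # Policy "Turn off Multicast Name Resolution = Enabled" writes
    # EnableMulticast = 0. A missing value means the policy is not applied
    # and LLMNR is left at its default (on).
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue
    $llmnrValue = if ($llmnr) { $llmnr.EnableMulticast } else { $null }

    $findings += [pscustomobject]@{
        Protocol = 'LLMNR'
        Scope    = 'Host policy'
        Value    = if ($null -eq $llmnrValue) { 'not set' } else { $llmnrValue }
        Hardened = ($llmnrValue -eq 0)
    }

    # --- NetBIOS over TCP/IP (NBT-NS) ---------------------------------------
    # One subkey per adapter binding. NetbiosOptions:
    #   0 = follow the DHCP option (default), 1 = enabled, 2 = disabled.
    # Only 2 guarantees that the adapter does not send NBNS queries.
    $netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $adapters = Get-ChildItem -Path $netbtKey -ErrorAction SilentlyContinue

    foreach ($adapter in $adapters) {
        $opt = Get-ItemProperty -Path $adapter.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue
        $optValue = if ($opt) { $opt.NetbiosOptions } else { $null }

        $findings += [pscustomobject]@{
            Protocol = 'NBT-NS'
            Scope    = $adapter.PSChildName
            Value    = if ($null -eq $optValue) { 'not set' } else { $optValue }
            Hardened = ($optValue -eq 2)
        }
    }

    return $findings
}

$report = Get-NameResolutionExposure
$report | Format-Table -AutoSize

# A non-zero count means at least one setting still allows fallback name
# resolution on this host.
$exposed = @($report | Where-Object { -not $_.Hardened }).Count
Write-Output "Settings not hardened: $exposed"
```

An adapter reported with the value 0 depends on the DHCP server's option to disable NetBIOS, so it is listed as not hardened until that option is confirmed.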

Reproduction Steps
On a system configured with NBNS, attempt to interact with a DNS name that is known to be invalid (e.g. test123.local).
On another system, use a network packet analyzer, such as Wireshark, to inspect the broadcasted traffic on the internal
network environment.

References
• http://markgamache.blogspot.com/2013/01/ntlm-challenge-response-is-100-broken.html
• http://support.microsoft.com/kb/313314
• http://develnet.blogspot.com/2006/10/disabling-netbios-over-tcpip-via.html
• http://technet.microsoft.com/en-us/library/cc775874(v=ws.10).aspx

Evidence
2024-10-04 06:11:33,110 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.98 for name CPO31DIGITOUCH0 (service: Workstation/Redirector)
2024-10-04 06:11:34,360 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.61 for name SERHSRTS01 (service: Workstation/Redirector)
2024-10-04 06:11:36,097 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.150 for name BOGCIR4313707 (service: Workstation/Redirector)
2024-10-04 06:11:37,378 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.33 for name NTAUTHORITY (service: File Server)
2024-10-04 06:11:37,581 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:38,330 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:39,080 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:39,841 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:40,590 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:41,341 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:43,778 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.98 for name BOGSUCASDAUX188 (service: Workstation/Redirector)
2024-10-04 06:11:47,099 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:47,848 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:48,598 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:54,359 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:11:55,108 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:05:15,930 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:05:16,679 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)
2024-10-04 06:05:17,167 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.162 for name SRVDCBOG03 (service: Workstation/Redirector)
2024-10-04 06:05:17,173 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.162 for name SRVDCBOG03 (service: File Server)
2024-10-04 06:05:17,430 - [*] [NBT-NS] Poisoned answer sent to 10.10.150.156 for name SRVTMOSBOG01 (service: Workstation/Redirector)

--snipped--

CRITICAL Outdated Microsoft Windows Systems

Observation
An outdated Microsoft Windows system raises several concerns as the system is no longer receiving updates from
Microsoft. This could be a prime target for an attacker as these systems typically do not contain the latest security
updates, often leaving them vulnerable to significant threats.

Security Impact
An exploited Microsoft Windows system could potentially result in an attacker gaining unauthorized access to the
affected system(s). Additionally, depending on the similarities in configurations between the compromised system(s) and
other systems within the network, an attacker may be able to pivot from this system to other systems and resources
within the environment.

Affected Nodes
TEN (10) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.33 SRVINTRANETNEW Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.41 SRVMONBOG01 Windows Server 2012 R2 Standard 9600 x64
10.10.150.11 SRVRSBOG02 Windows Server 2012 R2 Standard 9600 x64
10.10.150.10 SRVICPBOG01 Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.9 SRVRSBOG01 Windows Server 2012 R2 Standard 9600 x64
10.10.150.104 SRVODISSY01 Windows Server 2012 R2 Standard 9600 x64
10.10.150.156 SRVTMGBOG02 Windows Server 2008 R2 Standard 7601 Service Pack 1
10.10.150.161 SRVODISSY02 Windows Server 2012 R2 Standard 9600 x64
10.10.181.95 SRVODYPRB001 Windows Server 2012 R2 Standard 9600 x64
10.10.181.176 SRVREPPRB001 Windows Server 2012 R2 Standard 9600 x64

Recommendation
Replace outdated versions of Microsoft Windows with operating systems that are up-to-date and supported by the
manufacturer.

Reproduction Steps
Use an operating system identification scanner, such as Nmap or Metasploit, to scan the affected targets to identify their
specific versions. Alternatively, a network administrator can check the operating system version by logging into the
system and viewing the operating system version through the system properties.

References
- https://attack.mitre.org/mitigations/M1051/
- https://support.microsoft.com/en-us/windows/what-does-it-mean-if-windows-isn-t-supported-08f3b92d-7539-671e-1452-2e71cdad18b5

Evidence
SMB 10.10.150.10 445 SRVICPBOG01 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:SRVICPBOG01) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.33 445 SRVINTRANETNEW [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:SRVINTRANETNEW) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.156 445 SRVTMGBOG02 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 (name:SRVTMGBOG02) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.11 445 SRVRSBOG02 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVRSBOG02) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.9 445 SRVRSBOG01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVRSBOG01) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.41 445 SRVMONBOG01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVMONBOG01) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.104 445 SRVODISSY01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVODISSY01) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.161 445 SRVODISSY02 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVODISSY02) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.181.95 445 SRVODYPRB001 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVODYPRB001) (domain:saludtotal.loc) (signing:False) (SMBv1:True)

HIGH FTP Servers Accept Default Credentials

Observation
During testing, it was possible to discover the use of default/common credentials for FTP servers. A limited password
attack was performed against the identified applications to determine if weak or default credentials were present.
Caution was exercised to avoid locking out any legitimate user or service accounts.

Security Impact
Exposing the applications with default credentials could allow an attacker to authenticate to the affected applications.
Depending on the application's functionality, this could lead to the manipulation of critical network devices, resulting in a
compromise of data and/or systems.

Affected Nodes
TWO (2) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.10 SRVICPBOG01 Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.33 SRVINTRANETNEW Windows Server 2008 R2 Standard 7601 Service Pack 1 x64

Recommendation
Connect to the affected devices via FTP or otherwise and change the default credentials to use passwords that adhere
to the organization's password complexity requirements.

Reproduction Steps
Connect to the affected FTP server(s) and attempt to authenticate using default credentials.

Evidence
[+] 10.10.150.10:21 - 10.10.150.10:21 - Login Successful: default:[obfuscated]
[+] 10.10.150.33:21 - 10.10.150.33:21 - Login Successful: default:[obfuscated]
[+] 10.10.150.10:21 - 10.10.150.10:21 - Login Successful: localadmin:[obfuscated]
[+] 10.10.150.33:21 - 10.10.150.33:21 - Login Successful: localadmin:[obfuscated]
[+] 10.10.150.10:21 - 10.10.150.10:21 - Login Successful: user:[obfuscated]
[+] 10.10.150.33:21 - 10.10.150.33:21 - Login Successful: user:[obfuscated]
[+] 10.10.150.33:21 - 10.10.150.33:21 - Login Successful: user1:[obfuscated]

HIGH SMBv1 Enabled

Observation
Server Message Block (or SMB) is a communication protocol used in Windows operating systems to communicate with
each other over a network. SMB plays an important part in an Active Directory environment as it provides file sharing,
printer sharing, and network browsing to machines in the environment. It also allows processes to communicate with
each other using a concept called named pipes, which is known as inter-process communication.

Security Impact
SMBv1 has been deprecated by Microsoft since 2013. Due to this, SMBv1 has become outdated and contains multiple
exploits/vulnerabilities that can allow remote code execution on the target machine using this protocol.

Affected Nodes
FOURTEEN (14) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.15 SRVMABOG01 Windows Server 2016 Standard 14393 x64
10.10.150.33 SRVINTRANETNEW Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.34 SRVINTRABOG01 Windows Server 2022 Standard 20348 x64
10.10.150.39 SRVINTRABOG02 Windows Server 2022 Standard 20348 x64
10.10.150.41 SRVMONBOG01 Windows Server 2012 R2 Standard 9600 x64
10.10.150.11 SRVRSBOG02 Windows Server 2012 R2 Standard 9600 x64
10.10.150.10 SRVICPBOG01 Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.9 SRVRSBOG01 Windows Server 2012 R2 Standard 9600 x64
10.10.150.104 SRVODISSY01 Windows Server 2012 R2 Standard 9600 x64
10.10.150.156 SRVTMGBOG02 Windows Server 2008 R2 Standard 7601 Service Pack 1
10.10.150.161 SRVODISSY02 Windows Server 2012 R2 Standard 9600 x64
10.10.150.162 SRVIISAPIBOG01 Windows Server 2022 Standard 20348 x64
10.10.181.95 SRVODYPRB001 Windows Server 2012 R2 Standard 9600 x64
10.10.181.176 SRVREPPRB001 Windows Server 2012 R2 Standard 9600 x64

Recommendation
To stay protected from exploits that target vulnerabilities in this protocol, it's recommended to disable SMBv1 in favor of
SMBv2/v3.

Microsoft has published documentation on their site about disabling SMBv1, as well as upgrading to SMBv2/v3 in just a
few commands.

- Disabling SMBv1: https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server#how-to-remove-smbv1-via-powershell
- Enabling SMBv2/v3: https://learn.microsoft.com/en-us/windows-server/storage/file-server/troubleshoot/detect-enable-and-disable-smbv1-v2-v3?tabs=server#how-to-remove-smbv1-via-powershell

Reproduction Steps
The CrackMapExec tool can be utilized to check whether or not a host has SMBv1 enabled. To do so the following
command can be used:

crackmapexec smb <ip>

This will scan the IP and return a result similar to this:

SMB 10.10.10.10 445 SRV [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRV) (domain:domain.local) (SMBv1:True)

The (SMBv1:True) part of the response is what indicates whether or not SMBv1 is in use. In this case you can see it
shows that this host has SMBv1 enabled since the value is set to True.
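
For remediation tracking across many hosts, the banner lines can be parsed rather than read by eye. The following is an added example, not part of the original report or of CrackMapExec: the function names, the `192.0.2.x` addresses and the host names are constructed, and it also reads the `signing` field that appears in this report's evidence lines. A field that is absent from a banner (as in the sample line above, which has no `signing` value) is reported as unknown instead of being treated as safe.

```python
import ipaddress
import re

# Banner line printed by `crackmapexec smb <ip>`. The trailing "(key:value)"
# groups differ between lines, so they are collected generically.
BANNER = re.compile(
    r"^SMB\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+(?P<host>\S+)\s+"
    r"\[\*\]\s+(?P<os>.*?)\s*(?P<attrs>(?:\(\w+:[^)]*\)\s*)+)$"
)
ATTR = re.compile(r"\((\w+):([^)]*)\)")
TRISTATE = {"True": True, "False": False}  # anything else maps to None (unknown)

# Constructed sample output (documentation addresses, hypothetical hosts).
SAMPLE = """\
SMB 192.0.2.10 445 FS01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:FS01) (domain:example.test) (signing:False) (SMBv1:True)
SMB 192.0.2.33 445 APP02 [*] Windows Server 2022 Standard 20348 x64 (name:APP02) (domain:example.test) (SMBv1:True)
SMB 192.0.2.7 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:example.test) (signing:True) (SMBv1:False)
SMB 192.0.2.10 445 FS01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:FS01) (domain:example.test) (signing:False) (SMBv1:True)
--snipped--
"""


def parse_banner(line):
    """Return a dict for one banner line, or None if the line is not a banner."""
    m = BANNER.match(line.strip())
    if m is None:
        return None
    attrs = {key.lower(): value for key, value in ATTR.findall(m["attrs"])}
    return {
        "ip": m["ip"],
        "host": m["host"],
        "os": m["os"],
        # None means the banner did not report the field at all.
        "smbv1": TRISTATE.get(attrs.get("smbv1")),
        # signing:False is read here as "SMB signing not required".
        "signing": TRISTATE.get(attrs.get("signing")),
    }


def triage(lines):
    """Group hosts by SMB weakness; repeated banners for one IP collapse."""
    hosts, unparsed = {}, []
    for line in lines:
        if not line.strip():
            continue
        record = parse_banner(line)
        if record is None:
            unparsed.append(line.strip())  # keep for manual review
        else:
            hosts[record["ip"]] = record   # last banner seen for an IP wins

    ordered = sorted(hosts.values(), key=lambda r: ipaddress.ip_address(r["ip"]))

    def pick(field, value):
        return [(r["ip"], r["host"]) for r in ordered if r[field] is value]

    return {
        "smbv1_enabled": pick("smbv1", True),
        "signing_not_required": pick("signing", False),
        "signing_unknown": pick("signing", None),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for category, entries in triage(SAMPLE.splitlines()).items():
        print(category, entries)
```
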

References
- WannaCry: What is WANNACRY/WANACRYPTOR? (cisa.gov)
- Petya: Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit | Mandiant
- Bad Rabbit: Bad Rabbit, Software S0606 | MITRE ATT&CK®

Evidence
SMB 10.10.150.39 445 SRVINTRABOG02 [*] Windows Server 2022 Standard 20348 x64 (name:SRVINTRABOG02) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.11 445 SRVRSBOG02 [*] Windows Server 2012 R2 Standard 9600 x64 (name:SRVRSBOG02) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.15 445 SRVMABOG01 [*] Windows Server 2016 Standard 14393 x64 (name:SRVMABOG01) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.10 445 SRVICPBOG01 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:SRVICPBOG01) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.34 445 SRVINTRABOG01 [*] Windows Server 2022 Standard 20348 x64 (name:SRVINTRABOG01) (domain:saludtotal.loc) (signing:False) (SMBv1:True)
SMB 10.10.150.33 445 SRVINTRANETNEW [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:SRVINTRANETNEW) (domain:saludtotal.loc) (signing:False) (SMBv1:True)

HIGH Weak Active Directory Account Password Policy

Observation
An Active Directory Domain Password Policy is extremely critical as it defines the security settings that many domain
user accounts will use when having their accounts configured. These policies include lockout thresholds, lockout durations,
minimum characters required, password complexity requirements, and more. During post-exploitation, it was discovered
that the password policy configured does not meet security best practices.

Security Impact
A weak password policy can be disastrous for a company in that it allows attackers to exploit the weaknesses of domain
user accounts. For example, the lack of a strict account lockout threshold allows malicious attackers to perform
numerous login attempts to domain user accounts prior to being locked out. Here are some of the security impacts that
can be associated with domain password policies:

- Minimum password length: An attacker can take advantage of this by trying weak passwords that exist in the
dictionary, such as Apple, Car, Dog, etc. By increasing the minimum password length, an attacker's chances of
successfully guessing and/or even cracking (through password cracking techniques) a password are much lower.
- Lockout threshold: If the lockout threshold value is too low, an attacker can perform numerous login attempts to
the user accounts before locking out an account, which then depends on the lockout duration for unlocking the
domain user account.
- Lockout duration (minutes): If the account does not remain locked out for a long period of time, then attackers
can continuously perform login attempts every X amount of minutes that the account gets unlocked. A small
number increases the chances of a successful attack as the disruption to user accounts will be minimal.
- Lockout observation window (minutes): By default, Microsoft Windows sets this to 30. This setting indicates how
many times someone can perform a login attempt before it subtracts from the lockout threshold. For example, if this
setting is set to 30, then this means an attacker can perform one login attempt per 30 minutes, and the lockout
threshold will never exceed the value of 1 because the observation window resets the counter every 30 minutes.

Recommendation
Use the references to reconfigure your domain's password policy to adhere to security best practices. It is crucial to
enforce complex passwords. In addition, the following minimum configurations are recommended:

- Minimum password length: no lower than 8
- Reset Account Lockout Counter / Lockout observation window (minutes): at least 30 minutes
- Locked Account Duration / Lockout duration (minutes): at least 30 minutes
- Lockout threshold / Account Lockout Threshold: no higher than 5

Note: the Lockout threshold / Account Lockout Threshold configuration should not be set to 0, because that disables the
threshold and can allow malicious actors to perform brute-force password attacks without the risk of locking out users.

Reproduction Steps
Using the Microsoft Windows command line interface (CLI), use the following command to query the domain's password
policy:

net accounts "domain" /domain
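
The output of that query can be checked against the minimums listed in the Recommendation section. The following is an added example, not part of the original report: the function names are hypothetical and the sample output is constructed (its 5-minute lockout duration and observation window mirror the Evidence for this finding; the other values are invented). It treats a lockout threshold of `Never` as the disabled case from the note above, and estimates how many failed logons per account per day the lockout settings tolerate without ever locking the account.

```python
import re

# Minimums/maximums taken from this finding's Recommendation section.
RECOMMENDED = {
    "Minimum password length": ("min", 8),
    "Lockout threshold": ("max", 5),
    "Lockout duration (minutes)": ("min", 30),
    "Lockout observation window (minutes)": ("min", 30),
}

# "Key:   value" lines; the key may itself contain "?" or parentheses.
LINE = re.compile(r"^(?P<key>.+?):\s+(?P<value>\S.*?)\s*$")

# Constructed sample of `net accounts` output for a domain.
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          42
Minimum password length:                              7
Length of password history maintained:                24
Lockout threshold:                                    10
Lockout duration (minutes):                           5
Lockout observation window (minutes):                 5
Computer role:                                        PRIMARY
The command completed successfully.
"""


def parse_net_accounts(text):
    """Return {setting name: raw value string} for every 'key: value' line."""
    policy = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            policy[m["key"]] = m["value"]
    return policy


def lockout_disabled(raw):
    # `net accounts` prints "Never" when the threshold is 0 (no lockout).
    return raw.lower() in ("never", "0")


def evaluate(policy):
    """Return (setting, value, reason) for each setting below the recommendation."""
    findings = []
    for key, (kind, limit) in RECOMMENDED.items():
        raw = policy.get(key)
        if raw is None:
            findings.append((key, None, "setting not present in output"))
        elif key == "Lockout threshold" and lockout_disabled(raw):
            findings.append((key, raw, "lockout disabled (threshold 0)"))
        elif not raw.isdigit():
            findings.append((key, raw, "non-numeric value, review manually"))
        elif kind == "min" and int(raw) < limit:
            findings.append((key, raw, f"below recommended minimum of {limit}"))
        elif kind == "max" and int(raw) > limit:
            findings.append((key, raw, f"above recommended maximum of {limit}"))
    return findings


def tolerated_failures_per_day(policy):
    """Rough upper bound on failed logons per account per day with no lockout.

    Staying one attempt under the threshold in each observation window never
    trips the lockout. Returns None when lockout is disabled (unbounded).
    """
    threshold = policy.get("Lockout threshold", "")
    window = policy.get("Lockout observation window (minutes)", "")
    if lockout_disabled(threshold):
        return None
    if not (threshold.isdigit() and window.isdigit()) or int(window) == 0:
        raise ValueError("lockout threshold/window missing or not numeric")
    return (int(threshold) - 1) * (1440 // int(window))


if __name__ == "__main__":
    parsed = parse_net_accounts(SAMPLE)
    for finding in evaluate(parsed):
        print(finding)
    print("tolerated failures/day:", tolerated_failures_per_day(parsed))
```
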

References
- https://blog.devolutions.net/2018/02/top-10-password-policies-and-best-practices-for-system-administrators
- https://www.microsoft.com/en-us/microsoft-365/blog/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/

Evidence
The following weak Active Directory password policy settings were identified for the saludtotal.loc domain:

Reset Account Lockout Counter: 5 minutes
Locked Account Duration: 5 minutes

MEDIUM Anonymous FTP Enabled

Observation
A file transfer protocol (FTP) service allows users to transfer files to/from remote FTP servers. The FTP service typically
allows for setting user credentials, which could include complex usernames and passwords. However, during the
assessment, testing identified that anonymous FTP was present. Anonymous FTP servers allow anyone to
log in to the FTP server to browse the files that have been remotely uploaded.

Security Impact
The issue with anonymous FTP is that any individual, including an attacker, could gain remote access to the FTP server
and observe the contents within the server. Depending on anonymous permissions, an attacker may also be able to
leverage this default, weak configuration in order to store/transmit malicious code.

The exposure of files stored on anonymous FTP servers could present the opportunity for an attacker to compromise the
confidentiality and/or integrity of sensitive files that may be deemed for authorized access only.

Affected Nodes
ONE (1) NODE AFFECTED

IP Address Host Name Operating System


10.10.150.139 Undetected

Recommendation
If the anonymous FTP server is not required for business operations, consider disabling the service altogether and
updating the organization's configuration baseline. The configuration baseline should ensure that unnecessary services
are disabled prior to deployment. If the service is required for business operations, consider disabling anonymous
authentication and implementing authentication that leverages a complex password.

Reproduction Steps
Using the operating system's built-in FTP client, Metasploit, or Nmap, connect to the affected FTP server(s) using
"anonymous/anonymous" (username and password).

Evidence
Nmap scan report for 10.10.150.139
Host is up, received arp-response (0.0020s latency).
Scanned at 2024-10-04 05:17:44 UTC for 0s

PORT STATE SERVICE REASON
21/tcp open ftp syn-ack ttl 64
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
MAC Address: 00:50:56:97:73:FA (VMware)

MEDIUM Insecure Protocol - FTP

Observation
The File Transfer Protocol (FTP) service is used for client systems to connect to and store and retrieve files. However,
FTP does not encrypt the communications between the server and the client, exposing all data in cleartext. Although
FTP can negotiate to use TLS, the affected server(s) were not found to negotiate TLS.

Security Impact
Since FTP is cleartext, all of the traffic between the client and the server is exposed in cleartext. This presents the
opportunity for an attacker to perform a man-in-the-middle attack and obtain sensitive user credentials as well as file
contents. Such valuable information may also be useful for other attacks within the environment.

Affected Nodes
NINE (9) NODES AFFECTED

IP Address Host Name Operating System


10.10.181.1 Undetected
10.10.181.232 SRVTOTPRB001 Windows Server 2022 Build 20348 x64
10.10.150.10 SRVICPBOG01 Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.33 SRVINTRANETNEW Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.75 SRVFTPTEMP Windows Server 2022 Build 20348 x64
10.10.150.79 SRVFTPSSL Windows Server 2022 Build 20348 x64
10.10.150.139 Undetected
10.10.181.80 SRVTOTDEV002 Windows Server 2022 Build 20348 x64
10.10.181.88 SRVTOTDEV001 Windows Server 2022 Build 20348 x64

Recommendation
Disable the service if it is not needed for business operations. If transferring files is necessary for business operations,
then consider implementing Secure FTP (SFTP) as SFTP uses encryption during communications to/from SFTP clients.

Reproduction Steps
Use an FTP client to connect to one of the affected servers on port 21/tcp. The following syntax can be used to attempt
connecting to an FTP server:

ftp <server_ip_address>

Furthermore, if an FTP client is not available but the operating system provides the native telnet command,
connectivity can be tested against an FTP server using the following syntax:

telnet <server_ip_address> 21

If the command above works, then the remote server is listening on port 21/tcp.

References
- https://www.ipa.go.jp/security/rfc/RFC2577EN.html

Evidence
[+] 10.10.150.10:21 - FTP Banner: '220-Microsoft FTP S -- snipped --
[+] 10.10.181.1:21 - FTP Banner: '220 FTP server read -- snipped --
[+] 10.10.150.75:21 - FTP Banner: '220 Microsoft FTP S -- snipped --
[+] 10.10.150.79:21 - FTP Banner: '220 Microsoft FTP S -- snipped --
[+] 10.10.150.139:21 - FTP Banner: '220 (vsFTPd 3.0.2)'
[+] 10.10.181.232:21 - FTP Banner: '220 Microsoft FTP S -- snipped --
[+] 10.10.150.33:21 - FTP Banner: '220-Microsoft FTP S -- snipped --
[+] 10.10.181.80:21 - FTP Banner: '220-Microsoft FTP S -- snipped --
[+] 10.10.181.88:21 - FTP Banner: '220-Microsoft FTP S -- snipped --

MEDIUM Insecure Protocol - Telnet

Observation
The telnet service is used for network administrators to perform remote administration of network devices. This service,
however, does not enforce encryption and, therefore, exposes all traffic in cleartext.

Security Impact
Since telnet communications are in cleartext, an attacker could perform a man-in-the-middle attack and obtain sensitive
information such as user credentials, command outputs, and more. Such valuable information may also be useful for
other attacks within the environment.

Affected Nodes
TWELVE (12) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.188 Undetected
10.10.181.1 Undetected
10.10.181.50 Undetected
10.10.181.51 Undetected
10.10.181.212 Undetected
10.10.181.213 Undetected
10.10.150.8 Undetected
10.10.150.62 Undetected
10.10.150.63 Undetected
10.10.150.208 Undetected
10.10.150.209 Undetected
10.10.150.217 Undetected

Recommendation
Disable the telnet service if it is not required for business operations. If it is required for business operations, consider
using an alternative protocol, such as Secure Shell (SSH), to accomplish the same goal with encryption being
implemented.

Reproduction Steps
Use a telnet client to connect to a telnet server. Using a network packet analyzer, such as Wireshark, observe the
packets originating from the telnet client to discover the cleartext communications.

References
- https://isc.sans.edu/diary/Computer+Security+Awareness+Month+-+Day+18+-+Telnet+an+oldie+but+a+goodie/7393

Evidence
[+] 10.10.181.1:23 - 10.10.181.1:23 TELNET login :
[+] 10.10.150.8:23 - 10.10.150.8:23 TELNET ********** -- snipped --
[+] 10.10.150.63:23 - 10.10.150.63:23 TELNET Fabric OS -- snipped --
[+] 10.10.150.62:23 - 10.10.150.62:23 TELNET Fabric OS -- snipped --
[+] 10.10.150.188:23 - 10.10.150.188:23 TELNET Welcome -- snipped --
[+] 10.10.181.50:23 - 10.10.181.50:23 TELNET Fabric OS -- snipped --
[+] 10.10.181.51:23 - 10.10.181.51:23 TELNET Fabric OS -- snipped --
[+] 10.10.181.212:23 - 10.10.181.212:23 TELNET Fabric O -- snipped --
[+] 10.10.181.213:23 - 10.10.181.213:23 TELNET Fabric O -- snipped --
[+] 10.10.150.208:23 - 10.10.150.208:23 TELNET Fabric O -- snipped --
[+] 10.10.150.209:23 - 10.10.150.209:23 TELNET Fabric O -- snipped --
[+] 10.10.150.217:23 - 10.10.150.217:23 TELNET Welcome -- snipped --

MEDIUM SMB NULL Session Authentication

Observation
A Server Message Block protocol (SMB) service allows SMB NULL Session Authentication (i.e. without a username or
password). SMB NULL sessions allow anyone to log in to SMB shares to browse the files that have been remotely
uploaded.

Security Impact
The issue with SMB NULL sessions is that any individual, including an attacker, could gain remote access to the SMB
share and observe the contents. If the NULL session also provides write access, an attacker may also be able to
leverage this insecure configuration in order to store/transmit malicious code.

The exposure of files stored on affected SMB shares could present the opportunity for an attacker to compromise the
confidentiality and/or integrity of sensitive files that may be deemed for authorized access only.

Affected Nodes
TEN (10) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.33 SRVINTRANETNEW Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.34 SRVINTRABOG01 Windows Server 2022 Standard 20348 x64
10.10.150.39 SRVINTRABOG02 Windows Server 2022 Standard 20348 x64
10.10.150.2 SRVDCBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.10 SRVICPBOG01 Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.150 SRVDCBOG03 Windows 10 / Server 2019 Build 17763 x64
10.10.150.156 SRVTMGBOG02 Windows Server 2008 R2 Standard 7601 Service Pack 1
10.10.150.162 SRVIISAPIBOG01 Windows Server 2022 Standard 20348 x64
10.10.150.200 SRVTERBOG01 Windows Server 2022 Build 20348 x64
10.10.150.61 SRVTERBOG02 Windows 10 / Server 2019 Build 17763 x64

Recommendation
If the SMB server is not required for business operations, consider disabling the service altogether and updating the
organization's configuration baseline. The configuration baseline should ensure that unnecessary services are disabled
prior to deployment. If the service is required for business operations, consider disabling SMB NULL session
authentication and implementing authentication that leverages a complex password.

Reproduction Steps
Connect to the affected SMB server(s) using a blank username and a blank password. For the built-in Unix utility
smbclient, the syntax is shown below:

smbclient -L <IP> --no-pass

If the operation succeeds without any errors and smbclient prints information about the configured shares and/or
workgroups, the SMB server is affected.
The same checks can also be performed using dedicated scripts that are part of the Metasploit framework or the Nmap
portscanning tool.

Evidence
[10.10.150.2]
# crackmapexec smb 10.10.150.2 -u '' -p '' --local-auth
SMB 10.10.150.2 445 SRVDCBOG02 [+] SRVDCBOG02\:
------------------------------------------------------------
[10.10.150.33]
# crackmapexec smb 10.10.150.33 -u '' -p '' --local-auth
SMB 10.10.150.33 445 SRVINTRANETNEW [+] SRVINTRANETNEW\:
------------------------------------------------------------
[10.10.150.10]
# crackmapexec smb 10.10.150.10 -u '' -p '' --local-auth
SMB 10.10.150.10 445 SRVICPBOG01 [+] SRVICPBOG01\:
------------------------------------------------------------
[10.10.150.34]
# crackmapexec smb 10.10.150.34 -u '' -p '' --local-auth
SMB 10.10.150.34 445 SRVINTRABOG01 [+] SRVINTRABOG01\:
------------------------------------------------------------
[10.10.150.39]
# crackmapexec smb 10.10.150.39 -u '' -p '' --local-auth
SMB 10.10.150.39 445 SRVINTRABOG02 [+] SRVINTRABOG02\:
------------------------------------------------------------
[10.10.150.61]

--snipped--

MEDIUM SMB Signing Not Required

Observation
Testing identified Microsoft Windows configuration concerns that could potentially result in an increased risk of an attack
against Microsoft operating systems within the targeted environment. By default, Microsoft Windows ships with several
settings that network administrators must explicitly disable or enable to enhance security. If
these options are not modified, then these systems could remain vulnerable to several attacks.

More specifically, the SMB signing feature was not found to be required at the time of testing. SMB signing is a security
feature implemented by Microsoft to combat SMB relay attacks. An SMB relay attack occurs when an attacker tricks the
victim system into authenticating to the attacker, and the attacker relays those credentials to another system.

Security Impact
Since many organizations use Microsoft Windows and Active Directory environments to manage users, a successful
attack against a Microsoft Windows system could potentially expose the organization to other attacks, including privilege
escalation and lateral movement. Furthermore, many Microsoft Windows systems share similar configurations due to
Group Policy's ability to configure settings on a global scale. A single misconfiguration within Group Policy could present
significant threats.

As it relates to SMB signing, a successful SMB relay attack could provide an attacker with access to a system of the
attacker's choosing, depending on the permission levels of the authentication credentials being relayed. This could result
in remote command execution, access to resources, and more.

Affected Nodes
ONE HUNDRED AND SEVENTY (170) NODES AFFECTED

IP Address Host Name Operating System


10.10.150.110 SRVBDBOGN1 Windows 10 / Server 2019 Build 17763 x64
10.10.150.123 SRVBDBOGN4 Windows 10 / Server 2019 Build 17763 x64
10.10.150.112 SRVBDBOGN2 Windows 10 / Server 2019 Build 17763 x64
10.10.150.113 SRVBDBOGN3 Windows 10 / Server 2019 Build 17763 x64
10.10.150.111 SRVBDBOGN1 Windows 10 / Server 2019 Build 17763 x64
10.10.181.217 SRVIISPNDEV001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.220 SRVFSPYD001 Windows Server 2022 Build 20348 x64
10.10.181.221 SRVUBKBOG01 Windows Server 2022 Build 20348 x64
10.10.181.214 SRVPACDEV001 Windows Server 2022 Build 20348 x64
10.10.181.215 SRVIISITDEV001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.216 SRVIISITDEV002 Windows 10 / Server 2019 Build 17763 x64
10.10.150.14 SRVDBAIG Windows Server 2022 Build 20348 x64
10.10.150.15 SRVMABOG01 Windows Server 2016 Standard 14393 x64
10.10.150.18 SRVINVTBOG001 Windows Server 2022 Build 20348 x64
10.10.150.19 SRVMABOG02 Windows Server 2022 Build 20348 x64
10.10.150.20 SVAPPXCAPBOG04 Windows Server 2022 Build 20348 x64
10.10.150.33 SRVINTRANETNEW Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.34 SRVINTRABOG01 Windows Server 2022 Standard 20348 x64
10.10.150.39 SRVINTRABOG02 Windows Server 2022 Standard 20348 x64
10.10.150.41 SRVMONBOG01 Windows Server 2012 R2 Standard 9600 x64
10.10.181.241 SRVBDPRB002 Windows Server 2022 Build 20348 x64
10.10.181.248 SRVBDDEV003 Windows Server 2022 Build 20348 x64
10.10.181.249 SRVBDDEV004 Windows Server 2022 Build 20348 x64
10.10.181.246 SRVBDDEV001 Windows Server 2022 Build 20348 x64
10.10.181.247 SRVBDDEV002 Windows Server 2022 Build 20348 x64
10.10.181.251 SRVBDCAP004 Windows Server 2022 Build 20348 x64
10.10.150.11 SRVRSBOG02 Windows Server 2012 R2 Standard 9600 x64
10.10.150.13 SRVFACBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.10 SRVICPBOG01 Windows Server 2008 R2 Standard 7601 Service Pack 1 x64
10.10.150.12 SRVSRSBOG03 Windows Server 2022 Build 20348 x64
10.10.150.9 SRVRSBOG01 Windows Server 2012 R2 Standard 9600 x64
10.10.181.20 SRVAPAV68 Windows 10 / Server 2019 Build 17763 x64
10.10.181.16 SRVMNTDEV001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.231 SRVISWEBPRB001 Windows Server 2022 Build 20348 x64
10.10.181.89 RSCRYSTALPYD Windows Server 2022 Build 20348 x64
10.10.181.85 SRVIISPNPRB004 Windows 10 / Server 2019 Build 17763 x64
10.10.181.6 SRVIISENLDEV001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.4 SRVIISCMDEV01 Windows 10 / Server 2019 Build 17763 x64
10.10.181.80 SRVTOTDEV002 Windows Server 2022 Build 20348 x64
10.10.150.246 SRVPRTGBOG02 Windows Server 2022 Build 20348 x64
10.10.181.172 SRVISWEBPRB002 Windows Server 2022 Build 20348 x64
10.10.181.83 SRVPACDEV002 Windows Server 2022 Build 20348 x64
10.10.150.157 SRVIISBOG09 Windows 10 / Server 2019 Build 17763 x64
10.10.150.65 SRVSSLBOG01 Windows Server 2022 Build 20348 x64
10.10.150.74 SRVPACBOG03 Windows Server 2022 Build 20348 x64
10.10.150.75 SRVFTPTEMP Windows Server 2022 Build 20348 x64
10.10.150.78 SRVTSMBOG02 Windows Server 2022 Build 20348 x64
10.10.150.79 SRVFTPSSL Windows Server 2022 Build 20348 x64
10.10.150.85 SRVRSIBOG01 Windows Server 2022 Build 20348 x64
10.10.150.86 SRVIISRSIBOG01 Windows Server 2022 Build 20348 x64
10.10.150.90 SRVPRTGBOG04 Windows Server 2022 Build 20348 x64
10.10.150.104 SRVODISSY01 Windows Server 2012 R2 Standard 9600 x64
10.10.150.119 SRVRCSBOG02 Windows Server 2022 Build 20348 x64

10.10.150.121 SVAPPBOG07 Windows Server 2022 Build 20348 x64
10.10.150.128 SVAPPBOG14 Windows Server 2022 Build 20348 x64
10.10.150.129 SVAPPBOG13 Windows Server 2022 Build 20348 x64
10.10.150.131 SVAPPBOG03 Windows Server 2022 Build 20348 x64
10.10.150.143 SVAPPBOG04 Windows Server 2022 Build 20348 x64
10.10.150.145 SVAPPBOG05 Windows Server 2022 Build 20348 x64
10.10.150.147 SRVPACBOG04 Windows Server 2022 Build 20348 x64
10.10.150.148 SVAPPBOG06 Windows Server 2022 Build 20348 x64
10.10.150.149 SVAPPBOG08 Windows Server 2022 Build 20348 x64
10.10.150.156 SRVTMGBOG02 Windows Server 2008 R2 Standard 7601 Service Pack 1
10.10.150.161 SRVODISSY02 Windows Server 2012 R2 Standard 9600 x64
10.10.150.162 SRVIISAPIBOG01 Windows Server 2022 Standard 20348 x64
10.10.150.165 SVAPPBOG15 Windows Server 2022 Build 20348 x64
10.10.150.171 SRVDWH001 Windows Server 2022 Build 20348 x64
10.10.150.174 SRVPOCBOG02 Windows Server 2022 Build 20348 x64
10.10.150.180 SRVCRYPTBOG01 Windows Server 2022 Build 20348 x64
10.10.150.184 SRVPOCBOG01 Windows Server 2022 Build 20348 x64
10.10.150.186 SRVPRTGBOG05 Windows Server 2022 Build 20348 x64
10.10.150.191 SVAPPBOG11 Windows Server 2022 Build 20348 x64
10.10.150.192 SVAPPBOG12 Windows Server 2022 Build 20348 x64
10.10.150.194 SRVODISSY05 Windows Server 2022 Build 20348 x64
10.10.150.197 SDAPPBOG01 Windows Server 2022 Build 20348 x64
10.10.150.198 SDAPPBOG02 Windows Server 2022 Build 20348 x64
10.10.150.200 SRVTERBOG01 Windows Server 2022 Build 20348 x64
10.10.150.216 SRVAPPINSIGHT01 Windows Server 2022 Build 20348 x64
10.10.150.225 SRVZVMADMBOG01 Windows Server 2022 Build 20348 x64
10.10.150.235 SVAPPBOG09 Windows Server 2022 Build 20348 x64
10.10.150.241 SRVGLPIBOG01 Windows Server 2022 Build 20348 x64
10.10.150.244 SVAPPBOG01 Windows Server 2022 Build 20348 x64
10.10.150.249 SVAPPBOG10 Windows Server 2022 Build 20348 x64
10.10.181.29 SRVTOTPRB002 Windows Server 2022 Build 20348 x64
10.10.181.30 SRVSRSPYD01 Windows Server 2022 Build 20348 x64
10.10.181.33 SRVBDPRB005 Windows Server 2022 Build 20348 x64
10.10.181.36 SRVISWEBDEV001 Windows Server 2022 Build 20348 x64
10.10.181.37 SRVISWEBDEV002 Windows Server 2022 Build 20348 x64
10.10.181.40 SRVPACPRB002 Windows Server 2022 Build 20348 x64
10.10.181.75 SRVBDCAP001 Windows Server 2022 Build 20348 x64
10.10.181.88 SRVTOTDEV001 Windows Server 2022 Build 20348 x64
10.10.181.90 SRVPACPRB001 Windows Server 2022 Build 20348 x64
10.10.181.95 SRVODYPRB001 Windows Server 2012 R2 Standard 9600 x64

10.10.181.176 SRVREPPRB001 Windows Server 2012 R2 Standard 9600 x64
10.10.181.232 SRVTOTPRB001 Windows Server 2022 Build 20348 x64
10.10.181.240 SRVBDPRB001 Windows Server 2022 Build 20348 x64
10.10.181.242 SRVBDPRB003 Windows Server 2022 Build 20348 x64
10.10.181.250 SRVBDPRB004 Windows Server 2022 Build 20348 x64
10.10.150.16 SRVMNTBOG03 Windows 10 / Server 2019 Build 17763 x64
10.10.150.40 SRVADCBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.42 SRVIISBOG51 Windows 10 / Server 2019 Build 17763 x64
10.10.150.43 SRVIISBOG50 Windows 10 / Server 2019 Build 17763 x64
10.10.150.44 SRVIISBOG52 Windows 10 / Server 2019 Build 17763 x64
10.10.150.48 SRVBDBOGN1 Windows 10 / Server 2019 Build 17763 x64
10.10.150.49 SRVBDBOGN2 Windows 10 / Server 2019 Build 17763 x64
10.10.150.50 SRVBDBOGN3 Windows 10 / Server 2019 Build 17763 x64
10.10.150.51 SRVBDBOGN4 Windows 10 / Server 2019 Build 17763 x64
10.10.150.61 SRVTERBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.98 SRVFSSOBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.100 SRVIISITBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.101 SRVIISITBOG08 Windows 10 / Server 2019 Build 17763 x64
10.10.150.102 SRVIISITBOG09 Windows 10 / Server 2019 Build 17763 x64
10.10.150.103 SRVIISITBOG10 Windows 10 / Server 2019 Build 17763 x64
10.10.150.105 SRVIISITBOG04 Windows 10 / Server 2019 Build 17763 x64
10.10.150.106 SRVIISITBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.107 SRVIISITBOG03 Windows 10 / Server 2019 Build 17763 x64
10.10.150.109 SRVBDBOGN2 Windows 10 / Server 2019 Build 17763 x64
10.10.150.114 SRVBDBOGN1 Windows 10 / Server 2019 Build 17763 x64
10.10.150.115 SRVBDBOGN2 Windows 10 / Server 2019 Build 17763 x64
10.10.150.116 SRVBDBOGN3 Windows 10 / Server 2019 Build 17763 x64
10.10.150.117 REPORTESCRYSTAL Windows 10 / Server 2019 Build 17763 x64
10.10.150.118 SRVIISITBOG11 Windows 10 / Server 2019 Build 17763 x64
10.10.150.122 SRVBDBOGN4 Windows 10 / Server 2019 Build 17763 x64
10.10.150.127 RSCRYSTAL2 Windows 10 / Server 2019 Build 17763 x64
10.10.150.130 SRVIISITBOG05 Windows 10 / Server 2019 Build 17763 x64
10.10.150.133 SRVRPBOG02 Windows 10 / Server 2019 Build 17763 x64
10.10.150.135 SRVIISITBOG06 Windows 10 / Server 2019 Build 17763 x64
10.10.150.136 SRVIISBOG12 Windows 10 / Server 2019 Build 17763 x64
10.10.150.137 SRVWORKBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.138 SRVIISITBOG07 Windows 10 / Server 2019 Build 17763 x64
10.10.150.140 SRVDBORACLE01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.141 SRVIISBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.142 SRVIISBOG02 Windows 10 / Server 2019 Build 17763 x64

10.10.150.144 SRVIISBOG03 Windows 10 / Server 2019 Build 17763 x64
10.10.150.151 SRVPRINCIPAL Windows 10 / Server 2019 Build 17763 x64
10.10.150.152 SRVMBTBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.150.153 SRVIISBOG10 Windows 10 / Server 2019 Build 17763 x64
10.10.150.154 SRVIISBOG11 Windows 10 / Server 2019 Build 17763 x64
10.10.150.155 SRVIISBOG14 Windows 10 / Server 2019 Build 17763 x64
10.10.150.158 SRVIISBOG15 Windows 10 / Server 2019 Build 17763 x64
10.10.150.159 SRVIISITBOG12 Windows 10 / Server 2019 Build 17763 x64
10.10.150.160 SRVIISBOG16 Windows 10 / Server 2019 Build 17763 x64
10.10.150.166 SRVRPBOG03 Windows 10 / Server 2019 Build 17763 x64
10.10.150.167 SRVIISBOG17 Windows 10 / Server 2019 Build 17763 x64
10.10.150.172 SRVDWH002 Windows 10 / Server 2019 Build 17763 x64
10.10.150.181 SRVIISBOG18 Windows 10 / Server 2019 Build 17763 x64
10.10.150.182 SRVIISBOG19 Windows 10 / Server 2019 Build 17763 x64
10.10.150.183 SRVIISBOG20 Windows 10 / Server 2019 Build 17763 x64
10.10.150.189 SRVIISITBOG13 Windows 10 / Server 2019 Build 17763 x64
10.10.150.211 SRVIISBOG53 Windows 10 / Server 2019 Build 17763 x64
10.10.150.248 SRVPOCBOG04 Windows 10 / Server 2019 Build 17763 x64
10.10.181.5 SRVIISCMDEV02 Windows 10 / Server 2019 Build 17763 x64
10.10.181.7 SRVIISENLDEV002 Windows 10 / Server 2019 Build 17763 x64
10.10.181.106 SRVMNTPRB001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.120 SRVIISENLPRB002 Windows 10 / Server 2019 Build 17763 x64
10.10.181.178 SRVIISCMPRB002 Windows 10 / Server 2019 Build 17763 x64
10.10.181.179 SRVIISITPRB002 Windows 10 / Server 2019 Build 17763 x64
10.10.181.186 SRVIISPNPRB002 Windows 10 / Server 2019 Build 17763 x64
10.10.181.187 SRVIISPNPRB003 Windows 10 / Server 2019 Build 17763 x64
10.10.181.188 SRVIISPNDEV002 Windows 10 / Server 2019 Build 17763 x64
10.10.181.189 SRVIISPNDEV003 Windows 10 / Server 2019 Build 17763 x64
10.10.181.190 SRVTFSBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.181.191 SRVTFSBDBOG01 Windows 10 / Server 2019 Build 17763 x64
10.10.181.219 SRV3PARPYD001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.222 SRVIISPNCAP001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.228 SRVIISCMPRB001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.229 SRVIISITPRB001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.230 SRVIISPNPRB001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.233 SRVIISENLPRB001 Windows 10 / Server 2019 Build 17763 x64
10.10.181.253 SRVBDDEV005 Windows 10 / Server 2019 Build 17763 x64

Recommendation
Enforce SMB signing across the organization's systems by configuring it via Group Policy.

Reproduction Steps
Leverage the "smb-security-mode" script within Nmap to scan a system for SMB signing. The following command can be
run from a Linux system with Nmap installed:

nmap <ip> -p 445 -sS -Pn --script smb-security-mode -v -n

References
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
- https://www.microsoft.com/security/blog/2018/12/05/step-1-identify-users-top-10-actions-to-secure-your-environment/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines
- https://support.microsoft.com/en-us/help/887429/overview-of-server-message-block-signing

Evidence
10.10.181.233:(signing:False)
10.10.181.215:(signing:False)
10.10.150.11:(signing:False)
10.10.150.39:(signing:False)
10.10.150.113:(signing:False)
10.10.150.112:(signing:False)

MEDIUM Weak SNMP Community Strings

Observation
Simple Network Management Protocol (SNMP) is a protocol used by remote administration tools to enumerate
information about an SNMP-enabled device, such as running services, listening ports, etc. To do so, the SNMP
client presents an SNMP community string, which functions much like a password. If the correct SNMP community
string is provided, it is possible to extract information from the remote device. When an SNMP community string
is left at its default or can be easily guessed, an unauthorized user can extract information about the device.

Security Impact
Depending on what is extracted, information from the remote device could expose additional security
vulnerabilities. These may in turn give an attacker valuable information for conducting a successful attack
against the vulnerable system or other confidential/sensitive resources or systems.

Affected Nodes
THIRTEEN (13) NODES AFFECTED

IP Address Host Name Operating System
10.10.181.50 Undetected
10.10.181.51 Undetected
10.10.181.212 Undetected
10.10.181.213 Undetected
10.10.150.4 Undetected
10.10.150.5 Undetected
10.10.150.62 Undetected
10.10.150.63 Undetected
10.10.150.64 Undetected
10.10.150.199 Undetected
10.10.150.208 Undetected
10.10.150.209 Undetected
10.10.150.243 Undetected

Recommendation
Since SNMP is typically enabled by default, first evaluate whether it needs to be enabled at all. If it is required,
change the default SNMP community string to one that meets the organization's password complexity requirements.
Finally, ensure that SNMPv3 is enabled if possible.

Reproduction Steps
Leverage a tool such as "Hydra" in order to perform an attack against the SNMP community string. Another tool that may
be useful for reproducing this issue is Metasploit. Metasploit contains a module named snmp_login that allows for
attempts to enumerate information by leveraging several SNMP community strings.

Evidence
[161][snmp] host: 10.10.150.209 password: private
[161][snmp] host: 10.10.150.243 password: public

snmp-check v1.9 - SNMP enumerator


Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.150.4:161 using SNMPv1 and community 'public'

[*] System information:

Host IP address : 10.10.150.4


Hostname : SW1-Rack2AP11
Description : Aruba JL678A 6100 24G 4SFP+ Swch PL.10.14.1000
Contact : ""
Location : ""
Uptime snmp : 5 days, 00:00:34.68
Uptime system : 5 days, 00:00:34.68
System date : 2024-10-4 00:05:19.0

[*] Network information:

IP forwarding enabled : yes

--snipped--

INFORMATIONAL Egress Filtering Deficiencies

Observation
An egress filtering check was performed as part of the internal network penetration test. This check aims to determine if
the internal environment allows excessive access to the public Internet, which could increase the risk of data exfiltration.
This check was not performed against a specific in-scope target, but on the public Internet in general to evaluate this
risk.

During this check, it was possible to identify access to an excessive number of ports residing on the public Internet. This
particular check targeted scanme.nmap.org, which is designed for organizations to check whether or not they have
access to servers on the public Internet.

Security Impact
Allowing end-users access to excessive services, such as SSH, Telnet, etc., allows an attacker or end-user to bypass
security controls by exfiltrating information through other communication channels. During an attack, an attacker may
also leverage this excessive access to establish a command-and-control (C2) channel to pass commands and
data back and forth with a compromised system.

Recommendation
Disable access to services that are not required for business operations. Restricting access to only the services that
are required for business operations gives the organization more control over communication channels,
allowing for inspection of indicators of compromise (IoC) as well as malicious data exfiltration attempts.

Reproduction Steps
With permission, perform a scan against an Internet-facing service that has an excessive number of open ports.
Analyze the results of the scan to determine which services are visible from the internal network environment.

Evidence
# Nmap 7.95 scan initiated Fri Oct 4 05:11:46 2024 as: nmap -sS -Pn -v -n -oA /root/pentest/172483/discovery/scanme scanme.nmap.org
Nmap scan report for scanme.nmap.org ([external-ip])
Host is up (0.12s latency).
Other addresses for scanme.nmap.org (not scanned): 2600:3c01::f03c:91ff:fe18:bb2f
Not shown: 996 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9929/tcp open nping-echo
31337/tcp open Elite

Read data files from: /usr/local/bin/../share/nmap


# Nmap done at Fri Oct 4 05:11:58 2024 -- 1 IP address (1 host up) scanned in 11.97 seconds

Appendix A: Host Discovery (Operating Systems)
Internal Network Penetration Test
The following table shows the operating systems that were discovered as part of this assessment. It should be noted that the
operating system discovery techniques can only identify specific OS versions based on the way the targets respond to
various fingerprinting methods. In some cases, not all operating systems may be identifiable at the time of testing.

IP Address DNS Name Operating System Domain

10.10.150.2 SRVDCBOG02 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.9 SRVRSBOG01 Windows Server 2012 R2 Standard 9600 x64 saludtotal.loc
10.10.150.10 SRVICPBOG01 Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 saludtotal.loc
10.10.150.11 SRVRSBOG02 Windows Server 2012 R2 Standard 9600 x64 saludtotal.loc
10.10.150.12 SRVSRSBOG03 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.13 SRVFACBOG01 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.14 SRVDBAIG Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.15 SRVMABOG01 Windows Server 2016 Standard 14393 x64 saludtotal.loc
10.10.150.16 SRVMNTBOG03 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.18 SRVINVTBOG001 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.19 SRVMABOG02 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.20 SVAPPXCAPBOG04 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.33 SRVINTRANETNEW Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 saludtotal.loc
10.10.150.34 SRVINTRABOG01 Windows Server 2022 Standard 20348 x64 saludtotal.loc
10.10.150.39 SRVINTRABOG02 Windows Server 2022 Standard 20348 x64 saludtotal.loc
10.10.150.40 SRVADCBOG02 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.41 SRVMONBOG01 Windows Server 2012 R2 Standard 9600 x64 saludtotal.loc
10.10.150.42 SRVIISBOG51 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.43 SRVIISBOG50 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.44 SRVIISBOG52 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.48 SRVBDBOGN1 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.49 SRVBDBOGN2 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.50 SRVBDBOGN3 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.51 SRVBDBOGN4 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.61 SRVTERBOG02 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.65 SRVSSLBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.74 SRVPACBOG03 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.75 SRVFTPTEMP Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.78 SRVTSMBOG02 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.79 SRVFTPSSL Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.81 SRVEXBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc

10.10.150.85 SRVRSIBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.86 SRVIISRSIBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.90 SRVPRTGBOG04 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.98 SRVFSSOBOG01 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.100 SRVIISITBOG01 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.101 SRVIISITBOG08 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.102 SRVIISITBOG09 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.103 SRVIISITBOG10 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.104 SRVODISSY01 Windows Server 2012 R2 Standard 9600 x64 saludtotal.loc
10.10.150.105 SRVIISITBOG04 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.106 SRVIISITBOG02 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.107 SRVIISITBOG03 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.109 SRVBDBOGN2 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.110 SRVBDBOGN1 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.111 SRVBDBOGN1 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.112 SRVBDBOGN2 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.113 SRVBDBOGN3 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.114 SRVBDBOGN1 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.115 SRVBDBOGN2 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.116 SRVBDBOGN3 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.117 REPORTESCRYSTAL Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.118 SRVIISITBOG11 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.119 SRVRCSBOG02 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.121 SVAPPBOG07 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.122 SRVBDBOGN4 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.123 SRVBDBOGN4 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.127 RSCRYSTAL2 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.128 SVAPPBOG14 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.129 SVAPPBOG13 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.130 SRVIISITBOG05 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.131 SVAPPBOG03 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.133 SRVRPBOG02 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.135 SRVIISITBOG06 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.136 SRVIISBOG12 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.137 SRVWORKBOG01 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.138 SRVIISITBOG07 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.140 SRVDBORACLE01 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.141 SRVIISBOG01 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.142 SRVIISBOG02 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.143 SVAPPBOG04 Windows Server 2022 Build 20348 x64 saludtotal.loc

10.10.150.144 SRVIISBOG03 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.145 SVAPPBOG05 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.147 SRVPACBOG04 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.148 SVAPPBOG06 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.149 SVAPPBOG08 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.150 SRVDCBOG03 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.151 SRVPRINCIPAL Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.152 SRVMBTBOG01 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.153 SRVIISBOG10 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.154 SRVIISBOG11 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.155 SRVIISBOG14 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.156 SRVTMGBOG02 Windows Server 2008 R2 Standard 7601 Service Pack 1 saludtotal.loc
10.10.150.157 SRVIISBOG09 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.158 SRVIISBOG15 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.159 SRVIISITBOG12 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.160 SRVIISBOG16 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.161 SRVODISSY02 Windows Server 2012 R2 Standard 9600 x64 saludtotal.loc
10.10.150.162 SRVIISAPIBOG01 Windows Server 2022 Standard 20348 x64 saludtotal.loc
10.10.150.165 SVAPPBOG15 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.166 SRVRPBOG03 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.167 SRVIISBOG17 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.171 SRVDWH001 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.172 SRVDWH002 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.174 SRVPOCBOG02 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.180 SRVCRYPTBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.181 SRVIISBOG18 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.182 SRVIISBOG19 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.183 SRVIISBOG20 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.184 SRVPOCBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.186 SRVPRTGBOG05 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.189 SRVIISITBOG13 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.191 SVAPPBOG11 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.192 SVAPPBOG12 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.194 SRVODISSY05 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.197 SDAPPBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.198 SDAPPBOG02 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.200 SRVTERBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.211 SRVIISBOG53 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.216 SRVAPPINSIGHT01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.225 SRVZVMADMBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc

10.10.150.235 SVAPPBOG09 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.241 SRVGLPIBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.244 SVAPPBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.246 SRVPRTGBOG02 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.150.248 SRVPOCBOG04 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.150.249 SVAPPBOG10 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.4 SRVIISCMDEV01 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.5 SRVIISCMDEV02 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.6 SRVIISENLDEV001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.7 SRVIISENLDEV002 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.16 SRVMNTDEV001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.20 SRVAPAV68 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.29 SRVTOTPRB002 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.30 SRVSRSPYD01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.33 SRVBDPRB005 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.36 SRVISWEBDEV001 Windows Server 2022 Build 20348 x64
10.10.181.37 SRVISWEBDEV002 Windows Server 2022 Build 20348 x64
10.10.181.40 SRVPACPRB002 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.75 SRVBDCAP001 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.80 SRVTOTDEV002 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.83 SRVPACDEV002 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.85 SRVIISPNPRB004 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.88 SRVTOTDEV001 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.89 RSCRYSTALPYD Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.90 SRVPACPRB001 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.95 SRVODYPRB001 Windows Server 2012 R2 Standard 9600 x64 saludtotal.loc
10.10.181.106 SRVMNTPRB001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.120 SRVIISENLPRB002 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.172 SRVISWEBPRB002 Windows Server 2022 Build 20348 x64
10.10.181.176 SRVREPPRB001 Windows Server 2012 R2 Standard 9600 x64 saludtotal.loc
10.10.181.178 SRVIISCMPRB002 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.179 SRVIISITPRB002 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.186 SRVIISPNPRB002 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.187 SRVIISPNPRB003 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.188 SRVIISPNDEV002 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.189 SRVIISPNDEV003 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.190 SRVTFSBOG01 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.191 SRVTFSBDBOG01 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.214 SRVPACDEV001 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.215 SRVIISITDEV001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc

10.10.181.216 SRVIISITDEV002 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.217 SRVIISPNDEV001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.219 SRV3PARPYD001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.220 SRVFSPYD001 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.221 SRVUBKBOG01 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.222 SRVIISPNCAP001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.228 SRVIISCMPRB001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.229 SRVIISITPRB001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.230 SRVIISPNPRB001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.231 SRVISWEBPRB001 Windows Server 2022 Build 20348 x64
10.10.181.232 SRVTOTPRB001 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.233 SRVIISENLPRB001 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc
10.10.181.240 SRVBDPRB001 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.241 SRVBDPRB002 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.242 SRVBDPRB003 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.246 SRVBDDEV001 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.247 SRVBDDEV002 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.248 SRVBDDEV003 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.249 SRVBDDEV004 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.250 SRVBDPRB004 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.251 SRVBDCAP004 Windows Server 2022 Build 20348 x64 saludtotal.loc
10.10.181.253 SRVBDDEV005 Windows 10 / Server 2019 Build 17763 x64 saludtotal.loc

Appendix B: Identified Nodes Without Ports
During testing, all identified systems were found to have at least one (1) open port. As a result, no table will be displayed in this
section.

Appendix C: Host Discovery (Opened Ports)
Internal Network Penetration Test

IP Address DNS Name Port (Limited to 1000) Protocol

10.10.150.2 SRVDCBOG02 5666 tcp
10.10.150.2 SRVDCBOG02 88 tcp
10.10.150.2 SRVDCBOG02 135 tcp
10.10.150.2 SRVDCBOG02 5985 tcp
10.10.150.2 SRVDCBOG02 10001 tcp
10.10.150.2 SRVDCBOG02 42 tcp
10.10.150.2 SRVDCBOG02 389 udp
10.10.150.2 SRVDCBOG02 1723 tcp
10.10.150.2 SRVDCBOG02 443 tcp
10.10.150.2 SRVDCBOG02 389 tcp
10.10.150.2 SRVDCBOG02 500 udp
10.10.150.2 SRVDCBOG02 80 tcp
10.10.150.2 SRVDCBOG02 53 tcp
10.10.150.2 SRVDCBOG02 636 tcp
10.10.150.2 SRVDCBOG02 3268 tcp
10.10.150.2 SRVDCBOG02 3269 tcp
10.10.150.2 SRVDCBOG02 47001 tcp
10.10.150.2 SRVDCBOG02 445 tcp
10.10.150.2 SRVDCBOG02 3389 tcp
10.10.150.2 SRVDCBOG02 139 tcp
10.10.150.2 SRVDCBOG02 88 udp
10.10.150.3 22 tcp
10.10.150.3 443 tcp
10.10.150.3 80 tcp
10.10.150.3 161 udp
10.10.150.4 80 tcp
10.10.150.4 161 udp
10.10.150.4 443 tcp
10.10.150.4 22 tcp
10.10.150.5 443 tcp
10.10.150.5 161 udp
10.10.150.5 22 tcp
10.10.150.5 80 tcp
10.10.150.6 80 tcp



































































10.10.150.148 SVAPPBOG06 135 tcp
10.10.150.149 SVAPPBOG08 47001 tcp
10.10.150.149 SVAPPBOG08 5985 tcp
10.10.150.149 SVAPPBOG08 5666 tcp
10.10.150.149 SVAPPBOG08 3389 tcp
10.10.150.149 SVAPPBOG08 2598 tcp
10.10.150.149 SVAPPBOG08 1494 tcp
10.10.150.149 SVAPPBOG08 445 tcp
10.10.150.149 SVAPPBOG08 139 tcp
10.10.150.149 SVAPPBOG08 135 tcp
10.10.150.149 SVAPPBOG08 80 tcp
10.10.150.150 SRVDCBOG03 389 udp
10.10.150.150 SRVDCBOG03 88 udp
10.10.150.150 SRVDCBOG03 47001 tcp
10.10.150.150 SRVDCBOG03 10001 tcp
10.10.150.150 SRVDCBOG03 5985 tcp
10.10.150.150 SRVDCBOG03 5666 tcp
10.10.150.150 SRVDCBOG03 3389 tcp
10.10.150.150 SRVDCBOG03 3269 tcp
10.10.150.150 SRVDCBOG03 3268 tcp
10.10.150.150 SRVDCBOG03 636 tcp
10.10.150.150 SRVDCBOG03 445 tcp
10.10.150.150 SRVDCBOG03 443 tcp
10.10.150.150 SRVDCBOG03 389 tcp
10.10.150.150 SRVDCBOG03 139 tcp
10.10.150.150 SRVDCBOG03 135 tcp
10.10.150.150 SRVDCBOG03 88 tcp
10.10.150.150 SRVDCBOG03 80 tcp
10.10.150.150 SRVDCBOG03 53 tcp
10.10.150.151 SRVPRINCIPAL 5666 tcp
10.10.150.151 SRVPRINCIPAL 5985 tcp
10.10.150.151 SRVPRINCIPAL 135 tcp
10.10.150.151 SRVPRINCIPAL 47001 tcp
10.10.150.151 SRVPRINCIPAL 139 tcp
10.10.150.151 SRVPRINCIPAL 445 tcp
10.10.150.151 SRVPRINCIPAL 3389 tcp
10.10.150.152 SRVMBTBOG01 139 tcp
10.10.150.152 SRVMBTBOG01 5985 tcp
10.10.150.152 SRVMBTBOG01 47001 tcp
10.10.150.152 SRVMBTBOG01 443 tcp
10.10.150.152 SRVMBTBOG01 445 tcp
10.10.150.152 SRVMBTBOG01 1723 tcp
10.10.150.152 SRVMBTBOG01 3306 tcp
10.10.150.152 SRVMBTBOG01 3389 tcp
10.10.150.152 SRVMBTBOG01 5666 tcp
10.10.150.152 SRVMBTBOG01 80 tcp
10.10.150.152 SRVMBTBOG01 135 tcp
10.10.150.153 SRVIISBOG10 7 tcp
10.10.150.153 SRVIISBOG10 9 tcp
10.10.150.153 SRVIISBOG10 5985 tcp
10.10.150.153 SRVIISBOG10 9091 tcp
10.10.150.153 SRVIISBOG10 19 tcp
10.10.150.153 SRVIISBOG10 2103 tcp
10.10.150.153 SRVIISBOG10 13 tcp
10.10.150.153 SRVIISBOG10 3389 tcp
10.10.150.153 SRVIISBOG10 5666 tcp
10.10.150.153 SRVIISBOG10 10001 tcp
10.10.150.153 SRVIISBOG10 47001 tcp
10.10.150.153 SRVIISBOG10 445 tcp
10.10.150.153 SRVIISBOG10 80 tcp
10.10.150.153 SRVIISBOG10 81 tcp
10.10.150.153 SRVIISBOG10 135 tcp
10.10.150.153 SRVIISBOG10 139 tcp
10.10.150.154 SRVIISBOG11 13 tcp
10.10.150.154 SRVIISBOG11 19 tcp
10.10.150.154 SRVIISBOG11 9 tcp
10.10.150.154 SRVIISBOG11 80 tcp
10.10.150.154 SRVIISBOG11 7 tcp
10.10.150.154 SRVIISBOG11 81 tcp
10.10.150.154 SRVIISBOG11 5985 tcp
10.10.150.154 SRVIISBOG11 9091 tcp
10.10.150.154 SRVIISBOG11 5666 tcp
10.10.150.154 SRVIISBOG11 10001 tcp
10.10.150.154 SRVIISBOG11 135 tcp
10.10.150.154 SRVIISBOG11 139 tcp
10.10.150.154 SRVIISBOG11 3389 tcp
10.10.150.154 SRVIISBOG11 47001 tcp
10.10.150.154 SRVIISBOG11 50090 tcp
10.10.150.154 SRVIISBOG11 500 udp
10.10.150.154 SRVIISBOG11 443 tcp
10.10.150.154 SRVIISBOG11 2103 tcp
10.10.150.154 SRVIISBOG11 445 tcp
10.10.150.154 SRVIISBOG11 1723 tcp
10.10.150.155 SRVIISBOG14 80 tcp
10.10.150.155 SRVIISBOG14 81 tcp
10.10.150.155 SRVIISBOG14 135 tcp