SMB


Nmap identifies SMB on the target: the NetBIOS session service on 139/tcp and Microsoft-DS (SMB over TCP) on 445/tcp.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi]
└─$ nmap --script smb-enum-shares -sV -p139,445 $IP                            
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-14 20:00 CEST
Nmap scan report for 192.168.167.55
Host is up (0.022s latency).
 
PORT    STATE SERVICE       VERSION
139/tcp open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp open  microsoft-ds?
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.76 seconds

The smb-enum-shares script printed nothing: unauthenticated share enumeration through Nmap failed.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi]
└─$ nxc smb $IP -u '' -p '' --shares --interfaces 
SMB         192.168.167.55  445    SHENZI           [*] Windows 10 / Server 2019 Build 19041 x64 (name:SHENZI) (domain:shenzi) (signing:False) (SMBv1:False)
SMB         192.168.167.55  445    SHENZI           [-] shenzi\: STATUS_ACCESS_DENIED 
SMB         192.168.167.55  445    SHENZI           [-] IndexError: list index out of range
SMB         192.168.167.55  445    SHENZI           [-] Error enumerating shares: Error occurs while reading from remote(104)

A null session (empty username and empty password) is refused: the server answers STATUS_ACCESS_DENIED and nxc aborts the share listing. nxc also reports signing:False with SMBv1 disabled; missing SMB signing is what makes NTLM relay possible, but domain:shenzi matching the hostname marks this as a standalone workgroup host, so there is nothing to relay to in this single-host lab.

Null Session / Guest Access


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi]
└─$ smbclient -L //$IP/       
Password for [WORKGROUP\kali]:
 
	Sharename       Type      Comment
	---------       ----      -------
	IPC$            IPC       Remote IPC
	Shenzi          Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.167.55 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

Contrary to the nxc result above, the share list does come back, but this is not a true null session: smbclient sent my local username (kali) with an empty password and the server accepted it, which means an unknown account falls through to the Guest account. Shenzi is a non-default share (IPC$ is the standard inter-process communication share).

smb: \> put test
NT_STATUS_ACCESS_DENIED opening remote file \test

No write access: creating a file in the share is denied, so it is read-only for the guest.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi]
└─$ smbclient //$IP/Shenzi 
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu May 28 17:45:09 2020
  ..                                  D        0  Thu May 28 17:45:09 2020
  passwords.txt                       A      894  Thu May 28 17:45:09 2020
  readme_en.txt                       A     7367  Thu May 28 17:45:09 2020
  sess_klk75u2q4rpgfjs3785h6hpipp      A     3879  Thu May 28 17:45:09 2020
  why.tmp                             A      213  Thu May 28 17:45:09 2020
  xampp-control.ini                   A      178  Thu May 28 17:45:09 2020
 
		12941823 blocks of size 4096. 6475930 blocks available

There are 5 files within the Shenzi share

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi/smb]
└─$ smbget smb://$IP/Shenzi -U '' -N --recursive
Using guest user
Can't open directory smb://192.168.167.55/Shenzi: Permission denied
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi/smb]
└─$ smbget smb://$IP/Shenzi -U 'kali' -N --recursive  
Using domain: WORKGROUP, user: kali
smb://192.168.167.55/Shenzi/passwords.txt                                                                                               
smb://192.168.167.55/Shenzi/readme_en.txt                                                                                               
smb://192.168.167.55/Shenzi/sess_klk75u2q4rpgfjs3785h6hpipp                                                                             
smb://192.168.167.55/Shenzi/why.tmp                                                                                                     
smb://192.168.167.55/Shenzi/xampp-control.ini                                                                                           
Downloaded 12.24kB in 1 seconds

smbget fails when given an empty username, but succeeds when handed an arbitrary username (kali) with no password (-N): the same guest fallback seen with smbclient. All five files are downloaded.

passwords.txt


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi/smb]
└─$ cat passwords.txt       
### XAMPP Default Passwords ###
 
1) MySQL (phpMyAdmin):
 
   User: root
   Password:
   (means no password!)
 
2) FileZilla FTP:
 
   [ You have to create a new user on the FileZilla Interface ] 
 
3) Mercury (not in the USB & lite version): 
 
   Postmaster: Postmaster (postmaster@localhost)
   Administrator: Admin (admin@localhost)
 
   User: newuser  
   Password: wampp 
 
4) WEBDAV: 
 
   User: xampp-dav-unsecure
   Password: ppmax2011
   Attention: WEBDAV is not active since XAMPP Version 1.7.4.
   For activation please comment out the httpd-dav.conf and
   following modules in the httpd.conf
   
   LoadModule dav_module modules/mod_dav.so
   LoadModule dav_fs_module modules/mod_dav_fs.so  
   
   Please do not forget to refresh the WEBDAV authentification (users and passwords).     
 
5) WordPress:
 
   User: admin
   Password: FeltHeadwallWight357

passwords.txt is XAMPP's stock default-password list with one non-default addition: entry 5, a WordPress account, admin:FeltHeadwallWight357. The same list inside readme_en.txt below stops at entry 4 (WEBDAV), which confirms the WordPress line was added by hand.

readme_en.txt


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi/smb]
└─$ cat readme_en.txt   
###### ApacheFriends XAMPP Version 7.4.6 ######
 
Important! PHP in this package needs the Microsoft Visual C++ 2017 Redistributable package from
http://www.microsoft.com/en-us/download/. Please ensure that the VC++ 2017 runtime
libraries are installed on your system.
 
  + Apache 2.4.43
  + MariaDB 10.4.11
  + PHP 7.4.6 (VC15 X86 64bit thread safe) + PEAR
  + phpMyAdmin 5.0.2
  + OpenSSL 1.1.0g
  + ADOdb 518a
  + Mercury Mail Transport System v4.63 (not included in the portable version)
  + FileZilla FTP Server 0.9.41 (not included in the portable version)
  + Webalizer 2.23-04 (not included in the portable version)
  + Strawberry Perl 5.16.3.1 Portable
  + Tomcat 7.0.103
  + XAMPP Control Panel Version 3.2.4.
  + XAMPP mailToDisk 1.0 (write emails via PHP on local disk in <xampp>\mailoutput. Activated in the php.ini as mail default.)
 
---------------------------------------------------------------
 
* System Requirements:
 
  + 64 MB RAM (RECOMMENDED)
  + 750 MB free fixed disk
  + Windows 7, Windows 8, Windows 10
 
---------------------------------------------------------------
 
* ATTENTION!!!!
 
For trouble with the mysql connection (via mysqlnd API in php) see also the startpage:
http://localhost/xampp/index.php
 
* QUICK INSTALLATION:
 
[NOTE: Unpack the package to your USB stick or a partition of your choice.
There it must be on the highest level like E:\ or W:\. It will
build E:\xampp or W:\xampp or something like this. Please do not use the "setup_xampp.bat" for an USB stick installation!]
 
Step 1: Unpack the package into a directory of your choice. Please start the
"setup_xampp.bat" and beginning the installation. Note: XAMPP makes no entries in the windows registry and no settings for the system variables.
 
Step 2: If installation ends successfully, start the Apache 2 with
"apache_start".bat", MySQL with "mysql_start".bat". Stop the MySQL Server with "mysql_stop.bat". For shutdown the Apache HTTPD, only close the Apache Command (CMD). Or use the fine XAMPP Control Panel with double-click on "xampp-control.exe"!
 
Step 3: Start your browser and type http://127.0.0.1 or http://localhost in the location bar. You should see our pre-made
start page with certain examples and test screens.
 
Step 4: PHP (with mod_php, as *.php), Perl by default with *.cgi, SSI with *.shtml are all located in => C:\xampp\htdocs\.
Examples:
- C:\xampp\htdocs\test.php => http://localhost/test.php
- C:\xampp\htdocs\myhome\test.php => http://localhost/myhome/test.php
 
Step 5: XAMPP UNINSTALL? Simply remove the "xampp" Directory.
But before please shutdown the apache and mysql.
 
---------------------------------------------------------------
 
* PHP MAIL FUNCTION:
 
There are three ways to work with the PHP Mail function.
 
1) With XAMPP mailToDisk every mail sending via the PHP mail() function will written in the <xampp>\mailoutput folder. MailToDisk is the default you do not have to change the php.ini. And please do not use mailToDisk for production!
2) With fakemail (sendmail.exe) you will send all mail() to your personal mail account. Therefore you have to edit the <xampp>\sendmail\sendmail.ini first. Then please activate fakemail (sendamil.exe) in the php.ini and comment out the mailToDisk line.
3) You can use a SMTP Server like the Mercury Mail Server alternate. Therefore comment out all sendmail_path lines in the php.ini. Now use the -> SMTP = localhost und -> smtp_port = 25 lines of course with your values in the php.ini.
 
Attention : If XAMPP is installed in a base directory with spaces (e.g. c:\program files\xampp) fakemail and mailtodisk do not work correctly. In this case please copy the sendmail or mailtodisk folder in your root folder (e.g. C:\sendmail) and use this for sendmail_path.
 
---------------------------------------------------------------
 
* PASSWORDS:
 
1) MySQL:
 
   User: root
   Password:
   (means no password!)
 
2) FileZilla FTP:
 
   [ You have to create a new user on the FileZilla Interface ]
 
3) Mercury:
 
   Postmaster: postmaster (postmaster@localhost)
   Administrator: Admin (admin@localhost)
 
   TestUser: newuser
   Password: wampp
 
4) WEBDAV:
 
   User: xampp-dav-unsecure
   Password: ppmax2011
 
---------------------------------------------------------------
 
* ONLY FOR NT SYSTEMS! (NT4 | Windows 2000 | Windows XP):
 
- \xampp\apache\apache_installservice.bat
  ===> Install Apache 2 as service
 
- \xampp\apache\apache_uninstallservice.bat
  ===> Uninstall Apache 2 as service
 
- \xampp\mysql\mysql_installservice.bat
  ===> Install MySQL as service
 
- \xampp\mysql\mysql_uninstallservice.bat
  ===> Uninstall MySQL as service
 
==> After all un- / installations of services, better restart system!
 
----------------------------------------------------------------
 
A matter of security (A MUST READ!)
 
As mentioned before, XAMPP is not meant for production use but only for developers in a development environment. The way XAMPP is configured is to be open as possible and allowing the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal. Here a list of missing security
in XAMPP:
 
- The MySQL administrator (root) has no password.
- The MySQL daemon is accessible via network.
- phpMyAdmin is accessible via network.
- Examples are accessible via network.
 
---------------------------------------------------------------
 
* MYSQL NOTES:
 
(1) The MySQL server can be started by double-clicking (executing) mysql_start.bat. This file can be found in the same folder you installed XAMPP in, most likely this will be C:\xampp\.
The exact path to this file is X:\xampp\mysql_start.bat, where "X" indicates the letter of the drive you unpacked XAMPP into. This batch file starts the MySQL server in console mode. The first intialization might take a few minutes.
Do not close the DOS window or you'll crash the server! To stop the server, please use mysql_stop.bat, which is located in the same directory. Or use the fine XAMPP Control Panel with double-click on "xampp-control.exe" for all these things!
 
(2) To use MySQL as Service for NT / 2000 / XP, simply copy the "my.ini" file to "C:\my.ini". Please note that this file has to be placed in C:\ (root), other locations are not permitted. Then execute the "mysql_installservice.bat" in the mysql folder.
 
(3) MySQL starts with standard values for the user id and the password. The preset user id is "root", the password is "" (= no password). To access MySQL via PHP with the preset values, you'll have to use the following syntax:
 
	mysql_connect("localhost", "root", "");
 
If you want to set a password for MySQL access, please use of MySQL Admin.
To set the passwort "secret" for the user "root", type the following:
 
	C:\xampp\mysql\bin\mysqladmin.exe -u root -p secret
 
After changing the password you'll have to reconfigure phpMyAdmin to use the new password, otherwise it won't be able to access the databases. To do that, open the file config.inc.php in \xampp\phpmyadmin\ and edit the following lines:
 
	$cfg['Servers'][$i]['user']            = 'root';   // MySQL User
	$cfg['Servers'][$i]['auth_type']       = 'http';   // HTTP authentification
 
So first the 'root' password is queried by the MySQL server, before phpMyAdmin may access.
 
---------------------------------------------------------------
 
		Have a lot of fun! | Viel Spaß! | Bonne Chance!

Default XAMPP readme (version 7.4.6: Apache 2.4.43, MariaDB 10.4.11, PHP 7.4.6, phpMyAdmin 5.0.2). Nothing target-specific, but it confirms the web root is <xampp>\htdocs and that stock XAMPP ships the MySQL root account with no password, which is worth checking should phpMyAdmin turn out to be reachable.

sess_klk75u2q4rpgfjs3785h6hpipp


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi/smb]
└─$ cat sess_klk75u2q4rpgfjs3785h6hpipp
 PMA_token |s:32:"522b574a21767922222439295b4b2975"; HMAC_secret |s:16:"67gK3D[0mYw<Mlpn";browser_access_time|a:2:{s:7:"default";i:1590593735;s:36:"d3907c4c-ecaf-f98a-85db-1bce60b6913a";i:1590596659;}relation|a:1:{i:1;a:41:{s:11:"PMA_VERSION";s:5:"5.0.2";s:7:"relwork";b:1;s:11:"displaywork";b:1;s:12:"bookmarkwork";b:1;s:7:"pdfwork";b:1;s:8:"commwork";b:1;s:8:"mimework";b:1;s:11:"historywork";b:1;s:10:"recentwork";b:1;s:12:"favoritework";b:1;s:11:"uiprefswork";b:1;s:12:"trackingwork";b:1;s:14:"userconfigwork";b:1;s:9:"menuswork";b:1;s:7:"navwork";b:1;s:17:"savedsearcheswork";b:1;s:18:"centralcolumnswork";b:1;s:20:"designersettingswork";b:1;s:19:"exporttemplateswork";b:1;s:8:"allworks";b:1;s:4:"user";s:4:"root";s:2:"db";s:10:"phpmyadmin";s:8:"bookmark";s:13:"pma__bookmark";s:15:"central_columns";s:20:"pma__central_columns";s:11:"column_info";s:16:"pma__column_info";s:17:"designer_settings";s:22:"pma__designer_settings";s:16:"export_templates";s:21:"pma__export_templates";s:8:"favorite";s:13:"pma__favorite";s:7:"history";s:12:"pma__history";s:16:"navigationhiding";s:21:"pma__navigationhiding";s:9:"pdf_pages";s:14:"pma__pdf_pages";s:6:"recent";s:11:"pma__recent";s:8:"relation";s:13:"pma__relation";s:13:"savedsearches";s:18:"pma__savedsearches";s:12:"table_coords";s:17:"pma__table_coords";s:10:"table_info";s:15:"pma__table_info";s:13:"table_uiprefs";s:18:"pma__table_uiprefs";s:8:"tracking";s:13:"pma__tracking";s:10:"userconfig";s:15:"pma__userconfig";s:10:"usergroups";s:15:"pma__usergroups";s:5:"users";s:10:"pma__users";}}two_factor_check|b:1;cache|a:3:{s:8:"server_1";a:4:{s:15:"userprefs_mtime";s:10:"1590593621";s:14:"userprefs_type";s:2:"db";s:12:"config_mtime";i:1584764260;s:9:"userprefs";a:1:{s:7:"Console";a:1:{s:4:"Mode";s:8:"collapse";}}}s:13:"server_1_root";a:16:{s:14:"mysql_cur_user";s:14:"root@localhost";s:12:"is_grantuser";b:1;s:13:"is_createuser";b:1;s:12:"is_superuser";b:1;s:17:"is_create_db_priv";b:1;s:14:"is_reload_priv";b:1;s:12:"db_to_create";s:0:"";s:30:
"dbs_where_create_table_allowed";a:1:{i:0;s:1:"*";}s:11:"dbs_to_test";b:0;s:9:"proc_priv";b:1;s:10:"table_priv";b:1;s:8:"col_priv";b:1;s:7:"db_priv";b:1;s:11:"binary_logs";a:0:{}s:18:"menu-levels-server";a:13:{s:9:"databases";s:9:"Databases";s:3:"sql";s:3:"SQL";s:6:"status";s:6:"Status";s:6:"rights";s:5:"Users";s:6:"export";s:6:"Export";s:6:"import";s:6:"Import";s:8:"settings";s:8:"Settings";s:6:"binlog";s:10:"Binary log";s:11:"replication";s:11:"Replication";s:4:"vars";s:9:"Variables";s:7:"charset";s:8:"Charsets";s:7:"plugins";s:7:"Plugins";s:6:"engine";s:7:"Engines";}s:14:"menu-levels-db";a:14:{s:9:"structure";s:9:"Structure";s:3:"sql";s:3:"SQL";s:6:"search";s:6:"Search";s:5:"query";s:5:"Query";s:6:"export";s:6:"Export";s:6:"import";s:6:"Import";s:9:"operation";s:10:"Operations";s:10:"privileges";s:10:"Privileges";s:8:"routines";s:8:"Routines";s:6:"events";s:6:"Events";s:8:"triggers";s:8:"Triggers";s:8:"tracking";s:8:"Tracking";s:8:"designer";s:8:"Designer";s:15:"central_columns";s:15:"Central columns";}}s:13:"version_check";a:2:{s:8:"response";s:419:"{
    "date": "2020-03-21", 
    "version": "5.0.2", 
    "releases": [
        {
            "date": "2020-03-21", 
            "php_versions": ">=5.5,<8.0", 
            "version": "4.9.5", 
            "mysql_versions": ">=5.5"
        }, 
        {
            "date": "2020-03-21", 
            "php_versions": ">=7.1,<8.0", 
            "version": "5.0.2", 
            "mysql_versions": ">=5.5"
        }
    ]
}";s:9:"timestamp";i:1590593621;}}git_location|N;is_git_revision|b:0;tmpval|a:4:{s:14:"favoriteTables";a:1:{i:1;a:0:{}}s:12:"recentTables";a:1:{i:1;a:0:{}}s:18:"table_limit_offset";i:0;s:21:"table_limit_offset_db";s:8:"testsite";}ConfigFile1|a:2:{s:7:"Console";a:1:{s:4:"Mode";s:8:"collapse";}s:7:"Servers";a:1:{i:1;a:2:{s:7:"only_db";s:0:"";s:7:"hide_db";s:0:"";}}}debug|a:0:{}errors|a:0:{}   

The sess_klk75u2q4rpgfjs3785h6hpipp file is a PHP session file: PHP names them sess_<PHPSESSID> and writes them to session.save_path, which for XAMPP is its tmp directory. The serialized contents are a phpMyAdmin session (PMA_token, HMAC_secret, PMA_VERSION 5.0.2) logged in as root@localhost with superuser rights, and tmpval names a database called testsite. A live session file leaked like this would let anyone resume the session by presenting its ID as the PHPSESSID cookie, but the timestamps inside (1590593735 and 1590596659 are 27 May 2020) show it is old and will long since have expired; the useful take-aways are the confirmation that phpMyAdmin is installed, the root login, and the testsite database name.
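To pull those facts out of a session file reliably rather than by eye, here is a small parser for the PHP session serialization format (concatenated key|value records, each value in PHP's serialize() encoding). This is an added example, not part of the original write-up or of phpMyAdmin; SAMPLE is a trimmed excerpt constructed from the session file above, and the summarize() helper and its field names are my own.

```python
import json
from datetime import datetime, timezone

# Constructed excerpt modelled on the sess_* file above, trimmed to a handful
# of keys (the real file is several kilobytes of nested arrays).
SAMPLE = (
    'PMA_token|s:32:"522b574a21767922222439295b4b2975";'
    'HMAC_secret|s:16:"67gK3D[0mYw<Mlpn";'
    'browser_access_time|a:2:{s:7:"default";i:1590593735;'
    's:36:"d3907c4c-ecaf-f98a-85db-1bce60b6913a";i:1590596659;}'
    'relation|a:1:{i:1;a:3:{s:11:"PMA_VERSION";s:5:"5.0.2";'
    's:4:"user";s:4:"root";s:2:"db";s:10:"phpmyadmin";}}'
    'two_factor_check|b:1;'
    'git_location|N;'
    'tmpval|a:1:{s:21:"table_limit_offset_db";s:8:"testsite";}'
)


class PHPUnserializer:
    """Minimal decoder for the PHP serialize() scalars and arrays seen in session files."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def parse(self):
        tag = self.data[self.pos:self.pos + 1]
        if tag == b"N":                       # N;  -> null
            self.pos += 2
            return None
        if tag in (b"i", b"b", b"d"):         # i:123;  b:1;  d:1.5;
            end = self.data.index(b";", self.pos)
            raw = self.data[self.pos + 2:end]
            self.pos = end + 1
            if tag == b"i":
                return int(raw)
            if tag == b"b":
                return raw == b"1"
            return float(raw)
        if tag == b"s":                       # s:<bytelen>:"...";  length counts bytes
            colon = self.data.index(b":", self.pos + 2)
            length = int(self.data[self.pos + 2:colon])
            start = colon + 2                 # skip  :"
            value = self.data[start:start + length]
            self.pos = start + length + 2     # skip  ";
            return value.decode("utf-8", "replace")
        if tag == b"a":                       # a:<count>:{key;value...}
            colon = self.data.index(b":", self.pos + 2)
            count = int(self.data[self.pos + 2:colon])
            self.pos = colon + 2              # skip  :{
            result = {}
            for _ in range(count):
                key = self.parse()
                result[key] = self.parse()
            self.pos += 1                     # skip  }
            return result
        raise ValueError(f"unsupported tag {tag!r} at offset {self.pos}")


def parse_session(data: bytes) -> dict:
    """Split a PHP session file into its name|value records and decode each value."""
    data = data.strip()
    session = {}
    u = PHPUnserializer(data)
    while u.pos < len(data):
        bar = data.index(b"|", u.pos)
        key = data[u.pos:bar].decode("utf-8", "replace")
        u.pos = bar + 1
        session[key] = u.parse()
    return session


def summarize(session: dict) -> dict:
    """Extract the phpMyAdmin facts a tester cares about (my own field names)."""
    rel = session.get("relation", {}).get(1, {})
    times = session.get("browser_access_time", {})
    last = max(times.values()) if times else None
    return {
        "pma_version": rel.get("PMA_VERSION"),
        "db_user": rel.get("user"),
        "control_db": rel.get("db"),
        "last_db": session.get("tmpval", {}).get("table_limit_offset_db"),
        "token": session.get("PMA_token"),
        "last_access": datetime.fromtimestamp(last, tz=timezone.utc).isoformat() if last else None,
    }


if __name__ == "__main__":
    print(json.dumps(summarize(parse_session(SAMPLE.encode())), indent=2))
```

Run it against the downloaded file with parse_session(open("sess_klk75u2q4rpgfjs3785h6hpipp", "rb").read()); the last_access field is what tells you whether a leaked session is worth trying to resume at all.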

why.tmp


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi/smb]
└─$ cat why.tmp                                                              
Warum dieses tmp-Verzeichnis?
Das braucht beispielweise PHP 
für seine Sessions-Verwaltung.
Also bitte nicht löschen!
 
Why this tmp-Folder?
PHP need it for saving
the Sessions. 
So please do not delete it!                                                                                                                                        

Nothing of interest in itself: this is the stock notice XAMPP ships in its tmp directory. It does tell us the share is (or mirrors) XAMPP's tmp folder, the PHP session.save_path, which is why a sess_* file is sitting in it.

xampp-control.ini


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shenzi/smb]
└─$ cat xampp-control.ini 
[Common]
Edition=
Editor=notepad.exe
Browser=
Debug=0
Debuglevel=0
TomcatVisible=1
Language=English
[EnableModules]
Apache=1
MySQL=1
FileZilla=0
Mercury=0
Tomcat=0

Only Apache and MySQL are enabled in the control panel; FileZilla, Mercury and Tomcat are off, so no FTP, mail or Tomcat service is expected on the host.