RustScan
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ rustscan -a $IP -b 25000
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
please contribute more quotes to our github https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open 10.10.11.202:53
open 10.10.11.202:88
open 10.10.11.202:135
open 10.10.11.202:139
open 10.10.11.202:389
open 10.10.11.202:445
open 10.10.11.202:464
open 10.10.11.202:593
open 10.10.11.202:636
open 10.10.11.202:1433
open 10.10.11.202:3269
open 10.10.11.202:3268
open 10.10.11.202:5985
open 10.10.11.202:9389
open 10.10.11.202:49667
open 10.10.11.202:49687
open 10.10.11.202:49688
open 10.10.11.202:49704
open 10.10.11.202:49712
open 10.10.11.202:50658Nmap
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ nmap -Pn -sC -sV -p53,88,135,139,389,445,593,636,1433,3269,3268,464,5985,9389,49667,49687,49688,49704,49712,50658 $IP
Starting Nmap 7.94 ( https://nmap.org ) at 2023-08-12 17:17 CEST
Nmap scan report for 10.10.11.202
Host is up (0.096s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2023-08-12 23:17:16Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-08-12T23:18:47+00:00; +7h59m56s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
|_ssl-date: 2023-08-12T23:18:46+00:00; +7h59m56s from scanner time.
1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.2000.00; RTM
| ms-sql-info:
| 10.10.11.202:1433:
| Version:
| name: Microsoft SQL Server 2019 RTM
| number: 15.00.2000.00
| Product: Microsoft SQL Server 2019
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| ms-sql-ntlm-info:
| 10.10.11.202:1433:
| Target_Name: sequel
| NetBIOS_Domain_Name: sequel
| NetBIOS_Computer_Name: DC
| DNS_Domain_Name: sequel.htb
| DNS_Computer_Name: dc.sequel.htb
| DNS_Tree_Name: sequel.htb
|_ Product_Version: 10.0.17763
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2023-08-13T01:17:25
|_Not valid after: 2053-08-13T01:17:25
|_ssl-date: 2023-08-13T01:20:00+00:00; +4m47s from scanner time.
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-08-12T23:18:47+00:00; +7h59m56s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: sequel.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2023-08-12T23:18:46+00:00; +7h59m56s from scanner time.
| ssl-cert: Subject: commonName=dc.sequel.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:dc.sequel.htb
| Not valid before: 2022-11-18T21:20:35
|_Not valid after: 2023-11-18T21:20:35
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49687/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49688/tcp open msrpc Microsoft Windows RPC
49704/tcp open msrpc Microsoft Windows RPC
49712/tcp open msrpc Microsoft Windows RPC
50658/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 7h59m55s, deviation: 0s, median: 7h59m55s
| smb2-time:
| date: 2023-08-12T23:18:10
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 97.68 secondsThe target system appears to be a Windows DC host in an Active Directory environment
The domain is SEQUEL.HTB and the FQDN of the target system is dc.sequel.htb
The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution
UDP
┌──(kali㉿kali)-[~/archive/htb/labs/escape]
└─$ sudo nmap -Pn -sU -top-ports 1000 $IP
[sudo] password for kali:
starting nmap 7.94 ( https://nmap.org ) at 2023-08-12 17:17 CEST
Nmap scan report for 10.10.11.202
Host is up (0.097s latency).
not shown: 998 open|filtered udp ports (no-response)
PORT STATE SERVICE
88/udp open kerberos-sec
123/udp open ntp
nmap done: 1 IP address (1 host up) scanned in 36.33 seconds