RustScan
┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ rustscan -a $IP
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 10000.
Open 10.10.11.31:53
Open 10.10.11.31:80
Open 10.10.11.31:88
Open 10.10.11.31:135
Open 10.10.11.31:139
Open 10.10.11.31:389
Open 10.10.11.31:445
Open 10.10.11.31:464
Open 10.10.11.31:593
Open 10.10.11.31:636
Open 10.10.11.31:3268
Open 10.10.11.31:3269
Open 10.10.11.31:3389
Open 10.10.11.31:5985
Open 10.10.11.31:9389
Open 10.10.11.31:49747
Open 10.10.11.31:49720
Open 10.10.11.31:49692
Open 10.10.11.31:49691
Open 10.10.11.31:49690
Open 10.10.11.31:49667Nmap
┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ nmap -sC -sV -p53,80,88,135,139,389,445,464,593,636,3268,3269,3389,59859389 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-31 22:55 CEST
Nmap scan report for 10.10.11.31
Host is up (0.022s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Infiltrator.htb
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-08-31 20:55:29Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-08-31T20:56:48+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-08-31T20:56:48+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-08-31T20:56:48+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: infiltrator.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-08-31T20:56:48+00:00; 0s from scanner time.
| ssl-cert: Subject:
| Subject Alternative Name: DNS:dc01.infiltrator.htb, DNS:infiltrator.htb, DNS:INFILTRATOR
| Not valid before: 2024-08-04T18:48:15
|_Not valid after: 2099-07-17T18:48:15
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: INFILTRATOR
| NetBIOS_Domain_Name: INFILTRATOR
| NetBIOS_Computer_Name: DC01
| DNS_Domain_Name: infiltrator.htb
| DNS_Computer_Name: dc01.infiltrator.htb
| DNS_Tree_Name: infiltrator.htb
| Product_Version: 10.0.17763
|_ System_Time: 2024-08-31T20:56:08+00:00
|_ssl-date: 2024-08-31T20:56:48+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=dc01.infiltrator.htb
| Not valid before: 2024-07-30T13:20:17
|_Not valid after: 2025-01-29T13:20:17
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
9389/tcp open mc-nmf .NET Message Framing
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
| smb2-time:
| date: 2024-08-31T20:56:10
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.75 secondsThe target system appears to be a Domain Controller in an Active Directory environment
The domain is INFILTRATOR.HTB
The FQDN of the target system is dc01.infiltrator.htb
The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution
UDP
┌──(kali㉿kali)-[~/archive/htb/labs/infiltrator]
└─$ sudo nmap -Pn -sU -top-ports 1000 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-31 23:07 CEST
Nmap scan report for dc01.infiltrator.htb (10.10.11.31)
Host is up (0.035s latency).
Not shown: 998 open|filtered udp ports (no-response)
PORT STATE SERVICE
88/udp open kerberos-sec
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 45.19 seconds