RustScan
┌──(kali㉿kali)-[~/archive/htb/labs/mantis]
└─$ rustscan -a $IP -b 10000
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
please contribute more quotes to our github https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open 10.10.10.52:53
open 10.10.10.52:88
open 10.10.10.52:135
open 10.10.10.52:139
open 10.10.10.52:389
open 10.10.10.52:445
open 10.10.10.52:464
open 10.10.10.52:593
open 10.10.10.52:636
open 10.10.10.52:1337
open 10.10.10.52:1433
open 10.10.10.52:3268
open 10.10.10.52:3269
open 10.10.10.52:5722
open 10.10.10.52:8080
open 10.10.10.52:9389
open 10.10.10.52:49152
open 10.10.10.52:49153
open 10.10.10.52:49154
open 10.10.10.52:49155
open 10.10.10.52:49158
open 10.10.10.52:49157
open 10.10.10.52:49161
open 10.10.10.52:49165
open 10.10.10.52:49168
open 10.10.10.52:50255Based on the scan result above, it would appear that the target host is a domain controller in Active Directory environment.
Proceeding to an additional scan for service enumeration
Nmap
┌──(kali㉿kali)-[~/archive/htb/labs]
└─$ sudo nmap -AO -p- $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-09 22:40 CEST
Nmap scan report for 10.10.10.52
Host is up (0.029s latency).
Not shown: 65510 closed tcp ports (reset)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15CD4) (Windows Server 2008 R2 SP1)
| dns-nsid:
|_ bind.version: Microsoft DNS 6.1.7601 (1DB15CD4)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-10-09 20:41:46Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
445/tcp open microsoft-ds Windows Server 2008 R2 Standard 7601 Service Pack 1 microsoft-ds (workgroup: HTB)
Host script results:
| smb2-time:
| date: 2022-10-09T20:42:52
|_ start_date: 2022-10-09T20:40:16
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
| ms-sql-info:
| 10.10.10.52:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| smb-os-discovery:
| OS: Windows Server 2008 R2 Standard 7601 Service Pack 1 (Windows Server 2008 R2 Standard 6.1)
| OS CPE: cpe:/o:microsoft:windows_server_2008::sp1
| Computer name: mantis
| NetBIOS computer name: MANTIS\x00
| Domain name: htb.local
| Forest name: htb.local
| FQDN: mantis.htb.local
|_ System time: 2022-10-09T16:42:54-04:00
| smb2-security-mode:
| 2.1:
|_ Message signing enabled and required
|_clock-skew: mean: 34m16s, deviation: 1h30m44s, median: -1s
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
1337/tcp open http Microsoft IIS httpd 7.5
|_http-server-header: Microsoft-IIS/7.5
|_http-title: IIS7
| http-methods:
|_ Potentially risky methods: TRACE
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-10-09T20:40:43
|_Not valid after: 2052-10-09T20:40:43
|_ssl-date: 2022-10-09T20:43:00+00:00; -1s from scanner time.
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
|_ Product_Version: 6.1.7601
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: htb.local, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5722/tcp open msrpc Microsoft Windows RPC
8080/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Tossed Salad - Blog
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49164/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49171/tcp open msrpc Microsoft Windows RPC
50255/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000
|_ssl-date: 2022-10-09T20:43:00+00:00; -1s from scanner time.
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Not valid before: 2022-10-09T20:40:43
|_Not valid after: 2052-10-09T20:40:43
| ms-sql-ntlm-info:
| Target_Name: HTB
| NetBIOS_Domain_Name: HTB
| NetBIOS_Computer_Name: MANTIS
| DNS_Domain_Name: htb.local
| DNS_Computer_Name: mantis.htb.local
|_ Product_Version: 6.1.7601
Network Distance: 2 hops
Service Info: Host: MANTIS; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
TRACEROUTE (using port 1025/tcp)
HOP RTT ADDRESS
1 29.65 ms 10.10.14.1
2 29.84 ms 10.10.10.52
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 137.08 secondsService and version enumeration complete
- The target host is
Mantis - The domain is
htb.local - The target system appears to be
Windows Server 2008 R2 Standard 7601 SP 1 MSSQLis present on port 1433