RustScan
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ rustscan -a $IP -b 25000
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
please contribute more quotes to our github https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open 10.10.11.175:25
open 10.10.11.175:53
open 10.10.11.175:88
open 10.10.11.175:135
open 10.10.11.175:139
open 10.10.11.175:389
open 10.10.11.175:445
open 10.10.11.175:464
open 10.10.11.175:593
open 10.10.11.175:636
open 10.10.11.175:3268
open 10.10.11.175:3269
open 10.10.11.175:5985
open 10.10.11.175:8530
open 10.10.11.175:8531
open 10.10.11.175:9389
open 10.10.11.175:49667
open 10.10.11.175:49685
open 10.10.11.175:49686
open 10.10.11.175:49944
open 10.10.11.175:49921
open 10.10.11.175:55165
Nmap
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ nmap -Pn -p- $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 12:21 CET
Nmap scan report for 10.10.11.175
Host is up (0.029s latency).
Not shown: 65513 filtered tcp ports (no-response)
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
5985/tcp open wsman
8530/tcp open unknown
8531/tcp open unknown
9389/tcp open adws
49667/tcp open unknown
49685/tcp open unknown
49686/tcp open unknown
49921/tcp open unknown
49944/tcp open unknown
55165/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 420.25 seconds
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ nmap -Pn -sC -sV -p25,53,88,135,139,389,445,464,593,636,3268,3269,5985,8530,8531,9389,49667,49685,49686,49944,49921,55165 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 12:25 CET
Stats: 0:01:42 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 95.45% done; ETC: 12:27 (0:00:05 remaining)
Stats: 0:02:22 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 100.00% done; ETC: 12:27 (0:00:00 remaining)
Nmap scan report for 10.10.11.175
Host is up (0.029s latency).
PORT STATE SERVICE VERSION
25/tcp open smtp hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
|_ 211 DATA HELO EHLO MAIL NOOP QUIT RCPT RSET SAML TURN VRFY
53/tcp open domain?
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-03 19:25:21Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.outdated.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.outdated.htb
| Not valid before: 2023-12-13T00:17:36
|_Not valid after: 2024-12-12T00:17:36
|_ssl-date: 2024-01-03T19:28:18+00:00; +7h59m51s from scanner time.
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-03T19:28:18+00:00; +7h59m51s from scanner time.
| ssl-cert: Subject: commonName=DC.outdated.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.outdated.htb
| Not valid before: 2023-12-13T00:17:36
|_Not valid after: 2024-12-12T00:17:36
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-03T19:28:18+00:00; +7h59m51s from scanner time.
| ssl-cert: Subject: commonName=DC.outdated.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.outdated.htb
| Not valid before: 2023-12-13T00:17:36
|_Not valid after: 2024-12-12T00:17:36
3269/tcp open ssl/ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-03T19:28:18+00:00; +7h59m51s from scanner time.
| ssl-cert: Subject: commonName=DC.outdated.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.outdated.htb
| Not valid before: 2023-12-13T00:17:36
|_Not valid after: 2024-12-12T00:17:36
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8530/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Site doesn't have a title.
|_http-server-header: Microsoft-IIS/10.0
8531/tcp open unknown
9389/tcp open mc-nmf .NET Message Framing
49667/tcp open msrpc Microsoft Windows RPC
49685/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49686/tcp open msrpc Microsoft Windows RPC
49921/tcp open msrpc Microsoft Windows RPC
49944/tcp open msrpc Microsoft Windows RPC
55165/tcp open msrpc Microsoft Windows RPC
Service Info: Hosts: mail.outdated.htb, DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2024-01-03T19:27:41
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: mean: 7h59m50s, deviation: 0s, median: 7h59m50s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 186.11 seconds
The target system appears to be a Domain Controller in an Active Directory environment. The domain is outdated.htb. According to the scan result above, the FQDN of the DC host is DC.outdated.htb, while the target system also appears to be mail.outdated.htb (from the SMTP banner). Although the target environment has not been fully identified yet, I will write those down in the /etc/hosts file.
The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution.
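As an added illustration (not part of the original writeup), a small Python parser that pulls the AD-relevant facts out of the Nmap output above (domain, DC FQDN, mail host, clock skew) and builds the matching /etc/hosts line. NMAP_OUTPUT is a constructed excerpt of the scan shown above; the "0." suffix handling and the 300 s Kerberos tolerance are the only things the parser assumes beyond the page.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the `nmap -sC -sV` output shown above, trimmed to the lines the parser uses.
NMAP_OUTPUT = """\
Nmap scan report for 10.10.11.175
25/tcp open smtp hMailServer smtpd
| smtp-commands: mail.outdated.htb, SIZE 20480000, AUTH LOGIN, HELP
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: outdated.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.outdated.htb
|_clock-skew: mean: 7h59m50s, deviation: 0s, median: 7h59m50s
"""

@dataclass
class AdRecon:
    ip: str = ""
    domain: str = ""
    dc_fqdn: str = ""
    extra_hosts: list = field(default_factory=list)
    clock_skew: str = ""

def parse_nmap(text: str) -> AdRecon:
    """Extract AD-relevant facts from plain (-oN style) Nmap output."""
    r = AdRecon()
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (\S+)", line):
            r.ip = m.group(1)
        # Nmap prints the LDAP domain as "outdated.htb0." -- the trailing "0." is an
        # artifact of the LDAP probe, not part of the name, so it is stripped here.
        elif m := re.search(r"Domain: ([\w.-]+?)(?:0\.)?,", line):
            r.domain = m.group(1)
        elif m := re.search(r"commonName=([\w.-]+)", line):
            r.dc_fqdn = m.group(1)
        elif m := re.search(r"smtp-commands: ([\w.-]+),", line):
            if m.group(1) not in r.extra_hosts:
                r.extra_hosts.append(m.group(1))
        elif m := re.search(r"clock-skew: (?:mean: )?([-+]?[\dhms]+)", line):
            r.clock_skew = m.group(1)
    return r

def hosts_entry(r: AdRecon) -> str:
    """One /etc/hosts line: DC FQDN, bare domain and any other hostnames seen, all on the target IP."""
    names = [r.dc_fqdn, r.domain] + [h for h in r.extra_hosts if h not in (r.dc_fqdn, r.domain)]
    return f"{r.ip} {' '.join(n for n in names if n)}"

def skew_seconds(skew: str) -> int:
    """Convert Nmap's clock-skew string ('7h59m50s', '-5m') to signed seconds. Kerberos rejects
    requests more than 300 s off the KDC clock by default, so a skew like this one matters."""
    sign = -1 if skew.startswith("-") else 1
    return sign * sum(int(n) * {"h": 3600, "m": 60, "s": 1}[u] for n, u in re.findall(r"(\d+)([hms])", skew))

if __name__ == "__main__":
    rec = parse_nmap(NMAP_OUTPUT)
    print(hosts_entry(rec))  # 10.10.11.175 DC.outdated.htb outdated.htb mail.outdated.htb
    print("kerberos clock ok:", abs(skew_seconds(rec.clock_skew)) <= 300)  # False
```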
UDP
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ sudo nmap -sU -top-ports 1000 $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 12:15 CET
Nmap scan report for 10.10.11.175
Host is up (0.029s latency).
Not shown: 997 open|filtered udp ports (no-response)
PORT STATE SERVICE
53/udp open domain
88/udp open kerberos-sec
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 12.25 seconds
┌──(kali㉿kali)-[~/archive/htb/labs/outdated]
└─$ sudo nmap -Pn -sU -sC -sV -p53,88,123 $IP
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-03 12:26 CET
Nmap scan report for 10.10.11.175
Host is up (0.025s latency).
PORT STATE SERVICE VERSION
53/udp open domain (generic dns response: NOTIMP)
| fingerprint-strings:
| NBTStat:
|_ CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
88/udp open kerberos-sec Microsoft Windows Kerberos (server time: 2024-01-03 19:26:30Z)
123/udp open ntp NTP v3
| ntp-info:
|_
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-UDP:V=7.94SVN%I=7%D=1/3%Time=6595447E%P=x86_64-pc-linux-gnu%r(NB
SF:TStat,32,"\x80\xf0\x80\x82\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAA
SF:AAAAAAAAA\0\0!\0\x01");
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: 7h59m56s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 31.50 seconds