RustScan

┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ rustscan -a $IP -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open 10.10.11.129:53
open 10.10.11.129:80
open 10.10.11.129:88
open 10.10.11.129:135
open 10.10.11.129:139
open 10.10.11.129:389
open 10.10.11.129:443
open 10.10.11.129:445
open 10.10.11.129:464
open 10.10.11.129:593
open 10.10.11.129:636
open 10.10.11.129:3269
open 10.10.11.129:3268
open 10.10.11.129:8172
open 10.10.11.129:9389

Nmap

┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ nmap -sC -sV -p- $IP
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-29 12:32 CET
Stats: 0:02:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 57.14% done; ETC: 12:34 (0:00:08 remaining)
Nmap scan report for 10.10.11.129
Host is up (0.032s latency).
Not shown: 65514 filtered tcp ports (no-response)
PORT      STATE SERVICE       VERSION
53/tcp    open  domain        Simple DNS Plus
80/tcp    open  http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Search &mdash; Just Testing IIS
88/tcp    open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-01-29 11:34:10Z)
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp   open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-29T11:35:39+00:00; -11s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
443/tcp   open  ssl/http      Microsoft IIS httpd 10.0
|_http-title: Search &mdash; Just Testing IIS
|_ssl-date: 2024-01-29T11:35:39+00:00; -11s from scanner time.
| tls-alpn: 
|_  http/1.1
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds?
464/tcp   open  kpasswd5?
593/tcp   open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp   open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
|_ssl-date: 2024-01-29T11:35:39+00:00; -11s from scanner time.
3268/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-29T11:35:39+00:00; -11s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
3269/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: search.htb0., Site: Default-First-Site-Name)
|_ssl-date: 2024-01-29T11:35:39+00:00; -11s from scanner time.
| ssl-cert: Subject: commonName=research
| Not valid before: 2020-08-11T08:13:35
|_Not valid after:  2030-08-09T08:13:35
8172/tcp  open  ssl/http      Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Site doesn't have a title.
|_ssl-date: 2024-01-29T11:35:39+00:00; -11s from scanner time.
| ssl-cert: Subject: commonName=WMSvc-SHA2-RESEARCH
| Not valid before: 2020-04-07T09:05:25
|_Not valid after:  2030-04-05T09:05:25
| tls-alpn: 
|_  http/1.1
9389/tcp  open  mc-nmf        .NET Message Framing
49667/tcp open  msrpc         Microsoft Windows RPC
49675/tcp open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
49676/tcp open  msrpc         Microsoft Windows RPC
49694/tcp open  msrpc         Microsoft Windows RPC
49736/tcp open  msrpc         Microsoft Windows RPC
49817/tcp open  msrpc         Microsoft Windows RPC
Service Info: Host: RESEARCH; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-time: 
|   date: 2024-01-29T11:35:01
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
|_clock-skew: mean: -10s, deviation: 0s, median: -11s
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.06 seconds

The target system appears to be a Domain Controller in an Active Directory environment The domain is SEARCH.HTB The FQDN of the target system appears to be research.search.htb

The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution

UDP

┌──(kali㉿kali)-[~/archive/htb/labs/search]
└─$ sudo nmap -sU -top-ports 1000 $IP
starting nmap 7.94svn ( https://nmap.org ) at 2024-01-29 12:31 CET
Nmap scan report for 10.10.11.129
Host is up (0.031s latency).
not shown: 997 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
 
nmap done: 1 IP address (1 host up) scanned in 9.73 seconds

InfoSec LAB

Explorer

Search_Recon

RustScan

Nmap

UDP

Interactive Graph View

Table of Contents

Backlinks