InfoSec LAB

Support_Recon

Created: 3 min read

RustScan

┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ rustscan -a $IP -b 25000
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
please contribute more quotes to our github https://github.com/rustscan/rustscan
 
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
open 10.10.11.174:53
open 10.10.11.174:88
open 10.10.11.174:135
open 10.10.11.174:139
open 10.10.11.174:389
open 10.10.11.174:445
open 10.10.11.174:464
open 10.10.11.174:593
open 10.10.11.174:636
open 10.10.11.174:3268
open 10.10.11.174:3269
open 10.10.11.174:5985
open 10.10.11.174:9389
open 10.10.11.174:49664
open 10.10.11.174:49668
open 10.10.11.174:49674
open 10.10.11.174:49686
open 10.10.11.174:49700

Nmap

┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ nmap -Pn -sC -sV -p53,88,135,139,389,445,464,593,636,3268,3269,5985,9389 $IP
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-04 05:35 CEST
Nmap scan report for 10.10.11.174
Host is up (0.21s latency).
 
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2023-10-04 03:36:04Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: support.htb0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
5985/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open  mc-nmf        .NET Message Framing
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
 
Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2023-10-04T03:36:18
|_  start_date: N/A
|_clock-skew: -1s
 
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 64.44 seconds

The target system appears to be a Domain Controller in an Active Directory environment While the hostname is unknown at this point, the target domain is SUPPORT.HTB

The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution This is a temporal solution due to the hostname being unknown at this time and it will be updated as soon as the FQDN of the target system is uncovered

UDP

┌──(kali㉿kali)-[~/archive/htb/labs/support]
└─$ sudo nmap -sU -top-ports 1000 $IP
starting nmap 7.94 ( https://nmap.org ) at 2023-10-04 05:30 CEST
Nmap scan report for 10.10.11.174
Host is up (0.11s latency).
not shown: 996 open|filtered udp ports (no-response)
PORT    STATE SERVICE
53/udp  open  domain
88/udp  open  kerberos-sec
123/udp open  ntp
389/udp open  ldap
 
nmap done: 1 IP address (1 host up) scanned in 27.49 seconds

Interactive Graph View

Backlinks